mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
libcli/smb: make use of smb3_capabilities.encryption
This avoids a hardcoded list of possible ciphers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
fe7fe76c31
commit
44e76fccf6
@ -336,6 +336,13 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
|
|||||||
socklen_t sa_length;
|
socklen_t sa_length;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
|
if (smb3_capabilities != NULL) {
|
||||||
|
const struct smb3_encryption_capabilities *ciphers =
|
||||||
|
&smb3_capabilities->encryption;
|
||||||
|
|
||||||
|
SMB_ASSERT(ciphers->num_algos <= SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS);
|
||||||
|
}
|
||||||
|
|
||||||
conn = talloc_zero(mem_ctx, struct smbXcli_conn);
|
conn = talloc_zero(mem_ctx, struct smbXcli_conn);
|
||||||
if (!conn) {
|
if (!conn) {
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -4772,6 +4779,8 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
|
if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
|
||||||
|
const struct smb3_encryption_capabilities *client_ciphers =
|
||||||
|
&state->conn->smb2.client.smb3_capabilities.encryption;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
struct smb2_negotiate_contexts c = { .num_contexts = 0, };
|
struct smb2_negotiate_contexts c = { .num_contexts = 0, };
|
||||||
uint8_t *netname_utf16 = NULL;
|
uint8_t *netname_utf16 = NULL;
|
||||||
@ -4794,15 +4803,23 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
SSVAL(p, 0, 2); /* ChiperCount */
|
if (client_ciphers->num_algos > 0) {
|
||||||
|
size_t ofs = 0;
|
||||||
|
SSVAL(p, ofs, client_ciphers->num_algos);
|
||||||
|
ofs += 2;
|
||||||
|
|
||||||
SSVAL(p, 2, SMB2_ENCRYPTION_AES128_GCM);
|
for (i = 0; i < client_ciphers->num_algos; i++) {
|
||||||
SSVAL(p, 4, SMB2_ENCRYPTION_AES128_CCM);
|
size_t next_ofs = ofs + 2;
|
||||||
|
SMB_ASSERT(next_ofs < ARRAY_SIZE(p));
|
||||||
|
SSVAL(p, ofs, client_ciphers->algos[i]);
|
||||||
|
ofs = next_ofs;
|
||||||
|
}
|
||||||
|
|
||||||
status = smb2_negotiate_context_add(
|
status = smb2_negotiate_context_add(
|
||||||
state, &c, SMB2_ENCRYPTION_CAPABILITIES, p, 6);
|
state, &c, SMB2_ENCRYPTION_CAPABILITIES, p, ofs);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
return NULL;
|
return NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ok = convert_string_talloc(state, CH_UNIX, CH_UTF16,
|
ok = convert_string_talloc(state, CH_UNIX, CH_UTF16,
|
||||||
@ -5085,7 +5102,20 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
|
|||||||
|
|
||||||
cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
|
cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
|
||||||
if (cipher != NULL) {
|
if (cipher != NULL) {
|
||||||
|
const struct smb3_encryption_capabilities *client_ciphers =
|
||||||
|
&state->conn->smb2.client.smb3_capabilities.encryption;
|
||||||
|
bool found_selected = false;
|
||||||
uint16_t cipher_count;
|
uint16_t cipher_count;
|
||||||
|
uint16_t cipher_selected;
|
||||||
|
|
||||||
|
if (client_ciphers->num_algos == 0) {
|
||||||
|
/*
|
||||||
|
* We didn't ask for SMB2_ENCRYPTION_CAPABILITIES
|
||||||
|
*/
|
||||||
|
tevent_req_nterror(req,
|
||||||
|
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (cipher->data.length < 2) {
|
if (cipher->data.length < 2) {
|
||||||
tevent_req_nterror(req,
|
tevent_req_nterror(req,
|
||||||
@ -5094,8 +5124,7 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
|
|||||||
}
|
}
|
||||||
|
|
||||||
cipher_count = SVAL(cipher->data.data, 0);
|
cipher_count = SVAL(cipher->data.data, 0);
|
||||||
|
if (cipher_count != 1) {
|
||||||
if (cipher_count > 1) {
|
|
||||||
tevent_req_nterror(req,
|
tevent_req_nterror(req,
|
||||||
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||||
return;
|
return;
|
||||||
@ -5106,19 +5135,35 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
|
|||||||
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
cipher_selected = SVAL(cipher->data.data, 2);
|
||||||
|
|
||||||
if (cipher_count == 1) {
|
for (i = 0; i < client_ciphers->num_algos; i++) {
|
||||||
uint16_t cipher_selected;
|
if (cipher_selected == SMB2_ENCRYPTION_NONE) {
|
||||||
|
/*
|
||||||
cipher_selected = SVAL(cipher->data.data, 2);
|
* encryption not supported
|
||||||
|
*/
|
||||||
switch (cipher_selected) {
|
found_selected = true;
|
||||||
case SMB2_ENCRYPTION_AES128_GCM:
|
break;
|
||||||
case SMB2_ENCRYPTION_AES128_CCM:
|
}
|
||||||
conn->smb2.server.cipher = cipher_selected;
|
if (client_ciphers->algos[i] == cipher_selected) {
|
||||||
|
/*
|
||||||
|
* We found a match
|
||||||
|
*/
|
||||||
|
found_selected = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!found_selected) {
|
||||||
|
/*
|
||||||
|
* The server send a cipher we didn't offer.
|
||||||
|
*/
|
||||||
|
tevent_req_nterror(req,
|
||||||
|
NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
conn->smb2.server.cipher = cipher_selected;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* First we hash the request */
|
/* First we hash the request */
|
||||||
|
Loading…
Reference in New Issue
Block a user