1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1120 Commits

Author SHA1 Message Date
Volker Lendecke
7d8006f3b4 ldap: Correctly check asn1_tag_remaining retval
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Ralph Boehme
f95549957e libcli/smb: add define SMB_ENCRYPTION_GSSAPI for CIFS encryption type
Add a define for the CIFS UNIX extensions encryption type. We store this
in smbXsrv_channel and use it in smbstatus for showing the
CIFS/SMB2/SMB3 encryption cipher used.

The SMB3 encryption cipher constants start at 1, carefully choosing the
highest available bit for the CIFS UNIX extensions encryption cipher
should avoid collisions and leaves room for many SMB3 ciphers in the
future.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-22 07:52:21 +01:00
Günther Deschner
cf163ac359 security: Add Asserted Identity sids (S-1-18)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677

definitions taken from [MS-DTYP]: Windows Data Types,
2.4.2.4 Well-Known SID Structures.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-15 22:19:07 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
218f96f2bf libcli: Make headers for private libraries private.
Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Jelmer Vernooij
ffbd9c4584 Add a new header file for functions in lib/util/util.c.
This allows public headers to not include samba_util.h, but rather
specific header files under lib/util.

Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Jelmer Vernooij
fddca39f19 samdb: Add explicit dependency on ldb.
This is needed to pull in the right -I flags.

Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
2016-01-13 04:43:22 +01:00
Volker Lendecke
3c340d81d8 libcli: Remove a reference to asn1->ofs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
b7f0e29fd2 lib: Use asn1_current_ofs()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
1282f6063d lib: Use asn1_has_nesting
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
a93946b2fe lib: Use asn1_extract_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
8cfb6a3139 lib: Use asn1_set_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
ad630a681e asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Stefan Metzmacher
bc2d8592f4 CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-16 12:56:48 +01:00
Volker Lendecke
ea6de66b9c libdns: Small cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-08 23:01:28 +01:00
Volker Lendecke
dfceb51da8 libdns: Convert dns_udp_request to 0/errno
Replaces 5 calls to unix_to_werror with just one

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-08 23:01:27 +01:00
Volker Lendecke
190e2c013b libdns: Properly set ENOMEM
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-08 23:01:27 +01:00
Volker Lendecke
a0fcb7bd80 libdns: tsocket returns -1 and sets errno
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-08 23:01:27 +01:00
Stefan Metzmacher
3bbd8d3614 libcli/smb: fix BUFFER_OVERFLOW handling in tstream_smbXcli_np
The special error is not NT_STATUS_BUFFER_TOO_SMALL, but STATUS_BUFFER_OVERFLOW.

Tested using TSTREAM_SMBXCLI_NP_MAX_BUF_SIZE == 20 and running
the following commands against a Windows 2012R2 server:

bin/smbtorture ncacn_np:SERVER[] rpc.lsa-getuser
bin/smbtorture ncacn_np:SERVER[smb2] rpc.lsa-getuser

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec  1 03:42:52 CET 2015 on sn-devel-104
2015-12-01 03:42:51 +01:00
Stefan Metzmacher
0e8d33fb5f libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00
Stefan Metzmacher
68850f3f56 libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_query_info*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00
Stefan Metzmacher
b47bfce678 libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_read*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00
Stefan Metzmacher
91e12e04fc libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
Found by valgrind, reported by Noel Power <nopower@suse.com>:

==7913== Invalid read of size 1
==7913==    at 0xC4F23EE: smb2cli_ioctl_done (smb2cli_ioctl.c:245)
==7913==    by 0x747A744: _tevent_req_notify_callback (tevent_req.c:112)
==7913==    by 0x747A817: tevent_req_finish (tevent_req.c:149)
==7913==    by 0x747A93C: tevent_req_trigger (tevent_req.c:206)
==7913==    by 0x7479B2B: tevent_common_loop_immediate
(tevent_immediate.c:135)
==7913==    by 0xA9CB4BE: run_events_poll (events.c:192)
==7913==    by 0xA9CBB32: s3_event_loop_once (events.c:303)
==7913==    by 0x7478C72: _tevent_loop_once (tevent.c:533)
==7913==    by 0x747AACD: tevent_req_poll (tevent_req.c:256)
==7913==    by 0x505315D: tevent_req_poll_ntstatus (tevent_ntstatus.c:109)
==7913==    by 0xA7201F2: cli_tree_connect (cliconnect.c:2764)
==7913==    by 0x165FF7: cm_prepare_connection (winbindd_cm.c:1276)
==7913==  Address 0x16ce24ec is 764 bytes inside a block of size 813 alloc'd
==7913==    at 0x4C29110: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7913==    by 0x768A0C1: __talloc_with_prefix (talloc.c:668)
==7913==    by 0x768A27E: _talloc_pool (talloc.c:721)
==7913==    by 0x768A41E: _talloc_pooled_object (talloc.c:790)
==7913==    by 0x747A594: _tevent_req_create (tevent_req.c:66)
==7913==    by 0xCF6E2FA: read_packet_send (async_sock.c:414)
==7913==    by 0xCF6EB54: read_smb_send (read_smb.c:54)
==7913==    by 0xC4DA146: smbXcli_conn_receive_next (smbXcli_base.c:1027)
==7913==    by 0xC4DA02D: smbXcli_req_set_pending (smbXcli_base.c:978)
==7913==    by 0xC4DF776: smb2cli_req_compound_submit (smbXcli_base.c:3166)
==7913==    by 0xC4DFC1D: smb2cli_req_send (smbXcli_base.c:3268)
==7913==    by 0xC4F2210: smb2cli_ioctl_send (smb2cli_ioctl.c:149)
==7913==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11622

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00
Christof Schmitt
fd05d617a8 libcli/smb: Use helper function for finding session
This removes some duplicated code.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 18 04:04:17 CET 2015 on sn-devel-104
2015-11-18 04:04:15 +01:00
Andrew Bartlett
4b25650577 repl: Give an error if we get a secret when not expecting one
We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING

This asserts that this is the case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:21 +01:00
Jeremy Allison
b1bd84e9c9 lib: cli: Add accessor function smb2cli_tcon_flags() to get tcon flags.
We need this to see if a share supports access-based enumeration.

https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-14 15:58:19 +02:00
Volker Lendecke
8eedd5c48b libdap: Fix a '\0' vs NULL mixup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-10-14 02:19:14 +02:00
Richard Sharpe
9893888c51 Change the libreadline word-break character set to only space, TAB and NL so that we can attempt to do tab completion across backslashes.
This turned out to be all that was needed to enable cd to handle multiple
directory levels.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  7 04:16:24 CEST 2015 on sn-devel-104
2015-10-07 04:16:24 +02:00
Volker Lendecke
de421d8826 lib: Remove unused sid_blob_parse
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Volker Lendecke
4a442e2eb7 lib: Make sid_parse take a uint8_t
sid_parse takes a binary blob, uint8_t reflects this a bit
better than char * does

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Volker Lendecke
796c77d43d lib: Use dom_sid_equal where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-08-20 12:49:22 +02:00
Stefan Metzmacher
05dbd3b47a libcli/smb: prefer AES128_CCM
Callgrind showed that we use 28,165,720,719 cpu cycles to send
a 100MB file to a client using aes-ccm.

With aes-gcm this is raises up to 723,094,413,831 cpu cycles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-17 17:43:36 +02:00
Volker Lendecke
e6c8452093 libcli: Use iov_buflen in smb2_signing.c
This gives us overflow protection.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Aug 14 13:56:49 CEST 2015 on sn-devel-104
2015-08-14 13:56:49 +02:00
Volker Lendecke
5d141a32f3 lib: Remove some unused code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2015-08-14 07:46:12 +02:00
Volker Lendecke
f0f23d6a92 lib: Remove some unused code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2015-08-14 07:46:12 +02:00
Michael Adam
204cbe3645 Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:27 +02:00
Stefan Metzmacher
7e095eb334 libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
This maps to NT_STATUS_CONNECTION_DISCONNECTED instead of
NT_STATUS_IO_DEVICE_ERROR.

EPIPE, NT_STATUS_CONNECTION_DISCONNECTED matches what other tstream backends
e.g. tcp and unix report.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Volker Lendecke
994d08e420 libsmb: Streamline smb1cli_trans a bit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-06-26 19:32:19 +02:00
Jeremy Allison
95fc7fbe82 lib: ldap: Properly check talloc error returns.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 16 04:16:13 CEST 2015 on sn-devel-104
2015-06-16 04:16:13 +02:00
Stefan Metzmacher
006042ac12 libcli/smb: make sure we remove the writev_send() request when a request is destroyed
This way smbXcli_conn_disconnect() removes all tevent_fd structures attached to
the sock_fd before closing it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
f3982eb2c7 libcli/smb: add smb1 requests to the pending array before writev_send()
This way we have a change to destroy the pending writev_send request before
closing the socket in smbXcli_conn_disconnect().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
5933843427 libcli/smb: make sure the writev_send of smbXcli_conn_samba_suicide() is removed before closing the socket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
8f42df235d libcli/smb: remove unused split of read_fd and write_fd
The tevent epoll backend supports separate read and write tevent_fd structure
on a single fd, so there's no need for a dup() anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
46e1aa22b1 libcli/smb: close the socket fd at the end of smbXcli_conn_disconnect()
We need to cancel all pending requests before closing the socket fds,
otherwise we cause problem with the interaction with the epoll event backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
26c4b3fc9d libcli/smb: use tevent_req_received(req) in read_smb_recv()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-12 17:08:18 +02:00
Stefan Metzmacher
fcf0d3ebef libcli/named_pipe_auth: call smb_set_close_on_exec() in tstream_npa_socketpair()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11312

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-06-05 14:33:19 +02:00
Volker Lendecke
ab26e84da1 tstream: Make socketpair nonblocking
When we have a large RPC reply, we can't block in the RPC server.

Test: Do rpcclient netshareenumall with a thousand shares defined

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-04 01:02:26 +02:00
Stefan Metzmacher
477ecfbdaf libcli/smb: In CCM and GCM mode we can't reuse nonces
Reuse of nonces with AES-CCM and AES-GCM leads to catastrophic failure,
so make sure the server drops the connection if that ever happens.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
2015-05-29 19:50:25 +02:00