1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

81 Commits

Author SHA1 Message Date
Jeremy Allison
836219c479 s3: smbd: Change reply_smb20xx() to return NTSTATUS.
Not yet used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-12-04 20:02:40 +00:00
Andreas Schneider
2ee1764ca8 s3:smbd: Prefer AES-GCM over AES-CCM with GnuTLS
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adapted to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-27 04:44:41 +00:00
Volker Lendecke
e8e9677154 libcli: Pass buf/len to smb2_negotiate_context_add
Every caller did a data_blob_const() right before calling
smb2_negotiate_context_add(). Avoid that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 25 21:07:22 CET 2019 on sn-devel-144
2019-02-25 21:07:22 +01:00
Volker Lendecke
2bd6f57c65 smbd: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-02-25 19:36:19 +01:00
Jeremy Allison
8dabcf8948 s3: debug: smb2: Create a new DBGC_SMB2 debug class and mark all smbd/smb2_*.c files with it.
Will allow easier smb2-specific debugging.

https://bugzilla.samba.org/show_bug.cgi?id=13347

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2018-03-22 02:15:13 +01:00
Volker Lendecke
dea1881fc5 smbd: Remove an indentation level in smb2_negprot
Do an early return. Best viewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-27 20:33:25 +02:00
Ralph Boehme
6ae63d42f5 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of setting

[Global]
  smb encrypt = off

[share]
  smb encrypt = required

must be to completely deny access to the share "share".

This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-27 22:00:17 +01:00
Ralph Boehme
a2c59d3e45 smbd: use remote arch caching
We're using the client guid as gencache db key, so this can only be used
with SMB 2_10 or higher.

The idea is that whenever we get a direct SMB2 negprot, we can then try
to see if a value is cached for the client's guid.

When a user logs off the cache entry is deleted.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-05-04 01:28:22 +02:00
Stefan Metzmacher
5cb4ee27f8 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.

The main logic for this hides in lpcfg_server_signing_allowed().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Justin Maggard
b69b96fc14 s3:smbd: rework negprot remote arch detection
Negprot remote arch detection is very cryptic.  Rework it so it's easier
to understand, and therefore more extensible, following the protocol table
in inline comments.  This also allows us to remove some hacks.

Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 05:50:17 +01:00
Michael Adam
7a890a7855 smbd:smb2_negprot: implement connection passing based on client_guid
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-01-26 15:58:11 +01:00
Michael Adam
91770e3fa7 s3:smb2_negprot: announce multi channel support (disabled)
This disabled for now. Will be enabled by config setting
once underpinnings are ready.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-01-23 00:08:36 +01:00
Ralph Boehme
1bb46dae82 s3:smb3: rename smbd_smb2_first_negprot and pass expected seq_low
This is in preperation of connection passing where we have to set
seq_low to the mid from the negprot we've handed over.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Oct  7 00:54:34 CEST 2015 on sn-devel-104
2015-10-07 00:54:34 +02:00
Stefan Metzmacher
bd0ec51cfc s3:smb2_negprot: prefer AES128_CCM if the client supports it
Callgrind showed that we use 28,165,720,719 cpu cycles to send
a 100MB file to a client using aes-ccm.

With aes-gcm this is raises up to 723,094,413,831 cpu cycles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-17 17:43:36 +02:00
Jeremy Allison
cd570757c8 s3: smbd - Fix SMB3.11 protocol encryption selection.
Selecting encryption in 3.11 depends on the negprot contexts being present.
Setting SMB2_CAP_ENCRYPTION from the 3.11 client is optional. The absence
of it should not remove the negprot context.

Found by the Microsoft testsuites at the Redmond plugfest.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 04:09:04 CEST 2015 on sn-devel-104
2015-06-18 04:09:04 +02:00
Stefan Metzmacher
8a56fab24d s3:smb2_negprot: add support for negotiating SMB 3.1.0 and SMB 3.1.1
Note: SMB 3.1.0 was used in a early preview versions of Windows 10.
Was later superseded by 3.1.1.

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2015-05-08 13:00:28 +02:00
Michael Adam
08845ad616 s3:smb2_negprot.c: add support SMB 3.1 negotiate contexts
Used for:
- preauthentication validation
- negotiation of ciphers for sigingn and encryprtion

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2015-05-08 13:00:28 +02:00
Stefan Metzmacher
02b223ced3 s3:smb2_negprot: add support for negotiating SMB 3.0.2
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2015-05-08 13:00:28 +02:00
Volker Lendecke
53486f00e9 smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-26 03:02:07 +01:00
Jeremy Allison
eb05766a8c Revert "s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED."
Even though the MS-SMB2 spec says so, Windows doesn't behave
like this.

This reverts commit 1cea6e5b6f.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
2015-02-23 22:32:48 +01:00
Jeremy Allison
1cea6e5b6f s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED.
Bug 11103:  - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client

https://bugzilla.samba.org/show_bug.cgi?id=11103

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <smfrench@gmail.com>
2015-02-19 20:42:07 +01:00
Jeremy Allison
556bf2ee00 s3:smb2_negprot: announce support for SMB2.1 leases.
We only do this with "smb2 leases = yes"
and the default values for "oplocks = yes"
and "kernel oplocks = no".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-04 05:45:10 +01:00
Stefan Metzmacher
b4604590b0 s3:smb2_negprot: remember xconn->smb2.server.cipher
For now we always use SMB2_ENCRYPTION_AES128_CCM or 0.
0 is the indication that we don't support encryption on the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-10-16 19:30:04 +02:00
Stefan Metzmacher
760f23a8e2 s3:smb2_negprot: allow really large io sizes up to allmost 16MB
The default is still 8MB (as on Windows 2012 *).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-09-30 23:35:08 +02:00
Michael Adam
d7d70c0d3c smbd:smb2: improve smbd_smb2_protocol_dialect_match(), removing code duplication
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-09-27 10:17:05 +02:00
Stefan Metzmacher
e9fb54c1ec s3:smbd: pass smbXsrv_connection to negprot_spnego()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
888ddd171a s3:smb2_negprot: remove NBT_HDR_SIZE from smbd_smb2_first_negprot()
This will simplify future features like multi-channel and rdma.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
c9e171ff72 s3:smb2_*: make use of smb2req->xconn where possible
We need to use the connection that is used by the current request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
3a622c785c s3:smb2_server: pass smbXsrv_connection to smbd_smb2_first_negprot()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:12 +02:00
Stefan Metzmacher
36e3484260 s3:smb2_server: move sconn->smb2.*credits* to xconn->smb2.credits.*
This prepares the structures for multi-channel support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
4f3f889dcd s3:smb2_negprot: remove unused variable 'conn' we already have 'xconn'...
We don't need two helper variables for the same thing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
e79b011434 s3:smb2_server: use xconn->smb2.server.max_* instead of sconn->smb2.max_*
We don't need this twice...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
ce76a40956 s3:smb2_server: move sconn->smb2.negprot_2ff to xconn->smb2.allow_2ff
This prepares the structures for multi-channel support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
1000e424fc s3:smb2_negprot: allow "smb max {read,write,trans}" up to 8MiB
This matches Windows 2012R2.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-07-11 02:32:08 +02:00
Ira Cooper
6221937aca s3: Refactor smbd_smb2_request_process_negprot
Breakout smb2_protocol_dialect_match to support future work in
fsctl_validate_neg_info.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-06-23 11:59:10 +02:00
Stefan Metzmacher
59c185bf54 s3:smb2_negprot: make use of smbd_smb2_generate_outbody()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-03-05 13:59:22 -08:00
Garming Sam
fc111c7875 param: rename lp function and variable from "srv_minprotocol" to "server_min_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Garming Sam
64dc4b59f8 param: rename lp function and variable from "srv_maxprotocol" to "server_max_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Stefan Metzmacher
5d721de7fd s3:smb2_negprot: set the 'remote_proto' value
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-09 09:11:20 +01:00
Jeremy Allison
49a335731a Revert "Fix bug #9222 - smbd ignores the "server signing = no" setting for SMB2."
This reverts commit dfd3c31a3f.

As Metze pointed out:

From MS-SMB2 section 2.2.4:

SMB2_NEGOTIATE_SIGNING_ENABLED

When set, indicates that security signatures are enabled
on the server. The server MUST set this bit, and the client MUST return
STATUS_INVALID_NETWORK_RESPONSE if the flag is missing.

I'll submit a documentation bug to fix #9222 that way.
2012-10-03 12:50:42 -07:00
Jeremy Allison
dfd3c31a3f Fix bug #9222 - smbd ignores the "server signing = no" setting for SMB2.
Still sign if client request is signed, just don't negotiate it in
negprot or sessionsetup.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  3 00:59:42 CEST 2012 on sn-devel-104
2012-10-03 00:59:42 +02:00
Volker Lendecke
e0de443af8 s3: Slightly simplify smbd_smb2_request_process_negprot
Remove a nested if-statement
2012-09-25 22:41:51 +02:00
Stefan Metzmacher
45471f4d8f s3:smb2_negprot: annouce/negotiate SMB3 encryption support
metze
2012-08-17 14:51:57 +02:00
Stefan Metzmacher
e9a21e5c8b s3:smb2_negprot: make use of SMBD_SMB2_* macros
metze
2012-08-05 20:55:39 +02:00
Stefan Metzmacher
a67daa3aa6 s3:smb2_negprot: return the current system time in the SMB2 NEGPROT response
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 26 11:56:02 CEST 2012 on sn-devel-104
2012-07-26 11:56:02 +02:00
Stefan Metzmacher
5b7f5d02b5 s3:smb2_negprot: support SMB2_CAP_LARGE_MTU on everything but port 139
In future we'll have other transports like RDMA.
This makes NBT (tcp port 139) special instead of port 445.

metze
2012-06-29 00:14:56 +02:00
Jeremy Allison
6cef2a613c Fix warning: variable ‘in_start_time’ set but not used. 2012-06-19 10:27:23 -07:00
Stefan Metzmacher
b3235d483d s3:smbd: introduce struct smbXsrv_connection
This will represent a transport connection for SMB 1 or 2
in the server. smbd_server_connection will slowly be moved
to the SMB_VFS layer to satisfy the existing modules,
but it will hopefully be protocol independend in future.

metze
2012-05-12 01:01:34 +02:00
Stefan Metzmacher
c8a3c0e0f7 s3:smb2_negprot: setup the protocol at the end of the negprot with a real dialect
metze
2012-05-12 01:01:34 +02:00
Stefan Metzmacher
1512ec7772 s3:smb2_negprot: add support for PROTOCOL_SMB3_00
metze
2012-05-06 14:50:39 +02:00