1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

20 Commits

Author SHA1 Message Date
Stefan Metzmacher
0ac7106104 s3:smbd: really support AES-256* in the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184
2021-07-20 16:13:28 +00:00
Stefan Metzmacher
407b458242 s4:torture/smb2: add tests to check all signing and encryption algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
Stefan Metzmacher
898caeae63 s3:smbd: improve the error returns for invalid session binding requests
This brings us closer to what a Windows Server with GMAC signing
returns.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:32 +00:00
Stefan Metzmacher
1025e1bfea s4:torture: more smb2.session.bind_negative_smb3* combinations
This tests all kind of signing/encryption algorithm mismatches
and passes against Windows with GMAC signing support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:32 +00:00
Stefan Metzmacher
95a3bf5888 s3:smbd: fallback to smb2srv_session_lookup_global() for session setups with failed signing
The motivation is to get the same error responses as a windows server.

We already fallback to smb2srv_session_lookup_global() in other places
where we don't have a valid session in the current smbd process.

If signing is failing while verifying a session setup request,
we should do the same if we don't have a valid channel binding
for the connection yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:31 +00:00
Stefan Metzmacher
aa29d89942 s3:smbd: fix a NULL pointer deference caused by smb2srv_update_crypto_flags()
When we used a fake session structure from
smb2srv_session_lookup_global() there's no point in updating
any database.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:31 +00:00
Stefan Metzmacher
2b36af83f6 s3:smbd: let smb2srv_session_lookup_global() clear the signing/encryption_flags
When we make use of this we only in order to provide the correct
error codes anyway.

This actually fixes even more error codes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:31 +00:00
Stefan Metzmacher
a262568eaa s4:torture: let smb2.session.bind_negative_* tests also use a different client guid
Testing also with a different client guid between channels
triggers (at least in samba) a different code path compaired
to the tests using the same client guid.

Testing both already revealed a bug.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:31 +00:00
Stefan Metzmacher
66673f08f7 s4:torture: let smb2.session.bind_negative_* also test without session keys
This checks the result of a 2nd session setup without the BIND flags
and also without signing being already enabled.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 00:06:31 +00:00
Stefan Metzmacher
a19180904e smbXsrv_session: smbXsrv_session_remove_channel() should also remove the last channel
There's nothing special regarding the last channel,
as the smb2.session.bind2 test demonstrates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
87b8049320 s4:torture/smb2: add smb2.session.bind2
This demonstrates that a session and it's open handles is destroyed
when the last explicitly bound channel gets disconnected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
8f43c15f62 smb2_sesssetup: validate that sign_algo and encryption_cipher match on a session bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 17 01:56:37 UTC 2021 on sn-devel-184
2021-03-17 01:56:37 +00:00
Stefan Metzmacher
4ab1b29d5d smb2_sesssetup: a session bind with a different user results in ACCESS_DENIED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
7733f98f69 smb2_sesssetup: a bind dialect mismatch should always result in INVALID_PARAMETER
The ACCESS_DENIED errors happened as we didn't expected to signing
algo is attached to the session key. So our client calculated the
wrong signature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
fd9191fb9c smb2_sesssetup: only set NT_STATUS_MORE_PROCESSING_REQUIRED if a reauth can start
When the session is not valid on the current connection it should not be
possible to start a reauth.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
d95e90fe46 smb2_sesssetup: don't shutdown a session on failure when it's not valid yet on the connection
If someone tries to operate on a session that is not yet valid on the
current connection and the current session setup fails, then we should
not shutdown the session.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
b8ccd2391a smb2_server: fallback global session lookup if the session belongs to a different client
The key is that we need to have the signing key in order to pass the
signing checks and give the correct session bind error status.

This should fix the MultipleChannel_Negative_SMB2002 testcase
of the Windows Protocol Test Suite (FileServer).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reported-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
c4bec67f06 s3:selftest: pass alice credentials to the smb2.session tests for ad_dc
This allows us to test session binds with different users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
2045008995 s4:torture/smb2: add smb2.session.bind_{invalid_auth,different_user}
These demonstrate that a failing bind does not destroy
the existing session and binding with a different user results
in ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
457b989881 s4:torture/smb2: add smb2.session.bind_negative_{smb202,smb210,smb2to3,smb3to2,smb3to3}
'smb2.session.bind_negative_smb202' is similar to the MultipleChannel_Negative_SMB2002 test
from the Windows Protocol Test Suite.

It demonstrates that the server needs to do lookup
in the global session table in order to get the signing
and error code of invalid session setups correct.

In order to work out the details I've added more similar tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00