1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

237 Commits

Author SHA1 Message Date
Stefan Metzmacher
a095a2d960 libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
It will be used in smb2cli_read.c soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1faf15b3d0)
2021-08-12 08:41:09 +00:00
Jeremy Allison
0abb5ca6b9 libcli/smb: Allow smb2cli_validate_negotiate_info_done() to ignore NT_STATUS_INVALID_PARAMETER.
This can be returned from NetApp Ontap 7.3.7 SMB server
implementations. Now we have ensured smb2_signing_check_pdu()
cannot return NT_STATUS_INVALID_PARAMETER on a signing error
it's safe to check this error code here. Windows 10
clients ignore this error from the NetApp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-01-15 07:26:29 +00:00
Stefan Metzmacher
560e4b1b32 libcli/smb: add smbXcli_conn_send_queue()
This is useful in order to test async requests
tevent_queue_wait_send/recv() can be used to block
the queue between requests or wait for the queue to be flushed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-17 13:59:38 +00:00
Andreas Schneider
8d5d968dde libcli:smb: Check return code of set_blocking
Found by covscan.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-26 06:52:41 +00:00
Isaac Boukris
f0f8de9d4a Add smb2cli_session_get_encryption_cipher()
When 'session->smb2->should_encrypt' is true, the client MUST encrypt
all transport messages (see also MS-SMB2 3.2.4.1.8).

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-06 10:02:35 +00:00
Volker Lendecke
666d2a38fc libcli: Use GUID_to_ndr_buf() in smb2cli_validate_negotiate_info_send()
Avoid a talloc/free

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct  2 22:50:43 UTC 2020 on sn-devel-184
2020-10-02 22:50:43 +00:00
Volker Lendecke
63ab004e38 libcli: Use GUID_to_ndr_buf() in smbXcli_negprot_smb2_subreq()
Avoid a talloc/free

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:34 +00:00
Christof Schmitt
37a51b105b libcli: Use NT_STATUS_PENDING instead of STATUS_PENDING
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-06-22 12:07:38 +00:00
Volker Lendecke
7e73527ad3 libcli: Slightly simplify smb2cli_req_recv() with an early return
One if-condition less

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-06-15 17:59:39 +00:00
Volker Lendecke
0e50ed1936 libsmb: Make sure that the TCP socket is non-blocking
All traffic goes through smbXcli_base.c, and that is prepared to deal
with short writes via the conn->outgoing queue. Instead of making sure
that all callers properly set the socket nonblocking, do it here, so
that we can later optimize sending out data to the server.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-03-25 09:04:28 +00:00
Andreas Schneider
454ed53221 libcli:smb: Prefer AES-GCM over AES-CCM with GnuTLS
The AES-GCM implementation in GnuTLS is faster.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adapted to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-27 04:44:41 +00:00
Andreas Schneider
eb65fe5505 libcli:smb: Use smb2_signing_key in smb2_signing_encrypt_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adaped to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-27 04:44:41 +00:00
Andreas Schneider
7f56e91dbe libcli:smb: Use smb2_signing_key in smb2_signing_decrypt_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adaped to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-27 04:44:41 +00:00
Andreas Schneider
87832f6140 libcli:smb: Use a smb2_signing_key for storing the decryption key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:32 +00:00
Andreas Schneider
48116a30d5 libcli:smb: Use a smb2_signing_key for storing the encryption key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:31 +00:00
Andreas Schneider
1b384f378c libcli:smb: Use GnuTLS for AES constants
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adapted to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:31 +00:00
Andreas Schneider
b2506f2407 libcli:smb: Use generate_nonce_buffer() for AES-CCM and AES-GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-12 09:23:40 +00:00
Stefan Metzmacher
21f6cece54 libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID
Note: Unlike the current documentation, the utf16 string
is not null-terminated, that matches Windows Server 1903
as a client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14055
RN: Add the target server name of SMB 3.1.1 connections
as a hint to load balancers or servers with "multi-tenancy"
support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
2019-08-01 14:21:36 +00:00
Noel Power
6ea9c795b1 libcli/smb: clang: Fix ' 2nd function call argument is an uninitialized value'
Fixes:

/home/samba/samba/libcli/smb/smbXcli_base.c:5120:8: warning: 2nd function call argument is an uninitialized value <--[clang]
                rc = gnutls_hash(hash_hnd,

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-16 22:52:25 +00:00
Noel Power
fb49e411aa libcli/smb: clang: Fix 'Dereference of null pointer'
Fixes:

smbXcli_base.c:4885:20: warning: Dereference of null pointer <--[clang]
        body = (uint8_t *)iov[1].iov_base;
                          ^~~~~~~~~~~~~~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-16 22:52:25 +00:00
Noel Power
3594c3ae20 libcli/smb: clang: Fix 'Array access results in a null pointer deref'
Fixes:

smbXcli_base.c:4393:10: warning: Array access (from variable 'inhdr') results in a null pointer dereference <--[clang]
        flags = CVAL(inhdr, HDR_FLG);

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-16 22:52:24 +00:00
Noel Power
7a86c99ccb libcli/smb: clang: Fix 'array access results in a null pointer deref'
Fixes:

smbXcli_base.c:1239:9: warning: Array access (via field 'pending') results in a null pointer dereference <--[clang]
                req = conn->pending[0];
                      ^

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-16 22:52:24 +00:00
Andrew Bartlett
8f4c30f785 lib/crypto: move gnutls error wrapper to own subsystem
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-27 12:54:22 +00:00
Andreas Schneider
68d495cadb libcli:smb: Use gnutls_error_to_ntstatus() in smbXcli_base.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-24 06:11:17 +00:00
Andreas Schneider
d61601d44f libcli:smb: Return NSTATUS for smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-24 06:11:16 +00:00
Stefan Metzmacher
b336d09b7b libcli/smb: harden smbXcli_session_shallow_copy against nonce reusage
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 12 13:56:19 UTC 2019 on sn-devel-184
2019-06-12 13:56:19 +00:00
Stefan Metzmacher
317054f6eb libcli/smb: s/smbXcli_session_copy/smbXcli_session_shallow_copy
We should make clear that this is a function for testing only,
with possible strange side effects.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-12 12:42:26 +00:00
Andreas Schneider
1b46a10c16 libcli/smb: only fallback to the global smb2 signing key if we should sign
We should only sign if we're asked for it. The signing keys are
always generated, so we were always using global signing key
and signed with it when signing was not asked for.

By luck this was the correct signing key for the 1st channel.

But multi channel connections where broken is the server nor the client
require/desire signing. It seems the tests only ever run against
Windows domain controllers, which always require signing.

Note that the following code in smb2cli_req_create() makes
sure that we always sign session binds:

  if (cmd == SMB2_OP_SESSSETUP &&
      !smb2_signing_key_valid(session->smb2_channel.signing_key) &&
      smb2_signing_key_valid(session->smb2->signing_key))
  {
          /*
           * a session bind needs to be signed
           */
          state->smb2.should_sign = true;
  }

This removed a logic changed introduced in commit
17e22e020f. As

  if (!smb2_signing_key_valid(signing_key)) {

is not the same as:

  if (signing_key && signing_key->length == 0) {

it's the same as:

  if (signing_key == NULL || signing_key->length == 0) {

so we need:

  if (signing_key != NULL && !smb2_signing_key_valid(signing_key)) {

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2019-06-12 12:42:26 +00:00
Stefan Metzmacher
7b1eab1093 libcli/smb: make sure the session->{smb2->,smb2_channel.}signing_key is never NULL!
Before commit 17e22e020f they we not a
pointer and always be present.

We used the local pointer variable 'signing_key = NULL' and logic like
this:

    if (state->smb2.should_sign) {
        signing_key = state->session->smb2_channel.signing_key;
    }

    if (signing_key != NULL ...

In order to keep this we need to nake sure
state->session->smb2_channel.signing_key is never NULL!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-12 12:42:26 +00:00
Stefan Metzmacher
2ad02acf38 Revert "libcli:smb: Fix signing with multichannel"
This reverts commit 1817db965d.

This was pushed to fast, the corrected commit follows.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-12 12:42:26 +00:00
Stefan Metzmacher
824db29672 Revert "libcli/smb: add missing struct smb2_signing_key allocation in smb2cli_session_set_channel_key()"
This reverts commit 0875016654.

This was pushed to fast, the corrected commit follows.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-12 12:42:26 +00:00
Stefan Metzmacher
0875016654 libcli/smb: add missing struct smb2_signing_key allocation in smb2cli_session_set_channel_key()
This was missing in commit 17e22e020f
and causes all multi-channel tests to segfault.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 11 15:25:56 UTC 2019 on sn-devel-184
2019-06-11 15:25:56 +00:00
Andreas Schneider
1817db965d libcli:smb: Fix signing with multichannel
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-06-11 14:01:20 +00:00
Andreas Schneider
5a0516bee9 libcli:smb: Return NTSTATUS for smb_key_derivation()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:21 +00:00
Andreas Schneider
754e155183 libcli:smb: Return NTSTATUS for smb_signing_sign_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:21 +00:00
Andreas Schneider
d2a4088cc3 libcli:smb: Use GnuTLS SHA512 in smbXcli_base
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-07 03:04:28 +00:00
Andreas Schneider
015e4d2dc2 libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:28 +00:00
Andreas Schneider
dcf37228e1 libcli:smb: Use smb2_signing_key for smb2_signing_sign_pdu()
This caches the gnutls hmac handle in the struct so we only allocate it
once.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:28 +00:00
Andreas Schneider
3f252816ad libcli:smb: Add smb2_signing_key_destructor()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:28 +00:00
Andreas Schneider
17e22e020f libcli:smb: Use 'struct smb2_signing_key' in smbXcli_base.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:28 +00:00
Philipp Gesang
865b7b0c7d libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response
Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES
structures containing DataLength field that includes the padding
[0]. Microsoft has since clarified that only values smaller than
the size are considered invalid [1].

While parsing the NegotiateContext it is ensured that DataLength
does not exceed the message bounds. Also, the value is not
actually used anywhere outside the validation. Thus values
greater than the actual data size are safe to use. This patch
makes Samba fail only on values that are too small for the (fixed
size) payload.

[0] https://lists.samba.org/archive/samba/2019-February/221139.html
[1] https://lists.samba.org/archive/cifs-protocol/2019-March/003210.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13869

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Mar 31 01:11:09 UTC 2019 on sn-devel-144
2019-03-31 01:11:09 +00:00
Andreas Schneider
3eee4394cb libcli: Use a define for the SMB_SUICIDE_PACKET
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-21 20:38:32 +00:00
Volker Lendecke
e8e9677154 libcli: Pass buf/len to smb2_negotiate_context_add
Every caller did a data_blob_const() right before calling
smb2_negotiate_context_add(). Avoid that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 25 21:07:22 CET 2019 on sn-devel-144
2019-02-25 21:07:22 +01:00
Aurelien Aptel
67825c9647 libcli: add getters for smb2 {signing,encryption,decryption} keys
Adds:
- smb2cli_session_signing_key()
- smb2cli_session_encryption_key()
- smb2cli_session_decryption_key()

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2019-02-09 18:30:14 +01:00
Andreas Schneider
6a332618b6 libcli:smb: Use C99 initializer for derivation in smbXcli_base
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-01-28 10:29:26 +01:00
Tim Beale
bf229de792 libcli: Add error log if insufficient SMB2 credits
Although it's unusual to hit this case, I was seeing it happen while
working on the SMB python bindings. Even with debug level 10, there was
nothing coming out to help pin down the source of the
NT_STATUS_INTERNAL_ERROR.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-01-09 22:39:26 +01:00
Ralph Boehme
5a8583ed70 libcli/smb: don't overwrite status code
The original commit c5cd22b5bb from bug
9175 never worked, as the preceeding signing check overwrote the status
variable.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
2018-11-13 17:28:45 +01:00
Ralph Boehme
53fe148476 libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-11-13 11:13:03 +01:00
Ralph Boehme
7abf390021 libcli/smb: defer singing check a little bit
This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-11-13 11:13:03 +01:00
Ralph Boehme
67cfb01611 libcli/smb: maintain require_signed_response in smbXcli_req_state
Not used for now, that comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-11-13 11:13:03 +01:00