[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Tue Nov 13 13:23:01 UTC 2018
The branch, master has been updated
via bb93e691ca9 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd
via 181f18c4bf7 s4:torture/smb2/session: session reauth response must be signed
via 5fdea4095ac s4:torture/smb2/session: add force_signing to test_session_expire1i
via ffc424ee6be s4:torture/smb2/session: require a signed session setup reauth response
via 368e1860654 s4:torture/smb2/session: invalidate credential cache
via 53fe148476a libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
via 7abf3900218 libcli/smb: defer singing check a little bit
via 67cfb016118 libcli/smb: maintain require_signed_response in smbXcli_req_state
via d407201d9bd libcli/smb: add smb2cli_session_require_signed_response()
via b86c94f0b92 s3:selftest: also run smb2.session torture testsuite against ad_member
via d0a8899ed57 s3:selftest: split "raw.session" and "smb2.session"
from 9f5768106fd replace: Add check for variable program_invocation_short_name
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bb93e691ca9b1922bf552363a1e7d70792749d67
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 17:31:41 2018 +0100
s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd
We talloc_move() session_info to session->global->auth_session_info
which sets session_info to NULL.
This means security_session_user_level(NULL, NULL) will always return
SECURITY_ANONYMOUS so we never sign the session setup response.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144
commit 181f18c4bf70754a6f3132375d06250baab2871b
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:39:41 2018 +0100
s4:torture/smb2/session: session reauth response must be signed
This test checks that a session setup reauth is signed even when neither
client nor server require signing.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5fdea4095ac82536192c8d91c411b22e2683a5c1
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:19:16 2018 +0100
s4:torture/smb2/session: add force_signing to test_session_expire1i
Existing callers pass true, so no change in behaviour. The next commit
adds an additional test that passes force_signing=false.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ffc424ee6bedc3c208acb4c0c83da836a12d6123
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:34:24 2018 +0100
s4:torture/smb2/session: require a signed session setup reauth response
All existing tests using this function require signing, so currently
this passes. A subsequent commit adds a test where neither client nor
server require signing and that's where this trap will explode.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 368e1860654e737aa2fa9516cdd3668fa644009a
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 15:42:46 2018 +0100
s4:torture/smb2/session: invalidate credential cache
Invalidate credential cache before connecting to the server, otherwise
we will reuse the credentials from the credential cache populated by the
preceeding tests.
Also invalidate it at the end, otherwise subsequent tests might run into
problems if the credentials expire while authenticating.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc
Author: Ralph Boehme <slow at samba.org>
Date: Sat Nov 10 22:00:04 2018 +0100
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7abf3900218e3d27c075b405735b2c38ec0fc4ca
Author: Ralph Boehme <slow at samba.org>
Date: Sat Nov 10 21:56:28 2018 +0100
libcli/smb: defer singing check a little bit
This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 67cfb01611869b7590ccd836dd13a80e53545714
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:26:44 2018 +0100
libcli/smb: maintain require_signed_response in smbXcli_req_state
Not used for now, that comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d407201d9bd4ee5ae5609dd107e3ab9ee7afbeb0
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:17:19 2018 +0100
libcli/smb: add smb2cli_session_require_signed_response()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b86c94f0b929f2d9e521d41396c4e1611f5a4c5b
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:33:29 2018 +0100
s3:selftest: also run smb2.session torture testsuite against ad_member
The next commit adds a subtest to the smb2.session testsuite that
requires Kerberos (ad_dc would work), but where neither SMB2 server or
client must require signing (ad_dc, being an AD DC, requires signing).
The ad_member environment supports Kerberos with the SMB2 server not
mandating signing, that'll do.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d0a8899ed57c2b368c3870b3899a3422251222aa
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 16:24:45 2018 +0100
s3:selftest: split "raw.session" and "smb2.session"
The next commit is going to add a testsuite to "smb2.session".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smbXcli_base.c | 37 +++++++++++++++++++++++++++++++------
libcli/smb/smbXcli_base.h | 2 ++
source3/selftest/tests.py | 8 +++++++-
source3/smbd/smb2_sesssetup.c | 8 ++++----
source4/torture/smb2/session.c | 31 ++++++++++++++++++++++++++++++-
5 files changed, 74 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 9edb6292777..d0cc33b8b05 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -161,6 +161,7 @@ struct smb2cli_session {
uint64_t nonce_low;
uint16_t channel_sequence;
bool replay_active;
+ bool require_signed_response;
};
struct smbXcli_session {
@@ -289,6 +290,7 @@ struct smbXcli_req_state {
uint64_t encryption_session_id;
bool signing_skipped;
+ bool require_signed_response;
bool notify_async;
bool got_async;
uint16_t cancel_flags;
@@ -2962,6 +2964,8 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
state->smb2.should_sign = session->smb2->should_sign;
state->smb2.should_encrypt = session->smb2->should_encrypt;
+ state->smb2.require_signed_response =
+ session->smb2->require_signed_response;
if (cmd == SMB2_OP_SESSSETUP &&
session->smb2_channel.signing_key.length == 0 &&
@@ -3749,12 +3753,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
}
last_session = session;
- if (state->smb2.should_sign) {
- if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
if (flags & SMB2_HDR_FLAG_SIGNED) {
uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
@@ -3801,6 +3799,27 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
*/
signing_key = NULL;
}
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Only check the signature of the last response
+ * of a successfull session auth. This matches
+ * Windows behaviour for NTLM auth and reauth.
+ */
+ state->smb2.require_signed_response = false;
+ }
+ }
+
+ if (state->smb2.should_sign ||
+ state->smb2.require_signed_response)
+ {
+ if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (signing_key == NULL && state->smb2.require_signed_response) {
+ signing_key = &session->smb2_channel.signing_key;
}
if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
@@ -5719,6 +5738,12 @@ void smb2cli_session_stop_replay(struct smbXcli_session *session)
session->smb2->replay_active = false;
}
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response)
+{
+ session->smb2->require_signed_response = require_signed_response;
+}
+
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov)
{
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 536c7ab60f4..42c2519c7ff 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -492,6 +492,8 @@ uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
uint16_t smb2cli_session_current_channel_sequence(struct smbXcli_session *session);
void smb2cli_session_start_replay(struct smbXcli_session *session);
void smb2cli_session_stop_replay(struct smbXcli_session *session);
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response);
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov);
NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 98d13d3c4f7..f3c5c39664b 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -503,11 +503,17 @@ for t in tests:
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "simpleserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
- elif t == "raw.session" or t == "smb2.session":
+ elif t == "raw.session":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+ elif t == "smb2.session":
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+ plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
elif t == "rpc.lsa":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index fe5835b83f3..5420d4f09bb 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -525,6 +525,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
reload_services(smb2req->sconn, conn_snum_used, true);
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
session->status = NT_STATUS_OK;
TALLOC_FREE(session->global->auth_session_info);
session->global->auth_session_info = talloc_move(session->global,
@@ -551,10 +555,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid);
- if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
- smb2req->do_signing = true;
- }
-
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 7dc9ba19ee6..57a5addcfcc 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1047,6 +1047,7 @@ done:
static bool test_session_expire1i(struct torture_context *tctx,
+ bool force_signing,
bool force_encryption)
{
NTSTATUS status;
@@ -1073,10 +1074,14 @@ static bool test_session_expire1i(struct torture_context *tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
- options.signing = SMB_SIGNING_REQUIRED;
+ if (force_signing) {
+ options.signing = SMB_SIGNING_REQUIRED;
+ }
status = smb2_connect(tctx,
host,
@@ -1152,12 +1157,20 @@ static bool test_session_expire1i(struct torture_context *tctx,
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+ if (!force_encryption) {
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, true);
+ }
+
torture_comment(tctx, "reauth => OK\n");
status = smb2_session_setup_spnego(tree->session,
credentials,
0 /* previous_session_id */);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"smb2_session_setup_spnego failed");
+
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, false);
}
ZERO_STRUCT(qfinfo.access_information.out);
@@ -1167,6 +1180,8 @@ static bool test_session_expire1i(struct torture_context *tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1176,15 +1191,24 @@ done:
return ret;
}
+static bool test_session_expire1n(struct torture_context *tctx)
+{
+ return test_session_expire1i(tctx,
+ false, /* force_signing */
+ false); /* force_encryption */
+}
+
static bool test_session_expire1s(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
false); /* force_encryption */
}
static bool test_session_expire1e(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
true); /* force_encryption */
}
@@ -1236,6 +1260,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
@@ -1547,6 +1573,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1721,6 +1749,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
+ torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
--
Samba Shared Repository
More information about the samba-cvs
mailing list