[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Wed Oct 10 15:26:02 UTC 2018


The branch, v4-8-test has been updated
       via  fd01706 smb2_server: set req->do_encryption = true earlier
       via  5a77625 s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion
      from  2d79c2e ctdb-tests: Drop code for RECEIVE_RECORDS control

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit fd017065e0178e73c9c76a0a796356e078aae77a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 17 11:35:41 2018 +0200

    smb2_server: set req->do_encryption = true earlier
    
    The STATUS_SESSION_EXPIRED error was returned unencrypted
    even when the request was encrypted.
    
    If clients use SMB3 encryption and the kerberos authenticated session
    expires, clients disconnect the connection instead of doing a reauthentication.
    
    From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/
    
      The sender encrypts the message if any of the following conditions is
      satisfied:
    
        - If the sender is sending a response to an encrypted request.
        - If Session.EncryptData is TRUE and the request or response being
          sent is not NEGOTIATE.
        - If Session.EncryptData is FALSE, the request or response being sent
          is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and
          <TreeConnect|Share>.EncryptData is TRUE.
    
    [MS-SMB2] 3.3.4.1.4 Encrypting the Message
    
     If Connection.Dialect belongs to the SMB 3.x dialect family and
     Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION
     bit, the server MUST encrypt the message before sending, if any of the
     following conditions are satisfied:
    
     - If the message being sent is any response to a client request for which
       Request.IsEncrypted is TRUE.
    
     - If Session.EncryptData is TRUE and the response being sent is not
       SMB2_NEGOTIATE or SMB2 SESSION_SETUP.
    
     - If Session.EncryptData is FALSE, the response being sent is not
       SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and
       Share.EncryptData for the share associated with the TreeId in the SMB2
       header of the response is TRUE.
    
     The server MUST encrypt the message as specified in section 3.1.4.3,
     before sending it to the client.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue Oct  2 14:11:30 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d)
    
    Autobuild-User(v4-8-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-8-test): Wed Oct 10 17:25:32 CEST 2018 on sn-devel-144

commit 5a77625fb86401f6300f3c45e2fbcaf295412ac6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 28 12:23:37 2018 +0200

    s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion
    
    This reproduces the problem we have with expired encrypted sessions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1)

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_server.c     | 15 ++++++++-----
 source4/torture/smb2/session.c | 50 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 56 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 177e5ff..af065e9 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2364,7 +2364,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 
 	req->async_internal = false;
 	req->do_signing = false;
-	req->do_encryption = false;
+	if (opcode != SMB2_OP_SESSSETUP) {
+		req->do_encryption = encryption_desired;
+	} else {
+		req->do_encryption = false;
+	}
 	req->was_encrypted = false;
 	if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
 		const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
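Review bot: The SESSION_SETUP carve-out at `if (opcode != SMB2_OP_SESSSETUP)` has no comment tying it to the rule it implements, and a later reader will be tempted to fold it back into a plain `req->do_encryption = encryption_desired;`. Suggest above the `if`: `/* [MS-SMB2] 3.3.4.1.4: Session.EncryptData never applies to a SESSION_SETUP response; only an encrypted request (was_encrypted, set below) makes one encrypted. */`. `encryption_desired` is read here before the transform-header check, so it must already be computed earlier in smbd_smb2_request_dispatch, outside this hunk, which I cannot confirm from the page. The function starts and ends outside the hunk.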
@@ -2388,9 +2392,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		}
 
 		req->was_encrypted = true;
+		req->do_encryption = true;
 	}
 
 	if (encryption_required && !req->was_encrypted) {
+		req->do_encryption = true;
 		return smbd_smb2_request_error(req,
 				NT_STATUS_ACCESS_DENIED);
 	}
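Review bot: The `req->do_encryption = true;` placed just before the NT_STATUS_ACCESS_DENIED error at the end of this hunk, and again before the same error in the next hunk's tcon check, is the core of the fix but says nothing about why a response to an unencrypted request is marked for encryption; a one-line `/* Session.EncryptData is TRUE, so even the rejection of an unencrypted request must go out encrypted */` would stop someone from "simplifying" it away. If `encryption_required` can be true before `req->session` is populated (not visible here), it is worth confirming that smbd_smb2_request_error still has the session keys to encrypt on that path. The enclosing function continues outside both ends of this hunk.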
@@ -2526,15 +2532,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 			encryption_required = true;
 		}
 		if (encryption_required && !req->was_encrypted) {
+			req->do_encryption = true;
 			return smbd_smb2_request_error(req,
 				NT_STATUS_ACCESS_DENIED);
+		} else if (encryption_desired) {
+			req->do_encryption = true;
 		}
 	}
 
-	if (req->was_encrypted || encryption_desired) {
-		req->do_encryption = true;
-	}
-
 	if (req->session) {
 		bool update_session_global = false;
 		bool update_tcon_global = false;
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index f3fa596..7dc9ba1 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1046,7 +1046,8 @@ done:
 }
 
 
-static bool test_session_expire1(struct torture_context *tctx)
+static bool test_session_expire1i(struct torture_context *tctx,
+				  bool force_encryption)
 {
 	NTSTATUS status;
 	bool ret = false;
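Review bot: `test_session_expire1i` gains a `force_encryption` parameter but no comment on what it selects, and the same applies to `test_session_expire2i` in the hunk where it is renamed. Suggest above the signature: `/* Shared body of expire1s/expire1e: with force_encryption the session is switched to SMB3 encryption right after connect, so per the commit message the expiry error is expected back encrypted. */`. The function body continues outside this hunk.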
@@ -1075,6 +1076,7 @@ static bool test_session_expire1(struct torture_context *tctx)
 	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
 
 	lpcfg_smbcli_options(tctx->lp_ctx, &options);
+	options.signing = SMB_SIGNING_REQUIRED;
 
 	status = smb2_connect(tctx,
 			      host,
@@ -1091,6 +1093,12 @@ static bool test_session_expire1(struct torture_context *tctx)
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_connect failed");
 
+	if (force_encryption) {
+		status = smb2cli_session_encryption_on(tree->session->smbXcli);
+		torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2cli_session_encryption_on failed");
+	}
+
 	/* Add some random component to the file name. */
 	snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
 		 generate_random_str(tctx, 8));
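Review bot: The `force_encryption` branch only switches encryption on and asserts nothing about how the expiry response arrives, so the regression described in the commit is caught only if the client side refuses an unencrypted response on an encryption-enabled session; the message says clients disconnect in that case, which suggests it does, but the hunk does not show it. A comment recording that reliance, e.g. `/* an unencrypted STATUS_SESSION_EXPIRED is expected to be rejected by the smbXcli layer, failing the test */`, would make the test's intent clear to the next maintainer. The same block is duplicated in the test_session_expire2i hunk below, and this function's body runs beyond the hunk.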
@@ -1168,7 +1176,20 @@ done:
 	return ret;
 }
 
-static bool test_session_expire2(struct torture_context *tctx)
+static bool test_session_expire1s(struct torture_context *tctx)
+{
+	return test_session_expire1i(tctx,
+				     false); /* force_encryption */
+}
+
+static bool test_session_expire1e(struct torture_context *tctx)
+{
+	return test_session_expire1i(tctx,
+				     true); /* force_encryption */
+}
+
+static bool test_session_expire2i(struct torture_context *tctx,
+				  bool force_encryption)
 {
 	NTSTATUS status;
 	bool ret = false;
@@ -1218,6 +1239,7 @@ static bool test_session_expire2(struct torture_context *tctx)
 	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
 
 	lpcfg_smbcli_options(tctx->lp_ctx, &options);
+	options.signing = SMB_SIGNING_REQUIRED;
 
 	unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
 	torture_assert(tctx, unc != NULL, "talloc_asprintf");
@@ -1237,6 +1259,12 @@ static bool test_session_expire2(struct torture_context *tctx)
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_connect failed");
 
+	if (force_encryption) {
+		status = smb2cli_session_encryption_on(tree->session->smbXcli);
+		torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2cli_session_encryption_on failed");
+	}
+
 	caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
 
 	/* Add some random component to the file name. */
@@ -1528,6 +1556,18 @@ done:
 	return ret;
 }
 
+static bool test_session_expire2s(struct torture_context *tctx)
+{
+	return test_session_expire2i(tctx,
+				     false); /* force_encryption */
+}
+
+static bool test_session_expire2e(struct torture_context *tctx)
+{
+	return test_session_expire2i(tctx,
+				     true); /* force_encryption */
+}
+
 bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
 {
 	const char *host = torture_setting_string(tctx, "host", NULL);
@@ -1681,8 +1721,10 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 	torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
 	torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
 	torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
-	torture_suite_add_simple_test(suite, "expire1", test_session_expire1);
-	torture_suite_add_simple_test(suite, "expire2", test_session_expire2);
+	torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
+	torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
+	torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
+	torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
 	torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
 
 	suite->description = talloc_strdup(suite, "SMB2-SESSION tests");

