[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jul 15 00:58:01 UTC 2021


The branch, master has been updated
       via  c5cd5c9d57b WHATSNEW: add client/server smb3 signing/encryption algorithms
       via  898caeae630 s3:smbd: improve the error returns for invalid session binding requests
       via  1025e1bfea0 s4:torture: more smb2.session.bind_negative_smb3* combinations
       via  8ace94498fb docs-xml: offer aes-128-gmac by default
       via  3f843e56a82 libcli/smb: add support for SMB2_SIGNING_AES128_GMAC
       via  220c019933e s4:torture: force AES_CMAC or HMAC_SHA256 for some SMB 3.1.1 tests
       via  982bdcf4270 libcli/smb: actually make use of "client/server smb3 signing algorithms"
       via  be71039be4e docs-xml: add "client/server smb3 signing algorithms" options
       via  4a61410f602 s3:smbd: prepare support for SMB2_SIGNING_CAPABILITIES
       via  3706b27a3bc libcli/smb: prepare support for SMB2_SIGNING_CAPABILITIES negotiation
       via  4d33b08c0fb libcli/smb: make sure smb2_signing_calc_signature() never generates a signature without a valid MID
       via  89f0552c5e0 libcli/smb: make sure we always send a valid MID in cancel PDUs
       via  e720ce4fadb libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED
       via  eeb09dfa6d7 libcli/smb: add smb2cli_conn_server_{signing,encryption}_algo()
       via  c363825557a s3:smbd: make sure we don't try to sign CANCEL response PDUs
       via  90bc67f3221 s3:smbd: make sure STATUS_PENDING responses are never signed
       via  b576123dd97 s3:smbstatus: pretty print the use of new signing/encryption algorithms
       via  f435de5917f s3:smbd: only allow cancel with the same session
       via  6447ae60b03 libcli/smb: add SMB2_SIGNING_CAPABILITIES related defines to smb2_constants.h
       via  6b775f030a8 libcli/smb: add SMB2_RDMA_TRANSFORM_CAPABILITIES related defines to smb2_constants.h
       via  24142c37964 libcli/smb: add SMB2_TRANSPORT_CAPABILITIES related defines to smb2_constants.h
       via  033716d9fdb lib/param: offer aes-256-{gcm,ccm} encryption by default
       via  d10153c8514 libcli/smb: add aes-256-{gcm,ccm} support to smb2_signing_[en|de]crypt_pdu()
       via  9b123bc97aa s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
       via  9e6d3df68db libcli/smb: add smb311_capabilities_check() helper
       via  cf1459f458b libcli/smb: let 'client smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
       via  71b06682b68 s3:smbd: make use of 'server smb3 encryption algorithms'
       via  e0ba6f40c90 s4:param: make use of 'client smb3 encryption algorithms'
       via  53e37124e8f s3:libsmb: make use of 'client smb3 encryption algorithms'
       via  374f26aafa8 libcli/smb: add helpers to parse client/server smb3 encryption algorithms into struct smb311_capabilities
       via  5ca01e48da3 docs-xml: add "client/server smb3 encryption algorithms" options
       via  a702d781864 smb2_negprot: make use of struct smb311_capabilities.encryption
       via  4a7bd4c0c56 WHATNEW: document "server multi channel support" change
       via  7f03d7c85e6 lib/param: enable "server multi channel support" by default on Linux and FreeBSD
       via  f627727898d lib/param: add lpcfg_parm_is_unspecified() helper
       via  95a3bf58881 s3:smbd: fallback to smb2srv_session_lookup_global() for session setups with failed signing
       via  f8f4a9faf09 s3:smbd: remove dead code from smbd_smb2_request_dispatch()
       via  1781910df6d s3:smbd: make sure smbXsrv_session_update() doesn't segfault with table == NULL
       via  aa29d899423 s3:smbd: fix a NULL pointer deference caused by smb2srv_update_crypto_flags()
       via  2b36af83f68 s3:smbd: let smb2srv_session_lookup_global() clear the signing/encryption_flags
       via  a262568eaab s4:torture: let smb2.session.bind_negative_* tests also use a different client guid
       via  66673f08f7c s4:torture: let smb2.session.bind_negative_* also test without session keys
       via  e25a9e8f4ec WHATSNEW: document the removal of SMB2_22, SMB2_24 and SMB3_10
       via  2a575dfd58b libcli/smb: remove unused PROTOCOL_SMB3_10 definition
       via  41cf9f8966e docs-xml: remove support for "SMB3_10"
       via  cb86d581737 libcli/smb: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
       via  7f8507332ea s3:smbd: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
       via  a12c4a7b528 libcli/smb: remove unused PROTOCOL_SMB2_24 definition
       via  fde7128b12f docs-xml: remove support for "SMB2_24"
       via  8a30ad66b8f libcli/smb: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
       via  880d2e18e13 s3:smbd: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
       via  8c05c979433 libcli/smb: remove unused PROTOCOL_SMB2_22 definition
       via  acb724c8b3e docs-xml: remove support for "SMB2_22"
       via  3c8067a63fc libcli/smb: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
       via  1cd3394d709 s3:smbd: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
       via  ea102d3b1b9 s3:torture: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
       via  2a16bb716b7 smb2_negprot: no longer use experimental dialects 2.2.2, 2.2.4, 3.1.0 on the wire
       via  7816d70f69b libcli/smb: no longer use experimental dialects 2.2.2, 2.2.4, 3.1.0 on the wire
       via  36023cb5f81 s4:torture:libsmbclient: make use of PROTOCOL_* enum values instead of of hardcoded int values
      from  fdcae2872b6 selftest: use SAMBA_DEPRECATED_SUPPRESS=1 for all tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c5cd5c9d57b567b78b58039d0845b41ec5caf72b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 18:40:34 2021 +0200

    WHATSNEW: add client/server smb3 signing/encryption algorithms
    
    We can add more about this in the final 4.15.0 release notes later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jul 15 00:57:24 UTC 2021 on sn-devel-184

commit 898caeae63035abd006d8440208ae69be9b3478a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 8 02:05:55 2021 +0100

    s3:smbd: improve the error returns for invalid session binding requests
    
    This brings us closer to what a Windows Server with GMAC signing
    returns.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1025e1bfea08e090cb556b0858bdfdaa94f8366f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 16:12:41 2021 +0200

    s4:torture: more smb2.session.bind_negative_smb3* combinations
    
    This tests all kind of signing/encryption algorithm mismatches
    and passes against Windows with GMAC signing support.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8ace94498fbf223c40aa842c1beb013ca20c4eb8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 23:28:04 2021 +0200

    docs-xml: offer aes-128-gmac by default
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 3f843e56a829084c2443b8b1fec51b26665aa9ec
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 14:10:01 2020 +0100

    libcli/smb: add support for SMB2_SIGNING_AES128_GMAC
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 220c019933e3143741bf612aa4900ac1cd39fae0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 15:04:22 2021 +0200

    s4:torture: force AES_CMAC or HMAC_SHA256 for some SMB 3.1.1 tests
    
    Allowing GMAC in future will generate different results, so
    make sure the tests keep working as is.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 982bdcf427008138a1c7c8d3f2756de1c5126d6b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 21:26:19 2021 +0200

    libcli/smb: actually make use of "client/server smb3 signing algorithms"
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit be71039be4edf90f28704026aa3d16da0848231c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 21:26:19 2021 +0200

    docs-xml: add "client/server smb3 signing algorithms" options
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4a61410f602c3c5cac634b3a18a29378b49281de
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 14:27:30 2020 +0100

    s3:smbd: prepare support for SMB2_SIGNING_CAPABILITIES
    
    Note that srv_sign_algos->num_algos is always 0 for now,
    but that'll change in the next commits.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 3706b27a3bc17e6e876c322c2e1701e494eee938
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 11 11:04:14 2021 +0100

    libcli/smb: prepare support for SMB2_SIGNING_CAPABILITIES negotiation
    
    For now client_sign_algos->num_algos will always be 0,
    but that'll change in the next commits.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4d33b08c0fbbfeeed734c1538911f3b1886eca64
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 14:10:01 2020 +0100

    libcli/smb: make sure smb2_signing_calc_signature() never generates a signature without a valid MID
    
    This is important as AES-128-GMAC signing will derive the NONCE from the MID.
    
    It also means a STATUS_PENDING response must never be signed.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 89f0552c5e08ddc8ad9c3b048f57b90c88ae84be
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 6 23:07:13 2021 +0200

    libcli/smb: make sure we always send a valid MID in cancel PDUs
    
    This is important as with AES-128-GMAC signing, the nonce will be
    derived from the MID.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e720ce4fadb051295871314bfcb1057c48586736
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 8 02:03:30 2021 +0100

    libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED
    
    We should propagate these errors to the caller instead of masking them
    with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
    connection.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit eeb09dfa6d79bfd42ad4a31cc2297438e917fef7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 16:23:54 2021 +0200

    libcli/smb: add smb2cli_conn_server_{signing,encryption}_algo()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c363825557a3fd816636119583a9328eab01272d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 22:37:36 2021 +0200

    s3:smbd: make sure we don't try to sign CANCEL response PDUs
    
    Normally these are never generated, but it can happen when the
    signing check fails.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 90bc67f322112986d221f4401536493dcd406135
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 11 13:33:46 2021 +0000

    s3:smbd: make sure STATUS_PENDING responses are never signed
    
    It's important to match Windows here in order to avoid reusing
    a NONCE for AES-128-GMAC signing.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit b576123dd976e94a229a9b094f6d047e100e88f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 6 23:55:49 2021 +0200

    s3:smbstatus: pretty print the use of new signing/encryption algorithms
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f435de5917fd52d027c94d68d692b21cd8adc861
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 21:50:27 2021 +0200

    s3:smbd: only allow cancel with the same session
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 6447ae60b03cdbc677fd2bf009b8a59e72477aba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 13:47:11 2020 +0100

    libcli/smb: add SMB2_SIGNING_CAPABILITIES related defines to smb2_constants.h
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 6b775f030a8725a7fb36bc4b83d1a2353106b677
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 13:47:11 2020 +0100

    libcli/smb: add SMB2_RDMA_TRANSFORM_CAPABILITIES related defines to smb2_constants.h
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 24142c379645d1b56fc8ba33cdc3b239cecd3a0b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 13:47:11 2020 +0100

    libcli/smb: add SMB2_TRANSPORT_CAPABILITIES related defines to smb2_constants.h
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 033716d9fdbfe1605c4ffb77e741727be4eb8e0d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 10 01:28:03 2020 +0100

    lib/param: offer aes-256-{gcm,ccm} encryption by default
    
    We match Windows and keep aes-128-{gcm,ccm} first...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d10153c8514a74b5805ee12d9684a8ca56537d92
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 10 01:25:19 2020 +0100

    libcli/smb: add aes-256-{gcm,ccm} support to smb2_signing_[en|de]crypt_pdu()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 9b123bc97aaef40277408a301a485fda5c922b34
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 12:13:49 2021 +0200

    s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
    
    SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless
    'client smb3 encryption algorithms' allows them.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 9e6d3df68db941c231844e9291bf6cbd5b6a42bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 12:13:49 2021 +0200

    libcli/smb: add smb311_capabilities_check() helper
    
    It checks that the resulting algorithms (most likely for
    dialects < 3.1.1) are actually allowed.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit cf1459f458bd8cb03cf1cd3f3ed2e5d8568203b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 12:13:49 2021 +0200

    libcli/smb: let 'client smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
    
    SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless
    'client smb3 encryption algorithms' allows them.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 71b06682b68f7cc081a7a062761dc9b7cfc59495
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 18:16:10 2021 +0200

    s3:smbd: make use of 'server smb3 encryption algorithms'
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e0ba6f40c90b0a7074272153c643fc253dae9612
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 18:16:10 2021 +0200

    s4:param: make use of 'client smb3 encryption algorithms'
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 53e37124e8f0884fc5e24edd7ebc4627a2357a3e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 18:16:10 2021 +0200

    s3:libsmb: make use of 'client smb3 encryption algorithms'
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 374f26aafa8b1a54662675a151bb54022560c155
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 18:00:59 2021 +0200

    libcli/smb: add helpers to parse client/server smb3 encryption algorithms into struct smb311_capabilities
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5ca01e48da3339a0810ff72ba204e05b4e555025
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 18:00:59 2021 +0200

    docs-xml: add "client/server smb3 encryption algorithms" options
    
    This gives administrators more control over the used algorithms.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a702d781864ea09d3698b312d930ff03bb77f45e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 10 16:34:54 2021 +0100

    smb2_negprot: make use of struct smb311_capabilities.encryption
    
    This makes the code more generic and allows the supported ciphers
    to be easily added or made dependent on the configuration later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4a7bd4c0c5672a27c8a931c9f9a5c2e706356845
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 00:16:06 2021 +0200

    WHATNEW: document "server multi channel support" change
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7f03d7c85e62bec3f97143980ec45db8bd0e5383
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 00:14:24 2021 +0200

    lib/param: enable "server multi channel support" by default on Linux and FreeBSD
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f627727898dc3fb17e4c49afea90824b05b8d94e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 00:06:52 2021 +0200

    lib/param: add lpcfg_parm_is_unspecified() helper
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 95a3bf588819bf7a71a333f823a5191fa49ac9dc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 15:36:12 2021 +0200

    s3:smbd: fallback to smb2srv_session_lookup_global() for session setups with failed signing
    
    The motivation is to get the same error responses as a windows server.
    
    We already fall back to smb2srv_session_lookup_global() in other places
    where we don't have a valid session in the current smbd process.
    
    If signing is failing while verifying a session setup request,
    we should do the same if we don't have a valid channel binding
    for the connection yet.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f8f4a9faf099eb768eaa25f1e1a7d126b75291d0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 13 16:37:42 2021 +0200

    s3:smbd: remove dead code from smbd_smb2_request_dispatch()
    
    We have '} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {'
    before...
    
    Use 'git show -U52' to see the whole story...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1781910df6d5f2678cdd5716d2db242199fceb84
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 14 17:15:52 2021 +0200

    s3:smbd: make sure smbXsrv_session_update() doesn't segfault with table == NULL
    
    There might be other places than smb2srv_update_crypto_flags(), which
    may call smbXsrv_session_update() with a fake session, they should
    return in error instead of segfaulting.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit aa29d89942355f988815d3b4b562bf3cf0f26b94
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 10 16:03:15 2021 +0000

    s3:smbd: fix a NULL pointer deference caused by smb2srv_update_crypto_flags()
    
    When we used a fake session structure from
    smb2srv_session_lookup_global() there's no point in updating
    any database.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2b36af83f68f588806a73a2688890ab9742242ad
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 10 16:03:15 2021 +0000

    s3:smbd: let smb2srv_session_lookup_global() clear the signing/encryption_flags
    
    We only make use of this in order to provide the correct
    error codes anyway.
    
    This actually fixes even more error codes.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a262568eaabd7d9ced554c408e76a38745d85f2a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 10 16:03:15 2021 +0000

    s4:torture: let smb2.session.bind_negative_* tests also use a different client guid
    
    Testing also with a different client guid between channels
    triggers (at least in samba) a different code path compared
    to the tests using the same client guid.
    
    Testing both already revealed a bug.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 66673f08f7c214aa221236cfa49695c11564d4e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 10 16:03:15 2021 +0000

    s4:torture: let smb2.session.bind_negative_* also test without session keys
    
    This checks the result of a 2nd session setup without the BIND flags
    and also without signing being already enabled.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e25a9e8f4ec8034d2974a887e4f64e99a04f226a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:37:38 2021 +0200

    WHATSNEW: document the removal of SMB2_22, SMB2_24 and SMB3_10
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2a575dfd58bf2e118d3c716f4b5062fef41cdb76
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:04:30 2021 +0200

    libcli/smb: remove unused PROTOCOL_SMB3_10 definition
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 41cf9f8966e22a391fa484872a48d9c89abc5db0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:03:06 2021 +0200

    docs-xml: remove support for "SMB3_10"
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit cb86d5817377130b5663a4cb09430cb38de2a357
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    libcli/smb: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7f8507332eac5a7a7cc4f2222e0a9e896df823f4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    s3:smbd: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a12c4a7b528c340dca6edd87c5ac0d786604bc13
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:04:30 2021 +0200

    libcli/smb: remove unused PROTOCOL_SMB2_24 definition
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fde7128b12f4635dbc0f207ef0923ff4528d3a6d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:03:06 2021 +0200

    docs-xml: remove support for "SMB2_24"
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8a30ad66b8ffe916c6f0427c5a753f0ecfa50691
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    libcli/smb: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 880d2e18e13a50d4bcca9824590901a4fb8443b9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    s3:smbd: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8c05c979433bc8ee2e1d69d93869110cf0051ff8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:04:30 2021 +0200

    libcli/smb: remove unused PROTOCOL_SMB2_22 definition
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit acb724c8b3eea513ddadd5eaa23af9e702831efb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 12:03:06 2021 +0200

    docs-xml: remove support for "SMB2_22"
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 3c8067a63fca1fb24ec7786b85b41b27b3fb639f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    libcli/smb: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1cd3394d7096386e66d36354d381e77d27b7a614
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    s3:smbd: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ea102d3b1b9f2ca78a276143dedb0e88abde8c77
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 11:57:17 2021 +0200

    s3:torture: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2a16bb716b77167d55dc4e5acd02a1f89db1a6c3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    smb2_negprot: no longer use experimental dialects 2.2.2, 2.2.4, 3.1.0 on the wire
    
    These were only used in Windows development versions but not in
    production.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7816d70f69bba0273ade5485320e9a49cfd3b507
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 11 15:14:12 2020 +0100

    libcli/smb: no longer use experimental dialects 2.2.2, 2.2.4, 3.1.0 on the wire
    
    These were only used in Windows development versions but not in
    production.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 36023cb5f81e71d02bd92b8998db3890be393f58
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 9 14:58:24 2021 +0200

    s4:torture:libsmbclient: make use of PROTOCOL_* enum values instead of of hardcoded int values
    
    We should also test protocol versions which are not our default.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |   35 +
 docs-xml/manpages/smb.conf.5.xml                   |    3 +-
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml |   13 +-
 docs-xml/smbdotconf/protocol/servermaxprotocol.xml |   13 +-
 .../protocol/servermultichannelsupport.xml         |   11 +-
 .../security/clientsmbencryptionalgos.xml          |   21 +
 .../smbdotconf/security/clientsmbsigningalgos.xml  |   22 +
 .../security/serversmbencryptionalgos.xml          |   21 +
 .../smbdotconf/security/serversmbsigningalgos.xml  |   22 +
 lib/param/loadparm.c                               |   26 +
 lib/param/loadparm.h                               |    3 +
 lib/param/param.h                                  |    1 +
 lib/param/param_table.c                            |    3 -
 libcli/smb/smb2_constants.h                        |   19 +-
 libcli/smb/smb2_negotiate_context.h                |   25 +-
 libcli/smb/smb2_signing.c                          |  205 +-
 libcli/smb/smb2cli_tcon.c                          |    4 +-
 libcli/smb/smbXcli_base.c                          |  227 ++-
 libcli/smb/smbXcli_base.h                          |    2 +
 libcli/smb/smb_constants.h                         |    3 -
 libcli/smb/util.c                                  |  258 ++-
 libgpo/admx/en-US/samba.adml                       |    8 +-
 selftest/knownfail.d/smb2.session                  |    4 +
 source3/include/session.h                          |    1 +
 source3/lib/sessionid_tdb.c                        |    1 +
 source3/libsmb/clientgen.c                         |   13 +-
 source3/param/loadparm.c                           |   11 +
 source3/smbd/smb2_negprot.c                        |  141 +-
 source3/smbd/smb2_server.c                         |  118 +-
 source3/smbd/smb2_sesssetup.c                      |   47 +-
 source3/smbd/smbXsrv_session.c                     |   11 +-
 source3/torture/test_smb2.c                        |    8 +-
 source3/utils/conn_tdb.c                           |    3 +
 source3/utils/conn_tdb.h                           |    1 +
 source3/utils/status.c                             |   75 +-
 source4/param/loadparm.c                           |   12 +-
 source4/torture/libsmbclient/libsmbclient.c        |    5 +-
 source4/torture/smb2/session.c                     | 2079 +++++++++++++++++++-
 testdata/samba3/smb_new.conf                       |    4 +-
 39 files changed, 3278 insertions(+), 201 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
 create mode 100644 docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
 create mode 100644 docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
 create mode 100644 docs-xml/smbdotconf/security/serversmbsigningalgos.xml
 create mode 100644 selftest/knownfail.d/smb2.session


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 076eaa2007b..acde58ed7ad 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,6 +12,25 @@ Samba 4.15 will be the next version of the Samba suite.
 UPGRADING
 =========
 
+Removed SMB (development) dialects
+----------------------------------
+
+The following SMB (development) dialects are no longer
+supported: SMB2_22, SMB2_24 and SMB3_10. They are were
+only supported by Windows technical preview builds.
+They used to be useful in order to test against the
+latest Windows versions, but it's no longer useful
+to have them. If you have them explicitly specified
+in your smb.conf or an the command line,
+you need to replace them like this:
+- SMB2_22 => SMB3_00
+- SMB2_24 => SMB3_00
+- SMB3_10 => SMB3_11
+Note that it's typically not useful to specify
+"client max protocol" or "server max protocol"
+explicitly to a specific dialect, just leave
+them unspecified or specify the value "default".
+
 New GPG key
 -----------
 
@@ -46,6 +65,13 @@ NEW FEATURES/CHANGES
   In order to be accepted, the request must be issued by a client
   that is in the allow list and NOT in the deny list.
 
+"server multi channel support" no longer experimental
+-----------------------------------------------------
+
+This option is enabled by default starting with to 4.15 (on Linux and FreeBSD).
+Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
+to use this feature on Linux and FreeBSD for now.
+
 samba-tool available without the ad-dc
 --------------------------------------
 
@@ -147,7 +173,11 @@ smb.conf changes
   Parameter Name                          Description     Default
   --------------                          -----------     -------
   client use kerberos                     New             desired
+  client max protocol                     Values Removed
+  client min protocol                     Values Removed
   client protection                       New             default
+  client smb3 signing algorithms          New             see man smb.conf
+  client smb3 encryption algorithms       New             see man smb.conf
   preopen:posix-basic-regex               New             No
   preopen:nomatch_log_level               New             5
   preopen:match_log_level                 New             5
@@ -156,6 +186,11 @@ smb.conf changes
   preopen:reset_log_level                 New             5
   preopen:push_log_level                  New             3
   preopen:queue_log_level                 New             10
+  server max protocol                     Values Removed
+  server min protocol                     Values Removed
+  server multi channel support            Changed         Yes (on Linux and FreeBSD)
+  server smb3 signing algorithms          New             see man smb.conf
+  server smb3 encryption algorithms       New             see man smb.conf
   winbind use krb5 enterprise principals  Changed         Yes
   winbind scan trusted domains            Changed         No
 
diff --git a/docs-xml/manpages/smb.conf.5.xml b/docs-xml/manpages/smb.conf.5.xml
index eb4bcba3ee5..72664a2e457 100644
--- a/docs-xml/manpages/smb.conf.5.xml
+++ b/docs-xml/manpages/smb.conf.5.xml
@@ -504,8 +504,7 @@ chmod 1770 /usr/local/samba/lib/usershares
 		<term>%R</term>
 		<listitem><para>the selected protocol level after protocol negotiation. It can be one of
 			CORE, COREPLUS, LANMAN1, LANMAN2, NT1,
-			SMB2_02, SMB2_10, SMB2_22, SMB2_24,
-			SMB3_00, SMB3_02, SMB3_10, SMB3_11
+			SMB2_02, SMB2_10, SMB3_00, SMB3_02, SMB3_11
 			or SMB2_FF.</para></listitem>
 		</varlistentry>
 
diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
index eba18bfb80a..784123ecadf 100644
--- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
@@ -44,12 +44,6 @@
 		<listitem>
 		    <para><constant>SMB2_10</constant>: Windows 7 SMB2 version.</para>
 		</listitem>
-		<listitem>
-		    <para><constant>SMB2_22</constant>: Early Windows 8 SMB2 version.</para>
-		</listitem>
-		<listitem>
-		    <para><constant>SMB2_24</constant>: Windows 8 beta SMB2 version.</para>
-		</listitem>
 	    </itemizedlist>
 	    <para>By default SMB2 selects the SMB2_10 variant.</para>
 	</listitem>
@@ -59,16 +53,13 @@
 	    Used by Windows 8. SMB3 has sub protocols available.</para>
 	    <itemizedlist>
 		<listitem>
-		    <para><constant>SMB3_00</constant>: Windows 8 SMB3 version. (mostly the same as SMB2_24)</para>
+		    <para><constant>SMB3_00</constant>: Windows 8 SMB3 version.</para>
 		</listitem>
 		<listitem>
 		    <para><constant>SMB3_02</constant>: Windows 8.1 SMB3 version.</para>
 		</listitem>
 		<listitem>
-		    <para><constant>SMB3_10</constant>: early Windows 10 technical preview SMB3 version.</para>
-		</listitem>
-		<listitem>
-		    <para><constant>SMB3_11</constant>: Windows 10 technical preview SMB3 version (maybe final).</para>
+		    <para><constant>SMB3_11</constant>: Windows 10 SMB3 version.</para>
 		</listitem>
 	    </itemizedlist>
 	    <para>By default SMB3 selects the SMB3_11 variant.</para>
diff --git a/docs-xml/smbdotconf/protocol/servermaxprotocol.xml b/docs-xml/smbdotconf/protocol/servermaxprotocol.xml
index 1dbe602d278..815841d6001 100644
--- a/docs-xml/smbdotconf/protocol/servermaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/servermaxprotocol.xml
@@ -33,12 +33,6 @@
 		<listitem>
 		    <para><constant>SMB2_10</constant>: Windows 7 SMB2 version.</para>
 		</listitem>
-		<listitem>
-		    <para><constant>SMB2_22</constant>: Early Windows 8 SMB2 version.</para>
-		</listitem>
-		<listitem>
-		    <para><constant>SMB2_24</constant>: Windows 8 beta SMB2 version.</para>
-		</listitem>
 	    </itemizedlist>
 	    <para>By default SMB2 selects the SMB2_10 variant.</para>
 	</listitem>
@@ -48,16 +42,13 @@
 	    Used by Windows 8. SMB3 has sub protocols available.</para>
 	    <itemizedlist>
 		<listitem>
-		    <para><constant>SMB3_00</constant>: Windows 8 SMB3 version. (mostly the same as SMB2_24)</para>
+		    <para><constant>SMB3_00</constant>: Windows 8 SMB3 version.</para>
 		</listitem>
 		<listitem>
 		    <para><constant>SMB3_02</constant>: Windows 8.1 SMB3 version.</para>
 		</listitem>
 		<listitem>
-		    <para><constant>SMB3_10</constant>: early Windows 10 technical preview SMB3 version.</para>
-		</listitem>
-		<listitem>
-		    <para><constant>SMB3_11</constant>: Windows 10 technical preview SMB3 version (maybe final).</para>
+		    <para><constant>SMB3_11</constant>: Windows 10 SMB3 version.</para>
 		</listitem>
 	    </itemizedlist>
 	    <para>By default SMB3 selects the SMB3_11 variant.</para>
diff --git a/docs-xml/smbdotconf/protocol/servermultichannelsupport.xml b/docs-xml/smbdotconf/protocol/servermultichannelsupport.xml
index 5f87298b4bd..105627139a5 100644
--- a/docs-xml/smbdotconf/protocol/servermultichannelsupport.xml
+++ b/docs-xml/smbdotconf/protocol/servermultichannelsupport.xml
@@ -10,17 +10,18 @@
     </para>
     <para>This parameter was added with version 4.4.</para>
     <para>
-    Warning: Note that this feature is still considered experimental.
-    Use it at your own risk: Even though it may seem to work well in testing,
-    it may result in data corruption under some race conditions.
-    Future releases may improve this situation.
+    Note that this feature was still considered experimental up to 4.14.
     </para>
 
     <para>Due to dependencies to kernel APIs of Linux or FreeBSD, it's only possible
     to use this feature on Linux and FreeBSD for now. For testing this restriction
     can be overwritten by specifying <constant>force:server multi channel support=yes</constant>
     in addition.</para>
+
+    <para>
+    This option is enabled by default starting with to 4.15 (on Linux and FreeBSD).
+    </para>
 </description>
 
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
new file mode 100644
index 00000000000..27da51ad625
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="client smb3 encryption algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the availability and order of
+	encryption algorithms which are available for negotiation in the SMB3_11 dialect.
+	</para>
+	<para>It is also possible to remove individual algorithms from the default list,
+	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+	</para>
+	<para>Note: that the removal of aes-128-ccm from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
+	available algorithm for these dialects.
+	</para>
+</description>
+
+<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
+<value type="example">aes-256-gcm</value>
+<value type="example">-aes-128-gcm -aes-128-ccm</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
new file mode 100644
index 00000000000..1ad6c09626f
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="client smb3 signing algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the availability and order of
+	signing algorithms which are available for negotiation in the SMB3_11 dialect.
+	</para>
+	<para>It is also possible to remove individual algorithms from the default list,
+	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+	</para>
+	<para>Note: that the removal of aes-128-cmac from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+	will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+	available algorithms for these dialects.
+	</para>
+</description>
+
+<value type="default">aes-128-gmac, aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac, hmac-sha-256</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
new file mode 100644
index 00000000000..3217970d4e7
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="server smb3 encryption algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the availability and order of
+	encryption algorithms which are available for negotiation in the SMB3_11 dialect.
+	</para>
+	<para>It is also possible to remove individual algorithms from the default list,
+	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+	</para>
+	<para>Note: that the removal of aes-128-ccm from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
+	available algorithm for these dialects.
+	</para>
+</description>
+
+<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
+<value type="example">aes-256-gcm</value>
+<value type="example">-aes-128-gcm -aes-128-ccm</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
new file mode 100644
index 00000000000..e73d4f04242
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="server smb3 signing algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the availability and order of
+	signing algorithms which are available for negotiation in the SMB3_11 dialect.
+	</para>
+	<para>It is also possible to remove individual algorithms from the default list,
+	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+	</para>
+	<para>Note: that the removal of aes-128-cmac from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+	will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+	available algorithms for these dialects.
+	</para>
+</description>
+
+<value type="default">aes-128-gmac, aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac, hmac-sha-256</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 59ddc213156..59e749d9d46 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -800,6 +800,16 @@ bool lpcfg_parm_is_cmdline(struct loadparm_context *lp_ctx, const char *name)
 	return lp_ctx->flags[parmnum] & FLAG_CMDLINE;
 }
 
+bool lpcfg_parm_is_unspecified(struct loadparm_context *lp_ctx, const char *name)
+{
+	int parmnum;
+
+	parmnum = lpcfg_map_parameter(name);
+	if (parmnum == -1) return false;
+
+	return lp_ctx->flags[parmnum] & FLAG_DEFAULT;
+}
+
 /**
  * Find a service by name. Otherwise works like get_service.
  */
@@ -2914,6 +2924,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "smb2 leases", "yes");
 
+	lpcfg_do_global_parameter(lp_ctx, "server multi channel support", "yes");
+
 	lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
 
 	lpcfg_do_global_parameter(lp_ctx,
@@ -2968,6 +2980,20 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "winbind use krb5 enterprise principals",
 				  "yes");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "client smb3 signing algorithms",
+				  DEFAULT_SMB3_SIGNING_ALGORITHMS);
+	lpcfg_do_global_parameter(lp_ctx,
+				  "server smb3 signing algorithms",
+				  DEFAULT_SMB3_SIGNING_ALGORITHMS);
+
+	lpcfg_do_global_parameter(lp_ctx,
+				  "client smb3 encryption algorithms",
+				  DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
+	lpcfg_do_global_parameter(lp_ctx,
+				  "server smb3 encryption algorithms",
+				  DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index e66ce2324b4..a942eaf9472 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -285,6 +285,9 @@ enum samba_weak_crypto {
 #define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
 
+#define DEFAULT_SMB3_SIGNING_ALGORITHMS "aes-128-gmac aes-128-cmac hmac-sha-256"
+#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
+
 #define LOADPARM_EXTRA_LOCALS						\
 	int usershare;							\
 	struct timespec usershare_last_mod;				\
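Review bot: The new defaults are space-separated here (`"aes-128-gmac aes-128-cmac hmac-sha-256"`) while the matching docs-xml files in this changeset document the same defaults comma-separated (`aes-128-gmac, aes-128-cmac, hmac-sha-256`). Both forms are presumably accepted by the `list` parameter type, but any tooling that compares documented defaults against loadparm defaults literally would see a mismatch; using one spelling in both places avoids that. A short comment above the defines stating that order is preference order and that hmac-sha-256 / aes-128-ccm must stay present for the pre-3.1.1 dialects (as the XML descriptions explain) would also help the next person editing these lists.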
diff --git a/lib/param/param.h b/lib/param/param.h
index 07b387a8108..7ead57f6130 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -120,6 +120,7 @@ struct parm_struct *lpcfg_parm_struct(struct loadparm_context *lp_ctx, const cha
 void *lpcfg_parm_ptr(struct loadparm_context *lp_ctx,
 		  struct loadparm_service *service, struct parm_struct *parm);
 bool lpcfg_parm_is_cmdline(struct loadparm_context *lp_ctx, const char *name);
+bool lpcfg_parm_is_unspecified(struct loadparm_context *lp_ctx, const char *name);
 
 bool lpcfg_do_global_parameter(struct loadparm_context *lp_ctx,
 			    const char *pszParmName, const char *pszParmValue);
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index a67e8549294..d9301152d94 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -46,11 +46,8 @@ static const struct enum_list enum_protocol[] = {
 	{PROTOCOL_SMB2_10, "SMB2"}, /* for now keep PROTOCOL_SMB2_10 */
 	{PROTOCOL_SMB3_11, "SMB3"}, /* for now keep PROTOCOL_SMB3_11 */
 	{PROTOCOL_SMB3_11, "SMB3_11"},
-	{PROTOCOL_SMB3_10, "SMB3_10"},
 	{PROTOCOL_SMB3_02, "SMB3_02"},
 	{PROTOCOL_SMB3_00, "SMB3_00"},
-	{PROTOCOL_SMB2_24, "SMB2_24"},
-	{PROTOCOL_SMB2_22, "SMB2_22"},
 	{PROTOCOL_SMB2_10, "SMB2_10"},
 	{PROTOCOL_SMB2_02, "SMB2_02"},
 	{PROTOCOL_NT1, "NT1"},
diff --git a/libcli/smb/smb2_constants.h b/libcli/smb/smb2_constants.h
index 7d48ad4bb13..886989d89ed 100644
--- a/libcli/smb/smb2_constants.h
+++ b/libcli/smb/smb2_constants.h
@@ -133,26 +133,41 @@
 #define SMB2_ENCRYPTION_CAPABILITIES        0x0002
 #define SMB2_COMPRESSION_CAPABILITIES       0x0003
 #define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID   0x0005
+#define SMB2_TRANSPORT_CAPABILITIES         0x0006
+#define SMB2_RDMA_TRANSFORM_CAPABILITIES    0x0007
+#define SMB2_SIGNING_CAPABILITIES           0x0008
 
 /* Values for the SMB2_PREAUTH_INTEGRITY_CAPABILITIES Context (>= 0x310) */
 #define SMB2_PREAUTH_INTEGRITY_SHA512       0x0001
 
+/* Values for the SMB2_SIGNING_CAPABILITIES Context (>= 0x311) */
 #define SMB2_SIGNING_INVALID_ALGO          0xffff /* only used internally */
 #define SMB2_SIGNING_MD5_SMB1              0xfffe /* internally for SMB1 */
 #define SMB2_SIGNING_HMAC_SHA256           0x0000 /* default <= 0x210 */
 #define SMB2_SIGNING_AES128_CMAC           0x0001 /* default >= 0x224 */
+#define SMB2_SIGNING_AES128_GMAC           0x0002 /* only in dialect >= 0x311 */
 
-/* Values for the SMB2_ENCRYPTION_CAPABILITIES Context (>= 0x310) */
+/* Values for the SMB2_ENCRYPTION_CAPABILITIES Context (>= 0x311) */
 #define SMB2_ENCRYPTION_INVALID_ALGO       0xffff /* only used internally */
 #define SMB2_ENCRYPTION_NONE               0x0000 /* only used internally */
 #define SMB2_ENCRYPTION_AES128_CCM         0x0001 /* only in dialect >= 0x224 */
-#define SMB2_ENCRYPTION_AES128_GCM         0x0002 /* only in dialect >= 0x310 */
+#define SMB2_ENCRYPTION_AES128_GCM         0x0002 /* only in dialect >= 0x311 */
+#define SMB2_ENCRYPTION_AES256_CCM         0x0003 /* only in dialect >= 0x311 */
+#define SMB2_ENCRYPTION_AES256_GCM         0x0004 /* only in dialect >= 0x311 */
 #define SMB2_NONCE_HIGH_MAX(nonce_len_bytes) ((uint64_t)(\
 	((nonce_len_bytes) >= 16) ? UINT64_MAX : \
 	((nonce_len_bytes) <= 8) ? 0 : \
 	(((uint64_t)1 << (((nonce_len_bytes) - 8)*8)) - 1) \
 	))
 
+/* Values for the SMB2_TRANSPORT_CAPABILITIES Context (>= 0x311) */
+#define SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY           0x0001
+
+/* Values for the SMB2_RDMA_TRANSFORM_CAPABILITIES Context (>= 0x311) */
+#define SMB2_RDMA_TRANSFORM_NONE                       0x0000
+#define SMB2_RDMA_TRANSFORM_ENCRYPTION                 0x0001
+#define SMB2_RDMA_TRANSFORM_SIGNING                    0x0002
+
 /* SMB2 session (request) flags */
 #define SMB2_SESSION_FLAG_BINDING       0x01
 /*      SMB2_SESSION_FLAG_ENCRYPT_DATA  0x04       only in dialect >= 0x310 */
diff --git a/libcli/smb/smb2_negotiate_context.h b/libcli/smb/smb2_negotiate_context.h
index a671d8a0ebf..645fb64a377 100644
--- a/libcli/smb/smb2_negotiate_context.h
+++ b/libcli/smb/smb2_negotiate_context.h
@@ -56,14 +56,37 @@ struct smb2_negotiate_context *smb2_negotiate_context_find(const struct smb2_neg
 							   uint16_t type);
 #define WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK	31
 
+struct smb3_signing_capabilities {
+#define SMB3_SIGNING_CAPABILITIES_MAX_ALGOS 3
+	uint16_t num_algos;
+	uint16_t algos[SMB3_SIGNING_CAPABILITIES_MAX_ALGOS];
+};
+
 struct smb3_encryption_capabilities {
-#define SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS 2
+#define SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS 4
 	uint16_t num_algos;
 	uint16_t algos[SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS];
 };
 
 struct smb311_capabilities {
+	struct smb3_signing_capabilities signing;
 	struct smb3_encryption_capabilities encryption;
 };
 
+const char *smb3_signing_algorithm_name(uint16_t algo);
+const char *smb3_encryption_algorithm_name(uint16_t algo);
+
+struct smb311_capabilities smb311_capabilities_parse(const char *role,
+				const char * const *signing_algos,
+				const char * const *encryption_algos);
+
+NTSTATUS smb311_capabilities_check(const struct smb311_capabilities *c,
+				   const char *debug_prefix,
+				   int debug_lvl,
+				   NTSTATUS error_status,
+				   const char *role,
+				   enum protocol_types protocol,
+				   uint16_t sign_algo,
+				   uint16_t cipher_algo);
+
 #endif /* _LIBCLI_SMB_SMB2_NEGOTIATE_BLOB_H_ */
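Review bot: The new prototypes smb311_capabilities_parse and smb311_capabilities_check are added without any documentation of their contract: what `role` denotes, what `debug_prefix`/`debug_lvl` are used for, and whether `error_status` is what the check returns when the negotiated `sign_algo`/`cipher_algo` is not in the configured list (inferred from the parameter names, so worth stating explicitly). A header comment above smb311_capabilities_check along the lines of `/* Verify that sign_algo and cipher_algo are allowed for protocol by c; on mismatch log at debug_lvl with debug_prefix and return error_status. */` would do. Separately, the new `SMB3_SIGNING_CAPABILITIES_MAX_ALGOS` is spelled correctly while the existing `SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS` (missing P) is touched here only to change its value; since both sizes mirror the algorithm counts in smb2_constants.h (three signing, four encryption), a comment tying each limit to that list, e.g. `/* one slot per SMB2_ENCRYPTION_* value in smb2_constants.h */`, would keep them from drifting apart.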
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 4d74085721a..830f3bf1570 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -40,7 +40,7 @@ void smb2_signing_derivations_fill_const_stack(struct smb2_signing_derivations *
 {
 	*ds = (struct smb2_signing_derivations) { .signing = NULL, };
 
-	if (protocol >= PROTOCOL_SMB3_10) {
+	if (protocol >= PROTOCOL_SMB3_11) {
 		struct smb2_signing_derivation *d = NULL;
 
 		SMB_ASSERT(preauth_hash.length != 0);
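Review bot: The threshold for preauth-bound key derivation moves from `>= PROTOCOL_SMB3_10` to `>= PROTOCOL_SMB3_11`, and the second hunk below moves the SMB3 branch from `>= PROTOCOL_SMB2_24` to `>= PROTOCOL_SMB3_00`; this is consistent with the dialects being dropped from enum_protocol in param_table.c, but only safe if the PROTOCOL_SMB3_10 and PROTOCOL_SMB2_24 enum constants can no longer be reached from negotiation. If a connection could still end up at one of those values, it would now silently fall into the weaker branch (no preauth hash in the derivation) instead of asserting, so a comment here such as `/* 0x310 and 0x224 are no longer negotiable; only 0x311 binds the preauth hash */` or a guard rejecting them would make the intent explicit. The enclosing function smb2_signing_derivations_fill_const_stack starts outside this hunk.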
@@ -65,7 +65,7 @@ void smb2_signing_derivations_fill_const_stack(struct smb2_signing_derivations *
 		d->label = data_blob_string_const_null("SMBAppKey");
 		d->context = preauth_hash;
 
-	} else if (protocol >= PROTOCOL_SMB2_24) {
+	} else if (protocol >= PROTOCOL_SMB3_00) {
 		struct smb2_signing_derivation *d = NULL;
 
 		d = &ds->__signing;
@@ -187,6 +187,7 @@ static NTSTATUS smb2_signing_key_create(TALLOC_CTX *mem_ctx,
 		break;

