[PATCH] Display status of encryption and signing in smbstatus

Jeremy Allison jra at samba.org
Wed Dec 9 23:26:10 UTC 2015


On Wed, Dec 09, 2015 at 01:57:56PM +0100, Ralph Boehme wrote:
> Hi!
> 
> Attached is a patchset that adds support for displaying the current
> status of signing and encryption per session and tcon.
> 
> Example:
> 
> # smbstatus
> 
> Samba version 4.4.0pre1-DEVELOPERBUILD
> PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
> 25597   slow         men          10.10.11.1 (ipv4:10.10.11.1:51241)        SMB3_02           partial(AES-128-CCM) partial(AES-128-CMAC)
> 
> Service      pid     Machine       Connected at                     Encryption   Signing
> ---------------------------------------------------------------------------------------------
> encrypted    25597   10.10.11.1    Wed Dec  9 01:40:20 PM 2015 CET  AES-128-CCM  AES-128-CMAC
> clear        25597   10.10.11.1    Wed Dec  9 01:40:17 PM 2015 CET  -            -
> 
> The main changes involve modifying smbXsrv tdbs and packet processing
> to track signing and encryption per incoming and outgoing packets.
> 
> tcons are either shown as encrypted or unencrypted, signed or
> unsigned, sessions can be shown as partially encrypted in order to
> give a consistent summary, otherwise it would look strange displaying
> a session as unencrypted when one of its tcons is encrypted.
> 
> Per the nature of SMB3 encryption where sessions and tcons may be
> encrypted (smb encrypt = desired), but not enforced (smb encrypt !=
> required), the output is NOT a guarantee that all future packets will
> be encrypted too. The output is only a summary of what has been seen
> so far.
> 
> Please review and push if ok.

Code looks nice, and I like the idea. One comment (so
far) on first look over.

I still need to go through and understand it fully,
but I like what it's trying to do!

Can you split the following code into an external function
please rather than putting it inline inside switch_message()?

Oh, and the similar code in smbd_smb2_request_dispatch()
should also be in a different function too I think.

Jeremy.

@@ -1452,6 +1452,8 @@ static connection_struct *switch_message(uint8_t type, struct smb_request *req)
        NTTIME now = timeval_to_nttime(&req->request_time);
        struct smbXsrv_session *session = NULL;
        NTSTATUS status;
+       bool update_session_global = false;
+       bool update_tcon_global = false;

....

+       /*
+        * Update encryption and signing state tracking flags that are
+        * used by smbstatus to display signing and encryption status.
+        */
+       if (session != NULL) {
+               if (ENCRYPTION_REQUIRED(conn)) {
+                       /*
+                        * conn->encrypt_level = SMB_SIGNING_REQUIRED
+                        * guarantees that all further packets will be
+                        * encrypted, so set the encryption state flags to
+                        * signalize encryption to smbstatus
+                        */
+                       if (!(conn->tcon && conn->tcon->global->encryption_flags &
+                             SMBXSRV_PROCESSED_ENCRYPTED_PACKET))
+                       {
+                               session->global->encryption_flags |= SMBXSRV_PROCESSED_ENCRYPTED_PACKET;
+                               conn->tcon->global->encryption_flags |= SMBXSRV_PROCESSED_ENCRYPTED_PACKET;
+                               session->global->channels[0].encryption_cipher = SMB_ENCRYPTION_GSSAPI;
+                               update_session_global = true;
+                               update_tcon_global = true;
+                       }
+               } else {
+                       if (!(session->global->encryption_flags & SMBXSRV_PROCESSED_UNENCRYPTED_PACKET)) {
....
+               if (update_tcon_global) {
+                       status = smbXsrv_tcon_update(conn->tcon);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
+                               return conn;
+                       }
+               }
+       }
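Review bot: the `ENCRYPTION_REQUIRED(conn)` branch can dereference a NULL `conn->tcon`: the condition `if (!(conn->tcon && conn->tcon->global->encryption_flags & SMBXSRV_PROCESSED_ENCRYPTED_PACKET))` is true whenever `conn->tcon` is NULL, and the block then writes through `conn->tcon->global->encryption_flags |= SMBXSRV_PROCESSED_ENCRYPTED_PACKET;`. Test `conn->tcon != NULL` separately and, when it is NULL, update only the session flags and leave `update_tcon_global` false (the later `smbXsrv_tcon_update(conn->tcon)` would otherwise be reached with a NULL tcon as well). Two smaller points in the same region: the comment says `conn->encrypt_level = SMB_SIGNING_REQUIRED` while describing encryption, which is worth double-checking against the constant the code actually tests, and "signalize" should read "signal".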

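As an added illustration (this is not Samba code and not part of the patch), the following C program models the flag bookkeeping the patch introduces: each processed packet sets either SMBXSRV_PROCESSED_ENCRYPTED_PACKET or SMBXSRV_PROCESSED_UNENCRYPTED_PACKET on the session and on the tcon it arrived on, and the summary functions then derive the "-", "partial(cipher)" and "cipher" strings seen in the smbstatus output above. The struct layout, the `process_packet`/`session_summary`/`tcon_summary` names and the rule that a tcon with mixed packets is shown as "-" are assumptions made for the example; the replayed packet sequence is constructed. The last step in `main` shows the caveat from the original post: with encryption desired but not required, a single clear packet changes the summary, so the display is history, not a guarantee.

```c
/*
 * Added example modelling the per-session and per-tcon encryption
 * flags described in the patch. Not Samba's code; the structs and
 * function names are constructed for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names follow the patch; the values are assumed. */
#define SMBXSRV_PROCESSED_ENCRYPTED_PACKET   0x01
#define SMBXSRV_PROCESSED_UNENCRYPTED_PACKET 0x02

#define MAX_TCONS 4

struct tcon_state {
	const char *share;
	uint8_t encryption_flags;
};

struct session_state {
	uint8_t encryption_flags;
	const char *cipher;                /* first cipher seen, NULL if none yet */
	struct tcon_state tcons[MAX_TCONS];
	int num_tcons;
};

/* Record one processed packet for tcon 'idx'; updates session and tcon flags. */
static void process_packet(struct session_state *s, int idx, bool encrypted,
			   const char *cipher)
{
	uint8_t bit = encrypted ? SMBXSRV_PROCESSED_ENCRYPTED_PACKET
				: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET;
	s->encryption_flags |= bit;
	if (idx >= 0 && idx < s->num_tcons) {
		s->tcons[idx].encryption_flags |= bit;
	}
	if (encrypted && s->cipher == NULL) {
		s->cipher = cipher;
	}
}

/* Session column: "-" (nothing encrypted), "partial(C)" (mixed) or "C". */
static const char *session_summary(const struct session_state *s,
				   char *buf, size_t len)
{
	bool enc = (s->encryption_flags & SMBXSRV_PROCESSED_ENCRYPTED_PACKET) != 0;
	bool clear = (s->encryption_flags & SMBXSRV_PROCESSED_UNENCRYPTED_PACKET) != 0;

	if (!enc) {
		snprintf(buf, len, "-");
	} else if (clear) {
		snprintf(buf, len, "partial(%s)", s->cipher);
	} else {
		snprintf(buf, len, "%s", s->cipher);
	}
	return buf;
}

/* Tcon column (assumed rule): cipher only if every packet seen was encrypted. */
static const char *tcon_summary(const struct session_state *s, int idx)
{
	uint8_t f = s->tcons[idx].encryption_flags;
	if ((f & SMBXSRV_PROCESSED_ENCRYPTED_PACKET) &&
	    !(f & SMBXSRV_PROCESSED_UNENCRYPTED_PACKET)) {
		return s->cipher;
	}
	return "-";
}

/* Replays a constructed packet sequence matching the posted smbstatus output. */
static struct session_state example_session(void)
{
	struct session_state s;
	memset(&s, 0, sizeof(s));
	s.num_tcons = 2;
	s.tcons[0].share = "encrypted";
	s.tcons[1].share = "clear";

	process_packet(&s, 1, false, NULL);          /* request on "clear" */
	process_packet(&s, 0, true, "AES-128-CCM");  /* requests on "encrypted" */
	process_packet(&s, 0, true, "AES-128-CCM");
	return s;
}

int main(void)
{
	char buf[64];
	struct session_state s = example_session();

	printf("session: %s\n", session_summary(&s, buf, sizeof(buf)));
	for (int i = 0; i < s.num_tcons; i++) {
		printf("tcon %-10s %s\n", s.tcons[i].share, tcon_summary(&s, i));
	}

	/* smb encrypt = desired: one later clear packet flips the tcon column. */
	process_packet(&s, 0, false, NULL);
	printf("after a clear packet on 'encrypted': session %s, tcon %s\n",
	       session_summary(&s, buf, sizeof(buf)), tcon_summary(&s, 0));
	return 0;
}
```

Running it prints `partial(AES-128-CCM)` for the session with the "encrypted" tcon showing `AES-128-CCM` and "clear" showing `-`, then `-` for the "encrypted" tcon once a clear packet has been seen on it; only `smb encrypt = required` (the ENCRYPTION_REQUIRED branch in the patch) turns the summary into a statement about future packets.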