[PATCH] Patch for bug 12520

Ralph Böhme slow at samba.org
Mon Jan 16 14:54:22 UTC 2017


Hi!

Attached is a fix for:
<https://bugzilla.samba.org/show_bug.cgi?id=12520>

I didn't add a test because that would require an additional server in selftest
just for that. Shall I?

Cheerio!
-slow
-------------- next part --------------
From f721f6e52379526a9b39797d9140c96d415e08db Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 5 Jan 2017 12:14:35 +0100
Subject: [PATCH 1/3] s3/smbd: ensure global "smb encrypt = off" is effective
 for SMB 3.1.1 clients

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of specifying contradictory settings

[Global]
  smb encrypt = off
[share]
  smb encrypt = required

must be to completely deny access to the share "share". This way users
are made aware of this misconfiguration.

This was working correctly for clients when using SMB dialects < 3.1.1,
but not for 3.1.1 with a negprot encryption context.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/smbd/smb2_negprot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6cfa64f..d9ccdbe 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 		req->preauth = &req->xconn->smb2.preauth;
 	}
 
-	if (in_cipher != NULL) {
+	if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
 		size_t needed = 2;
 		uint16_t cipher_count;
 		const uint8_t *p;
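Review bot: The new `(capabilities & SMB2_CAP_ENCRYPTION)` test in the `if` guarding the cipher-context parsing has no comment, and nothing in the visible lines shows that `capabilities` reflects the server's own encryption setting rather than what the client sent. A one-line comment above the `if` stating that the client's encryption context is deliberately ignored when the server does not offer encryption would make the intent clear. A debug-level message for the case where `in_cipher != NULL` but the block is skipped would also help when diagnosing why a 3.1.1 client ended up without a cipher. On the question in the cover mail: a regression test is worth having for this, since the commit message says the pre-3.1.1 path already behaved correctly and only this branch diverged.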
-- 
2.7.4


From 7d6e3d08471a4d74edb242afdfb17f5b946f60af Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 16 Jan 2017 12:56:10 +0100
Subject: [PATCH 2/3] s3/smbd: ensure global "smb encrypt = off" is effective
 for share with "smb encrypt = desired"

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of specifying

[Global]
  smb encrypt = off
[share]
  smb encrypt = desired

must be an unencrypted tree connect.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/smbd/smb2_tcon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a36..cc4b6b6 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,6 +268,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	}
 
 	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
+	    (conn->smb2.server.cipher != 0) &&
 	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 		encryption_desired = true;
 	}
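Review bot: The added `(conn->smb2.server.cipher != 0)` compares against a bare literal, so the reader has to know that 0 means "no cipher negotiated". Please add a short comment to that effect or use a named constant if one exists. The visible lines only cover the `encryption_desired` path; it would be good to confirm in the commit message or a comment that the `required` case does not need the same guard, since patch 1/3 says that case must deny access rather than fall back to an unencrypted connect.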
-- 
2.7.4


From 390b4877225f6e09be356502b521fb92fd6ca782 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 16 Jan 2017 15:45:32 +0100
Subject: [PATCH 3/3] docs: impact of a global "smb encrypt=off" on a share
 with "smb encrypt=required"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 docs-xml/smbdotconf/security/smbencrypt.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 0f08966..4b2f83f 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -180,7 +180,10 @@
 			<listitem>
 			<para>
 			Setting it to <emphasis>off</emphasis> globally will
-			completely disable the encryption feature.
+			completely disable the encryption feature. Setting
+			<parameter>smb encrypt = required</parameter> is an
+			invalid configuration that will deny access to all
+			clients.
 			</para>
 			</listitem>
 
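Review bot: The added sentence "Setting `smb encrypt = required` is an invalid configuration" does not say that it refers to a per-share setting combined with the global `off`, so read on its own it sounds as if `required` were always invalid. Suggest wording along the lines of "Setting `smb encrypt = required` for an individual share while the global value is `off` is an invalid configuration ...". The text also leaves out the `desired` case that patch 2/3 defines (an unencrypted tree connect); documenting both outcomes here would keep the man page in line with the code.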
-- 
2.7.4
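As an added example (not part of the original mail and not Samba code), a small Python check that reports the share-level settings the three commit messages above describe as conflicting with a global `smb encrypt = off`. The parser is a simplification that assumes a single file without includes or line continuations and handles only the values named on this page; the sample configuration and all function names are constructed for illustration.

```python
# Added example, not Samba code: flag shares whose "smb encrypt" value
# conflicts with a global "smb encrypt = off", using the outcomes stated
# in the commit messages above.
SAMPLE_CONF = """\
# constructed sample smb.conf
[Global]
  smb encrypt = off
[share]
  path = /srv/share
  smb encrypt = required
[scratch]
  path = /srv/scratch
  smb encrypt = desired
[public]
  path = /srv/public
"""

def parse_smb_conf(text):
    """Minimal parser: section -> {param: value}, names and values lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # collapse inner whitespace so "smb  encrypt" matches "smb encrypt"
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections

def encrypt_conflicts(text):
    """Return {share: outcome} for shares that conflict with a global 'off'."""
    sections = parse_smb_conf(text)
    if sections.get("global", {}).get("smb encrypt") != "off":
        return {}
    outcomes = {
        "required": "access denied to all clients",  # patches 1/3 and 3/3
        "desired": "unencrypted tree connect",       # patch 2/3
    }
    return {
        name: outcomes[params["smb encrypt"]]
        for name, params in sections.items()
        if name != "global" and params.get("smb encrypt") in outcomes
    }

if __name__ == "__main__":
    for share, outcome in encrypt_conflicts(SAMPLE_CONF).items():
        print(f"[{share}] conflicts with global 'smb encrypt = off': {outcome}")
```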


