The Samba-Bugzilla – Attachment 16733 Details for
Bug 14793
We should start the SMB encryption as soon as possible
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-14-test
tmp414.diff.txt (text/plain), 7.07 KB, created by
Stefan Metzmacher
on 2021-08-12 07:55:09 UTC
(
hide
)
Description:
Patches for v4-14-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-08-12 07:55:09 UTC
Size:
7.07 KB
patch
obsolete
>From 1e8309ab171b54e6eeac08113578edcbf7e8e591 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 11 Aug 2021 14:33:24 +0200 >Subject: [PATCH 1/2] s3:libsmb: start encryption as soon as possible after the > session setup > >For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon, >if there's no tcon yet. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 21302649c46441ea325c66457294225ddb1d6235) >--- > source3/libsmb/clidfs.c | 56 +++++++++++++++++++++++++++++------------ > 1 file changed, 40 insertions(+), 16 deletions(-) > >diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c >index 040b957e6f8c..5b64858ca338 100644 >--- a/source3/libsmb/clidfs.c >+++ b/source3/libsmb/clidfs.c >@@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c, > uint16_t major, minor; > uint32_t caplow, caphigh; > NTSTATUS status; >+ bool temp_ipc = false; > > if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) { > status = smb2cli_session_encryption_on(c->smb2.session); >@@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c, > return NT_STATUS_NOT_SUPPORTED; > } > >+ if (c->smb1.tcon == NULL) { >+ status = cli_tree_connect_creds(c, "IPC$", "IPC", creds); >+ if (!NT_STATUS_IS_OK(status)) { >+ d_printf("Encryption required and " >+ "can't connect to IPC$ to check " >+ "UNIX CIFS extensions.\n"); >+ return NT_STATUS_UNKNOWN_REVISION; >+ } >+ temp_ipc = true; >+ } >+ > status = cli_unix_extensions_version(c, &major, &minor, &caplow, > &caphigh); > if (!NT_STATUS_IS_OK(status)) { > d_printf("Encryption required and " > "can't get UNIX CIFS extensions " > "version from server.\n"); >+ if (temp_ipc) { >+ cli_tdis(c); >+ } > return NT_STATUS_UNKNOWN_REVISION; > } > >@@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c, > d_printf("Encryption required and " > "share %s doesn't support " > "encryption.\n", sharename); >+ if (temp_ipc) { >+ cli_tdis(c); >+ } > return NT_STATUS_UNSUPPORTED_COMPRESSION; > } > >@@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c, > d_printf("Encryption required and " > "setup failed with error %s.\n", > nt_errstr(status)); >+ if (temp_ipc) { >+ cli_tdis(c); >+ } > return status; > } > >+ if (temp_ipc) { >+ cli_tdis(c); >+ } > return NT_STATUS_OK; > } > >@@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, > > DEBUG(4,(" session setup ok\n")); > >+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) { >+ status = cli_cm_force_encryption_creds(c, >+ creds, >+ sharename); >+ if (!NT_STATUS_IS_OK(status)) { >+ switch (encryption_state) { >+ case SMB_ENCRYPTION_DESIRED: >+ break; >+ case SMB_ENCRYPTION_REQUIRED: >+ default: >+ cli_shutdown(c); >+ return status; >+ } >+ } >+ } >+ > /* here's the fun part....to support 'msdfs proxy' shares > (on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL > here before trying to connect to the original share. >@@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, > return status; > } > >- if (encryption_state >= SMB_ENCRYPTION_DESIRED) { >- status = cli_cm_force_encryption_creds(c, >- creds, >- sharename); >- if (!NT_STATUS_IS_OK(status)) { >- switch (encryption_state) { >- case SMB_ENCRYPTION_DESIRED: >- break; >- case SMB_ENCRYPTION_REQUIRED: >- default: >- cli_shutdown(c); >- return status; >- } >- } >- } >- > DEBUG(4,(" tconx ok\n")); > *pcli = c; > return NT_STATUS_OK; >-- >2.25.1 > > >From b5094d827aca46633fa7b4cfab6524b6ef1dcb9c Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 11 Aug 2021 15:30:12 +0200 >Subject: [PATCH 2/2] s3:libsmb: close the temporary IPC$ connection in > cli_full_connection() > >We don't need the temporary IPC$ connection used for the >SMB1 UNIX CIFS extensions encryption setup anymore, >so we can also let the server close it. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Aug 11 23:03:11 UTC 2021 on sn-devel-184 > >(cherry picked from commit 289b7a1595ab13a200cfb327604e4b9296fa81e0) >--- > source3/libsmb/cliconnect.c | 39 +++++++++++++++++++++++++++++++++++-- > 1 file changed, 37 insertions(+), 2 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index b95b14b018cb..853fb344bcd6 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -3361,6 +3361,8 @@ static void cli_full_connection_creds_enc_start(struct tevent_req *req); > static void cli_full_connection_creds_enc_tcon(struct tevent_req *subreq); > static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq); > static void cli_full_connection_creds_enc_done(struct tevent_req *subreq); >+static void cli_full_connection_creds_enc_tdis(struct tevent_req *req); >+static void cli_full_connection_creds_enc_finished(struct tevent_req *subreq); > static void cli_full_connection_creds_tcon_start(struct tevent_req *req); > static void cli_full_connection_creds_tcon_done(struct tevent_req *subreq); > >@@ -3588,7 +3590,8 @@ static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq) > TALLOC_FREE(subreq); > if (!NT_STATUS_IS_OK(status)) { > if (encryption_state < SMB_ENCRYPTION_REQUIRED) { >- cli_full_connection_creds_tcon_start(req); >+ /* disconnect ipc$ followed by the real tree connect */ >+ cli_full_connection_creds_enc_tdis(req); > return; > } > DEBUG(10, ("%s: cli_unix_extensions_version " >@@ -3599,7 +3602,8 @@ static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq) > > if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) { > if (encryption_state < SMB_ENCRYPTION_REQUIRED) { >- cli_full_connection_creds_tcon_start(req); >+ /* disconnect ipc$ followed by the real tree connect */ >+ cli_full_connection_creds_enc_tdis(req); > return; > } > DEBUG(10, ("%s: CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP " >@@ -3631,6 +3635,37 @@ static void cli_full_connection_creds_enc_done(struct tevent_req *subreq) > return; > } > >+ /* disconnect ipc$ followed by the real tree connect */ >+ cli_full_connection_creds_enc_tdis(req); >+} >+ >+static void cli_full_connection_creds_enc_tdis(struct tevent_req *req) >+{ >+ struct cli_full_connection_creds_state *state = tevent_req_data( >+ req, struct cli_full_connection_creds_state); >+ struct tevent_req *subreq = NULL; >+ >+ subreq = cli_tdis_send(state, state->ev, state->cli); >+ if (tevent_req_nomem(subreq, req)) { >+ return; >+ } >+ tevent_req_set_callback(subreq, >+ cli_full_connection_creds_enc_finished, >+ req); >+} >+ >+static void cli_full_connection_creds_enc_finished(struct tevent_req *subreq) >+{ >+ struct tevent_req *req = tevent_req_callback_data( >+ subreq, struct tevent_req); >+ NTSTATUS status; >+ >+ status = cli_tdis_recv(subreq); >+ TALLOC_FREE(subreq); >+ if (tevent_req_nterror(req, status)) { >+ return; >+ } >+ > cli_full_connection_creds_tcon_start(req); > } > >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 14793
:
16732
| 16733 |
16734