The Samba-Bugzilla – Attachment 9226 Details for
Bug 10146
Samba SMB2 client code expects the response to sessionsetup to be signed.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix from master for 4.1.0
signing-4.1.patches (text/plain), 4.00 KB, created by
Jeremy Allison
on 2013-09-18 18:19:44 UTC
(
hide
)
Description:
git-am fix from master for 4.1.0
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2013-09-18 18:19:44 UTC
Size:
4.00 KB
patch
obsolete
>From 5c459fb110024c81bb27274fc6f17406883927a0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 17 Sep 2013 04:12:30 +0200 >Subject: [PATCH 1/2] libcli/smb: fix non mendatory signing against some vendor > SMB2 servers. > >Windows and Samba always sign the final session setup response >even if signing is not mendatory, but it ensures that the signing >key is correctly in place. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Tue Sep 17 09:40:10 CEST 2013 on sn-devel-104 >(cherry picked from commit af290a03cef63c3b08446c1980de064a3b1c8804) >--- > libcli/smb/smbXcli_base.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > >diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c >index 1e91975..9d187cd 100644 >--- a/libcli/smb/smbXcli_base.c >+++ b/libcli/smb/smbXcli_base.c >@@ -4841,7 +4841,16 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, > session->conn->protocol, > recv_iov, 3); > if (!NT_STATUS_IS_OK(status)) { >- return status; >+ /* >+ * Sadly some vendors don't sign the >+ * final SMB2 session setup response >+ * >+ * At least Windows and Samba are always doing this >+ * if there's a session key available. >+ */ >+ if (conn->mandatory_signing) { >+ return status; >+ } > } > > session->smb2->should_sign = false; >-- >1.8.1.2 > > >From db018804d729ab60498c545e01e6ea8549a9c217 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 18 Sep 2013 02:24:30 +0200 >Subject: [PATCH 2/2] libcli/smb: only check the SMB2 session setup signature > if required and valid > >This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804 >that skips the scary debug messages. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104 >(cherry picked from commit 4879d0810a2ad741e32ad174a7a14cd35521aeaf) >--- > libcli/smb/smbXcli_base.c | 26 +++++++++++++++++++++----- > 1 file changed, 21 insertions(+), 5 deletions(-) > >diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c >index 9d187cd..14d4cc3 100644 >--- a/libcli/smb/smbXcli_base.c >+++ b/libcli/smb/smbXcli_base.c >@@ -4740,12 +4740,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, > struct smbXcli_conn *conn = session->conn; > uint16_t no_sign_flags; > uint8_t session_key[16]; >+ bool check_signature = true; >+ uint32_t hdr_flags; > NTSTATUS status; > > if (conn == NULL) { > return NT_STATUS_INVALID_PARAMETER_MIX; > } > >+ if (recv_iov[0].iov_len != SMB2_HDR_BODY) { >+ return NT_STATUS_INVALID_PARAMETER_MIX; >+ } >+ > no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; > > if (session->smb2->session_flags & no_sign_flags) { >@@ -4837,18 +4843,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, > return NT_STATUS_NO_MEMORY; > } > >- status = smb2_signing_check_pdu(session->smb2_channel.signing_key, >- session->conn->protocol, >- recv_iov, 3); >- if (!NT_STATUS_IS_OK(status)) { >+ check_signature = conn->mandatory_signing; >+ >+ hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS); >+ if (hdr_flags & SMB2_HDR_FLAG_SIGNED) { > /* > * Sadly some vendors don't sign the > * final SMB2 session setup response > * > * At least Windows and Samba are always doing this > * if there's a session key available. >+ * >+ * We only check the signature if it's mandatory >+ * or SMB2_HDR_FLAG_SIGNED is provided. > */ >- if (conn->mandatory_signing) { >+ check_signature = true; >+ } >+ >+ if (check_signature) { >+ status = smb2_signing_check_pdu(session->smb2_channel.signing_key, >+ session->conn->protocol, >+ recv_iov, 3); >+ if (!NT_STATUS_IS_OK(status)) { > return status; > } > } >-- >1.8.1.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=9226">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
metze
:
review+
Actions:
View
Attachments on
bug 10146
:
9220
|
9225
| 9226