The branch, master has been updated via 528d3fe libcli/smb: do not set SMB2_TF_MSG_SIZE in the caller via 143fb84 libcli/smb: smb2_signing_[en|de]crypt_pdu() check and set SMB2_TF_MSG_SIZE via 6bfdca4 s3:smb2_sesssetup: remove unused code in smbd_smb2_reauth_generic_return() via 5f7d786 s3:smb2_sesssetup: remove TALLOC_FREE(session) from smbd_smb2_[re]auth_generic_return via c9ecfd6 s3:smb2_server: sign the last request at the start of smbd_smb2_request_reply() from 64c0367 s3: Fix a crash in reply_lockingX_error
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 528d3fe2ae9691bc1c0b322bb3007524987f8b28 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Aug 8 05:04:07 2012 +0200 libcli/smb: do not set SMB2_TF_MSG_SIZE in the caller metze Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Wed Aug 8 07:32:55 CEST 2012 on sn-devel-104 commit 143fb8403a5b763224b078e67aa9e4ef005ec9ca Author: Stefan Metzmacher <me...@samba.org> Date: Wed Aug 8 05:03:19 2012 +0200 libcli/smb: smb2_signing_[en|de]crypt_pdu() check and set SMB2_TF_MSG_SIZE metze commit 6bfdca4786cd6293650ecde784e316d2f0258a56 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Aug 8 05:35:37 2012 +0200 s3:smb2_sesssetup: remove unused code in smbd_smb2_reauth_generic_return() A reauth exchange is already signed, with the channel signing key. metze commit 5f7d786b08f2d67d200fb473b12781174a69e776 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Aug 8 05:33:50 2012 +0200 s3:smb2_sesssetup: remove TALLOC_FREE(session) from smbd_smb2_[re]auth_generic_return The caller does this via the smbd_smb2_session_setup_state_destructor() metze commit c9ecfd6f3df2714bfaabb77ceb987ce65c62e38a Author: Stefan Metzmacher <me...@samba.org> Date: Wed Aug 8 04:35:15 2012 +0200 s3:smb2_server: sign the last request at the start of smbd_smb2_request_reply() This means we correctly sign all responses in a compound chain. metze ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb2_signing.c | 22 ++++++++++++++++------ libcli/smb/smbXcli_base.c | 3 --- source3/smbd/smb2_server.c | 38 ++++++++++++++++---------------------- source3/smbd/smb2_sesssetup.c | 18 ------------------ 4 files changed, 32 insertions(+), 49 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index bb621fd..97143f7 100644 
--- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -238,13 +238,15 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key, return NT_STATUS_ACCESS_DENIED; } - alg = SMB2_ENCRYPTION_AES128_CCM; - SSVAL(tf, SMB2_TF_ALGORITHM, alg); - a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; for (i=1; i < count; i++) { m_total += vector[i].iov_len; } + + alg = SMB2_ENCRYPTION_AES128_CCM; + SSVAL(tf, SMB2_TF_ALGORITHM, alg); + SIVAL(tf, SMB2_TF_MSG_SIZE, m_total); + ZERO_STRUCT(key); memcpy(key, encryption_key.data, MIN(encryption_key.length, AES_BLOCK_SIZE)); @@ -283,6 +285,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, int i; size_t a_total; size_t m_total = 0; + uint32_t msg_size = 0; struct aes_ccm_128_context ctx; uint8_t key[AES_BLOCK_SIZE]; @@ -302,15 +305,22 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key, return NT_STATUS_ACCESS_DENIED; } + a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; + for (i=1; i < count; i++) { + m_total += vector[i].iov_len; + } + alg = SVAL(tf, SMB2_TF_ALGORITHM); + msg_size = IVAL(tf, SMB2_TF_MSG_SIZE); + if (alg != SMB2_ENCRYPTION_AES128_CCM) { return NT_STATUS_ACCESS_DENIED; } - a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE; - for (i=1; i < count; i++) { - m_total += vector[i].iov_len; + if (msg_size != m_total) { + return NT_STATUS_INTERNAL_ERROR; } + ZERO_STRUCT(key); memcpy(key, decryption_key.data, MIN(decryption_key.length, AES_BLOCK_SIZE)); diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index c6e3b2a..dad869c 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -2764,9 +2764,6 @@ skip_credits: state->session->smb2->nonce_low += 1; } - SBVAL(state->smb2.transform, SMB2_TF_MSG_SIZE, - reqlen); - buf = talloc_array(iov, uint8_t, reqlen); if (buf == NULL) { return NT_STATUS_NO_MEMORY; diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index afd001c..19a1051 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c 
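Review bot: In the smb2_signing_encrypt_pdu() hunk, `SIVAL(tf, SMB2_TF_MSG_SIZE, m_total)` stores a size_t into a 32-bit field with no range check, so an oversized iovec total would be written truncated rather than rejected locally. A guard just before the store keeps the failure explicit and on the sender's side: `if (m_total > UINT32_MAX) { return NT_STATUS_INVALID_PARAMETER; }`. The receiving side now compares the full size_t against the 32-bit field, so a truncated value would be refused by a conforming peer, but that only surfaces as a remote rejection. The caller previously wrote this field with SBVAL and the new code uses SIVAL/IVAL on both sides; that width change is worth a sentence in the commit message. The body of smb2_signing_encrypt_pdu() continues outside the hunk.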
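Review bot: In the smb2_signing_decrypt_pdu() hunk at @@ -302, the new `if (msg_size != m_total)` check returns NT_STATUS_INTERNAL_ERROR, but msg_size is read from the peer's transform header, so a mismatch is malformed or hostile input rather than a violated local invariant. The algorithm check two lines above already rejects unexpected wire values with NT_STATUS_ACCESS_DENIED; returning the same code here, `return NT_STATUS_ACCESS_DENIED;`, keeps callers and logs from treating a bad PDU as a server bug. Placing the length check before the MAC verification and decryption is a good cheap early reject and should stay where it is. smb2_signing_decrypt_pdu() continues outside the hunk.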
@@ -1977,7 +1977,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) struct tevent_req *subreq; struct iovec *outhdr = SMBD_SMB2_OUT_HDR_IOV(req); struct iovec *outdyn = SMBD_SMB2_OUT_DYN_IOV(req); - struct iovec *lasthdr = NULL; req->subreq = NULL; TALLOC_FREE(req->async_te); @@ -1985,9 +1984,24 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) if ((req->current_idx > SMBD_SMB2_NUM_IOV_PER_REQ) && (req->last_key.length > 0)) { int last_idx = req->current_idx - SMBD_SMB2_NUM_IOV_PER_REQ; + struct iovec *lasthdr = SMBD_SMB2_IDX_HDR_IOV(req,out,last_idx); + NTSTATUS status; + + /* + * As we are sure the header of the last request in the + * compound chain will not change, we can to sign here + * with the last signing key we remembered. + */ - lasthdr = SMBD_SMB2_IDX_HDR_IOV(req,out,last_idx); + status = smb2_signing_sign_pdu(req->last_key, + conn->protocol, + lasthdr, + SMBD_SMB2_NUM_IOV_PER_REQ); + if (!NT_STATUS_IS_OK(status)) { + return status; + } } + data_blob_clear_free(&req->last_key); req->current_idx += SMBD_SMB2_NUM_IOV_PER_REQ; @@ -2005,8 +2019,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) return NT_STATUS_NO_MEMORY; } - data_blob_clear_free(&req->last_key); - if (req->do_signing) { struct smbXsrv_session *x = req->session; DATA_BLOB signing_key = x->global->channels[0].signing_key; 
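Review bot: In the @@ -1985 hunk, the error return after smb2_signing_sign_pdu() leaves req->last_key in place, so the remembered signing key is only released when req is torn down by talloc, without the zeroing that data_blob_clear_free() performs on the success path; clearing before returning keeps key handling uniform: `if (!NT_STATUS_IS_OK(status)) { data_blob_clear_free(&req->last_key); return status; }`. The same shape existed in the block this commit moves, so this is pre-existing rather than introduced here, but the move is a good moment to fix it. The added comment also carries a typo, `we can to sign here`, which should read `we can sign here`. smbd_smb2_request_reply() starts and ends outside the hunk.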
@@ -2041,24 +2053,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req) smb2_calculate_credits(req, req); /* - * As we are sure the header of the last request in the - * compound chain will not change, we can to sign here - * with the last signing key we remembered. - */ - if (lasthdr != NULL) { - NTSTATUS status; - - status = smb2_signing_sign_pdu(req->last_key, - conn->protocol, - lasthdr, - SMBD_SMB2_NUM_IOV_PER_REQ); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } - data_blob_clear_free(&req->last_key); - - /* * now check if we need to sign the current response */ if (req->do_signing) { diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 474c04b..07a168f 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -208,7 +208,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, sizeof(session_key)); if (x->global->signing_key.data == NULL) { ZERO_STRUCT(session_key); - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } @@ -226,7 +225,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->signing_key); if (x->global->application_key.data == NULL) { ZERO_STRUCT(session_key); - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } @@ -244,7 +242,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels, x->global->signing_key); if (x->global->channels[0].signing_key.data == NULL) { - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } 
@@ -252,13 +249,11 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, session_info->session_key = data_blob_dup_talloc(session_info, x->global->application_key); if (session_info->session_key.data == NULL) { - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } session->compat = talloc_zero(session, struct user_struct); if (session->compat == NULL) { - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } session->compat->session = session; @@ -278,7 +273,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, DEBUG(1, ("smb2: Failed to claim session " "for vuid=%llu\n", (unsigned long long)session->compat->vuid)); - TALLOC_FREE(session); return NT_STATUS_LOGON_FAILURE; } @@ -300,7 +294,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n", (unsigned long long)session->compat->vuid, nt_errstr(status))); - TALLOC_FREE(session); return NT_STATUS_LOGON_FAILURE; } @@ -334,7 +327,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session, session_info->session_key = data_blob_dup_talloc(session_info, x->global->application_key); if (session_info->session_key.data == NULL) { - TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } @@ -363,21 +355,11 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session, DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n", (unsigned long long)session->compat->vuid, nt_errstr(status))); - TALLOC_FREE(session); return NT_STATUS_LOGON_FAILURE; } conn_clear_vuid_caches(conn->sconn, session->compat->vuid); - /* - * we attach the session to the request - * so that the response can be signed - */ - smb2req->session = session; - smb2req->do_signing = true; - - global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32); - *out_session_id = session->global->session_wire_id; return NT_STATUS_OK; -- Samba Shared Repository