The branch, master has been updated
via 66736fe s4:torture/rpc: use dcerpc_secondary_auth_connection with
creds
via 87bf1a6 s4:torture/rpc: use dcerpc_secondary_auth_connection with
anon creds
via e0bb97f s4:torture/samba3rpc: use pipe_bind_smb_auth()
via 810d630 s4:torture/samba3rpc: add pipe_bind_smb_auth()
via f42d4e9 s4:torture/samba3rpc: use pipe_bind_smb2()
via 1df9416 s4:torture/samba3rpc: add pipe_bind_smb2()
via d80c389 s4:torture/samba3rpc: use pipe_bind_smb() in more places
via 5a849c1 s4:torture/samba3rpc: move pipe_bind_smb() to the top
via 07b1e37 s4:libnet: make use of
dcerpc_secondary_auth_connection_send/recv()
via f036683 s4:libcli/clilsa: only remember the dcerpc_binding_handle
via 8c22f81 s4:librpc/rpc: add dcerpc_secondary_auth_connection()
via 9c165e5 dcerpc.idl: fix calculatin of uint16 secondary_address_size;
via 9f62c4e pidl:Samba4/NDR/Parser: always initialize _mem_save_
pointers to NULL
via 856c9aa pidl:Samba3/ServerNDR: add pidl_reset() and pidl_return()
helper functions
via 16952dc pidl:Samba3/ServerNDR: make CallWithStruct() more flexible
via b3de334 pidl:Samba3/ServerNDR: simplify CallWithStruct()
via 365d9d8 docs:smb.conf: explain effect of new setting 'desired' of
smb encrypt
via 1435770 smbd:smb2: use encryption_desired in send_break
via 41cb881 smbd:smb2: only enable encryption in tcon if desired
via fc22802 smbd:smb2: only enable encryption in session if desired
via 3bb2999 smbd:smb2: separate between encryption required and enc
desired
via a3ea6db smbXsrv: add bools encryption_desired to session and tcon
via 204cbe3 Introduce setting "desired" for 'smb encrypt' and
'client/server signing'
from 8fec359 vfs_fruit: Fix CID 1311244 Out-of-bounds read
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 66736fee3a896edf5571dc627a9cf6d8eee405b0
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jan 17 13:39:45 2014 +0100
s4:torture/rpc: use dcerpc_secondary_auth_connection with creds
This is the same as calling dcerpc_secondary_connection/dcerpc_bind_auth.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
Autobuild-User(master): Günther Deschner <g...@samba.org>
Autobuild-Date(master): Tue Jul 7 17:07:49 CEST 2015 on sn-devel-104
commit 87bf1a6edd2395b1a98775af0edb0a0b5be59c62
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jan 17 09:54:39 2014 +0100
s4:torture/rpc: use dcerpc_secondary_auth_connection with anon creds
This is the same as calling
dcerpc_secondary_connection/dcerpc_bind_auth_none.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit e0bb97fde61bf3577651a8624bc1014561087d31
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:20:37 2014 +0100
s4:torture/samba3rpc: use pipe_bind_smb_auth()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 810d630bd5120f12540ce9ab09e106c41a028347
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:20:20 2014 +0100
s4:torture/samba3rpc: add pipe_bind_smb_auth()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit f42d4e9dd342f207b206f7cf00a75e690ded76ed
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:19:49 2014 +0100
s4:torture/samba3rpc: use pipe_bind_smb2()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 1df9416bdb9ce569618a94df4dbcdbb016b8f8a1
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:19:26 2014 +0100
s4:torture/samba3rpc: add pipe_bind_smb2()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit d80c38990fa8821cbda554aa18c19a50207172a9
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:18:30 2014 +0100
s4:torture/samba3rpc: use pipe_bind_smb() in more places
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 5a849c13a7100fe5c3a84386988b0910608b3ece
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 07:17:00 2014 +0100
s4:torture/samba3rpc: move pipe_bind_smb() to the top
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 07b1e375e561dfe4bac9e8dd495401df1b4fcff7
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Jan 22 12:49:58 2014 +0100
s4:libnet: make use of dcerpc_secondary_auth_connection_send/recv()
This avoid the bogus usage of dcerpc_pipe_auth().
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit f0366838960888fa09d040ccafa76bb0723c8174
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Jan 16 08:57:30 2014 +0100
s4:libcli/clilsa: only remember the dcerpc_binding_handle
We don't need the 'dcerpc_pipe'.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 8c22f81e9b7f58099ad095e6c205a85b05ed59a3
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jan 17 09:31:51 2014 +0100
s4:librpc/rpc: add dcerpc_secondary_auth_connection()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 9c165e550491339fbea1222b26b78e75658ec876
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 26 22:12:49 2015 +0200
dcerpc.idl: fix calculatin of uint16 secondary_address_size;
This should be 0 for secondary_address = "".
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 9f62c4e47b43d6ef7e32dedd13749de613cfc4d0
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Jul 7 13:01:16 2015 +0200
pidl:Samba4/NDR/Parser: always initialize _mem_save_ pointers to NULL
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 856c9aa503877251313885b6192286ce9b7d5059
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Mar 19 10:41:52 2014 +0100
pidl:Samba3/ServerNDR: add pidl_reset() and pidl_return() helper functions
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 16952dc7a420d2e3b4994229171580f1608d020d
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Mar 19 10:36:04 2014 +0100
pidl:Samba3/ServerNDR: make CallWithStruct() more flexible
We now pass multiple callbacks $check, $cleanup, $return
down to AllocOutVar().
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit b3de33493871bb9c2e65f48a5990d3795b8192af
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Mar 19 10:35:14 2014 +0100
pidl:Samba3/ServerNDR: simplify CallWithStruct()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2
Author: Michael Adam <ob...@samba.org>
Date: Tue Jun 30 17:46:36 2015 +0200
docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
Thereby clarify some details.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 14357700fd69291995ce6adebb13e7340a63c209
Author: Michael Adam <ob...@samba.org>
Date: Wed Jul 1 17:41:38 2015 +0200
smbd:smb2: use encryption_desired in send_break
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9
Author: Michael Adam <ob...@samba.org>
Date: Wed Jul 1 18:07:52 2015 +0200
smbd:smb2: only enable encryption in tcon if desired
Don't enforce it but only announce DATA_ENCRYPT,
making use of encryption_desired in tcon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit fc228025d78f165815d3fa1670d51f0c27ed2091
Author: Michael Adam <ob...@samba.org>
Date: Wed Jul 1 18:07:26 2015 +0200
smbd:smb2: only enable encryption in session if desired
Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 3bb299944391633c45d87d5e8ad48c2c14428592
Author: Michael Adam <ob...@samba.org>
Date: Wed Jul 1 17:42:58 2015 +0200
smbd:smb2: separate between encryption required and enc desired
this means we:
- accept unencrypted requests if encryption only desired
and not required,
- but we always send encrypted responses in the desired
case, not only when the request was encrypted.
For this purpose, the do_encryption in the request
structure is separated into was_encrypted and do_encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit a3ea6dbef53e049701326497e684e1563344e6d8
Author: Michael Adam <ob...@samba.org>
Date: Wed Jul 1 17:34:45 2015 +0200
smbXsrv: add bools encryption_desired to session and tcon
This is to indicate that we should sen the ENCRYPT_DATA
flag on session or tcon replies.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
commit 204cbe3645c59b43175beeadad792b4a00e80da3
Author: Michael Adam <ob...@samba.org>
Date: Tue Jun 30 14:16:19 2015 +0200
Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <ob...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/smbencrypt.xml | 66 +++--
lib/param/loadparm.c | 1 +
lib/param/param_table.c | 1 +
libcli/smb/smbXcli_base.c | 6 +
libcli/smb/smb_constants.h | 1 +
librpc/idl/dcerpc.idl | 2 +-
pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm | 50 ++--
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 2 +-
source3/librpc/idl/smbXsrv.idl | 2 +
source3/smbd/globals.h | 3 +
source3/smbd/smb2_server.c | 22 +-
source3/smbd/smb2_sesssetup.c | 7 +-
source3/smbd/smb2_tcon.c | 9 +-
source4/libcli/util/clilsa.c | 25 +-
source4/libnet/libnet_join.c | 11 -
source4/libnet/libnet_rpc.c | 9 +-
source4/librpc/rpc/dcerpc.h | 7 +
source4/librpc/rpc/dcerpc_secondary.c | 15 ++
source4/smb_server/smb2/negprot.c | 1 +
source4/torture/rpc/netlogon.c | 13 +-
source4/torture/rpc/samba3rpc.c | 371 +++++++++++++---------------
source4/torture/rpc/schannel.c | 33 +--
source4/torture/rpc/spoolss.c | 11 +-
23 files changed, 359 insertions(+), 309 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml
b/docs-xml/smbdotconf/security/smbencrypt.xml
index 17248e6..ae0682b 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -30,11 +30,15 @@
<para>
This parameter can be set globally and on a per-share bases.
Possible values are
- <emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
- <emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
- <emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+ <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+ <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+ <emphasis>if_required</emphasis>),
+ <emphasis>desired</emphasis>,
+ and
+ <emphasis>required</emphasis>
+ (or <emphasis>mandatory</emphasis>).
A special value is <emphasis>default</emphasis> which is
- the implicit default setting.
+ the implicit default setting of <emphasis>enabled</emphasis>.
</para>
<variablelist>
@@ -103,7 +107,7 @@
<listitem>
<para>
The capability to perform SMB encryption can be
- negotiated during prorocol negotiation.
+ negotiated during protocol negotiation.
</para>
</listitem>
@@ -145,8 +149,9 @@
<itemizedlist>
<listitem>
<para>
- Leaving it as default or explicitly setting
- <emphasis>default</emphasis> globally will enable
+ Leaving it as default, explicitly setting
+ <emphasis>default</emphasis>, or setting it to
+ <emphasis>enabled</emphasis> globally will enable
negotiation of encryption but will not turn on
data encryption globally or per share.
</para>
@@ -154,16 +159,20 @@
<listitem>
<para>
- Setting it to <emphasis>enabled</emphasis> globally will
- enable negotiation and turn on data encryption globally.
+ Setting it to <emphasis>desired</emphasis> globally
+ will enable negotiation and will turn on data encryption
+ on sessions and share connections for those clients
+ that support it.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> globally
- will enable negotiation and enforce data encryption
- globally.
+ will enable negotiation and turn on data encryption
+ on sessions and share connections. Clients that do
+ not support encryption will be denied access to the
+ server.
</para>
</listitem>
@@ -176,9 +185,10 @@
<listitem>
<para>
- Setting it to <emphasis>enabled</emphasis> on a share
- will turn on data encryption for this share if
- negotiation has been enabled globally.
+ Setting it to <emphasis>desired</emphasis> on a share
+ will turn on data encryption for this share for clients
+ that support encryption if negotiation has been
+ enabled globally.
</para>
</listitem>
@@ -186,16 +196,34 @@
<para>
Setting it to <emphasis>required</emphasis> on a share
will enforce data encryption for this share if
- negotiation has been enabled globally. Note that this
- allows enforcing to be controlled in Samba more
- fine-grainedly than in Windows. This is a small
- deviation from the MS-SMB2 protocol document.
+ negotiation has been enabled globally. I.e. clients that
+ do not support encryption will be denied access to the
+ share.
+ </para>
+ <para>
+ Note that this allows per-share enforcing to be
+ controlled in Samba differently from Windows:
+ In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+ is a global setting, and if it is set, all shares with
+ data encryption turned on
+ are automatically enforcing encryption. In order to
+ achieve the same effect in Samba, one
+ has to globally set <emphasis>smb encrypt</emphasis> to
+ <emphasis>enabled</emphasis>, and then set all shares
+ that should be encrypted to
+ <emphasis>required</emphasis>.
+ Additionally, it is possible in Samba to have some
+ shares with encryption <emphasis>required</emphasis>
+ and some other shares with encryption only
+ <emphasis>desired</emphasis>, which is not possible in
+ Windows.
</para>
</listitem>
<listitem>
<para>
- Setting it to <emphasis>off</emphasis> for a share has
+ Setting it to <emphasis>off</emphasis> or
+ <emphasis>enabled</emphasis> for a share has
no effect.
</para>
</listitem>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index bb215b2..0e11428 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3207,6 +3207,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context
*lp_ctx, bool *mandato
case SMB_SIGNING_REQUIRED:
*mandatory = true;
break;
+ case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED:
break;
case SMB_SIGNING_DEFAULT:
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 287839f..ff31038 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -115,6 +115,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
{SMB_SIGNING_IF_REQUIRED, "On"},
{SMB_SIGNING_IF_REQUIRED, "enabled"},
{SMB_SIGNING_IF_REQUIRED, "auto"},
+ {SMB_SIGNING_DESIRED, "desired"},
{SMB_SIGNING_REQUIRED, "required"},
{SMB_SIGNING_REQUIRED, "mandatory"},
{SMB_SIGNING_REQUIRED, "force"},
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c8ae5b0..6c35430 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -376,6 +376,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX
*mem_ctx,
conn->desire_signing = false;
conn->mandatory_signing = false;
break;
+ case SMB_SIGNING_DESIRED:
+ /* if the server desires it */
+ conn->allow_signing = true;
+ conn->desire_signing = true;
+ conn->mandatory_signing = false;
+ break;
case SMB_SIGNING_REQUIRED:
/* always */
conn->allow_signing = true;
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 589b1a63..c4cca15 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -98,6 +98,7 @@ enum smb_signing_setting {
SMB_SIGNING_DEFAULT = -1,
SMB_SIGNING_OFF = 0,
SMB_SIGNING_IF_REQUIRED = 1,
+ SMB_SIGNING_DESIRED = 2,
SMB_SIGNING_REQUIRED = 3,
};
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 67f4b9d..63be48e 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -106,7 +106,7 @@ interface dcerpc
uint16 max_xmit_frag;
uint16 max_recv_frag;
uint32 assoc_group_id;
- [value(strlen(secondary_address)+1)] uint16
secondary_address_size;
+ [value(strlen_m_term_null(secondary_address))] uint16
secondary_address_size;
[charset(DOS)] uint8 secondary_address[secondary_address_size];
[flag(NDR_ALIGN4)] DATA_BLOB _pad1;
uint8 num_results;
diff --git a/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm
b/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm
index bff23e2..bae84af 100644
--- a/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm
+++ b/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm
@@ -24,6 +24,8 @@ $VERSION = '0.01';
my $res;
my $res_hdr;
my $tabs = "";
+sub pidl_reset() { $res=""; $res_hdr="", $tabs=""; }
+sub pidl_return() { my $s = $res; my $h = $res_hdr; pidl_reset(); return ($s,
$h) }
sub indent() { $tabs.="\t"; }
sub deindent() { $tabs = substr($tabs, 1); }
sub pidl($) { my ($txt) = @_; $res .= $txt?$tabs.(shift)."\n":"\n"; }
@@ -48,9 +50,9 @@ sub DeclLevel($$)
return $res;
}
-sub AllocOutVar($$$$$)
+sub AllocOutVar($$$$$$$)
{
- my ($e, $mem_ctx, $name, $env, $fail) = @_;
+ my ($e, $mem_ctx, $name, $env, $check, $cleanup, $return) = @_;
my $l = $e->{LEVELS}[0];
@@ -83,15 +85,18 @@ sub AllocOutVar($$$$$)
pidl "$name = talloc_zero($mem_ctx, " . DeclLevel($e, 1) . ");";
}
- pidl "if ($name == NULL) {";
- $fail->();
+ pidl "if (" . $check->($name) . ") {";
+ indent;
+ pidl $cleanup->($name) if defined($cleanup);
+ pidl $return->($name) if defined($return);
+ deindent;
pidl "}";
pidl "";
}
-sub CallWithStruct($$$$)
+sub CallWithStruct($$$$$$)
{
- my ($pipes_struct, $mem_ctx, $fn, $fail) = @_;
+ my ($pipes_struct, $mem_ctx, $fn, $check, $cleanup, $return) = @_;
my $env = GenerateFunctionOutEnv($fn);
my $hasout = 0;
foreach (@{$fn->{ELEMENTS}}) {
@@ -100,8 +105,6 @@ sub CallWithStruct($$$$)
pidl "ZERO_STRUCT(r->out);" if ($hasout);
- my $proto = "_$fn->{NAME}(struct pipes_struct *p, struct $fn->{NAME}
*r";
- my $ret = "_$fn->{NAME}($pipes_struct, r";
foreach (@{$fn->{ELEMENTS}}) {
my @dir = @{$_->{DIRECTION}};
if (grep(/in/, @dir) and grep(/out/, @dir)) {
@@ -116,11 +119,13 @@ sub CallWithStruct($$$$)
# noop
} elsif (grep(/out/, @dir) and not
has_property($_, "represent_as")) {
- AllocOutVar($_, $mem_ctx, "r->out.$_->{NAME}", $env,
$fail);
+ AllocOutVar($_, $mem_ctx, "r->out.$_->{NAME}", $env,
+ $check, $cleanup, $return);
}
}
- $ret .= ")";
- $proto .= ");";
+
+ my $proto = "_$fn->{NAME}(struct pipes_struct *p, struct $fn->{NAME}
*r)";
+ my $ret = "_$fn->{NAME}($pipes_struct, r)";
if ($fn->{RETURN_TYPE}) {
$ret = "r->out.result = $ret";
@@ -129,7 +134,7 @@ sub CallWithStruct($$$$)
$proto = "void $proto";
}
- pidl_hdr "$proto";
+ pidl_hdr "$proto;";
pidl "$ret;";
}
@@ -176,10 +181,18 @@ sub ParseFunction($$)
pidl "}";
pidl "";
- CallWithStruct("p", "r", $fn,
- sub {
- pidl "\ttalloc_free(r);";
- pidl "\treturn false;";
+ CallWithStruct("p", "r", $fn,
+ sub ($) {
+ my ($name) = @_;
+ return "${name} == NULL";
+ },
+ sub ($) {
+ my ($name) = @_;
+ return "talloc_free(r);";
+ },
+ sub ($) {
+ my ($name) = @_;
+ return "return false;";
}
);
@@ -286,8 +299,7 @@ sub Parse($$$)
{
my($ndr,$header,$ndr_header) = @_;
- $res = "";
- $res_hdr = "";
+ pidl_reset();
pidl "/*";
pidl " * Unix SMB/CIFS implementation.";
@@ -304,7 +316,7 @@ sub Parse($$$)
ParseInterface($_) if ($_->{TYPE} eq "INTERFACE");
}
- return ($res, $res_hdr);
+ return pidl_return();
}
1;
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index a267fb1..f52d4b1 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1688,7 +1688,7 @@ sub DeclareMemCtxVariables($$)
}
if (defined($mem_flags)) {
- $self->pidl("TALLOC_CTX
*_mem_save_$e->{NAME}_$l->{LEVEL_INDEX};");
+ $self->pidl("TALLOC_CTX
*_mem_save_$e->{NAME}_$l->{LEVEL_INDEX} = NULL;");
}
}
}
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 4367d72..77959ce 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -193,6 +193,7 @@ interface smbXsrv
[ignore] user_struct *compat;
[ignore] smbXsrv_tcon_table *tcon_table;
[ignore] smbXsrv_preauth *preauth;
+ boolean8 encryption_desired;
} smbXsrv_session;
typedef union {
@@ -287,6 +288,7 @@ interface smbXsrv
NTSTATUS status;
NTTIME idle_time;
[ignore] connection_struct *compat;
+ boolean8 encryption_desired;
} smbXsrv_tcon;
typedef union {
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 3ddafaf..2ca23aa 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -654,6 +654,9 @@ struct smbd_smb2_request {
int current_idx;
bool do_signing;
+ /* Was the request encrypted? */
+ bool was_encrypted;
+ /* Should we encrypt? */
bool do_encryption;
struct tevent_timer *async_te;
bool compound_related;
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index a8d54cb..2ea997e 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2000,6 +2000,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
NTSTATUS return_value;
struct smbXsrv_session *x = NULL;
bool signing_required = false;
+ bool encryption_desired = false;
bool encryption_required = false;
inhdr = SMBD_SMB2_IN_HDR_PTR(req);
@@ -2047,11 +2048,13 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
x = req->session;
if (x != NULL) {
signing_required = x->global->signing_required;
+ encryption_desired = x->encryption_desired;
encryption_required = x->global->encryption_required;
}
req->do_signing = false;
req->do_encryption = false;
+ req->was_encrypted = false;
if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID);
@@ -2073,10 +2076,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
NT_STATUS_ACCESS_DENIED);
}
- req->do_encryption = true;
+ req->was_encrypted = true;
}
- if (encryption_required && !req->do_encryption) {
+ if (encryption_required && !req->was_encrypted) {
return smbd_smb2_request_error(req,
NT_STATUS_ACCESS_DENIED);
}
@@ -2116,7 +2119,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
req->compat_chain_fsp = NULL;
}
- if (req->do_encryption) {
+ if (req->was_encrypted) {
signing_required = false;
} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
DATA_BLOB signing_key = data_blob_null;
@@ -2202,15 +2205,22 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
+ if (req->tcon->encryption_desired) {
+ encryption_desired = true;
+ }
if (req->tcon->global->encryption_required) {
encryption_required = true;
}
- if (encryption_required && !req->do_encryption) {
+ if (encryption_required && !req->was_encrypted) {
return smbd_smb2_request_error(req,
NT_STATUS_ACCESS_DENIED);
}
}
+ if (req->was_encrypted || encryption_desired) {
+ req->do_encryption = true;
+ }
+
if (call->fileid_ofs != 0) {
size_t needed = call->fileid_ofs + 16;
const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
@@ -2843,8 +2853,8 @@ static NTSTATUS smbd_smb2_send_break(struct
smbXsrv_connection *xconn,
if (session != NULL) {
session_wire_id = session->global->session_wire_id;
- do_encryption = session->global->encryption_required;
- if (tcon->global->encryption_required) {
+ do_encryption = session->encryption_desired;
+ if (tcon->encryption_desired) {
do_encryption = true;
}
}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index da7adb3..11d381f 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -262,12 +262,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
x->global->signing_required = true;
}
- if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
+ if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
(xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
- x->global->encryption_required = true;
+ x->encryption_desired = true;
}
if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+ x->encryption_desired = true;
x->global->encryption_required = true;
}
@@ -294,7 +295,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
}
}
- if (x->global->encryption_required) {
+ if (x->encryption_desired) {
*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
}
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index eb66ea0..99e2f21 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -193,6 +193,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
connection_struct *compat_conn = NULL;
struct user_struct *compat_vuser = req->session->compat;
NTSTATUS status;
+ bool encryption_desired = req->session->encryption_desired;
bool encryption_required = req->session->global->encryption_required;
bool guest_session = false;
bool require_signed_tcon = false;
@@ -266,12 +267,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
return NT_STATUS_BAD_NETWORK_NAME;
}
- if ((lp_smb_encrypt(snum) > SMB_SIGNING_OFF) &&
+ if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
(conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
- encryption_required = true;
+ encryption_desired = true;
}
if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+ encryption_desired = true;
encryption_required = true;
--
Samba Shared Repository
