The branch, v4-8-test has been updated
via 58c53ddef51 s3:smb2_sesssetup: check session_info security level
before it gets talloc_move'd
via 3d9debd0f7e s4:torture/smb2/session: session reauth response must
be signed
via 9694933cc39 s4:torture/smb2/session: add force_signing to
test_session_expire1i
via b79e847e351 s4:torture/smb2/session: require a signed session setup
reauth response
via 288a79d997b s4:torture/smb2/session: invalidate credential cache
via 7a5077d7e9a libcli/smb: use require_signed_response in
smb2cli_conn_dispatch_incoming()
via 4ba496bf3c1 libcli/smb: defer singing check a little bit
via 2b73c8a0df4 libcli/smb: maintain require_signed_response in
smbXcli_req_state
via 33dc0907353 libcli/smb: add
smb2cli_session_require_signed_response()
via c25a69a0861 s3:selftest: also run smb2.session torture testsuite
against ad_member
via eb8a35e7f84 s3:selftest: split "raw.session" and "smb2.session"
from aa3a07a01f9 torture: Fix the 32-bit build
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test
- Log -----------------------------------------------------------------
commit 58c53ddef51239c9581728131b60188c663c14a6
Author: Ralph Boehme <s...@samba.org>
Date: Thu Nov 8 17:31:41 2018 +0100
s3:smb2_sesssetup: check session_info security level before it gets
talloc_move'd
We talloc_move() session_info to session->global->auth_session_info
which sets session_info to NULL.
This means security_session_user_level(NULL, NULL) will always return
SECURITY_ANONYMOUS so we never sign the session setup response.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144
(cherry picked from commit bb93e691ca9b1922bf552363a1e7d70792749d67)
Autobuild-User(v4-8-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-8-test): Fri Nov 23 13:52:04 CET 2018 on sn-devel-144
commit 3d9debd0f7e43dc20450acef90ce0180193a6ad6
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 12:39:41 2018 +0100
s4:torture/smb2/session: session reauth response must be signed
This test checks that a session setup reauth is signed even when neither
client nor server require signing.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 181f18c4bf70754a6f3132375d06250baab2871b)
commit 9694933cc39adfb37afaec7edc6a1650b5ec57a8
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 12:19:16 2018 +0100
s4:torture/smb2/session: add force_signing to test_session_expire1i
Existing callers pass true, so no change in behaviour. The next commit
adds an additional test that passes force_signing=false.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 5fdea4095ac82536192c8d91c411b22e2683a5c1)
commit b79e847e35145ad04b7582f64a3c6aeae36212d8
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 15:34:24 2018 +0100
s4:torture/smb2/session: require a signed session setup reauth response
All existing tests using this function require signing, so currently
this passes. A subsequent commit adds a test where neither client nor
server require signing and that's where this trap will explode.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit ffc424ee6bedc3c208acb4c0c83da836a12d6123)
commit 288a79d997b30acbd611b17b024cec1cc33fba10
Author: Ralph Boehme <s...@samba.org>
Date: Thu Nov 8 15:42:46 2018 +0100
s4:torture/smb2/session: invalidate credential cache
Invalidate credential cache before connecting to the server, otherwise
we will reuse the credentials from the credential cache populated by the
preceeding tests.
Also invalidate it at the end, otherwise subsequent tests might run into
problems if the credentials expire while authenticating.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 368e1860654e737aa2fa9516cdd3668fa644009a)
commit 7a5077d7e9a5ef8c346877f10426355a298ea6e4
Author: Ralph Boehme <s...@samba.org>
Date: Sat Nov 10 22:00:04 2018 +0100
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc)
commit 4ba496bf3c13c567b7a2617133e0bc7f5a2c8f1f
Author: Ralph Boehme <s...@samba.org>
Date: Sat Nov 10 21:56:28 2018 +0100
libcli/smb: defer singing check a little bit
This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 7abf3900218e3d27c075b405735b2c38ec0fc4ca)
commit 2b73c8a0df41d0e3e303bd0de7d45141580c4eff
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 15:26:44 2018 +0100
libcli/smb: maintain require_signed_response in smbXcli_req_state
Not used for now, that comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 67cfb01611869b7590ccd836dd13a80e53545714)
commit 33dc09073532ac7bb30a0ae97c08a1956491208d
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 15:17:19 2018 +0100
libcli/smb: add smb2cli_session_require_signed_response()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit d407201d9bd4ee5ae5609dd107e3ab9ee7afbeb0)
commit c25a69a08618510306dafc97aaaf80a8c65e80b8
Author: Ralph Boehme <s...@samba.org>
Date: Fri Nov 9 12:33:29 2018 +0100
s3:selftest: also run smb2.session torture testsuite against ad_member
The next commit adds a subtest to the smb2.session testsuite that
requires Kerberos (ad_dc would work), but where neither SMB2 server or
client must require signing (ad_dc, being an AD DC, requires signing).
The ad_member environment supports Kerberos with the SMB2 server not
mandating signing, that'll do.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit b86c94f0b929f2d9e521d41396c4e1611f5a4c5b)
commit eb8a35e7f84593a3dc05c841761c0d5d9f1557e6
Author: Ralph Boehme <s...@samba.org>
Date: Thu Nov 8 16:24:45 2018 +0100
s3:selftest: split "raw.session" and "smb2.session"
The next commit is going to add a testsuite to "smb2.session".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit d0a8899ed57c2b368c3870b3899a3422251222aa)
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smbXcli_base.c | 37 +++++++++++++++++++++++++++++++------
libcli/smb/smbXcli_base.h | 2 ++
source3/selftest/tests.py | 8 +++++++-
source3/smbd/smb2_sesssetup.c | 8 ++++----
source4/torture/smb2/session.c | 31 ++++++++++++++++++++++++++++++-
5 files changed, 74 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 389c272675d..512cbd8c6f4 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -161,6 +161,7 @@ struct smb2cli_session {
uint64_t nonce_low;
uint16_t channel_sequence;
bool replay_active;
+ bool require_signed_response;
};
struct smbXcli_session {
@@ -289,6 +290,7 @@ struct smbXcli_req_state {
uint64_t encryption_session_id;
bool signing_skipped;
+ bool require_signed_response;
bool notify_async;
bool got_async;
uint16_t cancel_flags;
@@ -2962,6 +2964,8 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
state->smb2.should_sign = session->smb2->should_sign;
state->smb2.should_encrypt = session->smb2->should_encrypt;
+ state->smb2.require_signed_response =
+ session->smb2->require_signed_response;
if (cmd == SMB2_OP_SESSSETUP &&
session->smb2_channel.signing_key.length == 0 &&
@@ -3748,12 +3752,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct
smbXcli_conn *conn,
}
last_session = session;
- if (state->smb2.should_sign) {
- if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
if (flags & SMB2_HDR_FLAG_SIGNED) {
uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
@@ -3800,6 +3798,27 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct
smbXcli_conn *conn,
*/
signing_key = NULL;
}
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Only check the signature of the last response
+ * of a successfull session auth. This matches
+ * Windows behaviour for NTLM auth and reauth.
+ */
+ state->smb2.require_signed_response = false;
+ }
+ }
+
+ if (state->smb2.should_sign ||
+ state->smb2.require_signed_response)
+ {
+ if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (signing_key == NULL && state->smb2.require_signed_response)
{
+ signing_key = &session->smb2_channel.signing_key;
}
if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
@@ -5717,6 +5736,12 @@ void smb2cli_session_stop_replay(struct smbXcli_session
*session)
session->smb2->replay_active = false;
}
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response)
+{
+ session->smb2->require_signed_response = require_signed_response;
+}
+
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov)
{
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 536c7ab60f4..42c2519c7ff 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -492,6 +492,8 @@ uint16_t smb2cli_session_reset_channel_sequence(struct
smbXcli_session *session,
uint16_t smb2cli_session_current_channel_sequence(struct smbXcli_session
*session);
void smb2cli_session_start_replay(struct smbXcli_session *session);
void smb2cli_session_stop_replay(struct smbXcli_session *session);
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response);
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov);
NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index a6de080b1d3..7b3552a31b9 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -460,11 +460,17 @@ for t in tests:
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "simpleserver", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp
-U$USERNAME%$PASSWORD')
- elif t == "raw.session" or t == "smb2.session":
+ elif t == "raw.session":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD', 'plain')
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc
-U$USERNAME%$PASSWORD', 'enc')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no
-U$USERNAME%$PASSWORD', 'ntlm')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes
-U$USERNAME%$PASSWORD', 'krb5')
+ elif t == "smb2.session":
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD', 'plain')
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc
-U$USERNAME%$PASSWORD', 'enc')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no
-U$USERNAME%$PASSWORD', 'ntlm')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes
-U$USERNAME%$PASSWORD', 'krb5')
+ plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -k yes
-U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
elif t == "rpc.lsa":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD', 'over ncacn_np ')
plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP
-U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 5e1e8b4ec57..2c24e7a1abc 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -525,6 +525,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct
smbXsrv_session *session,
reload_services(smb2req->sconn, conn_snum_used, true);
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
session->status = NT_STATUS_OK;
TALLOC_FREE(session->global->auth_session_info);
session->global->auth_session_info = talloc_move(session->global,
@@ -551,10 +555,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct
smbXsrv_session *session,
conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid);
- if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
- smb2req->do_signing = true;
- }
-
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 7dc9ba19ee6..57a5addcfcc 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1047,6 +1047,7 @@ done:
static bool test_session_expire1i(struct torture_context *tctx,
+ bool force_signing,
bool force_encryption)
{
NTSTATUS status;
@@ -1073,10 +1074,14 @@ static bool test_session_expire1i(struct
torture_context *tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
- options.signing = SMB_SIGNING_REQUIRED;
+ if (force_signing) {
+ options.signing = SMB_SIGNING_REQUIRED;
+ }
status = smb2_connect(tctx,
host,
@@ -1152,12 +1157,20 @@ static bool test_session_expire1i(struct
torture_context *tctx,
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+ if (!force_encryption) {
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, true);
+ }
+
torture_comment(tctx, "reauth => OK\n");
status = smb2_session_setup_spnego(tree->session,
credentials,
0 /* previous_session_id */);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"smb2_session_setup_spnego failed");
+
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, false);
}
ZERO_STRUCT(qfinfo.access_information.out);
@@ -1167,6 +1180,8 @@ static bool test_session_expire1i(struct torture_context
*tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1176,15 +1191,24 @@ done:
return ret;
}
+static bool test_session_expire1n(struct torture_context *tctx)
+{
+ return test_session_expire1i(tctx,
+ false, /* force_signing */
+ false); /* force_encryption */
+}
+
static bool test_session_expire1s(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
false); /* force_encryption */
}
static bool test_session_expire1e(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
true); /* force_encryption */
}
@@ -1236,6 +1260,8 @@ static bool test_session_expire2i(struct torture_context
*tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
@@ -1547,6 +1573,8 @@ static bool test_session_expire2i(struct torture_context
*tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1721,6 +1749,7 @@ struct torture_suite
*torture_smb2_session_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
+ torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
--
Samba Shared Repository
