The branch, v4-8-test has been updated via fd01706 smb2_server: set req->do_encryption = true earlier via 5a77625 s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion from 2d79c2e ctdb-tests: Drop code for RECEIVE_RECORDS control
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test - Log ----------------------------------------------------------------- commit fd017065e0178e73c9c76a0a796356e078aae77a Author: Stefan Metzmacher <me...@samba.org> Date: Fri Aug 17 11:35:41 2018 +0200 smb2_server: set req->do_encryption = true earlier The STATUS_SESSION_EXPIRED error was returned unencrypted, if the request was encrypted. If clients use SMB3 encryption and the kerberos authenticated session expires, clients disconnect the connection instead of doing a reauthentication. From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/ The sender encrypts the message if any of the following conditions is satisfied: - If the sender is sending a response to an encrypted request. - If Session.EncryptData is TRUE and the request or response being sent is not NEGOTIATE. - If Session.EncryptData is FALSE, the request or response being sent is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and <TreeConnect|Share>.EncryptData is TRUE. [MS-SMB2] 3.3.4.1.4 Encrypting the Message If Connection.Dialect belongs to the SMB 3.x dialect family and Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST encrypt the message before sending, if any of the following conditions are satisfied: - If the message being sent is any response to a client request for which Request.IsEncrypted is TRUE. - If Session.EncryptData is TRUE and the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP. - If Session.EncryptData is FALSE, the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and Share.EncryptData for the share associated with the TreeId in the SMB2 header of the response is TRUE. The server MUST encrypt the message as specified in section 3.1.4.3, before sending it to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Volker Lendecke <v...@samba.org> Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144 (cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d) Autobuild-User(v4-8-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-8-test): Wed Oct 10 17:25:32 CEST 2018 on sn-devel-144 commit 5a77625fb86401f6300f3c45e2fbcaf295412ac6 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Sep 28 12:23:37 2018 +0200 s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion This reproduces the problem we have with expired encrypted sessions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1) ----------------------------------------------------------------------- Summary of changes: source3/smbd/smb2_server.c | 15 ++++++++----- source4/torture/smb2/session.c | 50 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 56 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 177e5ff..af065e9 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2364,7 +2364,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) req->async_internal = false; req->do_signing = false; - req->do_encryption = false; + if (opcode != SMB2_OP_SESSSETUP) { + req->do_encryption = encryption_desired; + } else { + req->do_encryption = false; + } req->was_encrypted = false; if (intf_v->iov_len == SMB2_TF_HDR_SIZE) { const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req); @@ -2388,9 +2392,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) } req->was_encrypted = true; + req->do_encryption = true; } if (encryption_required && !req->was_encrypted) { + req->do_encryption = true; return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); } @@ -2526,15 +2532,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) encryption_required = true; } if (encryption_required && !req->was_encrypted) { + req->do_encryption = true; return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); + } else if (encryption_desired) { + req->do_encryption = true; } } - if (req->was_encrypted || encryption_desired) { - req->do_encryption = true; - } - if (req->session) { bool update_session_global = false; bool update_tcon_global = false; diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c index f3fa596..7dc9ba1 100644 --- a/source4/torture/smb2/session.c +++ b/source4/torture/smb2/session.c @@ -1046,7 +1046,8 @@ done: } -static bool test_session_expire1(struct torture_context *tctx) +static bool test_session_expire1i(struct torture_context *tctx, + bool force_encryption) { NTSTATUS status; bool ret = false; @@ -1075,6 +1076,7 @@ static bool test_session_expire1(struct torture_context *tctx) lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4"); lpcfg_smbcli_options(tctx->lp_ctx, &options); + options.signing = SMB_SIGNING_REQUIRED; status = smb2_connect(tctx, host, @@ -1091,6 +1093,12 @@ static bool test_session_expire1(struct torture_context *tctx) torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_connect failed"); + if (force_encryption) { + status = smb2cli_session_encryption_on(tree->session->smbXcli); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2cli_session_encryption_on failed"); + } + /* Add some random component to the file name. */ snprintf(fname, sizeof(fname), "session_expire1_%s.dat", generate_random_str(tctx, 8)); @@ -1168,7 +1176,20 @@ done: return ret; } -static bool test_session_expire2(struct torture_context *tctx) +static bool test_session_expire1s(struct torture_context *tctx) +{ + return test_session_expire1i(tctx, + false); /* force_encryption */ +} + +static bool test_session_expire1e(struct torture_context *tctx) +{ + return test_session_expire1i(tctx, + true); /* force_encryption */ +} + +static bool test_session_expire2i(struct torture_context *tctx, + bool force_encryption) { NTSTATUS status; bool ret = false; @@ -1218,6 +1239,7 @@ static bool test_session_expire2(struct torture_context *tctx) lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4"); lpcfg_smbcli_options(tctx->lp_ctx, &options); + options.signing = SMB_SIGNING_REQUIRED; unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share); torture_assert(tctx, unc != NULL, "talloc_asprintf"); @@ -1237,6 +1259,12 @@ static bool test_session_expire2(struct torture_context *tctx) torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_connect failed"); + if (force_encryption) { + status = smb2cli_session_encryption_on(tree->session->smbXcli); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2cli_session_encryption_on failed"); + } + caps = smb2cli_conn_server_capabilities(tree->session->transport->conn); /* Add some random component to the file name. */ @@ -1528,6 +1556,18 @@ done: return ret; } +static bool test_session_expire2s(struct torture_context *tctx) +{ + return test_session_expire2i(tctx, + false); /* force_encryption */ +} + +static bool test_session_expire2e(struct torture_context *tctx) +{ + return test_session_expire2i(tctx, + true); /* force_encryption */ +} + bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1) { const char *host = torture_setting_string(tctx, "host", NULL); @@ -1681,8 +1721,10 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx) torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4); torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5); torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6); - torture_suite_add_simple_test(suite, "expire1", test_session_expire1); - torture_suite_add_simple_test(suite, "expire2", test_session_expire2); + torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s); + torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e); + torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s); + torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e); torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1); suite->description = talloc_strdup(suite, "SMB2-SESSION tests"); -- Samba Shared Repository