const char *smb3_encryption_algorithm_name(uint16_t algo);
struct smb311_capabilities smb311_capabilities_parse(const char *role,
+ const char * const *signing_algos,
const char * const *encryption_algos);
NTSTATUS smb311_capabilities_check(const struct smb311_capabilities *c,
NTSTATUS error_status,
const char *role,
enum protocol_types protocol,
+ uint16_t sign_algo,
uint16_t cipher_algo);
#endif /* _LIBCLI_SMB_SMB2_NEGOTIATE_BLOB_H_ */
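Review bot: The new `sign_algo` parameter of `smb311_capabilities_check` and the new `signing_algos` parameter of `smb311_capabilities_parse` carry no comment in this header, so a caller cannot tell what to pass for a dialect that never negotiates a signing algorithm. The implementation hunk later in this commit treats any value absent from the parsed list as a hard failure returning `error_status`, which makes the choice of value security-relevant rather than cosmetic. I would add above the `smb311_capabilities_check` prototype: `/* sign_algo: the negotiated SMB 3.1.1 signing algorithm, or the algorithm implied by the dialect for SMB < 3.1.1; the call fails with error_status when it is not one of the parsed signing_algos. */`. The prototype's leading lines sit inside the hunk, so the comment can go directly before `NTSTATUS smb311_capabilities_check(`.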
NT_STATUS_ACCESS_DENIED,
"client",
conn->protocol,
+ conn->smb2.server.sign_algo,
conn->smb2.server.cipher);
}
}
struct smb311_capabilities smb311_capabilities_parse(const char *role,
+ const char * const *signing_algos,
const char * const *encryption_algos)
{
- const char * const *signing_algos = NULL;
struct smb311_capabilities c = {
.signing = {
.num_algos = 0,
NTSTATUS error_status,
const char *role,
enum protocol_types protocol,
+ uint16_t sign_algo,
uint16_t cipher_algo)
{
+ const struct smb3_signing_capabilities *sign_algos =
+ &c->signing;
const struct smb3_encryption_capabilities *ciphers =
&c->encryption;
+ bool found_signing = false;
bool found_encryption = false;
size_t i;
+ for (i = 0; i < sign_algos->num_algos; i++) {
+ if (sign_algo == sign_algos->algos[i]) {
+ /*
+ * We found a match
+ */
+ found_signing = true;
+ break;
+ }
+ }
+
for (i = 0; i < ciphers->num_algos; i++) {
if (cipher_algo == SMB2_ENCRYPTION_NONE) {
/*
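Review bot: The new signing loop at the top of this hunk has no counterpart to the `SMB2_ENCRYPTION_NONE` escape that the cipher loop below it keeps, so when `c->signing.num_algos` is 0 `found_signing` stays false and the rejection added in the hunk ending at `* We negotiated a cipher we don't allow,` returns `error_status` for every dialect, including those where the caller presumably passes the dialect's fixed algorithm. Failing closed is the right default for a signing allow-list, but an empty or mistyped `smb3 signing algorithms` setting then silently turns into a refusal of all SMB2/3 connections, and nothing in the code says so; whether `smb311_capabilities_parse` can actually yield an empty signing list is outside this hunk. I would extend the comment before that rejection with `* An empty or non-matching allow-list rejects the connection, even for dialects whose signing algorithm is fixed.`. The three-line `/* We found a match */` comment inside the loop could be reduced to a single `break; /* match */`.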
}
}
+ if (!found_signing) {
+ /*
+ * We negotiated a signing algo we don't allow,
+ * most likely for SMB < 3.1.1
+ */
+ DEBUG(debug_lvl,("%s: "
+ "SMB3 signing algorithm[%u][%s] on dialect[%s] "
+ "not allowed by '%s smb3 signing algorithms' - %s.\n",
+ debug_prefix,
+ sign_algo,
+ smb3_signing_algorithm_name(sign_algo),
+ smb_protocol_types_string(protocol),
+ role,
+ nt_errstr(error_status)));
+ return error_status;
+ }
+
if (!found_encryption) {
/*
* We negotiated a cipher we don't allow,
uint32_t smb2_capabilities = 0;
struct smb311_capabilities smb3_capabilities =
smb311_capabilities_parse("client",
+ lp_client_smb3_signing_algorithms(),
lp_client_smb3_encryption_algorithms());
struct GUID client_guid;
struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
const struct smb311_capabilities default_smb3_capabilities =
smb311_capabilities_parse("server",
+ lp_server_smb3_signing_algorithms(),
lp_server_smb3_encryption_algorithms());
DATA_BLOB out_negotiate_context_blob = data_blob_null;
uint32_t out_negotiate_context_offset = 0;
NT_STATUS_INVALID_PARAMETER,
"server",
protocol,
+ xconn->smb2.server.sign_algo,
xconn->smb2.server.cipher);
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
.client_guid = GUID_random(),
.max_credits = WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK,
.smb3_capabilities = smb311_capabilities_parse("client",
+ lpcfg_client_smb3_signing_algorithms(lp_ctx),
lpcfg_client_smb3_encryption_algorithms(lp_ctx)),
};
}