libcli/smb: add smb311_capabilities_check() helper
authorStefan Metzmacher <metze@samba.org>
Wed, 14 Jul 2021 10:13:49 +0000 (12:13 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 15 Jul 2021 00:06:31 +0000 (00:06 +0000)
It checks that the resulting algorithms (most likely for
dialects < 3.1.1) are actually allowed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
libcli/smb/smb2_negotiate_context.h
libcli/smb/util.c

index a7e94b50681b1933f209220e3d3fa20f19147ac6..aa0eb4097f38243b4c76d4a2ef94557791fe9bd2 100644 (file)
@@ -71,4 +71,12 @@ const char *smb3_encryption_algorithm_name(uint16_t algo);
 struct smb311_capabilities smb311_capabilities_parse(const char *role,
                                const char * const *encryption_algos);
 
+NTSTATUS smb311_capabilities_check(const struct smb311_capabilities *c,
+                                  const char *debug_prefix,
+                                  int debug_lvl,
+                                  NTSTATUS error_status,
+                                  const char *role,
+                                  enum protocol_types protocol,
+                                  uint16_t cipher_algo);
+
 #endif /* _LIBCLI_SMB_SMB2_NEGOTIATE_BLOB_H_ */
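Review bot: The new prototype for smb311_capabilities_check() has no comment, and its contract is not obvious from the signature. Going by the definition added to util.c in this commit, it returns the caller-supplied `error_status` when `cipher_algo` is not in `c->encryption`, and it treats SMB2_ENCRYPTION_NONE as acceptable whenever the list is non-empty. I would add a comment above the declaration such as `/* Returns error_status if cipher_algo is not in c->encryption; SMB2_ENCRYPTION_NONE passes this check, so callers that require encryption must enforce that separately. */`. This makes clear that the helper is an allow-list check on the negotiated cipher and does not guarantee that the session is encrypted.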
index c2fa2f0d2447254df644ecbef83c988b0bdfa88a..79f1bac81b2e667d66417a500888260a206dd50c 100644 (file)
@@ -562,3 +562,54 @@ struct smb311_capabilities smb311_capabilities_parse(const char *role,
 
        return c;
 }
+
+NTSTATUS smb311_capabilities_check(const struct smb311_capabilities *c,
+                                  const char *debug_prefix,
+                                  int debug_lvl,
+                                  NTSTATUS error_status,
+                                  const char *role,
+                                  enum protocol_types protocol,
+                                  uint16_t cipher_algo)
+{
+       const struct smb3_encryption_capabilities *ciphers =
+               &c->encryption;
+       bool found_encryption = false;
+       size_t i;
+
+       for (i = 0; i < ciphers->num_algos; i++) {
+               if (cipher_algo == SMB2_ENCRYPTION_NONE) {
+                       /*
+                        * encryption not supported, we'll error out later
+                        */
+                       found_encryption = true;
+                       break;
+               }
+
+               if (cipher_algo == ciphers->algos[i]) {
+                       /*
+                        * We found a match
+                        */
+                       found_encryption = true;
+                       break;
+               }
+       }
+
+       if (!found_encryption) {
+               /*
+                * We negotiated a cipher we don't allow,
+                * most likely for SMB 3.0 and 3.0.2
+                */
+               DEBUG(debug_lvl,("%s: "
+                     "SMB3 encryption algorithm[%u][%s] on dialect[%s] "
+                     "not allowed by '%s smb3 encryption algorithms' - %s.\n",
+                     debug_prefix,
+                     cipher_algo,
+                     smb3_encryption_algorithm_name(cipher_algo),
+                     smb_protocol_types_string(protocol),
+                     role,
+                     nt_errstr(error_status)));
+               return error_status;
+       }
+
+       return NT_STATUS_OK;
+}
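Review bot: The `cipher_algo == SMB2_ENCRYPTION_NONE` test sits inside the `for` loop although it does not depend on `i`, so its outcome depends on `ciphers->num_algos`. With an empty list the loop body never runs and SMB2_ENCRYPTION_NONE falls through to the "not allowed" branch and returns `error_status`; with any non-empty list it is accepted on the first iteration. Whether an empty list can reach this function is not visible here, since only the tail of smb311_capabilities_parse() is in the hunk. If accepting NONE is the intent, make it explicit by hoisting the test ahead of the loop as `if (cipher_algo == SMB2_ENCRYPTION_NONE) { return NT_STATUS_OK; }`. The comment "we'll error out later" would also be more useful if it named where that later check happens, because this function alone lets an unencrypted result through.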