struct {
struct {
+ uint32_t capabilities;
uint16_t security_mode;
struct GUID guid;
} client;
struct {
uint64_t session_id;
uint16_t session_flags;
+ DATA_BLOB application_key;
DATA_BLOB signing_key;
- DATA_BLOB session_key;
bool should_sign;
- bool channel_setup;
+ DATA_BLOB channel_signing_key;
} smb2;
};
DLIST_REMOVE(conn->sessions, conn->sessions);
}
+<<<<<<< HEAD
if (conn->smb1.trans_enc) {
- common_free_encryption_state(&conn->smb1.trans_enc);
+ TALLOC_FREE(conn->smb1.trans_enc);
}
+=======
+>>>>>>> 7efc635... s3-libsmb: Convert struct smb_trans_enc_state to talloc
return 0;
}
const char *remote_name,
enum smb_signing_setting signing_state,
uint32_t smb1_capabilities,
- struct GUID *client_guid)
+ struct GUID *client_guid,
+ uint32_t smb2_capabilities)
{
struct smbXcli_conn *conn = NULL;
void *ss = NULL;
if (client_guid) {
conn->smb2.client.guid = *client_guid;
}
+ conn->smb2.client.capabilities = smb2_capabilities;
conn->smb2.cur_credits = 1;
conn->smb2.max_credits = 0;
}
void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
- struct smb_trans_enc_state *es)
+ struct smb_trans_enc_state **es)
{
/* Replace the old state, if any. */
+<<<<<<< HEAD
if (conn->smb1.trans_enc) {
- common_free_encryption_state(&conn->smb1.trans_enc);
+ TALLOC_FREE(conn->smb1.trans_enc);
}
conn->smb1.trans_enc = es;
+=======
+ TALLOC_FREE(conn->smb1.trans_enc);
+ conn->smb1.trans_enc = talloc_move(conn, es);
+>>>>>>> 7efc635... s3-libsmb: Convert struct smb_trans_enc_state to talloc
}
bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
* No NULL check here, we're shrinking by sizeof(void *), and
* talloc_realloc just adjusts the size for this.
*/
- conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
+ conn->pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
num_pending - 1);
return;
}
uint16_t charge;
uint16_t credits;
uint64_t mid;
- bool should_sign = false;
+ const DATA_BLOB *signing_key = NULL;
if (!tevent_req_is_in_progress(reqs[i])) {
return NT_STATUS_INTERNAL_ERROR;
nbt_len += reqlen;
if (state->session) {
- should_sign = state->session->smb2.should_sign;
- if (state->session->smb2.channel_setup) {
+ bool should_sign = state->session->smb2.should_sign;
+
+ if (opcode == SMB2_OP_SESSSETUP &&
+ state->session->smb2.signing_key.length != 0) {
should_sign = true;
}
+
+ /*
+ * We prefer the channel signing key if it is
+ * already there.
+ */
+ if (should_sign) {
+ signing_key = &state->session->smb2.channel_signing_key;
+ }
+
+ /*
+ * If it is a channel binding, we already have the main
+ * signing key and try that one.
+ */
+ if (signing_key && signing_key->length == 0) {
+ signing_key = &state->session->smb2.signing_key;
+ }
+
+ /*
+ * If we do not have any session key yet, we skip the
+ * signing of SMB2_OP_SESSSETUP requests.
+ */
+ if (signing_key && signing_key->length == 0) {
+ signing_key = NULL;
+ }
}
- if (should_sign) {
+ if (signing_key) {
NTSTATUS status;
- status = smb2_signing_sign_pdu(state->session->smb2.signing_key,
+ status = smb2_signing_sign_pdu(*signing_key,
+ state->session->conn->protocol,
&iov[hdr_iov], num_iov - hdr_iov);
if (!NT_STATUS_IS_OK(status)) {
return status;
if (session) {
should_sign = session->smb2.should_sign;
- if (session->smb2.channel_setup) {
+ if (opcode == SMB2_OP_SESSSETUP &&
+ session->smb2.signing_key.length != 0) {
should_sign = true;
}
}
}
last_session = session;
- signing_key = &session->smb2.signing_key;
+ signing_key = &session->smb2.channel_signing_key;
}
- if ((opcode == SMB2_OP_SESSSETUP) &&
- NT_STATUS_IS_OK(status)) {
+ if (opcode == SMB2_OP_SESSSETUP) {
/*
- * the caller has to check the signing
- * as only the caller knows the correct
- * session key
+ * We prefer the channel signing key, if it is
+ * already there.
+ *
+ * If we do not have a channel signing key yet,
+ * we try the main signing key, if it is not
+ * the final response.
*/
- signing_key = NULL;
+ if (signing_key && signing_key->length == 0 &&
+ !NT_STATUS_IS_OK(status)) {
+ signing_key = &session->smb2.signing_key;
+ }
+
+ if (signing_key && signing_key->length == 0) {
+ /*
+ * If we do not have a session key to
+ * verify the signature, we defer the
+ * signing check to the caller.
+ *
+ * The caller gets NT_STATUS_OK, it
+ * has to call
+ * smb2cli_session_set_session_key()
+ * or
+ * smb2cli_session_set_channel_key()
+ * which will check the signature
+ * with the channel signing key.
+ */
+ signing_key = NULL;
+ }
}
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
* propagate the NT_STATUS_USER_SESSION_DELETED
* status to the caller.
*/
- if (signing_key) {
- signing_key = NULL;
- }
+ signing_key = NULL;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
}
if (signing_key) {
- status = smb2_signing_check_pdu(*signing_key, cur, 3);
+ status = smb2_signing_check_pdu(*signing_key,
+ state->conn->protocol,
+ cur, 3);
if (!NT_STATUS_IS_OK(status)) {
/*
* If the signing check fails, we disconnect
{PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
{PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
{PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
+ {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
};
struct smbXcli_negprot_state {
SSVAL(buf, 2, dialect_count);
SSVAL(buf, 4, state->conn->smb2.client.security_mode);
SSVAL(buf, 6, 0); /* Reserved */
- SSVAL(buf, 8, 0); /* Capabilities */
+ if (state->max_protocol >= PROTOCOL_SMB2_22) {
+ SIVAL(buf, 8, state->conn->smb2.client.capabilities);
+ } else {
+ SIVAL(buf, 8, 0); /* Capabilities */
+ }
if (state->max_protocol >= PROTOCOL_SMB2_10) {
NTSTATUS status;
DATA_BLOB blob;
/*
* send a SMB2 negprot, in order to negotiate
- * the SMB2 dialect. This needs to use the
- * message id 1.
+ * the SMB2 dialect.
*/
- state->conn->smb2.mid = 1;
subreq = smbXcli_negprot_smb2_subreq(state);
if (tevent_req_nomem(subreq, req)) {
return;
substate->smb1.recv_iov = NULL;
}
+ /*
+ * we got an SMB2 answer, which consumed sequence number 0
+ * so we need to use 1 as the next one
+ */
+ conn->smb2.mid = 1;
tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
return session->smb2.session_id;
}
+uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
+{
+ return session->smb2.session_flags;
+}
+
+NTSTATUS smb2cli_session_application_key(struct smbXcli_session *session,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *key)
+{
+ *key = data_blob_null;
+
+ if (session->smb2.application_key.length == 0) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ *key = data_blob_dup_talloc(mem_ctx, session->smb2.application_key);
+ if (key->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
uint64_t session_id,
uint16_t session_flags)
session->smb2.session_flags = session_flags;
}
-NTSTATUS smb2cli_session_update_session_key(struct smbXcli_session *session,
- const DATA_BLOB session_key,
- const struct iovec *recv_iov)
+NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+ const DATA_BLOB _session_key,
+ const struct iovec *recv_iov)
{
struct smbXcli_conn *conn = session->conn;
uint16_t no_sign_flags;
- DATA_BLOB signing_key;
+ uint8_t session_key[16];
NTSTATUS status;
if (conn == NULL) {
return NT_STATUS_OK;
}
- if (session->smb2.signing_key.length > 0) {
- signing_key = session->smb2.signing_key;
- } else {
- signing_key = session_key;
- }
- if (session->smb2.channel_setup) {
- signing_key = session_key;
+ if (session->smb2.signing_key.length != 0) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
}
- status = smb2_signing_check_pdu(signing_key, recv_iov, 3);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ ZERO_STRUCT(session_key);
+ memcpy(session_key, _session_key.data,
+ MIN(_session_key.length, sizeof(session_key)));
+
+ session->smb2.signing_key = data_blob_talloc(session,
+ session_key,
+ sizeof(session_key));
+ if (session->smb2.signing_key.data == NULL) {
+ ZERO_STRUCT(session_key);
+ return NT_STATUS_NO_MEMORY;
}
- if (!session->smb2.channel_setup) {
- session->smb2.session_key = data_blob_dup_talloc(session,
- session_key);
- if (session->smb2.session_key.data == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ if (conn->protocol >= PROTOCOL_SMB2_24) {
+ const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
+ const DATA_BLOB context = data_blob_string_const_null("SmbSign");
+
+ smb2_key_derivation(session_key, sizeof(session_key),
+ label.data, label.length,
+ context.data, context.length,
+ session->smb2.signing_key.data);
}
- if (session->smb2.channel_setup) {
- data_blob_free(&session->smb2.signing_key);
- session->smb2.channel_setup = false;
+ session->smb2.application_key = data_blob_dup_talloc(session,
+ session->smb2.signing_key);
+ if (session->smb2.application_key.data == NULL) {
+ ZERO_STRUCT(session_key);
+ return NT_STATUS_NO_MEMORY;
}
- if (session->smb2.signing_key.length > 0) {
- return NT_STATUS_OK;
+ if (conn->protocol >= PROTOCOL_SMB2_24) {
+ const DATA_BLOB label = data_blob_string_const_null("SMB2APP");
+ const DATA_BLOB context = data_blob_string_const_null("SmbRpc");
+
+ smb2_key_derivation(session_key, sizeof(session_key),
+ label.data, label.length,
+ context.data, context.length,
+ session->smb2.application_key.data);
}
+ ZERO_STRUCT(session_key);
- session->smb2.signing_key = data_blob_dup_talloc(session, signing_key);
- if (session->smb2.signing_key.data == NULL) {
+ session->smb2.channel_signing_key = data_blob_dup_talloc(session,
+ session->smb2.signing_key);
+ if (session->smb2.channel_signing_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ status = smb2_signing_check_pdu(session->smb2.channel_signing_key,
+ session->conn->protocol,
+ recv_iov, 3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
session->smb2.should_sign = false;
if (conn->desire_signing) {
struct smbXcli_session **_session2)
{
struct smbXcli_session *session2;
- uint16_t no_sign_flags;
-
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
-
- if (session1->smb2.session_flags & no_sign_flags) {
- return NT_STATUS_INVALID_PARAMETER_MIX;
- }
-
- if (session1->smb2.session_key.length == 0) {
- return NT_STATUS_INVALID_PARAMETER_MIX;
- }
if (session1->smb2.signing_key.length == 0) {
return NT_STATUS_INVALID_PARAMETER_MIX;
session2->smb2.session_id = session1->smb2.session_id;
session2->smb2.session_flags = session1->smb2.session_flags;
- session2->smb2.session_key = data_blob_dup_talloc(session2,
- session1->smb2.session_key);
- if (session2->smb2.session_key.data == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
session2->smb2.signing_key = data_blob_dup_talloc(session2,
session1->smb2.signing_key);
if (session2->smb2.signing_key.data == NULL) {
}
session2->smb2.should_sign = session1->smb2.should_sign;
- session2->smb2.channel_setup = true;
talloc_set_destructor(session2, smbXcli_session_destructor);
DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
*_session2 = session2;
return NT_STATUS_OK;
}
+
+NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
+ const DATA_BLOB _channel_key,
+ const struct iovec *recv_iov)
+{
+ struct smbXcli_conn *conn = session->conn;
+ uint8_t channel_key[16];
+ NTSTATUS status;
+
+ if (conn == NULL) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ if (session->smb2.channel_signing_key.length != 0) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ ZERO_STRUCT(channel_key);
+ memcpy(channel_key, _channel_key.data,
+ MIN(_channel_key.length, sizeof(channel_key)));
+
+ session->smb2.channel_signing_key = data_blob_talloc(session,
+ channel_key,
+ sizeof(channel_key));
+ if (session->smb2.channel_signing_key.data == NULL) {
+ ZERO_STRUCT(channel_key);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (conn->protocol >= PROTOCOL_SMB2_24) {
+ const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
+ const DATA_BLOB context = data_blob_string_const_null("SmbSign");
+
+ smb2_key_derivation(channel_key, sizeof(channel_key),
+ label.data, label.length,
+ context.data, context.length,
+ session->smb2.channel_signing_key.data);
+ }
+ ZERO_STRUCT(channel_key);
+
+ status = smb2_signing_check_pdu(session->smb2.channel_signing_key,
+ session->conn->protocol,
+ recv_iov, 3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}