From 88ec1aead4c5414a7bbbb555370f2a9eab99acc4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 14 Aug 2008 15:27:22 +1000 Subject: cope with not knowing the kdc key (This used to be commit 7e48dad4c7724f3f11236171a777603574224c42) --- source4/torture/auth/pac.c | 97 ++++++++++++++++++++++++++-------------------- 1 file changed, 56 insertions(+), 41 deletions(-) (limited to 'source4') diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 7fdd7e58bf..4e51c66950 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -279,7 +279,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) struct auth_serversupplied_info *server_info_out; krb5_keyblock server_keyblock; - krb5_keyblock krbtgt_keyblock; + krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p; struct samr_Password *krbtgt_bytes, *krbsrv_bytes; krb5_error_code ret; @@ -309,9 +309,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) /* The krbtgt key in use when the above PAC was generated. * This is an arcfour-hmac-md5 key, extracted with our 'net * samdump' tool. */ - krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); - if (!krbtgt_bytes) { - torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); + if (*pac_kdc_key == 0) { + krbtgt_bytes = NULL; + } else { + krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); + if (!krbtgt_bytes) { + torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); + } } krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key); @@ -329,18 +333,23 @@ static bool torture_pac_saved_check(struct torture_context *tctx) smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - ret = krb5_keyblock_init(smb_krb5_context->krb5_context, - ENCTYPE_ARCFOUR_HMAC, - krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), - &krbtgt_keyblock); - if (ret) { - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &server_keyblock); - torture_fail(tctx, - talloc_asprintf(tctx, - "(saved test) Server Keyblock encoding failed: %s", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); + if (krbtgt_bytes) { + ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), + &krbtgt_keyblock); + if (ret) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) Server Keyblock encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + } + krbtgt_keyblock_p = &krbtgt_keyblock; + } else { + krbtgt_keyblock_p = NULL; } pac_file = torture_setting_string(tctx, "pac_file", NULL); @@ -363,7 +372,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, @@ -379,12 +388,12 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -400,13 +409,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &logon_info, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -424,7 +433,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &server_info_out); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -440,7 +449,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) "S-1-5-21-3048156945-3961193616-3706469200-1005"), server_info_out->account_sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -452,17 +461,25 @@ static bool torture_pac_saved_check(struct torture_context *tctx) dom_sid_string(mem_ctx, server_info_out->account_sid))); } + if (krbtgt_bytes == NULL) { + torture_comment(tctx, "skipping PAC encoding tests as non kdc key\n"); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + return true; + } + ret = kerberos_encode_pac(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), pac_data, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -478,7 +495,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) */ if (tmp_blob.length != validate_blob.length) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -491,7 +508,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -508,14 +525,14 @@ static bool torture_pac_saved_check(struct torture_context *tctx) lp_iconv_convenience(tctx->lp_ctx), server_info_out, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -541,7 +558,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -563,7 +580,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -583,14 +600,14 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime + 1, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -608,7 +625,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, talloc_asprintf(tctx, @@ -621,13 +638,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal"); @@ -641,20 +658,20 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum"); } krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); return true; @@ -666,9 +683,7 @@ struct torture_suite *torture_pac(TALLOC_CTX *mem_ctx) torture_suite_add_simple_test(suite, "self check", torture_pac_self_check); - torture_suite_add_simple_test(suite, "saved check", torture_pac_saved_check); - return suite; } -- cgit From 0eb1840994ec6ddcf11a4ad948cb537e510ca0c7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 14 Aug 2008 15:27:48 +1000 Subject: cope with arbitrary unknown pac buffer types, so when MS adds a new one we don't break our server (This used to be commit 5e08b285319e35afd3a9a6e6f5f59145350f2d80) --- source4/librpc/idl/krb5pac.idl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index 3505fc895c..b450908915 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -70,7 +70,11 @@ interface krb5pac [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum; [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum; [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name; - [case(PAC_TYPE_UNKNOWN_12)] [subcontext(0)] DATA_BLOB_REM unknown; + /* when new PAC info types are added they are supposed to be done + in such a way that they are backwards compatible with existing + servers. This makes it safe to just use a [default] for + unknown types, which lets us ignore the data */ + [default] [subcontext(0)] DATA_BLOB_REM unknown; /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */ } PAC_INFO; -- cgit From 336f6810cec9b30ad497da26ee463ed5736db2bd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 14 Aug 2008 17:26:30 +1000 Subject: expanded the SMB2-CREATE and RAW-OPEN tests to explore more of how the create options fields are supposed to work (This used to be commit 0576875eccaa21ad529c9db41db91781ad400d0f) --- source4/torture/raw/open.c | 35 +++++++++++++++++++++++++++++++++++ source4/torture/smb2/create.c | 40 ++++++++++++++++++++++++++++++++-------- 2 files changed, 67 insertions(+), 8 deletions(-) (limited to 'source4') diff --git a/source4/torture/raw/open.c b/source4/torture/raw/open.c index b6979fa0d9..39ff443ccd 100644 --- a/source4/torture/raw/open.c +++ b/source4/torture/raw/open.c @@ -844,6 +844,7 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context int fnum = -1; bool ret = true; int i; + uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; struct { uint32_t open_disp; bool with_file; @@ -982,6 +983,10 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context } io.ntcreatex.in.create_options = create_option; status = smb_raw_open(cli->tree, tctx, &io); + if (!NT_STATUS_IS_OK(status)) { + printf("ntcreatex create option 0x%08x gave %s - should give NT_STATUS_OK\n", + create_option, nt_errstr(status)); + } CHECK_STATUS(status, NT_STATUS_OK); fnum = io.ntcreatex.out.file.fnum; @@ -999,6 +1004,36 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context smbcli_close(cli->tree, fnum); } + ok_mask = not_supported_mask = invalid_parameter_mask = 0; + + io.ntcreatex.in.file_attr = 0; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF; + io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + + /* Check for options that should return NOT_SUPPORTED, OK or INVALID_PARAMETER */ + for (i=0; i < 32; i++) { + uint32_t create_option = 1<tree, tctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + not_supported_mask |= create_option; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) { + ok_mask |= create_option; + smbcli_close(cli->tree, io.ntcreatex.out.file.fnum); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + invalid_parameter_mask |= create_option; + } else { + printf("create option 0x%08x returned %s\n", create_option, nt_errstr(status)); + } + } + + CHECK_VAL(ok_mask, 0x00efcfce); + CHECK_VAL(not_supported_mask, 0x00002000); + CHECK_VAL(invalid_parameter_mask, 0xff100030); + smbcli_unlink(cli->tree, fname); diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c index c23ff8b8ce..744c5d2b6c 100644 --- a/source4/torture/smb2/create.c +++ b/source4/torture/smb2/create.c @@ -53,6 +53,7 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_new(tree); uint32_t access_mask, file_attributes, file_attributes_set, denied_mask; + uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; union smb_fileinfo q; ZERO_STRUCT(io); @@ -76,14 +77,6 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre status = smb2_create(tree, tmp_ctx, &io); CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); - io.in.create_options = 0x00100000; - status = smb2_create(tree, tmp_ctx, &io); - CHECK_STATUS(status, NT_STATUS_NOT_SUPPORTED); - - io.in.create_options = 0xF0100000; - status = smb2_create(tree, tmp_ctx, &io); - CHECK_STATUS(status, NT_STATUS_NOT_SUPPORTED); - io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_DEVICE; @@ -108,6 +101,37 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre status = smb2_create(tree, tmp_ctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); + io.in.file_attributes = 0; + io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; + io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; + ok_mask = not_supported_mask = invalid_parameter_mask = 0; + { + int i; + for (i=0;i<32;i++) { + io.in.create_options = 1< Date: Wed, 13 Aug 2008 16:53:13 +0200 Subject: NBT-WINSREPLICATION: be more robust to timing errors Also reenable disabled tests. metze (This used to be commit 76878a9c798e0acb0387b8352972d66db989c09a) --- source4/torture/nbt/winsreplication.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4') diff --git a/source4/torture/nbt/winsreplication.c b/source4/torture/nbt/winsreplication.c index ee7a1510d5..6b600bd7cd 100644 --- a/source4/torture/nbt/winsreplication.c +++ b/source4/torture/nbt/winsreplication.c @@ -6701,7 +6701,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, /* * unique vs. unique section */ -#if METZE_NEEDS_TO_LOOK_AT_THIS_ONE /* * unique,active vs. unique,active with same ip(s), unchecked */ @@ -6728,7 +6727,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .apply_expected = true }, }, -#endif /* * unique,active vs. unique,active with different ip(s), positive response */ @@ -8967,7 +8965,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .sgroup_merge = true }, }, -#if 0 /* * sgroup,active vs. sgroup,active with same ip(s) */ @@ -9157,7 +9154,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .apply_expected = false }, }, -#endif }; if (!ctx->nbtsock_srv) { @@ -9543,7 +9539,9 @@ static void test_conflict_owned_active_vs_replica_handler_query(struct nbt_name_ talloc_free(rep_packet); /* make sure we push the reply to the wire */ - event_loop_once(nbtsock->event_ctx); + while (nbtsock->send_queue) { + event_loop_once(nbtsock->event_ctx); + } msleep(1000); rec->defend.timeout = 0; @@ -9598,7 +9596,9 @@ static void test_conflict_owned_active_vs_replica_handler_release( talloc_free(rep_packet); /* make sure we push the reply to the wire */ - event_loop_once(nbtsock->event_ctx); + while (nbtsock->send_queue) { + event_loop_once(nbtsock->event_ctx); + } msleep(1000); rec->defend.timeout = 0; -- cgit From 150d7a16236732abfe23082bdeef62d8e36beeb4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 16:58:12 +0200 Subject: pidl: fix samba4.pidl.samba3-cli test metze (This used to be commit 0449a5c8267873d7986c7c50adce57029192c456) --- source4/pidl/tests/samba3-cli.pl | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4') diff --git a/source4/pidl/tests/samba3-cli.pl b/source4/pidl/tests/samba3-cli.pl index 80725d28cf..d762954159 100755 --- a/source4/pidl/tests/samba3-cli.pl +++ b/source4/pidl/tests/samba3-cli.pl @@ -44,7 +44,6 @@ is($x->{res}, status = cli_do_rpc_ndr(cli, mem_ctx, - PI_FOO, &ndr_table_foo, NDR_BAR, &r); @@ -89,7 +88,6 @@ is($x->{res}, status = cli_do_rpc_ndr(cli, mem_ctx, - PI_FOO, &ndr_table_foo, NDR_BAR, &r); -- cgit From be0a45d865dbb78c0a82e6bcebebbbbdb4ecb2d1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 09:42:27 +0200 Subject: libcli/smb2: async replies with STATUS_PENDING are not signed metze (This used to be commit 3f6cbece4a199a42ad6583ea4bd4302629399625) --- source4/libcli/smb2/transport.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) (limited to 'source4') diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c index d9691bec7c..b946a102c8 100644 --- a/source4/libcli/smb2/transport.c +++ b/source4/libcli/smb2/transport.c @@ -235,6 +235,17 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob) req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE); req->status = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS)); + if ((flags & SMB2_HDR_FLAG_ASYNC) && + NT_STATUS_EQUAL(req->status, STATUS_PENDING)) { + req->cancel.can_cancel = true; + req->cancel.pending_id = IVAL(hdr, SMB2_HDR_PID); + for (i=0; i< req->cancel.do_cancel; i++) { + smb2_cancel(req); + } + talloc_free(buffer); + return NT_STATUS_OK; + } + if (req->session && req->session->signing_active) { status = smb2_check_signature(&req->in, req->session->session_key); @@ -244,19 +255,6 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob) return status; } } - - - if (NT_STATUS_EQUAL(req->status, STATUS_PENDING)) { - if (flags & 0x00000002) { - req->cancel.can_cancel = true; - req->cancel.pending_id = IVAL(hdr, SMB2_HDR_PID); - for (i=0; i< req->cancel.do_cancel; i++) { - smb2_cancel(req); - } - } - talloc_free(buffer); - return NT_STATUS_OK; - } buffer_code = SVAL(req->in.body, 0); req->in.body_fixed = (buffer_code & ~1); -- cgit From be92e7fc11c9ee55beacf8c6cc019539d3d7c486 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 09:44:06 +0200 Subject: libcli/smb2: we don't need check the same thing twice... metze (This used to be commit 1380fb954a7d9d4b543c4650a060fef9f357af7b) --- source4/libcli/smb2/signing.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source4') diff --git a/source4/libcli/smb2/signing.c b/source4/libcli/smb2/signing.c index 0d655d1a86..de9e1e9d29 100644 --- a/source4/libcli/smb2/signing.c +++ b/source4/libcli/smb2/signing.c @@ -94,12 +94,6 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session return NT_STATUS_OK; } - if (session_key.length == 0) { - DEBUG(2,("Wrong session key length %u for SMB2 signing\n", - (unsigned)session_key.length)); - return NT_STATUS_ACCESS_DENIED; - } - memcpy(sig, buf->hdr+SMB2_HDR_SIGNATURE, 16); memset(buf->hdr + SMB2_HDR_SIGNATURE, 0, 16); -- cgit From f086e796d6a933b95e36f5638b39ee261fb6a784 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 15:19:01 +0200 Subject: libcli/smb2: use smb2 signing in auto mode if the server supports it metze (This used to be commit fe74faf13dc64eaa58d757de156aedcb24abed1f) --- source4/libcli/smb2/connect.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c index c89c109b72..43151943d3 100644 --- a/source4/libcli/smb2/connect.c +++ b/source4/libcli/smb2/connect.c @@ -115,13 +115,19 @@ static void continue_negprot(struct smb2_request *req) transport->signing_required = false; break; case SMB_SIGNING_SUPPORTED: - case SMB_SIGNING_AUTO: if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) { transport->signing_required = true; } else { transport->signing_required = false; } break; + case SMB_SIGNING_AUTO: + if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) { + transport->signing_required = true; + } else { + transport->signing_required = false; + } + break; case SMB_SIGNING_REQUIRED: if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) { transport->signing_required = true; -- cgit From 4a214dba301474c48f2ae45194b0e363440ee01d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 09:45:44 +0200 Subject: smb2srv: use defines instead of hex values metze (This used to be commit 7c4abf6614c47471ae005a12abe27d85890d867f) --- source4/smb_server/smb2/receive.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4') diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c index cfd6c1d01a..007125c4c4 100644 --- a/source4/smb_server/smb2/receive.c +++ b/source4/smb_server/smb2/receive.c @@ -79,12 +79,12 @@ struct smb2srv_request *smb2srv_init_request(struct smbsrv_connection *smb_conn) NTSTATUS smb2srv_setup_reply(struct smb2srv_request *req, uint16_t body_fixed_size, bool body_dynamic_present, uint32_t body_dynamic_size) { - uint32_t flags = 0x00000001; + uint32_t flags = SMB2_HDR_FLAG_REDIRECT; uint32_t pid = IVAL(req->in.hdr, SMB2_HDR_PID); uint32_t tid = IVAL(req->in.hdr, SMB2_HDR_TID); if (req->pending_id) { - flags |= 0x00000002; + flags |= SMB2_HDR_FLAG_ASYNC; pid = req->pending_id; tid = 0; } @@ -545,7 +545,7 @@ void smb2srv_cancel_recv(struct smb2srv_request *req) flags = IVAL(req->in.hdr, SMB2_HDR_FLAGS); pending_id = IVAL(req->in.hdr, SMB2_HDR_PID); - if (!(flags & 0x00000002)) { + if (!(flags & SMB2_HDR_FLAG_ASYNC)) { /* TODO: what to do here? */ goto done; } -- cgit From 0294c678c0665e675673ff477df26fddd8ed53dd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 15:20:18 +0200 Subject: smb2srv: sign replies when the request was also signed metze (This used to be commit dd2f4f7a491debcc30e590f571272afd99e52940) --- source4/smb_server/smb2/receive.c | 9 ++------- source4/smb_server/smb2/smb2_server.h | 2 ++ 2 files changed, 4 insertions(+), 7 deletions(-) (limited to 'source4') diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c index 007125c4c4..bcc91e4ee3 100644 --- a/source4/smb_server/smb2/receive.c +++ b/source4/smb_server/smb2/receive.c @@ -236,7 +236,7 @@ void smb2srv_send_reply(struct smb2srv_request *req) } /* if signing is active on the session then sign the packet */ - if (req->session && req->session->smb2_signing.active) { + if (req->is_signed) { status = smb2_sign_message(&req->out, req->session->session_info->session_key); if (!NT_STATUS_IS_OK(status)) { @@ -310,12 +310,7 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req) if (!req->session) goto nosession; - if (!req->session->smb2_signing.active) { - /* TODO: workout the correct error code */ - smb2srv_send_error(req, NT_STATUS_FOOBAR); - return NT_STATUS_OK; - } - + req->is_signed = true; status = smb2_check_signature(&req->in, req->session->session_info->session_key); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/smb_server/smb2/smb2_server.h b/source4/smb_server/smb2/smb2_server.h index ae4abbd71e..d45e0861af 100644 --- a/source4/smb_server/smb2/smb2_server.h +++ b/source4/smb_server/smb2/smb2_server.h @@ -62,6 +62,8 @@ struct smb2srv_request { uint8_t _chained_file_handle[16]; uint8_t *chained_file_handle; + bool is_signed; + struct smb2_request_buffer in; struct smb2_request_buffer out; }; -- cgit From 2a36568129877273f6c559bd5c3bdb8f2efef8c7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 09:48:44 +0200 Subject: smb2srv: async replies with STATUS_PENDING are not signed ..., but the they may have the sign flag set. metze (This used to be commit 43e43dead030f6bffd06631007fdb162c3c6b2b5) --- source4/smb_server/smb2/receive.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c index bcc91e4ee3..1fe6f0b877 100644 --- a/source4/smb_server/smb2/receive.c +++ b/source4/smb_server/smb2/receive.c @@ -506,6 +506,8 @@ static NTSTATUS smb2srv_init_pending(struct smbsrv_connection *smb_conn) NTSTATUS smb2srv_queue_pending(struct smb2srv_request *req) { + NTSTATUS status; + bool signing_used = false; int id; if (req->pending_id) { @@ -521,10 +523,35 @@ NTSTATUS smb2srv_queue_pending(struct smb2srv_request *req) DLIST_ADD_END(req->smb_conn->requests2.list, req, struct smb2srv_request *); req->pending_id = id; + if (req->smb_conn->connection->event.fde == NULL) { + /* the socket has been destroyed - no point trying to send an error! */ + return NT_STATUS_REMOTE_DISCONNECT; + } + talloc_set_destructor(req, smb2srv_request_deny_destructor); - smb2srv_send_error(req, STATUS_PENDING); - talloc_set_destructor(req, smb2srv_request_destructor); + status = smb2srv_setup_reply(req, 8, true, 0); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + SIVAL(req->out.hdr, SMB2_HDR_STATUS, NT_STATUS_V(STATUS_PENDING)); + + SSVAL(req->out.body, 0x02, 0); + SIVAL(req->out.body, 0x04, 0); + + /* if the real reply will be signed set the signed flags, but don't sign */ + if (req->is_signed) { + SIVAL(req->out.hdr, SMB2_HDR_FLAGS, IVAL(req->out.hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED); + signing_used = req->is_signed; + req->is_signed = false; + } + + smb2srv_send_reply(req); + + req->is_signed = signing_used; + + talloc_set_destructor(req, smb2srv_request_destructor); return NT_STATUS_OK; } -- cgit From dbcdbb33485b034b48b32e4801a538bbc239d1c2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 12:44:25 +0200 Subject: libcli/raw: fix the special NTCREATE_OPTIONS_*_MASK values We now reuse ignored values for the ntvfs backend private flags. metze (This used to be commit 14eda93aeface307e1ffd1ea012d8f236fa78290) --- source4/libcli/raw/smb.h | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'source4') diff --git a/source4/libcli/raw/smb.h b/source4/libcli/raw/smb.h index 8663792f78..d4091acf48 100644 --- a/source4/libcli/raw/smb.h +++ b/source4/libcli/raw/smb.h @@ -167,17 +167,30 @@ #define NTCREATEX_OPTIONS_NO_RECALL 0x00400000 /* Must be ignored by the server, per MS-SMB 2.2.8 */ #define NTCREATEX_OPTIONS_FREE_SPACE_QUERY 0x00800000 -/* create options these bits are for private use by backends, they are - not valid on the wire */ -#define NTCREATEX_OPTIONS_PRIVATE_MASK 0xFF000000 -#define NTCREATEX_OPTIONS_PRIVATE_DENY_DOS 0x01000000 -#define NTCREATEX_OPTIONS_PRIVATE_DENY_FCB 0x02000000 -#define NTCREATEX_OPTIONS_MUST_IGNORE_MASK ( NTCREATEX_OPTIONS_TREE_CONNECTION | NTCREATEX_OPTIONS_COMPLETE_IF_OPLOCKED | NTCREATEX_OPTIONS_OPEN_FOR_RECOVERY | NTCREATEX_OPTIONS_FREE_SPACE_QUERY | NTCREATEX_OPTIONS_OPFILTER ) +#define NTCREATEX_OPTIONS_MUST_IGNORE_MASK (NTCREATEX_OPTIONS_TREE_CONNECTION | \ + NTCREATEX_OPTIONS_OPEN_FOR_RECOVERY | \ + NTCREATEX_OPTIONS_FREE_SPACE_QUERY | \ + 0x000F0000) -#define NTCREATEX_OPTIONS_NOT_SUPPORTED_MASK (0x000F0000 | NTCREATEX_OPTIONS_OPEN_BY_FILE_ID) +#define NTCREATEX_OPTIONS_NOT_SUPPORTED_MASK (NTCREATEX_OPTIONS_OPEN_BY_FILE_ID) +#define NTCREATEX_OPTIONS_INVALID_PARAM_MASK (NTCREATEX_OPTIONS_OPFILTER | \ + NTCREATEX_OPTIONS_SYNC_ALERT | \ + NTCREATEX_OPTIONS_ASYNC_ALERT | \ + NTCREATEX_OPTIONS_OPFILTER | \ + 0xFF000000) +/* + * We reuse some ignored flags for private use. + * This values have different meaning for some ntvfs backends. + * + * TODO: use values that are ignore for sure... + */ +#define NTCREATEX_OPTIONS_PRIVATE_DENY_DOS 0x00010000 +#define NTCREATEX_OPTIONS_PRIVATE_DENY_FCB 0x00020000 +#define NTCREATEX_OPTIONS_PRIVATE_MASK (NTCREATEX_OPTIONS_PRIVATE_DENY_DOS | \ + NTCREATEX_OPTIONS_PRIVATE_DENY_FCB) /* ntcreatex impersonation field */ #define NTCREATEX_IMPERSONATION_ANONYMOUS 0 -- cgit From cc60d5a0320f824f7dc7b8abbe9cb0ccd668dda2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 12:37:31 +0200 Subject: pvfs: fix handling of create_option flags metze (This used to be commit 3c6cadf76861d6522c5ec41953df1ba2fac4910d) --- source4/ntvfs/posix/pvfs_open.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c index 6114b2052c..c127885a68 100644 --- a/source4/ntvfs/posix/pvfs_open.c +++ b/source4/ntvfs/posix/pvfs_open.c @@ -1181,6 +1181,7 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, int fd; struct odb_lock *lck; uint32_t create_options; + uint32_t create_options_must_ignore_mask; uint32_t share_access; uint32_t access_mask; uint32_t create_action = NTCREATEX_ACTION_EXISTED; @@ -1206,13 +1207,22 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs, return NT_STATUS_INVALID_PARAMETER; } - /* These options are ignored */ - create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK; + /* + * These options are ignored, + * but we reuse some of them as private values for the generic mapping + */ + create_options_must_ignore_mask = NTCREATEX_OPTIONS_MUST_IGNORE_MASK; + create_options_must_ignore_mask &= ~NTCREATEX_OPTIONS_PRIVATE_MASK; + create_options &= ~create_options_must_ignore_mask; if (create_options & NTCREATEX_OPTIONS_NOT_SUPPORTED_MASK) { return NT_STATUS_NOT_SUPPORTED; } + if (create_options & NTCREATEX_OPTIONS_INVALID_PARAM_MASK) { + return NT_STATUS_INVALID_PARAMETER; + } + /* TODO: When we implement HSM, add a hook here not to pull * the actual file off tape, when this option is passed from * the client */ -- cgit From 2a336a63d704b1a5cf8e9a2961f48285081256ac Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 12:48:37 +0200 Subject: libcli/smb2: add SMB2_CREATE_OPTIONS_NOT_SUPPORTED_MASK SMB2 returns NOT_SUPPORTED to some more NTCREATE_OPTIONS. metze (This used to be commit 3ea08d430370717463ffab44fed9c42db1002d97) --- source4/libcli/smb2/smb2.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h index 5d6341a15b..f00107de60 100644 --- a/source4/libcli/smb2/smb2.h +++ b/source4/libcli/smb2/smb2.h @@ -276,7 +276,9 @@ struct smb2_request { #define SMB2_CREATE_TAG_TWRP "TWrp" #define SMB2_CREATE_TAG_QFID "QFid" - +/* SMB2 Create ignore some more create_options */ +#define SMB2_CREATE_OPTIONS_NOT_SUPPORTED_MASK (NTCREATEX_OPTIONS_TREE_CONNECTION | \ + NTCREATEX_OPTIONS_OPFILTER) /* check that a body has the expected size -- cgit From 548ed8d9586bbf9504bec5064a14893f5827b0e4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 09:52:45 +0200 Subject: ntvfs_generic: fix handling of create_options for SMB2 metze (This used to be commit cbd585d2a1e179615eba773cb07385524369c686) --- source4/ntvfs/ntvfs_generic.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'source4') diff --git a/source4/ntvfs/ntvfs_generic.c b/source4/ntvfs/ntvfs_generic.c index 4f3a7e2198..c34bb7125e 100644 --- a/source4/ntvfs/ntvfs_generic.c +++ b/source4/ntvfs/ntvfs_generic.c @@ -532,16 +532,14 @@ NTSTATUS ntvfs_map_open(struct ntvfs_module_context *ntvfs, } /* we need to check these bits before we check the private mask */ - if (io2->generic.in.create_options & NTCREATEX_OPTIONS_NOT_SUPPORTED_MASK) { + if (io2->generic.in.create_options & SMB2_CREATE_OPTIONS_NOT_SUPPORTED_MASK) { status = NT_STATUS_NOT_SUPPORTED; break; } - /* we use a couple of bits of the create options internally */ - if (io2->generic.in.create_options & NTCREATEX_OPTIONS_PRIVATE_MASK) { - status = NT_STATUS_INVALID_PARAMETER; - break; - } + /* TODO: find out why only SMB2 ignores these */ + io2->generic.in.create_options &= ~NTCREATEX_OPTIONS_SYNC_ALERT; + io2->generic.in.create_options &= ~NTCREATEX_OPTIONS_ASYNC_ALERT; status = ntvfs->ops->open(ntvfs, req, io2); break; -- cgit From 80f2f10839521a873c37e6000d14ce2df2690f7a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 09:54:22 +0200 Subject: SMB2-CREATE: be more strict in error checking metze (This used to be commit d7d4df78c1de19d0cd7a63daaa2fa0863a243a12) --- source4/torture/smb2/create.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c index 744c5d2b6c..6edacbfd07 100644 --- a/source4/torture/smb2/create.c +++ b/source4/torture/smb2/create.c @@ -54,6 +54,7 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre TALLOC_CTX *tmp_ctx = talloc_new(tree); uint32_t access_mask, file_attributes, file_attributes_set, denied_mask; uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; + uint32_t not_a_directory_mask, unexpected_mask; union smb_fileinfo q; ZERO_STRUCT(io); @@ -104,7 +105,11 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre io.in.file_attributes = 0; io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; - ok_mask = not_supported_mask = invalid_parameter_mask = 0; + ok_mask = 0; + not_supported_mask = 0; + invalid_parameter_mask = 0; + not_a_directory_mask = 0; + unexpected_mask = 0; { int i; for (i=0;i<32;i++) { @@ -117,11 +122,14 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre not_supported_mask |= 1< Date: Thu, 14 Aug 2008 09:54:51 +0200 Subject: SMB2-CREATE: be more strict in checking file attributes metze (This used to be commit ba9d0f6b3c60346df757e7c4c3f5704c0bf26d11) --- source4/torture/smb2/create.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) (limited to 'source4') diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c index 6edacbfd07..a8effca396 100644 --- a/source4/torture/smb2/create.c +++ b/source4/torture/smb2/create.c @@ -52,7 +52,7 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre struct smb2_create io; NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_new(tree); - uint32_t access_mask, file_attributes, file_attributes_set, denied_mask; + uint32_t access_mask, file_attributes_set; uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; uint32_t not_a_directory_mask, unexpected_mask; union smb_fileinfo q; @@ -166,9 +166,10 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; io.in.file_attributes = 0; - file_attributes = 0; + ok_mask = 0; + invalid_parameter_mask = 0; + unexpected_mask = 0; file_attributes_set = 0; - denied_mask = 0; { int i; for (i=0;i<32;i++) { @@ -176,21 +177,28 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre smb2_deltree(tree, FNAME); status = smb2_create(tree, tmp_ctx, &io); if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - file_attributes |= io.in.file_attributes; - } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - denied_mask |= io.in.file_attributes; - } else { - CHECK_STATUS(status, NT_STATUS_OK); + invalid_parameter_mask |= 1< Date: Thu, 14 Aug 2008 13:12:07 +0200 Subject: SMB2-CREATE: add a special test for FILE_ATTRIBUTE_ENCRYPTED Some standalone server (and samba4) doesn't support this. metze (This used to be commit 6d8fd4c0089d7e632ec91027a77321aca8c6acc7) --- source4/torture/smb2/create.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c index a8effca396..4d1b4a7ed0 100644 --- a/source4/torture/smb2/create.c +++ b/source4/torture/smb2/create.c @@ -174,6 +174,9 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre int i; for (i=0;i<32;i++) { io.in.file_attributes = 1< Date: Wed, 13 Aug 2008 07:18:35 +0200 Subject: gensec_gssapi: only cache the session key in STAGE_DONE The key may change because we switch from initiator to acceptor subkey. metze (This used to be commit 66244092a457b2cde6339cb31dcfa73b122ba9b5) --- source4/auth/gensec/gensec_gssapi.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source4') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 0df40dc82f..20d08078be 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1236,12 +1236,16 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_NO_USER_SESSION_KEY; } - DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(subkey))); - gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); + DEBUG(10, ("Got KRB5 session key of length %d%s\n", + (int)KRB5_KEY_LENGTH(subkey), + (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":"")); + *session_key = data_blob_talloc(gensec_gssapi_state, + KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey); - *session_key = gensec_gssapi_state->session_key; + if (gensec_gssapi_state->sasl_state == STAGE_DONE) { + /* only cache in the done stage */ + gensec_gssapi_state->session_key = *session_key; + } dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); return NT_STATUS_OK; -- cgit From 69d074af81e57c67ee85314c2b5f7a642844ae88 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 09:52:20 +0200 Subject: gsskrb5: always return an acceptor subkey For non cfx keys it's the same as the intiator subkey. This matches windows behavior. metze (This used to be commit 6a8b07c39558f240b89e833ecba15d8b9fc020e8) --- .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'source4') diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index 8dbd087da6..a6f0f31246 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -520,16 +520,30 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, if(ctx->flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; + int use_subkey = 0; _gsskrb5i_is_cfx(ctx, &is_cfx); if (is_cfx != 0 || (ap_options & AP_OPTS_USE_SUBKEY)) { - kret = krb5_auth_con_addflags(context, - ctx->auth_context, - KRB5_AUTH_CONTEXT_USE_SUBKEY, - NULL); + use_subkey = 1; + } else { + krb5_keyblock *rkey; + kret = krb5_auth_con_getremotesubkey(context, ctx->auth_context, &rkey); + if (kret == 0) { + kret = krb5_auth_con_setlocalsubkey(context, ctx->auth_context, rkey); + if (kret == 0) { + use_subkey = 1; + } + krb5_free_keyblock(context, rkey); + } + } + if (use_subkey) { ctx->more_flags |= ACCEPTOR_SUBKEY; + krb5_auth_con_addflags(context, + ctx->auth_context, + KRB5_AUTH_CONTEXT_USE_SUBKEY, + NULL); } kret = krb5_mk_rep(context, -- cgit From e75f1072b6c3735690d7b20682036b8bc5977dc5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 13 Aug 2008 07:22:36 +0200 Subject: Revert "krb5: always generate the acceptor subkey as the same enctype as the used service key" This reverts commit dbb94133e0313cae933d261af0bf1210807a6d11. As we fixed gensec_gssapi to only return a session key when it's have the correct session key, this hack isn't needed anymore. metze (This used to be commit 697cd1896bccaa55ee422f17d9312d787ca699ed) --- source4/heimdal/lib/krb5/rd_req.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source4') diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index e80aaa6789..ddf1f69ae4 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -463,8 +463,6 @@ krb5_verify_ap_req2(krb5_context context, ac->keytype = ETYPE_NULL; -#if 0 -/* it's bad to use a different enctype as the client */ if (etypes.val) { int i; @@ -475,7 +473,6 @@ krb5_verify_ap_req2(krb5_context context, } } } -#endif /* save key */ ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); -- cgit From c1c6c1b609ab57186dab7b13c56bfe4475a733f7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Aug 2008 15:14:53 +0200 Subject: RAW-OPEN: be more strict in create_option checking metze (This used to be commit d548f5dee5980eae0aea25f1314238eb4f963568) --- source4/torture/raw/open.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/torture/raw/open.c b/source4/torture/raw/open.c index 39ff443ccd..f3494ea3d0 100644 --- a/source4/torture/raw/open.c +++ b/source4/torture/raw/open.c @@ -845,6 +845,7 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context bool ret = true; int i; uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; + uint32_t not_a_directory_mask, unexpected_mask; struct { uint32_t open_disp; bool with_file; @@ -1004,13 +1005,16 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context smbcli_close(cli->tree, fnum); } - ok_mask = not_supported_mask = invalid_parameter_mask = 0; - io.ntcreatex.in.file_attr = 0; io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF; io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; /* Check for options that should return NOT_SUPPORTED, OK or INVALID_PARAMETER */ + ok_mask = 0; + not_supported_mask = 0; + invalid_parameter_mask = 0; + not_a_directory_mask = 0; + unexpected_mask = 0; for (i=0; i < 32; i++) { uint32_t create_option = 1<tree, io.ntcreatex.out.file.fnum); } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { invalid_parameter_mask |= create_option; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_A_DIRECTORY)) { + not_a_directory_mask |= 1<tree, fname); -- cgit