From 9885da4b6645465a3b9020f5d430892c949a8254 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 17 Aug 2018 11:35:41 +0200 Subject: smb2_server: set req->do_encryption = true earlier The STATUS_SESSION_EXPIRED error was returned unencrypted, if the request was encrypted. If clients use SMB3 encryption and the kerberos authenticated session expires, clients disconnect the connection instead of doing a reauthentication. From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/ The sender encrypts the message if any of the following conditions is satisfied: - If the sender is sending a response to an encrypted request. - If Session.EncryptData is TRUE and the request or response being sent is not NEGOTIATE. - If Session.EncryptData is FALSE, the request or response being sent is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and .EncryptData is TRUE. [MS-SMB2] 3.3.4.1.4 Encrypting the Message If Connection.Dialect belongs to the SMB 3.x dialect family and Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST encrypt the message before sending, if any of the following conditions are satisfied: - If the message being sent is any response to a client request for which Request.IsEncrypted is TRUE. - If Session.EncryptData is TRUE and the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP. - If Session.EncryptData is FALSE, the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and Share.EncryptData for the share associated with the TreeId in the SMB2 header of the response is TRUE. The server MUST encrypt the message as specified in section 3.1.4.3, before sending it to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144 (cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Oct 10 15:51:31 CEST 2018 on sn-devel-144 --- selftest/knownfail.d/session-expire | 2 -- source3/smbd/smb2_server.c | 15 ++++++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) delete mode 100644 selftest/knownfail.d/session-expire diff --git a/selftest/knownfail.d/session-expire b/selftest/knownfail.d/session-expire deleted file mode 100644 index 033564afb58..00000000000 --- a/selftest/knownfail.d/session-expire +++ /dev/null @@ -1,2 +0,0 @@ -^samba3.smb2.session krb5.expire1e -^samba3.smb2.session krb5.expire2e diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 177e5ffc2f2..af065e9e43f 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2364,7 +2364,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) req->async_internal = false; req->do_signing = false; - req->do_encryption = false; + if (opcode != SMB2_OP_SESSSETUP) { + req->do_encryption = encryption_desired; + } else { + req->do_encryption = false; + } req->was_encrypted = false; if (intf_v->iov_len == SMB2_TF_HDR_SIZE) { const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req); @@ -2388,9 +2392,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) } req->was_encrypted = true; + req->do_encryption = true; } if (encryption_required && !req->was_encrypted) { + req->do_encryption = true; return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); } @@ -2526,15 +2532,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) encryption_required = true; } if (encryption_required && !req->was_encrypted) { + req->do_encryption = true; return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); + } else if (encryption_desired) { + req->do_encryption = true; } } - if (req->was_encrypted || encryption_desired) { - req->do_encryption = true; - } - if (req->session) { bool update_session_global = false; bool update_tcon_global = false; -- cgit v1.2.1