From: Volker Lendecke
Date: Mon, 4 Aug 2025 12:59:15 +0000 (+0200)
Subject: libcli: Add tls_verify_peer_state to smbXcli_transport
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd15054462b12904c3c7583dbf5d01c7e82eec0d;p=thirdparty%2Fsamba.git
libcli: Add tls_verify_peer_state to smbXcli_transport
We have to carry a copy over from the tstream_tls_params used to connect, we can't get this information out once the tls-protected tstream is established
Signed-off-by: Volker Lendecke
Reviewed-by: Ralph Boehme
---
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c15dfa34021..8a9c97bfd67 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -51,6 +51,7 @@ struct smbXcli_transport {
 struct smb_transport transport;
 int sock_fd;
 struct tstream_context *tstream;
+ enum tls_verify_peer_state verify_peer;
 struct samba_sockaddr laddr;
 struct samba_sockaddr raddr;
@@ -423,11 +424,13 @@ static int smbXcli_transport_tstream_monitor_recv(struct tevent_req *req)
 return sys_errno;
 }
-struct smbXcli_transport *smbXcli_transport_tstream(TALLOC_CTX *mem_ctx,
- struct tstream_context **pstream,
- const struct samba_sockaddr *laddr,
- const struct samba_sockaddr *raddr,
- const struct smb_transport *tp)
+struct smbXcli_transport *smbXcli_transport_tstream(
+ TALLOC_CTX *mem_ctx,
+ struct tstream_context **pstream,
+ enum tls_verify_peer_state verify_peer,
+ const struct samba_sockaddr *laddr,
+ const struct samba_sockaddr *raddr,
+ const struct smb_transport *tp)
 {
 struct smbXcli_transport *xtp = NULL;
@@ -438,6 +441,7 @@ struct smbXcli_transport *smbXcli_transport_tstream(TALLOC_CTX *mem_ctx,
 xtp->transport = *tp;
 xtp->sock_fd = -1;
+ xtp->verify_peer = verify_peer;
 xtp->laddr = *laddr;
 xtp->raddr = *raddr;
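Review bot: The new `verify_peer` member added to `struct smbXcli_transport` in the first hunk carries no comment, and nothing in the code says what the value means for a transport that was never set up over TLS (the struct definition starts and ends outside the hunk). The commit message explains the field is a copy taken at connect time because the TLS tstream cannot report it later; that rationale belongs next to the field, e.g. `/* Copied from the tstream_tls_params used at connect time; the TLS tstream cannot report it afterwards. Only meaningful when the transport is TLS-protected. */`. Without it a later reader may take `TLS_VERIFY_PEER_NO_CHECK` for a policy decision rather than the placeholder the plaintext callers in smbsock_connect.c and the torture tests pass in.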
@@ -508,9 +512,11 @@ static int smbXcli_transport_bsd_monitor_recv(struct tevent_req *req)
 return wait_for_error_recv(req);
 }
-struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX *mem_ctx,
- int *_fd,
- const struct smb_transport *tp)
+struct smbXcli_transport *smbXcli_transport_bsd(
+ TALLOC_CTX *mem_ctx,
+ int *_fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp)
 {
 struct smbXcli_transport *xtp = NULL;
 int fd = *_fd;
@@ -523,6 +529,7 @@ struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX *mem_ctx,
 xtp->transport = *tp;
 xtp->sock_fd = fd;
+ xtp->verify_peer = verify_peer;
 xtp->laddr.sa_socklen = sizeof(xtp->laddr.u);
 ret = getsockname(fd, &xtp->laddr.u.sa, &xtp->laddr.sa_socklen);
@@ -557,9 +564,10 @@ struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX *mem_ctx,
 }
 struct smbXcli_transport *smbXcli_transport_bsd_tstream(
- TALLOC_CTX *mem_ctx,
- int *fd,
- const struct smb_transport *tp)
+ TALLOC_CTX *mem_ctx,
+ int *fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp)
 {
 struct samba_sockaddr laddr = {
 .sa_socklen = sizeof(struct sockaddr_storage),
@@ -593,7 +601,8 @@ struct smbXcli_transport *smbXcli_transport_bsd_tstream(
 *fd = -1;
 tstream_bsd_optimize_readv(tstream, true);
- xtp = smbXcli_transport_tstream(mem_ctx, &tstream, &laddr, &raddr, tp);
+ xtp = smbXcli_transport_tstream(
+ mem_ctx, &tstream, verify_peer, &laddr, &raddr, tp);
 TALLOC_FREE(tstream);
 return xtp;
 }
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 0e6bc468a18..e4e7ab180eb 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -29,6 +29,7 @@
 #include "libcli/util/ntstatus.h"
 #include "lib/util/time.h"
 #include "lib/util/data_blob.h"
+#include "source4/lib/tls/tls.h"
 struct smbXcli_transport;
 struct smbXcli_conn;
@@ -44,20 +45,25 @@ struct smb311_capabilities;
 struct samba_sockaddr;
 struct tstream_context;
-struct smbXcli_transport *smbXcli_transport_tstream(TALLOC_CTX *mem_ctx,
- struct tstream_context **pstream,
- const struct samba_sockaddr *laddr,
- const struct samba_sockaddr *raddr,
- const struct smb_transport *tp);
+struct smbXcli_transport *smbXcli_transport_tstream(
+ TALLOC_CTX *mem_ctx,
+ struct tstream_context **pstream,
+ enum tls_verify_peer_state verify_peer,
+ const struct samba_sockaddr *laddr,
+ const struct samba_sockaddr *raddr,
+ const struct smb_transport *tp);
-struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX *mem_ctx,
- int *_fd,
- const struct smb_transport *tp);
+struct smbXcli_transport *smbXcli_transport_bsd(
+ TALLOC_CTX *mem_ctx,
+ int *_fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp);
 struct smbXcli_transport *smbXcli_transport_bsd_tstream(
- TALLOC_CTX *mem_ctx,
- int *fd,
- const struct smb_transport *tp);
+ TALLOC_CTX *mem_ctx,
+ int *fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp);
 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
 struct smbXcli_transport **ptransport,
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index 5e7587ae314..b6189d1891e 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -403,9 +403,10 @@ struct smbsock_connect_state {
 struct smbsock_connect_substate substates[SMB_TRANSPORTS_MAX_TRANSPORTS];
 struct smbXcli_transport *transport;
 struct smbXcli_transport *(*create_bsd_transport)(
- TALLOC_CTX *mem_ctx,
- int *fd,
- enum tls_verify_peer_state verify_peer,
- const struct smb_transport *tp);
 };
 static void smbsock_connect_cleanup(struct tevent_req *req,
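Review bot: The public prototypes in `libcli/smb/smbXcli_base.h` gain an `enum tls_verify_peer_state verify_peer` parameter without any comment stating what a caller must pass, and the header now pulls `source4/lib/tls/tls.h` into a libcli header for that one enum. A short comment above the three prototypes, such as `/* verify_peer: peer-verification setting of the TLS params the connection was made with; pass TLS_VERIFY_PEER_NO_CHECK for plaintext transports */`, would keep the contract readable from the header alone. Whether libcli is expected to stay free of source4 includes cannot be judged from this diff, but if it is, the enum would be better served by a lower-level header.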
@@ -821,9 +822,11 @@ static void smbsock_connect_nbt_connected(struct tevent_req *subreq)
 * will free all other subreqs
 */
 set_socket_options(s->sockfd, lp_socket_options());
- state->transport = state->create_bsd_transport(state,
- &s->sockfd,
- &s->transport);
+ state->transport = state->create_bsd_transport(
+ state,
+ &s->sockfd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &s->transport);
 if (tevent_req_nomem(state->transport, req)) {
 return;
 }
@@ -883,9 +886,11 @@ static void smbsock_connect_tcp_connected(struct tevent_req *subreq)
 * will free all other subreqs
 */
 set_socket_options(s->sockfd, lp_socket_options());
- state->transport = state->create_bsd_transport(state,
- &s->sockfd,
- &s->transport);
+ state->transport = state->create_bsd_transport(
+ state,
+ &s->sockfd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &s->transport);
 if (tevent_req_nomem(state->transport, req)) {
 return;
 }
@@ -1048,9 +1053,11 @@ static void smbsock_connect_quic_ready(struct tevent_req *subreq)
 * smbsock_connect_cleanup()
 * will free all other subreqs
 */
- state->transport = state->create_bsd_transport(state,
- &s->sockfd,
- &s->transport);
+ state->transport = state->create_bsd_transport(
+ state,
+ &s->sockfd,
+ tstream_tls_params_verify_peer(state->quic_tlsp),
+ &s->transport);
 if (tevent_req_nomem(state->transport, req)) {
 return;
 }
@@ -1171,11 +1178,13 @@ static void smbsock_connect_ngtcp2_ready(struct tevent_req *subreq)
 * smbsock_connect_cleanup()
 * will free all other subreqs
 */
- state->transport = smbXcli_transport_tstream(state,
- &tstream,
- &s->laddr,
- &s->raddr,
- &s->transport);
+ state->transport = smbXcli_transport_tstream(
+ state,
+ &tstream,
+ tstream_tls_params_verify_peer(state->quic_tlsp),
+ &s->laddr,
+ &s->raddr,
+ &s->transport);
 if (tevent_req_nomem(state->transport, req)) {
 return;
 }
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 3d592429390..a9822381b26 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
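Review bot: In `smbsock_connect_nbt_connected` and `smbsock_connect_tcp_connected` the new code passes `TLS_VERIFY_PEER_NO_CHECK` for transports that carry no TLS at all, so a consumer of the stored `verify_peer` cannot tell "TLS with peer verification disabled" from "not TLS" — both look the same. That is acceptable only if every policy decision first consults the transport type, and nothing in the diff records that requirement; a comment at both call sites, `/* plaintext transport: verify_peer is not meaningful here */`, would stop a later check from treating the value as a real TLS setting. The QUIC paths take the value from `tstream_tls_params_verify_peer(state->quic_tlsp)`; whether `quic_tlsp` can be NULL when those callbacks run is not visible from these hunks and is worth confirming. The enclosing functions start and end outside the hunks.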
@@ -15135,7 +15135,10 @@ static bool run_smb1_truncated_sesssetup(int dummy)
 return false;
 }
- xtp = smbXcli_transport_bsd(talloc_tos(), &fd, &tp);
+ xtp = smbXcli_transport_bsd(talloc_tos(),
+ &fd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &tp);
 if (xtp == NULL) {
 d_fprintf(stderr, "smbXcli_transport_bsd failed\n");
 return false;
@@ -15335,7 +15338,10 @@ static bool run_smb1_negotiate_exit(int dummy)
 return false;
 }
- xtp = smbXcli_transport_bsd(talloc_tos(), &fd, &tp);
+ xtp = smbXcli_transport_bsd(talloc_tos(),
+ &fd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &tp);
 if (xtp == NULL) {
 d_fprintf(stderr, "smbXcli_transport_bsd failed\n");
 return false;
@@ -15457,7 +15463,10 @@ static bool run_ign_bad_negprot(int dummy)
 return false;
 }
- xtp = smbXcli_transport_bsd(talloc_tos(), &fd, &tp);
+ xtp = smbXcli_transport_bsd(talloc_tos(),
+ &fd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &tp);
 if (xtp == NULL) {
 d_fprintf(stderr, "smbXcli_transport_bsd failed\n");
 return false;
diff --git a/source4/torture/smb2/multichannel.c b/source4/torture/smb2/multichannel.c
index 76684e142ba..b9899dfec9d 100644
--- a/source4/torture/smb2/multichannel.c
+++ b/source4/torture/smb2/multichannel.c
@@ -2568,7 +2568,10 @@ static bool test_multichannel_bug_15346(struct torture_context *tctx,
 torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "socket_connect_multi failed");
- xtp = smbXcli_transport_bsd(state->conns, &sock->fd, &tp);
+ xtp = smbXcli_transport_bsd(state->conns,
+ &sock->fd,
+ TLS_VERIFY_PEER_NO_CHECK,
+ &tp);
 torture_assert_goto(tctx, xtp != NULL, ret, done, "smbXcli_transport_bsd failed");
 TALLOC_FREE(sock);