From: Stefan Metzmacher Date: Wed, 14 Jul 2021 10:13:49 +0000 (+0200) Subject: libcli/smb: let 'client smb3 encryption algorithms' disable aes-128-ccm for SMB3_0* X-Git-Tag: samba-4.15.0rc1~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf1459f458bd8cb03cf1cd3f3ed2e5d8568203b7;p=thirdparty%2Fsamba.git libcli/smb: let 'client smb3 encryption algorithms' disable aes-128-ccm for SMB3_0* SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless 'client smb3 encryption algorithms' allows them. Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison
---
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 74bf04ea605..f428308dc63 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4870,6 +4870,8 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
 UINT16_MAX); /* max_dyn_len */
 }

+static NTSTATUS smbXcli_negprot_smb3_check_capabilities(struct tevent_req *req);
+
 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 {
 struct tevent_req *req =
@@ -5013,6 +5015,12 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
 conn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
 }
+
+ status = smbXcli_negprot_smb3_check_capabilities(req);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
 tevent_req_done(req);
 return;
 }
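Review bot: In the second hunk (the SMB 3.0/3.0.2 path named in the commit message), `conn->smb2.server.cipher` is assigned only when the server sets `SMB2_CAP_ENCRYPTION`, so for a server without that flag the new `smbXcli_negprot_smb3_check_capabilities(req)` call evaluates whatever value the field held before, which this hunk does not show. It is worth confirming that the policy check behaves as intended for such an unencrypted session and recording the reasoning above the call, for example `/* SMB 3.0 and 3.0.2 imply AES-128-CCM; enforce 'client smb3 encryption algorithms' before completing */`. On failure the request is failed via `tevent_req_nterror()`, but the cipher has already been stored on `conn`, so callers presumably have to drop the connection on this error rather than reuse it; a sentence to that effect would help. The body of `smbXcli_negprot_smb2_done` starts and ends outside the hunk.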
@@ -5234,9 +5242,30 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 return;
 }

+ status = smbXcli_negprot_smb3_check_capabilities(req);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
 tevent_req_done(req);
 }

+static NTSTATUS smbXcli_negprot_smb3_check_capabilities(struct tevent_req *req)
+{
+ struct smbXcli_negprot_state *state =
+ tevent_req_data(req,
+ struct smbXcli_negprot_state);
+ struct smbXcli_conn *conn = state->conn;
+
+ return smb311_capabilities_check(&conn->smb2.client.smb3_capabilities,
+ "smbXcli_negprot",
+ DBGLVL_ERR,
+ NT_STATUS_ACCESS_DENIED,
+ "client",
+ conn->protocol,
+ conn->smb2.server.cipher);
+}
+
 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
 TALLOC_CTX *tmp_mem,
 uint8_t *inbuf)
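Review bot: The new helper `smbXcli_negprot_smb3_check_capabilities()` carries no comment stating its contract, although both completion paths of `smbXcli_negprot_smb2_done` now rely on it to enforce the client's cipher policy. A short header comment should say that it must run only after `conn->protocol` and `conn->smb2.server.cipher` hold the negotiated values, that it passes them with `conn->smb2.client.smb3_capabilities` to `smb311_capabilities_check()`, and that a non-OK result fails the negotiation with the `NT_STATUS_ACCESS_DENIED` status handed to that check. The `"smbXcli_negprot"` prefix and `DBGLVL_ERR` are hard-coded arguments; if, as they suggest, a refused cipher is logged at error level under that prefix, the comment should mention it so operators know what to search for. `smbXcli_negprot_smb2_done` begins outside the hunk.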