From 5a54c9b28abb1464c84cb4be15a49718d8ae6795 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 3 Jul 2023 15:14:38 +0200
Subject: [PATCH] s3:utils: let smbstatus report anonymous signing/encryption explicitly
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

We should mark sessions/tcons with anonymous encryption or signing in a special way, as the value of it is void, all based on a session key with 16 zero bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Günther Deschner

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
---
 source3/utils/status.c | 28 ++++++++++++++++++++++++++++
 source3/utils/status.h | 1 +
 source3/utils/status_json.c | 2 ++
 3 files changed, 31 insertions(+)

diff --git a/source3/utils/status.c b/source3/utils/status.c
index d31a145451d..02a5f6dbaba 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -493,6 +493,8 @@ static int traverse_connections_stdout(struct traverse_state *state,
 
 if (encryption_degree == CRYPTO_DEGREE_FULL) {
 fstr_sprintf(encryption, "%s", encryption_cipher);
+ } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher);
 } else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) {
 fstr_sprintf(encryption, "partial(%s)", encryption_cipher);
 } else {
@@ -500,6 +502,8 @@ static int traverse_connections_stdout(struct traverse_state *state,
 }
 if (signing_degree == CRYPTO_DEGREE_FULL) {
 fstr_sprintf(signing, "%s", signing_cipher);
+ } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(signing, "anonymous(%s)", signing_cipher);
 } else if (signing_degree == CRYPTO_DEGREE_PARTIAL) {
 fstr_sprintf(signing, "partial(%s)", signing_cipher);
 } else {
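Review bot: The degree-to-string chain in traverse_connections_stdout (hunk at -493) is now a four-branch if/else that is repeated verbatim for signing at -500 and twice more in traverse_sessionid_stdout (-655 and -662), so every future degree has to be added in four places and a missed one silently falls into the final `else`. A single static helper that takes the degree, the cipher name and the destination fstring would keep the four columns in step. Both functions start and end outside these hunks. The new `anonymous(<cipher>)` text also appears in the column that previously held only a cipher name, `partial(...)` or the fallback, so anything that reads this column as "protected unless empty" would count these sessions as protected; the patch touches no documentation, and the meaning (keys derived from an all-zero session key) should be stated wherever the column is described.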
@@ -586,6 +590,11 @@ static int traverse_connections(const struct connections_data *crec,
 } else if (smbXsrv_is_partially_encrypted(crec->encryption_flags)) {
 encryption_degree = CRYPTO_DEGREE_PARTIAL;
 }
+ if (encryption_degree != CRYPTO_DEGREE_NONE &&
+ !crec->authenticated)
+ {
+ encryption_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
 }
 
 if (smbXsrv_is_signed(crec->signing_flags) ||
@@ -613,6 +622,11 @@ static int traverse_connections(const struct connections_data *crec,
 } else if (smbXsrv_is_partially_signed(crec->signing_flags)) {
 signing_degree = CRYPTO_DEGREE_PARTIAL;
 }
+ if (signing_degree != CRYPTO_DEGREE_NONE &&
+ !crec->authenticated)
+ {
+ signing_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
 }
 
 if (!state->json_output) {
@@ -655,6 +669,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state,
 
 if (encryption_degree == CRYPTO_DEGREE_FULL) {
 fstr_sprintf(encryption, "%s", encryption_cipher);
+ } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher);
 } else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) {
 fstr_sprintf(encryption, "partial(%s)", encryption_cipher);
 } else {
@@ -662,6 +678,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state,
 }
 if (signing_degree == CRYPTO_DEGREE_FULL) {
 fstr_sprintf(signing, "%s", signing_cipher);
+ } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(signing, "anonymous(%s)", signing_cipher);
 } else if (signing_degree == CRYPTO_DEGREE_PARTIAL) {
 fstr_sprintf(signing, "partial(%s)", signing_cipher);
 } else {
@@ -796,6 +814,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
 } else if (smbXsrv_is_partially_encrypted(session->encryption_flags)) {
 encryption_degree = CRYPTO_DEGREE_PARTIAL;
 }
+ if (encryption_degree != CRYPTO_DEGREE_NONE &&
+ !session->authenticated)
+ {
+ encryption_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
 }
 
 if (smbXsrv_is_signed(session->signing_flags) ||
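Review bot: The new `!crec->authenticated` override in traverse_connections (hunk at -586) carries no comment explaining why an unauthenticated record is downgraded, and it also overwrites CRYPTO_DEGREE_PARTIAL, so a partially protected anonymous tcon and a fully protected one are reported identically. I would add above the check `/* anonymous: keys derive from an all-zero 16-byte session key, so signing/encryption proves nothing */` and say there that partial is folded in on purpose. The same applies to the signing check at -613 and to the two `!session->authenticated` checks in traverse_sessionid (-796 and -823). Each enclosing function starts and ends outside its hunk.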
@@ -823,6 +846,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
 } else if (smbXsrv_is_partially_signed(session->signing_flags)) {
 signing_degree = CRYPTO_DEGREE_PARTIAL;
 }
+ if (signing_degree != CRYPTO_DEGREE_NONE &&
+ !session->authenticated)
+ {
+ signing_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
 }
 
 
diff --git a/source3/utils/status.h b/source3/utils/status.h
index c08aba4c262..6674f0db54f 100644
--- a/source3/utils/status.h
+++ b/source3/utils/status.h
@@ -38,6 +38,7 @@ struct traverse_state {
 enum crypto_degree {
 CRYPTO_DEGREE_NONE,
 CRYPTO_DEGREE_PARTIAL,
+ CRYPTO_DEGREE_ANONYMOUS,
 CRYPTO_DEGREE_FULL
 };
 
diff --git a/source3/utils/status_json.c b/source3/utils/status_json.c
index ee24a3b31d9..f558c91dec7 100644
--- a/source3/utils/status_json.c
+++ b/source3/utils/status_json.c
@@ -258,6 +258,8 @@ static int add_crypto_to_json(struct json_object *parent_json,
 
 if (degree == CRYPTO_DEGREE_NONE) {
 degree_str = "none";
+ } else if (degree == CRYPTO_DEGREE_ANONYMOUS) {
+ degree_str = "anonymous";
 } else if (degree == CRYPTO_DEGREE_PARTIAL) {
 degree_str = "partial";
 } else {
-- 
2.11.4.GIT
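Review bot: Inserting CRYPTO_DEGREE_ANONYMOUS between CRYPTO_DEGREE_PARTIAL and CRYPTO_DEGREE_FULL in status.h renumbers FULL and places a degree with no security value above PARTIAL, which would mislead any ordered comparison such as `degree >= CRYPTO_DEGREE_PARTIAL`. The code visible in this patch only tests for equality, so this is a hazard rather than a bug. The enum should carry a comment saying the values are not a strength ranking, e.g. `/* not ordered by strength: ANONYMOUS means keyed from an all-zero session key */`.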
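Review bot: In add_crypto_to_json (status_json.c, hunk at -258) the chain still ends in a bare `else`, whose body lies outside this hunk and presumably reports the strongest degree, so any enum value that is not listed is published under that label. This commit shows the risk: had this hunk been forgotten, anonymous sessions would have kept that label in the JSON output. Testing `degree == CRYPTO_DEGREE_FULL` explicitly and making the last branch an error or an `"unknown"` string (or using a `switch` with no `default`, so -Wswitch flags new values) would make the function fail closed. Consumers that treat every degree other than `"none"` as protected will also need to handle the new `"anonymous"` value.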