From 84f6b0f962a9106e0c108cdcd5eb5a1599cd8097 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 14 Aug 2012 09:30:43 +0200 Subject: [PATCH] libcli/smb: fix smb2cli_req_compound_submit for multiple encrypted messages There should be only one SMB2_TRANSFORM header for all compound requests. metze --- libcli/smb/smbXcli_base.c | 167 +++++++++++++++++++++++++++++----------------- 1 file changed, 104 insertions(+), 63 deletions(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index d9b17f83bb8..58232ba7eac 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -243,6 +243,7 @@ struct smbXcli_req_state { bool should_sign; bool should_encrypt; + uint64_t encryption_session_id; bool signing_skipped; bool notify_async; @@ -2601,14 +2602,17 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs, struct tevent_req *subreq; struct iovec *iov; int i, num_iov, nbt_len; + int tf_iov = -1; + const DATA_BLOB *encryption_key = NULL; + uint64_t encryption_session_id = 0; /* - * 1 for the nbt length - * per request: TRANSFORM, HDR, fixed, dyn, padding + * 1 for the nbt length, optional TRANSFORM + * per request: HDR, fixed, dyn, padding * -1 because the last one does not need padding */ - iov = talloc_array(reqs[0], struct iovec, 1 + 5*num_reqs - 1); + iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1); if (iov == NULL) { return NT_STATUS_NO_MEMORY; } @@ -2616,8 +2620,65 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs, num_iov = 1; nbt_len = 0; + /* + * the session of the first request that requires encryption + * specifies the encryption key. + */ + for (i=0; iconn)) { + return NT_STATUS_CONNECTION_DISCONNECTED; + } + + if ((state->conn->protocol != PROTOCOL_NONE) && + (state->conn->protocol < PROTOCOL_SMB2_02)) { + return NT_STATUS_REVISION_MISMATCH; + } + + if (state->session == NULL) { + continue; + } + + if (!state->smb2.should_encrypt) { + continue; + } + + encryption_key = &state->session->smb2->encryption_key; + if (encryption_key->length == 0) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + encryption_session_id = state->session->smb2->session_id; + + tf_iov = num_iov; + iov[num_iov].iov_base = state->smb2.transform; + iov[num_iov].iov_len = sizeof(state->smb2.transform); + num_iov += 1; + + SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC); + SBVAL(state->smb2.transform, SMB2_TF_NONCE, + state->session->smb2->nonce_low); + SBVAL(state->smb2.transform, SMB2_TF_NONCE+8, + state->session->smb2->nonce_high); + SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, + encryption_session_id); + + state->session->smb2->nonce_low += 1; + if (state->session->smb2->nonce_low == 0) { + state->session->smb2->nonce_high += 1; + state->session->smb2->nonce_low += 1; + } + + nbt_len += SMB2_TF_HDR_SIZE; + break; + } + for (i=0; ismb2.hdr, SMB2_HDR_MESSAGE_ID, mid); skip_credits: - if (state->session) { + if (state->session && encryption_key == NULL) { /* * We prefer the channel signing key if it is * already there. @@ -2711,17 +2771,6 @@ skip_credits: if (signing_key && signing_key->length == 0) { signing_key = NULL; } - - if (state->smb2.should_encrypt) { - encryption_key = &state->session->smb2->encryption_key; - } - } - - if (encryption_key) { - tf_iov = num_iov; - iov[num_iov].iov_base = state->smb2.transform; - iov[num_iov].iov_len = sizeof(state->smb2.transform); - num_iov += 1; } hdr_iov = num_iov; @@ -2754,53 +2803,9 @@ skip_credits: SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen); } - if (encryption_key) { - NTSTATUS status; - uint8_t *buf; - int vi; - - SBVAL(state->smb2.transform, SMB2_TF_NONCE, - state->session->smb2->nonce_low); - SBVAL(state->smb2.transform, SMB2_TF_NONCE+8, - state->session->smb2->nonce_high); - - state->session->smb2->nonce_low += 1; - if (state->session->smb2->nonce_low == 0) { - state->session->smb2->nonce_high += 1; - state->session->smb2->nonce_low += 1; - } - - buf = talloc_array(iov, uint8_t, reqlen); - if (buf == NULL) { - return NT_STATUS_NO_MEMORY; - } + state->smb2.encryption_session_id = encryption_session_id; - reqlen += SMB2_TF_HDR_SIZE; - - /* - * We copy the buffers before encrypting them, - * this is at least currently needed for the - * to keep state->smb2.hdr. - * - * Also the callers may expect there buffers - * to be const. - */ - for (vi = hdr_iov; vi < num_iov; vi++) { - struct iovec *v = &iov[vi]; - const uint8_t *o = (const uint8_t *)v->iov_base; - - memcpy(buf, o, v->iov_len); - v->iov_base = (void *)buf; - buf += v->iov_len; - } - - status = smb2_signing_encrypt_pdu(*encryption_key, - state->session->conn->protocol, - &iov[tf_iov], num_iov - tf_iov); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } else if (signing_key) { + if (signing_key != NULL) { NTSTATUS status; status = smb2_signing_sign_pdu(*signing_key, @@ -2824,6 +2829,42 @@ skip_credits: iov[0].iov_base = state->length_hdr; iov[0].iov_len = sizeof(state->length_hdr); + if (encryption_key != NULL) { + NTSTATUS status; + size_t buflen = nbt_len - SMB2_TF_HDR_SIZE; + uint8_t *buf; + int vi; + + buf = talloc_array(iov, uint8_t, buflen); + if (buf == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + * We copy the buffers before encrypting them, + * this is at least currently needed for the + * to keep state->smb2.hdr. + * + * Also the callers may expect there buffers + * to be const. + */ + for (vi = tf_iov + 1; vi < num_iov; vi++) { + struct iovec *v = &iov[vi]; + const uint8_t *o = (const uint8_t *)v->iov_base; + + memcpy(buf, o, v->iov_len); + v->iov_base = (void *)buf; + buf += v->iov_len; + } + + status = smb2_signing_encrypt_pdu(*encryption_key, + state->conn->protocol, + &iov[tf_iov], num_iov - tf_iov); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } + if (state->conn->dispatch_incoming == NULL) { state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming; } -- 2.11.4.GIT