From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Mon, 14 Aug 2017 12:13:18 +0200

Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add

 cli_state_is_encryption_on() helper function

This allows to check if the current cli_state uses encryption

(either via unix extentions or via SMB3).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/libsmb/clientgen.c | 13 +++++++++++++

 source3/libsmb/proto.h     |  1 +

 2 files changed, 14 insertions(+)

diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c

index bc5c1b1ce3c..3e8523e5ce8 100644

--- a/source3/libsmb/clientgen.c

+++ b/source3/libsmb/clientgen.c

@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)

 	return cli->smb1.pid;

 }

+bool cli_state_is_encryption_on(struct cli_state *cli)

+{

+	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {

+		return smb1cli_conn_encryption_on(cli->conn);

+	}

+

+	if (cli->smb2.tcon == NULL) {

+		return false;

+	}

+

+	return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);

+}

+

 bool cli_state_has_tcon(struct cli_state *cli)

 {

 	uint16_t tid = cli_state_get_tid(cli);

diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h

index 764f3fc1b12..67fa43e4e4a 100644

--- a/source3/libsmb/proto.h

+++ b/source3/libsmb/proto.h

@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);

 uint16_t cli_state_get_vc_num(struct cli_state *cli);

 uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);

 uint32_t cli_getpid(struct cli_state *cli);

+bool cli_state_is_encryption_on(struct cli_state *cli);

 bool cli_state_has_tcon(struct cli_state *cli);

 uint16_t cli_state_get_tid(struct cli_state *cli);

 uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);

-- 

2.13.5

From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Sat, 17 Dec 2016 10:36:49 +0100

Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of

 cli_state_is_encryption_on()

This will keep enforced encryption across dfs referrals.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze@samba.org>

---

 source3/libsmb/clidfs.c         | 4 ++--

 source3/libsmb/libsmb_context.c | 2 +-

 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c

index c477d7c6a46..99818a681e3 100644

--- a/source3/libsmb/clidfs.c

+++ b/source3/libsmb/clidfs.c

@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,

 			     "IPC$",

 			     dfs_auth_info,

 			     false,

-			     smb1cli_conn_encryption_on(rootcli->conn),

+			     cli_state_is_encryption_on(rootcli),

 			     smbXcli_conn_protocol(rootcli->conn),

 			     0,

 			     0x20,

@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,

 				dfs_refs[count].share,

 				dfs_auth_info,

 				false,

-				smb1cli_conn_encryption_on(rootcli->conn),

+				cli_state_is_encryption_on(rootcli),

 				smbXcli_conn_protocol(rootcli->conn),

 				0,

 				0x20,

diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c

index ed6ca2b1b9f..b55cf1e2d15 100644

--- a/source3/libsmb/libsmb_context.c

+++ b/source3/libsmb/libsmb_context.c

@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,

                 for (s = context->internal->servers; s; s = s->next) {

                         num_servers++;

-                        if (!smb1cli_conn_encryption_on(s->cli->conn)) {

+                        if (!cli_state_is_encryption_on(s->cli)) {

                                 return (void *)false;

                         }

                 }

-- 

2.13.5