From 19d0fde1ace012e366182b511c528f7ab6a0ed37 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 20 Jun 2024 06:07:27 +0200 Subject: Merging upstream version 2:4.20.2+dfsg. Signed-off-by: Daniel Baumann --- source3/utils/conn_tdb.c | 12 +++++-- source3/utils/conn_tdb.h | 1 + source3/utils/net_ads.c | 6 ++++ source3/utils/net_registry.c | 2 +- source3/utils/sharesec.c | 8 ++--- source3/utils/smbcacls.c | 15 ++++---- source3/utils/status.c | 82 ++++++++++++++++++++++++++++++++++++++++---- source3/utils/status.h | 1 + source3/utils/status_json.c | 2 ++ 9 files changed, 108 insertions(+), 21 deletions(-) (limited to 'source3/utils') diff --git a/source3/utils/conn_tdb.c b/source3/utils/conn_tdb.c index 3724bd4..3f4ef00 100644 --- a/source3/utils/conn_tdb.c +++ b/source3/utils/conn_tdb.c @@ -27,6 +27,7 @@ #include "conn_tdb.h" #include "util_tdb.h" #include "lib/util/string_wrappers.h" +#include "../libcli/security/session.h" struct connections_forall_state { struct db_context *session_by_pid; @@ -44,7 +45,7 @@ struct connections_forall_session { uint16_t cipher; uint16_t dialect; uint16_t signing; - uint8_t signing_flags; + bool authenticated; }; static int collect_sessions_fn(struct smbXsrv_session_global0 *global, @@ -56,6 +57,7 @@ static int collect_sessions_fn(struct smbXsrv_session_global0 *global, uint32_t id = global->session_global_id; struct connections_forall_session sess; + enum security_user_level ul; if (global->auth_session_info == NULL) { sess.uid = -1; @@ -69,7 +71,12 @@ static int collect_sessions_fn(struct smbXsrv_session_global0 *global, sess.cipher = global->channels[0].encryption_cipher; sess.signing = global->channels[0].signing_algo; sess.dialect = global->connection_dialect; - sess.signing_flags = global->signing_flags; + ul = security_session_user_level(global->auth_session_info, NULL); + if (ul >= SECURITY_USER) { + sess.authenticated = true; + } else { + sess.authenticated = false; + } status = dbwrap_store(state->session_by_pid, make_tdb_data((void*)&id, sizeof(id)), @@ -134,6 +141,7 @@ static int traverse_tcon_fn(struct smbXsrv_tcon_global0 *global, data.dialect = sess.dialect; data.signing = sess.signing; data.signing_flags = global->signing_flags; + data.authenticated = sess.authenticated; state->count++; diff --git a/source3/utils/conn_tdb.h b/source3/utils/conn_tdb.h index 2a6e04e..23a5e21 100644 --- a/source3/utils/conn_tdb.h +++ b/source3/utils/conn_tdb.h @@ -36,6 +36,7 @@ struct connections_data { uint16_t dialect; uint8_t signing_flags; uint16_t signing; + bool authenticated; }; /* The following definitions come from lib/conn_tdb.c */ diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index d95a209..43fa026 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -521,6 +521,11 @@ static int net_ads_info_json(ADS_STRUCT *ads) goto failure; } + ret = json_add_string (&jsobj, "Workgroup", ads->config.workgroup); + if (ret != 0) { + goto failure; + } + ret = json_add_string (&jsobj, "Realm", ads->config.realm); if (ret != 0) { goto failure; @@ -627,6 +632,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv) d_printf(_("LDAP server: %s\n"), addr); d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name); + d_printf(_("Workgroup: %s\n"), ads->config.workgroup); d_printf(_("Realm: %s\n"), ads->config.realm); d_printf(_("Bind Path: %s\n"), ads->config.bind_path); d_printf(_("LDAP port: %d\n"), ads->ldap.port); diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index 5d1314e..b47a8ff 100644 --- a/source3/utils/net_registry.c +++ b/source3/utils/net_registry.c @@ -1146,7 +1146,7 @@ static int registry_value_cmp( if (v1->type == v2->type) { return data_blob_cmp(&v1->data, &v2->data); } - return v1->type - v2->type; + return NUMERIC_CMP(v1->type, v2->type); } static WERROR precheck_create_val(struct precheck_ctx *ctx, diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c index a6481e2..4175729 100644 --- a/source3/utils/sharesec.c +++ b/source3/utils/sharesec.c @@ -120,19 +120,19 @@ static int ace_compare(struct security_ace *ace1, struct security_ace *ace2) return 0; if (ace1->type != ace2->type) - return ace2->type - ace1->type; + return NUMERIC_CMP(ace2->type, ace1->type); if (dom_sid_compare(&ace1->trustee, &ace2->trustee)) return dom_sid_compare(&ace1->trustee, &ace2->trustee); if (ace1->flags != ace2->flags) - return ace1->flags - ace2->flags; + return NUMERIC_CMP(ace1->flags, ace2->flags); if (ace1->access_mask != ace2->access_mask) - return ace1->access_mask - ace2->access_mask; + return NUMERIC_CMP(ace1->access_mask, ace2->access_mask); if (ace1->size != ace2->size) - return ace1->size - ace2->size; + return NUMERIC_CMP(ace1->size, ace2->size); return memcmp(ace1, ace2, sizeof(struct security_ace)); } diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index e0591ac..5df7158 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -510,22 +510,23 @@ static int ace_compare(struct security_ace *ace1, struct security_ace *ace2) return -1; if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) && (ace2->flags & SEC_ACE_FLAG_INHERITED_ACE)) - return ace1 - ace2; - - if (ace1->type != ace2->type) - return ace2->type - ace1->type; + return NUMERIC_CMP(ace2->type, ace1->type); + if (ace1->type != ace2->type) { + /* note the reverse order */ + return NUMERIC_CMP(ace2->type, ace1->type); + } if (dom_sid_compare(&ace1->trustee, &ace2->trustee)) return dom_sid_compare(&ace1->trustee, &ace2->trustee); if (ace1->flags != ace2->flags) - return ace1->flags - ace2->flags; + return NUMERIC_CMP(ace1->flags, ace2->flags); if (ace1->access_mask != ace2->access_mask) - return ace1->access_mask - ace2->access_mask; + return NUMERIC_CMP(ace1->access_mask, ace2->access_mask); if (ace1->size != ace2->size) - return ace1->size - ace2->size; + return NUMERIC_CMP(ace1->size, ace2->size); return memcmp(ace1, ace2, sizeof(struct security_ace)); } diff --git a/source3/utils/status.c b/source3/utils/status.c index 4102b41..02a5f6d 100644 --- a/source3/utils/status.c +++ b/source3/utils/status.c @@ -483,9 +483,33 @@ static int traverse_connections_stdout(struct traverse_state *state, char *server_id, const char *machine, const char *timestr, - const char *encryption, - const char *signing) + const char *encryption_cipher, + enum crypto_degree encryption_degree, + const char *signing_cipher, + enum crypto_degree signing_degree) { + fstring encryption; + fstring signing; + + if (encryption_degree == CRYPTO_DEGREE_FULL) { + fstr_sprintf(encryption, "%s", encryption_cipher); + } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) { + fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher); + } else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) { + fstr_sprintf(encryption, "partial(%s)", encryption_cipher); + } else { + fstr_sprintf(encryption, "-"); + } + if (signing_degree == CRYPTO_DEGREE_FULL) { + fstr_sprintf(signing, "%s", signing_cipher); + } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) { + fstr_sprintf(signing, "anonymous(%s)", signing_cipher); + } else if (signing_degree == CRYPTO_DEGREE_PARTIAL) { + fstr_sprintf(signing, "partial(%s)", signing_cipher); + } else { + fstr_sprintf(signing, "-"); + } + d_printf("%-12s %-7s %-13s %-32s %-12s %-12s\n", servicename, server_id, machine, timestr, encryption, signing); @@ -538,7 +562,9 @@ static int traverse_connections(const struct connections_data *crec, return -1; } - if (smbXsrv_is_encrypted(crec->encryption_flags)) { + if (smbXsrv_is_encrypted(crec->encryption_flags) || + smbXsrv_is_partially_encrypted(crec->encryption_flags)) + { switch (crec->cipher) { case SMB_ENCRYPTION_GSSAPI: encryption = "GSSAPI"; @@ -549,14 +575,31 @@ static int traverse_connections(const struct connections_data *crec, case SMB2_ENCRYPTION_AES128_GCM: encryption = "AES-128-GCM"; break; + case SMB2_ENCRYPTION_AES256_CCM: + encryption = "AES-256-CCM"; + break; + case SMB2_ENCRYPTION_AES256_GCM: + encryption = "AES-256-GCM"; + break; default: encryption = "???"; break; } - encryption_degree = CRYPTO_DEGREE_FULL; + if (smbXsrv_is_encrypted(crec->encryption_flags)) { + encryption_degree = CRYPTO_DEGREE_FULL; + } else if (smbXsrv_is_partially_encrypted(crec->encryption_flags)) { + encryption_degree = CRYPTO_DEGREE_PARTIAL; + } + if (encryption_degree != CRYPTO_DEGREE_NONE && + !crec->authenticated) + { + encryption_degree = CRYPTO_DEGREE_ANONYMOUS; + } } - if (smbXsrv_is_signed(crec->signing_flags)) { + if (smbXsrv_is_signed(crec->signing_flags) || + smbXsrv_is_partially_signed(crec->signing_flags)) + { switch (crec->signing) { case SMB2_SIGNING_MD5_SMB1: signing = "HMAC-MD5"; @@ -574,7 +617,16 @@ static int traverse_connections(const struct connections_data *crec, signing = "???"; break; } - signing_degree = CRYPTO_DEGREE_FULL; + if (smbXsrv_is_signed(crec->signing_flags)) { + signing_degree = CRYPTO_DEGREE_FULL; + } else if (smbXsrv_is_partially_signed(crec->signing_flags)) { + signing_degree = CRYPTO_DEGREE_PARTIAL; + } + if (signing_degree != CRYPTO_DEGREE_NONE && + !crec->authenticated) + { + signing_degree = CRYPTO_DEGREE_ANONYMOUS; + } } if (!state->json_output) { @@ -584,7 +636,9 @@ static int traverse_connections(const struct connections_data *crec, crec->machine, timestr, encryption, - signing); + encryption_degree, + signing, + signing_degree); } else { result = traverse_connections_json(state, crec, @@ -615,6 +669,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state, if (encryption_degree == CRYPTO_DEGREE_FULL) { fstr_sprintf(encryption, "%s", encryption_cipher); + } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) { + fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher); } else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) { fstr_sprintf(encryption, "partial(%s)", encryption_cipher); } else { @@ -622,6 +678,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state, } if (signing_degree == CRYPTO_DEGREE_FULL) { fstr_sprintf(signing, "%s", signing_cipher); + } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) { + fstr_sprintf(signing, "anonymous(%s)", signing_cipher); } else if (signing_degree == CRYPTO_DEGREE_PARTIAL) { fstr_sprintf(signing, "partial(%s)", signing_cipher); } else { @@ -756,6 +814,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session, } else if (smbXsrv_is_partially_encrypted(session->encryption_flags)) { encryption_degree = CRYPTO_DEGREE_PARTIAL; } + if (encryption_degree != CRYPTO_DEGREE_NONE && + !session->authenticated) + { + encryption_degree = CRYPTO_DEGREE_ANONYMOUS; + } } if (smbXsrv_is_signed(session->signing_flags) || @@ -783,6 +846,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session, } else if (smbXsrv_is_partially_signed(session->signing_flags)) { signing_degree = CRYPTO_DEGREE_PARTIAL; } + if (signing_degree != CRYPTO_DEGREE_NONE && + !session->authenticated) + { + signing_degree = CRYPTO_DEGREE_ANONYMOUS; + } } diff --git a/source3/utils/status.h b/source3/utils/status.h index c08aba4..6674f0d 100644 --- a/source3/utils/status.h +++ b/source3/utils/status.h @@ -38,6 +38,7 @@ struct traverse_state { enum crypto_degree { CRYPTO_DEGREE_NONE, CRYPTO_DEGREE_PARTIAL, + CRYPTO_DEGREE_ANONYMOUS, CRYPTO_DEGREE_FULL }; diff --git a/source3/utils/status_json.c b/source3/utils/status_json.c index ee24a3b..f558c91 100644 --- a/source3/utils/status_json.c +++ b/source3/utils/status_json.c @@ -258,6 +258,8 @@ static int add_crypto_to_json(struct json_object *parent_json, if (degree == CRYPTO_DEGREE_NONE) { degree_str = "none"; + } else if (degree == CRYPTO_DEGREE_ANONYMOUS) { + degree_str = "anonymous"; } else if (degree == CRYPTO_DEGREE_PARTIAL) { degree_str = "partial"; } else { -- cgit v1.2.3