s3:smbd: improve the error returns for invalid session binding requests

This brings us closer to what a Windows Server with GMAC signing
returns.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/selftest/knownfail.d/smb2.session b/selftest/knownfail.d/smb2.session
index be898a8b771c11abc4980bade3e46744da88a735..a85fb37bf95429918e01e41363c6fdd039c8e92d 100644 (file)
--- a/selftest/knownfail.d/smb2.session
+++ b/selftest/knownfail.d/smb2.session
@@ -1,28 +1,4 @@
-^samba3.smb2.session.*.bind_negative_smb3signCtoHs
+# These tests fail with INVALID_PARAMETER as
+# we required the same client guid for session binds
 ^samba3.smb2.session.*.bind_negative_smb3signCtoHd
-^samba3.smb2.session.*.bind_negative_smb3signCtoGs
-^samba3.smb2.session.*.bind_negative_smb3signCtoGd
-^samba3.smb2.session.*.bind_negative_smb3signHtoCs
 ^samba3.smb2.session.*.bind_negative_smb3signHtoCd
-^samba3.smb2.session.*.bind_negative_smb3signHtoGs
-^samba3.smb2.session.*.bind_negative_smb3signHtoGd
-^samba3.smb2.session.*.bind_negative_smb3signGtoCs
-^samba3.smb2.session.*.bind_negative_smb3signGtoCd
-^samba3.smb2.session.*.bind_negative_smb3signGtoHs
-^samba3.smb2.session.*.bind_negative_smb3signGtoHd
-^samba3.smb2.session.*.bind_negative_smb3sneGtoCs
-^samba3.smb2.session.*.bind_negative_smb3sneGtoCd
-^samba3.smb2.session.*.bind_negative_smb3sneGtoHs
-^samba3.smb2.session.*.bind_negative_smb3sneGtoHd
-^samba3.smb2.session.*.bind_negative_smb3sneCtoGs
-^samba3.smb2.session.*.bind_negative_smb3sneCtoGd
-^samba3.smb2.session.*.bind_negative_smb3sneHtoGs
-^samba3.smb2.session.*.bind_negative_smb3sneHtoGd
-^samba3.smb2.session.*.bind_negative_smb3signC30toGs
-^samba3.smb2.session.*.bind_negative_smb3signC30toGd
-^samba3.smb2.session.*.bind_negative_smb3signH2XtoGs
-^samba3.smb2.session.*.bind_negative_smb3signH2XtoGd
-^samba3.smb2.session.*.bind_negative_smb3signGtoC30s
-^samba3.smb2.session.*.bind_negative_smb3signGtoC30d
-^samba3.smb2.session.*.bind_negative_smb3signGtoH2Xs
-^samba3.smb2.session.*.bind_negative_smb3signGtoH2Xd

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 68d5018214d7ab0e3d1d424a3de7684a1d9485bf..8cbad36cc7b7cfa14fff2d5e4c794821bb564308 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -691,23 +691,36 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
        state->in_security_buffer = in_security_buffer;
 
        if (in_flags & SMB2_SESSION_FLAG_BINDING) {
-               if (smb2req->xconn->protocol < PROTOCOL_SMB3_00) {
-                       tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
+               if (in_session_id == 0) {
+                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
                        return tevent_req_post(req, ev);
                }
 
-               if (!smb2req->xconn->client->server_multi_channel_enabled) {
-                       tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
+               if (smb2req->session == NULL) {
+                       tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
                        return tevent_req_post(req, ev);
                }
 
-               if (in_session_id == 0) {
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               if ((smb2req->session->global->signing_algo >= SMB2_SIGNING_AES128_GMAC) &&
+                   (smb2req->xconn->smb2.server.sign_algo != smb2req->session->global->signing_algo))
+               {
+                       tevent_req_nterror(req, NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
+                       return tevent_req_post(req, ev);
+               }
+               if ((smb2req->xconn->smb2.server.sign_algo >= SMB2_SIGNING_AES128_GMAC) &&
+                   (smb2req->session->global->signing_algo != smb2req->xconn->smb2.server.sign_algo))
+               {
+                       tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
                        return tevent_req_post(req, ev);
                }
 
-               if (smb2req->session == NULL) {
-                       tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
+               if (smb2req->xconn->protocol < PROTOCOL_SMB3_00) {
+                       tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
+                       return tevent_req_post(req, ev);
+               }
+
+               if (!smb2req->xconn->client->server_multi_channel_enabled) {
+                       tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
                        return tevent_req_post(req, ev);
                }
 
@@ -723,17 +736,19 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
                        return tevent_req_post(req, ev);
                }
 
-               if (smb2req->session->global->signing_algo
-                   != smb2req->xconn->smb2.server.sign_algo)
+               if (smb2req->session->global->encryption_cipher
+                   != smb2req->xconn->smb2.server.cipher)
                {
                        tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
                        return tevent_req_post(req, ev);
                }
 
-               if (smb2req->session->global->encryption_cipher
-                   != smb2req->xconn->smb2.server.cipher)
-               {
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               status = smb2req->session->status;
+               if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_LOGON_SESSION_STATE)) {
+                       /*
+                        * This comes from smb2srv_session_lookup_global().
+                        */
+                       tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
                        return tevent_req_post(req, ev);
                }