svn commit: samba r21865 - in branches/SAMBA_3_0/source: . include
lib libsmb
jra at samba.org
jra at samba.org
Sat Mar 17 00:32:56 GMT 2007
Author: jra
Date: 2007-03-17 00:32:54 +0000 (Sat, 17 Mar 2007)
New Revision: 21865
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21865
Log:
Add in the stubs for SMB transport encryption. Will flesh
these out as I implement. Don't add to SAMBA_3_0_25, this
is experimental code.
NFSv4 you're now officially on notice... :-).
Jeremy.
Added:
branches/SAMBA_3_0/source/libsmb/smb_seal.c
Modified:
branches/SAMBA_3_0/source/Makefile.in
branches/SAMBA_3_0/source/include/smb.h
branches/SAMBA_3_0/source/include/trans2.h
branches/SAMBA_3_0/source/lib/util_sock.c
branches/SAMBA_3_0/source/libsmb/clientgen.c
branches/SAMBA_3_0/source/libsmb/clierror.c
Changeset:
Modified: branches/SAMBA_3_0/source/Makefile.in
===================================================================
--- branches/SAMBA_3_0/source/Makefile.in 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/Makefile.in 2007-03-17 00:32:54 UTC (rev 21865)
@@ -256,7 +256,7 @@
lib/substitute.o lib/fsusage.o \
lib/ms_fnmatch.o lib/select.o lib/messages.o \
lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
- lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
+ libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
nsswitch/wb_client.o $(WBCOMMON_OBJ) \
lib/pam_errors.o intl/lang_tdb.o \
lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
Modified: branches/SAMBA_3_0/source/include/smb.h
===================================================================
--- branches/SAMBA_3_0/source/include/smb.h 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/include/smb.h 2007-03-17 00:32:54 UTC (rev 21865)
@@ -79,6 +79,7 @@
#define WRITE_ERROR 4 /* This error code can go into the client smb_rw_error. */
#define READ_BAD_SIG 5
#define DO_NOT_DO_TDIS 6 /* cli_close_connection() check for this when smbfs wants to keep tree connected */
+#define READ_BAD_DECRYPT 7
#define DIR_STRUCT_SIZE 43
Modified: branches/SAMBA_3_0/source/include/trans2.h
===================================================================
--- branches/SAMBA_3_0/source/include/trans2.h 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/include/trans2.h 2007-03-17 00:32:54 UTC (rev 21865)
@@ -529,8 +529,8 @@
(chflags) and lsattr */
#define CIFS_UNIX_POSIX_PATHNAMES_CAP 0x10 /* Use POSIX pathnames on the wire. */
#define CIFS_UNIX_POSIX_PATH_OPERATIONS_CAP 0x20 /* We can cope with POSIX open/mkdir/unlink etc. */
+#define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP 0x40 /* We can do SPNEGO negotiations for encryption. */
-
#define SMB_QUERY_POSIX_FS_INFO 0x201
/* Returns FILE_SYSTEM_POSIX_INFO struct as follows
@@ -652,6 +652,27 @@
DOM_SID[] - list of SIDs (may be empty)
*/
+/*
+ * The following trans2 is done between client and server
+ * as a FSINFO call to set up the encryption state for transport
+ * encryption.
+ *
+ * The request looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI request.
+ *
+ * The reply looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI reply - if error
+ * is NT_STATUS_OK then we're done, if it's
+ * NT_STATUS_MORE_PROCESSING_REQUIRED then the
+ * client needs to keep going. If it's an
+ * error it can be any NT_STATUS error.
+ *
+ */
+
+#define SMB_REQUEST_TRANSPORT_ENCRYPTION 0x203
+
/* The query/set info levels for POSIX ACLs. */
#define SMB_QUERY_POSIX_ACL 0x204
#define SMB_SET_POSIX_ACL 0x204
Modified: branches/SAMBA_3_0/source/lib/util_sock.c
===================================================================
--- branches/SAMBA_3_0/source/lib/util_sock.c 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/lib/util_sock.c 2007-03-17 00:32:54 UTC (rev 21865)
@@ -732,15 +732,28 @@
BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
{
+ NTSTATUS status;
+
if (!receive_smb_raw(fd, buffer, timeout)) {
return False;
}
+ status = srv_decrypt_buffer(buffer);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("receive_smb: SMB decryption failed on incoming packet! Error %s\n",
+ nt_errstr(status) ));
+ if (smb_read_error == 0) {
+ smb_read_error = READ_BAD_DECRYPT;
+ }
+ return False;
+ }
+
/* Check the incoming SMB signature. */
if (!srv_check_sign_mac(buffer, True)) {
DEBUG(0, ("receive_smb: SMB Signature verification failed on incoming packet!\n"));
- if (smb_read_error == 0)
+ if (smb_read_error == 0) {
smb_read_error = READ_BAD_SIG;
+ }
return False;
};
@@ -753,6 +766,7 @@
BOOL send_smb(int fd, char *buffer)
{
+ NTSTATUS status;
size_t len;
size_t nwritten=0;
ssize_t ret;
@@ -760,6 +774,13 @@
/* Sign the outgoing packet if required. */
srv_calculate_sign_mac(buffer);
+ status = srv_encrypt_buffer(buffer);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("send_smb: SMB encryption failed on outgoing packet! Error %s\n",
+ nt_errstr(status) ));
+ return False;
+ }
+
len = smb_len(buffer) + 4;
while (nwritten < len) {
Modified: branches/SAMBA_3_0/source/libsmb/clientgen.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/clientgen.c 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/libsmb/clientgen.c 2007-03-17 00:32:54 UTC (rev 21865)
@@ -54,9 +54,13 @@
should never go into a blocking read.
****************************************************************************/
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
+static BOOL client_receive_smb(struct cli_state *cli)
{
BOOL ret;
+ NTSTATUS status;
+ int fd = cli->fd;
+ char *buffer = cli->inbuf;
+ unsigned int timeout = cli->timeout;
for(;;) {
ret = receive_smb_raw(fd, buffer, timeout);
@@ -71,6 +75,15 @@
if(CVAL(buffer,0) != SMBkeepalive)
break;
}
+ status = cli_decrypt_message(cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("SMB decryption failed on incoming packet! Error %s\n",
+ nt_errstr(status)));
+ cli->smb_rw_error = READ_BAD_DECRYPT;
+ close(cli->fd);
+ cli->fd = -1;
+ return False;
+ }
show_msg(buffer);
return ret;
}
@@ -88,7 +101,7 @@
return False;
again:
- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
+ ret = client_receive_smb(cli);
if (ret) {
/* it might be an oplock break request */
@@ -132,7 +145,7 @@
DEBUG(6,("write_socket(%d,%d)\n",fd,(int)len));
ret = write_data(fd,buf,len);
-
+
DEBUG(6,("write_socket(%d,%d) wrote %d\n",fd,(int)len,(int)ret));
if(ret <= 0)
DEBUG(0,("write_socket: Error writing %d bytes to socket %d: ERRNO = %s\n",
@@ -147,16 +160,28 @@
BOOL cli_send_smb(struct cli_state *cli)
{
+ NTSTATUS status;
size_t len;
size_t nwritten=0;
ssize_t ret;
/* fd == -1 causes segfaults -- Tom (tom at ninja.nl) */
- if (cli->fd == -1)
+ if (cli->fd == -1) {
return False;
+ }
cli_calculate_sign_mac(cli);
+ status = cli_encrypt_message(cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ close(cli->fd);
+ cli->fd = -1;
+ cli->smb_rw_error = WRITE_ERROR;
+ DEBUG(0,("Error in encrypting client message. Error %s\n",
+ nt_errstr(status) ));
+ return False;
+ }
+
len = smb_len(cli->outbuf) + 4;
while (nwritten < len) {
@@ -173,8 +198,9 @@
}
/* Increment the mid so we can tell between responses. */
cli->mid++;
- if (!cli->mid)
+ if (!cli->mid) {
cli->mid++;
+ }
return True;
}
Modified: branches/SAMBA_3_0/source/libsmb/clierror.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/clierror.c 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/libsmb/clierror.c 2007-03-17 00:32:54 UTC (rev 21865)
@@ -84,6 +84,7 @@
case WRITE_ERROR:
return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
case READ_BAD_SIG:
+ case READ_BAD_DECRYPT:
return NT_STATUS_INVALID_PARAMETER;
default:
break;
@@ -133,6 +134,10 @@
slprintf(cli_error_message, sizeof(cli_error_message) - 1,
"Server packet had invalid SMB signature!");
break;
+ case READ_BAD_DECRYPT:
+ slprintf(cli_error_message, sizeof(cli_error_message) - 1,
+ "Server packet could not be decrypted !");
+ break;
default:
slprintf(cli_error_message, sizeof(cli_error_message) - 1,
"Unknown error code %d\n", cli->smb_rw_error );
Added: branches/SAMBA_3_0/source/libsmb/smb_seal.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/smb_seal.c 2007-03-17 00:15:18 UTC (rev 21864)
+++ branches/SAMBA_3_0/source/libsmb/smb_seal.c 2007-03-17 00:32:54 UTC (rev 21865)
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/CIFS implementation.
+ SMB Transport encryption (sealing) code.
+ Copyright (C) Jeremy Allison 2007.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+NTSTATUS cli_decrypt_message(struct cli_state *cli)
+{
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_encrypt_message(struct cli_state *cli)
+{
+ return NT_STATUS_OK;
+}
+
+NTSTATUS srv_decrypt_buffer(char *buffer)
+{
+ return NT_STATUS_OK;
+}
+
+NTSTATUS srv_encrypt_buffer(char *buffer)
+{
+ return NT_STATUS_OK;
+}
More information about the samba-cvs
mailing list