svn commit: samba r21917 - in branches/SAMBA_3_0/source: include libsmb smbd

jra at samba.org jra at samba.org
Wed Mar 21 19:15:15 GMT 2007


Author: jra
Date: 2007-03-21 19:15:14 +0000 (Wed, 21 Mar 2007)
New Revision: 21917

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21917

Log:
Start to do the gss versions of sign+seal.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/include/client.h
   branches/SAMBA_3_0/source/include/includes.h
   branches/SAMBA_3_0/source/libsmb/smb_seal.c
   branches/SAMBA_3_0/source/smbd/seal.c


Changeset:
Modified: branches/SAMBA_3_0/source/include/client.h
===================================================================
--- branches/SAMBA_3_0/source/include/client.h	2007-03-21 18:33:13 UTC (rev 21916)
+++ branches/SAMBA_3_0/source/include/client.h	2007-03-21 19:15:14 UTC (rev 21917)
@@ -79,14 +79,14 @@
 };
 
 /* Transport encryption state. */
-enum smb_trans_enc_type { SMB_TRANS_ENC_NTLM, SMB_TRANS_ENC_KRB5 };
+enum smb_trans_enc_type { SMB_TRANS_ENC_NTLM, SMB_TRANS_ENC_GSS };
 
 struct smb_trans_enc_state {
 	enum smb_trans_enc_type smb_enc_type;
 	BOOL enc_on;
 	union {
 		NTLMSSP_STATE *ntlmssp_state;
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
 		gss_ctx_id_t context_handle;
 #endif
 	};

Modified: branches/SAMBA_3_0/source/include/includes.h
===================================================================
--- branches/SAMBA_3_0/source/include/includes.h	2007-03-21 18:33:13 UTC (rev 21916)
+++ branches/SAMBA_3_0/source/include/includes.h	2007-03-21 19:15:14 UTC (rev 21917)
@@ -1187,10 +1187,10 @@
 					krb5_data *reply);
 
 /* Call for SMB transport encryption. */
-#if defined(HAVE_GSSAPI_SUPPORT)
+#if defined(HAVE_GSSAPI)
 NTSTATUS common_gss_decrypt_buffer(gss_ctx_id_t context_handle, char *buf);
 #endif
-#if defined(HAVE_GSSAPI_SUPPORT) 
+#if defined(HAVE_GSSAPI) 
 NTSTATUS common_gss_encrypt_buffer(gss_ctx_id_t context_handle, char *buf, char **buf_out);
 #endif
 

Modified: branches/SAMBA_3_0/source/libsmb/smb_seal.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/smb_seal.c	2007-03-21 18:33:13 UTC (rev 21916)
+++ branches/SAMBA_3_0/source/libsmb/smb_seal.c	2007-03-21 19:15:14 UTC (rev 21917)
@@ -124,7 +124,7 @@
  gss-api decrypt an incoming buffer.
 ******************************************************************************/
 
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
  NTSTATUS common_gss_decrypt_buffer(gss_ctx_id_t context_handle, char *buf)
 {
 	return NT_STATUS_NOT_SUPPORTED;
@@ -136,10 +136,65 @@
  gss-api encrypt an outgoing buffer. Return the alloced encrypted pointer in buf_out.
 ******************************************************************************/
 
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
- NTSTATUS common_gss_encrypt_buffer(gss_ctx_id_t context_handle, char *buf, char **buf_out)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+ NTSTATUS common_gss_encrypt_buffer(gss_ctx_id_t context_handle, char *buf, char **ppbuf_out)
 {
-	return NT_STATUS_NOT_SUPPORTED;
+	OM_uint32 ret = 0;
+	OM_uint32 minor = 0;
+	int flags_got = 0;
+	gss_buffer_desc in_buf, out_buf;
+	size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+
+	*ppbuf_out = NULL;
+
+	if (buf_len < 8) {
+		return NT_STATUS_BUFFER_TOO_SMALL;
+	}
+
+	in_buf.value = buf + 8;
+	in_buf.length = buf_len - 8;
+
+	ret = gss_wrap(&minor,
+			context_handle,
+			True,			/* we want sign+seal. */
+			GSS_C_QOP_DEFAULT,
+			&in_buf,
+			&flags_got,		/* did we get sign+seal ? */
+			&out_buf);
+
+	if (ret != GSS_S_COMPLETE) {
+		/* Um - no mapping for gss-errs to NTSTATUS yet. */
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	if (!flags_got) {
+		/* Sign+seal not supported. */
+		gss_release_buffer(&minor, &out_buf);
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
+	/* Ya see - this is why I *hate* gss-api. I don't 
+	 * want to have to malloc another buffer of the
+	 * same size + 8 bytes just to get a continuous
+	 * header + buffer, but gss won't let me pass in
+	 * a pre-allocated buffer. Bastards (and you know
+	 * who you are....). I might fix this by
+	 * going to "encrypt_and_send" passing in a file
+	 * descriptor and doing scatter-gather write with
+	 * TCP cork on Linux. But I shouldn't have to
+	 * bother :-*(. JRA.
+	 */
+
+	*ppbuf_out = SMB_MALLOC(out_buf.length + 8); /* We know this can't wrap. */
+	if (!*ppbuf_out) {
+		gss_release_buffer(&minor, &out_buf);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	smb_setlen(*ppbuf_out, out_buf.length + 8);
+	memcpy(*ppbuf_out+8, out_buf.value, out_buf.length);
+	gss_release_buffer(&minor, &out_buf);
+	return NT_STATUS_OK;
 }
 #endif
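Review bot: The length written by `smb_setlen(*ppbuf_out, out_buf.length + 8);` looks 4 bytes too large. This function's own convention at the top (`size_t buf_len = smb_len(buf) + 4;`) treats the length field as the byte count following the 4-byte length header, and the output buffer holds `out_buf.length + 8` bytes in total, so the field should be `smb_setlen(*ppbuf_out, out_buf.length + 4);` — otherwise a peer that computes `smb_len() + 4` waits for 4 bytes that are never sent. The `ret != GSS_S_COMPLETE` branch also drops `minor`, which is the only value that explains why wrapping failed; a `DEBUG` line reporting `ret` and `minor` before returning `NT_STATUS_UNSUCCESSFUL` would make failures diagnosable. Whether gss_wrap leaves `out_buf` allocated on failure is not visible here; if it can, that path needs the same `gss_release_buffer` the other early returns have.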
 
@@ -162,14 +217,15 @@
 		return NT_STATUS_OK;
 	}
 
-	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
-		return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
-	} else {
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
-		return common_gss_encrypt_buffer(es->context_handle, buffer, buf_out);
-#else
-		return NT_STATUS_NOT_SUPPORTED;
+	switch (es->smb_enc_type) {
+		case SMB_TRANS_ENC_NTLM:
+			return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+		case SMB_TRANS_ENC_GSS:
+			return common_gss_encrypt_buffer(es->context_handle, buffer, buf_out);
 #endif
+		default:
+			return NT_STATUS_NOT_SUPPORTED;
 	}
 }
 
@@ -191,14 +247,15 @@
 		return NT_STATUS_OK;
 	}
 
-	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
-		return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
-	} else {
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
-		return common_gss_decrypt_buffer(es->context_handle, buf);
-#else
-		return NT_STATUS_NOT_SUPPORTED;
+	switch (es->smb_enc_type) {
+		case SMB_TRANS_ENC_NTLM:
+			return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+		case SMB_TRANS_ENC_GSS:
+			return common_gss_decrypt_buffer(es->context_handle, buf);
 #endif
+		default:
+			return NT_STATUS_NOT_SUPPORTED;
 	}
 }
 
@@ -219,7 +276,7 @@
 			ntlmssp_end(&es->ntlmssp_state);
 		}
 	}
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
 	if (es->smb_enc_type == SMB_TRANS_ENC_GSS) {
 		/* Free the gss context handle. */
 	}
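Review bot: The `SMB_TRANS_ENC_GSS` branch in this teardown path still contains only `/* Free the gss context handle. */` and no code, and with the guard now spelled `HAVE_GSSAPI` this block is presumably compiled in builds that previously skipped it, so an established security context would be leaked (and its key material kept alive) on every context free. The branch should release it, e.g. `OM_uint32 minor = 0;` followed by `gss_delete_sec_context(&minor, &es->context_handle, GSS_C_NO_BUFFER);`. The same placeholder pattern appears at the `/* gss-api free buffer.... */` comment in the next hunk. The enclosing function starts before this hunk.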
@@ -251,7 +308,7 @@
 		return;
 	}
 
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
 	/* gss-api free buffer.... */
 #endif
 }

Modified: branches/SAMBA_3_0/source/smbd/seal.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/seal.c	2007-03-21 18:33:13 UTC (rev 21916)
+++ branches/SAMBA_3_0/source/smbd/seal.c	2007-03-21 19:15:14 UTC (rev 21917)
@@ -180,8 +180,8 @@
  Until success we do everything on the partial enc ctx.
 ******************************************************************************/
 
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
-static NTSTATUS srv_enc_spnego_gss_negotiate(char **ppdata, size_t *p_data_size, DATA_BLOB secblob)
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob)
 {
 	return NT_STATUS_NOT_SUPPORTED;
 }
@@ -246,8 +246,8 @@
 
 	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
 
-#if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
-	if (got_kerberos_mechanism && lp_use_kerberos_keytab()) ) {
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+	if (got_kerberos_mechanism && lp_use_kerberos_keytab() ) {
 		status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
 	} else 
 #endif


