[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Oct 21 02:23:04 MDT 2011
The branch, master has been updated
via 75d146d libcli/smb: move smb_seal.c to the toplevel
via 321204e s3-ntlmssp Remove references to auth_ntlmssp_context from the rpc code
via 38de149 s3-seal Remove struct smb_srv_trans_enc_ctx
via 0fe4192 s3-ntlmssp Remove references to auth_ntlmssp_context from the smb sealing code
via 0a08398 s3-ntlmssp Remove auth_ntlmssp_session_key()
via 3f07988 s3-ntlmssp Remove auth_ntlmssp_want_feature()
via b9b170a s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
via bd29f79 s3-ntlmssp use gensec_{seal,unseal,sign,check}_packet
via 487545d s3-ntlmssp Remove auth_ntlmssp_negotiated_sign() and auth_ntlmssp_negotiated_seal()
via 083025c s3-ntlmssp Remove auth_ntlmssp_update wrapper
via 915fe79 s3-auth remove auth_ntlmssp_session_info()
via 21a434d s3:smbd/seal: pass talloc_tos() auth_ntlmssp_update(), because we free a few lines later
via 07f67d8 s3:libsmb/smb_seal: always use SAFE_FREE(buf) in common_free_enc_buffer()
via 12e2579 s3:libsmb/smb_seal: use plain malloc() in common_ntlm_encrypt_buffer()
via 2a3bf9e s3:libsmb/smb_seal: avoid ads_errstr() dependency and use gssapi_error_string()
via 8df8277 s3:libsmb/smb_seal: make use of common [_]smb_[set]len_nbt() macros
via 6d2aaef s3:include: make smb_setlen() a macro
via e03b312 libcli/smb: add smb_setlen_[nbt|tcp] macros
via 32938ce libcli/smb: move some common defines to smb_constants.h
from 1af128b build: compile (but do not install) netapi examples
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 75d146d3ed4196b0856ea6eb56482a1a67fdf707
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 19 13:47:39 2011 +0200
libcli/smb: move smb_seal.c to the toplevel
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Fri Oct 21 10:22:39 CEST 2011 on sn-devel-104
commit 321204eaeb05107b9a6d5ed464a11cd5018c97c6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 19 18:39:27 2011 +1100
s3-ntlmssp Remove references to auth_ntlmssp_context from the rpc code
We always dereferenced auth_ntlmssp_state->gensec_security, so now we
do not bother passing around the whole auth_ntlmssp_state.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 38de149e9b7e6150d4410bd964548ee22ffe8199
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 19 16:33:04 2011 +1100
s3-seal Remove struct smb_srv_trans_enc_ctx
This structure added no value, particularly after the move to gensec.
It was added at a time when auth_ntlmssp_state was not available in
the client. This changed a while back (the wrapper was extended with
client calls), and the move to gensec again reinforced that we do not
need the extra complexity.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0fe419205444f2c4f33581ea77a732e6d069e318
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 19 15:57:18 2011 +1100
s3-ntlmssp Remove references to auth_ntlmssp_context from the smb sealing code
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0a0839821adb8a4e959e10128e9c103f82e0ff80
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 21:55:24 2011 +1100
s3-ntlmssp Remove auth_ntlmssp_session_key()
We now just call the gensec_session_key() directly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 3f079885b21f22ec4f27cccaa6f59ebce0e56067
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 21:43:40 2011 +1100
s3-ntlmssp Remove auth_ntlmssp_want_feature()
We now just call the gensec_want_feature() directly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit b9b170a9dd640dbde0a707b972fdb0c611e68df5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 20 11:53:40 2011 +0200
s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
This should not make a difference for NTLMSSP as it still calls the
low level ntlmssp_[un]seal_packet() functions with the same input parameters.
If we convert the gss-api/krb5 based code to gensec we have to use
gensec_[un]wrap() as the wire format is different compared to
gensec_[un]seal_packet() there.
Andrew Bartlett
Split from another commit by Stefan Metzmacher <metze at samba.org>
commit bd29f79463009ff7383cb17a3f766fddcdb1f302
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 21:27:39 2011 +1100
s3-ntlmssp use gensec_{seal,unseal,sign,check}_packet
This avoids the indirection via the auth_ntlmsssp wrapper functions.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 487545d48fc0625aab20aa8f46897e2bd622554f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 21:20:01 2011 +1100
s3-ntlmssp Remove auth_ntlmssp_negotiated_sign() and auth_ntlmssp_negotiated_seal()
We now just call the gensec_have_feature() directly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 083025ccd53fe3ee90fcc81eb8d4c566e11fd6ac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 21:13:16 2011 +1100
s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 915fe7981b48537bb000ae5f90e630caacf657e0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 18 20:58:47 2011 +1100
s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 21a434d817895ab228d09fcf0efe83246d97fcca
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 16:40:14 2011 +0200
s3:smbd/seal: pass talloc_tos() auth_ntlmssp_update(), because we free a few lines later
metze
commit 07f67d8612ca547975a153b8291b077e68058a8a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 13:46:05 2011 +0200
s3:libsmb/smb_seal: always use SAFE_FREE(buf) in common_free_enc_buffer()
There's no need to do gss-api specific stuff, the buffer is always
malloc'ed.
metze
commit 12e257999b71e24fdc991adf80753421280cec79
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 13:44:14 2011 +0200
s3:libsmb/smb_seal: use plain malloc() in common_ntlm_encrypt_buffer()
metze
commit 2a3bf9eb2fb2c8138162410d75f60c7b57bcf32a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 13:23:27 2011 +0200
s3:libsmb/smb_seal: avoid ads_errstr() dependency and use gssapi_error_string()
metze
commit 8df8277b0aad2ede775b73bc372cb446b3b28a25
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 09:47:53 2011 +0200
s3:libsmb/smb_seal: make use of common [_]smb_[set]len_nbt() macros
metze
commit 6d2aaef787791fbcea9dcc6bca9e8f10d65dc746
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 09:44:02 2011 +0200
s3:include: make smb_setlen() a macro
metze
commit e03b312b12785dc226c8f63e5d728e158fad38fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 09:42:10 2011 +0200
libcli/smb: add smb_setlen_[nbt|tcp] macros
metze
commit 32938ce60dff821964dbc199c47abe2e7a8fa1ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 20 09:40:01 2011 +0200
libcli/smb: move some common defines to smb_constants.h
metze
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb_common.h | 1 +
libcli/smb/smb_constants.h | 35 ++++
{source3/libsmb => libcli/smb}/smb_seal.c | 205 ++++++++++----------
.../include/smb_crypt.h => libcli/smb/smb_seal.h | 4 +-
libcli/smb/wscript_build | 5 +-
source3/Makefile.in | 3 +-
source3/auth/auth_ntlmssp.c | 11 -
source3/auth/proto.h | 3 -
source3/include/ntlmssp_wrap.h | 36 ----
source3/include/proto.h | 1 -
source3/include/smb.h | 27 ---
source3/include/smb_macros.h | 1 +
source3/lib/util.c | 14 --
source3/librpc/crypto/cli_spnego.c | 85 +++++----
source3/librpc/crypto/spnego.h | 2 +-
source3/librpc/rpc/dcerpc_helpers.c | 79 ++++----
source3/libsmb/async_smb.c | 2 +-
source3/libsmb/clientgen.c | 2 +-
source3/libsmb/clifsinfo.c | 29 ++-
source3/libsmb/ntlmssp_wrap.c | 87 ---------
source3/rpc_client/cli_pipe.c | 17 +-
source3/rpc_server/dcesrv_ntlmssp.c | 29 ++--
source3/rpc_server/dcesrv_ntlmssp.h | 10 +-
source3/rpc_server/dcesrv_spnego.c | 8 +-
source3/rpc_server/srv_pipe.c | 42 ++--
source3/smbd/globals.c | 4 +-
source3/smbd/globals.h | 5 +-
source3/smbd/negprot.c | 4 +-
source3/smbd/seal.c | 171 +++++++----------
source3/smbd/sesssetup.c | 25 ++--
source3/smbd/smb2_sesssetup.c | 41 ++--
source3/wscript_build | 2 +-
source4/libcli/raw/smb.h | 28 ---
33 files changed, 412 insertions(+), 606 deletions(-)
rename {source3/libsmb => libcli/smb}/smb_seal.c (71%)
rename source3/include/smb_crypt.h => libcli/smb/smb_seal.h (94%)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb_common.h b/libcli/smb/smb_common.h
index 1f21e55..228e451 100644
--- a/libcli/smb/smb_common.h
+++ b/libcli/smb/smb_common.h
@@ -28,5 +28,6 @@
#include "libcli/smb/smb_constants.h"
#include "libcli/smb/smb_util.h"
#include "libcli/smb/smb_unix_ext.h"
+#include "libcli/smb/smb_seal.h"
#endif
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 91330dd..3bedf25 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -32,11 +32,46 @@
#define NBSSretarget 0x84 /* retarget session response */
#define NBSSkeepalive 0x85 /* keepalive */
+#define SMB_MAGIC 0x424D53FF /* 0xFF 'S' 'M' 'B' */
+
+/* the basic packet size, assuming no words or bytes. Does not include the NBT header */
+#define MIN_SMB_SIZE 35
+
+/* when using NBT encapsulation every packet has a 4 byte header */
+#define NBT_HDR_SIZE 4
+
+/* offsets into message header for common items - NOTE: These have
+ changed from being offsets from the base of the NBT packet to the base of the SMB packet.
+ this has reduced all these values by 4
+*/
+#define HDR_COM 4
+#define HDR_RCLS 5
+#define HDR_REH 6
+#define HDR_ERR 7
+#define HDR_FLG 9
+#define HDR_FLG2 10
+#define HDR_PIDHIGH 12
+#define HDR_SS_FIELD 14
+#define HDR_TID 24
+#define HDR_PID 26
+#define HDR_UID 28
+#define HDR_MID 30
+#define HDR_WCT 32
+#define HDR_VWV 33
+
#define smb_len_nbt(buf) (RIVAL(buf, 0) & 0x1FFFF)
#define _smb_setlen_nbt(buf,len) RSIVAL(buf, 0, (len) & 0x1FFFF)
+#define smb_setlen_nbt(buf, len) do { \
+ _smb_setlen_nbt(buf, len); \
+ SIVAL(buf, 4, SMB_MAGIC); \
+} while (0)
#define smb_len_tcp(buf) (RIVAL(buf, 0) & 0xFFFFFF)
#define _smb_setlen_tcp(buf,len) RSIVAL(buf, 0, (len) & 0xFFFFFF)
+#define smb_setlen_tcp(buf, len) do { \
+ _smb_setlen_tcp(buf, len); \
+ SIVAL(buf, 4, SMB_MAGIC); \
+} while (0)
/* protocol types. It assumes that higher protocols include lower protocols
as subsets. */
diff --git a/source3/libsmb/smb_seal.c b/libcli/smb/smb_seal.c
similarity index 71%
rename from source3/libsmb/smb_seal.c
rename to libcli/smb/smb_seal.c
index 4afd617..bf9576f 100644
--- a/source3/libsmb/smb_seal.c
+++ b/libcli/smb/smb_seal.c
@@ -1,28 +1,28 @@
-/*
+/*
Unix SMB/CIFS implementation.
SMB Transport encryption (sealing) code.
Copyright (C) Jeremy Allison 2007.
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "../auth/ntlmssp/ntlmssp.h"
-#include "smb_crypt.h"
-#include "libsmb/libsmb.h"
-#include "ntlmssp_wrap.h"
+#include "smb_common.h"
+#include "libcli/auth/krb5_wrap.h"
+#include "auth/gensec/gensec.h"
+#undef malloc
/******************************************************************************
Pull out the encryption context for this packet. 0 means global context.
@@ -30,7 +30,7 @@
NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16_t *p_enc_ctx_num)
{
- if (smb_len(buf) < 8) {
+ if (smb_len_nbt(buf) < 8) {
return NT_STATUS_INVALID_BUFFER_SIZE;
}
@@ -53,7 +53,7 @@ NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16_t *p_enc_ctx_num)
static void smb_set_enclen(char *buf,int len,uint16_t enc_ctx_num)
{
- _smb_setlen(buf,len);
+ _smb_setlen_nbt(buf,len);
SCVAL(buf,4,0xFF);
SCVAL(buf,5,'E');
@@ -72,109 +72,95 @@ bool common_encryption_on(struct smb_trans_enc_state *es)
/******************************************************************************
Generic code for client and server.
- NTLM decrypt an incoming buffer.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so cope with the same for compatibility.
+ GENSEC decrypt an incoming buffer.
******************************************************************************/
-static NTSTATUS common_ntlm_decrypt_buffer(struct auth_ntlmssp_state *auth_ntlmssp_state, char *buf)
+static NTSTATUS common_gensec_decrypt_buffer(struct gensec_security *gensec,
+ char *buf)
{
NTSTATUS status;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
- size_t data_len;
- char *inbuf;
- DATA_BLOB sig;
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
+ DATA_BLOB in_buf, out_buf;
+ TALLOC_CTX *frame;
- if (buf_len < 8 + NTLMSSP_SIG_SIZE) {
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- inbuf = (char *)smb_xmemdup(buf, buf_len);
-
- /* Adjust for the signature. */
- data_len = buf_len - 8 - NTLMSSP_SIG_SIZE;
+ frame = talloc_stackframe();
- /* Point at the signature. */
- sig = data_blob_const(inbuf+8, NTLMSSP_SIG_SIZE);
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
- status = auth_ntlmssp_unseal_packet(auth_ntlmssp_state,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'E' <enc> <ctx> */
- data_len,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ status = gensec_unwrap(gensec, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- SAFE_FREE(inbuf);
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- memcpy(buf + 8, inbuf + 8 + NTLMSSP_SIG_SIZE, data_len);
+ if (out_buf.length > in_buf.length) {
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap size (%u) too large (%u) !\n",
+ (unsigned int)out_buf.length,
+ (unsigned int)in_buf.length ));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ memcpy(buf + 8, out_buf.data, out_buf.length);
/* Reset the length and overwrite the header. */
- smb_setlen(buf,data_len + 4);
+ smb_setlen_nbt(buf, out_buf.length + 4);
+
+ TALLOC_FREE(frame);
- SAFE_FREE(inbuf);
return NT_STATUS_OK;
}
/******************************************************************************
Generic code for client and server.
NTLM encrypt an outgoing buffer. Return the encrypted pointer in ppbuf_out.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so do the same for compatibility.
******************************************************************************/
-static NTSTATUS common_ntlm_encrypt_buffer(struct auth_ntlmssp_state *auth_ntlmssp_state,
- uint16_t enc_ctx_num,
- char *buf,
- char **ppbuf_out)
+static NTSTATUS common_gensec_encrypt_buffer(struct gensec_security *gensec,
+ uint16_t enc_ctx_num,
+ char *buf,
+ char **ppbuf_out)
{
NTSTATUS status;
- char *buf_out;
- size_t data_len = smb_len(buf) - 4; /* Ignore the 0xFF SMB bytes. */
- DATA_BLOB sig;
+ DATA_BLOB in_buf, out_buf;
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
TALLOC_CTX *frame;
+
*ppbuf_out = NULL;
- if (data_len == 0) {
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
frame = talloc_stackframe();
- /*
- * We know smb_len can't return a value > 128k, so no int overflow
- * check needed.
- */
-
- buf_out = SMB_XMALLOC_ARRAY(char, 8 + NTLMSSP_SIG_SIZE + data_len);
-
- /* Copy the data from the original buffer. */
-
- memcpy(buf_out + 8 + NTLMSSP_SIG_SIZE, buf + 8, data_len);
-
- smb_set_enclen(buf_out, smb_len(buf) + NTLMSSP_SIG_SIZE, enc_ctx_num);
-
- ZERO_STRUCT(sig);
-
- status = auth_ntlmssp_seal_packet(auth_ntlmssp_state,
- frame,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'S' <enc> <ctx> */
- data_len,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ status = gensec_wrap(gensec, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(frame);
- SAFE_FREE(buf_out);
+ DEBUG(0,("common_gensec_encrypt_buffer: gensec_wrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- /* First 16 data bytes are signature for SSPI compatibility. */
- memcpy(buf_out + 8, sig.data, NTLMSSP_SIG_SIZE);
- talloc_free(frame);
- *ppbuf_out = buf_out;
+ *ppbuf_out = (char *)malloc(out_buf.length + 8); /* We know this can't wrap. */
+ if (!*ppbuf_out) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ memcpy(*ppbuf_out+8, out_buf.data, out_buf.length);
+ smb_set_enclen(*ppbuf_out, out_buf.length + 4, enc_ctx_num);
+
+ TALLOC_FREE(frame);
+
return NT_STATUS_OK;
}
@@ -192,7 +178,7 @@ static NTSTATUS common_gss_decrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
OM_uint32 minor = 0;
int flags_got = 0;
gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
@@ -206,17 +192,26 @@ static NTSTATUS common_gss_decrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
&in_buf,
&out_buf,
&flags_got, /* did we get sign+seal ? */
- (gss_qop_t *) NULL);
+ (gss_qop_t *) NULL);
if (ret != GSS_S_COMPLETE) {
- ADS_STATUS adss = ADS_ERROR_GSS(ret, minor);
- DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap failed. Error %s\n",
- ads_errstr(adss) ));
- return map_nt_error_from_gss(ret, minor);
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ char *gss_err;
+
+ gss_err = gssapi_error_string(talloc_tos(),
+ ret, minor,
+ GSS_C_NULL_OID);
+ DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap failed. "
+ "Error [%d/%d] - %s - %s\n",
+ ret, minor, nt_errstr(status),
+ gss_err ? gss_err : "<unknown>"));
+ talloc_free(gss_err);
+
+ return status;
}
if (out_buf.length > in_buf.length) {
- DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap size (%u) too large (%u) !\n",
+ DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap size (%u) too large (%u) !\n",
(unsigned int)out_buf.length,
(unsigned int)in_buf.length ));
gss_release_buffer(&minor, &out_buf);
@@ -225,7 +220,7 @@ static NTSTATUS common_gss_decrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
memcpy(buf + 8, out_buf.value, out_buf.length);
/* Reset the length and overwrite the header. */
- smb_setlen(buf, out_buf.length + 4);
+ smb_setlen_nbt(buf, out_buf.length + 4);
gss_release_buffer(&minor, &out_buf);
return NT_STATUS_OK;
@@ -238,7 +233,7 @@ static NTSTATUS common_gss_decrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_state,
uint16_t enc_ctx_num,
- char *buf,
+ char *buf,
char **ppbuf_out)
{
gss_ctx_id_t gss_ctx = gss_state->gss_ctx;
@@ -246,7 +241,7 @@ static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
OM_uint32 minor = 0;
int flags_got = 0;
gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
*ppbuf_out = NULL;
@@ -266,10 +261,19 @@ static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
&out_buf);
if (ret != GSS_S_COMPLETE) {
- ADS_STATUS adss = ADS_ERROR_GSS(ret, minor);
- DEBUG(0,("common_gss_encrypt_buffer: gss_wrap failed. Error %s\n",
- ads_errstr(adss) ));
- return map_nt_error_from_gss(ret, minor);
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ char *gss_err;
+
+ gss_err = gssapi_error_string(talloc_tos(),
+ ret, minor,
+ GSS_C_NULL_OID);
+ DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap failed. "
+ "Error [%d/%d] - %s - %s\n",
+ ret, minor, nt_errstr(status),
+ gss_err ? gss_err : "<unknown>"));
+ talloc_free(gss_err);
+
+ return status;
}
if (!flags_got) {
@@ -278,7 +282,7 @@ static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
return NT_STATUS_NOT_SUPPORTED;
}
- /* Ya see - this is why I *hate* gss-api. I don't
+ /* Ya see - this is why I *hate* gss-api. I don't
* want to have to malloc another buffer of the
* same size + 8 bytes just to get a continuous
* header + buffer, but gss won't let me pass in
@@ -290,7 +294,7 @@ static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_sta
* bother :-*(. JRA.
*/
- *ppbuf_out = (char *)SMB_MALLOC(out_buf.length + 8); /* We know this can't wrap. */
+ *ppbuf_out = (char *)malloc(out_buf.length + 8); /* We know this can't wrap. */
if (!*ppbuf_out) {
gss_release_buffer(&minor, &out_buf);
return NT_STATUS_NO_MEMORY;
@@ -319,7 +323,7 @@ NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, cha
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_encrypt_buffer(es->s.auth_ntlmssp_state, es->enc_ctx_num, buffer, buf_out);
+ return common_gensec_encrypt_buffer(es->s.gensec_security, es->enc_ctx_num, buffer, buf_out);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_encrypt_buffer(es->s.gss_state, es->enc_ctx_num, buffer, buf_out);
@@ -344,7 +348,7 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf)
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_decrypt_buffer(es->s.auth_ntlmssp_state, buf);
+ return common_gensec_decrypt_buffer(es->s.gensec_security, buf);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_decrypt_buffer(es->s.gss_state, buf);
@@ -387,8 +391,8 @@ void common_free_encryption_state(struct smb_trans_enc_state **pp_es)
}
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- if (es->s.auth_ntlmssp_state) {
- TALLOC_FREE(es->s.auth_ntlmssp_state);
+ if (es->s.gensec_security) {
+ TALLOC_FREE(es->s.gensec_security);
}
}
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
@@ -420,18 +424,5 @@ void common_free_enc_buffer(struct smb_trans_enc_state *es, char *buf)
return;
}
- if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- SAFE_FREE(buf);
- return;
- }
-
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- if (es->smb_enc_type == SMB_TRANS_ENC_GSS) {
- OM_uint32 min;
- gss_buffer_desc rel_buf;
- rel_buf.value = buf;
- rel_buf.length = smb_len(buf) + 4;
- gss_release_buffer(&min, &rel_buf);
- }
-#endif
+ SAFE_FREE(buf);
}
diff --git a/source3/include/smb_crypt.h b/libcli/smb/smb_seal.h
similarity index 94%
rename from source3/include/smb_crypt.h
rename to libcli/smb/smb_seal.h
index e4070b5..fcee205 100644
--- a/source3/include/smb_crypt.h
+++ b/libcli/smb/smb_seal.h
@@ -52,14 +52,14 @@ struct smb_trans_enc_state {
uint16_t enc_ctx_num;
bool enc_on;
union {
- struct auth_ntlmssp_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
struct smb_tran_enc_state_gss *gss_state;
#endif
} s;
};
-/* The following definitions come from libsmb/smb_seal.c */
+/* The following definitions come from smb_seal.c */
NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16_t *p_enc_ctx_num);
bool common_encryption_on(struct smb_trans_enc_state *es);
diff --git a/libcli/smb/wscript_build b/libcli/smb/wscript_build
index 8043c80..6334958 100644
--- a/libcli/smb/wscript_build
+++ b/libcli/smb/wscript_build
@@ -2,12 +2,13 @@
bld.SAMBA_LIBRARY('cli_smb_common',
- source='smb2_create_blob.c smb2_signing.c util.c',
+ source='smb_seal.c smb2_create_blob.c smb2_signing.c util.c',
autoproto='smb_common_proto.h',
- deps='LIBCRYPTO',
+ deps='LIBCRYPTO errors gssapi gensec KRB5_WRAP',
public_deps='talloc samba-util',
private_library=True,
public_headers='''smb_common.h smb2_constants.h smb_constants.h
+ smb_seal.h
smb2_create_blob.h smb2_signing.h smb_util.h smb_unix_ext.h
''',
)
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 6bf03d3..62aff34 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -602,8 +602,9 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
libsmb/clitrans.o libsmb/clisecdesc.o libsmb/clidgram.o \
libsmb/clistr.o libsmb/cliquota.o libsmb/clifsinfo.o libsmb/clidfs.o \
libsmb/clioplock.o libsmb/clirap2.o \
- libsmb/smb_seal.o libsmb/async_smb.o \
+ libsmb/async_smb.o \
libsmb/read_smb.o libsmb/clisigning.o \
+ ../libcli/smb/smb_seal.o \
libsmb/smb2cli_base.o \
--
Samba Shared Repository
More information about the samba-cvs
mailing list