authorJeremy Allison <jra@samba.org>2007-12-26 17:12:36 -0800
committerJeremy Allison <jra@samba.org>2007-12-26 17:12:36 -0800
commitafc93255d183eefb68e45b8ec6275f6a62cf9795 (patch)
tree712efc0cd3c95d30c0e44055b25807c41533bc1f /source3/include
parent23c965d9472058c566a1b9f8a44964acd5c8a446 (diff)
downloadsamba-afc93255d183eefb68e45b8ec6275f6a62cf9795.tar.gz
Add SMB encryption. Still fixing client decrypt but
negotiation works. Jeremy. (This used to be commit d78045601af787731f0737b8627450018902b104)
Diffstat (limited to 'source3/include')
-rw-r--r--source3/include/client.h26
-rw-r--r--source3/include/smb.h3
-rw-r--r--source3/include/smb_macros.h16
-rw-r--r--source3/include/trans2.h24
4 files changed, 57 insertions, 12 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index 0047b2bf235..f8adf567de9 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -27,7 +27,9 @@
will be a multiple of the page size on almost any system */
#define CLI_BUFFER_SIZE (0xFFFF)
#define CLI_SAMBA_MAX_LARGE_READX_SIZE (127*1024) /* Works for Samba servers */
+#define CLI_SAMBA_MAX_LARGE_WRITEX_SIZE (127*1024) /* Works for Samba servers */
#define CLI_WINDOWS_MAX_LARGE_READX_SIZE ((64*1024)-2) /* Windows servers are broken.... */
+#define CLI_WINDOWS_MAX_LARGE_WRITEX_SIZE ((64*1024)-2) /* Windows servers are broken.... */
#define CLI_SAMBA_MAX_POSIX_LARGE_READX_SIZE (0xFFFF00) /* 24-bit len. */
#define CLI_SAMBA_MAX_POSIX_LARGE_WRITEX_SIZE (0xFFFF00) /* 24-bit len. */
@@ -79,6 +81,28 @@ struct rpc_pipe_client {
struct dcinfo *dc;
};
+/* Transport encryption state. */
+enum smb_trans_enc_type { SMB_TRANS_ENC_NTLM, SMB_TRANS_ENC_GSS };
+
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+struct smb_tran_enc_state_gss {
+ gss_ctx_id_t gss_ctx;
+ gss_cred_id_t creds;
+};
+#endif
+
+struct smb_trans_enc_state {
+ enum smb_trans_enc_type smb_enc_type;
+ uint16 enc_ctx_num;
+ bool enc_on;
+ union {
+ NTLMSSP_STATE *ntlmssp_state;
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+ struct smb_tran_enc_state_gss *gss_state;
+#endif
+ } s;
+};
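Review bot: `SMB_TRANS_ENC_GSS` is declared unconditionally on the `enum smb_trans_enc_type` line, while the `gss_state` union member it selects exists only under `HAVE_GSSAPI && HAVE_KRB5`, so any code that dispatches on `smb_enc_type` in a non-Kerberos build must reject `SMB_TRANS_ENC_GSS` rather than read `s.gss_state`. Either guard the enumerator with the same `#if`, or state the rule on the struct: `/* SMB_TRANS_ENC_GSS is only valid when built with HAVE_GSSAPI && HAVE_KRB5; treat it as an error otherwise. */`. The struct also holds live key material (`ntlmssp_state`, `gss_ctx`, `creds`) and nothing says who releases it; a comment noting that whoever frees the state must also tear down the NTLMSSP state or delete the GSS context and release the creds would prevent leaks of that material. `enc_ctx_num` and `enc_on` carry no explanation of what they encode or when `enc_on` flips. The `struct rpc_pipe_client` and `struct cli_state` definitions around this hunk start and end outside it.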
+
struct cli_state {
int port;
int fd;
@@ -142,6 +166,8 @@ struct cli_state {
smb_sign_info sign_info;
+ struct smb_trans_enc_state *trans_enc_state; /* Setup if we're encrypting SMB's. */
+
/* the session key for this CLI, outside
any per-pipe authenticaion */
DATA_BLOB user_session_key;
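Review bot: The comment on the new `trans_enc_state` member (`/* Setup if we're encrypting SMB's. */`) does not say what the pointer holds when encryption is off or who owns the allocation, which is what a reader of `cli_state` needs before testing it; presumably it is NULL until transport encryption has been negotiated, which is worth confirming and stating, e.g. `/* NULL unless transport encryption was negotiated; owned by this cli_state and released with it. */`. It would also help to note how this relates to the adjacent `sign_info`, since a connection with both signing and encryption state set needs a defined precedence that this hunk does not show. `struct cli_state` starts and ends outside this hunk.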
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 63ae51ecd4f..2ffd530fb06 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -80,7 +80,8 @@ enum smb_read_errors {
SMB_WRITE_ERROR, /* This error code can go into the client smb_rw_error. */
SMB_READ_BAD_SIG,
SMB_NO_MEMORY,
- SMB_DO_NOT_DO_TDIS /* cli_close_connection() check for this when smbfs wants to keep tree connected */
+ SMB_DO_NOT_DO_TDIS, /* cli_close_connection() check for this when smbfs wants to keep tree connected */
+ SMB_READ_BAD_DECRYPT
};
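Review bot: `SMB_READ_BAD_DECRYPT` is added without a comment, unlike its neighbours, and nothing records how it should be handled; a failed decrypt means either a key mismatch or tampered ciphertext, so callers should treat it as fatal for the connection in the same way as `SMB_READ_BAD_SIG`, not as a retryable read error. Suggest `SMB_READ_BAD_DECRYPT /* Transport decryption failed - treat as fatal, like SMB_READ_BAD_SIG. */`. Whether the read path actually does this is outside this hunk.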
#define DIR_STRUCT_SIZE 43
diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
index 0dfb5969948..9bacdce1db7 100644
--- a/source3/include/smb_macros.h
+++ b/source3/include/smb_macros.h
@@ -158,11 +158,10 @@
#define SMB_LARGE_LKLEN_OFFSET_HIGH(indx) (12 + (20 * (indx)))
#define SMB_LARGE_LKLEN_OFFSET_LOW(indx) (16 + (20 * (indx)))
-#define ERROR_DOS(class,code) error_packet(outbuf,class,code,NT_STATUS_OK,__LINE__,__FILE__)
-#define ERROR_NT(status) error_packet(outbuf,0,0,status,__LINE__,__FILE__)
-#define ERROR_OPEN(status) error_open(outbuf,status,__LINE__,__FILE__)
-#define ERROR_FORCE_NT(status) error_packet(outbuf,-1,-1,status,__LINE__,__FILE__)
-#define ERROR_BOTH(status,class,code) error_packet(outbuf,class,code,status,__LINE__,__FILE__)
+#define ERROR_DOS(class,code) error_packet(inbuf,outbuf,class,code,NT_STATUS_OK,__LINE__,__FILE__)
+#define ERROR_NT(status) error_packet(inbuf,outbuf,0,0,status,__LINE__,__FILE__)
+#define ERROR_FORCE_NT(status) error_packet(inbuf,outbuf,-1,-1,status,__LINE__,__FILE__)
+#define ERROR_BOTH(status,class,code) error_packet(inbuf,outbuf,class,code,status,__LINE__,__FILE__)
#define reply_nterror(req,status) reply_nt_error(req,status,__LINE__,__FILE__)
#define reply_force_nterror(req,status) reply_force_nt_error(req,status,__LINE__,__FILE__)
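Review bot: The rewritten `ERROR_DOS`/`ERROR_NT`/`ERROR_FORCE_NT`/`ERROR_BOTH` macros now silently require both `inbuf` and `outbuf` to be in scope at the expansion site, an implicit contract that surfaces only as an unrelated-looking compile error; a comment above the group such as `/* These expect local variables inbuf and outbuf; inbuf is passed so the reply can be built to match the request. */` would make it explicit, with the second clause hedged since the reason for the new parameter is not visible in this header. `ERROR_OPEN` is dropped while the other four are kept, so any remaining caller will fail to build; this is presumably matched by changes outside `source3/include`. The `reply_*` macros immediately below take a `req` rather than raw buffers, so documenting the two conventions side by side would avoid mixing them.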
@@ -170,9 +169,6 @@
#define reply_botherror(req,status,eclass,ecode) reply_both_error(req,eclass,ecode,status,__LINE__,__FILE__)
#define reply_unixerror(req,defclass,deferror) reply_unix_error(req,defclass,deferror,NT_STATUS_OK,__LINE__,__FILE__)
-/* this is how errors are generated */
-#define UNIXERROR(defclass,deferror) unix_error_packet(outbuf,defclass,deferror,NT_STATUS_OK,__LINE__,__FILE__)
-
/* these are the datagram types */
#define DGRAM_DIRECT_UNIQUE 0x10
@@ -189,8 +185,8 @@
#define smb_offset(p,buf) (PTR_DIFF(p,buf+4) + chain_size)
#define smb_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|((PVAL(buf,1)&1)<<16))
-#define _smb_setlen(buf,len) do { buf[0] = 0; buf[1] = (len&0x10000)>>16; \
- buf[2] = (len&0xFF00)>>8; buf[3] = len&0xFF; } while (0)
+#define _smb_setlen(buf,len) do { buf[0] = 0; buf[1] = ((len)&0x10000)>>16; \
+ buf[2] = ((len)&0xFF00)>>8; buf[3] = (len)&0xFF; } while (0)
#define smb_len_large(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|(PVAL(buf,1)<<16))
#define _smb_setlen_large(buf,len) do { buf[0] = 0; buf[1] = ((len)&0xFF0000)>>16; \
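Review bot: Parenthesising `len` in `_smb_setlen` fixes precedence surprises for expression arguments, but the macro still silently drops any bits of `len` above bit 16 (only `(len)&0x10000` and the low 16 bits are stored), so a caller passing a length above 0x1FFFF gets a truncated, self-inconsistent header with no diagnostic. Since `smb_len` reads back only those 17 bits, the bound must be checked by the caller or in the macro; at minimum a comment `/* Encodes a 17-bit length; caller must ensure len <= 0x1FFFF (use _smb_setlen_large otherwise). */` states the contract. `buf` is still unparenthesised and evaluated several times, so `_smb_setlen(p + 4, n)` misparses; writing `(buf)[0]`, `(buf)[1]` etc. is cheap. Whether any caller can reach this with an unbounded length is not visible in this hunk.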
diff --git a/source3/include/trans2.h b/source3/include/trans2.h
index f7f3ef21497..8ed075d4181 100644
--- a/source3/include/trans2.h
+++ b/source3/include/trans2.h
@@ -566,7 +566,6 @@ findfirst/findnext is SMB_FIND_FILE_UNIX_INFO2.
__u8 * psid_list may be empty
*/
-
/* ... more as we think of them :-). */
/* SMB POSIX ACL definitions. */
@@ -653,6 +652,29 @@ enum smb_whoami_flags {
DOM_SID[] - list of SIDs (may be empty)
*/
+/*
+ * The following trans2 is done between client and server
+ * as a FSINFO call to set up the encryption state for transport
+ * encryption.
+ * This is a subcommand of the TRANS2_QFSINFO.
+ *
+ * The request looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI request.
+ *
+ * The reply looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI reply - if error
+ * is NT_STATUS_OK then we're done, if it's
+ * NT_STATUS_MORE_PROCESSING_REQUIRED then the
+ * client needs to keep going. If it's an
+ * error it can be any NT_STATUS error.
+ *
+ */
+
+#define SMB_REQUEST_TRANSPORT_ENCRYPTION 0x203 /* QFSINFO */
+
+
/* The query/set info levels for POSIX ACLs. */
#define SMB_QUERY_POSIX_ACL 0x204
#define SMB_SET_POSIX_ACL 0x204
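Review bot: The block comment above `SMB_REQUEST_TRANSPORT_ENCRYPTION` describes only a "SPNEGO framed GSSAPI" exchange, yet `smb_trans_enc_type` in this same commit has both `SMB_TRANS_ENC_NTLM` and `SMB_TRANS_ENC_GSS`, so the comment should say whether the NTLMSSP variant is carried inside the SPNEGO framing or is a distinct data-block format. It also does not say what happens after `NT_STATUS_OK`: a reader needs to know that every subsequent SMB on the connection is expected to be encrypted, and that an error (or a peer that does not recognise info level 0x203) must not leave a caller who required encryption talking in the clear; this downgrade case is the security-relevant one and deserves a sentence, e.g. `Callers that require encryption must fail the connection on any final status other than NT_STATUS_OK.`. A note that 0x203 is a Samba-private QFSINFO level next to the POSIX ACL levels (0x204), so a non-Samba server may reject it as unknown, would complete the picture. The surrounding definitions run past this hunk.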