diff options
author | Jeremy Allison <jra@samba.org> | 2007-12-26 17:12:36 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2007-12-26 17:12:36 -0800 |
commit | afc93255d183eefb68e45b8ec6275f6a62cf9795 (patch) | |
tree | 712efc0cd3c95d30c0e44055b25807c41533bc1f /source3/include | |
parent | 23c965d9472058c566a1b9f8a44964acd5c8a446 (diff) | |
download | samba-afc93255d183eefb68e45b8ec6275f6a62cf9795.tar.gz |
Add SMB encryption. Still fixing client decrypt but
negotiation works.
Jeremy.
(This used to be commit d78045601af787731f0737b8627450018902b104)
Diffstat (limited to 'source3/include')
-rw-r--r-- | source3/include/client.h | 26 | ||||
-rw-r--r-- | source3/include/smb.h | 3 | ||||
-rw-r--r-- | source3/include/smb_macros.h | 16 | ||||
-rw-r--r-- | source3/include/trans2.h | 24 |
4 files changed, 57 insertions, 12 deletions
diff --git a/source3/include/client.h b/source3/include/client.h index 0047b2bf235..f8adf567de9 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -27,7 +27,9 @@ will be a multiple of the page size on almost any system */ #define CLI_BUFFER_SIZE (0xFFFF) #define CLI_SAMBA_MAX_LARGE_READX_SIZE (127*1024) /* Works for Samba servers */ +#define CLI_SAMBA_MAX_LARGE_WRITEX_SIZE (127*1024) /* Works for Samba servers */ #define CLI_WINDOWS_MAX_LARGE_READX_SIZE ((64*1024)-2) /* Windows servers are broken.... */ +#define CLI_WINDOWS_MAX_LARGE_WRITEX_SIZE ((64*1024)-2) /* Windows servers are broken.... */ #define CLI_SAMBA_MAX_POSIX_LARGE_READX_SIZE (0xFFFF00) /* 24-bit len. */ #define CLI_SAMBA_MAX_POSIX_LARGE_WRITEX_SIZE (0xFFFF00) /* 24-bit len. */ @@ -79,6 +81,28 @@ struct rpc_pipe_client { struct dcinfo *dc; }; +/* Transport encryption state. */ +enum smb_trans_enc_type { SMB_TRANS_ENC_NTLM, SMB_TRANS_ENC_GSS }; + +#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5) +struct smb_tran_enc_state_gss { + gss_ctx_id_t gss_ctx; + gss_cred_id_t creds; +}; +#endif + +struct smb_trans_enc_state { + enum smb_trans_enc_type smb_enc_type; + uint16 enc_ctx_num; + bool enc_on; + union { + NTLMSSP_STATE *ntlmssp_state; +#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5) + struct smb_tran_enc_state_gss *gss_state; +#endif + } s; +}; + struct cli_state { int port; int fd; @@ -142,6 +166,8 @@ struct cli_state { smb_sign_info sign_info; + struct smb_trans_enc_state *trans_enc_state; /* Setup if we're encrypting SMB's. */ + /* the session key for this CLI, outside any per-pipe authenticaion */ DATA_BLOB user_session_key; diff --git a/source3/include/smb.h b/source3/include/smb.h index 63ae51ecd4f..2ffd530fb06 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -80,7 +80,8 @@ enum smb_read_errors { SMB_WRITE_ERROR, /* This error code can go into the client smb_rw_error. */ SMB_READ_BAD_SIG, SMB_NO_MEMORY, - SMB_DO_NOT_DO_TDIS /* cli_close_connection() check for this when smbfs wants to keep tree connected */ + SMB_DO_NOT_DO_TDIS, /* cli_close_connection() check for this when smbfs wants to keep tree connected */ + SMB_READ_BAD_DECRYPT }; #define DIR_STRUCT_SIZE 43 diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 0dfb5969948..9bacdce1db7 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -158,11 +158,10 @@ #define SMB_LARGE_LKLEN_OFFSET_HIGH(indx) (12 + (20 * (indx))) #define SMB_LARGE_LKLEN_OFFSET_LOW(indx) (16 + (20 * (indx))) -#define ERROR_DOS(class,code) error_packet(outbuf,class,code,NT_STATUS_OK,__LINE__,__FILE__) -#define ERROR_NT(status) error_packet(outbuf,0,0,status,__LINE__,__FILE__) -#define ERROR_OPEN(status) error_open(outbuf,status,__LINE__,__FILE__) -#define ERROR_FORCE_NT(status) error_packet(outbuf,-1,-1,status,__LINE__,__FILE__) -#define ERROR_BOTH(status,class,code) error_packet(outbuf,class,code,status,__LINE__,__FILE__) +#define ERROR_DOS(class,code) error_packet(inbuf,outbuf,class,code,NT_STATUS_OK,__LINE__,__FILE__) +#define ERROR_NT(status) error_packet(inbuf,outbuf,0,0,status,__LINE__,__FILE__) +#define ERROR_FORCE_NT(status) error_packet(inbuf,outbuf,-1,-1,status,__LINE__,__FILE__) +#define ERROR_BOTH(status,class,code) error_packet(inbuf,outbuf,class,code,status,__LINE__,__FILE__) #define reply_nterror(req,status) reply_nt_error(req,status,__LINE__,__FILE__) #define reply_force_nterror(req,status) reply_force_nt_error(req,status,__LINE__,__FILE__) @@ -170,9 +169,6 @@ #define reply_botherror(req,status,eclass,ecode) reply_both_error(req,eclass,ecode,status,__LINE__,__FILE__) #define reply_unixerror(req,defclass,deferror) reply_unix_error(req,defclass,deferror,NT_STATUS_OK,__LINE__,__FILE__) -/* this is how errors are generated */ -#define UNIXERROR(defclass,deferror) unix_error_packet(outbuf,defclass,deferror,NT_STATUS_OK,__LINE__,__FILE__) - /* these are the datagram types */ #define DGRAM_DIRECT_UNIQUE 0x10 @@ -189,8 +185,8 @@ #define smb_offset(p,buf) (PTR_DIFF(p,buf+4) + chain_size) #define smb_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|((PVAL(buf,1)&1)<<16)) -#define _smb_setlen(buf,len) do { buf[0] = 0; buf[1] = (len&0x10000)>>16; \ - buf[2] = (len&0xFF00)>>8; buf[3] = len&0xFF; } while (0) +#define _smb_setlen(buf,len) do { buf[0] = 0; buf[1] = ((len)&0x10000)>>16; \ + buf[2] = ((len)&0xFF00)>>8; buf[3] = (len)&0xFF; } while (0) #define smb_len_large(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|(PVAL(buf,1)<<16)) #define _smb_setlen_large(buf,len) do { buf[0] = 0; buf[1] = ((len)&0xFF0000)>>16; \ diff --git a/source3/include/trans2.h b/source3/include/trans2.h index f7f3ef21497..8ed075d4181 100644 --- a/source3/include/trans2.h +++ b/source3/include/trans2.h @@ -566,7 +566,6 @@ findfirst/findnext is SMB_FIND_FILE_UNIX_INFO2. __u8 * psid_list may be empty */ - /* ... more as we think of them :-). */ /* SMB POSIX ACL definitions. */ @@ -653,6 +652,29 @@ enum smb_whoami_flags { DOM_SID[] - list of SIDs (may be empty) */ +/* + * The following trans2 is done between client and server + * as a FSINFO call to set up the encryption state for transport + * encryption. + * This is a subcommand of the TRANS2_QFSINFO. + * + * The request looks like : + * + * [data block] -> SPNEGO framed GSSAPI request. + * + * The reply looks like : + * + * [data block] -> SPNEGO framed GSSAPI reply - if error + * is NT_STATUS_OK then we're done, if it's + * NT_STATUS_MORE_PROCESSING_REQUIRED then the + * client needs to keep going. If it's an + * error it can be any NT_STATUS error. + * + */ + +#define SMB_REQUEST_TRANSPORT_ENCRYPTION 0x203 /* QFSINFO */ + + /* The query/set info levels for POSIX ACLs. */ #define SMB_QUERY_POSIX_ACL 0x204 #define SMB_SET_POSIX_ACL 0x204 |