summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-12-27 23:51:03 -0800
committerJeremy Allison <jra@samba.org>2007-12-27 23:51:03 -0800
commitafce2b245a8ff137a4ecea547c3cfb65ab58dc15 (patch)
tree56c8f1258e0f042977b2f0defef53f96b9f6bfe8
parent33f01360e0a40f6d1fa03035979d816ff9198d85 (diff)
downloadsamba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.tar.gz
samba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.tar.bz2
samba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.zip
Add the capability to set "smb encrypt = required"
on a share (or global) and have the server reply with ACCESS_DENIED for all non-encrypted traffic (except that used to query encryption requirements and set encryption state). Jeremy. (This used to be commit d241bfa57729bb934ada6beabf842a2ca7b4f8a2)
-rw-r--r--source3/client/client.c17
-rw-r--r--source3/include/smb.h1
-rw-r--r--source3/smbd/process.c10
-rw-r--r--source3/smbd/service.c2
-rw-r--r--source3/smbd/trans2.c33
5 files changed, 60 insertions, 3 deletions
diff --git a/source3/client/client.c b/source3/client/client.c
index 665a051190..53669bc8d0 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2466,17 +2466,30 @@ static int cmd_posix(void)
return 1;
}
}
+ if (caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP) {
+ caps = talloc_asprintf_append(caps, "posix_encrypt ");
+ if (!caps) {
+ return 1;
+ }
+ }
+ if (caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP) {
+ caps = talloc_asprintf_append(caps, "mandatory_posix_encrypt ");
+ if (!caps) {
+ return 1;
+ }
+ }
if (*caps && caps[strlen(caps)-1] == ' ') {
caps[strlen(caps)-1] = '\0';
}
+
+ d_printf("Server supports CIFS capabilities %s\n", caps);
+
if (!cli_set_unix_extensions_capabilities(cli, major, minor, caplow, caphigh)) {
d_printf("Can't set UNIX CIFS extensions capabilities. %s.\n", cli_errstr(cli));
return 1;
}
- d_printf("Selecting server supported CIFS capabilities %s\n", caps);
-
if (caplow & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
CLI_DIRSEP_CHAR = '/';
*CLI_DIRSEP_STR = '/';
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 2ffd530fb0..aca0009688 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -658,6 +658,7 @@ typedef struct connection_struct {
bool used;
int num_files_open;
unsigned int num_smb_operations; /* Count of smb operations on this tree. */
+ int encrypt_level;
/* Semantics requested by the client or forced by the server config. */
bool case_sensitive;
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 1260d52c77..48a6d18bc9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1457,6 +1457,16 @@ static void switch_message(uint8 type, struct smb_request *req, int size)
reply_doserror(req, ERRSRV, ERRaccess);
return;
}
+
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ /* An encrypted packet has 0xFF 'E' at offset 4
+ * which is little endian 0x45FF */
+ uint8 com = CVAL(req->inbuf,smb_com);
+ if (com != SMBtrans2 && com != SMBtranss2) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
conn->num_smb_operations++;
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 8e69a3b381..65fc818144 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -795,6 +795,8 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
conn->case_preserve = lp_preservecase(snum);
conn->short_case_preserve = lp_shortpreservecase(snum);
+ conn->encrypt_level = lp_smb_encrypt(snum);
+
conn->veto_list = NULL;
conn->hide_list = NULL;
conn->veto_oplock_list = NULL;
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index ee4787199e..7625eaed7d 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2430,6 +2430,16 @@ static void call_trans2qfsinfo(connection_struct *conn,
info_level = SVAL(params,0);
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (info_level != SMB_QUERY_CIFS_UNIX_INFO) {
+ DEBUG(0,("call_trans2qfsinfo: encryption required "
+ "and info level 0x%x sent.\n",
+ (unsigned int)info_level));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level));
if(SMB_VFS_STAT(conn,".",&st)!=0) {
@@ -2736,7 +2746,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
return;
}
- switch (lp_smb_encrypt(SNUM(conn))) {
+ switch (conn->encrypt_level) {
case 0:
encrypt_caps = 0;
break;
@@ -2968,6 +2978,16 @@ static void call_trans2setfsinfo(connection_struct *conn,
info_level = SVAL(params,2);
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (info_level != SMB_REQUEST_TRANSPORT_ENCRYPTION) {
+ DEBUG(0,("call_trans2setfsinfo: encryption required "
+ "and info level 0x%x sent.\n",
+ (unsigned int)info_level));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
switch(info_level) {
case SMB_SET_CIFS_UNIX_INFO:
{
@@ -7060,6 +7080,17 @@ static void handle_trans2(connection_struct *conn, struct smb_request *req,
SSVAL(req->inbuf,smb_flg2,req->flags2);
}
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (state->call != TRANSACT2_QFSINFO &&
+ state->call != TRANSACT2_SETFSINFO) {
+ DEBUG(0,("handle_trans2: encryption required "
+ "with call 0x%x\n",
+ (unsigned int)state->call));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
/* Now we must call the relevant TRANS2 function */
switch(state->call) {
case TRANSACT2_OPEN: