diff options
author | Jeremy Allison <jra@samba.org> | 2007-12-27 23:51:03 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2007-12-27 23:51:03 -0800 |
commit | afce2b245a8ff137a4ecea547c3cfb65ab58dc15 (patch) | |
tree | 56c8f1258e0f042977b2f0defef53f96b9f6bfe8 | |
parent | 33f01360e0a40f6d1fa03035979d816ff9198d85 (diff) | |
download | samba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.tar.gz samba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.tar.bz2 samba-afce2b245a8ff137a4ecea547c3cfb65ab58dc15.zip |
Add the capability to set "smb encrypt = required"
on a share (or global) and have the server reply with
ACCESS_DENIED for all non-encrypted traffic (except
that used to query encryption requirements and set
encryption state).
Jeremy.
(This used to be commit d241bfa57729bb934ada6beabf842a2ca7b4f8a2)
-rw-r--r-- | source3/client/client.c | 17 | ||||
-rw-r--r-- | source3/include/smb.h | 1 | ||||
-rw-r--r-- | source3/smbd/process.c | 10 | ||||
-rw-r--r-- | source3/smbd/service.c | 2 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 33 |
5 files changed, 60 insertions, 3 deletions
diff --git a/source3/client/client.c b/source3/client/client.c index 665a051190..53669bc8d0 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -2466,17 +2466,30 @@ static int cmd_posix(void) return 1; } } + if (caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP) { + caps = talloc_asprintf_append(caps, "posix_encrypt "); + if (!caps) { + return 1; + } + } + if (caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP) { + caps = talloc_asprintf_append(caps, "mandatory_posix_encrypt "); + if (!caps) { + return 1; + } + } if (*caps && caps[strlen(caps)-1] == ' ') { caps[strlen(caps)-1] = '\0'; } + + d_printf("Server supports CIFS capabilities %s\n", caps); + if (!cli_set_unix_extensions_capabilities(cli, major, minor, caplow, caphigh)) { d_printf("Can't set UNIX CIFS extensions capabilities. %s.\n", cli_errstr(cli)); return 1; } - d_printf("Selecting server supported CIFS capabilities %s\n", caps); - if (caplow & CIFS_UNIX_POSIX_PATHNAMES_CAP) { CLI_DIRSEP_CHAR = '/'; *CLI_DIRSEP_STR = '/'; diff --git a/source3/include/smb.h b/source3/include/smb.h index 2ffd530fb0..aca0009688 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -658,6 +658,7 @@ typedef struct connection_struct { bool used; int num_files_open; unsigned int num_smb_operations; /* Count of smb operations on this tree. */ + int encrypt_level; /* Semantics requested by the client or forced by the server config. */ bool case_sensitive; diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 1260d52c77..48a6d18bc9 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1457,6 +1457,16 @@ static void switch_message(uint8 type, struct smb_request *req, int size) reply_doserror(req, ERRSRV, ERRaccess); return; } + + if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) { + /* An encrypted packet has 0xFF 'E' at offset 4 + * which is little endian 0x45FF */ + uint8 com = CVAL(req->inbuf,smb_com); + if (com != SMBtrans2 && com != SMBtranss2) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return; + } + } conn->num_smb_operations++; } diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 8e69a3b381..65fc818144 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -795,6 +795,8 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, conn->case_preserve = lp_preservecase(snum); conn->short_case_preserve = lp_shortpreservecase(snum); + conn->encrypt_level = lp_smb_encrypt(snum); + conn->veto_list = NULL; conn->hide_list = NULL; conn->veto_oplock_list = NULL; diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index ee4787199e..7625eaed7d 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -2430,6 +2430,16 @@ static void call_trans2qfsinfo(connection_struct *conn, info_level = SVAL(params,0); + if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) { + if (info_level != SMB_QUERY_CIFS_UNIX_INFO) { + DEBUG(0,("call_trans2qfsinfo: encryption required " + "and info level 0x%x sent.\n", + (unsigned int)info_level)); + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return; + } + } + DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level)); if(SMB_VFS_STAT(conn,".",&st)!=0) { @@ -2736,7 +2746,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned return; } - switch (lp_smb_encrypt(SNUM(conn))) { + switch (conn->encrypt_level) { case 0: encrypt_caps = 0; break; @@ -2968,6 +2978,16 @@ static void call_trans2setfsinfo(connection_struct *conn, info_level = SVAL(params,2); + if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) { + if (info_level != SMB_REQUEST_TRANSPORT_ENCRYPTION) { + DEBUG(0,("call_trans2setfsinfo: encryption required " + "and info level 0x%x sent.\n", + (unsigned int)info_level)); + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return; + } + } + switch(info_level) { case SMB_SET_CIFS_UNIX_INFO: { @@ -7060,6 +7080,17 @@ static void handle_trans2(connection_struct *conn, struct smb_request *req, SSVAL(req->inbuf,smb_flg2,req->flags2); } + if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) { + if (state->call != TRANSACT2_QFSINFO && + state->call != TRANSACT2_SETFSINFO) { + DEBUG(0,("handle_trans2: encryption required " + "with call 0x%x\n", + (unsigned int)state->call)); + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return; + } + } + /* Now we must call the relevant TRANS2 function */ switch(state->call) { case TRANSACT2_OPEN: |