r21865: Add in the stubs for SMB transport encryption. Will flesh

these out as I implement. Don't add to SAMBA_3_0_25, this
is experimental code.
NFSv4 you're now officially on notice... :-).
Jeremy.
(This used to be commit 5bfe638f2172e272741997100ee5ae8ff280494d)

7 files changed, 123 insertions, 8 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 83150a44de..40351900c8 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -256,7 +256,7 @@ LIB_WITH_PROTO_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
 	  lib/substitute.o lib/fsusage.o \
 	  lib/ms_fnmatch.o lib/select.o lib/messages.o \
 	  lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
-	  lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
+	  libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
 	  nsswitch/wb_client.o $(WBCOMMON_OBJ) \
 	  lib/pam_errors.o intl/lang_tdb.o \
 	  lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
diff --git a/source3/include/smb.h b/source3/include/smb.h
index a54cebac10..2eed76eb80 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -79,6 +79,7 @@
 #define WRITE_ERROR 4 /* This error code can go into the client smb_rw_error. */
 #define READ_BAD_SIG 5
 #define DO_NOT_DO_TDIS 6 /* cli_close_connection() check for this when smbfs wants to keep tree connected */
+#define READ_BAD_DECRYPT 7
 
 #define DIR_STRUCT_SIZE 43
 
diff --git a/source3/include/trans2.h b/source3/include/trans2.h
index 67a0e0fc52..32ea7d927f 100644
--- a/source3/include/trans2.h
+++ b/source3/include/trans2.h
@@ -529,7 +529,7 @@ findfirst/findnext is SMB_FIND_FILE_UNIX_INFO2.
 						(chflags) and lsattr */
 #define CIFS_UNIX_POSIX_PATHNAMES_CAP	   0x10 /* Use POSIX pathnames on the wire. */
 #define CIFS_UNIX_POSIX_PATH_OPERATIONS_CAP	   0x20 /* We can cope with POSIX open/mkdir/unlink etc. */
-
+#define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP	0x40 /* We can do SPNEGO negotiations for encryption. */
 
 #define SMB_QUERY_POSIX_FS_INFO     0x201
 
@@ -652,6 +652,27 @@ enum smb_whoami_flags {
 	DOM_SID[] -		list of SIDs (may be empty)
 */
 
+/*
+ * The following trans2 is done between client and server 
+ * as a FSINFO call to set up the encryption state for transport
+ * encryption.
+ *
+ * The request looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI request.
+ *
+ * The reply looks like :
+ *
+ * [data block] -> SPNEGO framed GSSAPI reply - if error
+ *                 is NT_STATUS_OK then we're done, if it's
+ *                 NT_STATUS_MORE_PROCESSING_REQUIRED then the
+ *                 client needs to keep going. If it's an
+ *                 error it can be any NT_STATUS error.
+ *
+ */
+
+#define SMB_REQUEST_TRANSPORT_ENCRYPTION     0x203
+
 /* The query/set info levels for POSIX ACLs. */
 #define SMB_QUERY_POSIX_ACL  0x204
 #define SMB_SET_POSIX_ACL  0x204
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
index 2866a443d4..663502bef0 100644
--- a/source3/lib/util_sock.c
+++ b/source3/lib/util_sock.c
@@ -732,15 +732,28 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
 
 BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
 {
+	NTSTATUS status;
+
 	if (!receive_smb_raw(fd, buffer, timeout)) {
 		return False;
 	}
 
+	status = srv_decrypt_buffer(buffer);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("receive_smb: SMB decryption failed on incoming packet! Error %s\n",
+			nt_errstr(status) ));
+		if (smb_read_error == 0) {
+			smb_read_error = READ_BAD_DECRYPT;
+		}
+		return False;
+	}
+
 	/* Check the incoming SMB signature. */
 	if (!srv_check_sign_mac(buffer, True)) {
 		DEBUG(0, ("receive_smb: SMB Signature verification failed on incoming packet!\n"));
-		if (smb_read_error == 0)
+		if (smb_read_error == 0) {
 			smb_read_error = READ_BAD_SIG;
+		}
 		return False;
 	};
 
@@ -753,6 +766,7 @@ BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
 
 BOOL send_smb(int fd, char *buffer)
 {
+	NTSTATUS status;
 	size_t len;
 	size_t nwritten=0;
 	ssize_t ret;
@@ -760,6 +774,13 @@ BOOL send_smb(int fd, char *buffer)
 	/* Sign the outgoing packet if required. */
 	srv_calculate_sign_mac(buffer);
 
+	status = srv_encrypt_buffer(buffer);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("send_smb: SMB encryption failed on outgoing packet! Error %s\n",
+			nt_errstr(status) ));
+		return False;
+	}
+
 	len = smb_len(buffer) + 4;
 
 	while (nwritten < len) {
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 68ecb131b1..cdf36d9b9c 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -54,9 +54,13 @@ int cli_set_port(struct cli_state *cli, int port)
  should never go into a blocking read.
 ****************************************************************************/
 
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
+static BOOL client_receive_smb(struct cli_state *cli)
 {
 	BOOL ret;
+	NTSTATUS status;
+	int fd = cli->fd;
+	char *buffer = cli->inbuf;
+	unsigned int timeout = cli->timeout;
 
 	for(;;) {
 		ret = receive_smb_raw(fd, buffer, timeout);
@@ -71,6 +75,15 @@ static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
 		if(CVAL(buffer,0) != SMBkeepalive)
 			break;
 	}
+	status = cli_decrypt_message(cli);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("SMB decryption failed on incoming packet! Error %s\n",
+			nt_errstr(status)));
+		cli->smb_rw_error = READ_BAD_DECRYPT;
+		close(cli->fd);
+		cli->fd = -1;
+		return False;
+	}
 	show_msg(buffer);
 	return ret;
 }
@@ -88,7 +101,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
 		return False; 
 
  again:
-	ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
+	ret = client_receive_smb(cli);
 	
 	if (ret) {
 		/* it might be an oplock break request */
@@ -132,7 +145,7 @@ static ssize_t write_socket(int fd, const char *buf, size_t len)
                                                                                                                                             
         DEBUG(6,("write_socket(%d,%d)\n",fd,(int)len));
         ret = write_data(fd,buf,len);
-                                                                                                                                            
+
         DEBUG(6,("write_socket(%d,%d) wrote %d\n",fd,(int)len,(int)ret));
         if(ret <= 0)
                 DEBUG(0,("write_socket: Error writing %d bytes to socket %d: ERRNO = %s\n",
@@ -147,16 +160,28 @@ static ssize_t write_socket(int fd, const char *buf, size_t len)
 
 BOOL cli_send_smb(struct cli_state *cli)
 {
+	NTSTATUS status;
 	size_t len;
 	size_t nwritten=0;
 	ssize_t ret;
 
 	/* fd == -1 causes segfaults -- Tom (tom@ninja.nl) */
-	if (cli->fd == -1)
+	if (cli->fd == -1) {
 		return False;
+	}
 
 	cli_calculate_sign_mac(cli);
 
+	status = cli_encrypt_message(cli);
+	if (!NT_STATUS_IS_OK(status)) {
+		close(cli->fd);
+		cli->fd = -1;
+		cli->smb_rw_error = WRITE_ERROR;
+		DEBUG(0,("Error in encrypting client message. Error %s\n",
+			nt_errstr(status) ));
+		return False;
+	}
+
 	len = smb_len(cli->outbuf) + 4;
 
 	while (nwritten < len) {
@@ -173,8 +198,9 @@ BOOL cli_send_smb(struct cli_state *cli)
 	}
 	/* Increment the mid so we can tell between responses. */
 	cli->mid++;
-	if (!cli->mid)
+	if (!cli->mid) {
 		cli->mid++;
+	}
 	return True;
 }
 
diff --git a/source3/libsmb/clierror.c b/source3/libsmb/clierror.c
index f85fc5c552..4b222c9015 100644
--- a/source3/libsmb/clierror.c
+++ b/source3/libsmb/clierror.c
@@ -84,6 +84,7 @@ static NTSTATUS cli_smb_rw_error_to_ntstatus(struct cli_state *cli)
 		case WRITE_ERROR:
 			return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 	        case READ_BAD_SIG:
+	        case READ_BAD_DECRYPT:
 			return NT_STATUS_INVALID_PARAMETER;
 	        default:
 			break;
@@ -133,6 +134,10 @@ const char *cli_errstr(struct cli_state *cli)
 				slprintf(cli_error_message, sizeof(cli_error_message) - 1,
 					"Server packet had invalid SMB signature!");
 				break;
+		        case READ_BAD_DECRYPT:
+				slprintf(cli_error_message, sizeof(cli_error_message) - 1,
+					"Server packet could not be decrypted !");
+				break;
 		        default:
 				slprintf(cli_error_message, sizeof(cli_error_message) - 1,
 					"Unknown error code %d\n", cli->smb_rw_error );
diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c
new file mode 100644
index 0000000000..eb35fc05f9
--- /dev/null
+++ b/source3/libsmb/smb_seal.c
@@ -0,0 +1,41 @@
+/* 
+   Unix SMB/CIFS implementation.
+   SMB Transport encryption (sealing) code.
+   Copyright (C) Jeremy Allison 2007.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+NTSTATUS cli_decrypt_message(struct cli_state *cli)
+{
+	return NT_STATUS_OK;
+}
+
+NTSTATUS cli_encrypt_message(struct cli_state *cli)
+{
+	return NT_STATUS_OK;
+}
+
+NTSTATUS srv_decrypt_buffer(char *buffer)
+{
+	return NT_STATUS_OK;
+}
+
+NTSTATUS srv_encrypt_buffer(char *buffer)
+{
+	return NT_STATUS_OK;
+}