From 8c395be5e514a28f13608a462c0c0e8417e21160 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 21 Mar 2007 23:49:57 +0000 Subject: r21922: Fixed the build by rather horrid means. I really need to restructure libsmb/smb_signing.c so it isn't in the base libs path but lives in libsmb instead (like smb_seal.c does). Jeremy. (This used to be commit 1b828f051d0782201f697de15ff973bd6b097d5b) --- source3/Makefile.in | 4 +-- source3/lib/util_sock.c | 57 ++++++++++++++++++++++--------------------- source3/libads/ads_status.c | 6 +++-- source3/libsmb/cliconnect.c | 20 +++++++-------- source3/libsmb/clientgen.c | 58 +++++++++++++++++++++++--------------------- source3/libsmb/smb_seal.c | 5 +++- source3/libsmb/smb_signing.c | 31 +---------------------- 7 files changed, 81 insertions(+), 100 deletions(-) diff --git a/source3/Makefile.in b/source3/Makefile.in index ce79246839..355ab16198 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -258,7 +258,7 @@ LIB_WITH_PROTO_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \ lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \ lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \ nsswitch/wb_client.o $(WBCOMMON_OBJ) \ - lib/pam_errors.o intl/lang_tdb.o libsmb/smb_seal.o \ + lib/pam_errors.o intl/lang_tdb.o \ lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \ lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \ lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \ @@ -313,7 +313,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \ libsmb/clistr.o libsmb/cliquota.o libsmb/clifsinfo.o libsmb/clidfs.o \ libsmb/smberr.o libsmb/credentials.o libsmb/pwd_cache.o \ libsmb/clioplock.o $(ERRORMAP_OBJ) libsmb/clirap2.o \ - $(DOSERR_OBJ) \ + libsmb/smb_seal.o $(DOSERR_OBJ) \ $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(LIBNMB_OBJ) RPC_CLIENT_OBJ1 = rpc_client/cli_netlogon.o diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c index 755ad39261..a58fb03e77 100644 
--- a/source3/lib/util_sock.c +++ b/source3/lib/util_sock.c @@ -732,32 +732,32 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) BOOL receive_smb(int fd, char *buffer, unsigned int timeout) { - NTSTATUS status; - if (!receive_smb_raw(fd, buffer, timeout)) { return False; } - status = srv_decrypt_buffer(buffer); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("receive_smb: SMB decryption failed on incoming packet! Error %s\n", - nt_errstr(status) )); - if (smb_read_error == 0) { - smb_read_error = READ_BAD_DECRYPT; + if (srv_encryption_on()) { + NTSTATUS status = srv_decrypt_buffer(buffer); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("receive_smb: SMB decryption failed on incoming packet! Error %s\n", + nt_errstr(status) )); + if (smb_read_error == 0) { + smb_read_error = READ_BAD_DECRYPT; + } + return False; } - return False; - } - - /* Check the incoming SMB signature. */ - if (!srv_check_sign_mac(buffer, True)) { - DEBUG(0, ("receive_smb: SMB Signature verification failed on incoming packet!\n")); - if (smb_read_error == 0) { - smb_read_error = READ_BAD_SIG; + } else { + /* Check the incoming SMB signature. */ + if (!srv_check_sign_mac(buffer, True)) { + DEBUG(0, ("receive_smb: SMB Signature verification failed on incoming packet!\n")); + if (smb_read_error == 0) { + smb_read_error = READ_BAD_SIG; + } + return False; } - return False; - }; + } - return(True); + return True; } /**************************************************************************** 
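Review bot: In receive_smb the new `if (srv_encryption_on()) … else …` chooses between decryption and signature verification from connection-wide state, so a packet received while encryption is on never reaches `srv_check_sign_mac` and its integrity rests entirely on `srv_decrypt_buffer`. That function's body is not in this diff; if it can return success for a buffer that is not actually sealed, such a packet would be accepted with neither check applied. I would confirm that it fails closed on plaintext input and record the invariant above the branch, e.g. `/* Encrypted transport: srv_decrypt_buffer() must reject any packet that is not sealed; no MAC check follows. */`. The same either/or split appears on the client side in client_receive_smb and cli_receive_smb in libsmb/clientgen.c, where `cli_decrypt_message` carries the same obligation.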
@@ -766,20 +766,21 @@ BOOL receive_smb(int fd, char *buffer, unsigned int timeout) BOOL send_smb(int fd, char *buffer) { - NTSTATUS status; size_t len; size_t nwritten=0; ssize_t ret; - char *buf_out; + char *buf_out = buffer; /* Sign the outgoing packet if required. */ - srv_calculate_sign_mac(buffer); - - status = srv_encrypt_buffer(buffer, &buf_out); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("send_smb: SMB encryption failed on outgoing packet! Error %s\n", - nt_errstr(status) )); - return False; + if (!srv_encryption_on()) { + srv_calculate_sign_mac(buf_out); + } else { + NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("send_smb: SMB encryption failed on outgoing packet! Error %s\n", + nt_errstr(status) )); + return False; + } } len = smb_len(buf_out) + 4; diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c index 017d38c600..d022e5b323 100644 --- a/source3/libads/ads_status.c +++ b/source3/libads/ads_status.c @@ -84,6 +84,10 @@ NTSTATUS ads_ntstatus(ADS_STATUS status) #ifdef HAVE_KRB5 case ENUM_ADS_ERROR_KRB5: return krb5_to_nt_status(status.err.rc); +#endif +#ifdef HAVE_GSSAPI + case ENUM_ADS_ERROR_GSS: + return NT_STATUS_UNSUCCESSFUL; #endif default: break; @@ -143,5 +147,3 @@ const char *ads_errstr(ADS_STATUS status) } } - - diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3970731b45..15dac093da 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c 
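Review bot: The comment `/* Sign the outgoing packet if required. */` in send_smb now sits above a branch that either signs or encrypts, so it describes only half of what follows. Something like `/* Sign the outgoing packet, or seal it when the transport is encrypted (sealing replaces signing). */` would match the code. The condition is also written negated here (`if (!srv_encryption_on())`) while receive_smb tests the positive case first; using one order in both makes the paired paths easier to compare. send_smb continues past the end of this hunk.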
@@ -742,25 +742,25 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); DATA_BLOB null_blob = data_blob(NULL, 0); - BOOL res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - res = cli_simple_set_signing(cli, key, null_blob); + if (!cli_encryption_on(cli)) { + BOOL res = cli_simple_set_signing(cli, key, null_blob); - data_blob_free(&key); - - if (res) { + if (res) { - /* 'resign' the last message, so we get the right sequence numbers - for checking the first reply from the server */ - cli_calculate_sign_mac(cli); + /* 'resign' the last message, so we get the right sequence numbers + for checking the first reply from the server */ + cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli)) { - nt_status = NT_STATUS_ACCESS_DENIED; + if (!cli_check_sign_mac(cli)) { + nt_status = NT_STATUS_ACCESS_DENIED; + } } } + data_blob_free(&key); } /* we have a reference counter on ntlmssp_state, if we are signing diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 52ffdc24e7..1aa0ddcc10 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -57,7 +57,6 @@ int cli_set_port(struct cli_state *cli, int port) static BOOL client_receive_smb(struct cli_state *cli) { BOOL ret; - NTSTATUS status; int fd = cli->fd; char *buffer = cli->inbuf; unsigned int timeout = cli->timeout; 
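Review bot: `key` holds a copy of the NTLMSSP session key, and the relocated `data_blob_free(&key);` releases it without wiping it, on both the signing path and the encrypted path. Since the line is being moved anyway, `data_blob_clear_free(&key);` would zero the key material before the memory is returned to the allocator. The enclosing block of cli_session_setup_ntlmssp starts and ends outside this hunk, so whether every exit from it reaches the free cannot be checked from here.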
@@ -75,14 +74,16 @@ static BOOL client_receive_smb(struct cli_state *cli) if(CVAL(buffer,0) != SMBkeepalive) break; } - status = cli_decrypt_message(cli); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("SMB decryption failed on incoming packet! Error %s\n", - nt_errstr(status))); - cli->smb_rw_error = READ_BAD_DECRYPT; - close(cli->fd); - cli->fd = -1; - return False; + if (cli_encryption_on(cli)) { + NTSTATUS status = cli_decrypt_message(cli); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("SMB decryption failed on incoming packet! Error %s\n", + nt_errstr(status))); + cli->smb_rw_error = READ_BAD_DECRYPT; + close(cli->fd); + cli->fd = -1; + return False; + } } show_msg(buffer); return ret; @@ -129,13 +130,15 @@ BOOL cli_receive_smb(struct cli_state *cli) return ret; } - if (!cli_check_sign_mac(cli)) { - DEBUG(0, ("SMB Signature verification failed on incoming packet!\n")); - cli->smb_rw_error = READ_BAD_SIG; - close(cli->fd); - cli->fd = -1; - return False; - }; + if (!cli_encryption_on(cli)) { + if (!cli_check_sign_mac(cli)) { + DEBUG(0, ("SMB Signature verification failed on incoming packet!\n")); + cli->smb_rw_error = READ_BAD_SIG; + close(cli->fd); + cli->fd = -1; + return False; + } + } return True; } @@ -160,7 +163,6 @@ static ssize_t write_socket(int fd, const char *buf, size_t len) BOOL cli_send_smb(struct cli_state *cli) { - NTSTATUS status; size_t len; size_t nwritten=0; ssize_t ret; 
@@ -171,16 +173,18 @@ BOOL cli_send_smb(struct cli_state *cli) return False; } - cli_calculate_sign_mac(cli); - - status = cli_encrypt_message(cli, &buf_out); - if (!NT_STATUS_IS_OK(status)) { - close(cli->fd); - cli->fd = -1; - cli->smb_rw_error = WRITE_ERROR; - DEBUG(0,("Error in encrypting client message. Error %s\n", - nt_errstr(status) )); - return False; + if (cli_encryption_on(cli)) { + NTSTATUS status = cli_encrypt_message(cli, &buf_out); + if (!NT_STATUS_IS_OK(status)) { + close(cli->fd); + cli->fd = -1; + cli->smb_rw_error = WRITE_ERROR; + DEBUG(0,("Error in encrypting client message. Error %s\n", + nt_errstr(status) )); + return False; + } + } else { + cli_calculate_sign_mac(cli); } len = smb_len(buf_out) + 4; diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c index f16c1402a2..d08b27e7cd 100644 --- a/source3/libsmb/smb_seal.c +++ b/source3/libsmb/smb_seal.c @@ -163,8 +163,11 @@ NTSTATUS common_ntlm_encrypt_buffer(NTLMSSP_STATE *ntlmssp_state, char *buf, cha &out_buf); if (ret != GSS_S_COMPLETE) { + ADS_STATUS adss = ADS_ERROR_GSS(ret, minor); + DEBUG(0,("common_gss_encrypt_buffer: gss_wrap failed. Error %s\n", + ads_errstr(adss) )); /* Um - no mapping for gss-errs to NTSTATUS yet. */ - return NT_STATUS_UNSUCCESSFUL; + return ads_ntstatus(adss); } if (!flags_got) { diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c index 66a15e9408..0395208986 100644 --- a/source3/libsmb/smb_signing.c +++ b/source3/libsmb/smb_signing.c @@ -585,9 +585,7 @@ void cli_free_signing_context(struct cli_state *cli) void cli_calculate_sign_mac(struct cli_state *cli) { - if (!cli_encryption_on(cli)) { - cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info); - } + cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info); } /** 
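Review bot: With `cli_encrypt_message(cli, &buf_out)` now called only when encryption is on, the else branch in cli_send_smb reaches `len = smb_len(buf_out) + 4;` without anything in this hunk having assigned `buf_out`. The declaration lies outside the hunk, so this may already be handled, but the parallel change to send_smb in source3/lib/util_sock.c had to add an initialiser (`char *buf_out = buffer;`) for exactly this reason. If the declaration here is still a bare `char *buf_out;`, it needs to become `char *buf_out = cli->outbuf;`.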
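Review bot: Dropping the `cli_encryption_on(cli)` test from cli_calculate_sign_mac moves the signing-versus-sealing decision to every caller, and this diff only updates cli_send_smb, cli_receive_smb and the NTLMSSP session setup path. The later hunks in this file remove the same guard from client_set_trans_sign_state_on and client_set_trans_sign_state_off with no caller-side replacement visible here, so on an encrypted connection with `doing_signing` set they would now proceed into their signing-state logic (not shown in the hunks). Any other caller of these functions, or of srv_check_sign_mac and srv_calculate_sign_mac, that is not touched by this commit would likewise sign or verify over a sealed transport. A one-line contract comment on each function, such as `/* Caller must not call this when transport encryption is on. */`, would make the new precondition explicit.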
@@ -598,9 +596,6 @@ void cli_calculate_sign_mac(struct cli_state *cli) BOOL cli_check_sign_mac(struct cli_state *cli) { - if (cli_encryption_on(cli)) { - return True; - } if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) { free_signing_context(&cli->sign_info); return False; @@ -617,9 +612,6 @@ BOOL client_set_trans_sign_state_on(struct cli_state *cli, uint16 mid) struct smb_sign_info *si = &cli->sign_info; struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context; - if (cli_encryption_on(cli)) { - return True; - } if (!si->doing_signing) { return True; } @@ -645,9 +637,6 @@ BOOL client_set_trans_sign_state_off(struct cli_state *cli, uint16 mid) struct smb_sign_info *si = &cli->sign_info; struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context; - if (cli_encryption_on(cli)) { - return True; - } if (!si->doing_signing) { return True; } @@ -813,15 +802,6 @@ BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok) return True; } - /* - * If we have an encrypted transport - * don't sign - we're already doing that. - */ - - if (srv_encryption_on()) { - return True; - } - return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok); } @@ -836,15 +816,6 @@ void srv_calculate_sign_mac(char *outbuf) return; } - /* - * If we have an encrypted transport - * don't check sign - we're already doing that. - */ - - if (srv_encryption_on()) { - return; - } - srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info); } -- cgit