author | Jeremy Allison <jra@samba.org> | 2007-12-27 23:51:03 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2007-12-27 23:51:03 -0800 |
commit | d241bfa57729bb934ada6beabf842a2ca7b4f8a2 (patch) | |
tree | 44f400a29fc9746a22d39ed948a9f5c9cda2e440 /source/smbd/trans2.c | |
parent | 2135dfe91bf1ae114a18c15286b535662200677d (diff) | |
Add the capability to set "smb encrypt = required"
on a share (or global) and have the server reply with
ACCESS_DENIED for all non-encrypted traffic (except
that used to query encryption requirements and set
encryption state).
Jeremy.
Diffstat (limited to 'source/smbd/trans2.c')
-rw-r--r-- | source/smbd/trans2.c | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index ee4787199e5..7625eaed7df 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -2430,6 +2430,16 @@ static void call_trans2qfsinfo(connection_struct *conn,
 info_level = SVAL(params,0);
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (info_level != SMB_QUERY_CIFS_UNIX_INFO) {
+ DEBUG(0,("call_trans2qfsinfo: encryption required "
+ "and info level 0x%x sent.\n",
+ (unsigned int)info_level));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
 DEBUG(3,("call_trans2qfsinfo: level = %d\n", info_level));
 if(SMB_VFS_STAT(conn,".",&st)!=0) {
@@ -2736,7 +2746,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
 return;
 }
- switch (lp_smb_encrypt(SNUM(conn))) {
+ switch (conn->encrypt_level) {
 case 0:
 encrypt_caps = 0;
 break;
@@ -2968,6 +2978,16 @@ static void call_trans2setfsinfo(connection_struct *conn,
 info_level = SVAL(params,2);
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (info_level != SMB_REQUEST_TRANSPORT_ENCRYPTION) {
+ DEBUG(0,("call_trans2setfsinfo: encryption required "
+ "and info level 0x%x sent.\n",
+ (unsigned int)info_level));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
 switch(info_level) {
 case SMB_SET_CIFS_UNIX_INFO:
 {
@@ -7060,6 +7080,17 @@ static void handle_trans2(connection_struct *conn, struct smb_request *req,
 SSVAL(req->inbuf,smb_flg2,req->flags2);
 }
+ if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+ if (state->call != TRANSACT2_QFSINFO &&
+ state->call != TRANSACT2_SETFSINFO) {
+ DEBUG(0,("handle_trans2: encryption required "
+ "with call 0x%x\n",
+ (unsigned int)state->call));
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+ }
+
 /* Now we must call the relevant TRANS2 function */
 switch(state->call) {
 case TRANSACT2_OPEN: |
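Review bot: The test for an encrypted request, `SVAL(req->inbuf,4) != 0x45FF`, compares two header bytes against an unexplained constant, and the same expression is repeated in the call_trans2setfsinfo and handle_trans2 hunks. A single static predicate, e.g. `req_is_encrypted(req)`, with a comment naming what those two bytes are, would keep the three gates in step. Whether the bytes can only hold that value after the request was actually decrypted is not visible here; if the receive path does not guarantee it, a per-request flag set by the decrypt step would be a firmer basis for the ACCESS_DENIED decision. Separately, all three rejections log with `DEBUG(0, ...)`, so any client sending unencrypted requests to such a share can produce one level-0 log line per request; a higher debug level would bound that. The body of call_trans2qfsinfo continues outside the hunk.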
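Review bot: The gate in handle_trans2 lets every TRANSACT2_QFSINFO and TRANSACT2_SETFSINFO call through unencrypted and depends on the info-level checks added in call_trans2qfsinfo and call_trans2setfsinfo to narrow them, but nothing at this site records that dependency. A comment above the inner `if`, such as `/* QFSINFO/SETFSINFO are filtered by info level in their own handlers. */`, would make it visible, since dropping or reordering either handler check would silently open those calls on a share that requires encryption. This function covers trans2 only; whether other SMB commands are gated elsewhere cannot be seen from this file's diff. handle_trans2 begins and ends outside the hunk.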