Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.3.x/source/smbd/seal.c@ 621

Visit:

Last change on this file since 621 was 206, checked in by Herwig Bauernfeind, 16 years ago
Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 21.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	SMB Transport encryption (sealing) code - server code.
4	Copyright (C) Jeremy Allison 2007.
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	/******************************************************************************
23	Server side encryption.
24	******************************************************************************/
25
26	/******************************************************************************
27	Global server state.
28	******************************************************************************/
29
30	struct smb_srv_trans_enc_ctx {
31	struct smb_trans_enc_state *es;
32	AUTH_NTLMSSP_STATE auth_ntlmssp_state; / Must be kept in sync with pointer in ec->ntlmssp_state. */
33	};
34
35	static struct smb_srv_trans_enc_ctx *partial_srv_trans_enc_ctx;
36	static struct smb_srv_trans_enc_ctx *srv_trans_enc_ctx;
37
38	/******************************************************************************
39	Return global enc context - this must change if we ever do multiple contexts.
40	******************************************************************************/
41
42	uint16_t srv_enc_ctx(void)
43	{
44	return srv_trans_enc_ctx->es->enc_ctx_num;
45	}
46
47	/******************************************************************************
48	Is this an incoming encrypted packet ?
49	******************************************************************************/
50
51	bool is_encrypted_packet(const uint8_t *inbuf)
52	{
53	NTSTATUS status;
54	uint16_t enc_num;
55
56	/* Ignore non-session messages or non 0xFF'E' messages. */
57	if(CVAL(inbuf,0) \|\| !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
58	return false;
59	}
60
61	status = get_enc_ctx_num(inbuf, &enc_num);
62	if (!NT_STATUS_IS_OK(status)) {
63	return false;
64	}
65
66	/* Encrypted messages are 0xFF'E'<ctx> */
67	if (srv_trans_enc_ctx && enc_num == srv_enc_ctx()) {
68	return true;
69	}
70	return false;
71	}
72
73	/******************************************************************************
74	Create an auth_ntlmssp_state and ensure pointer copy is correct.
75	******************************************************************************/
76
77	static NTSTATUS make_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
78	{
79	NTSTATUS status = auth_ntlmssp_start(&ec->auth_ntlmssp_state);
80	if (!NT_STATUS_IS_OK(status)) {
81	return nt_status_squash(status);
82	}
83
84	/*
85	* We must remember to update the pointer copy for the common
86	* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
87	*/
88	ec->es->s.ntlmssp_state = ec->auth_ntlmssp_state->ntlmssp_state;
89	return status;
90	}
91
92	/******************************************************************************
93	Destroy an auth_ntlmssp_state and ensure pointer copy is correct.
94	******************************************************************************/
95
96	static void destroy_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
97	{
98	/*
99	* We must remember to update the pointer copy for the common
100	* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
101	*/
102
103	if (ec->auth_ntlmssp_state) {
104	auth_ntlmssp_end(&ec->auth_ntlmssp_state);
105	/* The auth_ntlmssp_end killed this already. */
106	ec->es->s.ntlmssp_state = NULL;
107	}
108	}
109
110	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
111
112	/******************************************************************************
113	Import a name.
114	******************************************************************************/
115
116	static NTSTATUS get_srv_gss_creds(const char *service,
117	const char *name,
118	gss_cred_usage_t cred_type,
119	gss_cred_id_t *p_srv_cred)
120	{
121	OM_uint32 ret;
122	OM_uint32 min;
123	gss_name_t srv_name;
124	gss_buffer_desc input_name;
125	char *host_princ_s = NULL;
126	NTSTATUS status = NT_STATUS_OK;
127
128	gss_OID_desc nt_hostbased_service =
129	{10, CONST_DISCARD(char *,"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")};
130
131	if (asprintf(&host_princ_s, "%s@%s", service, name) == -1) {
132	return NT_STATUS_NO_MEMORY;
133	}
134
135	input_name.value = host_princ_s;
136	input_name.length = strlen(host_princ_s) + 1;
137
138	ret = gss_import_name(&min,
139	&input_name,
140	&nt_hostbased_service,
141	&srv_name);
142
143	DEBUG(10,("get_srv_gss_creds: imported name %s\n",
144	host_princ_s ));
145
146	if (ret != GSS_S_COMPLETE) {
147	SAFE_FREE(host_princ_s);
148	return map_nt_error_from_gss(ret, min);
149	}
150
151	/*
152	* We're accessing the krb5.keytab file here.
153	* ensure we have permissions to do so.
154	*/
155	become_root();
156
157	ret = gss_acquire_cred(&min,
158	srv_name,
159	GSS_C_INDEFINITE,
160	GSS_C_NULL_OID_SET,
161	cred_type,
162	p_srv_cred,
163	NULL,
164	NULL);
165	unbecome_root();
166
167	if (ret != GSS_S_COMPLETE) {
168	ADS_STATUS adss = ADS_ERROR_GSS(ret, min);
169	DEBUG(10,("get_srv_gss_creds: gss_acquire_cred failed with %s\n",
170	ads_errstr(adss)));
171	status = map_nt_error_from_gss(ret, min);
172	}
173
174	SAFE_FREE(host_princ_s);
175	gss_release_name(&min, &srv_name);
176	return status;
177	}
178
179	/******************************************************************************
180	Create a gss state.
181	Try and get the cifs/server@realm principal first, then fall back to
182	host/server@realm.
183	******************************************************************************/
184
185	static NTSTATUS make_auth_gss(struct smb_srv_trans_enc_ctx *ec)
186	{
187	NTSTATUS status;
188	gss_cred_id_t srv_cred;
189	fstring fqdn;
190
191	name_to_fqdn(fqdn, global_myname());
192	strlower_m(fqdn);
193
194	status = get_srv_gss_creds("cifs", fqdn, GSS_C_ACCEPT, &srv_cred);
195	if (!NT_STATUS_IS_OK(status)) {
196	status = get_srv_gss_creds("host", fqdn, GSS_C_ACCEPT, &srv_cred);
197	if (!NT_STATUS_IS_OK(status)) {
198	return nt_status_squash(status);
199	}
200	}
201
202	ec->es->s.gss_state = SMB_MALLOC_P(struct smb_tran_enc_state_gss);
203	if (!ec->es->s.gss_state) {
204	OM_uint32 min;
205	gss_release_cred(&min, &srv_cred);
206	return NT_STATUS_NO_MEMORY;
207	}
208	ZERO_STRUCTP(ec->es->s.gss_state);
209	ec->es->s.gss_state->creds = srv_cred;
210
211	/* No context yet. */
212	ec->es->s.gss_state->gss_ctx = GSS_C_NO_CONTEXT;
213
214	return NT_STATUS_OK;
215	}
216	#endif
217
218	/******************************************************************************
219	Shutdown a server encryption context.
220	******************************************************************************/
221
222	static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec)
223	{
224	struct smb_srv_trans_enc_ctx ec = pp_ec;
225
226	if (!ec) {
227	return;
228	}
229
230	if (ec->es) {
231	switch (ec->es->smb_enc_type) {
232	case SMB_TRANS_ENC_NTLM:
233	destroy_auth_ntlmssp(ec);
234	break;
235	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
236	case SMB_TRANS_ENC_GSS:
237	break;
238	#endif
239	}
240	common_free_encryption_state(&ec->es);
241	}
242
243	SAFE_FREE(ec);
244	*pp_ec = NULL;
245	}
246
247	/******************************************************************************
248	Create a server encryption context.
249	******************************************************************************/
250
251	static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type, struct smb_srv_trans_enc_ctx **pp_ec)
252	{
253	struct smb_srv_trans_enc_ctx *ec;
254
255	*pp_ec = NULL;
256
257	ec = SMB_MALLOC_P(struct smb_srv_trans_enc_ctx);
258	if (!ec) {
259	return NT_STATUS_NO_MEMORY;
260	}
261	ZERO_STRUCTP(partial_srv_trans_enc_ctx);
262	ec->es = SMB_MALLOC_P(struct smb_trans_enc_state);
263	if (!ec->es) {
264	SAFE_FREE(ec);
265	return NT_STATUS_NO_MEMORY;
266	}
267	ZERO_STRUCTP(ec->es);
268	ec->es->smb_enc_type = smb_enc_type;
269	switch (smb_enc_type) {
270	case SMB_TRANS_ENC_NTLM:
271	{
272	NTSTATUS status = make_auth_ntlmssp(ec);
273	if (!NT_STATUS_IS_OK(status)) {
274	srv_free_encryption_context(&ec);
275	return status;
276	}
277	}
278	break;
279
280	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
281	case SMB_TRANS_ENC_GSS:
282	/* Acquire our credentials by calling gss_acquire_cred here. */
283	{
284	NTSTATUS status = make_auth_gss(ec);
285	if (!NT_STATUS_IS_OK(status)) {
286	srv_free_encryption_context(&ec);
287	return status;
288	}
289	}
290	break;
291	#endif
292	default:
293	srv_free_encryption_context(&ec);
294	return NT_STATUS_INVALID_PARAMETER;
295	}
296	*pp_ec = ec;
297	return NT_STATUS_OK;
298	}
299
300	/******************************************************************************
301	Free an encryption-allocated buffer.
302	******************************************************************************/
303
304	void srv_free_enc_buffer(char *buf)
305	{
306	/* We know this is an smb buffer, and we
307	* didn't malloc, only copy, for a keepalive,
308	* so ignore non-session messages. */
309
310	if(CVAL(buf,0)) {
311	return;
312	}
313
314	if (srv_trans_enc_ctx) {
315	common_free_enc_buffer(srv_trans_enc_ctx->es, buf);
316	}
317	}
318
319	/******************************************************************************
320	Decrypt an incoming buffer.
321	******************************************************************************/
322
323	NTSTATUS srv_decrypt_buffer(char *buf)
324	{
325	/* Ignore non-session messages. */
326	if(CVAL(buf,0)) {
327	return NT_STATUS_OK;
328	}
329
330	if (srv_trans_enc_ctx) {
331	return common_decrypt_buffer(srv_trans_enc_ctx->es, buf);
332	}
333
334	return NT_STATUS_OK;
335	}
336
337	/******************************************************************************
338	Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
339	******************************************************************************/
340
341	NTSTATUS srv_encrypt_buffer(char buf, char *buf_out)
342	{
343	*buf_out = buf;
344
345	/* Ignore non-session messages. */
346	if(CVAL(buf,0)) {
347	return NT_STATUS_OK;
348	}
349
350	if (srv_trans_enc_ctx) {
351	return common_encrypt_buffer(srv_trans_enc_ctx->es, buf, buf_out);
352	}
353	/* Not encrypting. */
354	return NT_STATUS_OK;
355	}
356
357	/******************************************************************************
358	Do the gss encryption negotiation. Parameters are in/out.
359	Until success we do everything on the partial enc ctx.
360	******************************************************************************/
361
362	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
363	static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char *ppdata, size_t p_data_size, DATA_BLOB secblob)
364	{
365	OM_uint32 ret;
366	OM_uint32 min;
367	OM_uint32 flags = 0;
368	gss_buffer_desc in_buf, out_buf;
369	struct smb_tran_enc_state_gss *gss_state;
370	DATA_BLOB auth_reply = data_blob_null;
371	DATA_BLOB response = data_blob_null;
372	NTSTATUS status;
373
374	if (!partial_srv_trans_enc_ctx) {
375	status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx);
376	if (!NT_STATUS_IS_OK(status)) {
377	return status;
378	}
379	}
380
381	gss_state = partial_srv_trans_enc_ctx->es->s.gss_state;
382
383	in_buf.value = secblob.data;
384	in_buf.length = secblob.length;
385
386	out_buf.value = NULL;
387	out_buf.length = 0;
388
389	become_root();
390
391	ret = gss_accept_sec_context(&min,
392	&gss_state->gss_ctx,
393	gss_state->creds,
394	&in_buf,
395	GSS_C_NO_CHANNEL_BINDINGS,
396	NULL,
397	NULL, /* Ignore oids. */
398	&out_buf, /* To return. */
399	&flags,
400	NULL, /* Ingore time. */
401	NULL); /* Ignore delegated creds. */
402	unbecome_root();
403
404	status = gss_err_to_ntstatus(ret, min);
405	if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
406	return status;
407	}
408
409	/* Ensure we've got sign+seal available. */
410	if (ret == GSS_S_COMPLETE) {
411	if ((flags & (GSS_C_INTEG_FLAG\|GSS_C_CONF_FLAG\|GSS_C_REPLAY_FLAG\|GSS_C_SEQUENCE_FLAG)) !=
412	(GSS_C_INTEG_FLAG\|GSS_C_CONF_FLAG\|GSS_C_REPLAY_FLAG\|GSS_C_SEQUENCE_FLAG)) {
413	DEBUG(0,("srv_enc_spnego_gss_negotiate: quality of service not good enough "
414	"for SMB sealing.\n"));
415	gss_release_buffer(&min, &out_buf);
416	return NT_STATUS_ACCESS_DENIED;
417	}
418	}
419
420	auth_reply = data_blob(out_buf.value, out_buf.length);
421	gss_release_buffer(&min, &out_buf);
422
423	/* Wrap in SPNEGO. */
424	response = spnego_gen_auth_response(&auth_reply, status, OID_KERBEROS5);
425	data_blob_free(&auth_reply);
426
427	SAFE_FREE(*ppdata);
428	*ppdata = response.data;
429	*p_data_size = response.length;
430
431	return status;
432	}
433	#endif
434
435	/******************************************************************************
436	Do the NTLM SPNEGO (or raw) encryption negotiation. Parameters are in/out.
437	Until success we do everything on the partial enc ctx.
438	******************************************************************************/
439
440	static NTSTATUS srv_enc_ntlm_negotiate(unsigned char *ppdata, size_t p_data_size, DATA_BLOB secblob, bool spnego_wrap)
441	{
442	NTSTATUS status;
443	DATA_BLOB chal = data_blob_null;
444	DATA_BLOB response = data_blob_null;
445
446	status = make_srv_encryption_context(SMB_TRANS_ENC_NTLM, &partial_srv_trans_enc_ctx);
447	if (!NT_STATUS_IS_OK(status)) {
448	return status;
449	}
450
451	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, secblob, &chal);
452
453	/* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
454	* for success ... */
455
456	if (spnego_wrap) {
457	response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
458	data_blob_free(&chal);
459	} else {
460	/* Return the raw blob. */
461	response = chal;
462	}
463
464	SAFE_FREE(*ppdata);
465	*ppdata = response.data;
466	*p_data_size = response.length;
467	return status;
468	}
469
470	/******************************************************************************
471	Do the SPNEGO encryption negotiation. Parameters are in/out.
472	Based off code in smbd/sesssionsetup.c
473	Until success we do everything on the partial enc ctx.
474	******************************************************************************/
475
476	static NTSTATUS srv_enc_spnego_negotiate(connection_struct *conn,
477	unsigned char **ppdata,
478	size_t *p_data_size,
479	unsigned char **pparam,
480	size_t *p_param_size)
481	{
482	NTSTATUS status;
483	DATA_BLOB blob = data_blob_null;
484	DATA_BLOB secblob = data_blob_null;
485	char *kerb_mech = NULL;
486
487	blob = data_blob_const(ppdata, p_data_size);
488
489	status = parse_spnego_mechanisms(blob, &secblob, &kerb_mech);
490	if (!NT_STATUS_IS_OK(status)) {
491	return nt_status_squash(status);
492	}
493
494	/* We should have no partial context at this point. */
495
496	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
497
498	if (kerb_mech) {
499	SAFE_FREE(kerb_mech);
500
501	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
502	status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
503	#else
504	/* Currently we don't SPNEGO negotiate
505	* back to NTLMSSP as we do in sessionsetupX. We should... */
506	return NT_STATUS_LOGON_FAILURE;
507	#endif
508	} else {
509	status = srv_enc_ntlm_negotiate(ppdata, p_data_size, secblob, true);
510	}
511
512	data_blob_free(&secblob);
513
514	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
515	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
516	return nt_status_squash(status);
517	}
518
519	if (NT_STATUS_IS_OK(status)) {
520	/* Return the context we're using for this encryption state. */
521	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
522	return NT_STATUS_NO_MEMORY;
523	}
524	SSVAL(*pparam,0,partial_srv_trans_enc_ctx->es->enc_ctx_num);
525	*p_param_size = 2;
526	}
527
528	return status;
529	}
530
531	/******************************************************************************
532	Complete a SPNEGO encryption negotiation. Parameters are in/out.
533	We only get this for a NTLM auth second stage.
534	******************************************************************************/
535
536	static NTSTATUS srv_enc_spnego_ntlm_auth(connection_struct *conn,
537	unsigned char **ppdata,
538	size_t *p_data_size,
539	unsigned char **pparam,
540	size_t *p_param_size)
541	{
542	NTSTATUS status;
543	DATA_BLOB blob = data_blob_null;
544	DATA_BLOB auth = data_blob_null;
545	DATA_BLOB auth_reply = data_blob_null;
546	DATA_BLOB response = data_blob_null;
547	struct smb_srv_trans_enc_ctx *ec = partial_srv_trans_enc_ctx;
548
549	/* We must have a partial context here. */
550
551	if (!ec \|\| !ec->es \|\| ec->auth_ntlmssp_state == NULL \|\| ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
552	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
553	return NT_STATUS_INVALID_PARAMETER;
554	}
555
556	blob = data_blob_const(ppdata, p_data_size);
557	if (!spnego_parse_auth(blob, &auth)) {
558	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
559	return NT_STATUS_INVALID_PARAMETER;
560	}
561
562	status = auth_ntlmssp_update(ec->auth_ntlmssp_state, auth, &auth_reply);
563	data_blob_free(&auth);
564
565	/* From RFC4178.
566	*
567	* supportedMech
568	*
569	* This field SHALL only be present in the first reply from the
570	* target.
571	* So set mechOID to NULL here.
572	*/
573
574	response = spnego_gen_auth_response(&auth_reply, status, NULL);
575	data_blob_free(&auth_reply);
576
577	if (NT_STATUS_IS_OK(status)) {
578	/* Return the context we're using for this encryption state. */
579	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
580	return NT_STATUS_NO_MEMORY;
581	}
582	SSVAL(*pparam,0,ec->es->enc_ctx_num);
583	*p_param_size = 2;
584	}
585
586	SAFE_FREE(*ppdata);
587	*ppdata = response.data;
588	*p_data_size = response.length;
589	return status;
590	}
591
592	/******************************************************************************
593	Raw NTLM encryption negotiation. Parameters are in/out.
594	This function does both steps.
595	******************************************************************************/
596
597	static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn,
598	unsigned char **ppdata,
599	size_t *p_data_size,
600	unsigned char **pparam,
601	size_t *p_param_size)
602	{
603	NTSTATUS status;
604	DATA_BLOB blob = data_blob_const(ppdata, p_data_size);
605	DATA_BLOB response = data_blob_null;
606	struct smb_srv_trans_enc_ctx *ec;
607
608	if (!partial_srv_trans_enc_ctx) {
609	/* This is the initial step. */
610	status = srv_enc_ntlm_negotiate(ppdata, p_data_size, blob, false);
611	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
612	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
613	return nt_status_squash(status);
614	}
615	return status;
616	}
617
618	ec = partial_srv_trans_enc_ctx;
619	if (!ec \|\| !ec->es \|\| ec->auth_ntlmssp_state == NULL \|\| ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
620	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
621	return NT_STATUS_INVALID_PARAMETER;
622	}
623
624	/* Second step. */
625	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, blob, &response);
626
627	if (NT_STATUS_IS_OK(status)) {
628	/* Return the context we're using for this encryption state. */
629	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
630	return NT_STATUS_NO_MEMORY;
631	}
632	SSVAL(*pparam,0,ec->es->enc_ctx_num);
633	*p_param_size = 2;
634	}
635
636	/* Return the raw blob. */
637	SAFE_FREE(*ppdata);
638	*ppdata = response.data;
639	*p_data_size = response.length;
640	return status;
641	}
642
643	/******************************************************************************
644	Do the SPNEGO encryption negotiation. Parameters are in/out.
645	******************************************************************************/
646
647	NTSTATUS srv_request_encryption_setup(connection_struct *conn,
648	unsigned char **ppdata,
649	size_t *p_data_size,
650	unsigned char **pparam,
651	size_t *p_param_size)
652	{
653	unsigned char pdata = ppdata;
654
655	SAFE_FREE(*pparam);
656	*p_param_size = 0;
657
658	if (*p_data_size < 1) {
659	return NT_STATUS_INVALID_PARAMETER;
660	}
661
662	if (pdata[0] == ASN1_APPLICATION(0)) {
663	/* its a negTokenTarg packet */
664	return srv_enc_spnego_negotiate(conn, ppdata, p_data_size, pparam, p_param_size);
665	}
666
667	if (pdata[0] == ASN1_CONTEXT(1)) {
668	/* It's an auth packet */
669	return srv_enc_spnego_ntlm_auth(conn, ppdata, p_data_size, pparam, p_param_size);
670	}
671
672	/* Maybe it's a raw unwrapped auth ? */
673	if (*p_data_size < 7) {
674	return NT_STATUS_INVALID_PARAMETER;
675	}
676
677	if (strncmp((char *)pdata, "NTLMSSP", 7) == 0) {
678	return srv_enc_raw_ntlm_auth(conn, ppdata, p_data_size, pparam, p_param_size);
679	}
680
681	DEBUG(1,("srv_request_encryption_setup: Unknown packet\n"));
682
683	return NT_STATUS_LOGON_FAILURE;
684	}
685
686	/******************************************************************************
687	Negotiation was successful - turn on server-side encryption.
688	******************************************************************************/
689
690	static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
691	{
692	if (!ec \|\| !ec->es) {
693	return NT_STATUS_LOGON_FAILURE;
694	}
695
696	if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
697	if ((ec->es->s.ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN\|NTLMSSP_NEGOTIATE_SEAL)) !=
698	(NTLMSSP_NEGOTIATE_SIGN\|NTLMSSP_NEGOTIATE_SEAL)) {
699	return NT_STATUS_INVALID_PARAMETER;
700	}
701	}
702	/* Todo - check gssapi case. */
703
704	return NT_STATUS_OK;
705	}
706
707	/******************************************************************************
708	Negotiation was successful - turn on server-side encryption.
709	******************************************************************************/
710
711	NTSTATUS srv_encryption_start(connection_struct *conn)
712	{
713	NTSTATUS status;
714
715	/* Check that we are really doing sign+seal. */
716	status = check_enc_good(partial_srv_trans_enc_ctx);
717	if (!NT_STATUS_IS_OK(status)) {
718	return status;
719	}
720	/* Throw away the context we're using currently (if any). */
721	srv_free_encryption_context(&srv_trans_enc_ctx);
722
723	/* Steal the partial pointer. Deliberate shallow copy. */
724	srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
725	srv_trans_enc_ctx->es->enc_on = true;
726
727	partial_srv_trans_enc_ctx = NULL;
728
729	DEBUG(1,("srv_encryption_start: context negotiated\n"));
730	return NT_STATUS_OK;
731	}
732
733	/******************************************************************************
734	Shutdown all server contexts.
735	******************************************************************************/
736
737	void server_encryption_shutdown(void)
738	{
739	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
740	srv_free_encryption_context(&srv_trans_enc_ctx);
741	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: