Context Navigation

seal.c@ 832

Visit:

Last change on this file since 832 was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 22.6 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	SMB Transport encryption (sealing) code - server code.
4	Copyright (C) Jeremy Allison 2007.
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21	#include "smbd/smbd.h"
22	#include "smbd/globals.h"
23	#include "../libcli/auth/spnego.h"
24	#include "../libcli/auth/ntlmssp.h"
25	#include "ntlmssp_wrap.h"
26	#include "smb_crypt.h"
27	#include "../lib/util/asn1.h"
28	#include "auth.h"
29	#include "libsmb/libsmb.h"
30
31	/******************************************************************************
32	Server side encryption.
33	******************************************************************************/
34
35	/******************************************************************************
36	Global server state.
37	******************************************************************************/
38
39	struct smb_srv_trans_enc_ctx {
40	struct smb_trans_enc_state *es;
41	struct auth_ntlmssp_state auth_ntlmssp_state; / Must be kept in sync with pointer in ec->ntlmssp_state. */
42	};
43
44	/******************************************************************************
45	Return global enc context - this must change if we ever do multiple contexts.
46	******************************************************************************/
47
48	uint16_t srv_enc_ctx(void)
49	{
50	return srv_trans_enc_ctx->es->enc_ctx_num;
51	}
52
53	/******************************************************************************
54	Is this an incoming encrypted packet ?
55	******************************************************************************/
56
57	bool is_encrypted_packet(const uint8_t *inbuf)
58	{
59	NTSTATUS status;
60	uint16_t enc_num;
61
62	/* Ignore non-session messages or non 0xFF'E' messages. */
63	if(CVAL(inbuf,0)
64	\|\| (smb_len(inbuf) < 8)
65	\|\| !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
66	return false;
67	}
68
69	status = get_enc_ctx_num(inbuf, &enc_num);
70	if (!NT_STATUS_IS_OK(status)) {
71	return false;
72	}
73
74	/* Encrypted messages are 0xFF'E'<ctx> */
75	if (srv_trans_enc_ctx && enc_num == srv_enc_ctx()) {
76	return true;
77	}
78	return false;
79	}
80
81	/******************************************************************************
82	Create an auth_ntlmssp_state and ensure pointer copy is correct.
83	******************************************************************************/
84
85	static NTSTATUS make_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
86	{
87	NTSTATUS status = auth_ntlmssp_start(&ec->auth_ntlmssp_state);
88	if (!NT_STATUS_IS_OK(status)) {
89	return nt_status_squash(status);
90	}
91
92	/*
93	* We must remember to update the pointer copy for the common
94	* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
95	*/
96	ec->es->s.ntlmssp_state = auth_ntlmssp_get_ntlmssp_state(ec->auth_ntlmssp_state);
97	return status;
98	}
99
100	/******************************************************************************
101	Destroy an auth_ntlmssp_state and ensure pointer copy is correct.
102	******************************************************************************/
103
104	static void destroy_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
105	{
106	/*
107	* We must remember to update the pointer copy for the common
108	* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
109	*/
110
111	if (ec->auth_ntlmssp_state) {
112	TALLOC_FREE(ec->auth_ntlmssp_state);
113	/* The auth_ntlmssp_end killed this already. */
114	ec->es->s.ntlmssp_state = NULL;
115	}
116	}
117
118	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
119
120	/******************************************************************************
121	Import a name.
122	******************************************************************************/
123
124	static NTSTATUS get_srv_gss_creds(const char *service,
125	const char *name,
126	gss_cred_usage_t cred_type,
127	gss_cred_id_t *p_srv_cred)
128	{
129	OM_uint32 ret;
130	OM_uint32 min;
131	gss_name_t srv_name;
132	gss_buffer_desc input_name;
133	char *host_princ_s = NULL;
134	NTSTATUS status = NT_STATUS_OK;
135
136	gss_OID_desc nt_hostbased_service =
137	{10, CONST_DISCARD(char *,"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")};
138
139	if (asprintf(&host_princ_s, "%s@%s", service, name) == -1) {
140	return NT_STATUS_NO_MEMORY;
141	}
142
143	input_name.value = host_princ_s;
144	input_name.length = strlen(host_princ_s) + 1;
145
146	ret = gss_import_name(&min,
147	&input_name,
148	&nt_hostbased_service,
149	&srv_name);
150
151	DEBUG(10,("get_srv_gss_creds: imported name %s\n",
152	host_princ_s ));
153
154	if (ret != GSS_S_COMPLETE) {
155	SAFE_FREE(host_princ_s);
156	return map_nt_error_from_gss(ret, min);
157	}
158
159	/*
160	* We're accessing the krb5.keytab file here.
161	* ensure we have permissions to do so.
162	*/
163	become_root();
164
165	ret = gss_acquire_cred(&min,
166	srv_name,
167	GSS_C_INDEFINITE,
168	GSS_C_NULL_OID_SET,
169	cred_type,
170	p_srv_cred,
171	NULL,
172	NULL);
173	unbecome_root();
174
175	if (ret != GSS_S_COMPLETE) {
176	ADS_STATUS adss = ADS_ERROR_GSS(ret, min);
177	DEBUG(10,("get_srv_gss_creds: gss_acquire_cred failed with %s\n",
178	ads_errstr(adss)));
179	status = map_nt_error_from_gss(ret, min);
180	}
181
182	SAFE_FREE(host_princ_s);
183	gss_release_name(&min, &srv_name);
184	return status;
185	}
186
187	/******************************************************************************
188	Create a gss state.
189	Try and get the cifs/server@realm principal first, then fall back to
190	host/server@realm.
191	******************************************************************************/
192
193	static NTSTATUS make_auth_gss(struct smb_srv_trans_enc_ctx *ec)
194	{
195	NTSTATUS status;
196	gss_cred_id_t srv_cred;
197	fstring fqdn;
198
199	name_to_fqdn(fqdn, global_myname());
200	strlower_m(fqdn);
201
202	status = get_srv_gss_creds("cifs", fqdn, GSS_C_ACCEPT, &srv_cred);
203	if (!NT_STATUS_IS_OK(status)) {
204	status = get_srv_gss_creds("host", fqdn, GSS_C_ACCEPT, &srv_cred);
205	if (!NT_STATUS_IS_OK(status)) {
206	return nt_status_squash(status);
207	}
208	}
209
210	ec->es->s.gss_state = SMB_MALLOC_P(struct smb_tran_enc_state_gss);
211	if (!ec->es->s.gss_state) {
212	OM_uint32 min;
213	gss_release_cred(&min, &srv_cred);
214	return NT_STATUS_NO_MEMORY;
215	}
216	ZERO_STRUCTP(ec->es->s.gss_state);
217	ec->es->s.gss_state->creds = srv_cred;
218
219	/* No context yet. */
220	ec->es->s.gss_state->gss_ctx = GSS_C_NO_CONTEXT;
221
222	return NT_STATUS_OK;
223	}
224	#endif
225
226	/******************************************************************************
227	Shutdown a server encryption context.
228	******************************************************************************/
229
230	static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec)
231	{
232	struct smb_srv_trans_enc_ctx ec = pp_ec;
233
234	if (!ec) {
235	return;
236	}
237
238	if (ec->es) {
239	switch (ec->es->smb_enc_type) {
240	case SMB_TRANS_ENC_NTLM:
241	destroy_auth_ntlmssp(ec);
242	break;
243	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
244	case SMB_TRANS_ENC_GSS:
245	break;
246	#endif
247	}
248	common_free_encryption_state(&ec->es);
249	}
250
251	SAFE_FREE(ec);
252	*pp_ec = NULL;
253	}
254
255	/******************************************************************************
256	Create a server encryption context.
257	******************************************************************************/
258
259	static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type, struct smb_srv_trans_enc_ctx **pp_ec)
260	{
261	struct smb_srv_trans_enc_ctx *ec;
262
263	*pp_ec = NULL;
264
265	ec = SMB_MALLOC_P(struct smb_srv_trans_enc_ctx);
266	if (!ec) {
267	return NT_STATUS_NO_MEMORY;
268	}
269	ZERO_STRUCTP(partial_srv_trans_enc_ctx);
270	ec->es = SMB_MALLOC_P(struct smb_trans_enc_state);
271	if (!ec->es) {
272	SAFE_FREE(ec);
273	return NT_STATUS_NO_MEMORY;
274	}
275	ZERO_STRUCTP(ec->es);
276	ec->es->smb_enc_type = smb_enc_type;
277	switch (smb_enc_type) {
278	case SMB_TRANS_ENC_NTLM:
279	{
280	NTSTATUS status = make_auth_ntlmssp(ec);
281	if (!NT_STATUS_IS_OK(status)) {
282	srv_free_encryption_context(&ec);
283	return status;
284	}
285	}
286	break;
287
288	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
289	case SMB_TRANS_ENC_GSS:
290	/* Acquire our credentials by calling gss_acquire_cred here. */
291	{
292	NTSTATUS status = make_auth_gss(ec);
293	if (!NT_STATUS_IS_OK(status)) {
294	srv_free_encryption_context(&ec);
295	return status;
296	}
297	}
298	break;
299	#endif
300	default:
301	srv_free_encryption_context(&ec);
302	return NT_STATUS_INVALID_PARAMETER;
303	}
304	*pp_ec = ec;
305	return NT_STATUS_OK;
306	}
307
308	/******************************************************************************
309	Free an encryption-allocated buffer.
310	******************************************************************************/
311
312	void srv_free_enc_buffer(char *buf)
313	{
314	/* We know this is an smb buffer, and we
315	* didn't malloc, only copy, for a keepalive,
316	* so ignore non-session messages. */
317
318	if(CVAL(buf,0)) {
319	return;
320	}
321
322	if (srv_trans_enc_ctx) {
323	common_free_enc_buffer(srv_trans_enc_ctx->es, buf);
324	}
325	}
326
327	/******************************************************************************
328	Decrypt an incoming buffer.
329	******************************************************************************/
330
331	NTSTATUS srv_decrypt_buffer(char *buf)
332	{
333	/* Ignore non-session messages. */
334	if(CVAL(buf,0)) {
335	return NT_STATUS_OK;
336	}
337
338	if (srv_trans_enc_ctx) {
339	return common_decrypt_buffer(srv_trans_enc_ctx->es, buf);
340	}
341
342	return NT_STATUS_OK;
343	}
344
345	/******************************************************************************
346	Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
347	******************************************************************************/
348
349	NTSTATUS srv_encrypt_buffer(char buf, char *buf_out)
350	{
351	*buf_out = buf;
352
353	/* Ignore non-session messages. */
354	if(CVAL(buf,0)) {
355	return NT_STATUS_OK;
356	}
357
358	if (srv_trans_enc_ctx) {
359	return common_encrypt_buffer(srv_trans_enc_ctx->es, buf, buf_out);
360	}
361	/* Not encrypting. */
362	return NT_STATUS_OK;
363	}
364
365	/******************************************************************************
366	Do the gss encryption negotiation. Parameters are in/out.
367	Until success we do everything on the partial enc ctx.
368	******************************************************************************/
369
370	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
371	static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char *ppdata, size_t p_data_size, DATA_BLOB secblob)
372	{
373	OM_uint32 ret;
374	OM_uint32 min;
375	OM_uint32 flags = 0;
376	gss_buffer_desc in_buf, out_buf;
377	struct smb_tran_enc_state_gss *gss_state;
378	DATA_BLOB auth_reply = data_blob_null;
379	DATA_BLOB response = data_blob_null;
380	NTSTATUS status;
381
382	if (!partial_srv_trans_enc_ctx) {
383	status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx);
384	if (!NT_STATUS_IS_OK(status)) {
385	return status;
386	}
387	}
388
389	gss_state = partial_srv_trans_enc_ctx->es->s.gss_state;
390
391	in_buf.value = secblob.data;
392	in_buf.length = secblob.length;
393
394	out_buf.value = NULL;
395	out_buf.length = 0;
396
397	become_root();
398
399	ret = gss_accept_sec_context(&min,
400	&gss_state->gss_ctx,
401	gss_state->creds,
402	&in_buf,
403	GSS_C_NO_CHANNEL_BINDINGS,
404	NULL,
405	NULL, /* Ignore oids. */
406	&out_buf, /* To return. */
407	&flags,
408	NULL, /* Ingore time. */
409	NULL); /* Ignore delegated creds. */
410	unbecome_root();
411
412	status = gss_err_to_ntstatus(ret, min);
413	if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
414	return status;
415	}
416
417	/* Ensure we've got sign+seal available. */
418	if (ret == GSS_S_COMPLETE) {
419	if ((flags & (GSS_C_INTEG_FLAG\|GSS_C_CONF_FLAG\|GSS_C_REPLAY_FLAG\|GSS_C_SEQUENCE_FLAG)) !=
420	(GSS_C_INTEG_FLAG\|GSS_C_CONF_FLAG\|GSS_C_REPLAY_FLAG\|GSS_C_SEQUENCE_FLAG)) {
421	DEBUG(0,("srv_enc_spnego_gss_negotiate: quality of service not good enough "
422	"for SMB sealing.\n"));
423	gss_release_buffer(&min, &out_buf);
424	return NT_STATUS_ACCESS_DENIED;
425	}
426	}
427
428	auth_reply = data_blob(out_buf.value, out_buf.length);
429	gss_release_buffer(&min, &out_buf);
430
431	/* Wrap in SPNEGO. */
432	response = spnego_gen_auth_response(talloc_tos(), &auth_reply, status, OID_KERBEROS5);
433	data_blob_free(&auth_reply);
434
435	SAFE_FREE(*ppdata);
436	ppdata = (unsigned char )memdup(response.data, response.length);
437	if ((*ppdata) == NULL && response.length > 0) {
438	status = NT_STATUS_NO_MEMORY;
439	}
440	*p_data_size = response.length;
441
442	data_blob_free(&response);
443
444	return status;
445	}
446	#endif
447
448	/******************************************************************************
449	Do the NTLM SPNEGO (or raw) encryption negotiation. Parameters are in/out.
450	Until success we do everything on the partial enc ctx.
451	******************************************************************************/
452
453	static NTSTATUS srv_enc_ntlm_negotiate(unsigned char *ppdata, size_t p_data_size, DATA_BLOB secblob, bool spnego_wrap)
454	{
455	NTSTATUS status;
456	DATA_BLOB chal = data_blob_null;
457	DATA_BLOB response = data_blob_null;
458
459	status = make_srv_encryption_context(SMB_TRANS_ENC_NTLM, &partial_srv_trans_enc_ctx);
460	if (!NT_STATUS_IS_OK(status)) {
461	return status;
462	}
463
464	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, secblob, &chal);
465
466	/* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
467	* for success ... */
468
469	if (spnego_wrap) {
470	response = spnego_gen_auth_response(talloc_tos(), &chal, status, OID_NTLMSSP);
471	data_blob_free(&chal);
472	} else {
473	/* Return the raw blob. */
474	response = chal;
475	}
476
477	SAFE_FREE(*ppdata);
478	ppdata = (unsigned char )memdup(response.data, response.length);
479	if ((*ppdata) == NULL && response.length > 0) {
480	status = NT_STATUS_NO_MEMORY;
481	}
482	*p_data_size = response.length;
483	data_blob_free(&response);
484
485	return status;
486	}
487
488	/******************************************************************************
489	Do the SPNEGO encryption negotiation. Parameters are in/out.
490	Based off code in smbd/sesssionsetup.c
491	Until success we do everything on the partial enc ctx.
492	******************************************************************************/
493
494	static NTSTATUS srv_enc_spnego_negotiate(connection_struct *conn,
495	unsigned char **ppdata,
496	size_t *p_data_size,
497	unsigned char **pparam,
498	size_t *p_param_size)
499	{
500	NTSTATUS status;
501	DATA_BLOB blob = data_blob_null;
502	DATA_BLOB secblob = data_blob_null;
503	char *kerb_mech = NULL;
504
505	blob = data_blob_const(ppdata, p_data_size);
506
507	status = parse_spnego_mechanisms(talloc_tos(), blob, &secblob, &kerb_mech);
508	if (!NT_STATUS_IS_OK(status)) {
509	return nt_status_squash(status);
510	}
511
512	/* We should have no partial context at this point. */
513
514	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
515
516	if (kerb_mech) {
517	TALLOC_FREE(kerb_mech);
518
519	#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
520	status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
521	#else
522	/* Currently we don't SPNEGO negotiate
523	* back to NTLMSSP as we do in sessionsetupX. We should... */
524	return NT_STATUS_LOGON_FAILURE;
525	#endif
526	} else {
527	status = srv_enc_ntlm_negotiate(ppdata, p_data_size, secblob, true);
528	}
529
530	data_blob_free(&secblob);
531
532	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
533	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
534	return nt_status_squash(status);
535	}
536
537	if (NT_STATUS_IS_OK(status)) {
538	/* Return the context we're using for this encryption state. */
539	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
540	return NT_STATUS_NO_MEMORY;
541	}
542	SSVAL(*pparam,0,partial_srv_trans_enc_ctx->es->enc_ctx_num);
543	*p_param_size = 2;
544	}
545
546	return status;
547	}
548
549	/******************************************************************************
550	Complete a SPNEGO encryption negotiation. Parameters are in/out.
551	We only get this for a NTLM auth second stage.
552	******************************************************************************/
553
554	static NTSTATUS srv_enc_spnego_ntlm_auth(connection_struct *conn,
555	unsigned char **ppdata,
556	size_t *p_data_size,
557	unsigned char **pparam,
558	size_t *p_param_size)
559	{
560	NTSTATUS status;
561	DATA_BLOB blob = data_blob_null;
562	DATA_BLOB auth = data_blob_null;
563	DATA_BLOB auth_reply = data_blob_null;
564	DATA_BLOB response = data_blob_null;
565	struct smb_srv_trans_enc_ctx *ec = partial_srv_trans_enc_ctx;
566
567	/* We must have a partial context here. */
568
569	if (!ec \|\| !ec->es \|\| ec->auth_ntlmssp_state == NULL \|\| ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
570	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
571	return NT_STATUS_INVALID_PARAMETER;
572	}
573
574	blob = data_blob_const(ppdata, p_data_size);
575	if (!spnego_parse_auth(talloc_tos(), blob, &auth)) {
576	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
577	return NT_STATUS_INVALID_PARAMETER;
578	}
579
580	status = auth_ntlmssp_update(ec->auth_ntlmssp_state, auth, &auth_reply);
581	data_blob_free(&auth);
582
583	/* From RFC4178.
584	*
585	* supportedMech
586	*
587	* This field SHALL only be present in the first reply from the
588	* target.
589	* So set mechOID to NULL here.
590	*/
591
592	response = spnego_gen_auth_response(talloc_tos(), &auth_reply, status, NULL);
593	data_blob_free(&auth_reply);
594
595	if (NT_STATUS_IS_OK(status)) {
596	/* Return the context we're using for this encryption state. */
597	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
598	return NT_STATUS_NO_MEMORY;
599	}
600	SSVAL(*pparam,0,ec->es->enc_ctx_num);
601	*p_param_size = 2;
602	}
603
604	SAFE_FREE(*ppdata);
605	ppdata = (unsigned char )memdup(response.data, response.length);
606	if ((*ppdata) == NULL && response.length > 0)
607	return NT_STATUS_NO_MEMORY;
608	*p_data_size = response.length;
609	data_blob_free(&response);
610	return status;
611	}
612
613	/******************************************************************************
614	Raw NTLM encryption negotiation. Parameters are in/out.
615	This function does both steps.
616	******************************************************************************/
617
618	static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn,
619	unsigned char **ppdata,
620	size_t *p_data_size,
621	unsigned char **pparam,
622	size_t *p_param_size)
623	{
624	NTSTATUS status;
625	DATA_BLOB blob = data_blob_const(ppdata, p_data_size);
626	DATA_BLOB response = data_blob_null;
627	struct smb_srv_trans_enc_ctx *ec;
628
629	if (!partial_srv_trans_enc_ctx) {
630	/* This is the initial step. */
631	status = srv_enc_ntlm_negotiate(ppdata, p_data_size, blob, false);
632	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
633	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
634	return nt_status_squash(status);
635	}
636	return status;
637	}
638
639	ec = partial_srv_trans_enc_ctx;
640	if (!ec \|\| !ec->es \|\| ec->auth_ntlmssp_state == NULL \|\| ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
641	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
642	return NT_STATUS_INVALID_PARAMETER;
643	}
644
645	/* Second step. */
646	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, blob, &response);
647
648	if (NT_STATUS_IS_OK(status)) {
649	/* Return the context we're using for this encryption state. */
650	if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
651	return NT_STATUS_NO_MEMORY;
652	}
653	SSVAL(*pparam,0,ec->es->enc_ctx_num);
654	*p_param_size = 2;
655	}
656
657	/* Return the raw blob. */
658	SAFE_FREE(*ppdata);
659	ppdata = (unsigned char )memdup(response.data, response.length);
660	if ((*ppdata) == NULL && response.length > 0)
661	return NT_STATUS_NO_MEMORY;
662	*p_data_size = response.length;
663	data_blob_free(&response);
664	return status;
665	}
666
667	/******************************************************************************
668	Do the SPNEGO encryption negotiation. Parameters are in/out.
669	******************************************************************************/
670
671	NTSTATUS srv_request_encryption_setup(connection_struct *conn,
672	unsigned char **ppdata,
673	size_t *p_data_size,
674	unsigned char **pparam,
675	size_t *p_param_size)
676	{
677	unsigned char pdata = ppdata;
678
679	SAFE_FREE(*pparam);
680	*p_param_size = 0;
681
682	if (*p_data_size < 1) {
683	return NT_STATUS_INVALID_PARAMETER;
684	}
685
686	if (pdata[0] == ASN1_APPLICATION(0)) {
687	/* its a negTokenTarg packet */
688	return srv_enc_spnego_negotiate(conn, ppdata, p_data_size, pparam, p_param_size);
689	}
690
691	if (pdata[0] == ASN1_CONTEXT(1)) {
692	/* It's an auth packet */
693	return srv_enc_spnego_ntlm_auth(conn, ppdata, p_data_size, pparam, p_param_size);
694	}
695
696	/* Maybe it's a raw unwrapped auth ? */
697	if (*p_data_size < 7) {
698	return NT_STATUS_INVALID_PARAMETER;
699	}
700
701	if (strncmp((char *)pdata, "NTLMSSP", 7) == 0) {
702	return srv_enc_raw_ntlm_auth(conn, ppdata, p_data_size, pparam, p_param_size);
703	}
704
705	DEBUG(1,("srv_request_encryption_setup: Unknown packet\n"));
706
707	return NT_STATUS_LOGON_FAILURE;
708	}
709
710	/******************************************************************************
711	Negotiation was successful - turn on server-side encryption.
712	******************************************************************************/
713
714	static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
715	{
716	if (!ec \|\| !ec->es) {
717	return NT_STATUS_LOGON_FAILURE;
718	}
719
720	if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
721	if (!auth_ntlmssp_negotiated_sign((ec->auth_ntlmssp_state))) {
722	return NT_STATUS_INVALID_PARAMETER;
723	}
724
725	if (!auth_ntlmssp_negotiated_seal((ec->auth_ntlmssp_state))) {
726	return NT_STATUS_INVALID_PARAMETER;
727	}
728	}
729	/* Todo - check gssapi case. */
730
731	return NT_STATUS_OK;
732	}
733
734	/******************************************************************************
735	Negotiation was successful - turn on server-side encryption.
736	******************************************************************************/
737
738	NTSTATUS srv_encryption_start(connection_struct *conn)
739	{
740	NTSTATUS status;
741
742	/* Check that we are really doing sign+seal. */
743	status = check_enc_good(partial_srv_trans_enc_ctx);
744	if (!NT_STATUS_IS_OK(status)) {
745	return status;
746	}
747	/* Throw away the context we're using currently (if any). */
748	srv_free_encryption_context(&srv_trans_enc_ctx);
749
750	/* Steal the partial pointer. Deliberate shallow copy. */
751	srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
752	srv_trans_enc_ctx->es->enc_on = true;
753
754	partial_srv_trans_enc_ctx = NULL;
755
756	DEBUG(1,("srv_encryption_start: context negotiated\n"));
757	return NT_STATUS_OK;
758	}
759
760	/******************************************************************************
761	Shutdown all server contexts.
762	******************************************************************************/
763
764	void server_encryption_shutdown(void)
765	{
766	srv_free_encryption_context(&partial_srv_trans_enc_ctx);
767	srv_free_encryption_context(&srv_trans_enc_ctx);
768	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source3/smbd/seal.c@ 832

Download in other formats: