source: vendor/current/source3/smbd/seal.c

Last change on this file was 988, checked in by Silvan Scherrer, 9 years ago

Samba Server: update vendor to version 4.4.3
File size: 8.8 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18*/
19
20#include "includes.h"
21#include "smbd/smbd.h"
22#include "smbd/globals.h"
23#include "../libcli/smb/smb_seal.h"
24#include "auth.h"
25#include "libsmb/libsmb.h"
26#include "../lib/tsocket/tsocket.h"
27#include "auth/gensec/gensec.h"
28
29/******************************************************************************
30 Server side encryption.
31******************************************************************************/
32
33/******************************************************************************
34 Return global enc context - this must change if we ever do multiple contexts.
35******************************************************************************/
36
37static uint16_t srv_enc_ctx(const struct smb_trans_enc_state *es)
38{
39 return es->enc_ctx_num;
40}
41
42/******************************************************************************
43 Is this an incoming encrypted packet ?
44******************************************************************************/
45
46bool is_encrypted_packet(const uint8_t *inbuf)
47{
48 NTSTATUS status;
49 uint16_t enc_num;
50
51 /* Ignore non-session messages or non 0xFF'E' messages. */
52 if(CVAL(inbuf,0)
53 || (smb_len(inbuf) < 8)
54 || !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
55 return false;
56 }
57
58 status = get_enc_ctx_num(inbuf, &enc_num);
59 if (!NT_STATUS_IS_OK(status)) {
60 return false;
61 }
62
63 /* Encrypted messages are 0xFF'E'<ctx> */
64 if (srv_trans_enc_ctx && enc_num == srv_enc_ctx(srv_trans_enc_ctx)) {
65 return true;
66 }
67 return false;
68}
69
70/******************************************************************************
71 Create an gensec_security and ensure pointer copy is correct.
72******************************************************************************/
73
74static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
75 struct smb_trans_enc_state *es)
76{
77 NTSTATUS status;
78
79 status = auth_generic_prepare(es, remote_address,
80 &es->gensec_security);
81 if (!NT_STATUS_IS_OK(status)) {
82 return nt_status_squash(status);
83 }
84
85 gensec_want_feature(es->gensec_security, GENSEC_FEATURE_SEAL);
86
87 /*
88 * We could be accessing the secrets.tdb or krb5.keytab file here.
89 * ensure we have permissions to do so.
90 */
91 become_root();
92
93 status = gensec_start_mech_by_oid(es->gensec_security, GENSEC_OID_SPNEGO);
94
95 unbecome_root();
96
97 if (!NT_STATUS_IS_OK(status)) {
98 return nt_status_squash(status);
99 }
100
101 return status;
102}
103
104/******************************************************************************
105 Create a server encryption context.
106******************************************************************************/
107
108static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
109 struct smb_trans_enc_state **pp_es)
110{
111 NTSTATUS status;
112 struct smb_trans_enc_state *es;
113
114 *pp_es = NULL;
115
116 ZERO_STRUCTP(partial_srv_trans_enc_ctx);
117 es = talloc_zero(NULL, struct smb_trans_enc_state);
118 if (!es) {
119 return NT_STATUS_NO_MEMORY;
120 }
121 status = make_auth_gensec(remote_address,
122 es);
123 if (!NT_STATUS_IS_OK(status)) {
124 TALLOC_FREE(es);
125 return status;
126 }
127 *pp_es = es;
128 return NT_STATUS_OK;
129}
130
131/******************************************************************************
132 Free an encryption-allocated buffer.
133******************************************************************************/
134
135void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
136{
137 /* We know this is an smb buffer, and we
138 * didn't malloc, only copy, for a keepalive,
139 * so ignore non-session messages. */
140
141 if(CVAL(buf,0)) {
142 return;
143 }
144
145 if (srv_trans_enc_ctx) {
146 common_free_enc_buffer(srv_trans_enc_ctx, buf);
147 }
148}
149
150/******************************************************************************
151 Decrypt an incoming buffer.
152******************************************************************************/
153
154NTSTATUS srv_decrypt_buffer(struct smbXsrv_connection *xconn, char *buf)
155{
156 /* Ignore non-session messages. */
157 if(CVAL(buf,0)) {
158 return NT_STATUS_OK;
159 }
160
161 if (srv_trans_enc_ctx) {
162 return common_decrypt_buffer(srv_trans_enc_ctx, buf);
163 }
164
165 return NT_STATUS_OK;
166}
167
168/******************************************************************************
169 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
170******************************************************************************/
171
172NTSTATUS srv_encrypt_buffer(struct smbXsrv_connection *xconn, char *buf,
173 char **buf_out)
174{
175 *buf_out = buf;
176
177 /* Ignore non-session messages. */
178 if(CVAL(buf,0)) {
179 return NT_STATUS_OK;
180 }
181
182 if (srv_trans_enc_ctx) {
183 return common_encrypt_buffer(srv_trans_enc_ctx, buf, buf_out);
184 }
185 /* Not encrypting. */
186 return NT_STATUS_OK;
187}
188
189/******************************************************************************
190 Do the SPNEGO encryption negotiation. Parameters are in/out.
191******************************************************************************/
192
193NTSTATUS srv_request_encryption_setup(connection_struct *conn,
194 unsigned char **ppdata,
195 size_t *p_data_size,
196 unsigned char **pparam,
197 size_t *p_param_size)
198{
199 NTSTATUS status;
200 DATA_BLOB blob = data_blob_const(*ppdata, *p_data_size);
201 DATA_BLOB response = data_blob_null;
202 struct smb_trans_enc_state *es;
203
204 SAFE_FREE(*pparam);
205 *p_param_size = 0;
206
207 if (!partial_srv_trans_enc_ctx) {
208 /* This is the initial step. */
209 status = make_srv_encryption_context(conn->sconn->remote_address,
210 &partial_srv_trans_enc_ctx);
211 if (!NT_STATUS_IS_OK(status)) {
212 return status;
213 }
214 }
215
216 es = partial_srv_trans_enc_ctx;
217 if (!es || es->gensec_security == NULL) {
218 TALLOC_FREE(partial_srv_trans_enc_ctx);
219 return NT_STATUS_INVALID_PARAMETER;
220 }
221
222 /* Second step. */
223 become_root();
224 status = gensec_update(es->gensec_security,
225 talloc_tos(),
226 blob, &response);
227 unbecome_root();
228 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
229 !NT_STATUS_IS_OK(status)) {
230 TALLOC_FREE(partial_srv_trans_enc_ctx);
231 return nt_status_squash(status);
232 }
233
234 if (NT_STATUS_IS_OK(status)) {
235 /* Return the context we're using for this encryption state. */
236 if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
237 return NT_STATUS_NO_MEMORY;
238 }
239 SSVAL(*pparam, 0, es->enc_ctx_num);
240 *p_param_size = 2;
241 }
242
243 /* Return the raw blob. */
244 SAFE_FREE(*ppdata);
245 *ppdata = (unsigned char *)smb_memdup(response.data, response.length);
246 if ((*ppdata) == NULL && response.length > 0)
247 return NT_STATUS_NO_MEMORY;
248 *p_data_size = response.length;
249 data_blob_free(&response);
250 return status;
251}
252
253/******************************************************************************
254 Negotiation was successful - turn on server-side encryption.
255******************************************************************************/
256
257static NTSTATUS check_enc_good(struct smb_trans_enc_state *es)
258{
259 if (!es) {
260 return NT_STATUS_LOGON_FAILURE;
261 }
262
263 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SIGN)) {
264 return NT_STATUS_INVALID_PARAMETER;
265 }
266
267 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SEAL)) {
268 return NT_STATUS_INVALID_PARAMETER;
269 }
270 return NT_STATUS_OK;
271}
272
273/******************************************************************************
274 Negotiation was successful - turn on server-side encryption.
275******************************************************************************/
276
277NTSTATUS srv_encryption_start(connection_struct *conn)
278{
279 NTSTATUS status;
280
281 /* Check that we are really doing sign+seal. */
282 status = check_enc_good(partial_srv_trans_enc_ctx);
283 if (!NT_STATUS_IS_OK(status)) {
284 return status;
285 }
286 /* Throw away the context we're using currently (if any). */
287 TALLOC_FREE(srv_trans_enc_ctx);
288
289 /* Steal the partial pointer. Deliberate shallow copy. */
290 srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
291 srv_trans_enc_ctx->enc_on = true;
292
293 partial_srv_trans_enc_ctx = NULL;
294
295 DEBUG(1,("srv_encryption_start: context negotiated\n"));
296 return NT_STATUS_OK;
297}
298
299/******************************************************************************
300 Shutdown all server contexts.
301******************************************************************************/
302
303void server_encryption_shutdown(struct smbXsrv_connection *xconn)
304{
305 TALLOC_FREE(partial_srv_trans_enc_ctx);
306 TALLOC_FREE(srv_trans_enc_ctx);
307}
Note: See TracBrowser for help on using the repository browser.