search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbd: pass smbXsrv_connection to smb1 encryption functions
[Samba.git] / source3 / smbd / seal.c
blobe088d749d4634ba735473b23dcd4f41e85b7a725
1 /*
2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/auth/spnego.h"
24 #include "../libcli/smb/smb_seal.h"
25 #include "../lib/util/asn1.h"
26 #include "auth.h"
27 #include "libsmb/libsmb.h"
28 #include "../lib/tsocket/tsocket.h"
29 #include "auth/gensec/gensec.h"
30
31 /******************************************************************************
32 Server side encryption.
33 ******************************************************************************/
34
35 /******************************************************************************
36 Return global enc context - this must change if we ever do multiple contexts.
37 ******************************************************************************/
38
39 static uint16_t srv_enc_ctx(const struct smb_trans_enc_state *es)
40 {
41 return es->enc_ctx_num;
42 }
43
44 /******************************************************************************
45 Is this an incoming encrypted packet ?
46 ******************************************************************************/
47
48 bool is_encrypted_packet(const uint8_t *inbuf)
49 {
50 NTSTATUS status;
51 uint16_t enc_num;
52
53 /* Ignore non-session messages or non 0xFF'E' messages. */
54 if(CVAL(inbuf,0)
55 || (smb_len(inbuf) < 8)
56 || !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
57 return false;
58 }
59
60 status = get_enc_ctx_num(inbuf, &enc_num);
61 if (!NT_STATUS_IS_OK(status)) {
62 return false;
63 }
64
65 /* Encrypted messages are 0xFF'E'<ctx> */
66 if (srv_trans_enc_ctx && enc_num == srv_enc_ctx(srv_trans_enc_ctx)) {
67 return true;
68 }
69 return false;
70 }
71
72 /******************************************************************************
73 Create an gensec_security and ensure pointer copy is correct.
74 ******************************************************************************/
75
76 static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
77 struct smb_trans_enc_state *es)
78 {
79 NTSTATUS status;
80
81 status = auth_generic_prepare(es, remote_address,
82 &es->gensec_security);
83 if (!NT_STATUS_IS_OK(status)) {
84 return nt_status_squash(status);
85 }
86
87 gensec_want_feature(es->gensec_security, GENSEC_FEATURE_SEAL);
88
89 /*
90 * We could be accessing the secrets.tdb or krb5.keytab file here.
91 * ensure we have permissions to do so.
92 */
93 become_root();
94
95 status = gensec_start_mech_by_oid(es->gensec_security, GENSEC_OID_SPNEGO);
96
97 unbecome_root();
98
99 if (!NT_STATUS_IS_OK(status)) {
100 return nt_status_squash(status);
101 }
102
103 return status;
104 }
105
106 /******************************************************************************
107 Create a server encryption context.
108 ******************************************************************************/
109
110 static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
111 struct smb_trans_enc_state **pp_es)
112 {
113 NTSTATUS status;
114 struct smb_trans_enc_state *es;
115
116 *pp_es = NULL;
117
118 ZERO_STRUCTP(partial_srv_trans_enc_ctx);
119 es = talloc_zero(NULL, struct smb_trans_enc_state);
120 if (!es) {
121 return NT_STATUS_NO_MEMORY;
122 }
123 status = make_auth_gensec(remote_address,
124 es);
125 if (!NT_STATUS_IS_OK(status)) {
126 TALLOC_FREE(es);
127 return status;
128 }
129 *pp_es = es;
130 return NT_STATUS_OK;
131 }
132
133 /******************************************************************************
134 Free an encryption-allocated buffer.
135 ******************************************************************************/
136
137 void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
138 {
139 /* We know this is an smb buffer, and we
140 * didn't malloc, only copy, for a keepalive,
141 * so ignore non-session messages. */
142
143 if(CVAL(buf,0)) {
144 return;
145 }
146
147 if (srv_trans_enc_ctx) {
148 common_free_enc_buffer(srv_trans_enc_ctx, buf);
149 }
150 }
151
152 /******************************************************************************
153 Decrypt an incoming buffer.
154 ******************************************************************************/
155
156 NTSTATUS srv_decrypt_buffer(struct smbXsrv_connection *xconn, char *buf)
157 {
158 /* Ignore non-session messages. */
159 if(CVAL(buf,0)) {
160 return NT_STATUS_OK;
161 }
162
163 if (srv_trans_enc_ctx) {
164 return common_decrypt_buffer(srv_trans_enc_ctx, buf);
165 }
166
167 return NT_STATUS_OK;
168 }
169
170 /******************************************************************************
171 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
172 ******************************************************************************/
173
174 NTSTATUS srv_encrypt_buffer(struct smbXsrv_connection *xconn, char *buf,
175 char **buf_out)
176 {
177 *buf_out = buf;
178
179 /* Ignore non-session messages. */
180 if(CVAL(buf,0)) {
181 return NT_STATUS_OK;
182 }
183
184 if (srv_trans_enc_ctx) {
185 return common_encrypt_buffer(srv_trans_enc_ctx, buf, buf_out);
186 }
187 /* Not encrypting. */
188 return NT_STATUS_OK;
189 }
190
191 /******************************************************************************
192 Do the SPNEGO encryption negotiation. Parameters are in/out.
193 ******************************************************************************/
194
195 NTSTATUS srv_request_encryption_setup(connection_struct *conn,
196 unsigned char **ppdata,
197 size_t *p_data_size,
198 unsigned char **pparam,
199 size_t *p_param_size)
200 {
201 NTSTATUS status;
202 DATA_BLOB blob = data_blob_const(*ppdata, *p_data_size);
203 DATA_BLOB response = data_blob_null;
204 struct smb_trans_enc_state *es;
205
206 SAFE_FREE(*pparam);
207 *p_param_size = 0;
208
209 if (!partial_srv_trans_enc_ctx) {
210 /* This is the initial step. */
211 status = make_srv_encryption_context(conn->sconn->remote_address,
212 &partial_srv_trans_enc_ctx);
213 if (!NT_STATUS_IS_OK(status)) {
214 return status;
215 }
216 }
217
218 es = partial_srv_trans_enc_ctx;
219 if (!es || es->gensec_security == NULL) {
220 TALLOC_FREE(partial_srv_trans_enc_ctx);
221 return NT_STATUS_INVALID_PARAMETER;
222 }
223
224 /* Second step. */
225 become_root();
226 status = gensec_update(es->gensec_security,
227 talloc_tos(),
228 blob, &response);
229 unbecome_root();
230 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
231 !NT_STATUS_IS_OK(status)) {
232 TALLOC_FREE(partial_srv_trans_enc_ctx);
233 return nt_status_squash(status);
234 }
235
236 if (NT_STATUS_IS_OK(status)) {
237 /* Return the context we're using for this encryption state. */
238 if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
239 return NT_STATUS_NO_MEMORY;
240 }
241 SSVAL(*pparam, 0, es->enc_ctx_num);
242 *p_param_size = 2;
243 }
244
245 /* Return the raw blob. */
246 SAFE_FREE(*ppdata);
247 *ppdata = (unsigned char *)smb_memdup(response.data, response.length);
248 if ((*ppdata) == NULL && response.length > 0)
249 return NT_STATUS_NO_MEMORY;
250 *p_data_size = response.length;
251 data_blob_free(&response);
252 return status;
253 }
254
255 /******************************************************************************
256 Negotiation was successful - turn on server-side encryption.
257 ******************************************************************************/
258
259 static NTSTATUS check_enc_good(struct smb_trans_enc_state *es)
260 {
261 if (!es) {
262 return NT_STATUS_LOGON_FAILURE;
263 }
264
265 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SIGN)) {
266 return NT_STATUS_INVALID_PARAMETER;
267 }
268
269 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SEAL)) {
270 return NT_STATUS_INVALID_PARAMETER;
271 }
272 return NT_STATUS_OK;
273 }
274
275 /******************************************************************************
276 Negotiation was successful - turn on server-side encryption.
277 ******************************************************************************/
278
279 NTSTATUS srv_encryption_start(connection_struct *conn)
280 {
281 NTSTATUS status;
282
283 /* Check that we are really doing sign+seal. */
284 status = check_enc_good(partial_srv_trans_enc_ctx);
285 if (!NT_STATUS_IS_OK(status)) {
286 return status;
287 }
288 /* Throw away the context we're using currently (if any). */
289 TALLOC_FREE(srv_trans_enc_ctx);
290
291 /* Steal the partial pointer. Deliberate shallow copy. */
292 srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
293 srv_trans_enc_ctx->enc_on = true;
294
295 partial_srv_trans_enc_ctx = NULL;
296
297 DEBUG(1,("srv_encryption_start: context negotiated\n"));
298 return NT_STATUS_OK;
299 }
300
301 /******************************************************************************
302 Shutdown all server contexts.
303 ******************************************************************************/
304
305 void server_encryption_shutdown(struct smbXsrv_connection *xconn)
306 {
307 TALLOC_FREE(partial_srv_trans_enc_ctx);
308 TALLOC_FREE(srv_trans_enc_ctx);
309 }
Samba GIT mirror