2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/smb/smb_seal.h"
25 #include "libsmb/libsmb.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "auth/gensec/gensec.h"
29 /******************************************************************************
30 Server side encryption.
31 ******************************************************************************/
33 /******************************************************************************
34 Return global enc context - this must change if we ever do multiple contexts.
35 ******************************************************************************/
37 static uint16_t srv_enc_ctx(const struct smb_trans_enc_state
*es
)
39 return es
->enc_ctx_num
;
42 /******************************************************************************
43 Is this an incoming encrypted packet ?
44 ******************************************************************************/
46 bool is_encrypted_packet(const uint8_t *inbuf
)
51 /* Ignore non-session messages or non 0xFF'E' messages. */
53 || (smb_len(inbuf
) < 8)
54 || !(inbuf
[4] == 0xFF && inbuf
[5] == 'E')) {
58 status
= get_enc_ctx_num(inbuf
, &enc_num
);
59 if (!NT_STATUS_IS_OK(status
)) {
63 /* Encrypted messages are 0xFF'E'<ctx> */
64 if (srv_trans_enc_ctx
&& enc_num
== srv_enc_ctx(srv_trans_enc_ctx
)) {
70 /******************************************************************************
71 Create an gensec_security and ensure pointer copy is correct.
72 ******************************************************************************/
74 static NTSTATUS
make_auth_gensec(const struct tsocket_address
*remote_address
,
75 struct smb_trans_enc_state
*es
)
79 status
= auth_generic_prepare(es
, remote_address
,
80 &es
->gensec_security
);
81 if (!NT_STATUS_IS_OK(status
)) {
82 return nt_status_squash(status
);
85 gensec_want_feature(es
->gensec_security
, GENSEC_FEATURE_SEAL
);
88 * We could be accessing the secrets.tdb or krb5.keytab file here.
89 * ensure we have permissions to do so.
93 status
= gensec_start_mech_by_oid(es
->gensec_security
, GENSEC_OID_SPNEGO
);
97 if (!NT_STATUS_IS_OK(status
)) {
98 return nt_status_squash(status
);
104 /******************************************************************************
105 Create a server encryption context.
106 ******************************************************************************/
108 static NTSTATUS
make_srv_encryption_context(const struct tsocket_address
*remote_address
,
109 struct smb_trans_enc_state
**pp_es
)
112 struct smb_trans_enc_state
*es
;
116 ZERO_STRUCTP(partial_srv_trans_enc_ctx
);
117 es
= talloc_zero(NULL
, struct smb_trans_enc_state
);
119 return NT_STATUS_NO_MEMORY
;
121 status
= make_auth_gensec(remote_address
,
123 if (!NT_STATUS_IS_OK(status
)) {
131 /******************************************************************************
132 Free an encryption-allocated buffer.
133 ******************************************************************************/
135 void srv_free_enc_buffer(struct smbXsrv_connection
*xconn
, char *buf
)
137 /* We know this is an smb buffer, and we
138 * didn't malloc, only copy, for a keepalive,
139 * so ignore non-session messages. */
145 if (srv_trans_enc_ctx
) {
146 common_free_enc_buffer(srv_trans_enc_ctx
, buf
);
150 /******************************************************************************
151 Decrypt an incoming buffer.
152 ******************************************************************************/
154 NTSTATUS
srv_decrypt_buffer(struct smbXsrv_connection
*xconn
, char *buf
)
156 /* Ignore non-session messages. */
161 if (srv_trans_enc_ctx
) {
162 return common_decrypt_buffer(srv_trans_enc_ctx
, buf
);
168 /******************************************************************************
169 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
170 ******************************************************************************/
172 NTSTATUS
srv_encrypt_buffer(struct smbXsrv_connection
*xconn
, char *buf
,
177 /* Ignore non-session messages. */
182 if (srv_trans_enc_ctx
) {
183 return common_encrypt_buffer(srv_trans_enc_ctx
, buf
, buf_out
);
185 /* Not encrypting. */
189 /******************************************************************************
190 Do the SPNEGO encryption negotiation. Parameters are in/out.
191 ******************************************************************************/
193 NTSTATUS
srv_request_encryption_setup(connection_struct
*conn
,
194 unsigned char **ppdata
,
196 unsigned char **pparam
,
197 size_t *p_param_size
)
200 DATA_BLOB blob
= data_blob_const(*ppdata
, *p_data_size
);
201 DATA_BLOB response
= data_blob_null
;
202 struct smb_trans_enc_state
*es
;
207 if (!partial_srv_trans_enc_ctx
) {
208 /* This is the initial step. */
209 status
= make_srv_encryption_context(conn
->sconn
->remote_address
,
210 &partial_srv_trans_enc_ctx
);
211 if (!NT_STATUS_IS_OK(status
)) {
216 es
= partial_srv_trans_enc_ctx
;
217 if (!es
|| es
->gensec_security
== NULL
) {
218 TALLOC_FREE(partial_srv_trans_enc_ctx
);
219 return NT_STATUS_INVALID_PARAMETER
;
224 status
= gensec_update(es
->gensec_security
,
228 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
229 !NT_STATUS_IS_OK(status
)) {
230 TALLOC_FREE(partial_srv_trans_enc_ctx
);
231 return nt_status_squash(status
);
234 if (NT_STATUS_IS_OK(status
)) {
235 /* Return the context we're using for this encryption state. */
236 if (!(*pparam
= SMB_MALLOC_ARRAY(unsigned char, 2))) {
237 return NT_STATUS_NO_MEMORY
;
239 SSVAL(*pparam
, 0, es
->enc_ctx_num
);
243 /* Return the raw blob. */
245 *ppdata
= (unsigned char *)smb_memdup(response
.data
, response
.length
);
246 if ((*ppdata
) == NULL
&& response
.length
> 0)
247 return NT_STATUS_NO_MEMORY
;
248 *p_data_size
= response
.length
;
249 data_blob_free(&response
);
253 /******************************************************************************
254 Negotiation was successful - turn on server-side encryption.
255 ******************************************************************************/
257 static NTSTATUS
check_enc_good(struct smb_trans_enc_state
*es
)
260 return NT_STATUS_LOGON_FAILURE
;
263 if (!gensec_have_feature(es
->gensec_security
, GENSEC_FEATURE_SIGN
)) {
264 return NT_STATUS_INVALID_PARAMETER
;
267 if (!gensec_have_feature(es
->gensec_security
, GENSEC_FEATURE_SEAL
)) {
268 return NT_STATUS_INVALID_PARAMETER
;
273 /******************************************************************************
274 Negotiation was successful - turn on server-side encryption.
275 ******************************************************************************/
277 NTSTATUS
srv_encryption_start(connection_struct
*conn
)
281 /* Check that we are really doing sign+seal. */
282 status
= check_enc_good(partial_srv_trans_enc_ctx
);
283 if (!NT_STATUS_IS_OK(status
)) {
286 /* Throw away the context we're using currently (if any). */
287 TALLOC_FREE(srv_trans_enc_ctx
);
289 /* Steal the partial pointer. Deliberate shallow copy. */
290 srv_trans_enc_ctx
= partial_srv_trans_enc_ctx
;
291 srv_trans_enc_ctx
->enc_on
= true;
293 partial_srv_trans_enc_ctx
= NULL
;
295 DEBUG(1,("srv_encryption_start: context negotiated\n"));
299 /******************************************************************************
300 Shutdown all server contexts.
301 ******************************************************************************/
303 void server_encryption_shutdown(struct smbXsrv_connection
*xconn
)
305 TALLOC_FREE(partial_srv_trans_enc_ctx
);
306 TALLOC_FREE(srv_trans_enc_ctx
);