search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-smbd: Use gensec_spnego in smb seal server
[Samba.git] / source3 / smbd / seal.c
blob8c4ebea04a273ca40f777b1d560c60655549620d
1 /*
2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/auth/spnego.h"
24 #include "../libcli/smb/smb_seal.h"
25 #include "../lib/util/asn1.h"
26 #include "auth.h"
27 #include "libsmb/libsmb.h"
28 #include "../lib/tsocket/tsocket.h"
29 #include "auth/gensec/gensec.h"
30
31 /******************************************************************************
32 Server side encryption.
33 ******************************************************************************/
34
35 /******************************************************************************
36 Return global enc context - this must change if we ever do multiple contexts.
37 ******************************************************************************/
38
39 static uint16_t srv_enc_ctx(const struct smb_trans_enc_state *es)
40 {
41 return es->enc_ctx_num;
42 }
43
44 /******************************************************************************
45 Is this an incoming encrypted packet ?
46 ******************************************************************************/
47
48 bool is_encrypted_packet(struct smbd_server_connection *sconn,
49 const uint8_t *inbuf)
50 {
51 NTSTATUS status;
52 uint16_t enc_num;
53
54 /* Ignore non-session messages or non 0xFF'E' messages. */
55 if(CVAL(inbuf,0)
56 || (smb_len(inbuf) < 8)
57 || !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
58 return false;
59 }
60
61 status = get_enc_ctx_num(inbuf, &enc_num);
62 if (!NT_STATUS_IS_OK(status)) {
63 return false;
64 }
65
66 /* Encrypted messages are 0xFF'E'<ctx> */
67 if (srv_trans_enc_ctx && enc_num == srv_enc_ctx(srv_trans_enc_ctx)) {
68 return true;
69 }
70 return false;
71 }
72
73 /******************************************************************************
74 Create an gensec_security and ensure pointer copy is correct.
75 ******************************************************************************/
76
77 static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
78 struct smb_trans_enc_state *es)
79 {
80 struct gensec_security *gensec_security;
81 NTSTATUS status;
82
83 status = auth_generic_prepare(NULL, remote_address,
84 &gensec_security);
85 if (!NT_STATUS_IS_OK(status)) {
86 return nt_status_squash(status);
87 }
88
89 gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
90
91 /*
92 * We could be accessing the secrets.tdb or krb5.keytab file here.
93 * ensure we have permissions to do so.
94 */
95 become_root();
96
97 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
98
99 unbecome_root();
100
101 if (!NT_STATUS_IS_OK(status)) {
102 TALLOC_FREE(gensec_security);
103 return nt_status_squash(status);
104 }
105
106 es->gensec_security = gensec_security;
107
108 return status;
109 }
110
111 /******************************************************************************
112 Shutdown a server encryption context.
113 ******************************************************************************/
114
115 static void srv_free_encryption_context(struct smb_trans_enc_state **pp_es)
116 {
117 struct smb_trans_enc_state *es = *pp_es;
118
119 if (!es) {
120 return;
121 }
122
123 common_free_encryption_state(&es);
124
125 SAFE_FREE(es);
126 *pp_es = NULL;
127 }
128
129 /******************************************************************************
130 Create a server encryption context.
131 ******************************************************************************/
132
133 static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
134 struct smb_trans_enc_state **pp_es)
135 {
136 NTSTATUS status;
137 struct smb_trans_enc_state *es;
138
139 *pp_es = NULL;
140
141 ZERO_STRUCTP(partial_srv_trans_enc_ctx);
142 es = SMB_MALLOC_P(struct smb_trans_enc_state);
143 if (!es) {
144 return NT_STATUS_NO_MEMORY;
145 }
146 ZERO_STRUCTP(es);
147 status = make_auth_gensec(remote_address,
148 es);
149 if (!NT_STATUS_IS_OK(status)) {
150 srv_free_encryption_context(&es);
151 return status;
152 }
153 *pp_es = es;
154 return NT_STATUS_OK;
155 }
156
157 /******************************************************************************
158 Free an encryption-allocated buffer.
159 ******************************************************************************/
160
161 void srv_free_enc_buffer(struct smbd_server_connection *sconn, char *buf)
162 {
163 /* We know this is an smb buffer, and we
164 * didn't malloc, only copy, for a keepalive,
165 * so ignore non-session messages. */
166
167 if(CVAL(buf,0)) {
168 return;
169 }
170
171 if (srv_trans_enc_ctx) {
172 common_free_enc_buffer(srv_trans_enc_ctx, buf);
173 }
174 }
175
176 /******************************************************************************
177 Decrypt an incoming buffer.
178 ******************************************************************************/
179
180 NTSTATUS srv_decrypt_buffer(struct smbd_server_connection *sconn, char *buf)
181 {
182 /* Ignore non-session messages. */
183 if(CVAL(buf,0)) {
184 return NT_STATUS_OK;
185 }
186
187 if (srv_trans_enc_ctx) {
188 return common_decrypt_buffer(srv_trans_enc_ctx, buf);
189 }
190
191 return NT_STATUS_OK;
192 }
193
194 /******************************************************************************
195 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
196 ******************************************************************************/
197
198 NTSTATUS srv_encrypt_buffer(struct smbd_server_connection *sconn, char *buf,
199 char **buf_out)
200 {
201 *buf_out = buf;
202
203 /* Ignore non-session messages. */
204 if(CVAL(buf,0)) {
205 return NT_STATUS_OK;
206 }
207
208 if (srv_trans_enc_ctx) {
209 return common_encrypt_buffer(srv_trans_enc_ctx, buf, buf_out);
210 }
211 /* Not encrypting. */
212 return NT_STATUS_OK;
213 }
214
215 /******************************************************************************
216 Do the SPNEGO encryption negotiation. Parameters are in/out.
217 ******************************************************************************/
218
219 NTSTATUS srv_request_encryption_setup(connection_struct *conn,
220 unsigned char **ppdata,
221 size_t *p_data_size,
222 unsigned char **pparam,
223 size_t *p_param_size)
224 {
225 NTSTATUS status;
226 DATA_BLOB blob = data_blob_const(*ppdata, *p_data_size);
227 DATA_BLOB response = data_blob_null;
228 struct smb_trans_enc_state *es;
229
230 SAFE_FREE(*pparam);
231 *p_param_size = 0;
232
233 if (!partial_srv_trans_enc_ctx) {
234 /* This is the initial step. */
235 status = make_srv_encryption_context(conn->sconn->remote_address,
236 &partial_srv_trans_enc_ctx);
237 if (!NT_STATUS_IS_OK(status)) {
238 return status;
239 }
240 }
241
242 es = partial_srv_trans_enc_ctx;
243 if (!es || es->gensec_security == NULL) {
244 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
245 return NT_STATUS_INVALID_PARAMETER;
246 }
247
248 /* Second step. */
249 become_root();
250 status = gensec_update(es->gensec_security,
251 talloc_tos(), NULL,
252 blob, &response);
253 unbecome_root();
254 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
255 !NT_STATUS_IS_OK(status)) {
256 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
257 return nt_status_squash(status);
258 }
259
260 if (NT_STATUS_IS_OK(status)) {
261 /* Return the context we're using for this encryption state. */
262 if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
263 return NT_STATUS_NO_MEMORY;
264 }
265 SSVAL(*pparam, 0, es->enc_ctx_num);
266 *p_param_size = 2;
267 }
268
269 /* Return the raw blob. */
270 SAFE_FREE(*ppdata);
271 *ppdata = (unsigned char *)memdup(response.data, response.length);
272 if ((*ppdata) == NULL && response.length > 0)
273 return NT_STATUS_NO_MEMORY;
274 *p_data_size = response.length;
275 data_blob_free(&response);
276 return status;
277 }
278
279 /******************************************************************************
280 Negotiation was successful - turn on server-side encryption.
281 ******************************************************************************/
282
283 static NTSTATUS check_enc_good(struct smb_trans_enc_state *es)
284 {
285 if (!es) {
286 return NT_STATUS_LOGON_FAILURE;
287 }
288
289 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SIGN)) {
290 return NT_STATUS_INVALID_PARAMETER;
291 }
292
293 if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SEAL)) {
294 return NT_STATUS_INVALID_PARAMETER;
295 }
296 return NT_STATUS_OK;
297 }
298
299 /******************************************************************************
300 Negotiation was successful - turn on server-side encryption.
301 ******************************************************************************/
302
303 NTSTATUS srv_encryption_start(connection_struct *conn)
304 {
305 NTSTATUS status;
306
307 /* Check that we are really doing sign+seal. */
308 status = check_enc_good(partial_srv_trans_enc_ctx);
309 if (!NT_STATUS_IS_OK(status)) {
310 return status;
311 }
312 /* Throw away the context we're using currently (if any). */
313 srv_free_encryption_context(&srv_trans_enc_ctx);
314
315 /* Steal the partial pointer. Deliberate shallow copy. */
316 srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
317 srv_trans_enc_ctx->enc_on = true;
318
319 partial_srv_trans_enc_ctx = NULL;
320
321 DEBUG(1,("srv_encryption_start: context negotiated\n"));
322 return NT_STATUS_OK;
323 }
324
325 /******************************************************************************
326 Shutdown all server contexts.
327 ******************************************************************************/
328
329 void server_encryption_shutdown(struct smbd_server_connection *sconn)
330 {
331 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
332 srv_free_encryption_context(&srv_trans_enc_ctx);
333 }
Samba GIT mirror