2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/auth/spnego.h"
24 #include "../libcli/smb/smb_seal.h"
25 #include "../lib/util/asn1.h"
27 #include "libsmb/libsmb.h"
28 #include "../lib/tsocket/tsocket.h"
29 #include "auth/gensec/gensec.h"
31 /******************************************************************************
32 Server side encryption.
33 ******************************************************************************/
35 /******************************************************************************
36 Return global enc context - this must change if we ever do multiple contexts.
37 ******************************************************************************/
39 static uint16_t srv_enc_ctx(const struct smb_trans_enc_state
*es
)
41 return es
->enc_ctx_num
;
44 /******************************************************************************
45 Is this an incoming encrypted packet ?
46 ******************************************************************************/
48 bool is_encrypted_packet(struct smbd_server_connection
*sconn
,
54 /* Ignore non-session messages or non 0xFF'E' messages. */
56 || (smb_len(inbuf
) < 8)
57 || !(inbuf
[4] == 0xFF && inbuf
[5] == 'E')) {
61 status
= get_enc_ctx_num(inbuf
, &enc_num
);
62 if (!NT_STATUS_IS_OK(status
)) {
66 /* Encrypted messages are 0xFF'E'<ctx> */
67 if (srv_trans_enc_ctx
&& enc_num
== srv_enc_ctx(srv_trans_enc_ctx
)) {
73 /******************************************************************************
74 Create an gensec_security and ensure pointer copy is correct.
75 ******************************************************************************/
77 static NTSTATUS
make_auth_gensec(const struct tsocket_address
*remote_address
,
78 struct smb_trans_enc_state
*es
)
82 status
= auth_generic_prepare(es
, remote_address
,
83 &es
->gensec_security
);
84 if (!NT_STATUS_IS_OK(status
)) {
85 return nt_status_squash(status
);
88 gensec_want_feature(es
->gensec_security
, GENSEC_FEATURE_SEAL
);
91 * We could be accessing the secrets.tdb or krb5.keytab file here.
92 * ensure we have permissions to do so.
96 status
= gensec_start_mech_by_oid(es
->gensec_security
, GENSEC_OID_SPNEGO
);
100 if (!NT_STATUS_IS_OK(status
)) {
101 return nt_status_squash(status
);
107 /******************************************************************************
108 Create a server encryption context.
109 ******************************************************************************/
111 static NTSTATUS
make_srv_encryption_context(const struct tsocket_address
*remote_address
,
112 struct smb_trans_enc_state
**pp_es
)
115 struct smb_trans_enc_state
*es
;
119 ZERO_STRUCTP(partial_srv_trans_enc_ctx
);
120 es
= talloc_zero(NULL
, struct smb_trans_enc_state
);
122 return NT_STATUS_NO_MEMORY
;
124 status
= make_auth_gensec(remote_address
,
126 if (!NT_STATUS_IS_OK(status
)) {
134 /******************************************************************************
135 Free an encryption-allocated buffer.
136 ******************************************************************************/
138 void srv_free_enc_buffer(struct smbd_server_connection
*sconn
, char *buf
)
140 /* We know this is an smb buffer, and we
141 * didn't malloc, only copy, for a keepalive,
142 * so ignore non-session messages. */
148 if (srv_trans_enc_ctx
) {
149 common_free_enc_buffer(srv_trans_enc_ctx
, buf
);
153 /******************************************************************************
154 Decrypt an incoming buffer.
155 ******************************************************************************/
157 NTSTATUS
srv_decrypt_buffer(struct smbd_server_connection
*sconn
, char *buf
)
159 /* Ignore non-session messages. */
164 if (srv_trans_enc_ctx
) {
165 return common_decrypt_buffer(srv_trans_enc_ctx
, buf
);
171 /******************************************************************************
172 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
173 ******************************************************************************/
175 NTSTATUS
srv_encrypt_buffer(struct smbd_server_connection
*sconn
, char *buf
,
180 /* Ignore non-session messages. */
185 if (srv_trans_enc_ctx
) {
186 return common_encrypt_buffer(srv_trans_enc_ctx
, buf
, buf_out
);
188 /* Not encrypting. */
192 /******************************************************************************
193 Do the SPNEGO encryption negotiation. Parameters are in/out.
194 ******************************************************************************/
196 NTSTATUS
srv_request_encryption_setup(connection_struct
*conn
,
197 unsigned char **ppdata
,
199 unsigned char **pparam
,
200 size_t *p_param_size
)
203 DATA_BLOB blob
= data_blob_const(*ppdata
, *p_data_size
);
204 DATA_BLOB response
= data_blob_null
;
205 struct smb_trans_enc_state
*es
;
210 if (!partial_srv_trans_enc_ctx
) {
211 /* This is the initial step. */
212 status
= make_srv_encryption_context(conn
->sconn
->remote_address
,
213 &partial_srv_trans_enc_ctx
);
214 if (!NT_STATUS_IS_OK(status
)) {
219 es
= partial_srv_trans_enc_ctx
;
220 if (!es
|| es
->gensec_security
== NULL
) {
221 TALLOC_FREE(partial_srv_trans_enc_ctx
);
222 return NT_STATUS_INVALID_PARAMETER
;
227 status
= gensec_update(es
->gensec_security
,
231 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
232 !NT_STATUS_IS_OK(status
)) {
233 TALLOC_FREE(partial_srv_trans_enc_ctx
);
234 return nt_status_squash(status
);
237 if (NT_STATUS_IS_OK(status
)) {
238 /* Return the context we're using for this encryption state. */
239 if (!(*pparam
= SMB_MALLOC_ARRAY(unsigned char, 2))) {
240 return NT_STATUS_NO_MEMORY
;
242 SSVAL(*pparam
, 0, es
->enc_ctx_num
);
246 /* Return the raw blob. */
248 *ppdata
= (unsigned char *)memdup(response
.data
, response
.length
);
249 if ((*ppdata
) == NULL
&& response
.length
> 0)
250 return NT_STATUS_NO_MEMORY
;
251 *p_data_size
= response
.length
;
252 data_blob_free(&response
);
256 /******************************************************************************
257 Negotiation was successful - turn on server-side encryption.
258 ******************************************************************************/
260 static NTSTATUS
check_enc_good(struct smb_trans_enc_state
*es
)
263 return NT_STATUS_LOGON_FAILURE
;
266 if (!gensec_have_feature(es
->gensec_security
, GENSEC_FEATURE_SIGN
)) {
267 return NT_STATUS_INVALID_PARAMETER
;
270 if (!gensec_have_feature(es
->gensec_security
, GENSEC_FEATURE_SEAL
)) {
271 return NT_STATUS_INVALID_PARAMETER
;
276 /******************************************************************************
277 Negotiation was successful - turn on server-side encryption.
278 ******************************************************************************/
280 NTSTATUS
srv_encryption_start(connection_struct
*conn
)
284 /* Check that we are really doing sign+seal. */
285 status
= check_enc_good(partial_srv_trans_enc_ctx
);
286 if (!NT_STATUS_IS_OK(status
)) {
289 /* Throw away the context we're using currently (if any). */
290 TALLOC_FREE(srv_trans_enc_ctx
);
292 /* Steal the partial pointer. Deliberate shallow copy. */
293 srv_trans_enc_ctx
= partial_srv_trans_enc_ctx
;
294 srv_trans_enc_ctx
->enc_on
= true;
296 partial_srv_trans_enc_ctx
= NULL
;
298 DEBUG(1,("srv_encryption_start: context negotiated\n"));
302 /******************************************************************************
303 Shutdown all server contexts.
304 ******************************************************************************/
306 void server_encryption_shutdown(struct smbd_server_connection
*sconn
)
308 TALLOC_FREE(partial_srv_trans_enc_ctx
);
309 TALLOC_FREE(srv_trans_enc_ctx
);