summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-03-21 00:25:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:18:46 -0500
commit071db6fdbff694681fa1793ee678a9a0af3e266a (patch)
tree53a916c3350b9b9a75fc647095c3f4bb78dc88cc
parent6b0dcfa62d23980351e852eec05123c0a9823f1d (diff)
downloadsamba-071db6fdbff694681fa1793ee678a9a0af3e266a.tar.gz
samba-071db6fdbff694681fa1793ee678a9a0af3e266a.tar.bz2
samba-071db6fdbff694681fa1793ee678a9a0af3e266a.zip
r21897: Add in a basic raw NTLM encrypt request. Now
for testing. Jeremy. (This used to be commit 783a7b3085a155d9652cd725bf2960cd272cb554)
-rw-r--r--source3/Makefile.in4
-rw-r--r--source3/lib/dummysmbd.c5
-rw-r--r--source3/libsmb/clifsinfo.c113
-rw-r--r--source3/libsmb/smb_seal.c24
-rw-r--r--source3/libsmb/smb_signing.c38
-rw-r--r--source3/smbd/seal.c31
-rw-r--r--source3/smbd/trans2.c5
7 files changed, 200 insertions, 20 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 4d3fb106cd..ce79246839 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -256,9 +256,9 @@ LIB_WITH_PROTO_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
lib/substitute.o lib/fsusage.o \
lib/ms_fnmatch.o lib/select.o lib/messages.o \
lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
- libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
+ lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
nsswitch/wb_client.o $(WBCOMMON_OBJ) \
- lib/pam_errors.o intl/lang_tdb.o \
+ lib/pam_errors.o intl/lang_tdb.o libsmb/smb_seal.o \
lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \
lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
diff --git a/source3/lib/dummysmbd.c b/source3/lib/dummysmbd.c
index 6017a12928..ed64d9b783 100644
--- a/source3/lib/dummysmbd.c
+++ b/source3/lib/dummysmbd.c
@@ -63,3 +63,8 @@ void srv_free_enc_buffer(char *buf)
{
;
}
+
+BOOL srv_encryption_on(void)
+{
+ return False;
+}
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 9c3b6e3aed..52e12a38e3 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -302,3 +302,116 @@ cleanup:
return ret;
}
+
+/******************************************************************************
+ Send/receive the request encryption blob.
+******************************************************************************/
+
+static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out)
+{
+ uint16 setup;
+ char param[2];
+ char *rparam=NULL, *rdata=NULL;
+ unsigned int rparam_count=0, rdata_count=0;
+ NTSTATUS status = NT_STATUS_OK;
+
+ setup = TRANSACT2_SETFSINFO;
+
+ SSVAL(param,0,SMB_REQUEST_TRANSPORT_ENCRYPTION);
+
+ if (!cli_send_trans(cli, SMBtrans2,
+ NULL,
+ 0, 0,
+ &setup, 1, 0,
+ param, 2, 0,
+ (char *)in->data, in->length, CLI_BUFFER_SIZE)) {
+ status = cli_nt_error(cli);
+ goto out;
+ }
+
+ if (!cli_receive_trans(cli, SMBtrans2,
+ &rparam, &rparam_count,
+ &rdata, &rdata_count)) {
+ status = cli_nt_error(cli);
+ goto out;
+ }
+
+ if (cli_is_error(cli)) {
+ status = cli_nt_error(cli);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ goto out;
+ }
+ }
+
+ *out = data_blob(rdata, rdata_count);
+
+ out:
+
+ SAFE_FREE(rparam);
+ SAFE_FREE(rdata);
+ return status;
+}
+
+/******************************************************************************
+ Start a raw ntlmssp encryption.
+******************************************************************************/
+
+NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
+ const char *user,
+ const char *pass,
+ const char *domain)
+{
+ DATA_BLOB blob_in = data_blob(NULL, 0);
+ DATA_BLOB blob_out = data_blob(NULL, 0);
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ struct smb_trans_enc_state *es = NULL;
+
+ es = SMB_MALLOC_P(struct smb_trans_enc_state);
+ if (!es) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ ZERO_STRUCTP(es);
+ es->smb_enc_type = SMB_TRANS_ENC_NTLM;
+ status = ntlmssp_client_start(&es->ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ ntlmssp_want_feature(es->ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ es->ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
+
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->ntlmssp_state, user))) {
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->ntlmssp_state, domain))) {
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->ntlmssp_state, pass))) {
+ goto fail;
+ }
+
+ do {
+ status = ntlmssp_update(es->ntlmssp_state, blob_in, &blob_out);
+ data_blob_free(&blob_in);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
+ status = enc_blob_send_receive(cli, &blob_out, &blob_in);
+ }
+ data_blob_free(&blob_out);
+ } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+
+ data_blob_free(&blob_in);
+
+ if (NT_STATUS_IS_OK(status)) {
+ /* Replace the old state, if any. */
+ if (cli->trans_enc_state) {
+ common_free_encryption_state(&cli->trans_enc_state);
+ }
+ cli->trans_enc_state = es;
+ cli->trans_enc_state->enc_on = True;
+ }
+
+ fail:
+
+ common_free_encryption_state(&es);
+ return status;
+}
diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c
index 06662e53fb..a509438f07 100644
--- a/source3/libsmb/smb_seal.c
+++ b/source3/libsmb/smb_seal.c
@@ -154,6 +154,12 @@ NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, cha
return NT_STATUS_OK;
}
+ /* Ignore session keepalives. */
+ if(CVAL(buffer,0) == SMBkeepalive) {
+ *buf_out = buffer;
+ return NT_STATUS_OK;
+ }
+
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
} else {
@@ -177,6 +183,12 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf)
/* Not decrypting. */
return NT_STATUS_OK;
}
+
+ /* Ignore session keepalives. */
+ if(CVAL(buf,0) == SMBkeepalive) {
+ return NT_STATUS_OK;
+ }
+
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
} else {
@@ -282,15 +294,3 @@ NTSTATUS cli_encrypt_message(struct cli_state *cli, char **buf_out)
{
return common_encrypt_buffer(cli->trans_enc_state, cli->outbuf, buf_out);
}
-
-/******************************************************************************
- Start a raw ntlmssp encryption.
-******************************************************************************/
-
-NTSTATUS cli_ntlm_smb_encryption_on(struct cli_state *cli,
- const char *user,
- const char *pass,
- const char *workgroup)
-{
-
-}
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index df74b2db36..66a15e9408 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -585,7 +585,9 @@ void cli_free_signing_context(struct cli_state *cli)
void cli_calculate_sign_mac(struct cli_state *cli)
{
- cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+ if (!cli_encryption_on(cli)) {
+ cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+ }
}
/**
@@ -596,6 +598,9 @@ void cli_calculate_sign_mac(struct cli_state *cli)
BOOL cli_check_sign_mac(struct cli_state *cli)
{
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) {
free_signing_context(&cli->sign_info);
return False;
@@ -612,6 +617,9 @@ BOOL client_set_trans_sign_state_on(struct cli_state *cli, uint16 mid)
struct smb_sign_info *si = &cli->sign_info;
struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!si->doing_signing) {
return True;
}
@@ -637,6 +645,9 @@ BOOL client_set_trans_sign_state_off(struct cli_state *cli, uint16 mid)
struct smb_sign_info *si = &cli->sign_info;
struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!si->doing_signing) {
return True;
}
@@ -798,8 +809,18 @@ BOOL srv_oplock_set_signing(BOOL onoff)
BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
{
/* Check if it's a session keepalive. */
- if(CVAL(inbuf,0) == SMBkeepalive)
+ if(CVAL(inbuf,0) == SMBkeepalive) {
return True;
+ }
+
+ /*
+ * If we have an encrypted transport
+ * don't sign - we're already doing that.
+ */
+
+ if (srv_encryption_on()) {
+ return True;
+ }
return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok);
}
@@ -811,9 +832,18 @@ BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
void srv_calculate_sign_mac(char *outbuf)
{
/* Check if it's a session keepalive. */
- /* JRA Paranioa test - do we ever generate these in the server ? */
- if(CVAL(outbuf,0) == SMBkeepalive)
+ if(CVAL(outbuf,0) == SMBkeepalive) {
return;
+ }
+
+ /*
+ * If we have an encrypted transport
+ * don't check sign - we're already doing that.
+ */
+
+ if (srv_encryption_on()) {
+ return;
+ }
srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info);
}
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 9910a84f4c..8283346c28 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -385,8 +385,36 @@ NTSTATUS srv_request_encryption_setup(unsigned char **ppdata, size_t *p_data_siz
Negotiation was successful - turn on server-side encryption.
******************************************************************************/
-void srv_encryption_start(void)
+static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
{
+ if (!ec || !ec->es) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
+ if ((ec->es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) !=
+ (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ /* Todo - check gssapi case. */
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+ Negotiation was successful - turn on server-side encryption.
+******************************************************************************/
+
+NTSTATUS srv_encryption_start(void)
+{
+ NTSTATUS status;
+
+ /* Check that we are really doing sign+seal. */
+ status = check_enc_good(partial_srv_trans_enc_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/* Throw away the context we're using currently (if any). */
srv_free_encryption_context(&srv_trans_enc_ctx);
@@ -395,6 +423,7 @@ void srv_encryption_start(void)
srv_trans_enc_ctx->es->enc_on = True;
partial_srv_trans_enc_ctx = NULL;
+ return NT_STATUS_OK;
}
/******************************************************************************
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 25fd6621e9..158642a588 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2781,7 +2781,10 @@ cap_low = 0x%x, cap_high = 0x%x\n",
if (NT_STATUS_IS_OK(status)) {
/* Server-side transport encryption is now *on*. */
- srv_encryption_start();
+ status = srv_encryption_start();
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_server_cleanly("Failure in setting up encrypted transport");
+ }
}
return -1;
}