From 071db6fdbff694681fa1793ee678a9a0af3e266a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 21 Mar 2007 00:25:08 +0000 Subject: r21897: Add in a basic raw NTLM encrypt request. Now for testing. Jeremy. (This used to be commit 783a7b3085a155d9652cd725bf2960cd272cb554) --- source3/Makefile.in | 4 +- source3/lib/dummysmbd.c | 5 ++ source3/libsmb/clifsinfo.c | 113 +++++++++++++++++++++++++++++++++++++++++++ source3/libsmb/smb_seal.c | 24 ++++----- source3/libsmb/smb_signing.c | 38 +++++++++++++-- source3/smbd/seal.c | 31 +++++++++++- source3/smbd/trans2.c | 5 +- 7 files changed, 200 insertions(+), 20 deletions(-) (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 4d3fb106cd..ce79246839 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -256,9 +256,9 @@ LIB_WITH_PROTO_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \ lib/substitute.o lib/fsusage.o \ lib/ms_fnmatch.o lib/select.o lib/messages.o \ lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \ - libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \ + lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \ nsswitch/wb_client.o $(WBCOMMON_OBJ) \ - lib/pam_errors.o intl/lang_tdb.o \ + lib/pam_errors.o intl/lang_tdb.o libsmb/smb_seal.o \ lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \ lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \ lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \ diff --git a/source3/lib/dummysmbd.c b/source3/lib/dummysmbd.c index 6017a12928..ed64d9b783 100644 --- a/source3/lib/dummysmbd.c +++ b/source3/lib/dummysmbd.c @@ -63,3 +63,8 @@ void srv_free_enc_buffer(char *buf) { ; } + +BOOL srv_encryption_on(void) +{ + return False; +} diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 9c3b6e3aed..52e12a38e3 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c 
@@ -302,3 +302,116 @@ cleanup: return ret; } + +/****************************************************************************** + Send/receive the request encryption blob. +******************************************************************************/ + +static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out) +{ + uint16 setup; + char param[2]; + char *rparam=NULL, *rdata=NULL; + unsigned int rparam_count=0, rdata_count=0; + NTSTATUS status = NT_STATUS_OK; + + setup = TRANSACT2_SETFSINFO; + + SSVAL(param,0,SMB_REQUEST_TRANSPORT_ENCRYPTION); + + if (!cli_send_trans(cli, SMBtrans2, + NULL, + 0, 0, + &setup, 1, 0, + param, 2, 0, + (char *)in->data, in->length, CLI_BUFFER_SIZE)) { + status = cli_nt_error(cli); + goto out; + } + + if (!cli_receive_trans(cli, SMBtrans2, + &rparam, &rparam_count, + &rdata, &rdata_count)) { + status = cli_nt_error(cli); + goto out; + } + + if (cli_is_error(cli)) { + status = cli_nt_error(cli); + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + goto out; + } + } + + *out = data_blob(rdata, rdata_count); + + out: + + SAFE_FREE(rparam); + SAFE_FREE(rdata); + return status; +} + +/****************************************************************************** + Start a raw ntlmssp encryption. 
+******************************************************************************/ + +NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, + const char *user, + const char *pass, + const char *domain) +{ + DATA_BLOB blob_in = data_blob(NULL, 0); + DATA_BLOB blob_out = data_blob(NULL, 0); + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + struct smb_trans_enc_state *es = NULL; + + es = SMB_MALLOC_P(struct smb_trans_enc_state); + if (!es) { + return NT_STATUS_NO_MEMORY; + } + ZERO_STRUCTP(es); + es->smb_enc_type = SMB_TRANS_ENC_NTLM; + status = ntlmssp_client_start(&es->ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + ntlmssp_want_feature(es->ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); + es->ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL); + + if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->ntlmssp_state, user))) { + goto fail; + } + if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->ntlmssp_state, domain))) { + goto fail; + } + if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->ntlmssp_state, pass))) { + goto fail; + } + + do { + status = ntlmssp_update(es->ntlmssp_state, blob_in, &blob_out); + data_blob_free(&blob_in); + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) { + status = enc_blob_send_receive(cli, &blob_out, &blob_in); + } + data_blob_free(&blob_out); + } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); + + data_blob_free(&blob_in); + + if (NT_STATUS_IS_OK(status)) { + /* Replace the old state, if any. */ + if (cli->trans_enc_state) { + common_free_encryption_state(&cli->trans_enc_state); + } + cli->trans_enc_state = es; + cli->trans_enc_state->enc_on = True; + } + + fail: + + common_free_encryption_state(&es); + return status; +} diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c index 06662e53fb..a509438f07 100644 --- a/source3/libsmb/smb_seal.c +++ b/source3/libsmb/smb_seal.c 
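Review bot: In cli_raw_ntlm_smb_encryption_start the success path falls straight through into the `fail:` label, so `common_free_encryption_state(&es)` runs on the state that was just stored in `cli->trans_enc_state`. Assuming that helper frees the object it is handed (the same call is used a few lines earlier to discard the old state), the client ends up with `enc_on` set on a dangling pointer, and later encrypt/decrypt calls would read freed memory. Clearing the local after the hand-over keeps the shared cleanup label safe: add `es = NULL;` directly after `cli->trans_enc_state->enc_on = True;`.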
@@ -154,6 +154,12 @@ NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, cha return NT_STATUS_OK; } + /* Ignore session keepalives. */ + if(CVAL(buffer,0) == SMBkeepalive) { + *buf_out = buffer; + return NT_STATUS_OK; + } + if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) { return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out); } else { @@ -177,6 +183,12 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf) /* Not decrypting. */ return NT_STATUS_OK; } + + /* Ignore session keepalives. */ + if(CVAL(buf,0) == SMBkeepalive) { + return NT_STATUS_OK; + } + if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) { return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf); } else { @@ -282,15 +294,3 @@ NTSTATUS cli_encrypt_message(struct cli_state *cli, char **buf_out) { return common_encrypt_buffer(cli->trans_enc_state, cli->outbuf, buf_out); } - -/****************************************************************************** - Start a raw ntlmssp encryption. -******************************************************************************/ - -NTSTATUS cli_ntlm_smb_encryption_on(struct cli_state *cli, - const char *user, - const char *pass, - const char *workgroup) -{ - -} diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c index df74b2db36..66a15e9408 100644 --- a/source3/libsmb/smb_signing.c +++ b/source3/libsmb/smb_signing.c @@ -585,7 +585,9 @@ void cli_free_signing_context(struct cli_state *cli) void cli_calculate_sign_mac(struct cli_state *cli) { - cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info); + if (!cli_encryption_on(cli)) { + cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info); + } } /** 
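Review bot: The new keepalive short-circuit in common_decrypt_buffer (and the matching one in common_encrypt_buffer) decides on the first byte alone, so once `enc_on` is set any inbound frame whose type byte is SMBkeepalive is reported as NT_STATUS_OK without being decrypted or having its seal verified. That is only safe if every caller drops keepalive frames before looking at a payload, which is not visible in these hunks. The comment should state that assumption, e.g. `/* Keepalives travel in the clear; callers must discard them and never parse a payload. */`. A stricter guard would also require an empty frame, e.g. `if (CVAL(buf,0) == SMBkeepalive && smb_len(buf) == 0)`, provided smb_len() is usable at this point in the receive path.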
@@ -596,6 +598,9 @@ void cli_calculate_sign_mac(struct cli_state *cli) BOOL cli_check_sign_mac(struct cli_state *cli) { + if (cli_encryption_on(cli)) { + return True; + } if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) { free_signing_context(&cli->sign_info); return False; @@ -612,6 +617,9 @@ BOOL client_set_trans_sign_state_on(struct cli_state *cli, uint16 mid) struct smb_sign_info *si = &cli->sign_info; struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context; + if (cli_encryption_on(cli)) { + return True; + } if (!si->doing_signing) { return True; } @@ -637,6 +645,9 @@ BOOL client_set_trans_sign_state_off(struct cli_state *cli, uint16 mid) struct smb_sign_info *si = &cli->sign_info; struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context; + if (cli_encryption_on(cli)) { + return True; + } if (!si->doing_signing) { return True; } @@ -798,8 +809,18 @@ BOOL srv_oplock_set_signing(BOOL onoff) BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok) { /* Check if it's a session keepalive. */ - if(CVAL(inbuf,0) == SMBkeepalive) + if(CVAL(inbuf,0) == SMBkeepalive) { return True; + } + + /* + * If we have an encrypted transport + * don't sign - we're already doing that. + */ + + if (srv_encryption_on()) { + return True; + } return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok); } @@ -811,9 +832,18 @@ BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok) void srv_calculate_sign_mac(char *outbuf) { /* Check if it's a session keepalive. */ - /* JRA Paranioa test - do we ever generate these in the server ? */ - if(CVAL(outbuf,0) == SMBkeepalive) + if(CVAL(outbuf,0) == SMBkeepalive) { return; + } + + /* + * If we have an encrypted transport + * don't check sign - we're already doing that. + */ + + if (srv_encryption_on()) { + return; + } srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info); } 
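Review bot: cli_check_sign_mac now returns True whenever cli_encryption_on(cli) is set, so inbound integrity on the client rests entirely on the transport seal, yet nothing on the client side confirms that sign and seal were actually negotiated. The server gets such a check in check_enc_good() in smbd/seal.c, whereas cli_raw_ntlm_smb_encryption_start only ORs the two flags into `neg_flags` before the exchange and sets `enc_on` on any OK status. I would re-test the flags after the handshake and before enabling encryption, mirroring the server: `if ((es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) != (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) status = NT_STATUS_INVALID_PARAMETER;`. The same bypass is added to cli_calculate_sign_mac and to both client_set_trans_sign_state_on/off, so the check matters for all of them.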
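Review bot: The two new comments in srv_check_sign_mac and srv_calculate_sign_mac are swapped: the verification path says "don't sign" and the signing path says "don't check sign". Since these comments are the only record of why MAC handling is skipped, they should match the function and name the assumption. I suggest `/* Encrypted transport: skip the inbound signature check; integrity is expected to come from the negotiated seal. */` in srv_check_sign_mac and `/* Encrypted transport: skip outbound signing; integrity is expected to come from the negotiated seal. */` in srv_calculate_sign_mac.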
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c index 9910a84f4c..8283346c28 100644 --- a/source3/smbd/seal.c +++ b/source3/smbd/seal.c @@ -385,8 +385,36 @@ NTSTATUS srv_request_encryption_setup(unsigned char **ppdata, size_t *p_data_siz Negotiation was successful - turn on server-side encryption. ******************************************************************************/ -void srv_encryption_start(void) +static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec) { + if (!ec || !ec->es) { + return NT_STATUS_LOGON_FAILURE; + } + + if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) { + if ((ec->es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) != + (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + } + /* Todo - check gssapi case. */ + + return NT_STATUS_OK; +} + +/****************************************************************************** + Negotiation was successful - turn on server-side encryption. +******************************************************************************/ + +NTSTATUS srv_encryption_start(void) +{ + NTSTATUS status; + + /* Check that we are really doing sign+seal. */ + status = check_enc_good(partial_srv_trans_enc_ctx); + if (!NT_STATUS_IS_OK(status)) { + return status; + } /* Throw away the context we're using currently (if any). */ srv_free_encryption_context(&srv_trans_enc_ctx); @@ -395,6 +423,7 @@ void srv_encryption_start(void) srv_trans_enc_ctx->es->enc_on = True; partial_srv_trans_enc_ctx = NULL; + return NT_STATUS_OK; } /****************************************************************************** diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 25fd6621e9..158642a588 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c 
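Review bot: check_enc_good() fails open for every context that is not SMB_TRANS_ENC_NTLM: the `/* Todo - check gssapi case. */` path falls through to `return NT_STATUS_OK`, and srv_encryption_start() then sets `enc_on`, after which the smb_signing.c hunks stop checking MACs. Until the GSSAPI flags are verified, the comment should say so plainly, e.g. `/* NOTE: GSSAPI contexts are accepted here without verifying that integrity and confidentiality were negotiated. */`. The NTLM branch also dereferences `ec->es->ntlmssp_state` without a NULL test, so the first guard could become `if (!ec || !ec->es)` plus a separate `if (!ec->es->ntlmssp_state) return NT_STATUS_LOGON_FAILURE;` inside the NTLM case. Finally, the banner now sitting above check_enc_good is the old srv_encryption_start one ("Negotiation was successful …") and should describe the check instead.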
@@ -2781,7 +2781,10 @@ cap_low = 0x%x, cap_high = 0x%x\n", if (NT_STATUS_IS_OK(status)) { /* Server-side transport encryption is now *on*. */ - srv_encryption_start(); + status = srv_encryption_start(); + if (!NT_STATUS_IS_OK(status)) { + exit_server_cleanly("Failure in setting up encrypted transport"); + } } return -1; } -- cgit
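Review bot: When srv_encryption_start() fails here, the NTSTATUS is dropped and the only trace is the fixed string handed to exit_server_cleanly(), although the failure means the negotiated context was missing or lacked sign+seal. For detection it helps to log the status before exiting, e.g. `DEBUG(1, ("srv_encryption_start failed: %s\n", nt_errstr(status)));`. The enclosing function starts and ends outside this hunk, so I cannot tell whether the client is sent any error reply before the connection is torn down.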