From 5b7179d2a3708246c44c5c5126368588f9da74a0 Mon Sep 17 00:00:00 2001 From: Holger Hetterich Date: Tue, 2 Feb 2010 00:14:28 +0100 Subject: Add smbta-util to manage the encryption key. This program allows the administrator to enable or disable AES encryption when using vfs_smb_traffic_analyzer. It also generates new keys, stores them to a file, so that the file can be reused on another client or server. --- source3/Makefile.in | 17 ++- source3/modules/vfs_smb_traffic_analyzer.c | 1 + source3/utils/smbta-util.c | 211 +++++++++++++++++++++++++++++ 3 files changed, 225 insertions(+), 4 deletions(-) create mode 100644 source3/utils/smbta-util.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 9d42047a0b..4c12157704 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -209,15 +209,16 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \ SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \ - bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@ + bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@ \ + bin/smbta-util@EXEEXT@ BIN_PROGS2 = bin/smbcontrol@EXEEXT@ bin/smbtree@EXEEXT@ $(TDBBACKUP) \ bin/nmblookup@EXEEXT@ bin/pdbedit@EXEEXT@ $(TDBDUMP) \ $(TDBTOOL) BIN_PROGS3 = bin/smbpasswd@EXEEXT@ bin/rpcclient@EXEEXT@ bin/smbcacls@EXEEXT@ \ bin/profiles@EXEEXT@ bin/ntlm_auth@EXEEXT@ bin/sharesec@EXEEXT@ \ - bin/smbcquotas@EXEEXT@ bin/eventlogadm@EXEEXT@ + bin/smbcquotas@EXEEXT@ bin/eventlogadm@EXEEXT@ BIN_PROGS4 = bin/ldbedit@EXEEXT@ bin/ldbsearch@EXEEXT@ bin/ldbadd@EXEEXT@ \ - bin/ldbdel@EXEEXT@ bin/ldbmodify@EXEEXT@ bin/ldbrename@EXEEXT@ + bin/ldbdel@EXEEXT@ bin/ldbmodify@EXEEXT@ bin/ldbrename@EXEEXT@ TORTURE_PROGS = bin/smbtorture@EXEEXT@ bin/msgtest@EXEEXT@ \ bin/masktest@EXEEXT@ bin/locktest@EXEEXT@ \ @@ -882,6 +883,10 @@ TESTPARM_OBJ = utils/testparm.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \ $(LIBSMB_ERR_OBJ) +SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \ + $(LOCKING_OBJ) $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) \ + $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ) + TEST_LP_LOAD_OBJ = param/test_lp_load.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ $(POPT_LIB_OBJ) $(LIBSAMBA_OBJ) @@ -1619,6 +1624,11 @@ bin/testparm@EXEEXT@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@ $(LIBTALLOC @$(CC) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) +bin/smbta-util@EXEEXT@: $(BINARY_PREREQS) $(SMBTA_UTIL_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) + @echo Linking $@ + @$(CC) -o $@ $(SMBTA_UTIL_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ + $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) + bin/smbstatus@EXEEXT@: $(BINARY_PREREQS) $(STATUS_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) @echo Linking $@ @$(CC) -o $@ $(STATUS_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ @@ -1854,7 +1864,6 @@ $(LIBTALLOC_SHARED_TARGET): $(LIBTALLOC_SHARED_TARGET_SONAME) $(LIBTALLOC_STATIC_TARGET): $(BINARY_PREREQS) $(LIBTALLOC_OBJ0) @echo Linking non-shared library $@ @-$(AR) -rc $@ $(LIBTALLOC_OBJ0) - libtalloc: $(LIBTALLOC) cleanlibtalloc:: diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c index 9bc0d2ef73..4465425927 100644 --- a/source3/modules/vfs_smb_traffic_analyzer.c +++ b/source3/modules/vfs_smb_traffic_analyzer.c @@ -542,6 +542,7 @@ static void smb_traffic_analyzer_send_data(vfs_handle_struct *handle, " found, encrypting data!\n")); AES_KEY key; samba_AES_set_encrypt_key(akey, 128, &key); + free(akey); s1 = strlen(str) / 16; s2 = strlen(str) % 16; DEBUG(10, ("smb_traffic_analyzer_send_data_socket: found %i" diff --git a/source3/utils/smbta-util.c b/source3/utils/smbta-util.c new file mode 100644 index 0000000000..13686ae7a0 --- /dev/null +++ b/source3/utils/smbta-util.c @@ -0,0 +1,211 @@ +/* + smbta-util: tool for controlling encryption with + vfs_smb_traffic_analyzer + Copyright (C) 2010 Holger Hetterich + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +#include "includes.h" + + +static void delete_key(); + + +static void help() +{ +printf("-h print this help message.\n"); +printf("-f install the key from a file and activate\n"); +printf(" encryption.\n"); +printf("-g generate a key, save it to a file, and activate encryption.\n"); +printf("-u uninstall a key, and deactivate encryption.\n"); +printf("-c create a file from an installed key.\n"); +printf("-s check if a key is installed, and print the key to stdout.\n"); +printf("\n"); +} + +static void check_key() +{ size_t size; + if (!secrets_init()) { + printf("Error opening secrets database."); + exit(1); + } + char *akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size); + if (akey != NULL) { + printf("A key is installed: %s\n",akey); + printf("Encryption activated.\n"); + free(akey); + exit(0); + } else printf("No key is installed.\n"); + exit(1); +} + +static void create_keyfile(char *filename, char *key) +{ + FILE *keyfile; + keyfile = fopen(filename, "w"); + if (keyfile == NULL) { + printf("error creating the keyfile!\n"); + exit(0); + } + fprintf(keyfile, "%s", key); + fclose(keyfile); + printf("File '%s' has been created.\n", filename); +} + +/** + * Load a key from a file. The caller has to free the + * returned string. + */ +static char *load_key_from_file(char *filename) +{ + FILE *keyfile; + char *key = malloc(sizeof(char) * 17); + int l; + keyfile = fopen(filename, "r"); + if (keyfile == NULL) { + printf("Error opening the keyfile!\n"); + exit(0); + } + l = fscanf(keyfile, "%s", key); + if (strlen(key) != 16) { + printf("Key file in wrong format\n"); + fclose(keyfile); + exit(0); + } + return key; +} + +static void create_file_from_key(char *filename) +{ + size_t size; + char *akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size); + if (akey == NULL) { + printf("No key is installed! Can't create file.\n"); + exit(1); + } + create_keyfile(filename, akey); + free(akey); +} + +/** + * Generate a random key. The user has to free the returned + * string. + */ +static char *generate_key() +{ + char *key = malloc(sizeof(char)*17); + int f; + srand( (unsigned)time( NULL ) ); + for ( f = 0; f < 16; f++) { + *(key+f) = (rand() % 128) +32; + } + *(key+16)='\0'; + printf("Random key generated.\n"); + return key; +} + +static void create_new_key_and_activate( char *filename ) +{ + if (!secrets_init()) { + printf("Error opening secrets database."); + exit(1); + } + + char *key = generate_key(); + delete_key(); + secrets_store("smb_traffic_analyzer_key", key, strlen(key)+1 ); + printf("Key installed, encryption activated.\n"); + create_file_from_key(filename); + free(key); +} + +static void delete_key() +{ + size_t size; + char *akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size); + if (akey != NULL) { + free(akey); + secrets_delete("smb_traffic_analyzer_key"); + printf("Removed installed key. Encryption deactivated.\n"); + } else { + printf("No key is installed.\n"); + } +} + + +static void load_key_from_file_and_activate( char *filename) +{ + char *key; + char *akey; + size_t size; + key = load_key_from_file(filename); + printf("Loaded key from %s.\n",filename); + akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size); + if (akey != NULL) { + printf("Removing the old key.\n"); + delete_key(); + } + printf("Installing the key from file %s\n",filename); + secrets_store("smb_traffic_analyzer_key", key, strlen(key)+1); + free(key); +} + +static void process_arguments(int argc, char **argv) +{ + char co; + while ((co = getopt(argc, argv, "hf:g:uc:s")) != EOF) { + switch(co) { + case 'h': + help(); + exit(0); + case 's': + check_key(); + break; + case 'g': + create_new_key_and_activate(optarg); + break; + case 'u': + delete_key(); + break; + case 'c': + create_file_from_key(optarg); + break; + case 'f': + load_key_from_file_and_activate(optarg); + break; + default: + help(); + break; + } + } +} + +int main(int argc, char **argv) +{ + sec_init(); + load_case_tables(); + + if (!lp_load_initial_only(get_dyn_CONFIGFILE())) { + fprintf(stderr, "Can't load %s - run testparm to debug it\n", + get_dyn_CONFIGFILE()); + exit(1); + } + + if (argc == 1) { + help(); + exit(1); + } + + process_arguments(argc, argv); +} -- cgit