diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source3/smbd/seal.c | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source3/smbd/seal.c | 313 |
1 files changed, 313 insertions, 0 deletions
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c new file mode 100644 index 0000000..8a0dbeb --- /dev/null +++ b/source3/smbd/seal.c @@ -0,0 +1,313 @@ +/* + Unix SMB/CIFS implementation. + SMB Transport encryption (sealing) code - server code. + Copyright (C) Jeremy Allison 2007. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "smbd/smbd.h" +#include "smbd/globals.h" +#include "../libcli/smb/smb_seal.h" +#include "auth.h" +#include "libsmb/libsmb.h" +#include "../lib/tsocket/tsocket.h" +#include "auth/gensec/gensec.h" + +/****************************************************************************** + Server side encryption. +******************************************************************************/ + +/****************************************************************************** + Return global enc context - this must change if we ever do multiple contexts. +******************************************************************************/ + +static uint16_t srv_enc_ctx(const struct smb_trans_enc_state *es) +{ + return es->enc_ctx_num; +} + +/****************************************************************************** + Is this an incoming encrypted packet ? +******************************************************************************/ + +bool is_encrypted_packet(const uint8_t *inbuf) +{ + NTSTATUS status; + uint16_t enc_num; + + /* Ignore non-session messages or non 0xFF'E' messages. */ + if(CVAL(inbuf,0) + || (smb_len(inbuf) < 8) + || !(inbuf[4] == 0xFF && inbuf[5] == 'E')) { + return false; + } + + status = get_enc_ctx_num(inbuf, &enc_num); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + /* Encrypted messages are 0xFF'E'<ctx> */ + if (srv_trans_enc_ctx && enc_num == srv_enc_ctx(srv_trans_enc_ctx)) { + return true; + } + return false; +} + +/****************************************************************************** + Create an gensec_security and ensure pointer copy is correct. +******************************************************************************/ + +static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, + struct smb_trans_enc_state *es) +{ + NTSTATUS status; + + status = auth_generic_prepare(es, remote_address, + local_address, + "SMB encryption", + &es->gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return nt_status_squash(status); + } + + gensec_want_feature(es->gensec_security, GENSEC_FEATURE_SEAL); + + /* + * We could be accessing the secrets.tdb or krb5.keytab file here. + * ensure we have permissions to do so. + */ + become_root(); + + status = gensec_start_mech_by_oid(es->gensec_security, GENSEC_OID_SPNEGO); + + unbecome_root(); + + if (!NT_STATUS_IS_OK(status)) { + return nt_status_squash(status); + } + + return status; +} + +/****************************************************************************** + Create a server encryption context. +******************************************************************************/ + +static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, + struct smb_trans_enc_state **pp_es) +{ + NTSTATUS status; + struct smb_trans_enc_state *es; + + *pp_es = NULL; + + ZERO_STRUCTP(partial_srv_trans_enc_ctx); + es = talloc_zero(NULL, struct smb_trans_enc_state); + if (!es) { + return NT_STATUS_NO_MEMORY; + } + status = make_auth_gensec(remote_address, + local_address, + es); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(es); + return status; + } + *pp_es = es; + return NT_STATUS_OK; +} + +/****************************************************************************** + Free an encryption-allocated buffer. +******************************************************************************/ + +void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf) +{ + /* We know this is an smb buffer, and we + * didn't malloc, only copy, for a keepalive, + * so ignore non-session messages. */ + + if(CVAL(buf,0)) { + return; + } + + if (srv_trans_enc_ctx) { + common_free_enc_buffer(srv_trans_enc_ctx, buf); + } +} + +/****************************************************************************** + Decrypt an incoming buffer. +******************************************************************************/ + +NTSTATUS srv_decrypt_buffer(struct smbXsrv_connection *xconn, char *buf) +{ + /* Ignore non-session messages. */ + if(CVAL(buf,0)) { + return NT_STATUS_OK; + } + + if (srv_trans_enc_ctx) { + return common_decrypt_buffer(srv_trans_enc_ctx, buf); + } + + return NT_STATUS_OK; +} + +/****************************************************************************** + Encrypt an outgoing buffer. Return the encrypted pointer in buf_out. +******************************************************************************/ + +NTSTATUS srv_encrypt_buffer(struct smbXsrv_connection *xconn, char *buf, + char **buf_out) +{ + *buf_out = buf; + + /* Ignore non-session messages. */ + if(CVAL(buf,0)) { + return NT_STATUS_OK; + } + + if (srv_trans_enc_ctx) { + return common_encrypt_buffer(srv_trans_enc_ctx, buf, buf_out); + } + /* Not encrypting. */ + return NT_STATUS_OK; +} + +/****************************************************************************** + Do the SPNEGO encryption negotiation. Parameters are in/out. +******************************************************************************/ + +NTSTATUS srv_request_encryption_setup(connection_struct *conn, + unsigned char **ppdata, + size_t *p_data_size, + unsigned char **pparam, + size_t *p_param_size) +{ + NTSTATUS status; + DATA_BLOB blob = data_blob_const(*ppdata, *p_data_size); + DATA_BLOB response = data_blob_null; + struct smb_trans_enc_state *es; + + SAFE_FREE(*pparam); + *p_param_size = 0; + + if (!partial_srv_trans_enc_ctx) { + /* This is the initial step. */ + status = make_srv_encryption_context(conn->sconn->remote_address, + conn->sconn->local_address, + &partial_srv_trans_enc_ctx); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } + + es = partial_srv_trans_enc_ctx; + if (!es || es->gensec_security == NULL) { + TALLOC_FREE(partial_srv_trans_enc_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + /* Second step. */ + become_root(); + status = gensec_update(es->gensec_security, + talloc_tos(), + blob, &response); + unbecome_root(); + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && + !NT_STATUS_IS_OK(status)) { + TALLOC_FREE(partial_srv_trans_enc_ctx); + return nt_status_squash(status); + } + + if (NT_STATUS_IS_OK(status)) { + /* Return the context we're using for this encryption state. */ + if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) { + return NT_STATUS_NO_MEMORY; + } + SSVAL(*pparam, 0, es->enc_ctx_num); + *p_param_size = 2; + } + + /* Return the raw blob. */ + SAFE_FREE(*ppdata); + *ppdata = (unsigned char *)smb_memdup(response.data, response.length); + if ((*ppdata) == NULL && response.length > 0) + return NT_STATUS_NO_MEMORY; + *p_data_size = response.length; + data_blob_free(&response); + return status; +} + +/****************************************************************************** + Negotiation was successful - turn on server-side encryption. +******************************************************************************/ + +static NTSTATUS check_enc_good(struct smb_trans_enc_state *es) +{ + if (!es) { + return NT_STATUS_LOGON_FAILURE; + } + + if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SEAL)) { + return NT_STATUS_INVALID_PARAMETER; + } + return NT_STATUS_OK; +} + +/****************************************************************************** + Negotiation was successful - turn on server-side encryption. +******************************************************************************/ + +NTSTATUS srv_encryption_start(connection_struct *conn) +{ + NTSTATUS status; + + /* Check that we are really doing sign+seal. */ + status = check_enc_good(partial_srv_trans_enc_ctx); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + /* Throw away the context we're using currently (if any). */ + TALLOC_FREE(srv_trans_enc_ctx); + + /* Steal the partial pointer. Deliberate shallow copy. */ + srv_trans_enc_ctx = partial_srv_trans_enc_ctx; + srv_trans_enc_ctx->enc_on = true; + + partial_srv_trans_enc_ctx = NULL; + + DEBUG(1,("srv_encryption_start: context negotiated\n")); + return NT_STATUS_OK; +} + +/****************************************************************************** + Shutdown all server contexts. +******************************************************************************/ + +void server_encryption_shutdown(struct smbXsrv_connection *xconn) +{ + TALLOC_FREE(partial_srv_trans_enc_ctx); + TALLOC_FREE(srv_trans_enc_ctx); +} |