source3/smbd/seal.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    SMB Transport encryption (sealing) code - server code.
   4    Copyright (C) Jeremy Allison 2007.
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/smbd.h"
  22 #include "smbd/globals.h"
  23 #include "../libcli/smb/smb_seal.h"
  24 #include "auth.h"
  25 #include "libsmb/libsmb.h"
  26 #include "../lib/tsocket/tsocket.h"
  27 #include "auth/gensec/gensec.h"
  28
  29 /******************************************************************************
  30  Server side encryption.
  31 ******************************************************************************/
  32
  33 /******************************************************************************
  34  Return global enc context - this must change if we ever do multiple contexts.
  35 ******************************************************************************/
  36
  37 static uint16_t srv_enc_ctx(const struct smb_trans_enc_state *es)
  38 {
  39         return es->enc_ctx_num;
  40 }
  41
  42 /******************************************************************************
  43  Is this an incoming encrypted packet ?
  44 ******************************************************************************/
  45
  46 bool is_encrypted_packet(const uint8_t *inbuf)
  47 {
  48         NTSTATUS status;
  49         uint16_t enc_num;
  50
  51         /* Ignore non-session messages or non 0xFF'E' messages. */
  52         if(CVAL(inbuf,0)
  53            || (smb_len(inbuf) < 8)
  54            || !(inbuf[4] == 0xFF && inbuf[5] == 'E')) {
  55                 return false;
  56         }
  57
  58         status = get_enc_ctx_num(inbuf, &enc_num);
  59         if (!NT_STATUS_IS_OK(status)) {
  60                 return false;
  61         }
  62
  63         /* Encrypted messages are 0xFF'E'<ctx> */
  64         if (srv_trans_enc_ctx && enc_num == srv_enc_ctx(srv_trans_enc_ctx)) {
  65                 return true;
  66         }
  67         return false;
  68 }
  69
  70 /******************************************************************************
  71  Create an gensec_security and ensure pointer copy is correct.
  72 ******************************************************************************/
  73
  74 static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
  75                                  const struct tsocket_address *local_address,
  76                                  struct smb_trans_enc_state *es)
  77 {
  78         NTSTATUS status;
  79
  80         status = auth_generic_prepare(es, remote_address,
  81                                       local_address,
  82                                       "SMB encryption",
  83                                       &es->gensec_security);
  84         if (!NT_STATUS_IS_OK(status)) {
  85                 return nt_status_squash(status);
  86         }
  87
  88         gensec_want_feature(es->gensec_security, GENSEC_FEATURE_SEAL);
  89
  90         /*
  91          * We could be accessing the secrets.tdb or krb5.keytab file here.
  92          * ensure we have permissions to do so.
  93          */
  94         become_root();
  95
  96         status = gensec_start_mech_by_oid(es->gensec_security, GENSEC_OID_SPNEGO);
  97
  98         unbecome_root();
  99
 100         if (!NT_STATUS_IS_OK(status)) {
 101                 return nt_status_squash(status);
 102         }
 103
 104         return status;
 105 }
 106
 107 /******************************************************************************
 108  Create a server encryption context.
 109 ******************************************************************************/
 110
 111 static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
 112                                             const struct tsocket_address *local_address,
 113                                             struct smb_trans_enc_state **pp_es)
 114 {
 115         NTSTATUS status;
 116         struct smb_trans_enc_state *es;
 117
 118         *pp_es = NULL;
 119
 120         ZERO_STRUCTP(partial_srv_trans_enc_ctx);
 121         es = talloc_zero(NULL, struct smb_trans_enc_state);
 122         if (!es) {
 123                 return NT_STATUS_NO_MEMORY;
 124         }
 125         status = make_auth_gensec(remote_address,
 126                                   local_address,
 127                                   es);
 128         if (!NT_STATUS_IS_OK(status)) {
 129                 TALLOC_FREE(es);
 130                 return status;
 131         }
 132         *pp_es = es;
 133         return NT_STATUS_OK;
 134 }
 135
 136 /******************************************************************************
 137  Free an encryption-allocated buffer.
 138 ******************************************************************************/
 139
 140 void srv_free_enc_buffer(struct smbXsrv_connection *xconn, char *buf)
 141 {
 142         /* We know this is an smb buffer, and we
 143          * didn't malloc, only copy, for a keepalive,
 144          * so ignore non-session messages. */
 145
 146         if(CVAL(buf,0)) {
 147                 return;
 148         }
 149
 150         if (srv_trans_enc_ctx) {
 151                 common_free_enc_buffer(srv_trans_enc_ctx, buf);
 152         }
 153 }
 154
 155 /******************************************************************************
 156  Decrypt an incoming buffer.
 157 ******************************************************************************/
 158
 159 NTSTATUS srv_decrypt_buffer(struct smbXsrv_connection *xconn, char *buf)
 160 {
 161         /* Ignore non-session messages. */
 162         if(CVAL(buf,0)) {
 163                 return NT_STATUS_OK;
 164         }
 165
 166         if (srv_trans_enc_ctx) {
 167                 return common_decrypt_buffer(srv_trans_enc_ctx, buf);
 168         }
 169
 170         return NT_STATUS_OK;
 171 }
 172
 173 /******************************************************************************
 174  Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
 175 ******************************************************************************/
 176
 177 NTSTATUS srv_encrypt_buffer(struct smbXsrv_connection *xconn, char *buf,
 178                             char **buf_out)
 179 {
 180         *buf_out = buf;
 181
 182         /* Ignore non-session messages. */
 183         if(CVAL(buf,0)) {
 184                 return NT_STATUS_OK;
 185         }
 186
 187         if (srv_trans_enc_ctx) {
 188                 return common_encrypt_buffer(srv_trans_enc_ctx, buf, buf_out);
 189         }
 190         /* Not encrypting. */
 191         return NT_STATUS_OK;
 192 }
 193
 194 /******************************************************************************
 195  Do the SPNEGO encryption negotiation. Parameters are in/out.
 196 ******************************************************************************/
 197
 198 NTSTATUS srv_request_encryption_setup(connection_struct *conn,
 199                                         unsigned char **ppdata,
 200                                         size_t *p_data_size,
 201                                         unsigned char **pparam,
 202                                         size_t *p_param_size)
 203 {
 204         NTSTATUS status;
 205         DATA_BLOB blob = data_blob_const(*ppdata, *p_data_size);
 206         DATA_BLOB response = data_blob_null;
 207         struct smb_trans_enc_state *es;
 208
 209         SAFE_FREE(*pparam);
 210         *p_param_size = 0;
 211
 212         if (!partial_srv_trans_enc_ctx) {
 213                 /* This is the initial step. */
 214                 status = make_srv_encryption_context(conn->sconn->remote_address,
 215                                                      conn->sconn->local_address,
 216                                         &partial_srv_trans_enc_ctx);
 217                 if (!NT_STATUS_IS_OK(status)) {
 218                         return status;
 219                 }
 220         }
 221
 222         es = partial_srv_trans_enc_ctx;
 223         if (!es || es->gensec_security == NULL) {
 224                 TALLOC_FREE(partial_srv_trans_enc_ctx);
 225                 return NT_STATUS_INVALID_PARAMETER;
 226         }
 227
 228         /* Second step. */
 229         become_root();
 230         status = gensec_update(es->gensec_security,
 231                                talloc_tos(),
 232                                blob, &response);
 233         unbecome_root();
 234         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 235             !NT_STATUS_IS_OK(status)) {
 236                 TALLOC_FREE(partial_srv_trans_enc_ctx);
 237                 return nt_status_squash(status);
 238         }
 239
 240         if (NT_STATUS_IS_OK(status)) {
 241                 /* Return the context we're using for this encryption state. */
 242                 if (!(*pparam = SMB_MALLOC_ARRAY(unsigned char, 2))) {
 243                         return NT_STATUS_NO_MEMORY;
 244                 }
 245                 SSVAL(*pparam, 0, es->enc_ctx_num);
 246                 *p_param_size = 2;
 247         }
 248
 249         /* Return the raw blob. */
 250         SAFE_FREE(*ppdata);
 251         *ppdata = (unsigned char *)smb_memdup(response.data, response.length);
 252         if ((*ppdata) == NULL && response.length > 0)
 253                 return NT_STATUS_NO_MEMORY;
 254         *p_data_size = response.length;
 255         data_blob_free(&response);
 256         return status;
 257 }
 258
 259 /******************************************************************************
 260  Negotiation was successful - turn on server-side encryption.
 261 ******************************************************************************/
 262
 263 static NTSTATUS check_enc_good(struct smb_trans_enc_state *es)
 264 {
 265         if (!es) {
 266                 return NT_STATUS_LOGON_FAILURE;
 267         }
 268
 269         if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SIGN)) {
 270                 return NT_STATUS_INVALID_PARAMETER;
 271         }
 272
 273         if (!gensec_have_feature(es->gensec_security, GENSEC_FEATURE_SEAL)) {
 274                 return NT_STATUS_INVALID_PARAMETER;
 275         }
 276         return NT_STATUS_OK;
 277 }
 278
 279 /******************************************************************************
 280  Negotiation was successful - turn on server-side encryption.
 281 ******************************************************************************/
 282
 283 NTSTATUS srv_encryption_start(connection_struct *conn)
 284 {
 285         NTSTATUS status;
 286
 287         /* Check that we are really doing sign+seal. */
 288         status = check_enc_good(partial_srv_trans_enc_ctx);
 289         if (!NT_STATUS_IS_OK(status)) {
 290                 return status;
 291         }
 292         /* Throw away the context we're using currently (if any). */
 293         TALLOC_FREE(srv_trans_enc_ctx);
 294
 295         /* Steal the partial pointer. Deliberate shallow copy. */
 296         srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
 297         srv_trans_enc_ctx->enc_on = true;
 298
 299         partial_srv_trans_enc_ctx = NULL;
 300
 301         DEBUG(1,("srv_encryption_start: context negotiated\n"));
 302         return NT_STATUS_OK;
 303 }
 304
 305 /******************************************************************************
 306  Shutdown all server contexts.
 307 ******************************************************************************/
 308
 309 void server_encryption_shutdown(struct smbXsrv_connection *xconn)
 310 {
 311         TALLOC_FREE(partial_srv_trans_enc_ctx);
 312         TALLOC_FREE(srv_trans_enc_ctx);
 313 }