for testing.
Jeremy.
lib/substitute.o lib/fsusage.o \
lib/ms_fnmatch.o lib/select.o lib/messages.o \
lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
- libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
+ lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
nsswitch/wb_client.o $(WBCOMMON_OBJ) \
- lib/pam_errors.o intl/lang_tdb.o \
+ lib/pam_errors.o intl/lang_tdb.o libsmb/smb_seal.o \
lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \
lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
{
;
}
+
+BOOL srv_encryption_on(void)
+{
+ return False;
+}
return ret;
}
+
+/******************************************************************************
+ Send/receive the request encryption blob.
+******************************************************************************/
+
+static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out)
+{
+ uint16 setup;
+ char param[2];
+ char *rparam=NULL, *rdata=NULL;
+ unsigned int rparam_count=0, rdata_count=0;
+ NTSTATUS status = NT_STATUS_OK;
+
+ setup = TRANSACT2_SETFSINFO;
+
+ SSVAL(param,0,SMB_REQUEST_TRANSPORT_ENCRYPTION);
+
+ if (!cli_send_trans(cli, SMBtrans2,
+ NULL,
+ 0, 0,
+ &setup, 1, 0,
+ param, 2, 0,
+ (char *)in->data, in->length, CLI_BUFFER_SIZE)) {
+ status = cli_nt_error(cli);
+ goto out;
+ }
+
+ if (!cli_receive_trans(cli, SMBtrans2,
+ &rparam, &rparam_count,
+ &rdata, &rdata_count)) {
+ status = cli_nt_error(cli);
+ goto out;
+ }
+
+ if (cli_is_error(cli)) {
+ status = cli_nt_error(cli);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ goto out;
+ }
+ }
+
+ *out = data_blob(rdata, rdata_count);
+
+ out:
+
+ SAFE_FREE(rparam);
+ SAFE_FREE(rdata);
+ return status;
+}
+
+/******************************************************************************
+ Start a raw ntlmssp encryption.
+******************************************************************************/
+
+NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
+ const char *user,
+ const char *pass,
+ const char *domain)
+{
+ DATA_BLOB blob_in = data_blob(NULL, 0);
+ DATA_BLOB blob_out = data_blob(NULL, 0);
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ struct smb_trans_enc_state *es = NULL;
+
+ es = SMB_MALLOC_P(struct smb_trans_enc_state);
+ if (!es) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ ZERO_STRUCTP(es);
+ es->smb_enc_type = SMB_TRANS_ENC_NTLM;
+ status = ntlmssp_client_start(&es->ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ ntlmssp_want_feature(es->ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ es->ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
+
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->ntlmssp_state, user))) {
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->ntlmssp_state, domain))) {
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->ntlmssp_state, pass))) {
+ goto fail;
+ }
+
+ do {
+ status = ntlmssp_update(es->ntlmssp_state, blob_in, &blob_out);
+ data_blob_free(&blob_in);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
+ status = enc_blob_send_receive(cli, &blob_out, &blob_in);
+ }
+ data_blob_free(&blob_out);
+ } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+
+ data_blob_free(&blob_in);
+
+ if (NT_STATUS_IS_OK(status)) {
+ /* Replace the old state, if any. */
+ if (cli->trans_enc_state) {
+ common_free_encryption_state(&cli->trans_enc_state);
+ }
+ cli->trans_enc_state = es;
+ cli->trans_enc_state->enc_on = True;
+ }
+
+ fail:
+
+ common_free_encryption_state(&es);
+ return status;
+}
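Review bot: cli_raw_ntlm_smb_encryption_start switches the transport on (`cli->trans_enc_state->enc_on = True;`) as soon as ntlmssp_update reports success, without confirming that the peer actually agreed to both signing and sealing; the SIGN|SEAL bits OR-ed into `neg_flags` before the exchange are only the client's proposal and, as far as this hunk shows, nothing re-checks them afterwards, so a downgraded session could be reported as encrypted. The server side gates the same transition with check_enc_good, and the client should mirror it before the assignment: `if ((es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) != (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) { status = NT_STATUS_INVALID_PARAMETER; goto fail; }`. Separately, enc_blob_send_receive leaves `*out` untouched on every `goto out` path, which is only harmless because the caller has already cleared blob_in with data_blob_free before calling it; the header comment should state that `out` is written only when the function returns OK or MORE_PROCESSING_REQUIRED, so the next caller does not rely on it being initialised.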
return NT_STATUS_OK;
}
+ /* Ignore session keepalives. */
+ if(CVAL(buffer,0) == SMBkeepalive) {
+ *buf_out = buffer;
+ return NT_STATUS_OK;
+ }
+
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
} else {
/* Not decrypting. */
return NT_STATUS_OK;
}
+
+ /* Ignore session keepalives. */
+ if(CVAL(buf,0) == SMBkeepalive) {
+ return NT_STATUS_OK;
+ }
+
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
} else {
{
return common_encrypt_buffer(cli->trans_enc_state, cli->outbuf, buf_out);
}
-
-/******************************************************************************
- Start a raw ntlmssp encryption.
-******************************************************************************/
-
-NTSTATUS cli_ntlm_smb_encryption_on(struct cli_state *cli,
- const char *user,
- const char *pass,
- const char *workgroup)
-{
-
-}
void cli_calculate_sign_mac(struct cli_state *cli)
{
- cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+ if (!cli_encryption_on(cli)) {
+ cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+ }
}
/**
BOOL cli_check_sign_mac(struct cli_state *cli)
{
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) {
free_signing_context(&cli->sign_info);
return False;
struct smb_sign_info *si = &cli->sign_info;
struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!si->doing_signing) {
return True;
}
struct smb_sign_info *si = &cli->sign_info;
struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
+ if (cli_encryption_on(cli)) {
+ return True;
+ }
if (!si->doing_signing) {
return True;
}
BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
{
/* Check if it's a session keepalive. */
- if(CVAL(inbuf,0) == SMBkeepalive)
+ if(CVAL(inbuf,0) == SMBkeepalive) {
return True;
+ }
+
+ /*
+ * If we have an encrypted transport
+ * don't sign - we're already doing that.
+ */
+
+ if (srv_encryption_on()) {
+ return True;
+ }
return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok);
}
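Review bot: The two new comments have their wording swapped: the one added in srv_check_sign_mac says `don't sign`, although this function verifies the signature on an incoming buffer, while the one added in srv_calculate_sign_mac (the next hunk) says `don't check sign`, although that function produces the outgoing signature. Suggest `* If we have an encrypted transport don't check the signature - we're already doing that.` here and `* If we have an encrypted transport don't sign - we're already doing that.` in srv_calculate_sign_mac. Since both bypasses depend on srv_encryption_on() only becoming true after a verified negotiation, it is worth saying so in the comment as well, so that a future change to srv_encryption_start does not silently widen the bypass.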
void srv_calculate_sign_mac(char *outbuf)
{
/* Check if it's a session keepalive. */
- /* JRA Paranioa test - do we ever generate these in the server ? */
- if(CVAL(outbuf,0) == SMBkeepalive)
+ if(CVAL(outbuf,0) == SMBkeepalive) {
return;
+ }
+
+ /*
+ * If we have an encrypted transport
+ * don't check sign - we're already doing that.
+ */
+
+ if (srv_encryption_on()) {
+ return;
+ }
srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info);
}
Negotiation was successful - turn on server-side encryption.
******************************************************************************/
-void srv_encryption_start(void)
+static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
{
+ if (!ec || !ec->es) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
+ if ((ec->es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) !=
+ (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ /* Todo - check gssapi case. */
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+ Negotiation was successful - turn on server-side encryption.
+******************************************************************************/
+
+NTSTATUS srv_encryption_start(void)
+{
+ NTSTATUS status;
+
+ /* Check that we are really doing sign+seal. */
+ status = check_enc_good(partial_srv_trans_enc_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/* Throw away the context we're using currently (if any). */
srv_free_encryption_context(&srv_trans_enc_ctx);
srv_trans_enc_ctx->es->enc_on = True;
partial_srv_trans_enc_ctx = NULL;
+ return NT_STATUS_OK;
}
/******************************************************************************
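Review bot: check_enc_good dereferences `ec->es->ntlmssp_state` in the NTLM branch without a NULL check, and for every other encryption type it falls through the `/* Todo - check gssapi case. */` placeholder to `return NT_STATUS_OK;`, so srv_encryption_start will set `enc_on = True` on such a context without any confirmation that integrity and confidentiality were negotiated. Until that check exists the safer default is to refuse what has not been verified: add `if (!ec->es->ntlmssp_state) { return NT_STATUS_INVALID_PARAMETER; }` at the top of the NTLM branch, and replace the TODO with `return NT_STATUS_NOT_IMPLEMENTED;` if no non-NTLM context is expected to reach this point yet (hedged, since the rest of the type enum is not visible here). A one-line comment on check_enc_good noting that it is the only gate between partial_srv_trans_enc_ctx and the live context would make its role clear to the next maintainer.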
if (NT_STATUS_IS_OK(status)) {
/* Server-side transport encryption is now *on*. */
- srv_encryption_start();
+ status = srv_encryption_start();
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_server_cleanly("Failure in setting up encrypted transport");
+ }
}
return -1;
}