2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /******************************************************************************
24 Server side encryption.
25 ******************************************************************************/
27 /******************************************************************************
29 ******************************************************************************/
31 struct smb_srv_trans_enc_ctx {
32 struct smb_trans_enc_state *es;
33 AUTH_NTLMSSP_STATE *auth_ntlmssp_state; /* Must be kept in sync with pointer in ec->ntlmssp_state. */
36 static struct smb_srv_trans_enc_ctx *partial_srv_trans_enc_ctx;
37 static struct smb_srv_trans_enc_ctx *srv_trans_enc_ctx;
39 /******************************************************************************
40 Is server encryption on ?
41 ******************************************************************************/
43 BOOL srv_encryption_on(void)
45 if (srv_trans_enc_ctx) {
46 return common_encryption_on(srv_trans_enc_ctx->es);
51 /******************************************************************************
52 Shutdown a server encryption state.
53 ******************************************************************************/
55 static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec)
57 struct smb_srv_trans_enc_ctx *ec = *pp_ec;
64 struct smb_trans_enc_state *es = ec->es;
65 if (es->smb_enc_type == SMB_TRANS_ENC_NTLM &&
66 ec->auth_ntlmssp_state) {
67 auth_ntlmssp_end(&ec->auth_ntlmssp_state);
68 /* The auth_ntlmssp_end killed this already. */
69 es->ntlmssp_state = NULL;
71 common_free_encryption_state(&ec->es);
78 /******************************************************************************
79 Free an encryption-allocated buffer.
80 ******************************************************************************/
82 void srv_free_enc_buffer(char *buf)
84 if (srv_trans_enc_ctx) {
85 return common_free_enc_buffer(srv_trans_enc_ctx->es, buf);
89 /******************************************************************************
90 Decrypt an incoming buffer.
91 ******************************************************************************/
93 NTSTATUS srv_decrypt_buffer(char *buf)
95 if (srv_trans_enc_ctx) {
96 return common_decrypt_buffer(srv_trans_enc_ctx->es, buf);
101 /******************************************************************************
102 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
103 ******************************************************************************/
105 NTSTATUS srv_encrypt_buffer(char *buffer, char **buf_out)
107 if (srv_trans_enc_ctx) {
108 return common_encrypt_buffer(srv_trans_enc_ctx->es, buffer, buf_out);
110 /* Not encrypting. */
115 /******************************************************************************
116 Do the gss encryption negotiation. Parameters are in/out.
117 Until success we do everything on the partial enc ctx.
118 ******************************************************************************/
120 #if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
121 static NTSTATUS srv_enc_spnego_gss_negotiate(char **ppdata, size_t *p_data_size, DATA_BLOB secblob)
123 return NT_STATUS_NOT_SUPPORTED;
127 /******************************************************************************
128 Do the NTLM SPNEGO encryption negotiation. Parameters are in/out.
129 Until success we do everything on the partial enc ctx.
130 ******************************************************************************/
132 static NTSTATUS srv_enc_spnego_ntlm_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob)
135 DATA_BLOB chal = data_blob(NULL, 0);
136 DATA_BLOB response = data_blob(NULL, 0);
137 struct smb_srv_trans_enc_ctx *ec = partial_srv_trans_enc_ctx;
139 status = auth_ntlmssp_start(&ec->auth_ntlmssp_state);
140 if (!NT_STATUS_IS_OK(status)) {
141 return nt_status_squash(status);
144 status = auth_ntlmssp_update(ec->auth_ntlmssp_state, secblob, &chal);
146 /* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
149 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
150 data_blob_free(&chal);
153 *ppdata = response.data;
154 *p_data_size = response.length;
158 /******************************************************************************
159 Do the SPNEGO encryption negotiation. Parameters are in/out.
160 Based off code in smbd/sesssionsetup.c
161 Until success we do everything on the partial enc ctx.
162 ******************************************************************************/
164 static NTSTATUS srv_enc_spnego_negotiate(unsigned char **ppdata, size_t *p_data_size)
167 DATA_BLOB blob = data_blob(NULL,0);
168 DATA_BLOB secblob = data_blob(NULL, 0);
169 BOOL got_kerberos_mechanism = False;
171 blob = data_blob_const(*ppdata, *p_data_size);
173 status = parse_spnego_mechanisms(blob, &secblob, &got_kerberos_mechanism);
174 if (!NT_STATUS_IS_OK(status)) {
175 return nt_status_squash(status);
178 /* We should have no partial context at this point. */
180 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
182 partial_srv_trans_enc_ctx = SMB_MALLOC_P(struct smb_srv_trans_enc_ctx);
183 if (!partial_srv_trans_enc_ctx) {
184 data_blob_free(&secblob);
185 return NT_STATUS_NO_MEMORY;
187 ZERO_STRUCTP(partial_srv_trans_enc_ctx);
189 #if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
190 if (got_kerberos_mechanism && lp_use_kerberos_keytab()) ) {
191 status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
195 status = srv_enc_spnego_ntlm_negotiate(ppdata, p_data_size, secblob);
198 data_blob_free(&secblob);
200 if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
201 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
207 /******************************************************************************
208 Complete a SPNEGO encryption negotiation. Parameters are in/out.
209 We only get this for a NTLM auth second stage.
210 ******************************************************************************/
212 static NTSTATUS srv_enc_spnego_ntlm_auth(unsigned char **ppdata, size_t *p_data_size)
215 DATA_BLOB blob = data_blob(NULL,0);
216 DATA_BLOB auth = data_blob(NULL,0);
217 DATA_BLOB auth_reply = data_blob(NULL,0);
218 DATA_BLOB response = data_blob(NULL,0);
219 struct smb_srv_trans_enc_ctx *ec = partial_srv_trans_enc_ctx;
221 /* We must have a partial context here. */
223 if (!ec || ec->auth_ntlmssp_state == NULL) {
224 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
225 return NT_STATUS_INVALID_PARAMETER;
228 blob = data_blob_const(*ppdata, *p_data_size);
229 if (!spnego_parse_auth(blob, &auth)) {
230 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
231 return NT_STATUS_INVALID_PARAMETER;
234 status = auth_ntlmssp_update(ec->auth_ntlmssp_state, auth, &auth_reply);
235 data_blob_free(&auth);
237 response = spnego_gen_auth_response(&auth_reply, status, OID_NTLMSSP);
238 data_blob_free(&auth_reply);
241 *ppdata = response.data;
242 *p_data_size = response.length;
246 /******************************************************************************
247 Do the SPNEGO encryption negotiation. Parameters are in/out.
248 ******************************************************************************/
250 NTSTATUS srv_request_encryption_setup(unsigned char **ppdata, size_t *p_data_size)
252 unsigned char *pdata = *ppdata;
254 if (*p_data_size < 1) {
255 return NT_STATUS_INVALID_PARAMETER;
258 if (pdata[0] == ASN1_APPLICATION(0)) {
260 * Until success we do everything on the partial
263 /* its a negTokenTarg packet */
264 return srv_enc_spnego_negotiate(ppdata, p_data_size);
267 if (pdata[0] == ASN1_CONTEXT(1)) {
268 /* Its a auth packet */
269 return srv_enc_spnego_ntlm_auth(ppdata, p_data_size);
272 return NT_STATUS_INVALID_PARAMETER;
275 /******************************************************************************
276 Negotiation was successful - turn on server-side encryption.
277 ******************************************************************************/
279 void srv_encryption_start(void)
281 /* Throw away the context we're using currently (if any). */
282 srv_free_encryption_context(&srv_trans_enc_ctx);
284 /* Steal the partial pointer. Deliberate shallow copy. */
285 srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
286 srv_trans_enc_ctx->es->enc_on = True;
288 partial_srv_trans_enc_ctx = NULL;
291 /******************************************************************************
292 Shutdown all server contexts.
293 ******************************************************************************/
295 void server_encryption_shutdown(void)
297 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
298 srv_free_encryption_context(&srv_trans_enc_ctx);