*/
#include "includes.h"
+#include "smb_crypt.h"
+#include "libsmb/libsmb.h"
+#include "libcli/auth/krb5_wrap.h"
+#include "auth/gensec/gensec.h"
+
+#undef malloc
/******************************************************************************
Pull out the encryption context for this packet. 0 means global context.
******************************************************************************/
-NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16 *p_enc_ctx_num)
+NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16_t *p_enc_ctx_num)
{
- if (smb_len(buf) < 8) {
+ if (smb_len_nbt(buf) < 8) {
return NT_STATUS_INVALID_BUFFER_SIZE;
}
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
+/*******************************************************************
+ Set the length and marker of an encrypted smb packet.
+********************************************************************/
+
+static void smb_set_enclen(char *buf,int len,uint16_t enc_ctx_num)
+{
+ _smb_setlen_nbt(buf,len);
+
+ SCVAL(buf,4,0xFF);
+ SCVAL(buf,5,'E');
+ SSVAL(buf,6,enc_ctx_num);
+}
+
/******************************************************************************
Generic code for client and server.
Is encryption turned on ?
/******************************************************************************
Generic code for client and server.
- NTLM decrypt an incoming buffer.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so cope with the same for compatibility.
+ GENSEC decrypt an incoming buffer.
******************************************************************************/
-NTSTATUS common_ntlm_decrypt_buffer(NTLMSSP_STATE *ntlmssp_state, char *buf)
+static NTSTATUS common_gensec_decrypt_buffer(struct gensec_security *gensec,
+ char *buf)
{
NTSTATUS status;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
- size_t data_len;
- char *inbuf;
- DATA_BLOB sig;
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
+ DATA_BLOB in_buf, out_buf;
+ TALLOC_CTX *frame;
- if (buf_len < 8 + NTLMSSP_SIG_SIZE) {
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- inbuf = (char *)smb_xmemdup(buf, buf_len);
+ frame = talloc_stackframe();
- /* Adjust for the signature. */
- data_len = buf_len - 8 - NTLMSSP_SIG_SIZE;
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
- /* Point at the signature. */
- sig = data_blob_const(inbuf+8, NTLMSSP_SIG_SIZE);
-
- status = ntlmssp_unseal_packet(ntlmssp_state,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'E' <enc> <ctx> */
- data_len,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ status = gensec_unwrap(gensec, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- SAFE_FREE(inbuf);
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- memcpy(buf + 8, inbuf + 8 + NTLMSSP_SIG_SIZE, data_len);
+ if (out_buf.length > in_buf.length) {
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap size (%u) too large (%u) !\n",
+ (unsigned int)out_buf.length,
+ (unsigned int)in_buf.length ));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ memcpy(buf + 8, out_buf.data, out_buf.length);
/* Reset the length and overwrite the header. */
- smb_setlen(buf,data_len + 4);
+ smb_setlen_nbt(buf, out_buf.length + 4);
+
+ TALLOC_FREE(frame);
- SAFE_FREE(inbuf);
return NT_STATUS_OK;
}
/******************************************************************************
Generic code for client and server.
NTLM encrypt an outgoing buffer. Return the encrypted pointer in ppbuf_out.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so do the same for compatibility.
******************************************************************************/
-NTSTATUS common_ntlm_encrypt_buffer(NTLMSSP_STATE *ntlmssp_state,
- uint16 enc_ctx_num,
- char *buf,
- char **ppbuf_out)
+static NTSTATUS common_gensec_encrypt_buffer(struct gensec_security *gensec,
+ uint16_t enc_ctx_num,
+ char *buf,
+ char **ppbuf_out)
{
NTSTATUS status;
- char *buf_out;
- size_t data_len = smb_len(buf) - 4; /* Ignore the 0xFF SMB bytes. */
- DATA_BLOB sig;
+ DATA_BLOB in_buf, out_buf;
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
+ TALLOC_CTX *frame;
*ppbuf_out = NULL;
- if (data_len == 0) {
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
- /*
- * We know smb_len can't return a value > 128k, so no int overflow
- * check needed.
- */
-
- buf_out = SMB_XMALLOC_ARRAY(char, 8 + NTLMSSP_SIG_SIZE + data_len);
-
- /* Copy the data from the original buffer. */
-
- memcpy(buf_out + 8 + NTLMSSP_SIG_SIZE, buf + 8, data_len);
-
- smb_set_enclen(buf_out, smb_len(buf) + NTLMSSP_SIG_SIZE, enc_ctx_num);
-
- ZERO_STRUCT(sig);
-
- status = ntlmssp_seal_packet(ntlmssp_state,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'S' <enc> <ctx> */
- data_len,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ frame = talloc_stackframe();
+ status = gensec_wrap(gensec, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- data_blob_free(&sig);
- SAFE_FREE(buf_out);
+ DEBUG(0,("common_gensec_encrypt_buffer: gensec_wrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- /* First 16 data bytes are signature for SSPI compatibility. */
- memcpy(buf_out + 8, sig.data, NTLMSSP_SIG_SIZE);
- data_blob_free(&sig);
- *ppbuf_out = buf_out;
+ *ppbuf_out = (char *)malloc(out_buf.length + 8); /* We know this can't wrap. */
+ if (!*ppbuf_out) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ memcpy(*ppbuf_out+8, out_buf.data, out_buf.length);
+ smb_set_enclen(*ppbuf_out, out_buf.length + 4, enc_ctx_num);
+
+ TALLOC_FREE(frame);
+
return NT_STATUS_OK;
}
OM_uint32 minor = 0;
int flags_got = 0;
gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
(gss_qop_t *) NULL);
if (ret != GSS_S_COMPLETE) {
- ADS_STATUS adss = ADS_ERROR_GSS(ret, minor);
- DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap failed. Error %s\n",
- ads_errstr(adss) ));
- return map_nt_error_from_gss(ret, minor);
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ char *gss_err;
+
+ gss_err = gssapi_error_string(talloc_tos(),
+ ret, minor,
+ GSS_C_NULL_OID);
+ DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap failed. "
+ "Error [%d/%d] - %s - %s\n",
+ ret, minor, nt_errstr(status),
+ gss_err ? gss_err : "<unknown>"));
+ talloc_free(gss_err);
+
+ return status;
}
if (out_buf.length > in_buf.length) {
- DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap size (%u) too large (%u) !\n",
+ DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap size (%u) too large (%u) !\n",
(unsigned int)out_buf.length,
(unsigned int)in_buf.length ));
gss_release_buffer(&minor, &out_buf);
memcpy(buf + 8, out_buf.value, out_buf.length);
/* Reset the length and overwrite the header. */
- smb_setlen(buf, out_buf.length + 4);
+ smb_setlen_nbt(buf, out_buf.length + 4);
gss_release_buffer(&minor, &out_buf);
return NT_STATUS_OK;
******************************************************************************/
static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_state,
- uint16 enc_ctx_num,
+ uint16_t enc_ctx_num,
char *buf,
char **ppbuf_out)
{
OM_uint32 minor = 0;
int flags_got = 0;
gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+ size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
*ppbuf_out = NULL;
&out_buf);
if (ret != GSS_S_COMPLETE) {
- ADS_STATUS adss = ADS_ERROR_GSS(ret, minor);
- DEBUG(0,("common_gss_encrypt_buffer: gss_wrap failed. Error %s\n",
- ads_errstr(adss) ));
- return map_nt_error_from_gss(ret, minor);
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ char *gss_err;
+
+ gss_err = gssapi_error_string(talloc_tos(),
+ ret, minor,
+ GSS_C_NULL_OID);
+ DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap failed. "
+ "Error [%d/%d] - %s - %s\n",
+ ret, minor, nt_errstr(status),
+ gss_err ? gss_err : "<unknown>"));
+ talloc_free(gss_err);
+
+ return status;
}
if (!flags_got) {
* bother :-*(. JRA.
*/
- *ppbuf_out = (char *)SMB_MALLOC(out_buf.length + 8); /* We know this can't wrap. */
+ *ppbuf_out = (char *)malloc(out_buf.length + 8); /* We know this can't wrap. */
if (!*ppbuf_out) {
gss_release_buffer(&minor, &out_buf);
return NT_STATUS_NO_MEMORY;
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_encrypt_buffer(es->s.ntlmssp_state, es->enc_ctx_num, buffer, buf_out);
+ return common_gensec_encrypt_buffer(es->s.gensec_security, es->enc_ctx_num, buffer, buf_out);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_encrypt_buffer(es->s.gss_state, es->enc_ctx_num, buffer, buf_out);
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_decrypt_buffer(es->s.ntlmssp_state, buf);
+ return common_gensec_decrypt_buffer(es->s.gensec_security, buf);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_decrypt_buffer(es->s.gss_state, buf);
}
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- if (es->s.ntlmssp_state) {
- ntlmssp_end(&es->s.ntlmssp_state);
+ if (es->s.gensec_security) {
+ TALLOC_FREE(es->s.gensec_security);
}
}
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
return;
}
- if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- SAFE_FREE(buf);
- return;
- }
-
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- if (es->smb_enc_type == SMB_TRANS_ENC_GSS) {
- OM_uint32 min;
- gss_buffer_desc rel_buf;
- rel_buf.value = buf;
- rel_buf.length = smb_len(buf) + 4;
- gss_release_buffer(&min, &rel_buf);
- }
-#endif
-}
-
-/******************************************************************************
- Client side encryption.
-******************************************************************************/
-
-/******************************************************************************
- Is client encryption on ?
-******************************************************************************/
-
-bool cli_encryption_on(struct cli_state *cli)
-{
- /* If we supported multiple encrytion contexts
- * here we'd look up based on tid.
- */
- return common_encryption_on(cli->trans_enc_state);
-}
-
-/******************************************************************************
- Shutdown a client encryption state.
-******************************************************************************/
-
-void cli_free_encryption_context(struct cli_state *cli)
-{
- common_free_encryption_state(&cli->trans_enc_state);
-}
-
-/******************************************************************************
- Free an encryption-allocated buffer.
-******************************************************************************/
-
-void cli_free_enc_buffer(struct cli_state *cli, char *buf)
-{
- /* We know this is an smb buffer, and we
- * didn't malloc, only copy, for a keepalive,
- * so ignore non-session messages. */
-
- if(CVAL(buf,0)) {
- return;
- }
-
- /* If we supported multiple encrytion contexts
- * here we'd look up based on tid.
- */
- common_free_enc_buffer(cli->trans_enc_state, buf);
-}
-
-/******************************************************************************
- Decrypt an incoming buffer.
-******************************************************************************/
-
-NTSTATUS cli_decrypt_message(struct cli_state *cli)
-{
- NTSTATUS status;
- uint16 enc_ctx_num;
-
- /* Ignore non-session messages. */
- if(CVAL(cli->inbuf,0)) {
- return NT_STATUS_OK;
- }
-
- status = get_enc_ctx_num((const uint8_t *)cli->inbuf, &enc_ctx_num);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
- return NT_STATUS_INVALID_HANDLE;
- }
-
- return common_decrypt_buffer(cli->trans_enc_state, cli->inbuf);
-}
-
-/******************************************************************************
- Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
-******************************************************************************/
-
-NTSTATUS cli_encrypt_message(struct cli_state *cli, char *buf, char **buf_out)
-{
- /* Ignore non-session messages. */
- if (CVAL(buf,0)) {
- return NT_STATUS_OK;
- }
-
- /* If we supported multiple encrytion contexts
- * here we'd look up based on tid.
- */
- return common_encrypt_buffer(cli->trans_enc_state, buf, buf_out);
+ SAFE_FREE(buf);
}
git.samba.org / rusty / samba.git / blobdiff