source/smb_server/smb/signing.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Copyright (C) Andrew Tridgell              2004
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smb_server/smb_server.h"
  22 #include "libcli/raw/libcliraw.h"
  23 #include "libcli/raw/raw_proto.h"
  24 #include "param/param.h"
  25
  26
  27 /*
  28   sign an outgoing packet
  29 */
  30 void smbsrv_sign_packet(struct smbsrv_request *req)
  31 {
  32 #if 0
  33         /* enable this when packet signing is preventing you working out why valgrind
  34            says that data is uninitialised */
  35         file_save("pkt.dat", req->out.buffer, req->out.size);
  36 #endif
  37
  38         switch (req->smb_conn->signing.signing_state) {
  39         case SMB_SIGNING_ENGINE_OFF:
  40                 break;
  41
  42         case SMB_SIGNING_ENGINE_BSRSPYL:
  43                 /* mark the packet as signed - BEFORE we sign it...*/
  44                 mark_packet_signed(&req->out);
  45
  46                 /* I wonder what BSRSPYL stands for - but this is what MS
  47                    actually sends! */
  48                 memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8);
  49                 break;
  50
  51         case SMB_SIGNING_ENGINE_ON:
  52
  53                 sign_outgoing_message(&req->out,
  54                                       &req->smb_conn->signing.mac_key,
  55                                       req->seq_num+1);
  56                 break;
  57         }
  58         return;
  59 }
  60
  61
  62
  63 /*
  64   setup the signing key for a connection. Called after authentication succeeds
  65   in a session setup
  66 */
  67 bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn,
  68                           DATA_BLOB *session_key,
  69                           DATA_BLOB *response)
  70 {
  71         if (!set_smb_signing_common(&smb_conn->signing)) {
  72                 return false;
  73         }
  74         return smbcli_simple_set_signing(smb_conn,
  75                                          &smb_conn->signing, session_key, response);
  76 }
  77
  78 void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
  79                             DATA_BLOB *session_key,
  80                             DATA_BLOB *response,
  81                             bool authenticated_session)
  82 {
  83         if (!smb_conn->signing.seen_valid) {
  84                 DEBUG(5, ("Client did not send a valid signature on "
  85                           "SPNEGO session setup - ignored, expect good next time\n"));
  86                 /* force things back on (most clients do not sign this packet)... */
  87                 smbsrv_setup_signing(smb_conn, session_key, response);
  88                 smb_conn->signing.next_seq_num = 2;
  89
  90                 /* If mandetory_signing is set, and this was an authenticated logon, then force on */
  91                 if (smb_conn->signing.mandatory_signing && authenticated_session) {
  92                         DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
  93                         /* if this is mandatory, then
  94                          * pretend we have seen a
  95                          * valid packet, so we don't
  96                          * turn it off */
  97                         smb_conn->signing.seen_valid = true;
  98                 }
  99         }
 100 }
 101
 102 bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
 103 {
 104         smb_conn->signing.mac_key = data_blob(NULL, 0);
 105         if (!smbcli_set_signing_off(&smb_conn->signing)) {
 106                 return false;
 107         }
 108
 109         switch (lp_server_signing(smb_conn->lp_ctx)) {
 110         case SMB_SIGNING_OFF:
 111                 smb_conn->signing.allow_smb_signing = false;
 112                 break;
 113         case SMB_SIGNING_SUPPORTED:
 114                 smb_conn->signing.allow_smb_signing = true;
 115                 break;
 116         case SMB_SIGNING_REQUIRED:
 117                 smb_conn->signing.allow_smb_signing = true;
 118                 smb_conn->signing.mandatory_signing = true;
 119                 break;
 120         case SMB_SIGNING_AUTO:
 121                 if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
 122                         smb_conn->signing.allow_smb_signing = true;
 123                         smb_conn->signing.mandatory_signing = true;
 124                 } else {
 125                         smb_conn->signing.allow_smb_signing = true;
 126                 }
 127                 break;
 128         }
 129         return true;
 130 }
 131
 132 /*
 133   allocate a sequence number to a request
 134 */
 135 static void req_signing_alloc_seq_num(struct smbsrv_request *req)
 136 {
 137         req->seq_num = req->smb_conn->signing.next_seq_num;
 138
 139         if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
 140                 req->smb_conn->signing.next_seq_num += 2;
 141         }
 142 }
 143
 144 /*
 145   called for requests that do not produce a reply of their own
 146 */
 147 void smbsrv_signing_no_reply(struct smbsrv_request *req)
 148 {
 149         if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
 150                 req->smb_conn->signing.next_seq_num--;
 151         }
 152 }
 153
 154 /***********************************************************
 155  SMB signing - Simple implementation - check a MAC sent by client
 156 ************************************************************/
 157 /**
 158  * Check a packet supplied by the server.
 159  * @return false if we had an established signing connection
 160  *         which had a back checksum, true otherwise
 161  */
 162 bool smbsrv_signing_check_incoming(struct smbsrv_request *req,
 163                                    bool single_increment)
 164 {
 165         bool good;
 166
 167         req_signing_alloc_seq_num(req);
 168         if (single_increment) {
 169                 smbsrv_signing_no_reply(req);
 170         }
 171
 172         switch (req->smb_conn->signing.signing_state)
 173         {
 174         case SMB_SIGNING_ENGINE_OFF:
 175                 return true;
 176         case SMB_SIGNING_ENGINE_BSRSPYL:
 177         case SMB_SIGNING_ENGINE_ON:
 178         {
 179                 if (req->in.size < (HDR_SS_FIELD + 8)) {
 180                         return false;
 181                 } else {
 182                         good = check_signed_incoming_message(&req->in,
 183                                                              &req->smb_conn->signing.mac_key,
 184                                                              req->seq_num);
 185
 186                         return signing_good(&req->smb_conn->signing,
 187                                             req->seq_num+1, good);
 188                 }
 189         }
 190         }
 191         return false;
 192 }