2 Unix SMB/CIFS implementation.
3 SMB Transport encryption (sealing) code - server code.
4 Copyright (C) Jeremy Allison 2007.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /******************************************************************************
24 Server side encryption.
25 ******************************************************************************/
27 /******************************************************************************
29 ******************************************************************************/
31 struct smb_srv_trans_enc_ctx {
32 struct smb_trans_enc_state *es;
33 AUTH_NTLMSSP_STATE *auth_ntlmssp_state; /* Must be kept in sync with pointer in ec->ntlmssp_state. */
36 static struct smb_srv_trans_enc_ctx *partial_srv_trans_enc_ctx;
37 static struct smb_srv_trans_enc_ctx *srv_trans_enc_ctx;
39 /******************************************************************************
40 Is server encryption on ?
41 ******************************************************************************/
43 BOOL srv_encryption_on(void)
45 if (srv_trans_enc_ctx) {
46 return common_encryption_on(srv_trans_enc_ctx->es);
51 /******************************************************************************
52 Shutdown a server encryption state.
53 ******************************************************************************/
55 static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec)
57 struct smb_srv_trans_enc_ctx *ec = *pp_ec;
64 struct smb_trans_enc_state *es = ec->es;
65 if (es->smb_enc_type == SMB_TRANS_ENC_NTLM &&
66 ec->auth_ntlmssp_state) {
67 auth_ntlmssp_end(&ec->auth_ntlmssp_state);
68 /* The auth_ntlmssp_end killed this already. */
69 es->ntlmssp_state = NULL;
71 common_free_encryption_state(&ec->es);
78 /******************************************************************************
79 Free an encryption-allocated buffer.
80 ******************************************************************************/
82 void srv_free_enc_buffer(char *buf)
84 if (srv_trans_enc_ctx) {
85 return common_free_enc_buffer(srv_trans_enc_ctx->es, buf);
89 /******************************************************************************
90 Decrypt an incoming buffer.
91 ******************************************************************************/
93 NTSTATUS srv_decrypt_buffer(char *buf)
95 if (srv_trans_enc_ctx) {
96 return common_decrypt_buffer(srv_trans_enc_ctx->es, buf);
101 /******************************************************************************
102 Encrypt an outgoing buffer. Return the encrypted pointer in buf_out.
103 ******************************************************************************/
105 NTSTATUS srv_encrypt_buffer(char *buffer, char **buf_out)
107 if (srv_trans_enc_ctx) {
108 return common_encrypt_buffer(srv_trans_enc_ctx->es, buffer, buf_out);
110 /* Not encrypting. */
115 /******************************************************************************
116 Do the gss encryption negotiation. Parameters are in/out.
117 Until success we do everything on the partial enc ctx.
118 ******************************************************************************/
120 #if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
121 static NTSTATUS srv_enc_spnego_gss_negotiate(char **ppdata, size_t *p_data_size, DATA_BLOB *psecblob)
123 return NT_STATUS_NOT_SUPPORTED;
127 /******************************************************************************
128 Do the SPNEGO encryption negotiation. Parameters are in/out.
129 Covers the NTLM case. Based off code in smbd/sesssionsetup.c
130 Until success we do everything on the partial enc ctx.
131 ******************************************************************************/
133 static NTSTATUS srv_enc_spnego_negotiate(unsigned char **ppdata, size_t *p_data_size)
136 DATA_BLOB blob = data_blob(NULL,0);
137 DATA_BLOB secblob = data_blob(NULL, 0);
138 DATA_BLOB chal = data_blob(NULL, 0);
139 DATA_BLOB response = data_blob(NULL, 0);
140 BOOL got_kerberos_mechanism = False;
141 struct smb_srv_trans_enc_ctx *ec = NULL;
143 blob = data_blob_const(*ppdata, *p_data_size);
145 status = parse_spnego_mechanisms(blob, &secblob, &got_kerberos_mechanism);
146 if (!NT_STATUS_IS_OK(status)) {
147 return nt_status_squash(status);
150 /* We should have no partial context at this point. */
152 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
154 partial_srv_trans_enc_ctx = SMB_MALLOC_P(struct smb_srv_trans_enc_ctx);
155 if (!partial_srv_trans_enc_ctx) {
156 data_blob_free(&secblob);
157 return NT_STATUS_NO_MEMORY;
159 ZERO_STRUCTP(partial_srv_trans_enc_ctx);
161 #if defined(HAVE_GSSAPI_SUPPORT) && defined(HAVE_KRB5)
162 if (got_kerberos_mechanism && lp_use_kerberos_keytab()) ) {
163 status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, &secblob);
164 if (!NT_STATUS_IS_OK(status)) {
165 data_blob_free(&secblob);
166 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
172 /* Deal with an NTLM enc. setup. */
173 ec = partial_srv_trans_enc_ctx;
175 status = auth_ntlmssp_start(&ec->auth_ntlmssp_state);
176 if (!NT_STATUS_IS_OK(status)) {
177 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
178 return nt_status_squash(status);
181 status = auth_ntlmssp_update(ec->auth_ntlmssp_state, secblob, &chal);
182 data_blob_free(&secblob);
184 /* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
187 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
188 data_blob_free(&chal);
191 *ppdata = response.data;
192 *p_data_size = response.length;
197 /******************************************************************************
198 Complete a SPNEGO encryption negotiation. Parameters are in/out.
199 ******************************************************************************/
201 static NTSTATUS srv_enc_spnego_auth(unsigned char **ppdata, size_t *p_data_size)
203 return NT_STATUS_NOT_SUPPORTED;
206 /******************************************************************************
207 Do the SPNEGO encryption negotiation. Parameters are in/out.
208 ******************************************************************************/
210 NTSTATUS srv_request_encryption_setup(unsigned char **ppdata, size_t *p_data_size)
212 unsigned char *pdata = *ppdata;
214 if (*p_data_size < 1) {
215 return NT_STATUS_INVALID_PARAMETER;
218 if (pdata[0] == ASN1_APPLICATION(0)) {
220 * Until success we do everything on the partial
223 /* its a negTokenTarg packet */
224 return srv_enc_spnego_negotiate(ppdata, p_data_size);
227 if (pdata[0] == ASN1_CONTEXT(1)) {
228 /* Its a auth packet */
229 return srv_enc_spnego_auth(ppdata, p_data_size);
232 return NT_STATUS_INVALID_PARAMETER;
235 /******************************************************************************
236 Negotiation was successful - turn on server-side encryption.
237 ******************************************************************************/
239 void srv_encryption_start(void)
241 srv_free_encryption_context(&srv_trans_enc_ctx);
242 /* Steal the partial pointer. Deliberate shallow copy. */
243 srv_trans_enc_ctx = partial_srv_trans_enc_ctx;
244 srv_trans_enc_ctx->es->enc_on = True;
246 partial_srv_trans_enc_ctx = NULL;
249 /******************************************************************************
250 Shutdown all server contexts.
251 ******************************************************************************/
253 void server_encryption_shutdown(void)
255 srv_free_encryption_context(&partial_srv_trans_enc_ctx);
256 srv_free_encryption_context(&srv_trans_enc_ctx);