svn commit: samba r21897 - in branches/SAMBA_3_0/source: . lib libsmb smbd

jra at samba.org jra at samba.org
Wed Mar 21 00:25:11 GMT 2007


Author: jra
Date: 2007-03-21 00:25:08 +0000 (Wed, 21 Mar 2007)
New Revision: 21897

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21897

Log:
Add in a basic raw NTLM encrypt request. Now
for testing.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/Makefile.in
   branches/SAMBA_3_0/source/lib/dummysmbd.c
   branches/SAMBA_3_0/source/libsmb/clifsinfo.c
   branches/SAMBA_3_0/source/libsmb/smb_seal.c
   branches/SAMBA_3_0/source/libsmb/smb_signing.c
   branches/SAMBA_3_0/source/smbd/seal.c
   branches/SAMBA_3_0/source/smbd/trans2.c


Changeset:
Modified: branches/SAMBA_3_0/source/Makefile.in
===================================================================
--- branches/SAMBA_3_0/source/Makefile.in	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/Makefile.in	2007-03-21 00:25:08 UTC (rev 21897)
@@ -256,9 +256,9 @@
 	  lib/substitute.o lib/fsusage.o \
 	  lib/ms_fnmatch.o lib/select.o lib/messages.o \
 	  lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
-	  libsmb/smb_seal.o lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
+	  lib/md5.o lib/hmacmd5.o lib/arc4.o lib/iconv.o \
 	  nsswitch/wb_client.o $(WBCOMMON_OBJ) \
-	  lib/pam_errors.o intl/lang_tdb.o \
+	  lib/pam_errors.o intl/lang_tdb.o libsmb/smb_seal.o \
 	  lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
 	  lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \
 	  lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \

Modified: branches/SAMBA_3_0/source/lib/dummysmbd.c
===================================================================
--- branches/SAMBA_3_0/source/lib/dummysmbd.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/lib/dummysmbd.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -63,3 +63,8 @@
 {
 	;
 }
+
+BOOL srv_encryption_on(void)
+{
+	return False;
+}

Modified: branches/SAMBA_3_0/source/libsmb/clifsinfo.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/clifsinfo.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/libsmb/clifsinfo.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -302,3 +302,116 @@
 
 	return ret;	
 }
+
+/******************************************************************************
+ Send/receive the request encryption blob.
+******************************************************************************/
+
+static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out)
+{
+	uint16 setup;
+	char param[2];
+	char *rparam=NULL, *rdata=NULL;
+	unsigned int rparam_count=0, rdata_count=0;
+	NTSTATUS status = NT_STATUS_OK;
+
+	setup = TRANSACT2_SETFSINFO;
+
+	SSVAL(param,0,SMB_REQUEST_TRANSPORT_ENCRYPTION);
+
+	if (!cli_send_trans(cli, SMBtrans2,
+				NULL,
+				0, 0,
+				&setup, 1, 0,
+				param, 2, 0,
+				(char *)in->data, in->length, CLI_BUFFER_SIZE)) {
+		status = cli_nt_error(cli);
+		goto out;
+	}
+
+	if (!cli_receive_trans(cli, SMBtrans2,
+				&rparam, &rparam_count,
+				&rdata, &rdata_count)) {
+		status = cli_nt_error(cli);
+		goto out;
+	}
+
+	if (cli_is_error(cli)) {
+		status = cli_nt_error(cli);
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+			goto out;
+		}
+	}
+
+	*out = data_blob(rdata, rdata_count);
+
+  out:
+
+	SAFE_FREE(rparam);
+	SAFE_FREE(rdata);
+	return status;
+}
+
+/******************************************************************************
+ Start a raw ntlmssp encryption.
+******************************************************************************/
+
+NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, 
+				const char *user,
+				const char *pass,
+				const char *domain)
+{
+	DATA_BLOB blob_in = data_blob(NULL, 0);
+	DATA_BLOB blob_out = data_blob(NULL, 0);
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	struct smb_trans_enc_state *es = NULL;
+
+	es = SMB_MALLOC_P(struct smb_trans_enc_state);
+	if (!es) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	ZERO_STRUCTP(es);
+	es->smb_enc_type = SMB_TRANS_ENC_NTLM;
+	status = ntlmssp_client_start(&es->ntlmssp_state);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
+
+	ntlmssp_want_feature(es->ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+	es->ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
+
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->ntlmssp_state, user))) {
+		goto fail;
+	}
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->ntlmssp_state, domain))) {
+		goto fail;
+	}
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->ntlmssp_state, pass))) {
+		goto fail;
+	}
+
+	do {
+		status = ntlmssp_update(es->ntlmssp_state, blob_in, &blob_out);
+		data_blob_free(&blob_in);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
+			status = enc_blob_send_receive(cli, &blob_out, &blob_in);
+		}
+		data_blob_free(&blob_out);
+	} while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+
+	data_blob_free(&blob_in);
+
+	if (NT_STATUS_IS_OK(status)) {
+		/* Replace the old state, if any. */
+		if (cli->trans_enc_state) {
+			common_free_encryption_state(&cli->trans_enc_state);
+		}
+		cli->trans_enc_state = es;
+		cli->trans_enc_state->enc_on = True;
+	}
+
+  fail:
+
+	common_free_encryption_state(&es);
+	return status;
+}
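Review bot: On the success path `cli->trans_enc_state = es;` hands the state to the connection, but control then falls through to the `fail:` label and `common_free_encryption_state(&es);` releases that same object, so `cli->trans_enc_state` is left pointing at freed memory with `enc_on` set. Add `es = NULL;` immediately after `cli->trans_enc_state->enc_on = True;` so the cleanup at `fail:` only runs for the error paths. In `enc_blob_send_receive`, `status` stays NT_STATUS_OK when `cli_receive_trans` succeeds with an empty body, and the caller's loop then ends with an empty `blob_in`; if that is intended it deserves a line of comment, since it is the only way the exchange terminates without NT_STATUS_MORE_PROCESSING_REQUIRED.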

Modified: branches/SAMBA_3_0/source/libsmb/smb_seal.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/smb_seal.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/libsmb/smb_seal.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -154,6 +154,12 @@
 		return NT_STATUS_OK;
 	}
 
+	/* Ignore session keepalives. */
+	if(CVAL(buffer,0) == SMBkeepalive) {
+		*buf_out = buffer;
+		return NT_STATUS_OK;
+	}
+
 	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
 		return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
 	} else {
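Review bot: `if(CVAL(buffer,0) == SMBkeepalive)` drops the space after `if` that the rest of this file uses (`if (es->smb_enc_type == ...)` two lines below); the same applies to the decrypt hunk that follows. On the decrypt side the pass-through means a frame whose first byte is SMBkeepalive is never decrypted or integrity-checked, which is fine for NBT session keepalives but relies on every caller discarding such frames rather than parsing them as SMB; I would extend the comment to `/* NBT session keepalives are never sealed; callers must discard them, not treat them as SMB. */`. Both enclosing functions begin before their hunks.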
@@ -177,6 +183,12 @@
 		/* Not decrypting. */
 		return NT_STATUS_OK;
 	}
+
+	/* Ignore session keepalives. */
+	if(CVAL(buf,0) == SMBkeepalive) {
+		return NT_STATUS_OK;
+	}
+
 	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
 		return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
 	} else {
@@ -282,15 +294,3 @@
 {
 	return common_encrypt_buffer(cli->trans_enc_state, cli->outbuf, buf_out);
 }
-
-/******************************************************************************
- Start a raw ntlmssp encryption.
-******************************************************************************/
-
-NTSTATUS cli_ntlm_smb_encryption_on(struct cli_state *cli, 
-				const char *user,
-				const char *pass,
-				const char *workgroup)
-{
-
-}

Modified: branches/SAMBA_3_0/source/libsmb/smb_signing.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/smb_signing.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/libsmb/smb_signing.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -585,7 +585,9 @@
  
 void cli_calculate_sign_mac(struct cli_state *cli)
 {
-	cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+	if (!cli_encryption_on(cli)) {
+		cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+	}
 }
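Review bot: The new `cli_encryption_on(cli)` bypass here, and in the three client hunks that follow in this file, carries no explanation, whereas the server-side counterparts further down do; a reader of `cli_check_sign_mac` returning True cannot tell that integrity is now provided by the sealed transport. Add `/* On an encrypted transport the seal provides integrity; SMB signing is skipped. */` above each check. This presumably depends on `cli_encryption_on()` only becoming true once the encrypted transport is actually active (the clifsinfo change sets `enc_on` only after a successful negotiation), which is worth stating in that comment.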
 
 /**
@@ -596,6 +598,9 @@
  
 BOOL cli_check_sign_mac(struct cli_state *cli) 
 {
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) {
 		free_signing_context(&cli->sign_info);	
 		return False;
@@ -612,6 +617,9 @@
 	struct smb_sign_info *si = &cli->sign_info;
 	struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
 
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!si->doing_signing) {
 		return True;
 	}
@@ -637,6 +645,9 @@
 	struct smb_sign_info *si = &cli->sign_info;
 	struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
 
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!si->doing_signing) {
 		return True;
 	}
@@ -798,9 +809,19 @@
 BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
 {
 	/* Check if it's a session keepalive. */
-	if(CVAL(inbuf,0) == SMBkeepalive)
+	if(CVAL(inbuf,0) == SMBkeepalive) {
 		return True;
+	}
 
+	/* 
+	 * If we have an encrypted transport
+	 * don't sign - we're already doing that.
+	 */
+
+	if (srv_encryption_on()) {
+		return True;
+	}
+
 	return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok);
 }
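Review bot: The explanatory comments are swapped between this hunk and the next one: `srv_check_sign_mac` verifies signatures, yet its comment says "don't sign - we're already doing that", while `srv_calculate_sign_mac` (next hunk) signs, yet its comment says "don't check sign". Use `* don't check the signature - the seal already provides integrity.` here and `* don't sign - the seal already provides integrity.` in `srv_calculate_sign_mac`. The keepalive early-return before the encryption check is consistent with the smb_seal.c pass-through of unsealed keepalives.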
 
@@ -811,10 +832,19 @@
 void srv_calculate_sign_mac(char *outbuf)
 {
 	/* Check if it's a session keepalive. */
-	/* JRA Paranioa test - do we ever generate these in the server ? */
-	if(CVAL(outbuf,0) == SMBkeepalive)
+	if(CVAL(outbuf,0) == SMBkeepalive) {
 		return;
+	}
 
+	/* 
+	 * If we have an encrypted transport
+	 * don't check sign - we're already doing that.
+	 */
+
+	if (srv_encryption_on()) {
+		return;
+	}
+
 	srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info);
 }
 

Modified: branches/SAMBA_3_0/source/smbd/seal.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/seal.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/smbd/seal.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -385,8 +385,36 @@
  Negotiation was successful - turn on server-side encryption.
 ******************************************************************************/
 
-void srv_encryption_start(void)
+static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
 {
+	if (!ec || !ec->es) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
+		if ((ec->es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) !=
+				(NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+	/* Todo - check gssapi case. */
+
+	return NT_STATUS_OK;
+}
+
+/******************************************************************************
+ Negotiation was successful - turn on server-side encryption.
+******************************************************************************/
+
+NTSTATUS srv_encryption_start(void)
+{
+	NTSTATUS status;
+
+	/* Check that we are really doing sign+seal. */
+	status = check_enc_good(partial_srv_trans_enc_ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
 	/* Throw away the context we're using currently (if any). */
 	srv_free_encryption_context(&srv_trans_enc_ctx);
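Review bot: `check_enc_good` now sits directly under the pre-existing header "Negotiation was successful - turn on server-side encryption." (context lines at the top of the hunk), which describes `srv_encryption_start`, not the new function; the duplicate header added below is the correct one for `srv_encryption_start`. Replace the first header's text with ` Verify that the negotiated context really provides sign+seal (NTLM only so far).`. Note also that for the non-NTLM (gssapi) case the function returns NT_STATUS_OK without checking anything, so the caller's comment "Check that we are really doing sign+seal" over-promises until the Todo is resolved, and `ec->es->ntlmssp_state` is dereferenced without a NULL check, which is only safe if an NTLM-typed state always has one. `srv_encryption_start` continues past the end of this hunk.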
 
@@ -395,6 +423,7 @@
 	srv_trans_enc_ctx->es->enc_on = True;
 
 	partial_srv_trans_enc_ctx = NULL;
+	return NT_STATUS_OK;
 }
 
 /******************************************************************************

Modified: branches/SAMBA_3_0/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/trans2.c	2007-03-20 22:44:22 UTC (rev 21896)
+++ branches/SAMBA_3_0/source/smbd/trans2.c	2007-03-21 00:25:08 UTC (rev 21897)
@@ -2781,7 +2781,10 @@
 
 				if (NT_STATUS_IS_OK(status)) {
 					/* Server-side transport encryption is now *on*. */
-					srv_encryption_start();
+					status = srv_encryption_start();
+					if (!NT_STATUS_IS_OK(status)) {
+						exit_server_cleanly("Failure in setting up encrypted transport");
+					}
 				}
 				return -1;
 			}
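Review bot: The NTSTATUS from `srv_encryption_start()` is dropped before `exit_server_cleanly`, so an operator sees only the fixed message and cannot tell a client that negotiated without sign+seal (NT_STATUS_INVALID_PARAMETER) from a missing context (NT_STATUS_LOGON_FAILURE). Log it first: `DEBUG(0,("srv_encryption_start failed: %s\n", nt_errstr(status)));`. Terminating the process also means the client only observes a dropped connection; whether a reply has already been sent at this point is not visible here, since the enclosing function begins and ends outside the hunk.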


