[SCM] Samba Shared Repository - branch master updated
Jim McDonough
jmcd at samba.org
Tue Mar 16 07:54:04 MDT 2010
The branch, master has been updated
via a0e2632... s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close
via f6ae16e... smb_traffic_analyzer.c: optimize marshalling function and document
via 002193d... vfs_smb_traffic_analyzer.c: added function static char *smb_traffic_analyzer_anonymize
via c1fb55c... Simplify the code a bit by creating the functions: smb_traffic_analyzer_encrypt - doing the encryption of a data block, smb_traffic_analyzer_create_header - create the protocol header, smb_traffic_analyzer_write_data - actually write the data to the socket.
via 56dfc09... Update the manpage of vfs_smb_traffic_analyzer and add smbta-util.
via 69d7d6c... Add the number of common data blocks to the protocol.
via 4940da2... Put all the protocol stuff into a separate header file.
via 5b7179d... Add smbta-util to manage the encryption key.
via 6437df7... Implement AES encryption of the data block.
via 3f5f2d8... Implement anonymization for protocol v2.
via b745730... Make all remarks compatible to the linux kernel coding styleguide.
via 81c6b87... Added an exact description of the V2 protocol. I don't think it should have its place in the man page, because this is developer information.
via a45db59... Move the creation of the header.
via 9702dcf... Fetch the SID of the user we are running as and send with the common data.
via 654cff4... Additionally send the vfs function id with the protocol.
via 27f4f51... According to the linux kernel coding styleguide, it's better to align the switch and its case statements in the same column. This saves us one indentation level.
via cdd1906... Don't use typedefs on the VFS function data structures as typedefs are evil according to the linux kernel coding styleguide.
via 8cb5bac... Add read,pread,write,pwrite support to the V2 protocol.
via 541fb43... Enable AES encryption of the data if a key was found in secrets.tdb.
via 7bff1ea... Add rmdir, chdir, and rename as supported VFS functions
via e959bdc... The format of data we are sending over the network will be flexible when sending over the network in protocol v2. To be able to do this, we create a new va-list function that is creating the buffer to send. Also it makes it easier for the receiver to parse the data; it sends an initial header containing the full length of the buffer to be sent. For the individual strings, it sends sub headers containing the length of the upcoming substring to be sent. With the header-data-header-data [..] structure we don't need to quote the sub strings finally enabling having all possible character sets in filenames etc.
via dcff7d3... Create structs carrying the data of individual VFS functions, and hand those over to the send function, which then casts the void pointer to the struct required by looking at the id. This allows us to return different result data depending on the VFS function that is running. Make the protocol v1 sender compatible to this. Adapt the existing VFS functions to use the new data structures. Make use of the new functionality and extend the mkdir VFS logger function to return the creation mode additionally.
via 2a643ef... Introduce smb_traffic_analyzer protocol v2.
from 8353aa3... s4:idl change level to type in lsa_ForestTrustRecord.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a0e2632e119c2e3e086cd485d448b44836c1499b
Author: Holger Hetterich <hhetter at novell.com>
Date: Mon Feb 15 17:47:30 2010 +0100
s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close
commit f6ae16e318145224cc38180628e542bb3fc6bb8c
Author: Holger Hetterich <hhetter at novell.com>
Date: Sun Feb 7 20:39:58 2010 +0100
smb_traffic_analyzer.c: optimize marshalling function and document
Collect all data that is needed, and use only one talloc_asprintf
operation to create the string of common data. This simplifies
the code a bit and is most probably faster than the old method.
Also, #define SMBTA_COMMON_DATA_COUNT as a complete string,
speeding things up because we know the value at compile time.
commit 002193d34bc9ff385a866af2d39ed713a5bef1bf
Author: Holger Hetterich <hhetter at novell.com>
Date: Sat Feb 6 11:36:14 2010 +0100
vfs_smb_traffic_analyzer.c: added function
static char *smb_traffic_analyzer_anonymize
This takes a lot of code out of the main functions,
and makes it a bit simpler. Do the anonymization in a function.
Since we already anonymized the username we don't need to do
this a second time in the v2 marshalling function.
commit c1fb55caa5bfc079bda6a6ef98ee591800789778
Author: Holger Hetterich <hhetter at novell.com>
Date: Thu Feb 4 22:03:53 2010 +0100
Simplify the code a bit by creating the functions:
smb_traffic_analyzer_encrypt - doing the encryption of a data block,
smb_traffic_analyzer_create_header - create the protocol header,
smb_traffic_analyzer_write_data - actually write the data to the
socket.
commit 56dfc0915c7a461fc53d32e9cbe29460a75c9b26
Author: Holger Hetterich <hhetter at novell.com>
Date: Sat Jan 30 17:43:50 2010 +0100
Update the manpage of vfs_smb_traffic_analyzer and add smbta-util.
commit 69d7d6c01a01cc81f7e28593701d3425adfce8ec
Author: Holger Hetterich <hhetter at novell.com>
Date: Tue Feb 2 20:04:40 2010 +0100
Add the number of common data blocks to the protocol.
Always send the number of common data blocks first. This way, we
can make the protocol backwards compatible. A receiver running with
an older subprotocol can just ignore if a newer sender sends more
common data.
Add a few remarks to the marshalling function. Add two #define lines
defining the protocol subrelease number and the number of common
data blocks to the header file.
commit 4940da2e99647b2d6ae3b4abf78c9904e4390074
Author: Holger Hetterich <hhetter at novell.com>
Date: Tue Feb 2 19:36:23 2010 +0100
Put all the protocol stuff into a separate header file.
All the structures and the vfs function identifier list are required
by the receiver. It's therefore very handy to have this in an extra
header file.
commit 5b7179d2a3708246c44c5c5126368588f9da74a0
Author: Holger Hetterich <hhetter at novell.com>
Date: Tue Feb 2 00:14:28 2010 +0100
Add smbta-util to manage the encryption key.
This program allows the administrator to enable or disable AES
encryption when using vfs_smb_traffic_analyzer. It also generates new
keys, stores them to a file, so that the file can be reused on another
client or server.
commit 6437df7d2ceedeb26be82e050b300ad55839a721
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Jan 29 21:34:27 2010 +0100
Implement AES encryption of the data block.
First try. This runs on 16 bytes long AES block size, and enlarges the
data block with 16 bytes, to make sure all bytes are in. The added
bytes are filled with '.'. It then creates a header featuring the new
length to be sent, and finally sends the data block, then returns.
This code is untested, as creating the receiver will be my next step.
To simplify traffic_analyzer's code, this code should run as a function.
It's on the to-do list.
commit 3f5f2d82bd2447ea6a3f7dc626ff9a11f7101055
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Jan 29 14:57:20 2010 +0100
Implement anonymization for protocol v2.
Since we need to care for the SID too, do the anonymization in the
marshalling function and anonymize both the username and the SID.
Remove the 'A' status flag from the header definition. A listener
could see from the unencrypted header if the module is anonymizing
or not, which is certainly not wanted.
commit b7457301616d27078338fc476273b99d0e78330b
Author: Holger Hetterich <hhetter at novell.com>
Date: Sat Jan 23 22:45:28 2010 +0100
Make all remarks compatible to the linux kernel coding styleguide.
commit 81c6b878b1cb665d7dd4b365af82a8c15b099d38
Author: Holger Hetterich <hhetter at novell.com>
Date: Sat Jan 23 22:03:22 2010 +0100
Added an exact description of the V2 protocol.
I don't think it should have its place in the man page, because this is
developer information.
commit a45db5948050b7a94181e0579fb9fc9f651aed74
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Jan 22 21:17:53 2010 +0100
Move the creation of the header.
Since the header block of the protocol contains the number of bytes to
come, we always send the header itself unmodified.
If we compress or crypt the data we are about to send, the length of the
data to send may change. Therefore, we no longer create the header in
smb_traffic_analyzer_create_string, but shortly before we send the data.
For both cases, encryption and normal, we create our own header, and
send it before the actual data.
In case of protocol v1, we don't need to create an extra header.
Just send the data, and return from the function.
Change a debug message to say that the header for crypted data has
been created.
Add status flags consisting of 6 bytes to the header. Their function
will be described in one of the next patches, which is describing
the header in a longer comment.
When anonymization and/or encryption is used, set the flags accordingly.
commit 9702dcfa918f18c038eef0251b6330d6cf9a7162
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Jan 22 14:55:33 2010 +0100
Fetch the SID of the user we are running as and send with the common
data.
commit 654cff4cc356ca9c403a57af19f319ec26da54ce
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Jan 22 13:04:21 2010 +0100
Additionally send the vfs function id with the protocol.
commit 27f4f51d56e8b8d00729ca1eb0c6b1e1762274ce
Author: Holger Hetterich <hhetter at novell.com>
Date: Thu Jan 21 23:26:54 2010 +0100
According to the linux kernel coding styleguide, it's better to
align the switch and its case statements in the same column.
This saves us one indentation level.
commit cdd19067284081af01f38a4ed78a9667990677cd
Author: Holger Hetterich <hhetter at novell.com>
Date: Thu Jan 21 23:16:58 2010 +0100
Don't use typedefs on the VFS function data structures as
typedefs are evil according to the linux kernel coding
styleguide.
commit 8cb5bac9ee96321c982038cb5dc951f6c2856d8c
Author: Holger Hetterich <hhetter at novell.com>
Date: Thu Jan 21 22:31:09 2010 +0100
Add read,pread,write,pwrite support to the V2 protocol.
commit 541fb436cc3d69c154dcd90d2e6b22c273baa501
Author: Holger Hetterich <hhetter at novell.com>
Date: Mon Dec 14 20:43:15 2009 +0100
Enable AES encryption of the data if a key was found in secrets.tdb.
commit 7bff1eabe5af297f115dbe7e815a006bfd78b19e
Author: Holger Hetterich <hhetter at novell.com>
Date: Fri Dec 11 21:04:46 2009 +0100
Add rmdir, chdir, and rename as supported VFS functions
commit e959bdcca4c6c879520f7f2734550c472f99836a
Author: Holger Hetterich <hhetter at novell.com>
Date: Tue Sep 22 20:01:35 2009 +0200
The format of data we are sending over the network will be flexible when sending over the network in protocol v2. To be able to do this, we create a new va-list function that is creating the buffer to send. Also it makes it easier for the receiver to parse the data; it sends an initial header containing the full length of the buffer to be sent. For the individual strings, it sends sub headers containing the length of the upcoming substring to be sent. With the header-data-header-data [..] structure we don't need to quote the sub strings finally enabling having all possible character sets in filenames etc.
In the sending function, implement mkdir to actually send its data
for testing.
commit dcff7d367248ec7ecf59c4f423a81b8816799ec5
Author: Holger Hetterich <hhetter at novell.com>
Date: Mon Sep 21 15:33:21 2009 +0200
Create structs carrying the data of individual VFS functions, and hand those over to the send function, which then casts the void pointer to the struct required by looking at the id. This allows us to return different result data depending on the VFS function that is running. Make the protocol v1 sender compatible to this. Adapt the existing VFS functions to use the new data structures. Make use of the new functionality and extend the mkdir VFS logger function to return the creation mode additionally.
commit 2a643ef10c3ed64dc60a7899a581a7b83004ce0e
Author: Holger Hetterich <hhetter at novell.com>
Date: Thu Sep 17 20:11:39 2009 +0200
Introduce smb_traffic_analyzer protocol v2.
From Holger:
Make smb_traffic_analyzer differ the protocol versions to enable the development of version 2 of the protocol. To do this, a new parameter "protocol_version" has been introduced, which can be set to "V1", "V2", or nothing. If protocol_version is not set, V1 will be chosen automatically.
Created an enum for identifying VFS functions in the upcoming protocol v2. Converted the existing VFS functions to use the identifier, and set the read/write bool used in protocol v1 accordingly, also ignore any other VFS functions except read/write/pread/pwrite in v1. Added a first new VFS function for mkdir, which I use for testing and implementing both the sender and receiver for v2.
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages-3/smbta-util.8.xml | 119 ++++
docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml | 126 ++++-
source3/Makefile.in | 17 +-
source3/modules/vfs_smb_traffic_analyzer.c | 573 +++++++++++++++++---
source3/modules/vfs_smb_traffic_analyzer.h | 157 ++++++
source3/utils/smbta-util.c | 211 +++++++
6 files changed, 1119 insertions(+), 84 deletions(-)
create mode 100644 docs-xml/manpages-3/smbta-util.8.xml
create mode 100644 source3/modules/vfs_smb_traffic_analyzer.h
create mode 100644 source3/utils/smbta-util.c
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages-3/smbta-util.8.xml b/docs-xml/manpages-3/smbta-util.8.xml
new file mode 100644
index 0000000..094fb9d
--- /dev/null
+++ b/docs-xml/manpages-3/smbta-util.8.xml
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="smbta-tool.8">
+
+<refmeta>
+ <refentrytitle>smbta-tool</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbta-tool</refname>
+ <refpurpose>control encryption in VFS smb_traffic_analyzer</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+
+ <cmdsynopsis>
+ <command>smbta-tool</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>smbta-tool</command>
+ <arg rep="repeat" choice="opt">
+ <replaceable>COMMANDS</replaceable>
+ </arg>
+ </cmdsynopsis>
+
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry> suite.</para>
+
+ <para><command>smbta-tool</command> is a tool to ease the
+ configuration of the vfs_smb_traffic_analyzer module regarding
+ data encryption.</para>
+ <para>The user can generate a key, install a key (activating
+ encryption), or uninstall a key (deactivating encryption).
+ Any operation that installs a key will create a File containing
+ the key. This file can be used by smbta-tool on other machines
+ to install the same key from the file.</para>
+
+
+</refsect1>
+
+
+<refsect1>
+ <title>COMMANDS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>-h</option></term>
+ <listitem><para>Show a short help text on the command line.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-f</option>
+ <replaceable>KEYFILE</replaceable></term>
+ <listitem><para>Open an existing keyfile, read the key from
+ the file, and install the key, activating encryption.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-g</option>
+ <replaceable>KEYFILE</replaceable></term>
+ <listitem><para>Generate a new random key, install the key,
+ activate encryption, and store the key into the file KEYFILE.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-u</option></term>
+ <listitem><para>Uninstall the key, deactivating encryption.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-s</option></term>
+ <listitem><para>Check if a key is installed.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-c</option>
+ <replaceable>KEYFILE</replaceable></term>
+ <listitem><para>Create a KEYFILE from an installed key.
+ </para></listitem>
+ </varlistentry>
+
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+ <para>This man page is correct for version 3.4 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+ <para> The original version of smbta-util was created by Holger Hetterich.
+ </para>
+ <para> The original Samba software and related utilities were
+ created by Andrew Tridgell. Samba is now developed by the
+ Samba Team as an Open Source project similar to the way the
+ Linux kernel is developed.</para>
+</refsect1>
+
+</refentry>
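Review bot: the new man page documents the tool under the wrong name: the refentry id (`<refentry id="smbta-tool.8">`), the refentrytitle, the refname and both cmdsynopsis commands all say `smbta-tool`, while the file is smbta-util.8.xml, the Makefile target in this series is bin/smbta-util and the AUTHOR paragraph itself says smbta-util; rename all of them to `smbta-util` so the page is installed and found under the binary's real name. The VERSION section says "version 3.4 of the Samba suite" while refmiscinfo class="version" says 3.6; make them agree. The -g entry ("Generate a new random key") should state the key size (the module hands a 128-bit key to samba_AES_set_encrypt_key in this series) and where the key is installed (secrets.tdb, per the module man page), since an administrator deciding whether to copy KEYFILE between hosts needs both. The first cmdsynopsis shows the command with no arguments, but no behaviour is documented for that case, and "create a File" in DESCRIPTION should be lowercase.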
diff --git a/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml
index 36b61a9..882ee6a 100644
--- a/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml
+++ b/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml
@@ -31,14 +31,27 @@
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para>The <command>vfs_smb_traffic_analyzer</command> VFS module logs
- client write and read operations on a Samba server and sends this data
- over a socket to a helper program, which feeds a SQL database. More
+ client file operations on a Samba server and sends this data
+ over a socket to a helper program (in the following the "Receiver"),
+ which feeds a SQL database. More
information on the helper programs can be obtained from the
homepage of the project at:
http://holger123.wordpress.com/smb-traffic-analyzer/
+ Since the VFS module depends on a receiver that is doing something with
+ the data, it is evolving in it's development. Therefore, the module
+ works with different protocol versions, and the receiver has to be able
+ to decode the protocol that is used. The protocol version 1 was
+ introduced to Samba at September 25, 2008. It was a very simple
+ protocol, supporting only a small list of VFS operations, and had
+ several drawbacks. The protocol version 2 is a try to solve the
+ problems version 1 had while at the same time adding new features.
</para>
- <para><command>vfs_smb_traffic_analyzer</command> currently is aware
- of the following VFS operations:</para>
+</refsect1>
+
+<refsect1>
+ <title>Protocol version 1 documentation</title>
+ <para><command>vfs_smb_traffic_analyzer</command> protocol version 1 is aware
+ of the following VFS operations:</para>
<simplelist>
<member>write</member>
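Review bot: in the added DESCRIPTION text, "it is evolving in it's development" should read "its", "introduced to Samba at September 25, 2008" should be "on September 25, 2008", and "is a try to solve the problems" reads better as "is an attempt to solve the problems". Since this paragraph introduces the term "Receiver" for the helper program, it is also the natural place to say that the receiver must be configured for the same protocol version as the module (and, for V2 with encryption, hold the same key), rather than leaving the reader to infer it from the Version 2 section.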
@@ -72,9 +85,86 @@
</refsect1>
+<refsect1>
+ <title>Drawbacks of protocol version 1</title>
+ <para>Several drawbacks have been seen with protocol version 1 over time.</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>Problematic parsing - </command>
+ Protocol version 1 uses hyphen and comma to seperate blocks of data. Once there is a
+ filename with a hyphen, you will run into problems because the receiver decodes the
+ data in a wrong way.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Insecure network transfer - </command>
+ Protocol version 1 sends all it's data as plaintext over the network.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>Limited set of supported VFS operations - </command>
+ Protocol version 1 supports only four VFS operations.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>No subreleases of the protocol - </command>
+ Protocol version 1 is fixed on it's version, making it unable to introduce new
+ features or bugfixes through compatible sub-releases.
+ </para>
+ </listitem>
+ </itemizedlist>
+</refsect1>
+<refsect1>
+ <title>Version 2 of the protocol</title>
+ <para>Protocol version 2 is an approach to solve the problems introduced with protcol v1.
+ From the users perspective, the following changes are most prominent among other enhancements:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The data from the module may be send encrypted, with a key stored in secrets.tdb. The
+ Receiver then has to use the same key. The module does AES block encryption over the
+ data to send.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The module now can identify itself against the receiver with a sub-release number, where
+ the receiver may run with a different sub-release number than the module. However, as
+ long as both run on the V2.x protocol, the receiver will not crash, even if the module
+ uses features only implemented in the newer subrelease. Ultimativly, if the module uses
+ a new feature from a newer subrelease, and the receiver runs an older protocol, it is just
+ ignoring the functionality. Of course it is best to have both the receiver and the module
+ running the same subrelease of the protocol.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the
+ data packages in a proper way.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The module now potientially has the ability to create data on every VFS function. As of
+ protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite,
+ rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the
+ upcoming sub-releases.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).
+ </para>
+
+</refsect1>
<refsect1>
- <title>OPTIONS</title>
+ <title>OPTIONS with protocol V1 and V2.x</title>
<variablelist>
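Review bot: the encryption bullet says "The module does AES block encryption over the data to send" without naming the mode or the key size; as implemented by smb_traffic_analyzer_encrypt in this same series, each 16-byte block is encrypted independently with one 128-bit key and no IV, and nothing authenticates the ciphertext, so the page should say that (equal plaintext blocks produce equal ciphertext, and a receiver cannot detect altered data) instead of presenting V2 as a plain fix for the "Insecure network transfer" drawback. "The receiver will not crash" is a promise about a separate program this page cannot make; "is expected to ignore features it does not know" is what the sub-release scheme actually provides. The supported-function list ("8 VFS functions, namely write,read,pread,pwrite, rename,chdir,mkdir and rmdir") is already out of date within this push, since a0e2632 adds open and close; update the list or tie it to a sub-release number. Spelling: "seperate" (separate), "it's data" and "it's version" (its), "protcol" (protocol), "Ultimativly" (Ultimately), "potientially" (potentially), "may be send" (sent), "users perspective" (user's).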
@@ -111,7 +201,8 @@
<term>smb_traffic_analyzer:anonymize_prefix = STRING</term>
<listitem>
<para>The module will replace the user names with a prefix
- given by STRING and a simple hash number.
+ given by STRING and a simple hash number. In version 2.x
+ of the protocol, the users SID will also be anonymized.
</para>
</listitem>
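Review bot: "the users SID" should be "the user's SID" (the same sentence is added to total_anonymization in the next hunk). Since both options now carry an identical V2 remark, a single sentence in the option list's introduction saying that V2 anonymization covers both the user name and the SID would avoid the duplication.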
@@ -125,7 +216,18 @@
smb_traffic_analyzer:anonymize_prefix, without generating
an additional hash number. This means that any transfer data
will be mapped to a single user, leading to a total
- anonymization of user related data.</para>
+ anonymization of user related data. In version 2.x of the
+ protocol, the users SID will also be anonymized.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>smb_traffic_analyzer:protocol_version = STRING</term>
+ <listitem>
+ <para>If STRING matches to V1 or is not given at all, the module
+ will use version 1 of the protocol. If STRING matches to "V2"
+ the module will use version 2 of the protocol.
+ </para>
</listitem>
</varlistentry>
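Review bot: the protocol_version entry quotes "V2" but not V1, and does not say what happens for any other value; the commit message for 2a643ef only covers "V1", "V2" and the unset case, so either document that any other value falls back to version 1 (if that is what the code does) or state that it is rejected, and use the same quoting for both values.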
@@ -134,6 +236,15 @@
<refsect1>
<title>EXAMPLES</title>
+ <para>Running protocol V2 on share "example_share", using an internet socket.</para>
+ <programlisting>
+ <smbconfsection name="[example_share]"/>
+ <smbconfoption name="path">/data/example</smbconfoption>
+ <smbconfoption name="vfs_objects">smb_traffic_analyzer</smbconfoption>
+ <smbconfoption name="smb_traffic_analyzer:protocol_version">V2</smbconfoption>
+ <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
+ <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
+ </programlisting>
<para>The module running on share "example_share", using a unix domain socket</para>
<programlisting>
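Review bot: the new example uses `<smbconfoption name="vfs_objects">`, but the smb.conf parameter is `vfs objects` (with a space), so the example as written would not load the module; fix the name. Because this example deliberately uses an internet socket to host examplehost port 3491, and the Drawbacks section above calls plaintext transfer a problem, the example should also say that the data is only encrypted once a key has been installed with smbta-util; with no key installed, V2 over TCP is as exposed on the wire as V1.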
@@ -183,5 +294,4 @@
<para>The original version of the VFS module and the
helper tools were created by Holger Hetterich.</para>
</refsect1>
-
</refentry>
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 9d42047..4c12157 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -209,15 +209,16 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \
SBIN_PROGS = bin/smbd at EXEEXT@ bin/nmbd at EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
BIN_PROGS1 = bin/smbclient at EXEEXT@ bin/net at EXEEXT@ bin/smbspool at EXEEXT@ \
- bin/testparm at EXEEXT@ bin/smbstatus at EXEEXT@ bin/smbget at EXEEXT@
+ bin/testparm at EXEEXT@ bin/smbstatus at EXEEXT@ bin/smbget at EXEEXT@ \
+ bin/smbta-util at EXEEXT@
BIN_PROGS2 = bin/smbcontrol at EXEEXT@ bin/smbtree at EXEEXT@ $(TDBBACKUP) \
bin/nmblookup at EXEEXT@ bin/pdbedit at EXEEXT@ $(TDBDUMP) \
$(TDBTOOL)
BIN_PROGS3 = bin/smbpasswd at EXEEXT@ bin/rpcclient at EXEEXT@ bin/smbcacls at EXEEXT@ \
bin/profiles at EXEEXT@ bin/ntlm_auth at EXEEXT@ bin/sharesec at EXEEXT@ \
- bin/smbcquotas at EXEEXT@ bin/eventlogadm at EXEEXT@
+ bin/smbcquotas at EXEEXT@ bin/eventlogadm at EXEEXT@
BIN_PROGS4 = bin/ldbedit at EXEEXT@ bin/ldbsearch at EXEEXT@ bin/ldbadd at EXEEXT@ \
- bin/ldbdel at EXEEXT@ bin/ldbmodify at EXEEXT@ bin/ldbrename at EXEEXT@
+ bin/ldbdel at EXEEXT@ bin/ldbmodify at EXEEXT@ bin/ldbrename at EXEEXT@
TORTURE_PROGS = bin/smbtorture at EXEEXT@ bin/msgtest at EXEEXT@ \
bin/masktest at EXEEXT@ bin/locktest at EXEEXT@ \
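Review bot: the edits to the BIN_PROGS3 and BIN_PROGS4 continuation lines (bin/smbcquotas ... bin/eventlogadm and bin/ldbdel ... bin/ldbrename) appear to be whitespace-only, since the removed and added lines carry the same content; that churn is unrelated to smbta-util and should be dropped from this hunk or moved to a separate cleanup commit. The actual change, appending bin/smbta-util at EXEEXT@ to BIN_PROGS1, is fine.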
@@ -882,6 +883,10 @@ TESTPARM_OBJ = utils/testparm.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
$(LIBSMB_ERR_OBJ)
+SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
+ $(LOCKING_OBJ) $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+
TEST_LP_LOAD_OBJ = param/test_lp_load.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
$(POPT_LIB_OBJ) $(LIBSAMBA_OBJ)
@@ -1619,6 +1624,11 @@ bin/testparm at EXEEXT@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@ $(LIBTALLOC
@$(CC) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
$(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS)
+bin/smbta-util at EXEEXT@: $(BINARY_PREREQS) $(SMBTA_UTIL_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB)
+ @echo Linking $@
+ @$(CC) -o $@ $(SMBTA_UTIL_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
+ $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS)
+
bin/smbstatus at EXEEXT@: $(BINARY_PREREQS) $(STATUS_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB)
@echo Linking $@
@$(CC) -o $@ $(STATUS_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
@@ -1854,7 +1864,6 @@ $(LIBTALLOC_SHARED_TARGET): $(LIBTALLOC_SHARED_TARGET_SONAME)
$(LIBTALLOC_STATIC_TARGET): $(BINARY_PREREQS) $(LIBTALLOC_OBJ0)
@echo Linking non-shared library $@
@-$(AR) -rc $@ $(LIBTALLOC_OBJ0)
-
libtalloc: $(LIBTALLOC)
cleanlibtalloc::
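Review bot: removing the blank line after the $(LIBTALLOC_STATIC_TARGET) rule is unrelated to smbta-util or the traffic analyzer and only adds noise to this commit; leave it out.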
diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c
index 1eb02a2..f454c45 100644
--- a/source3/modules/vfs_smb_traffic_analyzer.c
+++ b/source3/modules/vfs_smb_traffic_analyzer.c
@@ -20,9 +20,10 @@
*/
#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "vfs_smb_traffic_analyzer.h"
/* abstraction for the send_over_network function */
-
enum sock_type {INTERNET_SOCKET = 0, UNIX_DOMAIN_SOCKET};
#define LOCAL_PATHNAME "/var/tmp/stadsocket"
@@ -44,7 +45,6 @@ static enum sock_type smb_traffic_analyzer_connMode(vfs_handle_struct *handle)
/* Connect to an internet socket */
-
static int smb_traffic_analyzer_connect_inet_socket(vfs_handle_struct *handle,
const char *name, uint16_t port)
{
@@ -108,7 +108,6 @@ static int smb_traffic_analyzer_connect_inet_socket(vfs_handle_struct *handle,
}
/* Connect to a unix domain socket */
-
static int smb_traffic_analyzer_connect_unix_socket(vfs_handle_struct *handle,
const char *name)
{
@@ -141,7 +140,6 @@ static int smb_traffic_analyzer_connect_unix_socket(vfs_handle_struct *handle,
}
/* Private data allowing shared connection sockets. */
-
struct refcounted_sock {
struct refcounted_sock *next, *prev;
char *name;
@@ -150,12 +148,241 @@ struct refcounted_sock {
unsigned int ref_count;
};
-/* Send data over a socket */
+
+/**
+ * Encryption of a data block with AES
+ * TALLOC_CTX *ctx Talloc context to work on
+ * const char *akey 128bit key for the encryption
+ * const char *str Data buffer to encrypt, \0 terminated
+ * int *len Will be set to the length of the
+ * resulting data block
+ * The caller has to take care for the memory
+ * allocated on the context.
+ */
+static char *smb_traffic_analyzer_encrypt( TALLOC_CTX *ctx,
+ const char *akey, const char *str, size_t *len)
+{
+ int s1,s2,h,d;
+ AES_KEY key;
+ char filler[17]= "................";
+ char *output;
+ char crypted[18];
+ if (akey == NULL) return NULL;
+ samba_AES_set_encrypt_key(akey, 128, &key);
+ s1 = strlen(str) / 16;
+ s2 = strlen(str) % 16;
+ for (h = 0; h < s2; h++) *(filler+h)=*(str+(s1*16)+h);
+ DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created %s"
+ " as filling block.\n", filler));
+ output = talloc_array(ctx, char, (s1*16)+17 );
+ d=0;
+ for (h = 0; h < s1; h++) {
+ samba_AES_encrypt(str+(16*h), crypted, &key);
+ for (d = 0; d<16; d++) output[d+(16*h)]=crypted[d];
+ }
+ samba_AES_encrypt( str+(16*h), filler, &key );
+ for (d = 0;d < 16; d++) output[d+(16*h)]=*(filler+d);
+ *len = (s1*16)+16;
+ return output;
+}
+
+/**
+ * Create a v2 header.
+ * TALLLOC_CTX *ctx Talloc context to work on
+ * const char *state_flags State flag string
+ * int len length of the data block
+ */
+static char *smb_traffic_analyzer_create_header( TALLOC_CTX *ctx,
+ const char *state_flags, size_t data_len)
+{
+ char *header = talloc_asprintf( ctx, "V2.%s%017u",
+ state_flags, data_len);
+ DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created Header:\n"));
+ dump_data(10, header, strlen(header));
+ return header;
+}
+
+
+/**
+ * Actually send header and data over the network
+ * char *header Header data
+ * char *data Data Block
+ * int dlength Length of data block
+ * int socket
+ */
+static void smb_traffic_analyzer_write_data( char *header, char *data,
+ int dlength, int socket)
+{
+ int len = strlen(header);
+ if (write_data( socket, header, len) != len) {
+ DEBUG(1, ("smb_traffic_analyzer_send_data_socket: "
+ "error sending the header"
+ " over the socket!\n"));
+ }
+ DEBUG(10,("smb_traffic_analyzer_write_data: sending data:\n"));
+ dump_data( 10, data, dlength);
+
+ if (write_data( socket, data, dlength) != dlength) {
+ DEBUG(1, ("smb_traffic_analyzer_write_data: "
+ "error sending crypted data to socket!\n"));
+ }
+}
+
+
+/*
+ * Anonymize a string if required.
+ * TALLOC_CTX *ctx The talloc context to work on
+ * const char *str The string to anonymize
+ * vfs_handle_struct *handle The handle struct to work on
+ *
+ * Returns a newly allocated string, either the anonymized one,
+ * or a copy of const char *str. The caller has to take care for
+ * freeing the allocated memory.
+ */
+static char *smb_traffic_analyzer_anonymize( TALLOC_CTX *ctx,
+ const char *str,
+ vfs_handle_struct *handle )
+{
+ const char *total_anonymization;
+ const char *anon_prefix;
+ char *output;
+ total_anonymization=lp_parm_const_string(SNUM(handle->conn),
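Review bot: in smb_traffic_analyzer_encrypt the last block is encrypted from the wrong buffer: `samba_AES_encrypt( str+(16*h), filler, &key );` passes str+(16*h) as the plaintext and filler as the output, so the s2 tail bytes just copied into filler are overwritten instead of being used, the '.' padding is never encrypted, and AES reads 16 bytes from str+(16*h) of which only s2 belong to the string, running 15-s2 bytes past the terminating NUL (15 bytes past it when the length is a multiple of 16). Encrypt filler into the output instead, e.g. `samba_AES_encrypt(filler, output + (16*h), &key);`, matching what the loop does for the full blocks. Also in that function: the talloc_array result is written without a NULL check; `d=0;` before the loop is dead; `crypted[18]` only needs 16 bytes; and the DEBUG texts here and in smb_traffic_analyzer_create_header still name smb_traffic_analyzer_send_data_socket rather than the function they are in. In smb_traffic_analyzer_create_header, `"V2.%s%017u"` is given a size_t (`data_len`); use `%017zu` or cast to unsigned, and check the talloc_asprintf result before calling strlen on it. In smb_traffic_analyzer_write_data a failed header write is only logged and the data block is still sent, which desynchronises the receiver's length-prefixed framing for the rest of the connection; return an error and skip the data write, and rename the `socket` parameter, which shadows socket(2). Finally, every 16-byte block is encrypted independently with the same key and no IV, i.e. ECB, and nothing authenticates what is sent, so equal plaintext blocks (common for the fixed-format common-data fields) produce equal ciphertext and a receiver cannot detect modified or replayed data; if the goal is confidentiality and integrity on the wire, use a chained mode with a fresh IV plus a MAC over header and data, or an authenticated mode, and document whichever is chosen in the man page.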
--
Samba Shared Repository