The branch, master has been updated
       via  a0e2632... s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close
       via  f6ae16e... smb_traffic_analyzer.c: optimize marshalling function and document
       via  002193d... vfs_smb_traffic_analyzer.c: added function static char *smb_traffic_analyzer_anonymize
       via  c1fb55c... Simplify the code a bit by creating the functions: smb_traffic_analyzer_encrypt - doing the encryption of a data block, smb_traffic_analyzer_create_header - create the protocol header, smb_traffic_analyzer_write_data - actually write the data to the socket.
       via  56dfc09... Update the manpage of vfs_smb_traffic_analyzer and add smbta-util.
       via  69d7d6c... Add the number of common data blocks to the protocol.
       via  4940da2... Put all the protocol stuff into a separate header file.
       via  5b7179d... Add smbta-util to manage the encryption key.
       via  6437df7... Implement AES encryption of the data block.
       via  3f5f2d8... Implement anonymization for protocol v2.
       via  b745730... Make all remarks compatible to the linux kernel coding styleguide.
       via  81c6b87... Added an exact description of the V2 protocol. I don't think it should have its place in the man page, because this is developer information.
       via  a45db59... Move the creation of the header.
       via  9702dcf... Fetch the SID of the user we are running as and send with the common data.
       via  654cff4... Additionally send the vfs function id with the protocol.
       via  27f4f51... According to the linux kernel coding styleguide, it's better to align the switch and its case statements in the same column. This saves us one indentation level.
       via  cdd1906... Don't use typedefs on the VFS function data structures as typedefs are evil according to the linux kernel coding styleguide.
       via  8cb5bac... Add read,pread,write,pwrite support to the V2 protocol.
       via  541fb43... Enable AES encryption of the data if a key was found in secrets.tdb.
       via  7bff1ea... Add rmdir, chdir, and rename as supported VFS functions
       via  e959bdc... The format of data we are sending over the network will be flexible when sending over the network in protocol v2. To be able to do this, we create a new va-list function that is creating the buffer to send. Also it makes it easier for the receiver to parse the data; it sends an initial header containing the full length of the buffer to be sent. For the individual strings, it sends sub headers containing the length of the upcoming substring to be sent. With the header-data-header-data [..] structure we don't need to quote the sub strings, finally enabling having all possible character sets in filenames etc.
       via  dcff7d3... Create structs carrying the data of individual VFS functions, and hand those over to the send function, which then casts the void pointer to the struct required by looking at the id. This allows us to return different result data depending on the VFS function that is running. Make the protocol v1 sender compatible to this. Adapt the existing VFS functions to use the new data structures. Make use of the new functionality and extend the mkdir VFS logger function to return the creation mode additionally.
       via  2a643ef... Introduce smb_traffic_analyzer protocol v2.
      from  8353aa3... s4:idl change level to type in lsa_ForestTrustRecord.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a0e2632e119c2e3e086cd485d448b44836c1499b
Author: Holger Hetterich <hhet...@novell.com>
Date:   Mon Feb 15 17:47:30 2010 +0100

    s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close

commit f6ae16e318145224cc38180628e542bb3fc6bb8c
Author: Holger Hetterich <hhet...@novell.com>
Date:   Sun Feb 7 20:39:58 2010 +0100

    smb_traffic_analyzer.c: optimize marshalling function and document

    Collect all data that is needed, and use only one talloc_asprintf
    operation to create the string of common data. This simplifies the
    code a bit and is most probably faster than the old method.
    Also, #define SMBTA_COMMON_DATA_COUNT as a complete string, speeding
    things up because we know the value at compile time.

commit 002193d34bc9ff385a866af2d39ed713a5bef1bf
Author: Holger Hetterich <hhet...@novell.com>
Date:   Sat Feb 6 11:36:14 2010 +0100

    vfs_smb_traffic_analyzer.c: added function static char *smb_traffic_analyzer_anonymize

    This takes a lot of code out of the main functions, and makes it a bit
    simpler. Do the anonymization in a function. Since we already
    anonymized the username we don't need to do this a second time in the
    v2 marshalling function.

commit c1fb55caa5bfc079bda6a6ef98ee591800789778
Author: Holger Hetterich <hhet...@novell.com>
Date:   Thu Feb 4 22:03:53 2010 +0100

    Simplify the code a bit by creating the functions:
    smb_traffic_analyzer_encrypt - doing the encryption of a data block,
    smb_traffic_analyzer_create_header - create the protocol header,
    smb_traffic_analyzer_write_data - actually write the data to the socket.

commit 56dfc0915c7a461fc53d32e9cbe29460a75c9b26
Author: Holger Hetterich <hhet...@novell.com>
Date:   Sat Jan 30 17:43:50 2010 +0100

    Update the manpage of vfs_smb_traffic_analyzer and add smbta-util.

commit 69d7d6c01a01cc81f7e28593701d3425adfce8ec
Author: Holger Hetterich <hhet...@novell.com>
Date:   Tue Feb 2 20:04:40 2010 +0100

    Add the number of common data blocks to the protocol.

    Always send the number of common data blocks first. This way, we can
    make the protocol backwards compatible. A receiver running with an
    older subprotocol can just ignore if a newer sender sends more common
    data. Add a few remarks to the marshalling function. Add two #define
    lines defining the protocol subrelease number and the number of common
    data blocks to the header file.

commit 4940da2e99647b2d6ae3b4abf78c9904e4390074
Author: Holger Hetterich <hhet...@novell.com>
Date:   Tue Feb 2 19:36:23 2010 +0100

    Put all the protocol stuff into a separate header file.

    All the structures and the vfs function identifier list are required
    by the receiver. It's therefore very handy to have this in an extra
    header file.

commit 5b7179d2a3708246c44c5c5126368588f9da74a0
Author: Holger Hetterich <hhet...@novell.com>
Date:   Tue Feb 2 00:14:28 2010 +0100

    Add smbta-util to manage the encryption key.

    This program allows the administrator to enable or disable AES
    encryption when using vfs_smb_traffic_analyzer. It also generates new
    keys, stores them to a file, so that the file can be reused on another
    client or server.

commit 6437df7d2ceedeb26be82e050b300ad55839a721
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Jan 29 21:34:27 2010 +0100

    Implement AES encryption of the data block.

    First try. This runs on 16 bytes long AES block size, and enlarges the
    data block with 16 bytes, to make sure all bytes are in. The added
    bytes are filled with '.'. It then creates a header featuring the new
    length to be sent, and finally sends the data block, then returns.
    This code is untested, as creating the receiver will be my next step.
    To simplify traffic_analyzer's code, this code should run as a
    function. It's on the to-do list.

commit 3f5f2d82bd2447ea6a3f7dc626ff9a11f7101055
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Jan 29 14:57:20 2010 +0100

    Implement anonymization for protocol v2.

    Since we need to care for the SID too, do the anonymization in the
    marshalling function and anonymize both the username and the SID.
    Remove the 'A' status flag from the header definition. A listener
    could see from the unencrypted header if the module is anonymizing or
    not, which is certainly not wanted.

commit b7457301616d27078338fc476273b99d0e78330b
Author: Holger Hetterich <hhet...@novell.com>
Date:   Sat Jan 23 22:45:28 2010 +0100

    Make all remarks compatible to the linux kernel coding styleguide.

commit 81c6b878b1cb665d7dd4b365af82a8c15b099d38
Author: Holger Hetterich <hhet...@novell.com>
Date:   Sat Jan 23 22:03:22 2010 +0100

    Added an exact description of the V2 protocol. I don't think it should
    have its place in the man page, because this is developer information.

commit a45db5948050b7a94181e0579fb9fc9f651aed74
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Jan 22 21:17:53 2010 +0100

    Move the creation of the header.

    Since the header block of the protocol contains the number of bytes to
    come, we always send the header itself unmodified. If we compress or
    crypt the data we are about to send, the length of the data to send
    may change. Therefore, we no longer create the header in
    smb_traffic_analyzer_create_string, but shortly before we send the
    data. For both cases, encryption and normal, we create our own header,
    and send it before the actual data. In case of protocol v1, we don't
    need to create an extra header. Just send the data, and return from
    the function. Change a debug message to say that the header for
    crypted data has been created. Add status flags consisting of 6 bytes
    to the header. Their function will be described in one of the next
    patches, which is describing the header in a longer comment. When
    anonymization and/or encryption is used, set the flags accordingly.

commit 9702dcfa918f18c038eef0251b6330d6cf9a7162
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Jan 22 14:55:33 2010 +0100

    Fetch the SID of the user we are running as and send with the common data.

commit 654cff4cc356ca9c403a57af19f319ec26da54ce
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Jan 22 13:04:21 2010 +0100

    Additionally send the vfs function id with the protocol.

commit 27f4f51d56e8b8d00729ca1eb0c6b1e1762274ce
Author: Holger Hetterich <hhet...@novell.com>
Date:   Thu Jan 21 23:26:54 2010 +0100

    According to the linux kernel coding styleguide, it's better to align
    the switch and its case statements in the same column. This saves us
    one indentation level.

commit cdd19067284081af01f38a4ed78a9667990677cd
Author: Holger Hetterich <hhet...@novell.com>
Date:   Thu Jan 21 23:16:58 2010 +0100

    Don't use typedefs on the VFS function data structures as typedefs are
    evil according to the linux kernel coding styleguide.

commit 8cb5bac9ee96321c982038cb5dc951f6c2856d8c
Author: Holger Hetterich <hhet...@novell.com>
Date:   Thu Jan 21 22:31:09 2010 +0100

    Add read,pread,write,pwrite support to the V2 protocol.

commit 541fb436cc3d69c154dcd90d2e6b22c273baa501
Author: Holger Hetterich <hhet...@novell.com>
Date:   Mon Dec 14 20:43:15 2009 +0100

    Enable AES encryption of the data if a key was found in secrets.tdb.

commit 7bff1eabe5af297f115dbe7e815a006bfd78b19e
Author: Holger Hetterich <hhet...@novell.com>
Date:   Fri Dec 11 21:04:46 2009 +0100

    Add rmdir, chdir, and rename as supported VFS functions

commit e959bdcca4c6c879520f7f2734550c472f99836a
Author: Holger Hetterich <hhet...@novell.com>
Date:   Tue Sep 22 20:01:35 2009 +0200

    The format of data we are sending over the network will be flexible
    when sending over the network in protocol v2. To be able to do this,
    we create a new va-list function that is creating the buffer to send.
    Also it makes it easier for the receiver to parse the data; it sends
    an initial header containing the full length of the buffer to be sent.
    For the individual strings, it sends sub headers containing the length
    of the upcoming substring to be sent. With the header-data-header-data
    [..] structure we don't need to quote the sub strings, finally enabling
    having all possible character sets in filenames etc.
    In the sending function, implement mkdir to actually send its data for
    testing.

commit dcff7d367248ec7ecf59c4f423a81b8816799ec5
Author: Holger Hetterich <hhet...@novell.com>
Date:   Mon Sep 21 15:33:21 2009 +0200

    Create structs carrying the data of individual VFS functions, and hand
    those over to the send function, which then casts the void pointer to
    the struct required by looking at the id. This allows us to return
    different result data depending on the VFS function that is running.
    Make the protocol v1 sender compatible to this. Adapt the existing VFS
    functions to use the new data structures. Make use of the new
    functionality and extend the mkdir VFS logger function to return the
    creation mode additionally.

commit 2a643ef10c3ed64dc60a7899a581a7b83004ce0e
Author: Holger Hetterich <hhet...@novell.com>
Date:   Thu Sep 17 20:11:39 2009 +0200

    Introduce smb_traffic_analyzer protocol v2.

    From Holger:

    Make smb_traffic_analyzer differ the protocol versions to enable the
    development of version 2 of the protocol. To do this, a new parameter
    "protocol_version" has been introduced, which can be set to "V1",
    "V2", or nothing. If protocol_version is not set, V1 will be chosen
    automatically.

    Created an enum for identifying VFS functions in the upcoming protocol
    v2. Converted the existing VFS functions to use the identifier, and
    set the read/write bool used in protocol v1 accordingly, also ignore
    any other VFS functions except read/write/pread/pwrite in v1.

    Added a first new VFS function for mkdir, which I use for testing and
    implementing both the sender and receiver for v2.
----------------------------------------------------------------------- Summary of changes: docs-xml/manpages-3/smbta-util.8.xml | 119 ++++ docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml | 126 ++++- source3/Makefile.in | 17 +- source3/modules/vfs_smb_traffic_analyzer.c | 573 +++++++++++++++++--- source3/modules/vfs_smb_traffic_analyzer.h | 157 ++++++ source3/utils/smbta-util.c | 211 +++++++ 6 files changed, 1119 insertions(+), 84 deletions(-) create mode 100644 docs-xml/manpages-3/smbta-util.8.xml create mode 100644 source3/modules/vfs_smb_traffic_analyzer.h create mode 100644 source3/utils/smbta-util.c Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/smbta-util.8.xml b/docs-xml/manpages-3/smbta-util.8.xml new file mode 100644 index 0000000..094fb9d --- /dev/null +++ b/docs-xml/manpages-3/smbta-util.8.xml 
@@ -0,0 +1,119 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> +<refentry id="smbta-tool.8"> + +<refmeta> + <refentrytitle>smbta-tool</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">System Administration tools</refmiscinfo> + <refmiscinfo class="version">3.6</refmiscinfo> +</refmeta> + + +<refnamediv> + <refname>smbta-tool</refname> + <refpurpose>control encryption in VFS smb_traffic_analyzer</refpurpose> +</refnamediv> + +<refsynopsisdiv> + + <cmdsynopsis> + <command>smbta-tool</command> + </cmdsynopsis> + + <cmdsynopsis> + <command>smbta-tool</command> + <arg rep="repeat" choice="opt"> + <replaceable>COMMANDS</replaceable> + </arg> + </cmdsynopsis> + +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the + <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> suite.</para> + + <para><command>smbta-tool</command> is a tool to ease the + configuration of the vfs_smb_traffic_analyzer module regarding + data encryption.</para> + <para>The user can generate a key, install a key (activating + encryption), or uninstall a key (deactivating encryption). + Any operation that installs a key will create a File containing + the key. This file can be used by smbta-tool on other machines + to install the same key from the file.</para> + + +</refsect1> + + +<refsect1> + <title>COMMANDS</title> + + <variablelist> + + <varlistentry> + <term><option>-h</option></term> + <listitem><para>Show a short help text on the command line. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-f</option> + <replaceable>KEYFILE</replaceable></term> + <listitem><para>Open an existing keyfile, read the key from + the file, and install the key, activating encryption. 
+ </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-g</option> + <replaceable>KEYFILE</replaceable></term> + <listitem><para>Generate a new random key, install the key, + activate encryption, and store the key into the file KEYFILE. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-u</option></term> + <listitem><para>Uninstall the key, deactivating encryption. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-s</option></term> + <listitem><para>Check if a key is installed. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-c</option> + <replaceable>KEYFILE</replaceable></term> + <listitem><para>Create a KEYFILE from an installed key. + </para></listitem> + </varlistentry> + + + </variablelist> +</refsect1> + +<refsect1> + <title>VERSION</title> + <para>This man page is correct for version 3.4 of the Samba suite.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + <para> The original version of smbta-util was created by Holger Hetterich. + </para> + <para> The original Samba software and related utilities were + created by Andrew Tridgell. Samba is now developed by the + Samba Team as an Open Source project similar to the way the + Linux kernel is developed.</para> +</refsect1> + +</refentry> diff --git a/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml index 36b61a9..882ee6a 100644 --- a/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml +++ b/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml 
@@ -31,14 +31,27 @@ <manvolnum>7</manvolnum></citerefentry> suite.</para> <para>The <command>vfs_smb_traffic_analyzer</command> VFS module logs - client write and read operations on a Samba server and sends this data - over a socket to a helper program, which feeds a SQL database. More + client file operations on a Samba server and sends this data + over a socket to a helper program (in the following the "Receiver"), + which feeds a SQL database. More information on the helper programs can be obtained from the homepage of the project at: http://holger123.wordpress.com/smb-traffic-analyzer/ + Since the VFS module depends on a receiver that is doing something with + the data, it is evolving in it's development. Therefore, the module + works with different protocol versions, and the receiver has to be able + to decode the protocol that is used. The protocol version 1 was + introduced to Samba at September 25, 2008. It was a very simple + protocol, supporting only a small list of VFS operations, and had + several drawbacks. The protocol version 2 is a try to solve the + problems version 1 had while at the same time adding new features. </para> - <para><command>vfs_smb_traffic_analyzer</command> currently is aware - of the following VFS operations:</para> +</refsect1> + +<refsect1> + <title>Protocol version 1 documentation</title> + <para><command>vfs_smb_traffic_analyzer</command> protocol version 1 is aware + of the following VFS operations:</para> <simplelist> <member>write</member> 
@@ -72,9 +85,86 @@ </refsect1> +<refsect1> + <title>Drawbacks of protocol version 1</title> + <para>Several drawbacks have been seen with protocol version 1 over time.</para> + <itemizedlist> + <listitem> + <para> + <command>Problematic parsing - </command> + Protocol version 1 uses hyphen and comma to seperate blocks of data. Once there is a + filename with a hyphen, you will run into problems because the receiver decodes the + data in a wrong way. + </para> + </listitem> + <listitem> + <para> + <command>Insecure network transfer - </command> + Protocol version 1 sends all it's data as plaintext over the network. + </para> + </listitem> + <listitem> + <para> + <command>Limited set of supported VFS operations - </command> + Protocol version 1 supports only four VFS operations. + </para> + </listitem> + <listitem> + <para> + <command>No subreleases of the protocol - </command> + Protocol version 1 is fixed on it's version, making it unable to introduce new + features or bugfixes through compatible sub-releases. + </para> + </listitem> + </itemizedlist> +</refsect1> +<refsect1> + <title>Version 2 of the protocol</title> + <para>Protocol version 2 is an approach to solve the problems introduced with protcol v1. + From the users perspective, the following changes are most prominent among other enhancements: + </para> + <itemizedlist> + <listitem> + <para> + The data from the module may be send encrypted, with a key stored in secrets.tdb. The + Receiver then has to use the same key. The module does AES block encryption over the + data to send. + </para> + </listitem> + <listitem> + <para> + The module now can identify itself against the receiver with a sub-release number, where + the receiver may run with a different sub-release number than the module. However, as + long as both run on the V2.x protocol, the receiver will not crash, even if the module + uses features only implemented in the newer subrelease. 
Ultimativly, if the module uses + a new feature from a newer subrelease, and the receiver runs an older protocol, it is just + ignoring the functionality. Of course it is best to have both the receiver and the module + running the same subrelease of the protocol. + </para> + </listitem> + <listitem> + <para> + The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the + data packages in a proper way. + </para> + </listitem> + <listitem> + <para> + The module now potientially has the ability to create data on every VFS function. As of + protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite, + rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the + upcoming sub-releases. + </para> + </listitem> + </itemizedlist> + <para> + To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS). + </para> + +</refsect1> <refsect1> - <title>OPTIONS</title> + <title>OPTIONS with protocol V1 and V2.x</title> <variablelist> @@ -111,7 +201,8 @@ <term>smb_traffic_analyzer:anonymize_prefix = STRING</term> <listitem> <para>The module will replace the user names with a prefix - given by STRING and a simple hash number. + given by STRING and a simple hash number. In version 2.x + of the protocol, the users SID will also be anonymized. </para> </listitem> 
@@ -125,7 +216,18 @@ smb_traffic_analyzer:anonymize_prefix, without generating an additional hash number. This means that any transfer data will be mapped to a single user, leading to a total - anonymization of user related data.</para> + anonymization of user related data. In version 2.x of the + protocol, the users SID will also be anonymized.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>smb_traffic_analyzer:protocol_version = STRING</term> + <listitem> + <para>If STRING matches to V1 or is not given at all, the module + will use version 1 of the protocol. If STRING matches to "V2" + the module will use version 2 of the protocol. + </para> </listitem> </varlistentry> @@ -134,6 +236,15 @@ <refsect1> <title>EXAMPLES</title> + <para>Running protocol V2 on share "example_share", using an internet socket.</para> + <programlisting> + <smbconfsection name="[example_share]"/> + <smbconfoption name="path">/data/example</smbconfoption> + <smbconfoption name="vfs_objects">smb_traffic_analyzer</smbconfoption> + <smbconfoption name="smb_traffic_analyzer:protocol_version">V2</smbconfoption> + <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption> + <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption> + </programlisting> <para>The module running on share "example_share", using a unix domain socket</para> <programlisting> @@ -183,5 +294,4 @@ <para>The original version of the VFS module and the helper tools were created by Holger Hetterich.</para> </refsect1> - </refentry> diff --git a/source3/Makefile.in b/source3/Makefile.in index 9d42047..4c12157 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in 
@@ -209,15 +209,16 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \ SBIN_PROGS = bin/s...@exeext@ bin/n...@exeext@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ BIN_PROGS1 = bin/smbcli...@exeext@ bin/n...@exeext@ bin/smbsp...@exeext@ \ - bin/testp...@exeext@ bin/smbsta...@exeext@ bin/smb...@exeext@ + bin/testp...@exeext@ bin/smbsta...@exeext@ bin/smb...@exeext@ \ + bin/smbta-u...@exeext@ BIN_PROGS2 = bin/smbcont...@exeext@ bin/smbt...@exeext@ $(TDBBACKUP) \ bin/nmbloo...@exeext@ bin/pdbe...@exeext@ $(TDBDUMP) \ $(TDBTOOL) BIN_PROGS3 = bin/smbpas...@exeext@ bin/rpccli...@exeext@ bin/smbca...@exeext@ \ bin/profi...@exeext@ bin/ntlm_a...@exeext@ bin/share...@exeext@ \ - bin/smbcquo...@exeext@ bin/eventlog...@exeext@ + bin/smbcquo...@exeext@ bin/eventlog...@exeext@ BIN_PROGS4 = bin/ldbe...@exeext@ bin/ldbsea...@exeext@ bin/ldb...@exeext@ \ - bin/ldb...@exeext@ bin/ldbmod...@exeext@ bin/ldbren...@exeext@ + bin/ldb...@exeext@ bin/ldbmod...@exeext@ bin/ldbren...@exeext@ TORTURE_PROGS = bin/smbtort...@exeext@ bin/msgt...@exeext@ \ bin/maskt...@exeext@ bin/lockt...@exeext@ \ @@ -882,6 +883,10 @@ TESTPARM_OBJ = utils/testparm.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \ $(LIBSMB_ERR_OBJ) +SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \ + $(LOCKING_OBJ) $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) \ + $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ) + TEST_LP_LOAD_OBJ = param/test_lp_load.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ $(POPT_LIB_OBJ) $(LIBSAMBA_OBJ) 
@@ -1619,6 +1624,11 @@ bin/testp...@exeext@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@ $(LIBTALLOC @$(CC) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) +bin/smbta-u...@exeext@: $(BINARY_PREREQS) $(SMBTA_UTIL_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) + @echo Linking $@ + @$(CC) -o $@ $(SMBTA_UTIL_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ + $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) + bin/smbsta...@exeext@: $(BINARY_PREREQS) $(STATUS_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) @echo Linking $@ @$(CC) -o $@ $(STATUS_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ @@ -1854,7 +1864,6 @@ $(LIBTALLOC_SHARED_TARGET): $(LIBTALLOC_SHARED_TARGET_SONAME) $(LIBTALLOC_STATIC_TARGET): $(BINARY_PREREQS) $(LIBTALLOC_OBJ0) @echo Linking non-shared library $@ @-$(AR) -rc $@ $(LIBTALLOC_OBJ0) - libtalloc: $(LIBTALLOC) cleanlibtalloc:: diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c index 1eb02a2..f454c45 100644 --- a/source3/modules/vfs_smb_traffic_analyzer.c +++ b/source3/modules/vfs_smb_traffic_analyzer.c @@ -20,9 +20,10 @@ */ #include "includes.h" +#include "../lib/crypto/crypto.h" +#include "vfs_smb_traffic_analyzer.h" /* abstraction for the send_over_network function */ - enum sock_type {INTERNET_SOCKET = 0, UNIX_DOMAIN_SOCKET}; #define LOCAL_PATHNAME "/var/tmp/stadsocket" @@ -44,7 +45,6 @@ static enum sock_type smb_traffic_analyzer_connMode(vfs_handle_struct *handle) /* Connect to an internet socket */ - static int smb_traffic_analyzer_connect_inet_socket(vfs_handle_struct *handle, const char *name, uint16_t port) { @@ -108,7 +108,6 @@ static int smb_traffic_analyzer_connect_inet_socket(vfs_handle_struct *handle, } /* Connect to a unix domain socket */ - static int smb_traffic_analyzer_connect_unix_socket(vfs_handle_struct *handle, const char *name) { 
@@ -141,7 +140,6 @@ static int smb_traffic_analyzer_connect_unix_socket(vfs_handle_struct *handle, } /* Private data allowing shared connection sockets. */ - struct refcounted_sock { struct refcounted_sock *next, *prev; char *name; 
@@ -150,12 +148,241 @@ struct refcounted_sock { unsigned int ref_count; }; -/* Send data over a socket */ + +/** + * Encryption of a data block with AES + * TALLOC_CTX *ctx Talloc context to work on + * const char *akey 128bit key for the encryption + * const char *str Data buffer to encrypt, \0 terminated + * int *len Will be set to the length of the + * resulting data block + * The caller has to take care for the memory + * allocated on the context. + */ +static char *smb_traffic_analyzer_encrypt( TALLOC_CTX *ctx, + const char *akey, const char *str, size_t *len) +{ + int s1,s2,h,d; + AES_KEY key; + char filler[17]= "................"; + char *output; + char crypted[18]; + if (akey == NULL) return NULL; + samba_AES_set_encrypt_key(akey, 128, &key); + s1 = strlen(str) / 16; + s2 = strlen(str) % 16; + for (h = 0; h < s2; h++) *(filler+h)=*(str+(s1*16)+h); + DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created %s" + " as filling block.\n", filler)); + output = talloc_array(ctx, char, (s1*16)+17 ); + d=0; + for (h = 0; h < s1; h++) { + samba_AES_encrypt(str+(16*h), crypted, &key); + for (d = 0; d<16; d++) output[d+(16*h)]=crypted[d]; + } + samba_AES_encrypt( str+(16*h), filler, &key ); + for (d = 0;d < 16; d++) output[d+(16*h)]=*(filler+d); + *len = (s1*16)+16; + return output; +} + +/** + * Create a v2 header. 
+ * TALLLOC_CTX *ctx Talloc context to work on + * const char *state_flags State flag string + * int len length of the data block + */ +static char *smb_traffic_analyzer_create_header( TALLOC_CTX *ctx, + const char *state_flags, size_t data_len) +{ + char *header = talloc_asprintf( ctx, "V2.%s%017u", + state_flags, data_len); + DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created Header:\n")); + dump_data(10, header, strlen(header)); + return header; +} + + +/** + * Actually send header and data over the network + * char *header Header data + * char *data Data Block + * int dlength Length of data block + * int socket + */ +static void smb_traffic_analyzer_write_data( char *header, char *data, + int dlength, int socket) +{ + int len = strlen(header); + if (write_data( socket, header, len) != len) { + DEBUG(1, ("smb_traffic_analyzer_send_data_socket: " + "error sending the header" + " over the socket!\n")); + } + DEBUG(10,("smb_traffic_analyzer_write_data: sending data:\n")); + dump_data( 10, data, dlength); + + if (write_data( socket, data, dlength) != dlength) { + DEBUG(1, ("smb_traffic_analyzer_write_data: " + "error sending crypted data to socket!\n")); + } +} + + +/* + * Anonymize a string if required. + * TALLOC_CTX *ctx The talloc context to work on + * const char *str The string to anonymize + * vfs_handle_struct *handle The handle struct to work on + * + * Returns a newly allocated string, either the anonymized one, + * or a copy of const char *str. The caller has to take care for + * freeing the allocated memory. + */ +static char *smb_traffic_analyzer_anonymize( TALLOC_CTX *ctx, + const char *str, + vfs_handle_struct *handle ) +{ + const char *total_anonymization; + const char *anon_prefix; + char *output; + total_anonymization=lp_parm_const_string(SNUM(handle->conn), -- Samba Shared Repository
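Review bot: in the new docs-xml/manpages-3/smbta-util.8.xml (hunk @@ -0,0 +1,119 @@) the program is called "smbta-tool" in the refentry id, refentrytitle, refname and both cmdsynopsis commands, while the Makefile target, the commit message and the AUTHOR section call it smbta-util; rename those occurrences so `man smbta-util` finds the page. The VERSION section says 3.4 while the refmiscinfo class="version" entry says 3.6; pick one. Since -g and -c write the raw AES key to KEYFILE so it can be carried to other machines, the option text should say that this file (like the key in secrets.tdb) must be readable only by root, because anyone who can read it can decrypt the log stream; "create a File" should also be lower-case "file".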
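Review bot: the added DESCRIPTION text in vfs_smb_traffic_analyzer.8.xml (hunk @@ -31,14 +31,27 @@) buries the operational requirement; "Since the VFS module depends on a receiver ... it is evolving in it's development" should state plainly that the receiver must understand the protocol version the module is configured for. Spelling: "it's development" is "its development", and "is a try to solve" reads better as "is an attempt to solve".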
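Review bot: the "Version 2 of the protocol" section (hunk @@ -72,9 +85,86 @@) says the module "does AES block encryption over the data to send" without saying which mode, whether an IV is sent, or whether the receiver can detect tampering; the smb_traffic_analyzer_encrypt function later in this patch encrypts each 16-byte block independently with the same key and no IV (ECB) and adds no MAC, so repeated plaintext blocks (the anonymize prefix, common path components) repeat in the ciphertext and nothing in the stream lets the receiver notice a modified or replayed block. Either document that limitation here or change the scheme to a mode with a random IV plus an integrity check before the V2 format is frozen. "the receiver will not crash" is a promise about receiver code that is not in this tree; "is designed to ignore" is what the next sentence actually describes. Typos in the hunk: "seperate", "protcol", "Ultimativly", "potientially", "may be send" (sent), "it's data"/"it's version" (its), and "the users SID" (user's) in the anonymize_prefix text.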
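Review bot: the protocol_version entry (hunk @@ -125,7 +216,18 @@) documents only "V1" and unset (version 1) and "V2" (version 2); say what the module does for any other value, for example a lower-case "v2" or a future "V3", and whether the match is case-sensitive, since a silently ignored typo here means the receiver gets the wrong protocol. Same "the users SID" (user's) fix as above in the total_anonymization text.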
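Review bot: the new EXAMPLES entry (hunk @@ -134,6 +236,15 @@) runs protocol V2 over an internet socket to examplehost:3491 without mentioning encryption; V2 only encrypts when smbta-util has installed a key in secrets.tdb (commit 541fb43 in this push), so the example as shown sends usernames, SIDs and file names in the clear, which is exactly the "Insecure network transfer" drawback the page lists for V1. Add a sentence that `smbta-util -g KEYFILE` (or `-f`) has to be run first for the data on the wire to be encrypted, or put the unix-domain-socket example first.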
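Review bot: the BIN_PROGS3 and BIN_PROGS4 lines in source3/Makefile.in (hunk @@ -209,15 +209,16 @@) and the removed blank line before `libtalloc: $(LIBTALLOC)` (hunk @@ -1854,7 +1864,6 @@) appear to differ only in whitespace and have nothing to do with smbta-util; keep them out of this change so the diff shows only the new SMBTA_UTIL_OBJ list and the bin/smbta-util link rule. The same applies to the blank-line removals in vfs_smb_traffic_analyzer.c (hunks @@ -44,7 +45,6 @@, @@ -108,7 +108,6 @@ and @@ -141,7 +140,6 @@).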
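Review bot: in smb_traffic_analyzer_encrypt (hunk @@ -150,12 +148,241 @@) the final block call has its arguments reversed: `samba_AES_encrypt( str+(16*h), filler, &key );` passes the unpadded tail of str as input and uses filler as the output buffer, whereas the loop above passes the input first and `crypted` as output. The 16 bytes read from str+(16*h) therefore include the terminating NUL and up to 15-s2 bytes beyond the end of the string, so the ciphertext carries whatever follows the buffer in memory, and the '.'-padded filler block that was just built is overwritten with ciphertext instead of being what gets encrypted. It should be `samba_AES_encrypt(filler, crypted, &key);` followed by copying crypted into output, as in the loop. Beyond that, each block is encrypted independently with the same key and no IV (ECB) and there is no MAC, so identical plaintext blocks give identical ciphertext and a receiver cannot detect a modified or replayed block; a mode with a random IV plus an integrity check should replace this before the format is fixed. Smaller points: the '.' filler cannot be told apart from data ending in '.', so the receiver must take lengths only from the inner sub-headers; `"V2.%s%017u"` in smb_traffic_analyzer_create_header is given a size_t (use `%zu` or cast); the comment still says `int *len` while the parameter is `size_t *len`; smb_traffic_analyzer_write_data logs a failed header write and then still sends the data block, which desynchronises the stream (return after the first failure), and its "error sending crypted data" message is also reached for plaintext; the parameter named `socket` shadows socket(2); and the DEBUG(10) of the filler puts plaintext file-name fragments into the log at that level. The mail cuts the changeset at 500 lines, so smb_traffic_analyzer_anonymize and the rest of the file could not be reviewed here.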