-rw-r--r--docs-xml/manpages/smbta-util.8.xml115
-rw-r--r--docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml299
-rw-r--r--docs-xml/wscript_build2
-rw-r--r--lib/crypto/REQUIREMENTS3
-rw-r--r--packaging/RHEL-CTDB/samba.spec.tmpl3
-rw-r--r--packaging/RHEL/samba.spec.tmpl2
-rw-r--r--source3/modules/vfs_smb_traffic_analyzer.c947
-rw-r--r--source3/modules/vfs_smb_traffic_analyzer.h157
-rw-r--r--source3/modules/wscript_build8
-rw-r--r--source3/utils/smbta-util.c211
-rw-r--r--source3/wscript2
-rwxr-xr-xsource3/wscript_build7
12 files changed, 1 insertions, 1755 deletions
diff --git a/docs-xml/manpages/smbta-util.8.xml b/docs-xml/manpages/smbta-util.8.xml
deleted file mode 100644
index 83abfe9c839..00000000000
--- a/docs-xml/manpages/smbta-util.8.xml
+++ /dev/null
@@ -1,115 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<refentry id="smbta-util.8">
-
-<refmeta>
- <refentrytitle>smbta-util</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">4.3</refmiscinfo>
-</refmeta>
-
-
-<refnamediv>
- <refname>smbta-util</refname>
- <refpurpose>control encryption in VFS smb_traffic_analyzer</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
- <cmdsynopsis>
- <command>smbta-util</command>
- <arg rep="repeat" choice="opt">
- <replaceable>COMMANDS</replaceable>
- </arg>
- </cmdsynopsis>
-
-</refsynopsisdiv>
-
-<refsect1>
- <title>DESCRIPTION</title>
-
- <para>This tool is part of the
- <citerefentry><refentrytitle>samba</refentrytitle>
- <manvolnum>1</manvolnum></citerefentry> suite.</para>
-
- <para><command>smbta-util</command> is a tool to ease the
- configuration of the vfs_smb_traffic_analyzer module regarding
- data encryption.</para>
- <para>The user can generate a key, install a key (activating
- encryption), or uninstall a key (deactivating encryption).
- Any operation that installs a key will create a File containing
- the key. This file can be used by smbta-tool on other machines
- to install the same key from the file.</para>
-
-
-</refsect1>
-
-
-<refsect1>
- <title>COMMANDS</title>
-
- <variablelist>
-
- <varlistentry>
- <term><option>-h</option></term>
- <listitem><para>Show a short help text on the command line.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-f</option>
- <replaceable>KEYFILE</replaceable></term>
- <listitem><para>Open an existing keyfile, read the key from
- the file, and install the key, activating encryption.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-g</option>
- <replaceable>KEYFILE</replaceable></term>
- <listitem><para>Generate a new random key, install the key,
- activate encryption, and store the key into the file KEYFILE.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-u</option></term>
- <listitem><para>Uninstall the key, deactivating encryption.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-s</option></term>
- <listitem><para>Check if a key is installed.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-c</option>
- <replaceable>KEYFILE</replaceable></term>
- <listitem><para>Create a KEYFILE from an installed key.
- </para></listitem>
- </varlistentry>
-
-
- </variablelist>
-</refsect1>
-
-<refsect1>
- <title>VERSION</title>
- <para>This man page is correct for version 3.4 of the Samba suite.</para>
-</refsect1>
-
-<refsect1>
- <title>AUTHOR</title>
- <para> The original version of smbta-util was created by Holger Hetterich.
- </para>
- <para> The original Samba software and related utilities were
- created by Andrew Tridgell. Samba is now developed by the
- Samba Team as an Open Source project similar to the way the
- Linux kernel is developed.</para>
-</refsect1>
-
-</refentry>
diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
deleted file mode 100644
index f441a361602..00000000000
--- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
+++ /dev/null
@@ -1,299 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="vfs_smb_traffic_analyzer.8">
-
-<refmeta>
- <refentrytitle>smb_traffic_analyzer</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">4.3</refmiscinfo>
-</refmeta>
-
-
-<refnamediv>
- <refname>vfs_smb_traffic_analyzer</refname>
- <refpurpose>log Samba VFS read and write operations through a socket
- to a helper application</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
- <cmdsynopsis>
- <command>vfs objects = smb_traffic_analyzer</command>
- </cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
- <title>DESCRIPTION</title>
-
- <para>This VFS module is part of the
- <citerefentry><refentrytitle>samba</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry> suite.</para>
-
- <para>The <command>vfs_smb_traffic_analyzer</command> VFS module logs
- client file operations on a Samba server and sends this data
- over a socket to a helper program (in the following the "Receiver"),
- which feeds a SQL database. More
- information on the helper programs can be obtained from the
- homepage of the project at:
- http://holger123.wordpress.com/smb-traffic-analyzer/
- Since the VFS module depends on a receiver that is doing something with
- the data, it is evolving in it's development. Therefore, the module
- works with different protocol versions, and the receiver has to be able
- to decode the protocol that is used. The protocol version 1 was
- introduced to Samba at September 25, 2008. It was a very simple
- protocol, supporting only a small list of VFS operations, and had
- several drawbacks. The protocol version 2 is a try to solve the
- problems version 1 had while at the same time adding new features.
- With the release of Samba 4.0.0, the module will run protocol version 2
- by default.
- </para>
-</refsect1>
-
-<refsect1>
- <title>Protocol version 1 documentation</title>
- <para><command>vfs_smb_traffic_analyzer</command> protocol version 1 is aware
- of the following VFS operations:</para>
-
- <simplelist>
- <member>write</member>
- <member>pwrite</member>
- <member>read</member>
- <member>pread</member>
- </simplelist>
-
- <para><command>vfs_smb_traffic_analyzer</command> sends the following data
- in a fixed format separated by a comma through either an internet or a
- unix domain socket:</para>
- <programlisting>
- BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP
- </programlisting>
-
- <para>Description of the records:
-
- <itemizedlist>
- <listitem><para><command>BYTES</command> - the length in bytes of the VFS operation</para></listitem>
- <listitem><para><command>USER</command> - the user who initiated the operation</para></listitem>
- <listitem><para><command>DOMAIN</command> - the domain of the user</para></listitem>
- <listitem><para><command>READ/WRITE</command> - either "W" for a write operation or "R" for read</para></listitem>
- <listitem><para><command>SHARE</command> - the name of the share on which the VFS operation occurred</para></listitem>
- <listitem><para><command>FILENAME</command> - the name of the file that was used by the VFS operation</para></listitem>
- <listitem><para><command>TIMESTAMP</command> - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms" indicating when the VFS operation occurred</para></listitem>
- <listitem><para><command>IP</command> - The IP Address (v4 or v6) of the client machine that initiated the VFS operation.</para></listitem>
- </itemizedlist>
-
- </para>
-
- <para>This module is stackable.</para>
-
-</refsect1>
-
-<refsect1>
- <title>Drawbacks of protocol version 1</title>
- <para>Several drawbacks have been seen with protocol version 1 over time.</para>
- <itemizedlist>
- <listitem>
- <para>
- <command>Problematic parsing - </command>
- Protocol version 1 uses hyphen and comma to separate blocks of data. Once there is a
- filename with a hyphen, you will run into problems because the receiver decodes the
- data in a wrong way.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>Insecure network transfer - </command>
- Protocol version 1 sends all it's data as plaintext over the network.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>Limited set of supported VFS operations - </command>
- Protocol version 1 supports only four VFS operations.
- </para>
- </listitem>
- <listitem>
- <para>
- <command>No subreleases of the protocol - </command>
- Protocol version 1 is fixed on it's version, making it unable to introduce new
- features or bugfixes through compatible sub-releases.
- </para>
- </listitem>
- </itemizedlist>
-</refsect1>
-<refsect1>
- <title>Version 2 of the protocol</title>
- <para>Protocol version 2 is an approach to solve the problems introduced with protocol v1.
- From the users perspective, the following changes are most prominent among other enhancements:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- The data from the module may be send encrypted, with a key stored in secrets.tdb. The
- Receiver then has to use the same key. The module does AES block encryption over the
- data to send.
- </para>
- </listitem>
- <listitem>
- <para>
- The module now can identify itself against the receiver with a sub-release number, where
- the receiver may run with a different sub-release number than the module. However, as
- long as both run on the V2.x protocol, the receiver will not crash, even if the module
- uses features only implemented in the newer subrelease. Ultimately, if the module uses
- a new feature from a newer subrelease, and the receiver runs an older protocol, it is just
- ignoring the functionality. Of course it is best to have both the receiver and the module
- running the same subrelease of the protocol.
- </para>
- </listitem>
- <listitem>
- <para>
- The parsing problems of protocol V1 can no longer happen, because V2 is marshalling the
- data packages in a proper way.
- </para>
- </listitem>
- <listitem>
- <para>
- The module now potentially has the ability to create data on every VFS function. As of
- protocol V2.0, there is support for 8 VFS functions, namely write,read,pread,pwrite,
- rename,chdir,mkdir and rmdir. Supporting more VFS functions is one of the targets for the
- upcoming sub-releases.
- </para>
- </listitem>
- </itemizedlist>
- <para>
- To enable protocol V2, the protocol_version vfs option has to be used (see OPTIONS).
- </para>
-
-</refsect1>
-
-<refsect1>
- <title>OPTIONS with protocol V1 and V2.x</title>
-
- <variablelist>
-
- <varlistentry>
- <term>smb_traffic_analyzer:mode = STRING</term>
- <listitem>
- <para>If STRING matches to "unix_domain_socket", the module will
- use a unix domain socket located at /var/tmp/stadsocket, if
- STRING contains an different string or is not defined, the module will
- use an internet domain socket for data transfer.</para>
-
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term>smb_traffic_analyzer:host = STRING</term>
- <listitem>
- <para>The module will send the data to the system named with
- the hostname STRING.</para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>smb_traffic_analyzer:port = STRING</term>
- <listitem>
- <para>The module will send the data using the TCP port given
- in STRING.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>smb_traffic_analyzer:anonymize_prefix = STRING</term>
- <listitem>
- <para>The module will replace the user names with a prefix
- given by STRING and a simple hash number. In version 2.x
- of the protocol, the users SID will also be anonymized.
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>smb_traffic_analyzer:total_anonymization = STRING</term>
- <listitem>
- <para>If STRING matches to 'yes', the module will replace
- any user name with the string given by the option
- smb_traffic_analyzer:anonymize_prefix, without generating
- an additional hash number. This means that any transfer data
- will be mapped to a single user, leading to a total
- anonymization of user related data. In version 2.x of the
- protocol, the users SID will also be anonymized.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>smb_traffic_analyzer:protocol_version = STRING</term>
- <listitem>
- <para>If STRING matches to V1, the module will use version 1 of the
- protocol. If STRING is not given, the module will use version 2 of the
- protocol, which is the default.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-</refsect1>
-
-<refsect1>
- <title>EXAMPLES</title>
- <para>Running protocol V2 on share "example_share", using an internet socket.</para>
- <programlisting>
- <smbconfsection name="[example_share]"/>
- <smbconfoption name="path">/data/example</smbconfoption>
- <smbconfoption name="vfs_objects">smb_traffic_analyzer</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
- </programlisting>
-
- <para>The module running on share "example_share", using a unix domain socket</para>
- <programlisting>
- <smbconfsection name="[example_share]"/>
- <smbconfoption name="path">/data/example</smbconfoption>
- <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:mode">unix_domain_socket</smbconfoption>
- </programlisting>
-
- <para>The module running on share "example_share", using an internet socket,
- connecting to host "examplehost" on port 3491.</para>
- <programlisting>
- <smbconfsection name="[example_share]"/>
- <smbconfoption name="path">/data/example</smbconfoption>
- <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
- </programlisting>
-
- <para>The module running on share "example_share", using an internet socket,
- connecting to host "examplehost" on port 3491, anonymizing user names with
- the prefix "User".</para>
- <programlisting>
- <smbconfsection name="[example_share]"/>
- <smbconfoption name="path">/data/example</smbconfoption>
- <smbconfoption name="vfs objects">smb_traffic_analyzer</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:host">examplehost</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:port">3491</smbconfoption>
- <smbconfoption name="smb_traffic_analyzer:anonymize_prefix">User</smbconfoption>
- </programlisting>
-</refsect1>
-
-<refsect1>
- <title>VERSION</title>
- <para>This man page is correct for version 3.3 of the Samba suite.
- </para>
-</refsect1>
-
-<refsect1>
- <title>AUTHOR</title>
-
- <para>The original Samba software and related utilities
- were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
- to the way the Linux kernel is developed.</para>
-
- <para>The original version of the VFS module and the
- helper tools were created by Holger Hetterich.</para>
-</refsect1>
-</refentry>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index b327a3e7c40..d0e1051c550 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -39,7 +39,6 @@ manpages='''
manpages/smbpasswd.8
manpages/smbspool.8
manpages/smbstatus.1
- manpages/smbta-util.8
manpages/smbtar.1
manpages/smbtree.1
manpages/testparm.1
@@ -77,7 +76,6 @@ manpages='''
manpages/vfs_shadow_copy.8
manpages/vfs_shadow_copy2.8
manpages/vfs_shell_snap.8
- manpages/vfs_smb_traffic_analyzer.8
manpages/vfs_snapper.8
manpages/vfs_streams_depot.8
manpages/vfs_streams_xattr.8
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index 4b1e21a4e5f..351c2bb99b4 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -35,9 +35,6 @@ AES CFB8
- SCHANNEL
- NETLOGON SamLogon session keys
-AES 128
- - SMB VFS traffic analyzer
-
# NETTLE (AES-NI available)
AES128 CCM
diff --git a/packaging/RHEL-CTDB/samba.spec.tmpl b/packaging/RHEL-CTDB/samba.spec.tmpl
index e76137e2630..0d8b5a6f474 100644
--- a/packaging/RHEL-CTDB/samba.spec.tmpl
+++ b/packaging/RHEL-CTDB/samba.spec.tmpl
@@ -420,7 +420,6 @@ exit 0
%{_libarchdir}/samba/vfs/recycle.so
%{_libarchdir}/samba/vfs/shadow_copy.so
%{_libarchdir}/samba/vfs/shadow_copy2.so
-%{_libarchdir}/samba/vfs/smb_traffic_analyzer.so
%{_libarchdir}/samba/vfs/streams_depot.so
%{_libarchdir}/samba/vfs/streams_xattr.so
%{_libarchdir}/samba/vfs/syncops.so
@@ -444,7 +443,6 @@ exit 0
%{_mandir}/man8/smbd.8*
%{_mandir}/man8/eventlogadm.8*
%{_mandir}/man8/vfs_*.8*
-%{_mandir}/man8/smbta-util.8*
##########
@@ -492,7 +490,6 @@ exit 0
%{_bindir}/smbtar
%{_bindir}/smbtree
%{_bindir}/sharesec
-%{_bindir}/smbta-util
%{_mandir}/man8/smbspool.8*
%{_mandir}/man1/smbget.1*
diff --git a/packaging/RHEL/samba.spec.tmpl b/packaging/RHEL/samba.spec.tmpl
index 0f51c4e1b43..bb8ff11e5c4 100644
--- a/packaging/RHEL/samba.spec.tmpl
+++ b/packaging/RHEL/samba.spec.tmpl
@@ -337,7 +337,6 @@ fi
%{_bindir}/mksmbpasswd.sh
%{_bindir}/smbcontrol
%{_bindir}/smbstatus
-%{_bindir}/smbta-util
%{_bindir}/tdbbackup
%{_bindir}/tdbtool
%{_bindir}/tdbdump
@@ -492,7 +491,6 @@ fi
%{_mandir}/man8/smbpasswd.8*
%{_mandir}/man5/pam_winbind.conf.5.*
%{_mandir}/man7/libsmbclient.7*
-%{_mandir}/man8/smbta-util.8*
%{_mandir}/man8/pam_winbind.8*
%changelog
diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c
deleted file mode 100644
index f5c39ad6d7c..00000000000
--- a/source3/modules/vfs_smb_traffic_analyzer.c
+++ /dev/null
@@ -1,947 +0,0 @@
-/*
- * traffic-analyzer VFS module. Measure the smb traffic users create
- * on the net.
- *
- * Copyright (C) Holger Hetterich, 2008-2010
- * Copyright (C) Jeremy Allison, 2008
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "smbd/smbd.h"
-#include "../smbd/globals.h"
-#include "../lib/crypto/crypto.h"
-#include "vfs_smb_traffic_analyzer.h"
-#include "../libcli/security/security.h"
-#include "secrets.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-#include "auth.h"
-#include "../lib/tsocket/tsocket.h"
-#include "lib/util/sys_rw_data.h"
-
-/* abstraction for the send_over_network function */
-enum sock_type {INTERNET_SOCKET = 0, UNIX_DOMAIN_SOCKET};
-
-#define LOCAL_PATHNAME "/var/tmp/stadsocket"
-
-static int vfs_smb_traffic_analyzer_debug_level = DBGC_VFS;
-
-static enum sock_type smb_traffic_analyzer_connMode(vfs_handle_struct *handle)
-{
- connection_struct *conn = handle->conn;
- const char *Mode;
- Mode=lp_parm_const_string(SNUM(conn), "smb_traffic_analyzer","mode", \
- "internet_socket");
- if (strstr(Mode,"unix_domain_socket")) {
- return UNIX_DOMAIN_SOCKET;
- } else {
- return INTERNET_SOCKET;
- }
-}
-
-
-/* Connect to an internet socket */
-static int smb_traffic_analyzer_connect_inet_socket(vfs_handle_struct *handle,
- const char *name, uint16_t port)
-{
- /* Create a streaming Socket */
- int sockfd = -1;
- struct addrinfo hints;
- struct addrinfo *ailist = NULL;
- struct addrinfo *res = NULL;
- int ret;
-
- ZERO_STRUCT(hints);
- /* By default make sure it supports TCP. */
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_ADDRCONFIG;
-
- ret = getaddrinfo(name,
- NULL,
- &hints,
- &ailist);
-
- if (ret) {
- DEBUG(3,("smb_traffic_analyzer_connect_inet_socket: "
- "getaddrinfo failed for name %s [%s]\n",
- name,
- gai_strerror(ret) ));
- return -1;
- }
-
- DEBUG(3,("smb_traffic_analyzer: Internet socket mode. Hostname: %s,"
- "Port: %i\n", name, port));
-
- for (res = ailist; res; res = res->ai_next) {
- struct sockaddr_storage ss;
- NTSTATUS status;
-
- if (!res->ai_addr || res->ai_addrlen == 0) {
- continue;
- }
-
- ZERO_STRUCT(ss);
- memcpy(&ss, res->ai_addr, res->ai_addrlen);
-
- status = open_socket_out(&ss, port, 10000, &sockfd);
- if (NT_STATUS_IS_OK(status)) {
- break;
- }
- }
-
- if (ailist) {
- freeaddrinfo(ailist);
- }
-
- if (sockfd == -1) {
- DEBUG(1, ("smb_traffic_analyzer: unable to create "
- "socket, error is %s",
- strerror(errno)));
- return -1;
- }
-
- return sockfd;
-}
-
-/* Connect to a unix domain socket */
-static int smb_traffic_analyzer_connect_unix_socket(vfs_handle_struct *handle,
- const char *name)
-{
- /* Create the socket to stad */
- int len, sock;
- struct sockaddr_un remote;
-
- DEBUG(7, ("smb_traffic_analyzer_connect_unix_socket: "
- "Unix domain socket mode. Using %s\n",
- name ));
-
- if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
- DEBUG(1, ("smb_traffic_analyzer_connect_unix_socket: "
- "Couldn't create socket, "
- "make sure stad is running!\n"));
- return -1;
- }
- remote.sun_family = AF_UNIX;
- strlcpy(remote.sun_path, name,
- sizeof(remote.sun_path));
- len=strlen(remote.sun_path) + sizeof(remote.sun_family);
- if (connect(sock, (struct sockaddr *)&remote, len) == -1 ) {
- DEBUG(1, ("smb_traffic_analyzer_connect_unix_socket: "
- "Could not connect to "
- "socket, make sure\nstad is running!\n"));
- close(sock);
- return -1;
- }
- return sock;
-}
-
-/* Private data allowing shared connection sockets. */
-struct refcounted_sock {
- struct refcounted_sock *next, *prev;
- char *name;
- uint16_t port;
- int sock;
- unsigned int ref_count;
-};
-
-
-/**
- * Encryption of a data block with AES
- * TALLOC_CTX *ctx Talloc context to work on
- * const char *akey 128bit key for the encryption
- * const char *str Data buffer to encrypt, \0 terminated
- * int *len Will be set to the length of the
- * resulting data block
- * The caller has to take care for the memory
- * allocated on the context.
- */
-static char *smb_traffic_analyzer_encrypt( TALLOC_CTX *ctx,
- const char *akey, const char *str, size_t *len)
-{
- int s1,s2,h;
- AES_KEY key;
- unsigned char filler[17]= "................";
- char *output;
- if (akey == NULL) return NULL;
- AES_set_encrypt_key((const unsigned char *) akey, 128, &key);
- s1 = strlen(str) / 16;
- s2 = strlen(str) % 16;
- memcpy(filler, str + (s1*16), s2);
- DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created %s"
- " as filling block.\n", filler));
-
- *len = ((s1 + 1)*16);
- output = talloc_array(ctx, char, *len);
- for (h = 0; h < s1; h++) {
- AES_encrypt((const unsigned char *) str+(16*h), (unsigned char *)output+16*h,
- &key);
- }
- AES_encrypt(filler, (unsigned char *)(output+(16*h)), &key);
- *len = (s1*16)+16;
- return output;
-}
-
-/**
- * Create a v2 header.
- * TALLLOC_CTX *ctx Talloc context to work on
- * const char *state_flags State flag string
- * int len length of the data block
- */
-static char *smb_traffic_analyzer_create_header( TALLOC_CTX *ctx,
- const char *state_flags, size_t data_len)
-{
- char *header = talloc_asprintf( ctx, "V2.%s%017u",
- state_flags, (unsigned int) data_len);
- DEBUG(10, ("smb_traffic_analyzer_send_data_socket: created Header:\n"));
- dump_data(10, (uint8_t *)header, strlen(header));
- return header;
-}
-
-
-/**
- * Actually send header and data over the network
- * char *header Header data
- * char *data Data Block
- * int dlength Length of data block
- * int socket
- */
-static void smb_traffic_analyzer_write_data( char *header, char *data,
- int dlength, int _socket)
-{
- int len = strlen(header);
- if (write_data( _socket, header, len) != len) {
- DEBUG(1, ("smb_traffic_analyzer_send_data_socket: "
- "error sending the header"
- " over the socket!\n"));
- }
- DEBUG(10,("smb_traffic_analyzer_write_data: sending data:\n"));
- dump_data( 10, (uint8_t *)data, dlength);
-
- if (write_data( _socket, data, dlength) != dlength) {
- DEBUG(1, ("smb_traffic_analyzer_write_data: "
- "error sending crypted data to socket!\n"));
- }
-}
-
-
-/*
- * Anonymize a string if required.
- * TALLOC_CTX *ctx The talloc context to work on
- * const char *str The string to anonymize
- * vfs_handle_struct *handle The handle struct to work on
- *
- * Returns a newly allocated string, either the anonymized one,
- * or a copy of const char *str. The caller has to take care for
- * freeing the allocated memory.
- */
-static char *smb_traffic_analyzer_anonymize( TALLOC_CTX *ctx,
- const char *str,
- vfs_handle_struct *handle )
-{
- const char *total_anonymization;
- const char *anon_prefix;
- char *output;
- total_anonymization=lp_parm_const_string(SNUM(handle->conn),
- "smb_traffic_analyzer",
- "total_anonymization", NULL);
-
- anon_prefix=lp_parm_const_string(SNUM(handle->conn),
- "smb_traffic_analyzer",
- "anonymize_prefix", NULL );
- if (anon_prefix != NULL) {
- if (total_anonymization != NULL) {
- output = talloc_asprintf(ctx, "%s",
- anon_prefix);
- } else {
- output = talloc_asprintf(ctx, "%s%i", anon_prefix,
- str_checksum(str));
- }
- } else {
- output = talloc_asprintf(ctx, "%s", str);
- }
-
- return output;
-}
-
-
-/**
- * The marshalling function for protocol v2.
- * TALLOC_CTX *ctx Talloc context to work on
- * struct tm *tm tm struct for the timestamp
- * int seconds milliseconds of the timestamp
- * vfs_handle_struct *handle vfs_handle_struct
- * char *username Name of the user
- * int vfs_operation VFS operation identifier
- * int count Number of the common data blocks
- * [...] variable args data blocks taken from the individual
- * VFS data structures
- *
- * Returns the complete data block to send. The caller has to
- * take care for freeing the allocated buffer.
- */
-static char *smb_traffic_analyzer_create_string( TALLOC_CTX *ctx,
- struct tm *tm, int seconds, vfs_handle_struct *handle, \
- char *username, int vfs_operation, int count, ... )
-{
-
- va_list ap;
- char *arg = NULL;
- int len;
- char *common_data_count_str = NULL;
- char *timestr = NULL;
- char *sidstr = NULL;
- char *usersid = NULL;
- char *raddr = NULL;
- char *buf = NULL;
- char *vfs_operation_str = NULL;
- const char *service_name = lp_const_servicename(handle->conn->params->service);
-
- /*
- * first create the data that is transfered with any VFS op
- * These are, in the following order:
- *(0) number of data to come [6 in v2.0]
- * 1.vfs_operation identifier
- * 2.username
- * 3.user-SID
- * 4.affected share
- * 5.domain
- * 6.timestamp
- * 7.IP Addresss of client
- */
-
- /*
- * number of common data blocks to come,
- * this is a #define in vfs_smb_traffic_anaylzer.h,
- * it's length is known at compile time
- */
- common_data_count_str = talloc_strdup( ctx, SMBTA_COMMON_DATA_COUNT);
- /* vfs operation identifier */
- vfs_operation_str = talloc_asprintf( common_data_count_str, "%i",
- vfs_operation);
- /*
- * Handle anonymization. In protocol v2, we have to anonymize
- * both the SID and the username. The name is already
- * anonymized if needed, by the calling function.
- */
- usersid = dom_sid_string( common_data_count_str,
- &handle->conn->session_info->security_token->sids[0]);
-
- sidstr = smb_traffic_analyzer_anonymize(
- common_data_count_str,
- usersid,
- handle);
-
- raddr = tsocket_address_inet_addr_string(handle->conn->sconn->remote_address,
- ctx);
- if (raddr == NULL) {
- return NULL;
- }
-
- /* time stamp */
- timestr = talloc_asprintf( common_data_count_str, \
- "%04d-%02d-%02d %02d:%02d:%02d.%03d", \
- tm->tm_year+1900, \
- tm->tm_mon+1, \
- tm->tm_mday, \
- tm->tm_hour, \
- tm->tm_min, \
- tm->tm_sec, \
- (int)seconds);
- len = strlen( timestr );
- /* create the string of common data */
- buf = talloc_asprintf(ctx,
- "%s%04u%s%04u%s%04u%s%04u%s%04u%s%04u%s%04u%s",
- common_data_count_str,
- (unsigned int) strlen(vfs_operation_str),
- vfs_operation_str,
- (unsigned int) strlen(username),
- username,
- (unsigned int) strlen(sidstr),
- sidstr,
- (unsigned int) strlen(service_name),
- service_name,
- (unsigned int)
- strlen(handle->conn->session_info->info->domain_name),
- handle->conn->session_info->info->domain_name,
- (unsigned int) strlen(timestr),
- timestr,
- (unsigned int) strlen(raddr),
- raddr);
-
- talloc_free(common_data_count_str);
-
- /* data blocks depending on the VFS function */
- va_start( ap, count );
- while ( count-- ) {
- arg = va_arg( ap, char * );
- /*
- * protocol v2 sends a four byte string
- * as a header to each block, including
- * the numbers of bytes to come in the
- * next string.
- */
- len = strlen( arg );
- buf = talloc_asprintf_append( buf, "%04u%s", len, arg);
- }
- va_end( ap );
- return buf;
-}
-
-static void smb_traffic_analyzer_send_data(vfs_handle_struct *handle,
- void *data,
- enum vfs_id vfs_operation )
-{
- struct refcounted_sock *rf_sock = NULL;
- struct timeval tv;
- time_t tv_sec;
- struct tm *tm = NULL;
- int seconds;
- char *str = NULL;
- char *username = NULL;
- char *header = NULL;
- const char *protocol_version = NULL;
- bool Write = false;
- size_t len;
- size_t size;
- char *akey, *output;
-
- /*
- * The state flags are part of the header
- * and are descripted in the protocol description
- * in vfs_smb_traffic_analyzer.h. They begin at byte
- * 03 of the header.
- */
- char state_flags[9] = "000000\0";
-
- /**
- * The first byte of the state flag string represents
- * the modules protocol subversion number, defined
- * in smb_traffic_analyzer.h. smbtatools/smbtad are designed
- * to handle not yet implemented protocol enhancements
- * by ignoring them. By recognizing the SMBTA_SUBRELEASE
- * smbtatools can tell the user to update the client
- * software.
- */
- state_flags[0] = SMBTA_SUBRELEASE;
-
- SMB_VFS_HANDLE_GET_DATA(handle, rf_sock, struct refcounted_sock, return);
-
- if (rf_sock == NULL || rf_sock->sock == -1) {
- DEBUG(1, ("smb_traffic_analyzer_send_data: socket is "
- "closed\n"));
- return;
- }
-
- GetTimeOfDay(&tv);
- tv_sec = tv.tv_sec;
- tm = localtime(&tv_sec);
- if (!tm) {
- return;
- }
- seconds=(float) (tv.tv_usec / 1000);
-
- /*
- * Check if anonymization is required, and if yes do this only for
- * the username here, needed vor protocol version 1. In v2 we
- * additionally anonymize the SID, which is done in it's marshalling
- * function.
- */
- username = smb_traffic_analyzer_anonymize( talloc_tos(),
- handle->conn->session_info->unix_info->sanitized_username,
- handle);
-
- if (!username) {
- return;
- }
-
- protocol_version = lp_parm_const_string(SNUM(handle->conn),
- "smb_traffic_analyzer",
- "protocol_version", NULL );
-
-
- if (protocol_version != NULL && strcmp(protocol_version,"V1") == 0) {
-
- struct rw_data *s_data = (struct rw_data *) data;
-
- /*
- * in case of protocol v1, ignore any vfs operations
- * except read,pread,write,pwrite, and set the "Write"
- * bool accordingly, send data and return.
- */
- if ( vfs_operation > vfs_id_pwrite ) return;
-
- if ( vfs_operation <= vfs_id_pread ) Write=false;
- else Write=true;
-
- str = talloc_asprintf(talloc_tos(),
- "V1,%u,\"%s\",\"%s\",\"%c\",\"%s\",\"%s\","
- "\"%04d-%02d-%02d %02d:%02d:%02d.%03d\"\n",
- (unsigned int) s_data->len,
- username,
- handle->conn->session_info->info->domain_name,
- Write ? 'W' : 'R',
- handle->conn->cwd,
- s_data->filename,
- tm->tm_year+1900,
- tm->tm_mon+1,
- tm->tm_mday,
- tm->tm_hour,
- tm->tm_min,
- tm->tm_sec,
- (int)seconds);
- len = strlen(str);
- if (write_data(rf_sock->sock, str, len) != len) {
- DEBUG(1, ("smb_traffic_analyzer_send_data_socket: "
- "error sending V1 protocol data to socket!\n"));
- return;
- }
-
- } else {
- /**
- * Protocol 2 is used by default.
- */
-
- switch( vfs_operation ) {
- case vfs_id_open: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_open,
- 3, ((struct open_data *) data)->filename,
- talloc_asprintf( talloc_tos(), "%u",
- (unsigned int)((struct open_data *) data)->mode),
- talloc_asprintf( talloc_tos(), "%u",
- ((struct open_data *) data)->result));
- break;
- case vfs_id_close: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_close,
- 2, ((struct close_data *) data)->filename,
- talloc_asprintf( talloc_tos(), "%u",
- ((struct close_data *) data)->result));
- break;
- case vfs_id_mkdir: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_mkdir, \
- 3, ((struct mkdir_data *) data)->path, \
- talloc_asprintf( talloc_tos(), "%u", \
- (unsigned int)((struct mkdir_data *) data)->mode), \
- talloc_asprintf( talloc_tos(), "%u", \
- ((struct mkdir_data *) data)->result ));
- break;
- case vfs_id_rmdir: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_rmdir,
- 2, ((struct rmdir_data *) data)->path, \
- talloc_asprintf( talloc_tos(), "%u", \
- ((struct rmdir_data *) data)->result ));
- break;
- case vfs_id_rename: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_rename,
- 3, ((struct rename_data *) data)->src, \
- ((struct rename_data *) data)->dst,
- talloc_asprintf(talloc_tos(), "%u", \
- ((struct rename_data *) data)->result));
- break;
- case vfs_id_chdir: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_id_chdir,
- 2, ((struct chdir_data *) data)->path, \
- talloc_asprintf(talloc_tos(), "%u", \
- ((struct chdir_data *) data)->result));
- break;
-
- case vfs_id_write:
- case vfs_id_pwrite:
- case vfs_id_read:
- case vfs_id_pread: ;
- str = smb_traffic_analyzer_create_string( talloc_tos(),
- tm, seconds, handle, username, vfs_operation,
- 2, ((struct rw_data *) data)->filename, \
- talloc_asprintf(talloc_tos(), "%u", \
- (unsigned int)
- ((struct rw_data *) data)->len));
- break;
- default:
- DEBUG(1, ("smb_traffic_analyzer: error! "
- "wrong VFS operation id detected!\n"));
- return;
- }
-
- }
-
- if (!str) {
- DEBUG(1, ("smb_traffic_analyzer_send_data: "
- "unable to create string to send!\n"));
- return;
- }
-
-
- /*
- * If configured, optain the key and run AES encryption
- * over the data.
- */
- become_root();
- akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size);
- unbecome_root();
- if ( akey != NULL ) {
- state_flags[2] = 'E';
- DEBUG(10, ("smb_traffic_analyzer_send_data_socket: a key was"
- " found, encrypting data!\n"));
- output = smb_traffic_analyzer_encrypt( talloc_tos(),
- akey, str, &len);
- SAFE_FREE(akey);
- header = smb_traffic_analyzer_create_header( talloc_tos(),
- state_flags, len);
-
- DEBUG(10, ("smb_traffic_analyzer_send_data_socket:"
- " header created for crypted data: %s\n", header));
- smb_traffic_analyzer_write_data(header, output, len,
- rf_sock->sock);
- return;
-
- }
-
- len = strlen(str);
- header = smb_traffic_analyzer_create_header( talloc_tos(),
- state_flags, len);
- smb_traffic_analyzer_write_data(header, str, strlen(str),
- rf_sock->sock);
-
-}
-
-static struct refcounted_sock *sock_list;
-
-static void smb_traffic_analyzer_free_data(void **pptr)
-{
- struct refcounted_sock *rf_sock = *(struct refcounted_sock **)pptr;
- if (rf_sock == NULL) {
- return;
- }
- rf_sock->ref_count--;
- if (rf_sock->ref_count != 0) {
- return;
- }
- if (rf_sock->sock != -1) {
- close(rf_sock->sock);
- }
- DLIST_REMOVE(sock_list, rf_sock);
- TALLOC_FREE(rf_sock);
-}
-
-static int smb_traffic_analyzer_connect(struct vfs_handle_struct *handle,
- const char *service,
- const char *user)
-{
- connection_struct *conn = handle->conn;
- enum sock_type st = smb_traffic_analyzer_connMode(handle);
- struct refcounted_sock *rf_sock = NULL;
- const char *name = (st == UNIX_DOMAIN_SOCKET) ? LOCAL_PATHNAME :
- lp_parm_const_string(SNUM(conn),
- "smb_traffic_analyzer",
- "host", "localhost");
- uint16_t port = (st == UNIX_DOMAIN_SOCKET) ? 0 :
- atoi( lp_parm_const_string(SNUM(conn),
- "smb_traffic_analyzer", "port", "9430"));
- int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
-
- if (ret < 0) {
- return ret;
- }
-
- /* Are we already connected ? */
- for (rf_sock = sock_list; rf_sock; rf_sock = rf_sock->next) {
- if (port == rf_sock->port &&
- (strcmp(name, rf_sock->name) == 0)) {
- break;
- }
- }
-
- /* If we're connected already, just increase the
- * reference count. */
- if (rf_sock) {
- rf_sock->ref_count++;
- } else {
- /* New connection. */
- rf_sock = talloc_zero(NULL, struct refcounted_sock);
- if (rf_sock == NULL) {
- SMB_VFS_NEXT_DISCONNECT(handle);
- errno = ENOMEM;
- return -1;
- }
- rf_sock->name = talloc_strdup(rf_sock, name);
- if (rf_sock->name == NULL) {
- SMB_VFS_NEXT_DISCONNECT(handle);
- TALLOC_FREE(rf_sock);
- errno = ENOMEM;
- return -1;
- }
- rf_sock->port = port;
- rf_sock->ref_count = 1;
-
- if (st == UNIX_DOMAIN_SOCKET) {
- rf_sock->sock = smb_traffic_analyzer_connect_unix_socket(handle,
- name);
- } else {
-
- rf_sock->sock = smb_traffic_analyzer_connect_inet_socket(handle,
- name,
- port);
- }
- if (rf_sock->sock == -1) {
- SMB_VFS_NEXT_DISCONNECT(handle);
- TALLOC_FREE(rf_sock);
- return -1;
- }
- DLIST_ADD(sock_list, rf_sock);
- }
-
- /* Store the private data. */
- SMB_VFS_HANDLE_SET_DATA(handle, rf_sock, smb_traffic_analyzer_free_data,
- struct refcounted_sock, return -1);
- return 0;
-}
-
-/* VFS Functions */
-static int smb_traffic_analyzer_chdir(vfs_handle_struct *handle, \
- const char *path)
-{
- struct chdir_data s_data;
- s_data.result = SMB_VFS_NEXT_CHDIR(handle, path);
- s_data.path = path;
- DEBUG(10, ("smb_traffic_analyzer_chdir: CHDIR: %s\n", path));
- smb_traffic_analyzer_send_data(handle, &s_data, vfs_id_chdir);
- return s_data.result;
-}
-
-static int smb_traffic_analyzer_rename(vfs_handle_struct *handle, \
- const struct smb_filename *smb_fname_src,
- const struct smb_filename *smb_fname_dst)
-{
- struct rename_data s_data;
- s_data.result = SMB_VFS_NEXT_RENAME(handle, smb_fname_src, \
- smb_fname_dst);
- s_data.src = smb_fname_src->base_name;
- s_data.dst = smb_fname_dst->base_name;
- DEBUG(10, ("smb_traffic_analyzer_rename: RENAME: %s / %s\n",
- smb_fname_src->base_name,
- smb_fname_dst->base_name));
- smb_traffic_analyzer_send_data(handle, &s_data, vfs_id_rename);
- return s_data.result;
-}
-
-static int smb_traffic_analyzer_rmdir(vfs_handle_struct *handle, \
- const char *path)
-{
- struct rmdir_data s_data;
- s_data.result = SMB_VFS_NEXT_RMDIR(handle, path);
- s_data.path = path;
- DEBUG(10, ("smb_traffic_analyzer_rmdir: RMDIR: %s\n", path));
- smb_traffic_analyzer_send_data(handle, &s_data, vfs_id_rmdir);
- return s_data.result;
-}
-
-static int smb_traffic_analyzer_mkdir(vfs_handle_struct *handle, \
- const char *path, mode_t mode)
-{
- struct mkdir_data s_data;
- s_data.result = SMB_VFS_NEXT_MKDIR(handle, path, mode);
- s_data.path = path;
- s_data.mode = mode;
- DEBUG(10, ("smb_traffic_analyzer_mkdir: MKDIR: %s\n", path));
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_mkdir);
- return s_data.result;
-}
-
-static ssize_t smb_traffic_analyzer_sendfile(vfs_handle_struct *handle,
- int tofd,
- files_struct *fromfsp,
- const DATA_BLOB *hdr,
- off_t offset,
- size_t n)
-{
- struct rw_data s_data;
- s_data.len = SMB_VFS_NEXT_SENDFILE(handle,
- tofd, fromfsp, hdr, offset, n);
- s_data.filename = fromfsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_sendfile: sendfile(r): %s\n",
- fsp_str_dbg(fromfsp)));
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_read);
- return s_data.len;
-}
-
-static ssize_t smb_traffic_analyzer_recvfile(vfs_handle_struct *handle,
- int fromfd,
- files_struct *tofsp,
- off_t offset,
- size_t n)
-{
- struct rw_data s_data;
- s_data.len = SMB_VFS_NEXT_RECVFILE(handle,
- fromfd, tofsp, offset, n);
- s_data.filename = tofsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_recvfile: recvfile(w): %s\n",
- fsp_str_dbg(tofsp)));
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_write);
- return s_data.len;
-}
-
-
-static ssize_t smb_traffic_analyzer_read(vfs_handle_struct *handle, \
- files_struct *fsp, void *data, size_t n)
-{
- struct rw_data s_data;
-
- s_data.len = SMB_VFS_NEXT_READ(handle, fsp, data, n);
- s_data.filename = fsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_read: READ: %s\n", fsp_str_dbg(fsp)));
-
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_read);
- return s_data.len;
-}
-
-
-static ssize_t smb_traffic_analyzer_pread(vfs_handle_struct *handle, \
- files_struct *fsp, void *data, size_t n, off_t offset)
-{
- struct rw_data s_data;
-
- s_data.len = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
- s_data.filename = fsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_pread: PREAD: %s\n",
- fsp_str_dbg(fsp)));
-
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_pread);
-
- return s_data.len;
-}
-
-static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle, \
- files_struct *fsp, const void *data, size_t n)
-{
- struct rw_data s_data;
-
- s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
- s_data.filename = fsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %s\n",
- fsp_str_dbg(fsp)));
-
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_write);
- return s_data.len;
-}
-
-static ssize_t smb_traffic_analyzer_pwrite(vfs_handle_struct *handle, \
- files_struct *fsp, const void *data, size_t n, off_t offset)
-{
- struct rw_data s_data;
-
- s_data.len = SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
- s_data.filename = fsp->fsp_name->base_name;
- DEBUG(10, ("smb_traffic_analyzer_pwrite: PWRITE: %s\n", \
- fsp_str_dbg(fsp)));
-
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_pwrite);
- return s_data.len;
-}
-
-static int smb_traffic_analyzer_open(vfs_handle_struct *handle, \
- struct smb_filename *smb_fname, files_struct *fsp,\
- int flags, mode_t mode)
-{
- struct open_data s_data;
-
- s_data.result = SMB_VFS_NEXT_OPEN( handle, smb_fname, fsp,
- flags, mode);
- DEBUG(10,("smb_traffic_analyzer_open: OPEN: %s\n",
- fsp_str_dbg(fsp)));
- s_data.filename = fsp->fsp_name->base_name;
- s_data.mode = mode;
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_open);
- return s_data.result;
-}
-
-static int smb_traffic_analyzer_close(vfs_handle_struct *handle, \
- files_struct *fsp)
-{
- struct close_data s_data;
- s_data.result = SMB_VFS_NEXT_CLOSE(handle, fsp);
- DEBUG(10,("smb_traffic_analyzer_close: CLOSE: %s\n",
- fsp_str_dbg(fsp)));
- s_data.filename = fsp->fsp_name->base_name;
- smb_traffic_analyzer_send_data(handle,
- &s_data,
- vfs_id_close);
- return s_data.result;
-}
-
-
-static struct vfs_fn_pointers vfs_smb_traffic_analyzer_fns = {
- .connect_fn = smb_traffic_analyzer_connect,
- .read_fn = smb_traffic_analyzer_read,
- .pread_fn = smb_traffic_analyzer_pread,
- .write_fn = smb_traffic_analyzer_write,
- .pwrite_fn = smb_traffic_analyzer_pwrite,
- .mkdir_fn = smb_traffic_analyzer_mkdir,
- .rename_fn = smb_traffic_analyzer_rename,
- .chdir_fn = smb_traffic_analyzer_chdir,
- .open_fn = smb_traffic_analyzer_open,
- .rmdir_fn = smb_traffic_analyzer_rmdir,
- .close_fn = smb_traffic_analyzer_close,
- .sendfile_fn = smb_traffic_analyzer_sendfile,
- .recvfile_fn = smb_traffic_analyzer_recvfile
-};
-
-/* Module initialization */
-static_decl_vfs;
-NTSTATUS vfs_smb_traffic_analyzer_init(void)
-{
- NTSTATUS ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION,
- "smb_traffic_analyzer",
- &vfs_smb_traffic_analyzer_fns);
-
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
-
- vfs_smb_traffic_analyzer_debug_level =
- debug_add_class("smb_traffic_analyzer");
-
- if (vfs_smb_traffic_analyzer_debug_level == -1) {
- vfs_smb_traffic_analyzer_debug_level = DBGC_VFS;
- DEBUG(1, ("smb_traffic_analyzer_init: Couldn't register custom"
- "debugging class!\n"));
- } else {
- DEBUG(3, ("smb_traffic_analyzer_init: Debug class number of"
- "'smb_traffic_analyzer': %d\n", \
- vfs_smb_traffic_analyzer_debug_level));
- }
-
- return ret;
-}
diff --git a/source3/modules/vfs_smb_traffic_analyzer.h b/source3/modules/vfs_smb_traffic_analyzer.h
deleted file mode 100644
index 817ffd83d12..00000000000
--- a/source3/modules/vfs_smb_traffic_analyzer.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * traffic-analyzer VFS module. Measure the smb traffic users create
- * on the net.
- *
- * Copyright (C) Holger Hetterich, 2008
- * Copyright (C) Jeremy Allison, 2008
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-/**
- * Protocol version 2.0 description
- *
- * The following table shows the exact assembly of the 2.0 protocol.
- *
- * -->Header<--
- * The protocol header is always send first, and contains various
- * information about the data block to come.
- * The header is always of fixed length, and will be send unencrypted.
- *
- * Byte Number/Bytes Description
- * 00-02 Contains always the string "V2."
- * 03 This byte contains a possible subrelease number of the
- * protocol. This enables the receiver to make a version
- * check to ensure the compatibility and allows us to
- * release 2.x versions of the protocol with bugfixes or
- * enhancements.
- * 04 This byte is reserved for possible future extensions.
- * 05 Usually, this byte contains the character '0'. If the
- * VFS module is configured for encryption of the data,
- * this byte is set to 'E'.
- * 06-09 These bytes contain the character '0' by default, and
- * are reserved for possible future extensions. They have
- * no function in 2.0.
- * 10-27 17 bytes containing a string representation of the
- * number of bytes to come in the following data block.
- * It is right aligned and filled from the left with '0'.
- *
- * -->Data Block<--
- * The data block is send immediately after the header was send. It's length
- * is exactly what was given in bytes 11-28 from in the header.
- *
- * The data block may be send encrypted.
- *
- * To make the data block easy for the receiver to read, it is divided into
- * several sub-blocks, each with it's own header of four byte length. In each
- * of the sub-headers, a string representation of the length of this block is
- * to be found.
- *
- * Thus the formal structure is very simple:
- *
- * [HEADER]data[HEADER]data[HEADER]data[END]
- *
- * whereas [END] is exactly at the position given in bytes 11-28 of the
- * header.
- *
- * Some data the VFS module is capturing is of use for any VFS operation.
- * Therefore, there is a "common set" of data, that will be send with any
- * data block. The following provides a list of this data.
- * - the VFS function identifier (see VFS function ifentifier table below).
- * - a timestamp to the millisecond.
- * - the username (as text) who runs the VFS operation.
- * - the SID of the user who run the VFS operation.
- * - the domain under which the VFS operation has happened.
- *
- */
-
-/* Protocol subrelease number */
-#define SMBTA_SUBRELEASE '0'
-
-/*
- * Every data block sends a number of blocks sending common data
- * we send the number of "common data blocks" to come very first
- * so that if the receiver is using an older version of the protocol
- * it knows which blocks it can ignore.
- */
-#define SMBTA_COMMON_DATA_COUNT "00017"
-
-/*
- * VFS Functions identifier table. In protocol version 2, every vfs
- * function is given a unique id.
- */
-enum vfs_id {
- /*
- * care for the order here, required for compatibility
- * with protocol version 1.
- */
- vfs_id_read,
- vfs_id_pread,
- vfs_id_write,
- vfs_id_pwrite,
- /* end of protocol version 1 identifiers. */
- vfs_id_mkdir,
- vfs_id_rmdir,
- vfs_id_rename,
- vfs_id_chdir,
- vfs_id_open,
- vfs_id_close
-};
-
-
-
-/*
- * Specific data sets for the VFS functions.
- * A compatible receiver has to have the exact same dataset.
- */
-struct open_data {
- const char *filename;
- mode_t mode;
- int result;
-};
-
-struct close_data {
- const char *filename;
- int result;
-};
-
-struct mkdir_data {
- const char *path;
- mode_t mode;
- int result;
-};
-
-struct rmdir_data {
- const char *path;
- int result;
-};
-
-struct rename_data {
- const char *src;
- const char *dst;
- int result;
-};
-
-struct chdir_data {
- const char *path;
- int result;
-};
-
-/* rw_data used for read/write/pread/pwrite */
-struct rw_data {
- char *filename;
- size_t len;
-};
-
-
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index be1de50beca..635b780cb9f 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -369,14 +369,6 @@ bld.SAMBA3_MODULE('vfs_acl_tdb',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_acl_tdb'),
enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_acl_tdb'))
-bld.SAMBA3_MODULE('vfs_smb_traffic_analyzer',
- subsystem='vfs',
- source='vfs_smb_traffic_analyzer.c',
- deps='samba-util',
- init_function='',
- internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_smb_traffic_analyzer'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_smb_traffic_analyzer'))
-
bld.SAMBA3_MODULE('vfs_dirsort',
subsystem='vfs',
source='vfs_dirsort.c',
diff --git a/source3/utils/smbta-util.c b/source3/utils/smbta-util.c
deleted file mode 100644
index 7cc0a6ec9d3..00000000000
--- a/source3/utils/smbta-util.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- smbta-util: tool for controlling encryption with
- vfs_smb_traffic_analyzer
- Copyright (C) 2010 Holger Hetterich <hhetter@novell.com>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>. */
-
-#include "includes.h"
-#include "secrets.h"
-
-static void delete_key(void);
-
-
-static void help(void)
-{
-printf("-h print this help message.\n");
-printf("-f <file> install the key from a file and activate\n");
-printf(" encryption.\n");
-printf("-g <file> generate a key, save it to a file, and activate encryption.\n");
-printf("-u uninstall a key, and deactivate encryption.\n");
-printf("-c <file> create a file from an installed key.\n");
-printf("-s check if a key is installed, and print the key to stdout.\n");
-printf("\n");
-}
-
-static void check_key(void)
-{ size_t size;
- char *akey;
- if (!secrets_init()) {
- printf("Error opening secrets database.");
- exit(1);
- }
- akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size);
- if (akey != NULL) {
- printf("A key is installed: %s\n",akey);
- printf("Encryption activated.\n");
- free(akey);
- exit(0);
- } else printf("No key is installed.\n");
- exit(1);
-}
-
-static void create_keyfile(char *filename, char *key)
-{
- FILE *keyfile;
- keyfile = fopen(filename, "w");
- if (keyfile == NULL) {
- printf("error creating the keyfile!\n");
- exit(1);
- }
- fprintf(keyfile, "%s", key);
- fclose(keyfile);
- printf("File '%s' has been created.\n", filename);
-}
-
-/**
- * Load a key from a file. The caller has to free the
- * returned string.
- */
-static void load_key_from_file(char *filename, char *key)
-{
- FILE *keyfile;
- int l;
- keyfile = fopen(filename, "r");
- if (keyfile == NULL) {
- printf("Error opening the keyfile!\n");
- exit(1);
- }
- l = fscanf(keyfile, "%s", key);
- if (l != 1 || strlen(key) != 16) {
- printf("Key file in wrong format\n");
- fclose(keyfile);
- exit(1);
- }
- fclose(keyfile);
-}
-
-static void create_file_from_key(char *filename)
-{
- size_t size;
- char *akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size);
- if (akey == NULL) {
- printf("No key is installed! Can't create file.\n");
- exit(1);
- }
- create_keyfile(filename, akey);
- free(akey);
-}
-
-/**
- * Generate a random key. The user has to free the returned
- * string.
- */
-static void generate_key(char *key)
-{
- int f;
- srand( (unsigned)time( NULL ) );
- for ( f = 0; f < 16; f++) {
- *(key+f) = (rand() % 128) +32;
- }
- *(key+16)='\0';
- printf("Random key generated.\n");
-}
-
-static void create_new_key_and_activate( char *filename )
-{
- char key[17] = {0};
-
- if (!secrets_init()) {
- printf("Error opening secrets database.");
- exit(1);
- }
-
- generate_key(key);
- delete_key();
- secrets_store("smb_traffic_analyzer_key", key, strlen(key)+1 );
- printf("Key installed, encryption activated.\n");
- create_file_from_key(filename);
-}
-
-static void delete_key(void)
-{
- size_t size;
- char *akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size);
- if (akey != NULL) {
- free(akey);
- secrets_delete("smb_traffic_analyzer_key");
- printf("Removed installed key. Encryption deactivated.\n");
- } else {
- printf("No key is installed.\n");
- }
-}
-
-
-static void load_key_from_file_and_activate( char *filename)
-{
- char key[17] = {0};
- char *akey;
- size_t size;
- load_key_from_file(filename, key);
- printf("Loaded key from %s.\n",filename);
- akey = (char *) secrets_fetch("smb_traffic_analyzer_key", &size);
- if (akey != NULL) {
- printf("Removing the old key.\n");
- delete_key();
- SAFE_FREE(akey);
- }
- printf("Installing the key from file %s\n",filename);
- secrets_store("smb_traffic_analyzer_key", key, strlen(key)+1);
-}
-
-static void process_arguments(int argc, char **argv)
-{
- char co;
- while ((co = getopt(argc, argv, "hf:g:uc:s")) != EOF) {
- switch(co) {
- case 'h':
- help();
- exit(0);
- case 's':
- check_key();
- break;
- case 'g':
- create_new_key_and_activate(optarg);
- break;
- case 'u':
- delete_key();
- break;
- case 'c':
- create_file_from_key(optarg);
- break;
- case 'f':
- load_key_from_file_and_activate(optarg);
- break;
- default:
- help();
- break;
- }
- }
-}
-
-int main(int argc, char **argv)
-{
- sec_init();
- smb_init_locale();
-
- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
- fprintf(stderr, "Can't load %s - run testparm to debug it\n",
- get_dyn_CONFIGFILE());
- exit(1);
- }
-
- if (argc == 1) {
- help();
- exit(1);
- }
-
- process_arguments(argc, argv);
- exit(0);
-}
diff --git a/source3/wscript b/source3/wscript
index 2f2c1db8769..82cb8582bd9 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1596,7 +1596,7 @@ main() {
vfs_expand_msdfs vfs_shadow_copy vfs_shadow_copy2
vfs_readahead vfs_xattr_tdb vfs_posix_eadb
vfs_streams_xattr vfs_streams_depot vfs_acl_xattr vfs_acl_tdb
- vfs_smb_traffic_analyzer vfs_preopen vfs_catia
+ vfs_preopen vfs_catia
vfs_media_harmony vfs_unityed_media vfs_fruit vfs_shell_snap
vfs_commit vfs_worm vfs_crossrename vfs_linux_xfs_sgid
vfs_time_audit vfs_offline
diff --git a/source3/wscript_build b/source3/wscript_build
index e28fe303f0b..4c6390e7d53 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1187,13 +1187,6 @@ bld.SAMBA3_BINARY('testparm',
param
popt_samba3''')
-bld.SAMBA3_BINARY('smbta-util',
- source='utils/smbta-util.c',
- deps='''
- talloc
- secrets3
- param''')
-
smbstatus_source = 'utils/status.c smbd/notify_msg.c'
if bld.CONFIG_GET("WITH_PROFILE"):