/* Re-sign if needed. */
if (nreq->do_signing) {
NTSTATUS status;
- status = smb2_signing_sign_pdu(nreq->session->session_key,
- get_Protocol(),
- &nreq->out.vector[i], 3);
+ struct smbXsrv_session *x = nreq->session->smbXsrv;
+ struct smbXsrv_connection *conn = x->connection;
+ DATA_BLOB signing_key = x->global->channels[0].signing_key;
+
+ status = smb2_signing_sign_pdu(signing_key,
+ conn->protocol,
+ &nreq->out.vector[i], 3);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
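Review bot: The signing key is taken from `x->global->channels[0]` with a hard-coded index and no comment explaining why channel 0 is the right one for this connection; the same three-line lookup is repeated in the other `do_signing` blocks of this patch (the two `req->session` signing paths and the signature-check path). If a session can ever carry more than one channel, a response could be signed with a key that does not belong to the connection it leaves on. The assumption should be stated at the lookup, e.g. `/* only one channel per session is supported so far, so channels[0] holds this connection's signing key */`, or the lookup moved into one small helper so there is a single place to change. `nreq->session` and `x->global` are dereferenced unchecked, which presumably relies on `do_signing` only being set for a valid session; that cannot be confirmed from this hunk, and the enclosing function begins and ends outside it.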
if (req->do_signing) {
NTSTATUS status;
+ struct smbXsrv_session *x = req->session->smbXsrv;
+ struct smbXsrv_connection *conn = x->connection;
+ DATA_BLOB signing_key = x->global->channels[0].signing_key;
- status = smb2_signing_sign_pdu(req->session->session_key,
- get_Protocol(),
- &state->vector[1], 2);
+ status = smb2_signing_sign_pdu(signing_key,
+ conn->protocol,
+ &state->vector[1], 2);
if (!NT_STATUS_IS_OK(status)) {
smbd_server_connection_terminate(req->sconn,
nt_errstr(status));
NTSTATUS session_status;
uint32_t allowed_flags;
NTSTATUS return_value;
+ struct smbXsrv_session *x = NULL;
inhdr = (const uint8_t *)req->in.vector[i].iov_base;
* we defer the check of the session_status
*/
session_status = smbd_smb2_request_check_session(req);
+ if (req->session) {
+ x = req->session->smbXsrv;
+ }
req->do_signing = false;
if (flags & SMB2_HDR_FLAG_SIGNED) {
+ struct smbXsrv_connection *conn = x->connection;
+ DATA_BLOB signing_key = x->global->channels[0].signing_key;
+
if (!NT_STATUS_IS_OK(session_status)) {
return smbd_smb2_request_error(req, session_status);
}
req->do_signing = true;
- status = smb2_signing_check_pdu(req->session->session_key,
- get_Protocol(),
+ status = smb2_signing_check_pdu(signing_key,
+ conn->protocol,
&req->in.vector[i], 3);
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
} else if (opcode == SMB2_OP_CANCEL) {
/* Cancel requests are allowed to skip the signing */
- } else if (req->session && req->session->do_signing) {
+ } else if (x && x->global->signing_required) {
return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
}
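Review bot: `x` can still be NULL when the two new declarations at the top of the `SMB2_HDR_FLAG_SIGNED` branch dereference it. It is only assigned when `req->session` is set, yet `x->connection` and `x->global->channels[0].signing_key` are read before the `session_status` check that follows them. A signed request whose session lookup failed would then crash the server process instead of receiving the error reply, assuming `smbd_smb2_request_check_session()` leaves `req->session` NULL on failure (not visible here). Declare both variables without initialisers and assign them only after the check, `conn = x->connection;` and `signing_key = x->global->channels[0].signing_key;`, ideally behind an explicit `x == NULL` guard. The enclosing function starts and ends outside the hunk.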
if (req->do_signing) {
NTSTATUS status;
- status = smb2_signing_sign_pdu(req->session->session_key,
- get_Protocol(),
+ struct smbXsrv_session *x = req->session->smbXsrv;
+ struct smbXsrv_connection *conn = x->connection;
+ DATA_BLOB signing_key = x->global->channels[0].signing_key;
+
+ status = smb2_signing_sign_pdu(signing_key,
+ conn->protocol,
&req->out.vector[i], 3);
if (!NT_STATUS_IS_OK(status)) {
return status;
{
NTSTATUS status;
bool guest = false;
+ uint8_t session_key[16];
+ struct smbXsrv_session *x = session->smbXsrv;
+ struct smbXsrv_connection *conn = x->connection;
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == SMB_SIGNING_REQUIRED) {
- session->do_signing = true;
+ x->global->signing_required = true;
}
if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
- session->do_signing = false;
+ x->global->signing_required = false;
guest = true;
}
- session->session_key = session->session_info->session_key;
+ //session->session_key = session->session_info->session_key;
+
+ ZERO_STRUCT(session_key);
+ memcpy(session_key, session->session_info->session_key.data,
+ MIN(session->session_info->session_key.length, sizeof(session_key)));
+
+ x->global->signing_key = data_blob_talloc(x->global,
+ session_key,
+ sizeof(session_key));
+ if (x->global->signing_key.data == NULL) {
+ ZERO_STRUCT(session_key);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (conn->protocol >= PROTOCOL_SMB2_24) {
+#define _STRING_BLOB(x) data_blob_const((const uint8_t *)(x), sizeof(x))
+ const DATA_BLOB label = _STRING_BLOB("SMB2AESCMAC");
+ const DATA_BLOB context = _STRING_BLOB("SmbSign");
+#undef _STRING_BLOB
+
+ smb2_key_derivation(session_key, sizeof(session_key),
+ label.data, label.length,
+ context.data, context.length,
+ x->global->signing_key.data);
+ }
+
+ x->global->application_key = data_blob_dup_talloc(x->global,
+ x->global->signing_key);
+ if (x->global->application_key.data == NULL) {
+ ZERO_STRUCT(session_key);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (conn->protocol >= PROTOCOL_SMB2_24) {
+#define _STRING_BLOB(x) data_blob_const((const uint8_t *)(x), sizeof(x))
+ const DATA_BLOB label = _STRING_BLOB("SMB2APP");
+ const DATA_BLOB context = _STRING_BLOB("SmbRpc");
+#undef _STRING_BLOB
+
+ smb2_key_derivation(session_key, sizeof(session_key),
+ label.data, label.length,
+ context.data, context.length,
+ x->global->application_key.data);
+ }
+ ZERO_STRUCT(session_key);
+
+ x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels,
+ x->global->signing_key);
+ if (x->global->channels[0].signing_key.data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ data_blob_clear_free(&session->session_info->session_key);
+ session->session_info->session_key = data_blob_dup_talloc(session->session_info,
+ x->global->application_key);
+ if (session->session_info->session_key.data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {