s3:libsmb: handle the smb signing states the same in the krb5 and ntlmssp cases

[samba.git] / source / libsmb / cliconnect.c

diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 69f84aa60ec546316ec2eaa23e021917cccd53da..5f74076a686fc44f535d025e73f3a01443d9a5e7 100644 (file)
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -536,7 +536,7 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
 
 #define BASE_SESSSETUP_BLOB_PACKET_SIZE (35 + 24 + 22)
 
-static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5)
+static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 {
        int32 remaining = blob.length;
        int32 cur = 0;
@@ -560,13 +560,8 @@ static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B
                        send_blob.length = max_blob_size;
                        remaining -= max_blob_size;
                } else {
-                       DATA_BLOB null_blob = data_blob_null;
-
                        send_blob.length = remaining; 
                         remaining = 0;
-
-                       /* This is the last packet in the sequence - turn signing on. */
-                       cli_simple_set_signing(cli, session_key_krb5, null_blob); 
                }
 
                send_blob.data =  &blob.data[cur];
@@ -614,8 +609,11 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
 {
        DATA_BLOB negTokenTarg;
        DATA_BLOB session_key_krb5;
+       NTSTATUS nt_status;
        int rc;
 
+       cli_temp_set_signing(cli);
+
        DEBUG(2,("Doing kerberos session setup\n"));
 
        /* generate the encapsulated kerberos5 ticket */
@@ -631,23 +629,44 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
        file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
 #endif
 
-       if (!cli_session_setup_blob(cli, negTokenTarg, session_key_krb5)) {
-               data_blob_free(&negTokenTarg);
-               data_blob_free(&session_key_krb5);
-               return ADS_ERROR_NT(cli_nt_error(cli));
+       if (!cli_session_setup_blob(cli, negTokenTarg)) {
+               nt_status = cli_nt_error(cli);
+               goto nt_error;
+       }
+
+       if (cli_is_error(cli)) {
+               nt_status = cli_nt_error(cli);
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       nt_status = NT_STATUS_UNSUCCESSFUL;
+               }
+               goto nt_error;
        }
 
        cli_set_session_key(cli, session_key_krb5);
 
+       if (cli_simple_set_signing(
+                   cli, session_key_krb5, data_blob_null)) {
+
+               /* 'resign' the last message, so we get the right sequence numbers
+                  for checking the first reply from the server */
+               cli_calculate_sign_mac(cli, cli->outbuf);
+
+               if (!cli_check_sign_mac(cli, cli->inbuf)) {
+                       nt_status = NT_STATUS_ACCESS_DENIED;
+                       goto nt_error;
+               }
+       }
+
        data_blob_free(&negTokenTarg);
        data_blob_free(&session_key_krb5);
 
-       if (cli_is_error(cli)) {
-               if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
-                       return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
-               }
-       } 
-       return ADS_ERROR_NT(cli_nt_error(cli));
+       return ADS_ERROR_NT(NT_STATUS_OK);
+
+nt_error:
+       data_blob_free(&negTokenTarg);
+       data_blob_free(&session_key_krb5);
+       cli->vuid = 0;
+       return ADS_ERROR_NT(nt_status);
 }
 #endif /* HAVE_KRB5 */