};
typedef struct smb_sign_info {
- BOOL use_smb_signing;
+ void (*sign_outgoing_message)(struct cli_state *cli);
+ BOOL (*check_incoming_message)(struct cli_state *cli);
+ void (*free_signing_context)(struct cli_state *cli);
+ void *signing_context;
+
BOOL negotiated_smb_signing;
- BOOL temp_smb_signing;
- size_t mac_key_len;
- uint8 mac_key[64];
- uint32 send_seq_num;
- uint32 reply_seq_num;
BOOL allow_smb_signing;
+ BOOL doing_signing;
+ BOOL mandetory_signing;
} smb_sign_info;
struct cli_state {
DATA_BLOB session_key;
uint32 neg_flags;
+
+ /* SMB Signing */
+
+ uint32 ntlmssp_seq_num;
+
+ /* ntlmv2 */
+ char cli_sign_const[16];
+ char cli_seal_const[16];
+ char srv_sign_const[16];
+ char srv_seal_const[16];
+
+ unsigned char cli_sign_hash[258];
+ unsigned char cli_seal_hash[258];
+ unsigned char srv_sign_hash[258];
+ unsigned char srv_seal_hash[258];
+
+ /* ntlmv1 */
+ unsigned char ntlmssp_hash[258];
} NTLMSSP_CLIENT_STATE;
return True;
}
-static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response)
-{
- uint8 zero_sig[8];
- ZERO_STRUCT(zero_sig);
-
- DEBUG(5, ("Server returned security sig:\n"));
- dump_data(5, &cli->inbuf[smb_ss_field], 8);
-
- if (cli->sign_info.use_smb_signing) {
- DEBUG(5, ("smb signing already active on connection\n"));
- } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
-
- DEBUG(3, ("smb signing enabled!\n"));
- cli->sign_info.use_smb_signing = True;
- cli_calculate_mac_key(cli, user_session_key, response);
- } else {
- DEBUG(5, ("smb signing NOT enabled!\n"));
- }
-}
-
static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
{
memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
}
-
-static void set_temp_signing_on_cli(struct cli_state *cli)
-{
- if (cli->sign_info.negotiated_smb_signing)
- cli->sign_info.temp_smb_signing = True;
-}
-
-
/****************************************************************************
do a NT1 NTLM/LM encrypted session setup
@param cli client state to create do session setup on
session_key = data_blob(NULL, 16);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
}
-
- set_temp_signing_on_cli(cli);
+ cli_simple_set_signing(cli, session_key.data, nt_response);
} else {
/* pre-encrypted password supplied. Only used for
security=server, can't do
if (session_key.data) {
/* Have plaintext orginal */
set_cli_session_key(cli, session_key);
- set_signing_on_cli(cli, session_key.data, nt_response);
}
+ ret = True;
end:
data_blob_free(&lm_response);
data_blob_free(&nt_response);
data_blob_free(&session_key);
- return True;
+ return ret;
}
/****************************************************************************
- Send a extended security session setup blob, returning a reply blob.
+ Send a extended security session setup blob
****************************************************************************/
-static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
{
uint32 capabilities = cli_session_setup_capabilities(cli);
char *p;
- DATA_BLOB blob2 = data_blob(NULL, 0);
- uint32 len;
capabilities |= CAP_EXTENDED_SECURITY;
set_message(cli->outbuf,12,0,True);
SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
- set_temp_signing_on_cli(cli);
-
cli_setup_packet(cli);
SCVAL(cli->outbuf,smb_vwv0,0xFF);
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
cli_setup_bcc(cli, p);
- cli_send_smb(cli);
+ return cli_send_smb(cli);
+}
+
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
+{
+ DATA_BLOB blob2 = data_blob(NULL, 0);
+ char *p;
+ size_t len;
if (!cli_receive_smb(cli))
return blob2;
return blob2;
}
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+{
+ DATA_BLOB blob2 = data_blob(NULL, 0);
+ if (!cli_session_setup_blob_send(cli, blob)) {
+ return blob2;
+ }
+
+ return cli_session_setup_blob_receive(cli);
+}
+
#ifdef HAVE_KRB5
/****************************************************************************
Use in-memory credentials cache
DATA_BLOB blob_in = data_blob(NULL, 0);
DATA_BLOB blob_out;
+ cli_temp_set_signing(cli);
+
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
return False;
}
}
/* now send that blob on its way */
- blob = cli_session_setup_blob(cli, msg1);
+ if (!cli_session_setup_blob_send(cli, msg1)) {
+ return False;
+ }
data_blob_free(&msg1);
+
+ cli_ntlmssp_set_signing(cli, ntlmssp_state);
+
+ blob = cli_session_setup_blob_receive(cli);
+
nt_status = cli_nt_error(cli);
}
set_cli_session_key(cli, ntlmssp_state->session_key);
}
+ /* we have a reference conter on ntlmssp_state, if we are signing
+ then the state will be kept by the signing engine */
+
if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
return False;
}
int numprots;
int plength;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
if (cli->protocol < PROTOCOL_NT1)
cli->use_spnego = False;
if (cli->port == 445)
return True;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
/* send a session request (RFC 1002) */
/* setup the packet length
* Remove four bytes from the length count, since the length
flags2 |= FLAGS2_32_BIT_ERROR_CODES;
if (cli->use_spnego)
flags2 |= FLAGS2_EXTENDED_SECURITY;
- if (cli->sign_info.use_smb_signing
- || cli->sign_info.temp_smb_signing)
- flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
SSVAL(cli->outbuf,smb_flg2, flags2);
}
}
void cli_init_creds(struct cli_state *cli, const struct ntuser_creds *usr)
{
/* copy_nt_creds(&cli->usr, usr); */
- safe_strcpy(cli->domain , usr->domain , sizeof(usr->domain )-1);
- safe_strcpy(cli->user_name, usr->user_name, sizeof(usr->user_name)-1);
+ fstrcpy(cli->domain , usr->domain);
+ fstrcpy(cli->user_name, usr->user_name);
memcpy(&cli->pwd, &usr->pwd, sizeof(usr->pwd));
cli->ntlmssp_flags = usr->ntlmssp_flags;
cli->ntlmssp_cli_flgs = usr != NULL ? usr->ntlmssp_flags : 0;
if (getenv("CLI_FORCE_DOSERR"))
cli->force_dos_errors = True;
+ /* initialise signing */
+ cli_null_set_signing(cli);
+
if (lp_client_signing())
cli->sign_info.allow_smb_signing = True;
SAFE_FREE(cli->outbuf);
SAFE_FREE(cli->inbuf);
+ cli_free_signing_context(cli);
data_blob_free(&cli->secblob);
if (cli->mem_ctx) {
close(cli->fd);
cli->fd = -1;
cli->smb_rw_error = 0;
+
}
/****************************************************************************
#endif
}
-DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
+static DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
DATA_BLOB server_chal, size_t client_chal_length)
{
uchar ntlmv2_response[16];
return True;
}
-
-/***********************************************************
- SMB signing - setup the MAC key.
-************************************************************/
-
-void cli_calculate_mac_key(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
-{
-
- memcpy(&cli->sign_info.mac_key[0], user_session_key, 16);
- memcpy(&cli->sign_info.mac_key[16],response.data, MIN(response.length, 40 - 16));
- cli->sign_info.mac_key_len = MIN(response.length + 16, 40);
- cli->sign_info.use_smb_signing = True;
-
- /* These calls are INCONPATIBLE with SMB signing */
- cli->readbraw_supported = False;
- cli->writebraw_supported = False;
-
- /* Reset the sequence number in case we had a previous (aborted) attempt */
- cli->sign_info.send_seq_num = 2;
-}
-
-/***********************************************************
- SMB signing - calculate a MAC to send.
-************************************************************/
-
-void cli_caclulate_sign_mac(struct cli_state *cli)
-{
- unsigned char calc_md5_mac[16];
- struct MD5Context md5_ctx;
-
- if (cli->sign_info.temp_smb_signing) {
- memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
- cli->sign_info.temp_smb_signing = False;
- return;
- }
-
- if (!cli->sign_info.use_smb_signing) {
- return;
- }
-
- /*
- * Firstly put the sequence number into the first 4 bytes.
- * and zero out the next 4 bytes.
- */
- SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num);
- SIVAL(cli->outbuf, smb_ss_field + 4, 0);
-
- /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
- MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
- MD5Final(calc_md5_mac, &md5_ctx);
-
- memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
-
-/* cli->outbuf[smb_ss_field+2]=0;
- Uncomment this to test if the remote server actually verifies signitures...*/
- cli->sign_info.send_seq_num++;
- cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num;
- cli->sign_info.send_seq_num++;
-}
-
-/***********************************************************
- SMB signing - check a MAC sent by server.
-************************************************************/
-
-BOOL cli_check_sign_mac(struct cli_state *cli)
-{
- unsigned char calc_md5_mac[16];
- unsigned char server_sent_mac[8];
- struct MD5Context md5_ctx;
-
- if (cli->sign_info.temp_smb_signing) {
- return True;
- }
-
- if (!cli->sign_info.use_smb_signing) {
- return True;
- }
-
- /*
- * Firstly put the sequence number into the first 4 bytes.
- * and zero out the next 4 bytes.
- */
-
- memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
-
- SIVAL(cli->inbuf, smb_ss_field, cli->sign_info.reply_seq_num);
- SIVAL(cli->inbuf, smb_ss_field + 4, 0);
-
- /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
- MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
- MD5Final(calc_md5_mac, &md5_ctx);
-
- return (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-}
git.samba.org / samba.git / commitdiff