return True;
}
-static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response)
-{
- uint8 zero_sig[8];
- ZERO_STRUCT(zero_sig);
-
- DEBUG(5, ("Server returned security sig:\n"));
- dump_data(5, &cli->inbuf[smb_ss_field], 8);
-
- if (cli->sign_info.use_smb_signing) {
- DEBUG(5, ("smb signing already active on connection\n"));
- } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
-
- DEBUG(3, ("smb signing enabled!\n"));
- cli->sign_info.use_smb_signing = True;
- cli_calculate_mac_key(cli, user_session_key, response);
- } else {
- DEBUG(5, ("smb signing NOT enabled!\n"));
- }
-}
-
static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
{
memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
}
-
-static void set_temp_signing_on_cli(struct cli_state *cli)
-{
- if (cli->sign_info.negotiated_smb_signing)
- cli->sign_info.temp_smb_signing = True;
-}
-
-
/****************************************************************************
do a NT1 NTLM/LM encrypted session setup
@param cli client state to create do session setup on
session_key = data_blob(NULL, 16);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
}
-
- set_temp_signing_on_cli(cli);
+ cli_simple_set_signing(cli, session_key.data, nt_response);
} else {
/* pre-encrypted password supplied. Only used for
security=server, can't do
if (session_key.data) {
/* Have plaintext orginal */
set_cli_session_key(cli, session_key);
- set_signing_on_cli(cli, session_key.data, nt_response);
}
+ ret = True;
end:
data_blob_free(&lm_response);
data_blob_free(&nt_response);
data_blob_free(&session_key);
- return True;
+ return ret;
}
/****************************************************************************
set_message(cli->outbuf,12,0,True);
SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
- set_temp_signing_on_cli(cli);
-
cli_setup_packet(cli);
SCVAL(cli->outbuf,smb_vwv0,0xFF);
int numprots;
int plength;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
if (cli->protocol < PROTOCOL_NT1)
cli->use_spnego = False;
if (cli->port == 445)
return True;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
/* send a session request (RFC 1002) */
/* setup the packet length
* Remove four bytes from the length count, since the length
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ SMB Signing Code
+ Copyright (C) Jeremy Allison 2002.
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+struct smb_basic_signing_context {
+ DATA_BLOB mac_key;
+ uint32 send_seq_num;
+ uint32 reply_seq_num;
+};
+
+/***********************************************************
+ SMB signing - Common code before we set a new signing implementation
+************************************************************/
+
+static BOOL set_smb_signing_common(struct cli_state *cli)
+{
+ if (cli->sign_info.doing_signing) {
+ return False;
+ }
+
+ if (cli->sign_info.free_signing_context)
+ cli->sign_info.free_signing_context(cli);
+
+ /* These calls are INCONPATIBLE with SMB signing */
+ cli->readbraw_supported = False;
+ cli->writebraw_supported = False;
+
+ return True;
+}
+
+/***********************************************************
+ SMB signing - Common code for 'real' implementations
+************************************************************/
+
+static BOOL set_smb_signing_real_common(struct cli_state *cli)
+{
+ if (cli->sign_info.mandetory_signing) {
+ DEBUG(5, ("Mandetory SMB signing enabled!\n"));
+ cli->sign_info.doing_signing = True;
+ }
+
+ DEBUG(5, ("SMB signing enabled!\n"));
+
+ return True;
+}
+
+static void mark_packet_signed(struct cli_state *cli)
+{
+ uint16 flags2;
+ flags2 = SVAL(cli->outbuf,smb_flg2);
+ flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
+ SSVAL(cli->outbuf,smb_flg2, flags2);
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_simple_sign_outgoing_message(struct cli_state *cli)
+{
+ unsigned char calc_md5_mac[16];
+ struct MD5Context md5_ctx;
+ struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+ /*
+ * Firstly put the sequence number into the first 4 bytes.
+ * and zero out the next 4 bytes.
+ */
+ SIVAL(cli->outbuf, smb_ss_field,
+ data->send_seq_num);
+ SIVAL(cli->outbuf, smb_ss_field + 4, 0);
+
+ /* mark the packet as signed - BEFORE we sign it...*/
+ mark_packet_signed(cli);
+
+ /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+ MD5Init(&md5_ctx);
+ MD5Update(&md5_ctx, data->mac_key.data,
+ data->mac_key.length);
+ MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
+ MD5Final(calc_md5_mac, &md5_ctx);
+
+ DEBUG(10, ("sent SMB signiture of\n"));
+ dump_data(10, calc_md5_mac, 8);
+
+ memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
+
+/* cli->outbuf[smb_ss_field+2]=0;
+ Uncomment this to test if the remote server actually verifies signitures...*/
+ data->send_seq_num++;
+ data->reply_seq_num = data->send_seq_num;
+ data->send_seq_num++;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_simple_check_incoming_message(struct cli_state *cli)
+{
+ BOOL good;
+ unsigned char calc_md5_mac[16];
+ unsigned char server_sent_mac[8];
+ struct MD5Context md5_ctx;
+ struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+ /*
+ * Firstly put the sequence number into the first 4 bytes.
+ * and zero out the next 4 bytes.
+ */
+
+ memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
+
+ DEBUG(10, ("got SMB signiture of\n"));
+ dump_data(10, server_sent_mac, 8);
+
+ SIVAL(cli->inbuf, smb_ss_field, data->reply_seq_num);
+ SIVAL(cli->inbuf, smb_ss_field + 4, 0);
+
+ /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+ MD5Init(&md5_ctx);
+ MD5Update(&md5_ctx, data->mac_key.data,
+ data->mac_key.length);
+ MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
+ MD5Final(calc_md5_mac, &md5_ctx);
+
+ good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+
+ if (good && !cli->sign_info.doing_signing) {
+ cli->sign_info.doing_signing = True;
+ }
+
+ if (!good) {
+ DEBUG(1, ("SMB signiture check failed!\n"));
+ }
+
+ return good;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - free signing context
+************************************************************/
+
+static void cli_simple_free_signing_context(struct cli_state *cli)
+{
+ struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+ data_blob_free(&data->mac_key);
+ SAFE_FREE(cli->sign_info.signing_context);
+
+ return;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - setup the MAC key.
+************************************************************/
+
+void cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
+{
+ struct smb_basic_signing_context *data;
+
+ if (!set_smb_signing_common(cli)) {
+ return;
+ }
+
+ if (!set_smb_signing_real_common(cli)) {
+ return;
+ }
+
+ data = smb_xmalloc(sizeof(*data));
+ cli->sign_info.signing_context = data;
+
+ data->mac_key = data_blob(NULL, MIN(response.length + 16, 40));
+
+ memcpy(&data->mac_key.data[0], user_session_key, 16);
+ memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16));
+
+ /* Initialise the sequence number */
+ data->send_seq_num = 0;
+
+ cli->sign_info.sign_outgoing_message = cli_simple_sign_outgoing_message;
+ cli->sign_info.check_incoming_message = cli_simple_check_incoming_message;
+ cli->sign_info.free_signing_context = cli_simple_free_signing_context;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_null_sign_outgoing_message(struct cli_state *cli)
+{
+ static uchar zeros[8];
+ memcpy(&cli->outbuf[smb_ss_field], zeros, sizeof(zeros));
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_null_check_incoming_message(struct cli_state *cli)
+{
+ return True;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - free signing context
+************************************************************/
+
+static void cli_null_free_signing_context(struct cli_state *cli)
+{
+ return;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - setup the MAC key.
+************************************************************/
+
+void cli_null_set_signing(struct cli_state *cli)
+{
+ struct smb_basic_sign_data *data;
+
+ if (!set_smb_signing_common(cli)) {
+ return;
+ }
+
+ cli->sign_info.signing_context = NULL;
+
+ cli->sign_info.sign_outgoing_message = cli_null_sign_outgoing_message;
+ cli->sign_info.check_incoming_message = cli_null_check_incoming_message;
+ cli->sign_info.free_signing_context = cli_null_free_signing_context;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_temp_sign_outgoing_message(struct cli_state *cli)
+{
+ memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
+ return;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_temp_check_incoming_message(struct cli_state *cli)
+{
+ return True;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - free signing context
+************************************************************/
+
+static void cli_temp_free_signing_context(struct cli_state *cli)
+{
+ return;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - setup the MAC key.
+************************************************************/
+
+void cli_temp_set_signing(struct cli_state *cli)
+{
+ if (!set_smb_signing_common(cli)) {
+ return;
+ }
+
+ cli->sign_info.signing_context = NULL;
+
+ cli->sign_info.sign_outgoing_message = cli_temp_sign_outgoing_message;
+ cli->sign_info.check_incoming_message = cli_temp_check_incoming_message;
+ cli->sign_info.free_signing_context = cli_temp_free_signing_context;
+}
+
+/**
+ * Free the singing context
+ */
+
+void cli_free_signing_context(struct cli_state *cli)
+{
+ if (cli->sign_info.free_signing_context)
+ cli->sign_info.free_signing_context(cli);
+
+ cli_null_set_signing(cli);
+}
+
+void cli_caclulate_sign_mac(struct cli_state *cli)
+{
+ cli->sign_info.sign_outgoing_message(cli);
+}
+
+BOOL cli_check_sign_mac(struct cli_state *cli)
+{
+ BOOL good;
+ good = cli->sign_info.check_incoming_message(cli);
+
+ if (!good) {
+ if (cli->sign_info.doing_signing) {
+ return False;
+ } else {
+ cli_free_signing_context(cli);
+ }
+ }
+
+ return True;
+}
+
#endif
}
-DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
+static DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
DATA_BLOB server_chal, size_t client_chal_length)
{
uchar ntlmv2_response[16];
return True;
}
-
-/***********************************************************
- SMB signing - setup the MAC key.
-************************************************************/
-
-void cli_calculate_mac_key(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
-{
-
- memcpy(&cli->sign_info.mac_key[0], user_session_key, 16);
- memcpy(&cli->sign_info.mac_key[16],response.data, MIN(response.length, 40 - 16));
- cli->sign_info.mac_key_len = MIN(response.length + 16, 40);
- cli->sign_info.use_smb_signing = True;
-
- /* These calls are INCONPATIBLE with SMB signing */
- cli->readbraw_supported = False;
- cli->writebraw_supported = False;
-
- /* Reset the sequence number in case we had a previous (aborted) attempt */
- cli->sign_info.send_seq_num = 2;
-}
-
-/***********************************************************
- SMB signing - calculate a MAC to send.
-************************************************************/
-
-void cli_caclulate_sign_mac(struct cli_state *cli)
-{
- unsigned char calc_md5_mac[16];
- struct MD5Context md5_ctx;
-
- if (cli->sign_info.temp_smb_signing) {
- memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
- cli->sign_info.temp_smb_signing = False;
- return;
- }
-
- if (!cli->sign_info.use_smb_signing) {
- return;
- }
-
- /*
- * Firstly put the sequence number into the first 4 bytes.
- * and zero out the next 4 bytes.
- */
- SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num);
- SIVAL(cli->outbuf, smb_ss_field + 4, 0);
-
- /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
- MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
- MD5Final(calc_md5_mac, &md5_ctx);
-
- memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
-
-/* cli->outbuf[smb_ss_field+2]=0;
- Uncomment this to test if the remote server actually verifies signitures...*/
- cli->sign_info.send_seq_num++;
- cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num;
- cli->sign_info.send_seq_num++;
-}
-
-/***********************************************************
- SMB signing - check a MAC sent by server.
-************************************************************/
-
-BOOL cli_check_sign_mac(struct cli_state *cli)
-{
- unsigned char calc_md5_mac[16];
- unsigned char server_sent_mac[8];
- struct MD5Context md5_ctx;
-
- if (cli->sign_info.temp_smb_signing) {
- return True;
- }
-
- if (!cli->sign_info.use_smb_signing) {
- return True;
- }
-
- /*
- * Firstly put the sequence number into the first 4 bytes.
- * and zero out the next 4 bytes.
- */
-
- memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
-
- SIVAL(cli->inbuf, smb_ss_field, cli->sign_info.reply_seq_num);
- SIVAL(cli->inbuf, smb_ss_field + 4, 0);
-
- /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
- MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
- MD5Final(calc_md5_mac, &md5_ctx);
-
- return (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-}