authorStefan Metzmacher <metze@samba.org>2009-01-12 12:32:46 +0100
committerStefan Metzmacher <metze@samba.org>2009-01-12 13:22:40 +0100
commit7d9fd64f38aa5821b38c1223cf87979fc87bfb71 (patch)
treec27386d13936d5a96419b870c59b450db0bf1e14
parent6f53a487b40de03380db3562733621e209342832 (diff)
s3:libsmb: handle the smb signing states the same in the krb5 and ntlmssp cases
SMB signing works the same regardless of the authentication mechanism used. We need to start with the temp signing ("BSRSPYL ") and the session setup response with NT_STATUS_OK is the first signed packet. We now set the krb5 session key once we have received NT_STATUS_OK from the server and then recheck the packet. All this is needed to make the fallback from krb5 to ntlmssp possible. This commit also resets the cli->vuid value to 0 if the krb5 auth didn't succeed. Otherwise the server handles NTLMSSP packets as krb5 packets. The restructuring of the SMB signing code is needed to make sure the krb5 code only starts the signing engine on success. Otherwise the NTLMSSP fallback could not initialize the signing engine (again). metze
-rw-r--r--source3/libsmb/cliconnect.c51
1 files changed, 35 insertions, 16 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6ddc249c04..bf0d270bab 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -535,7 +535,7 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
#define BASE_SESSSETUP_BLOB_PACKET_SIZE (35 + 24 + 22)
-static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5)
+static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
{
int32 remaining = blob.length;
int32 cur = 0;
@@ -559,13 +559,8 @@ static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B
send_blob.length = max_blob_size;
remaining -= max_blob_size;
} else {
- DATA_BLOB null_blob = data_blob_null;
-
send_blob.length = remaining;
remaining = 0;
-
- /* This is the last packet in the sequence - turn signing on. */
- cli_simple_set_signing(cli, session_key_krb5, null_blob);
}
send_blob.data = &blob.data[cur];
@@ -613,8 +608,11 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
{
DATA_BLOB negTokenTarg;
DATA_BLOB session_key_krb5;
+ NTSTATUS nt_status;
int rc;
+ cli_temp_set_signing(cli);
+
DEBUG(2,("Doing kerberos session setup\n"));
/* generate the encapsulated kerberos5 ticket */
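Review bot: The new `cli_temp_set_signing(cli)` call has no comment saying why it must come before the ticket generation, and its result is ignored. A one-line comment would help the next reader, for example `/* start with temp signing ("BSRSPYL "); the real key is installed only after NT_STATUS_OK */`. The function body starts before and continues past this hunk, so whether the early return on a ticket failure leaves the temporary signing state in place cannot be judged from here.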
@@ -630,23 +628,44 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
#endif
- if (!cli_session_setup_blob(cli, negTokenTarg, session_key_krb5)) {
- data_blob_free(&negTokenTarg);
- data_blob_free(&session_key_krb5);
- return ADS_ERROR_NT(cli_nt_error(cli));
+ if (!cli_session_setup_blob(cli, negTokenTarg)) {
+ nt_status = cli_nt_error(cli);
+ goto nt_error;
+ }
+
+ if (cli_is_error(cli)) {
+ nt_status = cli_nt_error(cli);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ }
+ goto nt_error;
}
cli_set_session_key(cli, session_key_krb5);
+ if (cli_simple_set_signing(
+ cli, session_key_krb5, data_blob_null)) {
+
+ /* 'resign' the last message, so we get the right sequence numbers
+ for checking the first reply from the server */
+ cli_calculate_sign_mac(cli, cli->outbuf);
+
+ if (!cli_check_sign_mac(cli, cli->inbuf)) {
+ nt_status = NT_STATUS_ACCESS_DENIED;
+ goto nt_error;
+ }
+ }
+
data_blob_free(&negTokenTarg);
data_blob_free(&session_key_krb5);
- if (cli_is_error(cli)) {
- if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
- return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- }
- }
- return ADS_ERROR_NT(cli_nt_error(cli));
+ return ADS_ERROR_NT(NT_STATUS_OK);
+
+nt_error:
+ data_blob_free(&negTokenTarg);
+ data_blob_free(&session_key_krb5);
+ cli->vuid = 0;
+ return ADS_ERROR_NT(nt_status);
}
#endif /* HAVE_KRB5 */
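Review bot: The `cli_check_sign_mac` failure path jumps to `nt_error` after `cli_set_session_key` and `cli_simple_set_signing` have already installed the krb5 key, and the label only frees the two blobs and resets `cli->vuid`. If the signing setup refuses to re-initialise once started, which the commit message implies, a later NTLMSSP attempt on this connection would still carry the krb5 signing context. A reply that fails the MAC check also looks like tampering rather than an authentication failure, so the caller (not visible in this hunk) should probably not treat this `NT_STATUS_ACCESS_DENIED` as a reason to fall back; a comment such as `/* bad signature on the session setup reply: do not retry with another mech */` would make that explicit. Separately, `session_key_krb5` is key material, and `data_blob_clear_free(&session_key_krb5)` would wipe it before release on both exits.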