authorAndrew Bartlett <abartlet@samba.org>2003-07-14 10:38:23 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-07-14 10:38:23 +0000
commit236702e15c26432fd09888658fd66f318d03e3f5 (patch)
tree83f9e20aafa3e1484e55105413eb5fcdae5d87dd
parent456f51bcbe04ccbb37a27b6e115a851cc134adcd (diff)
Fix SMB signing when using NTLMSSP...
It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure than the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunately). Andrew Bartlett (This used to be commit 95ec8317d4c6817d192bcd52eec44a22286e10ee)
-rw-r--r--source3/libsmb/cliconnect.c7
-rw-r--r--source3/libsmb/smb_signing.c94
2 files changed, 8 insertions, 93 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index cdd80b7f0c..8c02c4fdfe 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -551,6 +551,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
blob_in, &blob_out);
data_blob_free(&blob_in);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ DATA_BLOB null = data_blob(NULL, 0);
if (turn == 1) {
/* and wrap it in a SPNEGO wrapper */
msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out);
@@ -559,14 +560,16 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
msg1 = spnego_gen_auth(blob_out);
}
+ cli_simple_set_signing(cli,
+ ntlmssp_state->session_key.data,
+ null);
+
/* now send that blob on its way */
if (!cli_session_setup_blob_send(cli, msg1)) {
return False;
}
data_blob_free(&msg1);
- cli_ntlmssp_set_signing(cli, ntlmssp_state);
-
blob = cli_session_setup_blob_receive(cli);
nt_status = cli_nt_error(cli);
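Review bot: The return value of the added `cli_simple_set_signing(cli, ntlmssp_state->session_key.data, null)` call is discarded, so a failure to install the signing key is invisible here and the exchange continues as if signing were set up. With the NULL guard this commit adds in smb_signing.c, the call returns False whenever `session_key.data` is still NULL, which presumably happens on the first leg, before the key has been derived. Only the `.data` pointer is passed and `session_key.length` is never checked, while the callee declares the parameter as a `uchar` array whose size is cut off in the hunk header; confirm the blob is at least that long before handing it over. At minimum I would make the call conditional and log the failure, e.g. `if (ntlmssp_state->session_key.data && !cli_simple_set_signing(cli, ntlmssp_state->session_key.data, null)) DEBUG(1, ("failed to set up SMB signing\n"));`. Whether the session should be aborted when signing is mandatory depends on code outside this hunk, as the function body starts and ends outside it.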
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index fee2b66670..c15604c91c 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -277,6 +277,9 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
{
struct smb_basic_signing_context *data;
+ if (!user_session_key)
+ return False;
+
if (!set_smb_signing_common(cli)) {
return False;
}
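Review bot: The new `if (!user_session_key) return False;` guard exits silently and returns the same value as the `set_smb_signing_common(cli)` failure just below it, so neither the caller nor the logs can tell "no key supplied yet" from "signing could not be set up". I would document the intent with a comment above the check, such as `/* no session key available yet: leave signing unconfigured */`, and emit a low-level trace like `DEBUG(5, ("cli_simple_set_signing: no session key, signing not enabled\n"));` before returning. The guard covers only the pointer; the function cannot verify the key length from its array parameter, so that stays a caller obligation worth stating in the function's header comment. The body of cli_simple_set_signing continues outside this hunk.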
@@ -308,97 +311,6 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
}
/***********************************************************
- SMB signing - NTLMSSP implementation - calculate a MAC to send.
-************************************************************/
-
-static void cli_ntlmssp_sign_outgoing_message(struct cli_state *cli)
-{
- NTSTATUS nt_status;
- DATA_BLOB sig;
- NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
-
- /* mark the packet as signed - BEFORE we sign it...*/
- mark_packet_signed(cli);
-
- nt_status = ntlmssp_client_sign_packet(ntlmssp_state, cli->outbuf + 4,
- smb_len(cli->outbuf), &sig);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
- return;
- }
-
- DEBUG(10, ("sent SMB signature of\n"));
- dump_data(10, sig.data, MIN(sig.length, 8));
- memcpy(&cli->outbuf[smb_ss_field], sig.data, MIN(sig.length, 8));
-
- data_blob_free(&sig);
-}
-
-/***********************************************************
- SMB signing - NTLMSSP implementation - check a MAC sent by server.
-************************************************************/
-
-static BOOL cli_ntlmssp_check_incoming_message(struct cli_state *cli)
-{
- BOOL good;
- NTSTATUS nt_status;
- DATA_BLOB sig = data_blob(&cli->inbuf[smb_ss_field], 8);
-
- NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
-
- nt_status = ntlmssp_client_check_packet(ntlmssp_state, cli->outbuf + 4,
- smb_len(cli->outbuf), &sig);
-
- data_blob_free(&sig);
-
- good = NT_STATUS_IS_OK(nt_status);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
- }
-
- return signing_good(cli, good);
-}
-
-/***********************************************************
- SMB signing - NTLMSSP implementation - free signing context
-************************************************************/
-
-static void cli_ntlmssp_free_signing_context(struct cli_state *cli)
-{
- ntlmssp_client_end((NTLMSSP_CLIENT_STATE **)&cli->sign_info.signing_context);
-}
-
-/***********************************************************
- SMB signing - NTLMSSP implementation - setup the MAC key.
-************************************************************/
-
-BOOL cli_ntlmssp_set_signing(struct cli_state *cli,
- NTLMSSP_CLIENT_STATE *ntlmssp_state)
-{
- if (!set_smb_signing_common(cli)) {
- return False;
- }
-
- if (!NT_STATUS_IS_OK(ntlmssp_client_sign_init(ntlmssp_state))) {
- return False;
- }
-
- if (!set_smb_signing_real_common(cli)) {
- return False;
- }
-
- cli->sign_info.signing_context = ntlmssp_state;
- ntlmssp_state->ref_count++;
-
- cli->sign_info.sign_outgoing_message = cli_ntlmssp_sign_outgoing_message;
- cli->sign_info.check_incoming_message = cli_ntlmssp_check_incoming_message;
- cli->sign_info.free_signing_context = cli_ntlmssp_free_signing_context;
-
- return True;
-}
-
-/***********************************************************
SMB signing - NULL implementation - calculate a MAC to send.
************************************************************/