diff options
author | Volker Lendecke <vlendec@samba.org> | 2003-12-27 10:13:20 +0000 |
---|---|---|
committer | Volker Lendecke <vlendec@samba.org> | 2003-12-27 10:13:20 +0000 |
commit | 889eb5ef5df9a50df09b04076efbc8d58bc3665e (patch) | |
tree | 8578e43ee3e1084c4a8c6af6f96b556ecc4d297e | |
parent | 67263790a0b66696677cff5aee43318db19d1657 (diff) | |
download | samba-889eb5ef5df9a50df09b04076efbc8d58bc3665e.tar.gz samba-889eb5ef5df9a50df09b04076efbc8d58bc3665e.tar.bz2 samba-889eb5ef5df9a50df09b04076efbc8d58bc3665e.zip |
Preliminary fix for our signing problem with failed NTLMSSP logins. This patch
solves the problem for me here, I can still successfully set up signing using
NTLMSSP against w2k3 and it does not show a signing error anymoe when the
password was wrong.
Jeremy, you might want to take a further look at it as this is not
particularly elegant.
Volker
(This used to be commit 8a82060e3aee6d5ef38b1448035d865f9bce63a7)
-rw-r--r-- | source3/libsmb/cliconnect.c | 22 | ||||
-rw-r--r-- | source3/libsmb/smb_signing.c | 6 |
2 files changed, 19 insertions, 9 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f6dfd40006..b140c772a2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -318,7 +318,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - cli_simple_set_signing(cli, session_key, nt_response); + cli_simple_set_signing(cli, session_key, nt_response, 0); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -511,7 +511,7 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif - cli_simple_set_signing(cli, session_key_krb5, null_blob); + cli_simple_set_signing(cli, session_key_krb5, null_blob, 0); blob2 = cli_session_setup_blob(cli, negTokenTarg); @@ -568,7 +568,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use blob_in, &blob_out); data_blob_free(&blob_in); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DATA_BLOB null_blob = data_blob(NULL, 0); if (turn == 1) { /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); @@ -577,10 +576,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use msg1 = spnego_gen_auth(blob_out); } - cli_simple_set_signing(cli, - data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length), - null_blob); - /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n")); @@ -630,8 +625,21 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)); if (NT_STATUS_IS_OK(nt_status)) { + + DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, + ntlmssp_state->session_key.length); + DATA_BLOB null_blob = data_blob(NULL, 0); + fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); + + /* Using NTLMSSP session setup, signing on the net only starts + * after a successful authentication and the session key has + * been determined, but with a sequence number of 2. This + * assumes that NTLMSSP needs exactly 2 roundtrips, for any + * other SPNEGO mechanism it needs adapting. */ + + cli_simple_set_signing(cli, key, null_blob, 2); } /* we have a reference conter on ntlmssp_state, if we are signing diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c index 6b2abb9ccc..8a056f659f 100644 --- a/source3/libsmb/smb_signing.c +++ b/source3/libsmb/smb_signing.c @@ -405,7 +405,9 @@ static void simple_free_signing_context(struct smb_sign_info *si) SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL cli_simple_set_signing(struct cli_state *cli, const DATA_BLOB user_session_key, const DATA_BLOB response) +BOOL cli_simple_set_signing(struct cli_state *cli, + const DATA_BLOB user_session_key, + const DATA_BLOB response, int initial_send_seq_num) { struct smb_basic_signing_context *data; @@ -443,7 +445,7 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const DATA_BLOB user_session_ dump_data_pw("MAC ssession key is:\n", data->mac_key.data, data->mac_key.length); /* Initialise the sequence number */ - data->send_seq_num = 0; + data->send_seq_num = initial_send_seq_num; /* Initialise the list of outstanding packets */ data->outstanding_packet_list = NULL; |