summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-07-12 09:11:13 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:32 -0500
commit88002b851bd30e3c03a5a9442baf3ced7aa6090f (patch)
tree8547a06b7e5af9c4cb5e73f6190035aefd7fd75c
parentb62e6f1ec13c6cad5a94a2a27dc14d3fdfdd4cfc (diff)
downloadsamba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.gz
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.bz2
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.zip
r1462: GENSEC Kerberos and SPENGO work:
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
-rw-r--r--source4/client/client.c1
-rw-r--r--source4/include/cli_context.h4
-rw-r--r--source4/libcli/auth/config.mk3
-rw-r--r--source4/libcli/auth/gensec.mk5
-rw-r--r--source4/libcli/auth/gensec_krb5.c13
-rw-r--r--source4/libcli/auth/spnego.c122
-rw-r--r--source4/libcli/raw/clisession.c30
-rw-r--r--source4/libcli/raw/clitransport.c4
-rw-r--r--source4/libcli/raw/smb_signing.c101
-rw-r--r--source4/param/loadparm.c6
10 files changed, 178 insertions, 111 deletions
diff --git a/source4/client/client.c b/source4/client/client.c
index db44dd3d28..0ad3eed889 100644
--- a/source4/client/client.c
+++ b/source4/client/client.c
@@ -2836,6 +2836,7 @@ static struct cli_state *do_connect(const char *server, const char *share)
status = cli_session_setup(c, username, password, lp_workgroup());
if (NT_STATUS_IS_ERR(status)) {
+ d_printf("authenticated session setup failed: %s\n", nt_errstr(status));
/* if a password was not supplied then try again with a null username */
if (password[0] || !username[0] || use_kerberos) {
status = cli_session_setup(c, "", "", lp_workgroup());
diff --git a/source4/include/cli_context.h b/source4/include/cli_context.h
index 930017bb26..cddc6aadf5 100644
--- a/source4/include/cli_context.h
+++ b/source4/include/cli_context.h
@@ -53,7 +53,11 @@ struct cli_negotiate {
BOOL (*check_incoming_message)(struct cli_request *req);
void (*free_signing_context)(struct cli_transport *transport);
void *signing_context;
+ BOOL negotiated_smb_signing;
+ BOOL allow_smb_signing;
BOOL doing_signing;
+ BOOL mandatory_signing;
+ BOOL seen_valid; /* Have I ever seen a validly signed packet? */
} sign_info;
/* capabilities that the server reported */
diff --git a/source4/libcli/auth/config.mk b/source4/libcli/auth/config.mk
index 0c7586026b..a3bb3f1c78 100644
--- a/source4/libcli/auth/config.mk
+++ b/source4/libcli/auth/config.mk
@@ -3,8 +3,7 @@
[SUBSYSTEM::LIBCLI_AUTH]
ADD_OBJ_FILES = libcli/auth/schannel.o \
libcli/auth/credentials.o \
- libcli/auth/session.o \
- libcli/auth/ntlm_check.o
+ libcli/auth/session.o
REQUIRED_SUBSYSTEMS = \
AUTH SCHANNELDB GENSEC
# End SUBSYSTEM LIBCLI_AUTH
diff --git a/source4/libcli/auth/gensec.mk b/source4/libcli/auth/gensec.mk
index 7c2c21bafd..5c6a8260e5 100644
--- a/source4/libcli/auth/gensec.mk
+++ b/source4/libcli/auth/gensec.mk
@@ -3,7 +3,7 @@
[SUBSYSTEM::GENSEC]
INIT_OBJ_FILES = libcli/auth/gensec.o
REQUIRED_SUBSYSTEMS = \
- AUTH SCHANNELDB
+ SCHANNELDB
# End SUBSYSTEM GENSEC
#################################
@@ -14,7 +14,8 @@ INIT_OBJ_FILES = libcli/auth/gensec_krb5.o
ADD_OBJ_FILES = \
libcli/auth/clikrb5.o \
libcli/auth/kerberos.o \
- libcli/auth/kerberos_verify.o
+ libcli/auth/kerberos_verify.o \
+ libcli/auth/gssapi_parse.o
REQUIRED_SUBSYSTEMS = GENSEC
# End MODULE gensec_krb5
################################################
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index dbb2a10659..3a4f995937 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -42,6 +42,7 @@ struct gensec_krb5_state {
enum GENSEC_KRB5_STATE state_position;
krb5_context krb5_context;
krb5_auth_context krb5_auth_context;
+ krb5_ccache krb5_ccache;
};
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
@@ -66,7 +67,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
initialize_krb5_error_table();
gensec_krb5_state->krb5_context = NULL;
gensec_krb5_state->krb5_auth_context = NULL;
- gensec_krb5_state->krb5_ccdef = NULL;
+ gensec_krb5_state->krb5_ccache = NULL;
gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -111,7 +112,7 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state;
-
+ krb5_error_code ret;
NTSTATUS nt_status;
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -121,7 +122,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
+ ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
error_message(ret)));
@@ -135,13 +136,13 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
- if (gensec_krb5_state->krb5_ccdef) {
+ if (gensec_krb5_state->krb5_ccache) {
/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
SuSE 9.1 Pro
*/
#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
- krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
+ krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
#endif
}
@@ -193,7 +194,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
&gensec_krb5_state->krb5_auth_context,
AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_security->target.principal,
- ccdef, &packet);
+ gensec_krb5_state->krb5_ccache, &packet);
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
error_message(ret)));
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index 7e0cda42ba..32846cf580 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -48,7 +48,7 @@ struct spnego_state {
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
- TALLOC_CTX *mem_ctx = talloc_init("gensec_spengo_client_start");
+ TALLOC_CTX *mem_ctx = talloc_init("gensec_spnego_client_start");
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
@@ -151,12 +151,12 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit
/** Fallback to another GENSEC mechanism, based on magic strings
*
- * This is the 'fallback' case, where we don't get SPENGO, and have to
+ * This is the 'fallback' case, where we don't get SPNEGO, and have to
* try all the other options (and hope they all have a magic string
* they check)
*/
-static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec_security,
+static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -189,7 +189,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
}
- DEBUG(1, ("Failed to parse SPENGO request\n"));
+ DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -199,7 +199,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
* This is the case, where the client is the first one who sends data
*/
-static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec_security,
+static NTSTATUS gensec_spnego_client_netTokenInit(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
@@ -266,7 +266,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -277,7 +277,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
}
gensec_end(&spnego_state->sub_sec_security);
- DEBUG(1, ("Failed to setup SPENGO netTokenInit request\n"));
+ DEBUG(1, ("Failed to setup SPNEGO netTokenInit request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -286,7 +286,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
{
struct spnego_state *spnego_state = gensec_security->private_data;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
- DATA_BLOB unwrapped_out;
+ DATA_BLOB unwrapped_out = data_blob(NULL, 0);
struct spnego_data spnego_out;
struct spnego_data spnego;
@@ -307,7 +307,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (in.length) {
len = spnego_read_data(in, &spnego);
if (len == -1) {
- return gensec_spengo_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
+ return gensec_spnego_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
} else {
/* client sent NegTargetInit */
}
@@ -328,7 +328,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (!in.length) {
/* client to produce negTokenInit */
- return gensec_spengo_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
+ return gensec_spnego_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
}
len = spnego_read_data(in, &spnego);
@@ -341,13 +341,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ if (spnego.negTokenInit.targetPrincipal) {
+ nt_status = gensec_set_target_principal(gensec_security,
+ spnego.negTokenInit.targetPrincipal);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ }
+
mechType = spnego.negTokenInit.mechTypes;
for (i=0; mechType && mechType[i]; i++) {
nt_status = gensec_subcontext_start(gensec_security,
@@ -375,8 +383,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
null_data_blob,
&unwrapped_out);
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- DEBUG(1, ("SPENGO(%s) NEG_TOKEN_INIT failed: %s\n",
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
gensec_end(&spnego_state->sub_sec_security);
} else {
@@ -384,11 +392,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
}
if (!mechType || !mechType[i]) {
- DEBUG(1, ("SPENGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
}
spnego_free_data(&spnego);
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
@@ -402,7 +410,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -410,7 +418,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- return nt_status;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_SERVER_TARG:
{
@@ -429,49 +437,47 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type,
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, (const char *)in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego.negTokenTarg.responseToken.length) {
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- } else {
- unwrapped_out = data_blob(NULL, 0);
- nt_status = NT_STATUS_OK;
- }
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.supportedMech
+ = spnego_state->sub_sec_security->ops->oid;
+ spnego_out.negTokenTarg.responseToken = unwrapped_out;
+ spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
- spnego_out.negTokenTarg.supportedMech
- = spnego_state->sub_sec_security->ops->oid;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_state->state_position = SPNEGO_DONE;
} else {
- DEBUG(1, ("SPENGO(%s) login failed: %s\n",
+ spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
+ DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
- return nt_status;
+ spnego_state->state_position = SPNEGO_DONE;
}
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return nt_status;
}
case SPNEGO_CLIENT_TARG:
@@ -501,16 +507,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
return NT_STATUS_ACCESS_DENIED;
}
-
- if (spnego.negTokenTarg.responseToken.length) {
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- } else {
- unwrapped_out = data_blob(NULL, 0);
- nt_status = NT_STATUS_OK;
- }
+
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)
&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
@@ -521,27 +522,28 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+ spnego_out.negTokenTarg.supportedMech = NULL;
+ spnego_out.negTokenTarg.responseToken = unwrapped_out;
+ spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
spnego_state->state_position = SPNEGO_CLIENT_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->state_position = SPNEGO_DONE;
} else {
- DEBUG(1, ("SPENGO(%s) login failed: %s\n",
+ DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
}
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
return nt_status;
}
diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c
index d420aa7cd6..5aaceb103a 100644
--- a/source4/libcli/raw/clisession.c
+++ b/source4/libcli/raw/clisession.c
@@ -260,7 +260,7 @@ static void use_nt1_session_keys(struct cli_session *session,
E_md4hash(password, nt_hash);
SMBsesskeygen_ntv1(nt_hash, session_key.data);
- cli_transport_simple_set_signing(transport, session_key, *nt_response);
+ cli_transport_simple_set_signing(transport, session_key, *nt_response, 0);
cli_session_set_user_session_key(session, &session_key);
data_blob_free(&session_key);
@@ -381,6 +381,8 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
{
NTSTATUS status;
union smb_sesssetup s2;
+ DATA_BLOB session_key = data_blob(NULL, 0);
+ DATA_BLOB null_data_blob = data_blob(NULL, 0);
s2.generic.level = RAW_SESSSETUP_SPNEGO;
s2.spnego.in.bufsize = ~0;
@@ -433,39 +435,41 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
session->transport->negotiate.secblob,
&s2.spnego.in.secblob);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- goto done;
- }
-
while(1) {
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
+ break;
+ }
+
+ status = gensec_session_key(session->gensec, &session_key);
+ if (NT_STATUS_IS_OK(status)) {
+ cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 0);
+ }
+
session->vuid = s2.spnego.out.vuid;
status = smb_raw_session_setup(session, mem_ctx, &s2);
session->vuid = UID_FIELD_INVALID;
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- goto done;
+ break;
}
status = gensec_update(session->gensec, mem_ctx,
s2.spnego.out.secblob,
&s2.spnego.in.secblob);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- goto done;
+ if (NT_STATUS_IS_OK(status)) {
+ break;
}
}
done:
if (NT_STATUS_IS_OK(status)) {
- DATA_BLOB null_data_blob = data_blob(NULL, 0);
- DATA_BLOB session_key = data_blob(NULL, 0);
-
status = gensec_session_key(session->gensec, &session_key);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
-
- cli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
+
+ cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 2 /* two legs on last packet */);
cli_session_set_user_session_key(session, &session_key);
diff --git a/source4/libcli/raw/clitransport.c b/source4/libcli/raw/clitransport.c
index a378ac8aad..18784fe33a 100644
--- a/source4/libcli/raw/clitransport.c
+++ b/source4/libcli/raw/clitransport.c
@@ -40,7 +40,9 @@ struct cli_transport *cli_transport_init(struct cli_socket *sock)
transport->negotiate.protocol = PROTOCOL_NT1;
transport->options.use_spnego = lp_use_spnego();
transport->negotiate.max_xmit = ~0;
- cli_null_set_signing(transport);
+
+ cli_init_signing(transport);
+
transport->socket->reference_count++;
ZERO_STRUCT(transport->called);
diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c
index 20b44a5348..52e08d05f8 100644
--- a/source4/libcli/raw/smb_signing.c
+++ b/source4/libcli/raw/smb_signing.c
@@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
if (transport->negotiate.sign_info.doing_signing) {
return False;
}
-
+
+ if (!transport->negotiate.sign_info.allow_smb_signing) {
+ return False;
+ }
+
if (transport->negotiate.sign_info.free_signing_context)
transport->negotiate.sign_info.free_signing_context(transport);
/* These calls are INCOMPATIBLE with SMB signing */
transport->negotiate.readbraw_supported = False;
transport->negotiate.writebraw_supported = False;
-
+
return True;
}
@@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
************************************************************/
static BOOL set_smb_signing_real_common(struct cli_transport *transport)
{
- if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+ if (transport->negotiate.sign_info.mandatory_signing) {
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
- transport->negotiate.sign_info.doing_signing = True;
}
DEBUG(5, ("SMB signing enabled!\n"));
@@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req)
SSVAL(req->out.hdr, HDR_FLG2, flags2);
}
-static BOOL signing_good(struct cli_request *req, BOOL good)
+static BOOL signing_good(struct cli_request *req, int seq, BOOL good)
{
- if (good && !req->transport->negotiate.sign_info.doing_signing) {
- req->transport->negotiate.sign_info.doing_signing = True;
- }
-
- if (!good) {
- if (req->transport->negotiate.sign_info.doing_signing) {
- DEBUG(1, ("SMB signature check failed!\n"));
- return False;
+ if (good) {
+ if (!req->transport->negotiate.sign_info.doing_signing) {
+ req->transport->negotiate.sign_info.doing_signing = True;
+ }
+ if (!req->transport->negotiate.sign_info.seen_valid) {
+ req->transport->negotiate.sign_info.seen_valid = True;
+ }
+ } else {
+ if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) {
+
+ /* Non-mandatory signing - just turn off if this is the first bad packet.. */
+ DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n"
+ "isn't sending correct signatures. Turning off.\n"));
+ req->transport->negotiate.sign_info.negotiated_smb_signing = False;
+ req->transport->negotiate.sign_info.allow_smb_signing = False;
+ req->transport->negotiate.sign_info.doing_signing = False;
+ if (req->transport->negotiate.sign_info.free_signing_context)
+ req->transport->negotiate.sign_info.free_signing_context(req->transport);
+ cli_null_set_signing(req->transport);
+ return True;
} else {
- DEBUG(3, ("Server did not sign reply correctly\n"));
- cli_transport_free_signing_context(req->transport);
+ /* Mandatory signing or bad packet after signing started - fail and disconnect. */
+ if (seq)
+ DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq));
return False;
}
}
return True;
-}
+}
/***********************************************************
SMB signing - Simple implementation - calculate a MAC to send.
@@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req)
memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8);
+ DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n",
+ req->seq_num, data->next_seq_num));
+ dump_data(5, calc_md5_mac, 8);
/* req->out.hdr[HDR_SS_FIELD+2]=0;
Uncomment this to test if the remote server actually verifies signitures...*/
}
@@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
MD5Final(calc_md5_mac, &md5_ctx);
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+
+ if (i == 1) {
+ if (!good) {
+ DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i));
+ dump_data(5, calc_md5_mac, 8);
+
+ DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+ dump_data(5, server_sent_mac, 8);
+ } else {
+ DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+ dump_data(5, server_sent_mac, 8);
+ }
+ }
+
if (good) break;
}
@@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1));
}
- if (!good) {
- DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
- dump_data(5, calc_md5_mac, 8);
-
- DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n"));
- dump_data(5, server_sent_mac, 8);
- }
- return signing_good(req, good);
+ return signing_good(req, req->seq_num+1, good);
}
@@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran
************************************************************/
BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
const DATA_BLOB user_session_key,
- const DATA_BLOB response)
+ const DATA_BLOB response,
+ int seq_num)
{
struct smb_basic_signing_context *data;
@@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
}
/* Initialise the sequence number */
- data->next_seq_num = 0;
+ data->next_seq_num = seq_num;
transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message;
transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message;
@@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req)
return True;
}
+
+
+BOOL cli_init_signing(struct cli_transport *transport)
+{
+ if (!cli_null_set_signing(transport)) {
+ return False;
+ }
+
+ switch (lp_client_signing()) {
+ case SMB_SIGNING_OFF:
+ transport->negotiate.sign_info.allow_smb_signing = False;
+ break;
+ case SMB_SIGNING_SUPPORTED:
+ transport->negotiate.sign_info.allow_smb_signing = True;
+ break;
+ case SMB_SIGNING_REQUIRED:
+ transport->negotiate.sign_info.allow_smb_signing = True;
+ transport->negotiate.sign_info.mandatory_signing = True;
+ break;
+ }
+ return True;
+}
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index 68a16501d2..5493b2617c 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -212,6 +212,7 @@ typedef struct
BOOL bNTLMAuth;
BOOL bUseSpnego;
BOOL server_signing;
+ BOOL client_signing;
BOOL bClientLanManAuth;
BOOL bClientNTLMv2Auth;
BOOL bHostMSDfs;
@@ -654,6 +655,7 @@ static struct parm_struct parm_table[] = {
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
{"server signing", P_ENUM, P_GLOBAL, &Globals.server_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED},
+ {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED},
{"rpc big endian", P_BOOL, P_GLOBAL, &Globals.bRpcBigEndian, NULL, NULL, FLAG_DEVELOPER},
{"Tuning Options", P_SEP, P_SEPARATOR},
@@ -1103,7 +1105,8 @@ static void init_globals(void)
Globals.bUseSpnego = True;
- Globals.server_signing = False;
+ Globals.client_signing = SMB_SIGNING_SUPPORTED;
+ Globals.server_signing = SMB_SIGNING_SUPPORTED;
string_set(&Globals.smb_ports, SMB_PORTS);
}
@@ -1375,6 +1378,7 @@ FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time)
FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
+FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
/* local prototypes */