summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-07-18 00:53:34 +0000
committerJeremy Allison <jra@samba.org>2003-07-18 00:53:34 +0000
commit814e987c6241601fb03335b2ba9a633d65cc5e23 (patch)
tree946b50c4cc4a8a6ebd4c4fb604413d8ce31fc828
parent5b4a2dfd2b7fdc5006452126f3b1b8b4f1bc7fe2 (diff)
downloadsamba-814e987c6241601fb03335b2ba9a633d65cc5e23.tar.gz
samba-814e987c6241601fb03335b2ba9a633d65cc5e23.tar.bz2
samba-814e987c6241601fb03335b2ba9a633d65cc5e23.zip
Signing so far... the client code fails on a SMBtrans2 secondary transaction
I think (my changes haven't affected this I believe). Initial support on the server side for smbclient. Still doesn't work for w2k clients I think... Work in progress..... (don't change). Jeremy. (This used to be commit e5714edc233424c2f74edb6d658f32f8e0ec9275)
-rw-r--r--source3/libsmb/smb_signing.c164
-rw-r--r--source3/param/loadparm.c2
-rw-r--r--source3/smbd/negprot.c18
-rw-r--r--source3/smbd/password.c8
-rw-r--r--source3/smbd/reply.c4
-rw-r--r--source3/smbd/sesssetup.c35
6 files changed, 159 insertions, 72 deletions
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 23611f3e3b..2612ed2367 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -57,6 +57,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
if (t->mid == mid) {
*reply_seq_num = t->reply_seq_num;
DLIST_REMOVE(*list, t);
+ SAFE_FREE(t);
return True;
}
}
@@ -179,7 +180,7 @@ static void free_signing_context(struct smb_sign_info *si)
static BOOL signing_good(char *inbuf, struct smb_sign_info *si, BOOL good)
{
- DEBUG(10, ("got SMB signature of\n"));
+ DEBUG(10, ("signing_good: got SMB signature of\n"));
dump_data(10,&inbuf[smb_ss_field] , 8);
if (good && !si->doing_signing) {
@@ -251,17 +252,27 @@ static void simple_packet_signature(struct smb_basic_signing_context *data,
SMB signing - Simple implementation - send the MAC.
************************************************************/
-static void cli_simple_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
+static void simple_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
{
unsigned char calc_md5_mac[16];
struct smb_basic_signing_context *data = si->signing_context;
+ if (!si->doing_signing)
+ return;
+
+ /* JRA Paranioa test - we should be able to get rid of this... */
+ if (smb_len(outbuf) < (smb_ss_field + 8 - 4)) {
+ DEBUG(1, ("simple_sign_outgoing_message: Logic error. Can't check signature on short packet! smb_len = %u\n",
+ smb_len(outbuf) ));
+ abort();
+ }
+
/* mark the packet as signed - BEFORE we sign it...*/
mark_packet_signed(outbuf);
simple_packet_signature(data, outbuf, data->send_seq_num, calc_md5_mac);
- DEBUG(10, ("sent SMB signature of\n"));
+ DEBUG(10, ("simple_sign_outgoing_message: sent SMB signature of\n"));
dump_data(10, calc_md5_mac, 8);
memcpy(&outbuf[smb_ss_field], calc_md5_mac, 8);
@@ -270,17 +281,19 @@ static void cli_simple_sign_outgoing_message(char *outbuf, struct smb_sign_info
Uncomment this to test if the remote server actually verifies signatures...*/
data->send_seq_num++;
+#if 1 /* JRATEST */
store_sequence_for_reply(&data->outstanding_packet_list,
SVAL(outbuf,smb_mid),
data->send_seq_num);
data->send_seq_num++;
+#endif /* JRATEST */
}
/***********************************************************
SMB signing - Simple implementation - check a MAC sent by server.
************************************************************/
-static BOOL cli_simple_check_incoming_message(char *inbuf, struct smb_sign_info *si)
+static BOOL simple_check_incoming_message(char *inbuf, struct smb_sign_info *si)
{
BOOL good;
uint32 reply_seq_number;
@@ -289,11 +302,24 @@ static BOOL cli_simple_check_incoming_message(char *inbuf, struct smb_sign_info
struct smb_basic_signing_context *data = si->signing_context;
+ if (!si->doing_signing)
+ return True;
+
+ if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+ DEBUG(1, ("simple_check_incoming_message: Can't check signature on short packet! smb_len = %u\n", smb_len(inbuf)));
+ return False;
+ }
+
+#if 1 /* JRATEST */
if (!get_sequence_for_reply(&data->outstanding_packet_list,
SVAL(inbuf, smb_mid),
&reply_seq_number)) {
return False;
}
+#else /* JRATEST */
+ reply_seq_number = data->send_seq_num;
+ data->send_seq_num++;
+#endif /* JRATEST */
simple_packet_signature(data, inbuf, reply_seq_number, calc_md5_mac);
@@ -301,10 +327,10 @@ static BOOL cli_simple_check_incoming_message(char *inbuf, struct smb_sign_info
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
if (!good) {
- DEBUG(5, ("BAD SIG: wanted SMB signature of\n"));
+ DEBUG(5, ("simple_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
dump_data(5, calc_md5_mac, 8);
- DEBUG(5, ("BAD SIG: got SMB signature of\n"));
+ DEBUG(5, ("simple_check_incoming_message: BAD SIG: got SMB signature of\n"));
dump_data(5, server_sent_mac, 8);
}
return signing_good(inbuf, si, good);
@@ -314,7 +340,7 @@ static BOOL cli_simple_check_incoming_message(char *inbuf, struct smb_sign_info
SMB signing - Simple implementation - free signing context
************************************************************/
-static void cli_simple_free_signing_context(struct smb_sign_info *si)
+static void simple_free_signing_context(struct smb_sign_info *si)
{
struct smb_basic_signing_context *data = si->signing_context;
struct outstanding_packet_lookup *list = data->outstanding_packet_list;
@@ -357,7 +383,8 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
data->mac_key = data_blob(NULL, response.length + 16);
memcpy(&data->mac_key.data[0], user_session_key, 16);
- memcpy(&data->mac_key.data[16],response.data, response.length);
+ if (response.length)
+ memcpy(&data->mac_key.data[16],response.data, response.length);
/* Initialise the sequence number */
data->send_seq_num = 0;
@@ -365,9 +392,9 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
/* Initialise the list of outstanding packets */
data->outstanding_packet_list = NULL;
- cli->sign_info.sign_outgoing_message = cli_simple_sign_outgoing_message;
- cli->sign_info.check_incoming_message = cli_simple_check_incoming_message;
- cli->sign_info.free_signing_context = cli_simple_free_signing_context;
+ cli->sign_info.sign_outgoing_message = simple_sign_outgoing_message;
+ cli->sign_info.check_incoming_message = simple_check_incoming_message;
+ cli->sign_info.free_signing_context = simple_free_signing_context;
return True;
}
@@ -376,7 +403,7 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
SMB signing - TEMP implementation - calculate a MAC to send.
************************************************************/
-static void cli_temp_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
+static void temp_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
{
/* mark the packet as signed - BEFORE we sign it...*/
mark_packet_signed(outbuf);
@@ -391,7 +418,7 @@ static void cli_temp_sign_outgoing_message(char *outbuf, struct smb_sign_info *s
SMB signing - TEMP implementation - check a MAC sent by server.
************************************************************/
-static BOOL cli_temp_check_incoming_message(char *inbuf, struct smb_sign_info *si)
+static BOOL temp_check_incoming_message(char *inbuf, struct smb_sign_info *si)
{
return True;
}
@@ -400,7 +427,7 @@ static BOOL cli_temp_check_incoming_message(char *inbuf, struct smb_sign_info *s
SMB signing - TEMP implementation - free signing context
************************************************************/
-static void cli_temp_free_signing_context(struct smb_sign_info *si)
+static void temp_free_signing_context(struct smb_sign_info *si)
{
return;
}
@@ -426,9 +453,9 @@ BOOL cli_temp_set_signing(struct cli_state *cli)
cli->sign_info.signing_context = NULL;
- cli->sign_info.sign_outgoing_message = cli_temp_sign_outgoing_message;
- cli->sign_info.check_incoming_message = cli_temp_check_incoming_message;
- cli->sign_info.free_signing_context = cli_temp_free_signing_context;
+ cli->sign_info.sign_outgoing_message = temp_sign_outgoing_message;
+ cli->sign_info.check_incoming_message = temp_check_incoming_message;
+ cli->sign_info.free_signing_context = temp_free_signing_context;
return True;
}
@@ -450,28 +477,15 @@ void cli_calculate_sign_mac(struct cli_state *cli)
/**
* Check a packet with the current mechanism
* @return False if we had an established signing connection
- * which had a back checksum, True otherwise
+ * which had a bad checksum, True otherwise.
*/
BOOL cli_check_sign_mac(struct cli_state *cli)
{
- BOOL good;
-
- if (smb_len(cli->inbuf) < (smb_ss_field + 8 - 4)) {
- DEBUG(cli->sign_info.doing_signing ? 1 : 10, ("Can't check signature on short packet! smb_len = %u\n", smb_len(cli->inbuf)));
- good = False;
- } else {
- good = cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info);
- }
-
- if (!good) {
- if (cli->sign_info.doing_signing) {
- return False;
- } else {
- free_signing_context(&cli->sign_info);
- }
+ if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info)) {
+ free_signing_context(&cli->sign_info);
+ return False;
}
-
return True;
}
@@ -507,18 +521,10 @@ BOOL srv_oplock_set_signing(BOOL onoff)
BOOL srv_check_sign_mac(char *inbuf)
{
- if (!srv_sign_info.doing_signing)
- return True;
-
/* Check if it's a session keepalive. */
if(CVAL(inbuf,0) == SMBkeepalive)
return True;
- if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
- DEBUG(1, ("srv_check_sign_mac: Can't check signature on short packet! smb_len = %u\n", smb_len(inbuf) ));
- return False;
- }
-
return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info);
}
@@ -536,22 +542,80 @@ void srv_calculate_sign_mac(char *outbuf)
if(CVAL(outbuf,0) == SMBkeepalive)
return;
- /* JRA Paranioa test - we should be able to get rid of this... */
- if (smb_len(outbuf) < (smb_ss_field + 8 - 4)) {
- DEBUG(1, ("srv_calculate_sign_mac: Logic error. Can't check signature on short packet! smb_len = %u\n",
- smb_len(outbuf) ));
- abort();
- }
-
srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info);
}
/***********************************************************
+ Called by server negprot when signing has been negotiated.
+************************************************************/
+
+void srv_set_signing_negotiated(void)
+{
+ srv_sign_info.allow_smb_signing = True;
+ srv_sign_info.negotiated_smb_signing = True;
+ if (lp_server_signing() == Required)
+ srv_sign_info.mandatory_signing = True;
+
+ srv_sign_info.sign_outgoing_message = temp_sign_outgoing_message;
+ srv_sign_info.check_incoming_message = temp_check_incoming_message;
+ srv_sign_info.free_signing_context = temp_free_signing_context;
+}
+
+/***********************************************************
Returns whether signing is active. We can't use sendfile or raw
reads/writes if it is.
************************************************************/
-BOOL srv_signing_active(void)
+BOOL srv_is_signing_active(void)
{
return srv_sign_info.doing_signing;
}
+
+/***********************************************************
+ Turn on signing from this packet onwards.
+************************************************************/
+
+void srv_set_signing(const uchar user_session_key[16], const DATA_BLOB response)
+{
+ struct smb_basic_signing_context *data;
+
+ if (!user_session_key)
+ return;
+
+ if (!srv_sign_info.negotiated_smb_signing && !srv_sign_info.mandatory_signing) {
+ DEBUG(5,("srv_set_signing: signing negotiated = %u, mandatory_signing = %u. Not allowing smb signing.\n",
+ (unsigned int)srv_sign_info.negotiated_smb_signing,
+ (unsigned int)srv_sign_info.mandatory_signing ));
+ return;
+ }
+
+ /* Once we've turned on, ignore any more sessionsetups. */
+ if (srv_sign_info.doing_signing) {
+ return;
+ }
+
+ if (srv_sign_info.free_signing_context)
+ srv_sign_info.free_signing_context(&srv_sign_info);
+
+ srv_sign_info.doing_signing = True;
+
+ data = smb_xmalloc(sizeof(*data));
+
+ srv_sign_info.signing_context = data;
+
+ data->mac_key = data_blob(NULL, response.length + 16);
+
+ memcpy(&data->mac_key.data[0], user_session_key, 16);
+ if (response.length)
+ memcpy(&data->mac_key.data[16],response.data, response.length);
+
+ /* Initialise the sequence number */
+ data->send_seq_num = 0;
+
+ /* Initialise the list of outstanding packets */
+ data->outstanding_packet_list = NULL;
+
+ srv_sign_info.sign_outgoing_message = simple_sign_outgoing_message;
+ srv_sign_info.check_incoming_message = simple_check_incoming_message;
+ srv_sign_info.free_signing_context = simple_free_signing_context;
+}
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1af8d51114..272434d487 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4298,5 +4298,5 @@ int lp_maxprintjobs(int snum)
BOOL lp_use_sendfile(int snum)
{
- return (_lp_use_sendfile(snum) && !srv_signing_active());
+ return (_lp_use_sendfile(snum) && !srv_is_signing_active());
}
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 0b58eb3eb2..28e3cf97d1 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -278,11 +278,19 @@ static int reply_nt1(char *inbuf, char *outbuf)
secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
if (lp_server_signing()) {
- secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
- /* No raw mode with smb signing. */
- capabilities &= ~CAP_RAW_MODE;
- if (lp_server_signing() == Required)
- secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
+ if (lp_security() >= SEC_USER) {
+ secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
+ /* No raw mode with smb signing. */
+ capabilities &= ~CAP_RAW_MODE;
+ if (lp_server_signing() == Required)
+ secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
+ srv_set_signing_negotiated();
+ } else {
+ DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n"));
+ if (lp_server_signing() == Required) {
+ exit_server("reply_nt1: smb signing required and share level security selected.");
+ }
+ }
}
set_message(outbuf,17,0,True);
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 9930fc8c33..b988f2ec74 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -111,7 +111,7 @@ void invalidate_all_vuids(void)
*
*/
-int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
+int register_vuid(auth_serversupplied_info *server_info, DATA_BLOB response_blob, const char *smb_name)
{
user_struct *vuser = NULL;
@@ -241,12 +241,10 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
vuser->homes_snum = -1;
}
-#if 0 /* JRATEST. */
- if (lp_server_signing() && !vuser->guest && !srv_signing_active()) {
+ if (lp_server_signing() && !vuser->guest && !srv_is_signing_active()) {
/* Try and turn on server signing on the first non-guest sessionsetup. */
- srv_set_signing(session_key.data, nt_response);
+ srv_set_signing(vuser->session_key, response_blob);
}
-#endif
return vuser->vuid;
}
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 61323e8b56..44633b1db6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1472,7 +1472,7 @@ int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_s
files_struct *fsp;
START_PROFILE(SMBreadbraw);
- if (srv_signing_active()) {
+ if (srv_is_signing_active()) {
exit_server("reply_readbraw: SMB signing is active - raw reads/writes are disallowed.");
}
@@ -1874,7 +1874,7 @@ int reply_writebraw(connection_struct *conn, char *inbuf,char *outbuf, int size,
int outsize = 0;
START_PROFILE(SMBwritebraw);
- if (srv_signing_active()) {
+ if (srv_is_signing_active()) {
exit_server("reply_readbraw: SMB signing is active - raw reads/writes are disallowed.");
}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 7d77ed3071..9ec5433b02 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -153,6 +153,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
uint8 session_key[16];
uint8 tok_id[2];
BOOL foreign = False;
+ DATA_BLOB nullblob = data_blob(NULL, 0);
ZERO_STRUCT(ticket);
ZERO_STRUCT(auth_data);
@@ -235,7 +236,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
memcpy(server_info->session_key, session_key, sizeof(session_key));
/* register_vuid keeps the server info */
- sess_vuid = register_vuid(server_info, user);
+ sess_vuid = register_vuid(server_info, nullblob, user);
free(user);
@@ -250,6 +251,10 @@ static int reply_spnego_kerberos(connection_struct *conn,
}
SSVAL(outbuf, smb_uid, sess_vuid);
+
+ if (!server_info->guest && !srv_check_sign_mac(inbuf)) {
+ exit_server("reply_spnego_kerberos: bad smb signature");
+ }
}
/* wrap that up in a nice GSS-API wrapping */
@@ -275,7 +280,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
End the NTLMSSP exchange context if we are OK/complete fail
***************************************************************************/
-static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
+static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char *outbuf,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
{
@@ -294,8 +299,10 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
if (NT_STATUS_IS_OK(nt_status)) {
int sess_vuid;
+ DATA_BLOB nullblob = data_blob(NULL, 0);
+
/* register_vuid keeps the server info */
- sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user);
+ sess_vuid = register_vuid(server_info, nullblob, (*auth_ntlmssp_state)->ntlmssp_state->user);
(*auth_ntlmssp_state)->server_info = NULL;
if (sess_vuid == -1) {
@@ -310,6 +317,11 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
}
SSVAL(outbuf,smb_uid,sess_vuid);
+
+ if (!server_info->guest && !srv_check_sign_mac(inbuf)) {
+ exit_server("reply_spnego_ntlmssp: bad smb signature");
+ }
+
}
}
@@ -382,7 +394,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
data_blob_free(&secblob);
- reply_spnego_ntlmssp(conn, outbuf, &global_ntlmssp_state,
+ reply_spnego_ntlmssp(conn, inbuf, outbuf, &global_ntlmssp_state,
&chal, nt_status);
data_blob_free(&chal);
@@ -419,7 +431,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
data_blob_free(&auth);
- reply_spnego_ntlmssp(conn, outbuf, &global_ntlmssp_state,
+ reply_spnego_ntlmssp(conn, inbuf, outbuf, &global_ntlmssp_state,
&auth_reply, nt_status);
data_blob_free(&auth_reply);
@@ -742,7 +754,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
free_user_info(&user_info);
data_blob_free(&lm_resp);
- data_blob_free(&nt_resp);
data_blob_clear_free(&plaintext_password);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -750,9 +761,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
}
if (!NT_STATUS_IS_OK(nt_status)) {
+ data_blob_free(&nt_resp);
return ERROR_NT(nt_status_squash(nt_status));
}
-
+
/* it's ok - setup a reply */
set_message(outbuf,3,0,True);
if (Protocol >= PROTOCOL_NT1) {
@@ -770,12 +782,17 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
to a uid can get through without a password, on the same VC */
/* register_vuid keeps the server info */
- sess_vuid = register_vuid(server_info, sub_user);
-
+ sess_vuid = register_vuid(server_info, nt_resp, sub_user);
+ data_blob_free(&nt_resp);
+
if (sess_vuid == -1) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
+ if (!server_info->guest && !srv_check_sign_mac(inbuf)) {
+ exit_server("reply_sesssetup_and_X: bad smb signature");
+ }
+
SSVAL(outbuf,smb_uid,sess_vuid);
SSVAL(inbuf,smb_uid,sess_vuid);