libcli/smb: move smb2_signing.c to the toplevel

metze

1 files changed, 135 insertions, 0 deletions

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
new file mode 100644
index 0000000000..3687ace9b4
--- /dev/null
+++ b/libcli/smb/smb2_signing.c
@@ -0,0 +1,135 @@
+/*
+   Unix SMB/CIFS implementation.
+   SMB2 signing
+
+   Copyright (C) Stefan Metzmacher 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "../libcli/smb/smb_common.h"
+#include "../lib/crypto/crypto.h"
+
+NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
+			       struct iovec *vector,
+			       int count)
+{
+	uint8_t *hdr;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
+			 (unsigned)session_key.length));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
+
+	SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	for (i=0; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+	DEBUG(5,("signed SMB2 message\n"));
+
+	memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
+				const struct iovec *vector,
+				int count)
+{
+	const uint8_t *hdr;
+	const uint8_t *sig;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	static const uint8_t zero_sig[16] = { 0, };
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (const uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		/* we don't have the session key yet */
+		return NT_STATUS_OK;
+	}
+
+	sig = hdr+SMB2_HDR_SIGNATURE;
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	hmac_sha256_update(hdr, SMB2_HDR_SIGNATURE, &m);
+	hmac_sha256_update(zero_sig, 16, &m);
+	for (i=1; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+
+	if (memcmp(res, sig, 16) != 0) {
+		DEBUG(0,("Bad SMB2 signature for message\n"));
+		dump_data(0, sig, 16);
+		dump_data(0, res, 16);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return NT_STATUS_OK;
+}