diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-08-31 01:42:09 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-09-05 13:17:32 +0200 |
commit | 0ed0a669566a0fe2f3a0357e35080346b550fb1d (patch) | |
tree | ffcd5175cd456dca89df1b5abed99e2beeed3c99 /libcli/smb | |
parent | 50648760e786c0f1c7236344c31592ab586773dd (diff) | |
download | samba-0ed0a669566a0fe2f3a0357e35080346b550fb1d.tar.gz samba-0ed0a669566a0fe2f3a0357e35080346b550fb1d.tar.bz2 samba-0ed0a669566a0fe2f3a0357e35080346b550fb1d.zip |
libcli/smb: move smb2_signing.c to the toplevel
metze
Diffstat (limited to 'libcli/smb')
-rw-r--r-- | libcli/smb/smb2_signing.c | 135 | ||||
-rw-r--r-- | libcli/smb/smb2_signing.h | 34 | ||||
-rw-r--r-- | libcli/smb/smb_common.h | 1 | ||||
-rw-r--r-- | libcli/smb/wscript_build | 7 |
4 files changed, 175 insertions, 2 deletions
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c new file mode 100644 index 0000000000..3687ace9b4 --- /dev/null +++ b/libcli/smb/smb2_signing.c @@ -0,0 +1,135 @@ +/* + Unix SMB/CIFS implementation. + SMB2 signing + + Copyright (C) Stefan Metzmacher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/filesys.h" +#include "../libcli/smb/smb_common.h" +#include "../lib/crypto/crypto.h" + +NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key, + struct iovec *vector, + int count) +{ + uint8_t *hdr; + uint64_t session_id; + struct HMACSHA256Context m; + uint8_t res[SHA256_DIGEST_LENGTH]; + int i; + + if (count < 2) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (vector[0].iov_len != SMB2_HDR_BODY) { + return NT_STATUS_INVALID_PARAMETER; + } + + hdr = (uint8_t *)vector[0].iov_base; + + session_id = BVAL(hdr, SMB2_HDR_SESSION_ID); + if (session_id == 0) { + /* + * do not sign messages with a zero session_id. + * See MS-SMB2 3.2.4.1.1 + */ + return NT_STATUS_OK; + } + + if (session_key.length == 0) { + DEBUG(2,("Wrong session key length %u for SMB2 signing\n", + (unsigned)session_key.length)); + return NT_STATUS_ACCESS_DENIED; + } + + memset(hdr + SMB2_HDR_SIGNATURE, 0, 16); + + SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED); + + ZERO_STRUCT(m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); + for (i=0; i < count; i++) { + hmac_sha256_update((const uint8_t *)vector[i].iov_base, + vector[i].iov_len, &m); + } + hmac_sha256_final(res, &m); + DEBUG(5,("signed SMB2 message\n")); + + memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16); + + return NT_STATUS_OK; +} + +NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key, + const struct iovec *vector, + int count) +{ + const uint8_t *hdr; + const uint8_t *sig; + uint64_t session_id; + struct HMACSHA256Context m; + uint8_t res[SHA256_DIGEST_LENGTH]; + static const uint8_t zero_sig[16] = { 0, }; + int i; + + if (count < 2) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (vector[0].iov_len != SMB2_HDR_BODY) { + return NT_STATUS_INVALID_PARAMETER; + } + + hdr = (const uint8_t *)vector[0].iov_base; + + session_id = BVAL(hdr, SMB2_HDR_SESSION_ID); + if (session_id == 0) { + /* + * do not sign messages with a zero session_id. + * See MS-SMB2 3.2.4.1.1 + */ + return NT_STATUS_OK; + } + + if (session_key.length == 0) { + /* we don't have the session key yet */ + return NT_STATUS_OK; + } + + sig = hdr+SMB2_HDR_SIGNATURE; + + ZERO_STRUCT(m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); + hmac_sha256_update(hdr, SMB2_HDR_SIGNATURE, &m); + hmac_sha256_update(zero_sig, 16, &m); + for (i=1; i < count; i++) { + hmac_sha256_update((const uint8_t *)vector[i].iov_base, + vector[i].iov_len, &m); + } + hmac_sha256_final(res, &m); + + if (memcmp(res, sig, 16) != 0) { + DEBUG(0,("Bad SMB2 signature for message\n")); + dump_data(0, sig, 16); + dump_data(0, res, 16); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h new file mode 100644 index 0000000000..3c3e0c2881 --- /dev/null +++ b/libcli/smb/smb2_signing.h @@ -0,0 +1,34 @@ +/* + Unix SMB/CIFS implementation. + SMB2 signing + + Copyright (C) Stefan Metzmacher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBCLI_SMB_SMB2_SIGNING_H_ +#define _LIBCLI_SMB_SMB2_SIGNING_H_ + +struct iovec; + +NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key, + struct iovec *vector, + int count); + +NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key, + const struct iovec *vector, + int count); + +#endif /* _LIBCLI_SMB_SMB2_SIGNING_H_ */ diff --git a/libcli/smb/smb_common.h b/libcli/smb/smb_common.h index 83f7db2dfa..1f21e553ba 100644 --- a/libcli/smb/smb_common.h +++ b/libcli/smb/smb_common.h @@ -24,6 +24,7 @@ #include "libcli/smb/smb2_constants.h" #include "libcli/smb/smb2_create_blob.h" +#include "libcli/smb/smb2_signing.h" #include "libcli/smb/smb_constants.h" #include "libcli/smb/smb_util.h" #include "libcli/smb/smb_unix_ext.h" diff --git a/libcli/smb/wscript_build b/libcli/smb/wscript_build index 89ecf519ec..66319e9a5b 100644 --- a/libcli/smb/wscript_build +++ b/libcli/smb/wscript_build @@ -2,9 +2,12 @@ bld.SAMBA_LIBRARY('cli_smb_common', - source='smb2_create_blob.c util.c', + source='smb2_create_blob.c smb2_signing.c util.c', autoproto='smb_common_proto.h', + deps='LIBCRYPTO', public_deps='talloc samba-util', private_library=True, - public_headers='smb_common.h smb2_constants.h smb2_create_blob.h', + public_headers='''smb_common.h smb2_constants.h + smb2_create_blob.h smb2_signing.h + ''', ) |