libcli/smb: move smb2_signing.c to the toplevel

metze

4 files changed, 175 insertions, 2 deletions

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
new file mode 100644
index 0000000000..3687ace9b4
--- /dev/null
+++ b/libcli/smb/smb2_signing.c
@@ -0,0 +1,135 @@
+/*
+   Unix SMB/CIFS implementation.
+   SMB2 signing
+
+   Copyright (C) Stefan Metzmacher 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "../libcli/smb/smb_common.h"
+#include "../lib/crypto/crypto.h"
+
+NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
+			       struct iovec *vector,
+			       int count)
+{
+	uint8_t *hdr;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
+			 (unsigned)session_key.length));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
+
+	SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	for (i=0; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+	DEBUG(5,("signed SMB2 message\n"));
+
+	memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
+				const struct iovec *vector,
+				int count)
+{
+	const uint8_t *hdr;
+	const uint8_t *sig;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	static const uint8_t zero_sig[16] = { 0, };
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (const uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		/* we don't have the session key yet */
+		return NT_STATUS_OK;
+	}
+
+	sig = hdr+SMB2_HDR_SIGNATURE;
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	hmac_sha256_update(hdr, SMB2_HDR_SIGNATURE, &m);
+	hmac_sha256_update(zero_sig, 16, &m);
+	for (i=1; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+
+	if (memcmp(res, sig, 16) != 0) {
+		DEBUG(0,("Bad SMB2 signature for message\n"));
+		dump_data(0, sig, 16);
+		dump_data(0, res, 16);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return NT_STATUS_OK;
+}
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
new file mode 100644
index 0000000000..3c3e0c2881
--- /dev/null
+++ b/libcli/smb/smb2_signing.h
@@ -0,0 +1,34 @@
+/*
+   Unix SMB/CIFS implementation.
+   SMB2 signing
+
+   Copyright (C) Stefan Metzmacher 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBCLI_SMB_SMB2_SIGNING_H_
+#define _LIBCLI_SMB_SMB2_SIGNING_H_
+
+struct iovec;
+
+NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
+			       struct iovec *vector,
+			       int count);
+
+NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
+				const struct iovec *vector,
+				int count);
+
+#endif /* _LIBCLI_SMB_SMB2_SIGNING_H_ */
diff --git a/libcli/smb/smb_common.h b/libcli/smb/smb_common.h
index 83f7db2dfa..1f21e553ba 100644
--- a/libcli/smb/smb_common.h
+++ b/libcli/smb/smb_common.h
@@ -24,6 +24,7 @@
 
 #include "libcli/smb/smb2_constants.h"
 #include "libcli/smb/smb2_create_blob.h"
+#include "libcli/smb/smb2_signing.h"
 #include "libcli/smb/smb_constants.h"
 #include "libcli/smb/smb_util.h"
 #include "libcli/smb/smb_unix_ext.h"
diff --git a/libcli/smb/wscript_build b/libcli/smb/wscript_build
index 89ecf519ec..66319e9a5b 100644
--- a/libcli/smb/wscript_build
+++ b/libcli/smb/wscript_build
@@ -2,9 +2,12 @@
 
 
 bld.SAMBA_LIBRARY('cli_smb_common',
-	source='smb2_create_blob.c util.c',
+	source='smb2_create_blob.c smb2_signing.c util.c',
 	autoproto='smb_common_proto.h',
+	deps='LIBCRYPTO',
 	public_deps='talloc samba-util',
 	private_library=True,
-	public_headers='smb_common.h smb2_constants.h smb2_create_blob.h',
+	public_headers='''smb_common.h smb2_constants.h
+			smb2_create_blob.h smb2_signing.h
+	''',
 	)