diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-03-09 12:37:05 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2004-03-09 12:37:05 +0000 |
| commit | 4b683427acea8196cee1c8249ac5f25c98fb568e (patch) | |
| tree | d4905d9872254b91a81aceff6f1473cab3076f8b /source3/libsmb/cliconnect.c | |
| parent | 6100210db96e8647c33b4bf67458ce55f28a53e1 (diff) | |
| download | samba-4b683427acea8196cee1c8249ac5f25c98fb568e.tar.gz samba-4b683427acea8196cee1c8249ac5f25c98fb568e.tar.bz2 samba-4b683427acea8196cee1c8249ac5f25c98fb568e.zip | |
Commit to HEAD the updates to smb signing code that I was propsing for 3.0.
This code implements 'opportunistic signing' in our client (when the
server supports it, we will use it), and correct downgrading on both
the client and server for the 'enabled' (rather than required) signing
level.
This means that we can actually set 'server signing = yes' and not
have the world fall apart. We had a number of bugs in that code, and
it certainly looks like most of the testing was with the 'requried'
setting.
While the changes are reasonable, I'm putting this into HEAD rather
than 3.0 for the timebeing. SMB signing, like NTLMSSP, tends to have
gotchas in it :-)
(I also need to give it a workout with more than smbclient before I
move it across).
Andrew Bartlett
(This used to be commit 6bad895462cf076a7e917c909e2a461d1b360bf1)
Diffstat (limited to 'source3/libsmb/cliconnect.c')
| -rw-r--r-- | source3/libsmb/cliconnect.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 84159e5d62..b5993cd1e6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -325,7 +325,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - cli_simple_set_signing(cli, session_key, nt_response, 0); + cli_simple_set_signing(cli, session_key, nt_response); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -521,7 +521,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif - cli_simple_set_signing(cli, session_key_krb5, null_blob, 0); + cli_simple_set_signing(cli, session_key_krb5, null_blob); blob2 = cli_session_setup_blob(cli, negTokenTarg); @@ -643,13 +643,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - /* Using NTLMSSP session setup, signing on the net only starts - * after a successful authentication and the session key has - * been determined, but with a sequence number of 2. This - * assumes that NTLMSSP needs exactly 2 roundtrips, for any - * other SPNEGO mechanism it needs adapting. */ - - cli_simple_set_signing(cli, key, null_blob, 2); + if (cli_simple_set_signing(cli, key, null_blob)) { + + /* 'resign' the last message, so we get the right sequence numbers + for checking the first reply from the server */ + cli_calculate_sign_mac(cli); + + if (!cli_check_sign_mac(cli, True)) { + nt_status = NT_STATUS_ACCESS_DENIED; + } + } } /* we have a reference conter on ntlmssp_state, if we are signing @@ -1088,6 +1091,8 @@ BOOL cli_negprot(struct cli_state *cli) } cli->sign_info.negotiated_smb_signing = True; cli->sign_info.mandatory_signing = True; + } else if (cli->sign_info.allow_smb_signing && cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { + cli->sign_info.negotiated_smb_signing = True; } } else if (cli->protocol >= PROTOCOL_LANMAN1) { |