diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2003-03-18 12:01:47 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2003-03-18 12:01:47 +0000 |
| commit | 892599fb92b6158e86a3934c8f2045ee457f38e3 (patch) | |
| tree | daf6bb11844cc1bbd8afecc2c7329a090a3f986e /source3/libsmb/cliconnect.c | |
| parent | 50e9b88dff56e70ad03eb104cb151fe21112b984 (diff) | |
| download | samba-892599fb92b6158e86a3934c8f2045ee457f38e3.tar.gz samba-892599fb92b6158e86a3934c8f2045ee457f38e3.tar.bz2 samba-892599fb92b6158e86a3934c8f2045ee457f38e3.zip | |
Merge from HEAD:
A much better SMB signing module, that allows for mulitple signing algorithms
and correctly backs down from signing when the server cannot sign the reply.
This also attempts to enable SMB signing on NTLMSSP connections, but I don't
know what NTLMSSP flags to set yet.
This would allow 'client use signing' to be set by default, for server
compatability. (A seperate option value should be provided for mandetory
signing, which would not back down).
Andrew Bartlett
(This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b)
Diffstat (limited to 'source3/libsmb/cliconnect.c')
| -rw-r--r-- | source3/libsmb/cliconnect.c | 94 |
1 files changed, 44 insertions, 50 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 54a282e805..763878f9b3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -228,39 +228,11 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, return True; } -static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response) -{ - uint8 zero_sig[8]; - ZERO_STRUCT(zero_sig); - - DEBUG(5, ("Server returned security sig:\n")); - dump_data(5, &cli->inbuf[smb_ss_field], 8); - - if (cli->sign_info.use_smb_signing) { - DEBUG(5, ("smb signing already active on connection\n")); - } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) { - - DEBUG(3, ("smb signing enabled!\n")); - cli->sign_info.use_smb_signing = True; - cli_calculate_mac_key(cli, user_session_key, response); - } else { - DEBUG(5, ("smb signing NOT enabled!\n")); - } -} - static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) { memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key))); } - -static void set_temp_signing_on_cli(struct cli_state *cli) -{ - if (cli->sign_info.negotiated_smb_signing) - cli->sign_info.temp_smb_signing = True; -} - - /**************************************************************************** do a NT1 NTLM/LM encrypted session setup @param cli client state to create do session setup on @@ -310,8 +282,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - - set_temp_signing_on_cli(cli); + cli_simple_set_signing(cli, session_key.data, nt_response); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -374,26 +345,24 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (session_key.data) { /* Have plaintext orginal */ set_cli_session_key(cli, session_key); - set_signing_on_cli(cli, session_key.data, nt_response); } + ret = True; end: data_blob_free(&lm_response); data_blob_free(&nt_response); data_blob_free(&session_key); - return True; + return ret; } /**************************************************************************** - Send a extended security session setup blob, returning a reply blob. + Send a extended security session setup blob ****************************************************************************/ -static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) +static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; - DATA_BLOB blob2 = data_blob(NULL, 0); - uint32 len; capabilities |= CAP_EXTENDED_SECURITY; @@ -403,8 +372,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) set_message(cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); - set_temp_signing_on_cli(cli); - cli_setup_packet(cli); SCVAL(cli->outbuf,smb_vwv0,0xFF); @@ -420,7 +387,18 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); + return cli_send_smb(cli); +} + +/**************************************************************************** + Send a extended security session setup blob, returning a reply blob. +****************************************************************************/ + +static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) +{ + DATA_BLOB blob2 = data_blob(NULL, 0); + char *p; + size_t len; if (!cli_receive_smb(cli)) return blob2; @@ -449,6 +427,20 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) return blob2; } +/**************************************************************************** + Send a extended security session setup blob, returning a reply blob. +****************************************************************************/ + +static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) +{ + DATA_BLOB blob2 = data_blob(NULL, 0); + if (!cli_session_setup_blob_send(cli, blob)) { + return blob2; + } + + return cli_session_setup_blob_receive(cli); +} + #ifdef HAVE_KRB5 /**************************************************************************** Use in-memory credentials cache @@ -502,6 +494,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, DATA_BLOB blob_in = data_blob(NULL, 0); DATA_BLOB blob_out; + cli_temp_set_signing(cli); + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) { return False; } @@ -532,8 +526,15 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, } /* now send that blob on its way */ - blob = cli_session_setup_blob(cli, msg1); + if (!cli_session_setup_blob_send(cli, msg1)) { + return False; + } data_blob_free(&msg1); + + cli_ntlmssp_set_signing(cli, ntlmssp_state); + + blob = cli_session_setup_blob_receive(cli); + nt_status = cli_nt_error(cli); } @@ -570,6 +571,9 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, set_cli_session_key(cli, ntlmssp_state->session_key); } + /* we have a reference conter on ntlmssp_state, if we are signing + then the state will be kept by the signing engine */ + if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) { return False; } @@ -883,11 +887,6 @@ BOOL cli_negprot(struct cli_state *cli) int numprots; int plength; - if (cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n")); - return False; - } - if (cli->protocol < PROTOCOL_NT1) cli->use_spnego = False; @@ -1013,11 +1012,6 @@ BOOL cli_session_request(struct cli_state *cli, if (cli->port == 445) return True; - if (cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n")); - return False; - } - /* send a session request (RFC 1002) */ /* setup the packet length * Remove four bytes from the length count, since the length |