authorAndrew Bartlett <abartlet@samba.org>2003-04-06 13:08:07 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-04-06 13:08:07 +0000
commit88ed48d0f935db136318fafe6e541cf7cbaed5e2 (patch)
tree1d1d62ce15b731e3e40b7212da3bc836f2c176df /source3/libsmb/ntlmssp_sign.c
parent9496f1e2063eb0b93142bfaf86979b21bf8b56e6 (diff)
SMB signing updates - this gets NTLMSSP signing working to the point where I
just need to get the verification code working - we get back a signature from the server, and just can't verify it yet. This also brings the short-packet checks into common code, and breaks the connection if the server sends a signed reply, on an established connection, that fails the test. This breaks our read/write code at the moment, as we need to keep a list of outstanding packets. (signing is not enabled by default, unless the server demands it) Not for 3.0 till I fix the outstanding packet list. Andrew Bartlett (This used to be commit 808d1fcf20153970d587cb631a08607beb09703a)
Diffstat (limited to 'source3/libsmb/ntlmssp_sign.c')
-rw-r--r--source3/libsmb/ntlmssp_sign.c26
1 files changed, 22 insertions, 4 deletions
diff --git a/source3/libsmb/ntlmssp_sign.c b/source3/libsmb/ntlmssp_sign.c
index 8f6bd0c691..5426263fb9 100644
--- a/source3/libsmb/ntlmssp_sign.c
+++ b/source3/libsmb/ntlmssp_sign.c
@@ -92,8 +92,14 @@ static void calc_ntlmv2_hash(unsigned char hash[16], char digest[16],
calc_hash(hash, digest, 16);
}
+enum ntlmssp_direction {
+ NTLMSSP_SEND,
+ NTLMSSP_RECEIVE
+};
+
static NTSTATUS ntlmssp_make_packet_signiture(NTLMSSP_CLIENT_STATE *ntlmssp_state,
const uchar *data, size_t length,
+ enum ntlmssp_direction direction,
DATA_BLOB *sig)
{
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
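Review bot: The new `enum ntlmssp_direction` and the `direction` parameter are undocumented, and nothing says whose point of view SEND and RECEIVE describe. A short comment above the enum would settle it, for example `/* Direction of the packet relative to this client; selects which signing state is applied to the signature. */`. The body of ntlmssp_make_packet_signiture continues outside this hunk, so whether the non-NTLM2 branch should also honour `direction` cannot be judged from here.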
@@ -110,8 +116,14 @@ static NTSTATUS ntlmssp_make_packet_signiture(NTLMSSP_CLIENT_STATE *ntlmssp_stat
if (!msrpc_gen(sig, "Bd", digest, sizeof(digest), ntlmssp_state->ntlmssp_seq_num)) {
return NT_STATUS_NO_MEMORY;
}
-
- NTLMSSPcalc_ap(ntlmssp_state->cli_seal_hash, sig->data, sig->length);
+ switch (direction) {
+ case NTLMSSP_SEND:
+ NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash, sig->data, sig->length);
+ break;
+ case NTLMSSP_RECEIVE:
+ NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash, sig->data, sig->length);
+ break;
+ }
} else {
uint32 crc;
crc = crc32_calc_buffer(data, length);
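Review bot: Both arms of the new `switch (direction)` call `NTLMSSPcalc_ap` with `ntlmssp_state->cli_sign_hash`, so NTLMSSP_RECEIVE builds the expected signature from the client's sending state and the parameter has no effect yet. If `NTLMSSPcalc_ap` updates that state in place (likely, but not visible here), checking a reply would also advance the state used for outgoing signatures and desynchronise later packets. Until a separate server-to-client state exists, mark the receive arm with something like `/* FIXME: must use the server-to-client signing state, not cli_sign_hash */`. The switch also has no `default:` arm, so an unexpected direction value leaves the signature unprocessed without any error. The function starts and ends outside this hunk.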
@@ -129,7 +141,7 @@ NTSTATUS ntlmssp_client_sign_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
DATA_BLOB *sig)
{
ntlmssp_state->ntlmssp_seq_num++;
- return ntlmssp_make_packet_signiture(ntlmssp_state, data, length, sig);
+ return ntlmssp_make_packet_signiture(ntlmssp_state, data, length, NTLMSSP_SEND, sig);
}
/**
@@ -151,7 +163,7 @@ NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
}
nt_status = ntlmssp_make_packet_signiture(ntlmssp_state, data,
- length, &local_sig);
+ length, NTLMSSP_RECEIVE, &local_sig);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status)));
@@ -161,6 +173,12 @@ NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
if (memcmp(sig->data, local_sig.data, MIN(sig->length, local_sig.length)) == 0) {
return NT_STATUS_OK;
} else {
+ DEBUG(5, ("BAD SIG: wanted signature of\n"));
+ dump_data(5, local_sig.data, local_sig.length);
+
+ DEBUG(5, ("BAD SIG: got signature of\n"));
+ dump_data(5, sig->data, sig->length);
+
DEBUG(0, ("NTLMSSP packet check failed due to invalid signiture!\n"));
return NT_STATUS_ACCESS_DENIED;
}
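Review bot: The comparison on the context line above the new debug output uses `MIN(sig->length, local_sig.length)`, so a received signature shorter than the computed one is accepted when only its prefix matches. Unless the short-packet check earlier in ntlmssp_client_check_packet (outside this hunk) already pins the length, a zero-length `sig` makes `memcmp` return 0 and the packet passes. Require equal lengths first: `if (sig->length == local_sig.length && memcmp(sig->data, local_sig.data, sig->length) == 0) {`. A constant-time comparison would be preferable for a MAC check. The added `dump_data(5, local_sig.data, ...)` writes the expected signature to the log at debug level 5, which deserves a comment saying it is diagnostic only. Neither return path visible here releases `local_sig`.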