diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2003-02-01 13:01:31 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2003-02-01 13:01:31 +0000 |
| commit | 2f5d3e7a64a7f756aa289294050e57b34c6dfb17 (patch) | |
| tree | cea08d868eaff30268c4b907493e2673a0c2e703 /source3/libsmb/smbencrypt.c | |
| parent | 4e8a08592340b2bd13369a205f0a30b9e827f997 (diff) | |
| download | samba-2f5d3e7a64a7f756aa289294050e57b34c6dfb17.tar.gz samba-2f5d3e7a64a7f756aa289294050e57b34c6dfb17.tar.bz2 samba-2f5d3e7a64a7f756aa289294050e57b34c6dfb17.zip | |
We now have client-side SMB signing support!
This checking allows us to connect to Microsoft servers the use SMB signing,
within a few restrictions:
- I've not get the NTLMSSP stuff going - it appears to work, but if you break
the sig - say by writing a zero in it - it still passes...
- We don't currently verfiy the server's reply
- It works against one of my test servers, but not the other...
However, it provides an excellent basis to work from. Enable it with 'client
signing' in your smb.conf.
Doc to come (tomorrow) and this is not for 3.0, till we get it complete.
The CIFS Spec is misleading - the session key (for NTLMv1 at least) is the
standard session key, ie MD4(NT#).
Thanks to jra for the early work on this.
Andrew Bartlett
(This used to be commit 1a2738937e3d80b378bd0ed33cd8d395fba2d3c3)
Diffstat (limited to 'source3/libsmb/smbencrypt.c')
| -rw-r--r-- | source3/libsmb/smbencrypt.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c index a57a98e3ea..022a57ef6a 100644 --- a/source3/libsmb/smbencrypt.c +++ b/source3/libsmb/smbencrypt.c @@ -362,10 +362,12 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd, SMB signing - setup the MAC key. ************************************************************/ -void cli_calculate_mac_key(struct cli_state *cli, const char *ntpasswd, const uchar resp[24]) +void cli_calculate_mac_key(struct cli_state *cli, const char *plain_passwd, const uchar resp[24]) { - /* Get first 16 bytes. */ - E_md4hash(ntpasswd,&cli->sign_info.mac_key[0]); + uchar nt_hash[16]; + E_md4hash(plain_passwd, nt_hash); + + mdfour(&cli->sign_info.mac_key[0], nt_hash, sizeof(nt_hash)); memcpy(&cli->sign_info.mac_key[16],resp,24); cli->sign_info.mac_key_len = 40; cli->sign_info.use_smb_signing = True; @@ -375,7 +377,7 @@ void cli_calculate_mac_key(struct cli_state *cli, const char *ntpasswd, const uc cli->writebraw_supported = False; /* Reset the sequence number in case we had a previous (aborted) attempt */ - cli->sign_info.send_seq_num = 0; + cli->sign_info.send_seq_num = 2; } /*********************************************************** @@ -411,6 +413,7 @@ void cli_caclulate_sign_mac(struct cli_state *cli) MD5Final(calc_md5_mac, &md5_ctx); memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8); + /* cli->outbuf[smb_ss_field+2]=0; Uncomment this to test if the remote server actually verifies signitures...*/ cli->sign_info.send_seq_num++; |