Further work on NTLMSSP-based SMB signing. Current status is that I cannnot

get Win2k to send a valid signiture in it's session setup reply - which it will
give to win2k clients.

So, I need to look at becoming 'more like MS', but for now I'll get this code
into the tree.  It's actually based on the TNG cli_pipe_ntlmssp.c, as it was
slightly easier to understand than our own (but only the utility functions
remain in any way intact...).

This includes the mysical 'NTLM2' code - I have no idea if it actually works.

(I couldn't get TNG to use it for its pipes either).

Andrew Bartlett
(This used to be commit a034a5e381ba5612be21e2ba640d11f82cd945da)

4 files changed, 424 insertions, 48 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 589c7b36bb..36b6f609f5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -356,15 +356,13 @@ end:
 }
 
 /****************************************************************************
- Send a extended security session setup blob, returning a reply blob.
+ Send a extended security session setup blob
 ****************************************************************************/
 
-static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
 {
 	uint32 capabilities = cli_session_setup_capabilities(cli);
 	char *p;
-	DATA_BLOB blob2 = data_blob(NULL, 0);
-	uint32 len;
 
 	capabilities |= CAP_EXTENDED_SECURITY;
 
@@ -389,7 +387,18 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 	p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
 	p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
 	cli_setup_bcc(cli, p);
-	cli_send_smb(cli);
+	return cli_send_smb(cli);
+}
+
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
+{
+	DATA_BLOB blob2 = data_blob(NULL, 0);
+	char *p;
+	size_t len;
 
 	if (!cli_receive_smb(cli))
 		return blob2;
@@ -418,6 +427,20 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 	return blob2;
 }
 
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+{
+	DATA_BLOB blob2 = data_blob(NULL, 0);
+	if (!cli_session_setup_blob_send(cli, blob)) {
+		return blob2;
+	}
+		
+	return cli_session_setup_blob_receive(cli);
+}
+
 #ifdef HAVE_KRB5
 /****************************************************************************
  Use in-memory credentials cache
@@ -471,6 +494,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 	DATA_BLOB blob_in = data_blob(NULL, 0);
 	DATA_BLOB blob_out;
 
+	cli_temp_set_signing(cli);
+
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
 		return False;
 	}
@@ -501,8 +526,15 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 			}
 		
 			/* now send that blob on its way */
-			blob = cli_session_setup_blob(cli, msg1);
+			if (!cli_session_setup_blob_send(cli, msg1)) {
+				return False;
+			}
 			data_blob_free(&msg1);
+			
+			cli_ntlmssp_set_signing(cli, ntlmssp_state);
+			
+			blob = cli_session_setup_blob_receive(cli);
+
 			nt_status = cli_nt_error(cli);
 		}
 		
@@ -539,6 +571,9 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 		set_cli_session_key(cli, ntlmssp_state->session_key);
 	}
 
+	/* we have a reference conter on ntlmssp_state, if we are signing
+	   then the state will be kept by the signing engine */
+
 	if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
 		return False;
 	}
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index e1509f6b63..5722b8efcd 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -81,7 +81,7 @@ static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
 
 /**
  * Determine correct target name flags for reply, given server role 
- * and negoitated falgs
+ * and negotiated flags
  * 
  * @param ntlmssp_state NTLMSSP State
  * @param neg_flags The flags from the packet
@@ -291,7 +291,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 /**
  * Create an NTLMSSP state machine
  * 
- * @param ntlmssp_state NTLMSSP State, allocated by this funciton
+ * @param ntlmssp_state NTLMSSP State, allocated by this function
  */
 
 NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
@@ -322,7 +322,7 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
 /**
  * End an NTLMSSP state machine
  * 
- * @param ntlmssp_state NTLMSSP State, free()ed by this funciton
+ * @param ntlmssp_state NTLMSSP State, free()ed by this function
  */
 
 NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state)
@@ -431,7 +431,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 	DATA_BLOB session_key = data_blob(NULL, 0);
 	uint8 datagram_sess_key[16];
 
-	ZERO_STRUCT(datagram_sess_key);
+	generate_random_buffer(datagram_sess_key, sizeof(datagram_sess_key), False);	
 
 	if (!msrpc_parse(&reply, "CdBd",
 			 "NTLMSSP",
@@ -508,8 +508,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		session_key = data_blob(NULL, 16);
 		SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 	}
-	
-	data_blob_free(&challenge_blob);
 
 	/* this generates the actual auth packet */
 	if (!msrpc_gen(next_request, auth_gen_string, 
@@ -520,7 +518,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		       ntlmssp_state->domain, 
 		       ntlmssp_state->user, 
 		       ntlmssp_state->get_global_myname(), 
-		       datagram_sess_key, 0,
+		       datagram_sess_key, 16,
 		       ntlmssp_state->neg_flags)) {
 		
 		data_blob_free(&lm_response);
@@ -529,9 +527,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	data_blob_free(&lm_response);
-	data_blob_free(&nt_response);
+	data_blob_free(&ntlmssp_state->chal);
+	data_blob_free(&ntlmssp_state->lm_resp);
+	data_blob_free(&ntlmssp_state->nt_resp);
+	data_blob_free(&ntlmssp_state->session_key);
 
+	ntlmssp_state->chal = challenge_blob;
+	ntlmssp_state->lm_resp = lm_response;
+	ntlmssp_state->nt_resp = nt_response;
 	ntlmssp_state->session_key = session_key;
 
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
@@ -558,10 +561,12 @@ NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 	(*ntlmssp_state)->unicode = True;
 
 	(*ntlmssp_state)->neg_flags = 
-	       	NTLMSSP_NEGOTIATE_128 | 
+		NTLMSSP_NEGOTIATE_128 |
 		NTLMSSP_NEGOTIATE_NTLM |
 		NTLMSSP_REQUEST_TARGET;
 
+	(*ntlmssp_state)->ref_count = 1;
+
 	return NT_STATUS_OK;
 }
 
@@ -569,8 +574,16 @@ NTSTATUS ntlmssp_client_end(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 {
 	TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
 
-	data_blob_free(&(*ntlmssp_state)->session_key);
-	talloc_destroy(mem_ctx);
+	(*ntlmssp_state)->ref_count--;
+
+	if ((*ntlmssp_state)->ref_count == 0) {
+		data_blob_free(&(*ntlmssp_state)->chal);
+		data_blob_free(&(*ntlmssp_state)->lm_resp);
+		data_blob_free(&(*ntlmssp_state)->nt_resp);
+		data_blob_free(&(*ntlmssp_state)->session_key);
+		talloc_destroy(mem_ctx);
+	}
+
 	*ntlmssp_state = NULL;
 	return NT_STATUS_OK;
 }
diff --git a/source3/libsmb/ntlmssp_sign.c b/source3/libsmb/ntlmssp_sign.c
new file mode 100644
index 0000000000..f51d532319
--- /dev/null
+++ b/source3/libsmb/ntlmssp_sign.c
@@ -0,0 +1,208 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Version 3.0
+ *  NTLMSSP Signing routines
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-2001
+ *  Copyright (C) Andrew Bartlett 2003
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software Foundation,
+ *  Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#include "includes.h"
+
+#define CLI_SIGN "session key to client-to-server signing key magic constant"
+#define CLI_SEAL "session key to client-to-server sealing key magic constant"
+#define SRV_SIGN "session key to server-to-client signing key magic constant"
+#define SRV_SEAL "session key to server-to-client sealing key magic constant"
+
+static void NTLMSSPcalc_ap( unsigned char *hash, unsigned char *data, int len)
+{
+    unsigned char index_i = hash[256];
+    unsigned char index_j = hash[257];
+    int ind;
+
+    for (ind = 0; ind < len; ind++)
+    {
+        unsigned char tc;
+        unsigned char t;
+
+        index_i++;
+        index_j += hash[index_i];
+
+        tc = hash[index_i];
+        hash[index_i] = hash[index_j];
+        hash[index_j] = tc;
+
+        t = hash[index_i] + hash[index_j];
+        data[ind] = data[ind] ^ hash[t];
+    }
+
+    hash[256] = index_i;
+    hash[257] = index_j;
+}
+
+static void calc_hash(unsigned char *hash, const char *k2, int k2l)
+{
+	unsigned char j = 0;
+	int ind;
+
+	for (ind = 0; ind < 256; ind++)
+	{
+		hash[ind] = (unsigned char)ind;
+	}
+
+	for (ind = 0; ind < 256; ind++)
+	{
+		unsigned char tc;
+
+		j += (hash[ind] + k2[ind%k2l]);
+
+		tc = hash[ind];
+		hash[ind] = hash[j];
+		hash[j] = tc;
+	}
+
+	hash[256] = 0;
+	hash[257] = 0;
+}
+
+static void calc_ntlmv2_hash(unsigned char hash[16], char digest[16],
+			     const char encrypted_response[16], 
+			     const char *constant)
+{
+	struct MD5Context ctx3;
+
+	MD5Init(&ctx3);
+	MD5Update(&ctx3, encrypted_response, 5);
+	MD5Update(&ctx3, constant, strlen(constant));
+	MD5Final(digest, &ctx3);
+
+	calc_hash(hash, digest, 16);
+}
+
+static NTSTATUS ntlmssp_make_packet_signiture(NTLMSSP_CLIENT_STATE *ntlmssp_state,
+					      const uchar *data, size_t length, 
+					      DATA_BLOB *sig) 
+{
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+		HMACMD5Context ctx;
+		char seq_num[4];
+		uchar digest[16];
+		SIVAL(seq_num, 0, &ntlmssp_state->ntlmssp_seq_num);
+
+		hmac_md5_init_limK_to_64(ntlmssp_state->cli_sign_const, 16, &ctx);
+		hmac_md5_update(seq_num, 4, &ctx);
+		hmac_md5_update(data, length, &ctx);
+		hmac_md5_final(digest, &ctx);
+
+		if (!msrpc_gen(sig, "Bd", digest, sizeof(digest), ntlmssp_state->ntlmssp_seq_num)) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	       
+		NTLMSSPcalc_ap(ntlmssp_state->cli_seal_hash,  sig->data, sig->length);
+	} else {
+		uint32 crc;
+		crc = crc32_calc_buffer(data, length);
+		if (!msrpc_gen(sig, "ddd", 0, crc, ntlmssp_state->ntlmssp_seq_num)) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		NTLMSSPcalc_ap(ntlmssp_state->ntlmssp_hash, sig->data, sig->length);
+	}
+	return NT_STATUS_OK;
+}
+
+NTSTATUS ntlmssp_client_sign_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
+					   const uchar *data, size_t length, 
+					   DATA_BLOB *sig) 
+{
+	ntlmssp_state->ntlmssp_seq_num++;
+	return ntlmssp_make_packet_signiture(ntlmssp_state, data, length, sig);
+}
+
+/**
+ * Check the signature of an incoming packet 
+ * @note caller *must* check that the signature is the size it expects 
+ *
+ */
+
+NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
+					   const uchar *data, size_t length, 
+					   const DATA_BLOB *sig) 
+{
+	DATA_BLOB local_sig;
+	NTSTATUS nt_status;
+
+	if (sig->length < 8) {
+		DEBUG(0, ("NTLMSSP packet check failed due to short signiture (%u bytes)!\n", 
+			  sig->length));
+	}
+
+	nt_status = ntlmssp_make_packet_signiture(ntlmssp_state, data, 
+						  length, &local_sig);
+	
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status)));
+		return nt_status;
+	}
+	
+	if (memcmp(sig->data, local_sig.data, MIN(sig->length, local_sig.length)) == 0) {
+		return NT_STATUS_OK;
+	} else {
+		DEBUG(0, ("NTLMSSP packet check failed due to invalid signiture!\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+}
+
+/**
+   Initialise the state for NTLMSSP signing.
+*/
+NTSTATUS ntlmssp_client_sign_init(NTLMSSP_CLIENT_STATE *ntlmssp_state)
+{
+	unsigned char p24[24];
+	unsigned char lm_hash[16];
+
+	if (!ntlmssp_state->lm_resp.data) {
+		/* can't sign or check signitures yet */ 
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+			    
+	E_deshash(ntlmssp_state->password, lm_hash);
+		
+	NTLMSSPOWFencrypt(lm_hash, ntlmssp_state->lm_resp.data, p24);
+	
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
+	{
+		calc_ntlmv2_hash(ntlmssp_state->cli_sign_hash, ntlmssp_state->cli_sign_const, p24, CLI_SIGN);
+		calc_ntlmv2_hash(ntlmssp_state->cli_seal_hash, ntlmssp_state->cli_seal_const, p24, CLI_SEAL);
+		calc_ntlmv2_hash(ntlmssp_state->srv_sign_hash, ntlmssp_state->srv_sign_const, p24, SRV_SIGN);
+		calc_ntlmv2_hash(ntlmssp_state->srv_seal_hash, ntlmssp_state->srv_seal_const, p24, SRV_SEAL);
+	}
+	else
+	{
+		char k2[8];
+		memcpy(k2, p24, 5);
+		k2[5] = 0xe5;
+		k2[6] = 0x38;
+		k2[7] = 0xb0;
+		
+		calc_hash(ntlmssp_state->ntlmssp_hash, k2, 8);
+	}
+
+	ntlmssp_state->ntlmssp_seq_num = 0;
+
+	ZERO_STRUCT(lm_hash);
+	return NT_STATUS_OK;
+}
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 581d18fef7..40359c5c8c 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -33,6 +33,11 @@ struct smb_basic_signing_context {
 
 static BOOL set_smb_signing_common(struct cli_state *cli) 
 {
+	if (!cli->sign_info.negotiated_smb_signing 
+	    && !cli->sign_info.mandetory_signing) {
+		return False;
+	}
+
 	if (cli->sign_info.doing_signing) {
 		return False;
 	}
@@ -40,7 +45,7 @@ static BOOL set_smb_signing_common(struct cli_state *cli)
 	if (cli->sign_info.free_signing_context)
 		cli->sign_info.free_signing_context(cli);
 
-	/* These calls are INCONPATIBLE with SMB signing */
+	/* These calls are INCOMPATIBLE with SMB signing */
 	cli->readbraw_supported = False;
 	cli->writebraw_supported = False;
 	
@@ -54,7 +59,7 @@ static BOOL set_smb_signing_common(struct cli_state *cli)
 static BOOL set_smb_signing_real_common(struct cli_state *cli) 
 {
 	if (cli->sign_info.mandetory_signing) {
-		DEBUG(5, ("Mandetory SMB signing enabled!\n"));
+		DEBUG(5, ("Mandatory SMB signing enabled!\n"));
 		cli->sign_info.doing_signing = True;
 	}
 
@@ -71,6 +76,28 @@ static void mark_packet_signed(struct cli_state *cli)
 	SSVAL(cli->outbuf,smb_flg2, flags2);
 }
 
+static BOOL signing_good(struct cli_state *cli, BOOL good) 
+{
+	DEBUG(10, ("got SMB signature of\n"));
+	dump_data(10,&cli->outbuf[smb_ss_field] , 8);
+
+	if (good && !cli->sign_info.doing_signing) {
+		cli->sign_info.doing_signing = True;
+	}
+
+	if (!good) {
+		if (cli->sign_info.doing_signing) {
+			DEBUG(1, ("SMB signature check failed!\n"));
+			return False;
+		} else {
+			DEBUG(3, ("Server did not sign reply correctly\n"));
+			cli_free_signing_context(cli);
+			return False;
+		}
+	}
+	return True;
+}	
+
 /***********************************************************
  SMB signing - Simple implementation - calculate a MAC to send.
 ************************************************************/
@@ -99,7 +126,7 @@ static void cli_simple_sign_outgoing_message(struct cli_state *cli)
 	MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
 	MD5Final(calc_md5_mac, &md5_ctx);
 
-	DEBUG(10, ("sent SMB signiture of\n"));
+	DEBUG(10, ("sent SMB signature of\n"));
 	dump_data(10, calc_md5_mac, 8);
 
 	memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
@@ -130,7 +157,7 @@ static BOOL cli_simple_check_incoming_message(struct cli_state *cli)
 
 	memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
 
-	DEBUG(10, ("got SMB signiture of\n"));
+	DEBUG(10, ("got SMB signature of\n"));
 	dump_data(10, server_sent_mac, 8);
 
 	SIVAL(cli->inbuf, smb_ss_field, data->reply_seq_num);
@@ -145,15 +172,7 @@ static BOOL cli_simple_check_incoming_message(struct cli_state *cli)
 
 	good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
 	
-	if (good && !cli->sign_info.doing_signing) {
-		cli->sign_info.doing_signing = True;
-	}
-
-	if (!good) {
-		DEBUG(1, ("SMB signiture check failed!\n"));
-	}
-
-	return good;
+	return signing_good(cli, good);
 }
 
 /***********************************************************
@@ -174,16 +193,16 @@ static void cli_simple_free_signing_context(struct cli_state *cli)
  SMB signing - Simple implementation - setup the MAC key.
 ************************************************************/
 
-void cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
+BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
 {
 	struct smb_basic_signing_context *data;
 
 	if (!set_smb_signing_common(cli)) {
-		return;
+		return False;
 	}
 
 	if (!set_smb_signing_real_common(cli)) {
-		return;
+		return False;
 	}
 
 	data = smb_xmalloc(sizeof(*data));
@@ -194,12 +213,105 @@ void cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
 	memcpy(&data->mac_key.data[0], user_session_key, 16);
 	memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16));
 
-	/* Initialise the sequence number */
+	/* Initialize the sequence number */
 	data->send_seq_num = 0;
 
 	cli->sign_info.sign_outgoing_message = cli_simple_sign_outgoing_message;
 	cli->sign_info.check_incoming_message = cli_simple_check_incoming_message;
 	cli->sign_info.free_signing_context = cli_simple_free_signing_context;
+
+	return True;
+}
+
+/***********************************************************
+ SMB signing - NTLMSSP implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_ntlmssp_sign_outgoing_message(struct cli_state *cli)
+{
+	NTSTATUS nt_status;
+	DATA_BLOB sig;
+	NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
+
+	/* mark the packet as signed - BEFORE we sign it...*/
+	mark_packet_signed(cli);
+	
+	nt_status = ntlmssp_client_sign_packet(ntlmssp_state, cli->outbuf + 4, 
+					       smb_len(cli->outbuf), &sig);
+	
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(0, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
+		return;
+	}
+
+	DEBUG(10, ("sent SMB signature of\n"));
+	dump_data(10, sig.data, MIN(sig.length, 8));
+	memcpy(&cli->outbuf[smb_ss_field], sig.data, MIN(sig.length, 8));
+	
+	data_blob_free(&sig);
+}
+
+/***********************************************************
+ SMB signing - NTLMSSP implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_ntlmssp_check_incoming_message(struct cli_state *cli)
+{
+	BOOL good;
+	NTSTATUS nt_status;
+	DATA_BLOB sig = data_blob(&cli->outbuf[smb_ss_field], 8);
+
+	NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
+
+	nt_status = ntlmssp_client_check_packet(ntlmssp_state, cli->outbuf + 4, 
+						smb_len(cli->outbuf), &sig);
+	
+	data_blob_free(&sig);
+	
+	good = NT_STATUS_IS_OK(nt_status);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(5, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
+	}
+
+	return signing_good(cli, good);
+}
+
+/***********************************************************
+ SMB signing - NTLMSSP implementation - free signing context
+************************************************************/
+
+static void cli_ntlmssp_free_signing_context(struct cli_state *cli)
+{
+	ntlmssp_client_end((NTLMSSP_CLIENT_STATE **)&cli->sign_info.signing_context);
+}
+
+/***********************************************************
+ SMB signing - NTLMSSP implementation - setup the MAC key.
+************************************************************/
+
+BOOL cli_ntlmssp_set_signing(struct cli_state *cli,
+			     NTLMSSP_CLIENT_STATE *ntlmssp_state)
+{
+	if (!set_smb_signing_common(cli)) {
+		return False;
+	}
+
+	if (!NT_STATUS_IS_OK(ntlmssp_client_sign_init(ntlmssp_state))) {
+		return False;
+	}
+
+	if (!set_smb_signing_real_common(cli)) {
+		return False;
+	}
+
+	cli->sign_info.signing_context = ntlmssp_state;
+	ntlmssp_state->ref_count++;
+
+	cli->sign_info.sign_outgoing_message = cli_ntlmssp_sign_outgoing_message;
+	cli->sign_info.check_incoming_message = cli_ntlmssp_check_incoming_message;
+	cli->sign_info.free_signing_context = cli_ntlmssp_free_signing_context;
+
+	return True;
 }
 
 /***********************************************************
@@ -210,7 +322,7 @@ static void cli_null_sign_outgoing_message(struct cli_state *cli)
 {
 	/* we can't zero out the sig, as we might be trying to send a
 	   session request - which is NBT-level, not SMB level and doesn't
-	   have the feild */
+	   have the field */
 	return;
 }
 
@@ -232,23 +344,24 @@ static void cli_null_free_signing_context(struct cli_state *cli)
 	return;
 }
 
-/***********************************************************
+/**
  SMB signing - NULL implementation - setup the MAC key.
-************************************************************/
 
-void cli_null_set_signing(struct cli_state *cli)
+ @note Used as an initialisation only - it will not correctly
+       shut down a real signing mechinism
+*/
+
+BOOL cli_null_set_signing(struct cli_state *cli)
 {
 	struct smb_basic_sign_data *data;
 
-	if (!set_smb_signing_common(cli)) {
-		return;
-	}
-
 	cli->sign_info.signing_context = NULL;
 	
 	cli->sign_info.sign_outgoing_message = cli_null_sign_outgoing_message;
 	cli->sign_info.check_incoming_message = cli_null_check_incoming_message;
 	cli->sign_info.free_signing_context = cli_null_free_signing_context;
+
+	return True;
 }
 
 /***********************************************************
@@ -257,7 +370,12 @@ void cli_null_set_signing(struct cli_state *cli)
 
 static void cli_temp_sign_outgoing_message(struct cli_state *cli)
 {
-	memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
+	/* mark the packet as signed - BEFORE we sign it...*/
+	mark_packet_signed(cli);
+
+	/* I wonder what BSRSPYL stands for - but this is what MS 
+	   actually sends! */
+	memcpy(&cli->outbuf[smb_ss_field], "BSRSPYL ", 8);
 	return;
 }
 
@@ -283,10 +401,10 @@ static void cli_temp_free_signing_context(struct cli_state *cli)
  SMB signing - NULL implementation - setup the MAC key.
 ************************************************************/
 
-void cli_temp_set_signing(struct cli_state *cli)
+BOOL cli_temp_set_signing(struct cli_state *cli)
 {
 	if (!set_smb_signing_common(cli)) {
-		return;
+		return False;
 	}
 
 	cli->sign_info.signing_context = NULL;
@@ -294,6 +412,8 @@ void cli_temp_set_signing(struct cli_state *cli)
 	cli->sign_info.sign_outgoing_message = cli_temp_sign_outgoing_message;
 	cli->sign_info.check_incoming_message = cli_temp_check_incoming_message;
 	cli->sign_info.free_signing_context = cli_temp_free_signing_context;
+
+	return True;
 }
 
 /**
@@ -309,7 +429,7 @@ void cli_free_signing_context(struct cli_state *cli)
 }
 
 /**
- * Sign a packet with the current mechinism
+ * Sign a packet with the current mechanism
  */
  
 void cli_caclulate_sign_mac(struct cli_state *cli)
@@ -318,7 +438,7 @@ void cli_caclulate_sign_mac(struct cli_state *cli)
 }
 
 /**
- * Check a packet with the current mechinism
+ * Check a packet with the current mechanism
  * @return False if we had an established signing connection
  *         which had a back checksum, True otherwise
  */