r21897: Add in a basic raw NTLM encrypt request. Now

for testing.
Jeremy.
(This used to be commit 783a7b3085a155d9652cd725bf2960cd272cb554)

3 files changed, 159 insertions, 16 deletions

diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 9c3b6e3aed..52e12a38e3 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -302,3 +302,116 @@ cleanup:
 
 	return ret;	
 }
+
+/******************************************************************************
+ Send/receive the request encryption blob.
+******************************************************************************/
+
+static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out)
+{
+	uint16 setup;
+	char param[2];
+	char *rparam=NULL, *rdata=NULL;
+	unsigned int rparam_count=0, rdata_count=0;
+	NTSTATUS status = NT_STATUS_OK;
+
+	setup = TRANSACT2_SETFSINFO;
+
+	SSVAL(param,0,SMB_REQUEST_TRANSPORT_ENCRYPTION);
+
+	if (!cli_send_trans(cli, SMBtrans2,
+				NULL,
+				0, 0,
+				&setup, 1, 0,
+				param, 2, 0,
+				(char *)in->data, in->length, CLI_BUFFER_SIZE)) {
+		status = cli_nt_error(cli);
+		goto out;
+	}
+
+	if (!cli_receive_trans(cli, SMBtrans2,
+				&rparam, &rparam_count,
+				&rdata, &rdata_count)) {
+		status = cli_nt_error(cli);
+		goto out;
+	}
+
+	if (cli_is_error(cli)) {
+		status = cli_nt_error(cli);
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+			goto out;
+		}
+	}
+
+	*out = data_blob(rdata, rdata_count);
+
+  out:
+
+	SAFE_FREE(rparam);
+	SAFE_FREE(rdata);
+	return status;
+}
+
+/******************************************************************************
+ Start a raw ntlmssp encryption.
+******************************************************************************/
+
+NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, 
+				const char *user,
+				const char *pass,
+				const char *domain)
+{
+	DATA_BLOB blob_in = data_blob(NULL, 0);
+	DATA_BLOB blob_out = data_blob(NULL, 0);
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	struct smb_trans_enc_state *es = NULL;
+
+	es = SMB_MALLOC_P(struct smb_trans_enc_state);
+	if (!es) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	ZERO_STRUCTP(es);
+	es->smb_enc_type = SMB_TRANS_ENC_NTLM;
+	status = ntlmssp_client_start(&es->ntlmssp_state);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
+
+	ntlmssp_want_feature(es->ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+	es->ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
+
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->ntlmssp_state, user))) {
+		goto fail;
+	}
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->ntlmssp_state, domain))) {
+		goto fail;
+	}
+	if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->ntlmssp_state, pass))) {
+		goto fail;
+	}
+
+	do {
+		status = ntlmssp_update(es->ntlmssp_state, blob_in, &blob_out);
+		data_blob_free(&blob_in);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
+			status = enc_blob_send_receive(cli, &blob_out, &blob_in);
+		}
+		data_blob_free(&blob_out);
+	} while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+
+	data_blob_free(&blob_in);
+
+	if (NT_STATUS_IS_OK(status)) {
+		/* Replace the old state, if any. */
+		if (cli->trans_enc_state) {
+			common_free_encryption_state(&cli->trans_enc_state);
+		}
+		cli->trans_enc_state = es;
+		cli->trans_enc_state->enc_on = True;
+	}
+
+  fail:
+
+	common_free_encryption_state(&es);
+	return status;
+}
diff --git a/source3/libsmb/smb_seal.c b/source3/libsmb/smb_seal.c
index 06662e53fb..a509438f07 100644
--- a/source3/libsmb/smb_seal.c
+++ b/source3/libsmb/smb_seal.c
@@ -154,6 +154,12 @@ NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, cha
 		return NT_STATUS_OK;
 	}
 
+	/* Ignore session keepalives. */
+	if(CVAL(buffer,0) == SMBkeepalive) {
+		*buf_out = buffer;
+		return NT_STATUS_OK;
+	}
+
 	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
 		return common_ntlm_encrypt_buffer(es->ntlmssp_state, buffer, buf_out);
 	} else {
@@ -177,6 +183,12 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf)
 		/* Not decrypting. */
 		return NT_STATUS_OK;
 	}
+
+	/* Ignore session keepalives. */
+	if(CVAL(buf,0) == SMBkeepalive) {
+		return NT_STATUS_OK;
+	}
+
 	if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
 		return common_ntlm_decrypt_buffer(es->ntlmssp_state, buf);
 	} else {
@@ -282,15 +294,3 @@ NTSTATUS cli_encrypt_message(struct cli_state *cli, char **buf_out)
 {
 	return common_encrypt_buffer(cli->trans_enc_state, cli->outbuf, buf_out);
 }
-
-/******************************************************************************
- Start a raw ntlmssp encryption.
-******************************************************************************/
-
-NTSTATUS cli_ntlm_smb_encryption_on(struct cli_state *cli, 
-				const char *user,
-				const char *pass,
-				const char *workgroup)
-{
-
-}
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index df74b2db36..66a15e9408 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -585,7 +585,9 @@ void cli_free_signing_context(struct cli_state *cli)
  
 void cli_calculate_sign_mac(struct cli_state *cli)
 {
-	cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+	if (!cli_encryption_on(cli)) {
+		cli->sign_info.sign_outgoing_message(cli->outbuf, &cli->sign_info);
+	}
 }
 
 /**
@@ -596,6 +598,9 @@ void cli_calculate_sign_mac(struct cli_state *cli)
  
 BOOL cli_check_sign_mac(struct cli_state *cli) 
 {
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!cli->sign_info.check_incoming_message(cli->inbuf, &cli->sign_info, True)) {
 		free_signing_context(&cli->sign_info);	
 		return False;
@@ -612,6 +617,9 @@ BOOL client_set_trans_sign_state_on(struct cli_state *cli, uint16 mid)
 	struct smb_sign_info *si = &cli->sign_info;
 	struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
 
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!si->doing_signing) {
 		return True;
 	}
@@ -637,6 +645,9 @@ BOOL client_set_trans_sign_state_off(struct cli_state *cli, uint16 mid)
 	struct smb_sign_info *si = &cli->sign_info;
 	struct smb_basic_signing_context *data = (struct smb_basic_signing_context *)si->signing_context;
 
+	if (cli_encryption_on(cli)) {
+		return True;
+	}
 	if (!si->doing_signing) {
 		return True;
 	}
@@ -798,8 +809,18 @@ BOOL srv_oplock_set_signing(BOOL onoff)
 BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
 {
 	/* Check if it's a session keepalive. */
-	if(CVAL(inbuf,0) == SMBkeepalive)
+	if(CVAL(inbuf,0) == SMBkeepalive) {
 		return True;
+	}
+
+	/* 
+	 * If we have an encrypted transport
+	 * don't sign - we're already doing that.
+	 */
+
+	if (srv_encryption_on()) {
+		return True;
+	}
 
 	return srv_sign_info.check_incoming_message(inbuf, &srv_sign_info, must_be_ok);
 }
@@ -811,9 +832,18 @@ BOOL srv_check_sign_mac(char *inbuf, BOOL must_be_ok)
 void srv_calculate_sign_mac(char *outbuf)
 {
 	/* Check if it's a session keepalive. */
-	/* JRA Paranioa test - do we ever generate these in the server ? */
-	if(CVAL(outbuf,0) == SMBkeepalive)
+	if(CVAL(outbuf,0) == SMBkeepalive) {
 		return;
+	}
+
+	/* 
+	 * If we have an encrypted transport
+	 * don't check sign - we're already doing that.
+	 */
+
+	if (srv_encryption_on()) {
+		return;
+	}
 
 	srv_sign_info.sign_outgoing_message(outbuf, &srv_sign_info);
 }