Merge branch 'master' of ssh://git.samba.org/data/git/samba into wspp-schema

author: Andrew Bartlett <abartlet@samba.org> 2009-03-08 16:16:11 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2009-03-08 16:16:11 +1100
commit: 6ac77d19b5a25a53459a58e4828fa9eac0bf11f4 (patch)
tree: bb504eecdcb94d6c82b522f5de0fd13de130fb41 /source3/libsmb
parent: bb6a2c8076e5e9eabad4ee7f09f6df979616fd13 (diff)
parent: 46bcb10b5abb21758cf234764b64220ede1b7ab5 (diff)
download: samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.tar.gz
samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.tar.bz2
samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.zip
4 files changed, 87 insertions, 64 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ad11ee0ed4..ec2932488e 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -379,6 +379,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
 	DATA_BLOB session_key = data_blob_null;
 	NTSTATUS result;
 	char *p;
+	bool ok;
 
 	if (passlen == 0) {
 		/* do nothing - guest login */
@@ -436,11 +437,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
 			SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 #endif
 		}
-#ifdef LANMAN_ONLY
-		cli_simple_set_signing(cli, session_key, lm_response); 
-#else
-		cli_simple_set_signing(cli, session_key, nt_response); 
-#endif
+		cli_temp_set_signing(cli);
 	} else {
 		/* pre-encrypted password supplied.  Only used for 
 		   security=server, can't do
@@ -492,6 +489,22 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
 		goto end;
 	}
 
+#ifdef LANMAN_ONLY
+	ok = cli_simple_set_signing(cli, session_key, lm_response);
+#else
+	ok = cli_simple_set_signing(cli, session_key, nt_response);
+#endif
+	if (ok) {
+		/* 'resign' the last message, so we get the right sequence numbers
+		   for checking the first reply from the server */
+		cli_calculate_sign_mac(cli, cli->outbuf);
+
+		if (!cli_check_sign_mac(cli, cli->inbuf)) {
+			result = NT_STATUS_ACCESS_DENIED;
+			goto end;
+		}
+	}
+
 	/* use the returned vuid from now on */
 	cli->vuid = SVAL(cli->inbuf,smb_uid);
 	
@@ -1284,10 +1297,17 @@ struct async_req *cli_tcon_andx_send(TALLOC_CTX *mem_ctx,
 	return result;
 
  access_denied:
-	result = async_req_new(mem_ctx);
-	if (async_post_ntstatus(result, ev, NT_STATUS_ACCESS_DENIED)) {
-		return result;
+	{
+		struct cli_request *state;
+		if (!async_req_setup(mem_ctx, &result, &state,
+				     struct cli_request)) {
+			goto fail;
+		}
+		if (async_post_ntstatus(result, ev, NT_STATUS_ACCESS_DENIED)) {
+			return result;
+		}
 	}
+ fail:
 	TALLOC_FREE(result);
 	return NULL;
 }
@@ -1936,7 +1956,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli,
 	if (!my_name) 
 		my_name = global_myname();
 
-	if (!(cli = cli_initialise())) {
+	if (!(cli = cli_initialise_ex(signing_state))) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -1984,8 +2004,6 @@ again:
 		return NT_STATUS_BAD_NETWORK_NAME;
 	}
 
-	cli_setup_signing_state(cli, signing_state);
-
 	if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO)
 		cli->use_spnego = False;
 	else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index e642f169f9..1153d8dc89 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -151,7 +151,7 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
 	zero_sockaddr(&ss);
 
 	/* have to open a new connection */
-	if (!(c=cli_initialise())) {
+	if (!(c=cli_initialise_ex(cm_creds.signing_state))) {
 		d_printf("Connection to %s failed\n", server_n);
 		if (c) {
 			cli_shutdown(c);
@@ -177,7 +177,6 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
 	c->protocol = max_protocol;
 	c->use_kerberos = cm_creds.use_kerberos;
 	c->fallback_after_kerberos = cm_creds.fallback_after_kerberos;
-	cli_setup_signing_state(c, cm_creds.signing_state);
 
 	if (!cli_session_request(c, &calling, &called)) {
 		char *p;
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 0382ef5fae..2983f7771a 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -425,33 +425,15 @@ void cli_init_creds(struct cli_state *cli, const char *username, const char *dom
 }
 
 /****************************************************************************
- Set the signing state (used from the command line).
-****************************************************************************/
-
-void cli_setup_signing_state(struct cli_state *cli, int signing_state)
-{
-	if (signing_state == Undefined)
-		return;
-
-	if (signing_state == false) {
-		cli->sign_info.allow_smb_signing = false;
-		cli->sign_info.mandatory_signing = false;
-		return;
-	}
-
-	cli->sign_info.allow_smb_signing = true;
-
-	if (signing_state == Required) 
-		cli->sign_info.mandatory_signing = true;
-}
-
-/****************************************************************************
  Initialise a client structure. Always returns a malloc'ed struct.
+ Set the signing state (used from the command line).
 ****************************************************************************/
 
-struct cli_state *cli_initialise(void)
+struct cli_state *cli_initialise_ex(int signing_state)
 {
 	struct cli_state *cli = NULL;
+	bool allow_smb_signing = false;
+	bool mandatory_signing = false;
 
 	/* Check the effective uid - make sure we are not setuid */
 	if (is_setuid_root()) {
@@ -490,12 +472,27 @@ struct cli_state *cli_initialise(void)
 	if (getenv("CLI_FORCE_DOSERR"))
 		cli->force_dos_errors = true;
 
-	if (lp_client_signing()) 
-		cli->sign_info.allow_smb_signing = true;
+	if (lp_client_signing()) {
+		allow_smb_signing = true;
+	}
+
+	if (lp_client_signing() == Required) {
+		mandatory_signing = true;
+	}
+
+	if (signing_state != Undefined) {
+		allow_smb_signing = true;
+	}
+
+	if (signing_state == false) {
+		allow_smb_signing = false;
+		mandatory_signing = false;
+	}
+
+	if (signing_state == Required) {
+		mandatory_signing = true;
+	}
 
-	if (lp_client_signing() == Required) 
-		cli->sign_info.mandatory_signing = true;
-                                   
 	if (!cli->outbuf || !cli->inbuf)
                 goto error;
 
@@ -510,6 +507,8 @@ struct cli_state *cli_initialise(void)
 #endif
 
 	/* initialise signing */
+	cli->sign_info.allow_smb_signing = allow_smb_signing;
+	cli->sign_info.mandatory_signing = mandatory_signing;
 	cli_null_set_signing(cli);
 
 	cli->initialised = 1;
@@ -526,6 +525,11 @@ struct cli_state *cli_initialise(void)
         return NULL;
 }
 
+struct cli_state *cli_initialise(void)
+{
+	return cli_initialise_ex(Undefined);
+}
+
 /****************************************************************************
  Close all pipes open on this session.
 ****************************************************************************/
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index ea1eb05cfb..a3ed0e7572 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -3,17 +3,17 @@
    SMB Signing Code
    Copyright (C) Jeremy Allison 2003.
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -119,14 +119,14 @@ static bool cli_set_smb_signing_common(struct cli_state *cli)
 	if (cli->sign_info.doing_signing) {
 		return False;
 	}
-	
+
 	if (cli->sign_info.free_signing_context)
 		cli->sign_info.free_signing_context(&cli->sign_info);
 
 	/* These calls are INCOMPATIBLE with SMB signing */
 	cli->readbraw_supported = False;
 	cli->writebraw_supported = False;
-	
+
 	return True;
 }
 
@@ -196,7 +196,7 @@ static void null_free_signing_context(struct smb_sign_info *si)
 static bool null_set_signing(struct smb_sign_info *si)
 {
 	si->signing_context = NULL;
-	
+
 	si->sign_outgoing_message = null_sign_outgoing_message;
 	si->check_incoming_message = null_check_incoming_message;
 	si->free_signing_context = null_free_signing_context;
@@ -207,7 +207,7 @@ static bool null_set_signing(struct smb_sign_info *si)
 /**
  * Free the signing context
  */
- 
+
 static void free_signing_context(struct smb_sign_info *si)
 {
 	if (si->free_signing_context) {
@@ -227,7 +227,7 @@ static bool signing_good(const char *inbuf, struct smb_sign_info *si,
 		if (!si->doing_signing) {
 			si->doing_signing = True;
 		}
-		
+
 		if (!si->seen_valid) {
 			si->seen_valid = True;
 		}
@@ -289,7 +289,7 @@ static void simple_packet_signature(struct smb_basic_signing_context *data,
 
 	/* Calculate the 16 byte MAC - but don't alter the data in the
 	   incoming packet.
-	   
+
 	   This makes for a bit of fussing about, but it's not too bad.
 	*/
 	MD5Init(&md5_ctx);
@@ -368,7 +368,7 @@ static void client_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
 	   I can isolate the fix here rather than re-adding the trans
 	   signing on/off calls in libsmb/clitrans2.c JRA.
 	 */
-	
+
 	if (store_sequence_for_reply(&data->outstanding_packet_list, SVAL(outbuf,smb_mid), data->send_seq_num + 1)) {
 		data->send_seq_num += 2;
 	}
@@ -409,11 +409,11 @@ static bool client_check_incoming_message(const char *inbuf,
 
 	server_sent_mac = (unsigned char *)&inbuf[smb_ss_field];
 	good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-	
+
 	if (!good) {
 		DEBUG(5, ("client_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
 		dump_data(5, calc_md5_mac, 8);
-		
+
 		DEBUG(5, ("client_check_incoming_message: BAD SIG: got SMB signature of\n"));
 		dump_data(5, server_sent_mac, 8);
 #if 1 /* JRATEST */
@@ -447,7 +447,7 @@ static void simple_free_signing_context(struct smb_sign_info *si)
 		(struct smb_basic_signing_context *)si->signing_context;
 	struct outstanding_packet_lookup *list;
 	struct outstanding_packet_lookup *next;
-	
+
 	for (list = data->outstanding_packet_list; list; list = next) {
 		next = list->next;
 		DLIST_REMOVE(data->outstanding_packet_list, list);
@@ -486,7 +486,7 @@ bool cli_simple_set_signing(struct cli_state *cli,
 	memset(data, '\0', sizeof(*data));
 
 	cli->sign_info.signing_context = data;
-	
+
 	data->mac_key = data_blob(NULL, response.length + user_session_key.length);
 
 	memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
@@ -571,7 +571,7 @@ bool cli_temp_set_signing(struct cli_state *cli)
 	}
 
 	cli->sign_info.signing_context = NULL;
-	
+
 	cli->sign_info.sign_outgoing_message = temp_sign_outgoing_message;
 	cli->sign_info.check_incoming_message = temp_check_incoming_message;
 	cli->sign_info.free_signing_context = temp_free_signing_context;
@@ -587,7 +587,7 @@ void cli_free_signing_context(struct cli_state *cli)
 /**
  * Sign a packet with the current mechanism
  */
- 
+
 void cli_calculate_sign_mac(struct cli_state *cli, char *buf)
 {
 	cli->sign_info.sign_outgoing_message(buf, &cli->sign_info);
@@ -598,7 +598,7 @@ void cli_calculate_sign_mac(struct cli_state *cli, char *buf)
  * @return False if we had an established signing connection
  *         which had a bad checksum, True otherwise.
  */
- 
+
 bool cli_check_sign_mac(struct cli_state *cli, char *buf)
 {
 	if (!cli->sign_info.check_incoming_message(buf, &cli->sign_info, True)) {
@@ -746,7 +746,7 @@ static bool srv_check_incoming_message(const char *inbuf,
 
 	server_sent_mac = (unsigned char *)&inbuf[smb_ss_field];
 	good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-	
+
 	if (!good) {
 
 		if (saved_seq) {
@@ -758,7 +758,7 @@ static bool srv_check_incoming_message(const char *inbuf,
 						(unsigned int)reply_seq_number));
 			dump_data(5, server_sent_mac, 8);
 		}
-		
+
 #if 1 /* JRATEST */
 		{
 			int i;
@@ -865,7 +865,7 @@ void srv_defer_sign_response(uint16 mid)
  cancelled by mid. This should never find one....
 ************************************************************/
 
-void srv_cancel_sign_response(uint16 mid)
+void srv_cancel_sign_response(uint16 mid, bool cancel)
 {
 	struct smb_basic_signing_context *data;
 	uint32 dummy_seq;
@@ -884,7 +884,9 @@ void srv_cancel_sign_response(uint16 mid)
 		;
 
 	/* cancel doesn't send a reply so doesn't burn a sequence number. */
-	data->send_seq_num -= 1;
+	if (cancel) {
+		data->send_seq_num -= 1;
+	}
 }
 
 /***********************************************************
@@ -969,17 +971,17 @@ void srv_set_signing(const DATA_BLOB user_session_key, const DATA_BLOB response)
 	if (srv_sign_info.doing_signing) {
 		return;
 	}
-	
+
 	if (srv_sign_info.free_signing_context)
 		srv_sign_info.free_signing_context(&srv_sign_info);
-	
+
 	srv_sign_info.doing_signing = True;
 
 	data = SMB_XMALLOC_P(struct smb_basic_signing_context);
 	memset(data, '\0', sizeof(*data));
 
 	srv_sign_info.signing_context = data;
-	
+
 	data->mac_key = data_blob(NULL, response.length + user_session_key.length);
 
 	memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
author	Andrew Bartlett <abartlet@samba.org>	2009-03-08 16:16:11 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2009-03-08 16:16:11 +1100
commit	6ac77d19b5a25a53459a58e4828fa9eac0bf11f4 (patch)
tree	bb504eecdcb94d6c82b522f5de0fd13de130fb41 /source3/libsmb
parent	bb6a2c8076e5e9eabad4ee7f09f6df979616fd13 (diff)
parent	46bcb10b5abb21758cf234764b64220ede1b7ab5 (diff)
download	samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.tar.gz samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.tar.bz2 samba-6ac77d19b5a25a53459a58e4828fa9eac0bf11f4.zip