summaryrefslogtreecommitdiff
path: root/source4/libcli/raw/smb_signing.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-07-12 09:11:13 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:32 -0500
commit88002b851bd30e3c03a5a9442baf3ced7aa6090f (patch)
tree8547a06b7e5af9c4cb5e73f6190035aefd7fd75c /source4/libcli/raw/smb_signing.c
parentb62e6f1ec13c6cad5a94a2a27dc14d3fdfdd4cfc (diff)
downloadsamba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.gz
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.tar.bz2
samba-88002b851bd30e3c03a5a9442baf3ced7aa6090f.zip
r1462: GENSEC Kerberos and SPENGO work:
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
Diffstat (limited to 'source4/libcli/raw/smb_signing.c')
-rw-r--r--source4/libcli/raw/smb_signing.c101
1 files changed, 75 insertions, 26 deletions
diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c
index 20b44a5348..52e08d05f8 100644
--- a/source4/libcli/raw/smb_signing.c
+++ b/source4/libcli/raw/smb_signing.c
@@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
if (transport->negotiate.sign_info.doing_signing) {
return False;
}
-
+
+ if (!transport->negotiate.sign_info.allow_smb_signing) {
+ return False;
+ }
+
if (transport->negotiate.sign_info.free_signing_context)
transport->negotiate.sign_info.free_signing_context(transport);
/* These calls are INCOMPATIBLE with SMB signing */
transport->negotiate.readbraw_supported = False;
transport->negotiate.writebraw_supported = False;
-
+
return True;
}
@@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
************************************************************/
static BOOL set_smb_signing_real_common(struct cli_transport *transport)
{
- if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+ if (transport->negotiate.sign_info.mandatory_signing) {
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
- transport->negotiate.sign_info.doing_signing = True;
}
DEBUG(5, ("SMB signing enabled!\n"));
@@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req)
SSVAL(req->out.hdr, HDR_FLG2, flags2);
}
-static BOOL signing_good(struct cli_request *req, BOOL good)
+static BOOL signing_good(struct cli_request *req, int seq, BOOL good)
{
- if (good && !req->transport->negotiate.sign_info.doing_signing) {
- req->transport->negotiate.sign_info.doing_signing = True;
- }
-
- if (!good) {
- if (req->transport->negotiate.sign_info.doing_signing) {
- DEBUG(1, ("SMB signature check failed!\n"));
- return False;
+ if (good) {
+ if (!req->transport->negotiate.sign_info.doing_signing) {
+ req->transport->negotiate.sign_info.doing_signing = True;
+ }
+ if (!req->transport->negotiate.sign_info.seen_valid) {
+ req->transport->negotiate.sign_info.seen_valid = True;
+ }
+ } else {
+ if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) {
+
+ /* Non-mandatory signing - just turn off if this is the first bad packet.. */
+ DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n"
+ "isn't sending correct signatures. Turning off.\n"));
+ req->transport->negotiate.sign_info.negotiated_smb_signing = False;
+ req->transport->negotiate.sign_info.allow_smb_signing = False;
+ req->transport->negotiate.sign_info.doing_signing = False;
+ if (req->transport->negotiate.sign_info.free_signing_context)
+ req->transport->negotiate.sign_info.free_signing_context(req->transport);
+ cli_null_set_signing(req->transport);
+ return True;
} else {
- DEBUG(3, ("Server did not sign reply correctly\n"));
- cli_transport_free_signing_context(req->transport);
+ /* Mandatory signing or bad packet after signing started - fail and disconnect. */
+ if (seq)
+ DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq));
return False;
}
}
return True;
-}
+}
/***********************************************************
SMB signing - Simple implementation - calculate a MAC to send.
@@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req)
memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8);
+ DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n",
+ req->seq_num, data->next_seq_num));
+ dump_data(5, calc_md5_mac, 8);
/* req->out.hdr[HDR_SS_FIELD+2]=0;
Uncomment this to test if the remote server actually verifies signitures...*/
}
@@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
MD5Final(calc_md5_mac, &md5_ctx);
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+
+ if (i == 1) {
+ if (!good) {
+ DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i));
+ dump_data(5, calc_md5_mac, 8);
+
+ DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+ dump_data(5, server_sent_mac, 8);
+ } else {
+ DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+ dump_data(5, server_sent_mac, 8);
+ }
+ }
+
if (good) break;
}
@@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1));
}
- if (!good) {
- DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
- dump_data(5, calc_md5_mac, 8);
-
- DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n"));
- dump_data(5, server_sent_mac, 8);
- }
- return signing_good(req, good);
+ return signing_good(req, req->seq_num+1, good);
}
@@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran
************************************************************/
BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
const DATA_BLOB user_session_key,
- const DATA_BLOB response)
+ const DATA_BLOB response,
+ int seq_num)
{
struct smb_basic_signing_context *data;
@@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
}
/* Initialise the sequence number */
- data->next_seq_num = 0;
+ data->next_seq_num = seq_num;
transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message;
transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message;
@@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req)
return True;
}
+
+
+BOOL cli_init_signing(struct cli_transport *transport)
+{
+ if (!cli_null_set_signing(transport)) {
+ return False;
+ }
+
+ switch (lp_client_signing()) {
+ case SMB_SIGNING_OFF:
+ transport->negotiate.sign_info.allow_smb_signing = False;
+ break;
+ case SMB_SIGNING_SUPPORTED:
+ transport->negotiate.sign_info.allow_smb_signing = True;
+ break;
+ case SMB_SIGNING_REQUIRED:
+ transport->negotiate.sign_info.allow_smb_signing = True;
+ transport->negotiate.sign_info.mandatory_signing = True;
+ break;
+ }
+ return True;
+}
generated by cgit (git 2.34.1) at 2024-06-16 06:22:04 +0000