r1462: GENSEC Kerberos and SPENGO work:

 - Spelling - it's SPNEGO, not SPENGO
 - SMB signing - Krb5 logins are now correctly signed
 - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.

Andrew Bartlett
(This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)

3 files changed, 95 insertions, 40 deletions

diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c
index d420aa7cd6..5aaceb103a 100644
--- a/source4/libcli/raw/clisession.c
+++ b/source4/libcli/raw/clisession.c
@@ -260,7 +260,7 @@ static void use_nt1_session_keys(struct cli_session *session,
 	E_md4hash(password, nt_hash);
 	SMBsesskeygen_ntv1(nt_hash, session_key.data);
 
-	cli_transport_simple_set_signing(transport, session_key, *nt_response);
+	cli_transport_simple_set_signing(transport, session_key, *nt_response, 0);
 
 	cli_session_set_user_session_key(session, &session_key);
 	data_blob_free(&session_key);
@@ -381,6 +381,8 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
 {
 	NTSTATUS status;
 	union smb_sesssetup s2;
+	DATA_BLOB session_key = data_blob(NULL, 0);
+	DATA_BLOB null_data_blob = data_blob(NULL, 0);
 
 	s2.generic.level = RAW_SESSSETUP_SPNEGO;
 	s2.spnego.in.bufsize = ~0;
@@ -433,39 +435,41 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
 			       session->transport->negotiate.secblob,
 			       &s2.spnego.in.secblob);
 
-	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		goto done;
-	}
-
 	while(1) {
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
+			break;
+		}
+
+		status = gensec_session_key(session->gensec, &session_key);
+		if (NT_STATUS_IS_OK(status)) {
+			cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 0);
+		}
+
 		session->vuid = s2.spnego.out.vuid;
 		status = smb_raw_session_setup(session, mem_ctx, &s2);
 		session->vuid = UID_FIELD_INVALID;
 		if (!NT_STATUS_IS_OK(status) &&
 		    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-			goto done;
+			break;
 		}
 
 		status = gensec_update(session->gensec, mem_ctx,
 				       s2.spnego.out.secblob,
 				       &s2.spnego.in.secblob);
 
-		if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-			goto done;
+		if (NT_STATUS_IS_OK(status)) {
+			break;
 		}
 	}
 
 done:
 	if (NT_STATUS_IS_OK(status)) {
-		DATA_BLOB null_data_blob = data_blob(NULL, 0);
-		DATA_BLOB session_key = data_blob(NULL, 0);
-		
 		status = gensec_session_key(session->gensec, &session_key);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
-
-		cli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
+		
+		cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 2 /* two legs on last packet */);
 
 		cli_session_set_user_session_key(session, &session_key);
 
diff --git a/source4/libcli/raw/clitransport.c b/source4/libcli/raw/clitransport.c
index a378ac8aad..18784fe33a 100644
--- a/source4/libcli/raw/clitransport.c
+++ b/source4/libcli/raw/clitransport.c
@@ -40,7 +40,9 @@ struct cli_transport *cli_transport_init(struct cli_socket *sock)
 	transport->negotiate.protocol = PROTOCOL_NT1;
 	transport->options.use_spnego = lp_use_spnego();
 	transport->negotiate.max_xmit = ~0;
-	cli_null_set_signing(transport);
+	
+	cli_init_signing(transport);
+
 	transport->socket->reference_count++;
 
 	ZERO_STRUCT(transport->called);
diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c
index 20b44a5348..52e08d05f8 100644
--- a/source4/libcli/raw/smb_signing.c
+++ b/source4/libcli/raw/smb_signing.c
@@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
 	if (transport->negotiate.sign_info.doing_signing) {
 		return False;
 	}
-	
+
+	if (!transport->negotiate.sign_info.allow_smb_signing) {
+		return False;
+	}
+
 	if (transport->negotiate.sign_info.free_signing_context)
 		transport->negotiate.sign_info.free_signing_context(transport);
 
 	/* These calls are INCOMPATIBLE with SMB signing */
 	transport->negotiate.readbraw_supported = False;
 	transport->negotiate.writebraw_supported = False;
-	
+
 	return True;
 }
 
@@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
 ************************************************************/
 static BOOL set_smb_signing_real_common(struct cli_transport *transport) 
 {
-	if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+	if (transport->negotiate.sign_info.mandatory_signing) {
 		DEBUG(5, ("Mandatory SMB signing enabled!\n"));
-		transport->negotiate.sign_info.doing_signing = True;
 	}
 
 	DEBUG(5, ("SMB signing enabled!\n"));
@@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req)
 	SSVAL(req->out.hdr, HDR_FLG2, flags2);
 }
 
-static BOOL signing_good(struct cli_request *req, BOOL good) 
+static BOOL signing_good(struct cli_request *req, int seq, BOOL good) 
 {
-	if (good && !req->transport->negotiate.sign_info.doing_signing) {
-		req->transport->negotiate.sign_info.doing_signing = True;
-	}
-
-	if (!good) {
-		if (req->transport->negotiate.sign_info.doing_signing) {
-			DEBUG(1, ("SMB signature check failed!\n"));
-			return False;
+	if (good) {
+		if (!req->transport->negotiate.sign_info.doing_signing) {
+			req->transport->negotiate.sign_info.doing_signing = True;
+		}
+		if (!req->transport->negotiate.sign_info.seen_valid) {
+			req->transport->negotiate.sign_info.seen_valid = True;
+		}
+	} else {
+		if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) {
+
+			/* Non-mandatory signing - just turn off if this is the first bad packet.. */
+			DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n"
+				  "isn't sending correct signatures. Turning off.\n"));
+			req->transport->negotiate.sign_info.negotiated_smb_signing = False;
+			req->transport->negotiate.sign_info.allow_smb_signing = False;
+			req->transport->negotiate.sign_info.doing_signing = False;
+			if (req->transport->negotiate.sign_info.free_signing_context)
+				req->transport->negotiate.sign_info.free_signing_context(req->transport);
+			cli_null_set_signing(req->transport);
+			return True;
 		} else {
-			DEBUG(3, ("Server did not sign reply correctly\n"));
-			cli_transport_free_signing_context(req->transport);
+			/* Mandatory signing or bad packet after signing started - fail and disconnect. */
+			if (seq)
+				DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq));
 			return False;
 		}
 	}
 	return True;
-}	
+}
 
 /***********************************************************
  SMB signing - Simple implementation - calculate a MAC to send.
@@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req)
 
 	memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8);
 
+	DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n", 
+		  req->seq_num, data->next_seq_num));
+	dump_data(5, calc_md5_mac, 8);
 /*	req->out.hdr[HDR_SS_FIELD+2]=0; 
 	Uncomment this to test if the remote server actually verifies signitures...*/
 }
@@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
 		MD5Final(calc_md5_mac, &md5_ctx);
 		
 		good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+
+		if (i == 1) {
+			if (!good) {
+				DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i));
+				dump_data(5, calc_md5_mac, 8);
+				
+				DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+				dump_data(5, server_sent_mac, 8);
+			} else {
+				DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+				dump_data(5, server_sent_mac, 8);
+			}
+		}
+
 		if (good) break;
 	}
 
@@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
 		DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1));
 	}
 
-	if (!good) {
-		DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
-		dump_data(5, calc_md5_mac, 8);
-		
-		DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n"));
-		dump_data(5, server_sent_mac, 8);
-	}
-	return signing_good(req, good);
+	return signing_good(req, req->seq_num+1, good);
 }
 
 
@@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran
 ************************************************************/
 BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
 				      const DATA_BLOB user_session_key, 
-				      const DATA_BLOB response)
+				      const DATA_BLOB response,
+				      int seq_num)
 {
 	struct smb_basic_signing_context *data;
 
@@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
 	}
 
 	/* Initialise the sequence number */
-	data->next_seq_num = 0;
+	data->next_seq_num = seq_num;
 
 	transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message;
 	transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message;
@@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req)
 
 	return True;
 }
+
+
+BOOL cli_init_signing(struct cli_transport *transport) 
+{
+	if (!cli_null_set_signing(transport)) {
+		return False;
+	}
+	
+	switch (lp_client_signing()) {
+	case SMB_SIGNING_OFF:
+	transport->negotiate.sign_info.allow_smb_signing = False;
+		break;
+	case SMB_SIGNING_SUPPORTED:
+		transport->negotiate.sign_info.allow_smb_signing = True;
+		break;
+	case SMB_SIGNING_REQUIRED:
+		transport->negotiate.sign_info.allow_smb_signing = True;
+		transport->negotiate.sign_info.mandatory_signing = True;
+		break;
+	}
+	return True;
+}