summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/client.h1
-rw-r--r--source3/libsmb/cliconnect.c5
-rw-r--r--source3/libsmb/clientgen.c7
-rw-r--r--source3/libsmb/smbencrypt.c11
-rw-r--r--source3/param/loadparm.c11
5 files changed, 23 insertions, 12 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index 853ee7ae42..d9b72d5e0a 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -65,6 +65,7 @@ typedef struct smb_sign_info {
uint8 mac_key[44];
uint32 send_seq_num;
uint32 reply_seq_num;
+ BOOL allow_smb_signing;
} smb_sign_info;
struct cli_state {
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 389b7a1733..c13881bc21 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -942,7 +942,10 @@ BOOL cli_negprot(struct cli_state *cli)
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
}
- if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED))
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
+ cli->sign_info.negotiated_smb_signing = True;
+
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
cli->sign_info.negotiated_smb_signing = True;
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index ed1286d627..3d0bad6c99 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -249,15 +249,16 @@ struct cli_state *cli_initialise(struct cli_state *cli)
if (lp_use_spnego())
cli->use_spnego = True;
+ cli->capabilities = CAP_UNICODE | CAP_STATUS32;
+
/* Set the CLI_FORCE_DOSERR environment variable to test
client routines using DOS errors instead of STATUS32
ones. This intended only as a temporary hack. */
if (getenv("CLI_FORCE_DOSERR"))
cli->force_dos_errors = True;
- /* A way to attempt to force SMB signing */
- if (getenv("CLI_FORCE_SMB_SIGNING"))
- cli->sign_info.negotiated_smb_signing = True;
+ if (lp_client_signing())
+ cli->sign_info.allow_smb_signing = True;
if (!cli->outbuf || !cli->inbuf)
goto error;
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index a57a98e3ea..022a57ef6a 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -362,10 +362,12 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd,
SMB signing - setup the MAC key.
************************************************************/
-void cli_calculate_mac_key(struct cli_state *cli, const char *ntpasswd, const uchar resp[24])
+void cli_calculate_mac_key(struct cli_state *cli, const char *plain_passwd, const uchar resp[24])
{
- /* Get first 16 bytes. */
- E_md4hash(ntpasswd,&cli->sign_info.mac_key[0]);
+ uchar nt_hash[16];
+ E_md4hash(plain_passwd, nt_hash);
+
+ mdfour(&cli->sign_info.mac_key[0], nt_hash, sizeof(nt_hash));
memcpy(&cli->sign_info.mac_key[16],resp,24);
cli->sign_info.mac_key_len = 40;
cli->sign_info.use_smb_signing = True;
@@ -375,7 +377,7 @@ void cli_calculate_mac_key(struct cli_state *cli, const char *ntpasswd, const uc
cli->writebraw_supported = False;
/* Reset the sequence number in case we had a previous (aborted) attempt */
- cli->sign_info.send_seq_num = 0;
+ cli->sign_info.send_seq_num = 2;
}
/***********************************************************
@@ -411,6 +413,7 @@ void cli_caclulate_sign_mac(struct cli_state *cli)
MD5Final(calc_md5_mac, &md5_ctx);
memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
+
/* cli->outbuf[smb_ss_field+2]=0;
Uncomment this to test if the remote server actually verifies signitures...*/
cli->sign_info.send_seq_num++;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 73456bbd11..ac366d4ccd 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -164,7 +164,7 @@ typedef struct
char *szWinbindUID;
char *szWinbindGID;
char *szNonUnixAccountRange;
- BOOL bAlgorithmicRidBase;
+ int AlgorithmicRidBase;
char *szTemplateHomedir;
char *szTemplateShell;
char *szWinbindSeparator;
@@ -278,6 +278,7 @@ typedef struct
BOOL bKernelChangeNotify;
int restrict_anonymous;
int name_cache_timeout;
+ BOOL client_signing;
param_opt_struct *param_opt;
}
global;
@@ -754,7 +755,7 @@ static struct parm_struct parm_table[] = {
{"passdb backend", P_LIST, P_GLOBAL, &Globals.szPassdbBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"sam backend", P_LIST, P_GLOBAL, &Globals.szSamBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"non unix account range", P_STRING, P_GLOBAL, &Globals.szNonUnixAccountRange, handle_non_unix_account_range, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.bAlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.AlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_HIDE | FLAG_DEVELOPER},
@@ -862,6 +863,7 @@ static struct parm_struct parm_table[] = {
{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
+ {"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Tuning Options", P_SEP, P_SEPARATOR},
@@ -1306,7 +1308,7 @@ static void init_globals(void)
string_set(&Globals.szNameResolveOrder, "lmhosts wins host bcast");
string_set(&Globals.szPasswordServer, "*");
- Globals.bAlgorithmicRidBase = BASE_RID;
+ Globals.AlgorithmicRidBase = BASE_RID;
Globals.bLoadPrinters = True;
Globals.mangled_stack = 50;
@@ -1825,8 +1827,9 @@ FN_LOCAL_INTEGER(lp_block_size, iBlock_size)
FN_LOCAL_CHAR(lp_magicchar, magic_char)
FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time)
FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers)
-FN_GLOBAL_BOOL(lp_algorithmic_rid_base, &Globals.bAlgorithmicRidBase)
+FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
+FN_GLOBAL_BOOL(lp_client_signing, &Globals.client_signing)
/* local prototypes */