diff options
-rw-r--r-- | source3/include/smb.h | 7 | ||||
-rw-r--r-- | source3/libsmb/clientgen.c | 5 | ||||
-rw-r--r-- | source3/libsmb/ntlmssp_sign.c | 26 | ||||
-rw-r--r-- | source3/libsmb/smb_signing.c | 17 |
4 files changed, 39 insertions, 16 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h index 4f37c38413..3bb6bf9237 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -78,6 +78,10 @@ typedef int BOOL; #define READ_EOF 2 #define READ_ERROR 3 +/* This error code can go into the client smb_rw_error. */ +#define WRITE_ERROR 4 +#define READ_BAD_SIG 5 + #define DIR_STRUCT_SIZE 43 /* these define the attribute byte as seen by DOS */ @@ -161,9 +165,6 @@ typedef uint16 smb_ucs2_t; typedef smb_ucs2_t wpstring[PSTRING_LEN]; typedef smb_ucs2_t wfstring[FSTRING_LEN]; -/* This error code can go into the client smb_rw_error. */ -#define WRITE_ERROR 4 - #ifdef WORDS_BIGENDIAN #define UCS2_SHIFT 8 #else diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 0da9a8932f..fe9453e6f2 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -118,7 +118,10 @@ BOOL cli_receive_smb(struct cli_state *cli) } if (!cli_check_sign_mac(cli)) { - DEBUG(0, ("SMB Signiture verification failed on incoming packet!\n")); + DEBUG(0, ("SMB Signature verification failed on incoming packet!\n")); + cli->smb_rw_error = READ_BAD_SIG; + close(cli->fd); + cli->fd = -1; return False; }; return True; diff --git a/source3/libsmb/ntlmssp_sign.c b/source3/libsmb/ntlmssp_sign.c index 8f6bd0c691..5426263fb9 100644 --- a/source3/libsmb/ntlmssp_sign.c +++ b/source3/libsmb/ntlmssp_sign.c @@ -92,8 +92,14 @@ static void calc_ntlmv2_hash(unsigned char hash[16], char digest[16], calc_hash(hash, digest, 16); } +enum ntlmssp_direction { + NTLMSSP_SEND, + NTLMSSP_RECEIVE +}; + static NTSTATUS ntlmssp_make_packet_signiture(NTLMSSP_CLIENT_STATE *ntlmssp_state, const uchar *data, size_t length, + enum ntlmssp_direction direction, DATA_BLOB *sig) { if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { @@ -110,8 +116,14 @@ static NTSTATUS ntlmssp_make_packet_signiture(NTLMSSP_CLIENT_STATE *ntlmssp_stat if (!msrpc_gen(sig, "Bd", digest, sizeof(digest), ntlmssp_state->ntlmssp_seq_num)) { return NT_STATUS_NO_MEMORY; } - - NTLMSSPcalc_ap(ntlmssp_state->cli_seal_hash, sig->data, sig->length); + switch (direction) { + case NTLMSSP_SEND: + NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash, sig->data, sig->length); + break; + case NTLMSSP_RECEIVE: + NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash, sig->data, sig->length); + break; + } } else { uint32 crc; crc = crc32_calc_buffer(data, length); @@ -129,7 +141,7 @@ NTSTATUS ntlmssp_client_sign_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state, DATA_BLOB *sig) { ntlmssp_state->ntlmssp_seq_num++; - return ntlmssp_make_packet_signiture(ntlmssp_state, data, length, sig); + return ntlmssp_make_packet_signiture(ntlmssp_state, data, length, NTLMSSP_SEND, sig); } /** @@ -151,7 +163,7 @@ NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state, } nt_status = ntlmssp_make_packet_signiture(ntlmssp_state, data, - length, &local_sig); + length, NTLMSSP_RECEIVE, &local_sig); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status))); @@ -161,6 +173,12 @@ NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state, if (memcmp(sig->data, local_sig.data, MIN(sig->length, local_sig.length)) == 0) { return NT_STATUS_OK; } else { + DEBUG(5, ("BAD SIG: wanted signature of\n")); + dump_data(5, local_sig.data, local_sig.length); + + DEBUG(5, ("BAD SIG: got signature of\n")); + dump_data(5, sig->data, sig->length); + DEBUG(0, ("NTLMSSP packet check failed due to invalid signiture!\n")); return NT_STATUS_ACCESS_DENIED; } diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c index 9bbf7ef91c..42c4d5574d 100644 --- a/source3/libsmb/smb_signing.c +++ b/source3/libsmb/smb_signing.c @@ -160,11 +160,6 @@ static BOOL cli_simple_check_incoming_message(struct cli_state *cli) SIVAL(sequence_buf, 0, data->reply_seq_num); SIVAL(sequence_buf, 4, 0); - if (smb_len(cli->inbuf) < (offset_end_of_sig - 4)) { - DEBUG(1, ("Can't check signature on short packet! smb_len = %u\n", smb_len(cli->inbuf))); - return False; - } - /* get a copy of the server-sent mac */ memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac)); @@ -275,7 +270,7 @@ static BOOL cli_ntlmssp_check_incoming_message(struct cli_state *cli) { BOOL good; NTSTATUS nt_status; - DATA_BLOB sig = data_blob(&cli->outbuf[smb_ss_field], 8); + DATA_BLOB sig = data_blob(&cli->inbuf[smb_ss_field], 8); NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context; @@ -460,8 +455,14 @@ void cli_caclulate_sign_mac(struct cli_state *cli) BOOL cli_check_sign_mac(struct cli_state *cli) { BOOL good; - good = cli->sign_info.check_incoming_message(cli); - + + if (smb_len(cli->inbuf) < (smb_ss_field + 8 - 4)) { + DEBUG(1, ("Can't check signature on short packet! smb_len = %u\n", smb_len(cli->inbuf))); + good = False; + } else { + good = cli->sign_info.check_incoming_message(cli); + } + if (!good) { if (cli->sign_info.doing_signing) { return False; |