8 files changed, 188 insertions, 172 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 763878f9b3..49b0004ac2 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -66,7 +66,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user,
 		memcpy(pword, pass, passlen);
 	} else if (passlen > 0) {
 		/* Plaintext mode needed, assume plaintext supplied. */
-		passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE);
+		passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE);
 	}
 
 	/* send a session setup command */
@@ -228,11 +228,39 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user,
 	return True;
 }
 
+static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response) 
+{
+	uint8 zero_sig[8];
+	ZERO_STRUCT(zero_sig);
+
+	DEBUG(5, ("Server returned security sig:\n"));
+	dump_data(5, &cli->inbuf[smb_ss_field], 8);
+
+	if (cli->sign_info.use_smb_signing) {
+		DEBUG(5, ("smb signing already active on connection\n"));
+	} else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
+
+		DEBUG(3, ("smb signing enabled!\n"));
+		cli->sign_info.use_smb_signing = True;
+		cli_calculate_mac_key(cli, user_session_key, response);
+	} else {
+		DEBUG(5, ("smb signing NOT enabled!\n"));
+	}
+}
+
 static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) 
 {
 	memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
 }
 
+
+static void set_temp_signing_on_cli(struct cli_state *cli) 
+{
+	if (cli->sign_info.negotiated_smb_signing)
+		cli->sign_info.temp_smb_signing = True;
+}
+
+
 /****************************************************************************
    do a NT1 NTLM/LM encrypted session setup
    @param cli client state to create do session setup on
@@ -282,7 +310,8 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 			session_key = data_blob(NULL, 16);
 			SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 		}
-		cli_simple_set_signing(cli, session_key.data, nt_response); 
+
+		set_temp_signing_on_cli(cli);
 	} else {
 		/* pre-encrypted password supplied.  Only used for 
 		   security=server, can't do
@@ -345,24 +374,26 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 	if (session_key.data) {
 		/* Have plaintext orginal */
 		set_cli_session_key(cli, session_key);
+		set_signing_on_cli(cli, session_key.data, nt_response);
 	}
 
-	ret = True;
 end:	
 	data_blob_free(&lm_response);
 	data_blob_free(&nt_response);
 	data_blob_free(&session_key);
-	return ret;
+	return True;
 }
 
 /****************************************************************************
- Send a extended security session setup blob
+ Send a extended security session setup blob, returning a reply blob.
 ****************************************************************************/
 
-static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
+static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 {
 	uint32 capabilities = cli_session_setup_capabilities(cli);
 	char *p;
+	DATA_BLOB blob2 = data_blob(NULL, 0);
+	uint32 len;
 
 	capabilities |= CAP_EXTENDED_SECURITY;
 
@@ -372,6 +403,8 @@ static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
 	set_message(cli->outbuf,12,0,True);
 	SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
 
+	set_temp_signing_on_cli(cli);
+
 	cli_setup_packet(cli);
 			
 	SCVAL(cli->outbuf,smb_vwv0,0xFF);
@@ -387,18 +420,7 @@ static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
 	p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
 	p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
 	cli_setup_bcc(cli, p);
-	return cli_send_smb(cli);
-}
-
-/****************************************************************************
- Send a extended security session setup blob, returning a reply blob.
-****************************************************************************/
-
-static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
-{
-	DATA_BLOB blob2 = data_blob(NULL, 0);
-	char *p;
-	size_t len;
+	cli_send_smb(cli);
 
 	if (!cli_receive_smb(cli))
 		return blob2;
@@ -427,20 +449,6 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
 	return blob2;
 }
 
-/****************************************************************************
- Send a extended security session setup blob, returning a reply blob.
-****************************************************************************/
-
-static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
-{
-	DATA_BLOB blob2 = data_blob(NULL, 0);
-	if (!cli_session_setup_blob_send(cli, blob)) {
-		return blob2;
-	}
-		
-	return cli_session_setup_blob_receive(cli);
-}
-
 #ifdef HAVE_KRB5
 /****************************************************************************
  Use in-memory credentials cache
@@ -494,8 +502,6 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 	DATA_BLOB blob_in = data_blob(NULL, 0);
 	DATA_BLOB blob_out;
 
-	cli_temp_set_signing(cli);
-
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
 		return False;
 	}
@@ -526,15 +532,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 			}
 		
 			/* now send that blob on its way */
-			if (!cli_session_setup_blob_send(cli, msg1)) {
-				return False;
-			}
+			blob = cli_session_setup_blob(cli, msg1);
 			data_blob_free(&msg1);
-			
-			cli_ntlmssp_set_signing(cli, ntlmssp_state);
-			
-			blob = cli_session_setup_blob_receive(cli);
-
 			nt_status = cli_nt_error(cli);
 		}
 		
@@ -571,9 +570,6 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 		set_cli_session_key(cli, ntlmssp_state->session_key);
 	}
 
-	/* we have a reference conter on ntlmssp_state, if we are signing
-	   then the state will be kept by the signing engine */
-
 	if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
 		return False;
 	}
@@ -778,7 +774,7 @@ BOOL cli_send_tconX(struct cli_state *cli,
 			/*
 			 * Non-encrypted passwords - convert to DOS codepage before using.
 			 */
-			passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE);
+			passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE);
 		} else {
 			memcpy(pword, pass, passlen);
 		}
@@ -887,6 +883,11 @@ BOOL cli_negprot(struct cli_state *cli)
 	int numprots;
 	int plength;
 
+	if (cli->sign_info.use_smb_signing) {
+		DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
+		return False;
+	}
+
 	if (cli->protocol < PROTOCOL_NT1)
 		cli->use_spnego = False;
 
@@ -1012,6 +1013,11 @@ BOOL cli_session_request(struct cli_state *cli,
 	if (cli->port == 445)
 		return True;
 
+	if (cli->sign_info.use_smb_signing) {
+		DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
+		return False;
+	}
+
 	/* send a session request (RFC 1002) */
 	/* setup the packet length
          * Remove four bytes from the length count, since the length
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index d969193089..9598f4ac96 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -177,6 +177,9 @@ void cli_setup_packet(struct cli_state *cli)
 			flags2 |= FLAGS2_32_BIT_ERROR_CODES;
 		if (cli->use_spnego)
 			flags2 |= FLAGS2_EXTENDED_SECURITY;
+		if (cli->sign_info.use_smb_signing 
+		    || cli->sign_info.temp_smb_signing)
+			flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
 		SSVAL(cli->outbuf,smb_flg2, flags2);
 	}
 }
@@ -197,8 +200,8 @@ void cli_setup_bcc(struct cli_state *cli, void *p)
 void cli_init_creds(struct cli_state *cli, const struct ntuser_creds *usr)
 {
         /* copy_nt_creds(&cli->usr, usr); */
-	fstrcpy(cli->domain   , usr->domain);
-	fstrcpy(cli->user_name, usr->user_name);
+	safe_strcpy(cli->domain   , usr->domain   , sizeof(usr->domain   )-1);
+	safe_strcpy(cli->user_name, usr->user_name, sizeof(usr->user_name)-1);
 	memcpy(&cli->pwd, &usr->pwd, sizeof(usr->pwd));
         cli->ntlmssp_flags = usr->ntlmssp_flags;
         cli->ntlmssp_cli_flgs = usr != NULL ? usr->ntlmssp_flags : 0;
@@ -245,8 +248,8 @@ struct cli_state *cli_initialise(struct cli_state *cli)
 	cli->timeout = 20000; /* Timeout is in milliseconds. */
 	cli->bufsize = CLI_BUFFER_SIZE+4;
 	cli->max_xmit = cli->bufsize;
-	cli->outbuf = (char *)malloc(cli->bufsize+SAFETY_MARGIN);
-	cli->inbuf = (char *)malloc(cli->bufsize+SAFETY_MARGIN);
+	cli->outbuf = (char *)malloc(cli->bufsize);
+	cli->inbuf = (char *)malloc(cli->bufsize);
 	cli->oplock_handler = cli_oplock_ack;
 
 	cli->use_spnego = lp_client_use_spnego();
@@ -259,9 +262,6 @@ struct cli_state *cli_initialise(struct cli_state *cli)
 	if (getenv("CLI_FORCE_DOSERR"))
 		cli->force_dos_errors = True;
 
-	/* initialise signing */
-	cli_null_set_signing(cli);
-
 	if (lp_client_signing()) 
 		cli->sign_info.allow_smb_signing = True;
                                    
@@ -303,7 +303,6 @@ void cli_close_connection(struct cli_state *cli)
 	SAFE_FREE(cli->outbuf);
 	SAFE_FREE(cli->inbuf);
 
-	cli_free_signing_context(cli);
 	data_blob_free(&cli->secblob);
 
 	if (cli->mem_ctx) {
@@ -315,7 +314,6 @@ void cli_close_connection(struct cli_state *cli)
 		close(cli->fd);
 	cli->fd = -1;
 	cli->smb_rw_error = 0;
-
 }
 
 /****************************************************************************
diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c
index d86f36405d..8e84963c09 100644
--- a/source3/libsmb/clifile.c
+++ b/source3/libsmb/clifile.c
@@ -948,7 +948,7 @@ BOOL cli_chkpath(struct cli_state *cli, const char *path)
 	pstring path2;
 	char *p;
 	
-	pstrcpy(path2,path);
+	safe_strcpy(path2,path,sizeof(pstring));
 	trim_string(path2,NULL,"\\");
 	if (!*path2) *path2 = '\\';
 	
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 5bd1283ab7..3884e4da82 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -178,7 +178,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
 			SSVAL(param,6,info_level); 
 			SIVAL(param,8,0);
 			p = param+12;
-			p += clistr_push(cli, param+12, mask, sizeof(param)-12, 
+			p += clistr_push(cli, param+12, mask, -1, 
 					 STR_TERMINATE);
 		} else {
 			setup = TRANSACT2_FINDNEXT;
@@ -188,7 +188,7 @@ int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
 			SIVAL(param,6,0); /* ff_resume_key */
 			SSVAL(param,10,8+4+2);	/* continue + resume required + close on end */
 			p = param+12;
-			p += clistr_push(cli, param+12, mask, sizeof(param)-12, 
+			p += clistr_push(cli, param+12, mask, -1, 
 					 STR_TERMINATE);
 		}
 
diff --git a/source3/libsmb/netlogon_unigrp.c b/source3/libsmb/netlogon_unigrp.c
index 466410d800..fa2fe32f35 100644
--- a/source3/libsmb/netlogon_unigrp.c
+++ b/source3/libsmb/netlogon_unigrp.c
@@ -22,7 +22,6 @@
 */
 
 #include "includes.h"
-#define UNIGROUP_PREFIX "UNIGROUP"
 
 /*
     Handle for netlogon_unigrp.tdb database. It is used internally
@@ -51,22 +50,17 @@ BOOL uni_group_cache_init(void)
 BOOL  uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
 {
 	TDB_DATA key,data;
-        fstring keystr, sid_string;
-	DOM_SID user_sid;
-        unsigned int i;
+        fstring keystr;
+        int i;
 
 	if (!uni_group_cache_init()) {
 		DEBUG(0,("uni_group_cache_store_netlogon: cannot open netlogon_unigrp.tdb for write!\n"));
 		return False;
 	}
 
-	sid_copy(&user_sid, &user->dom_sid.sid);
-	sid_append_rid(&user_sid, user->user_rid);
-
-	/* Prepare key as USER-SID string */
-	slprintf(keystr, sizeof(keystr), "%s/%s",
-		 UNIGROUP_PREFIX,
-		 sid_to_string(sid_string, &user_sid));
+	/* Prepare key as DOMAIN-SID/USER-RID string */
+	slprintf(keystr, sizeof(keystr), "%s/%d", 
+		 sid_string_static(&user->dom_sid.sid), user->user_rid);
 	key.dptr = keystr;
 	key.dsize = strlen(keystr) + 1;
 	
@@ -96,15 +90,14 @@ BOOL  uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
     and elements are array[0] ... array[num_elements-1]
     
 */
-DOM_SID **uni_group_cache_fetch(DOM_SID *domain, DOM_SID *user_sid,
+uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
 			      TALLOC_CTX *mem_ctx, uint32 *num_groups)
 {
 	TDB_DATA key,data;
 	fstring keystr;
-	DOM_SID **groups;
+	uint32 *groups;
 	uint32 i;
 	uint32 group_count;
-	fstring sid_string;
 	
 	if (!domain) {
 		DEBUG(1,("uni_group_cache_fetch: expected non-null domain sid\n"));
@@ -130,9 +123,8 @@ DOM_SID **uni_group_cache_fetch(DOM_SID *domain, DOM_SID *user_sid,
 	*num_groups = 0;
 	
 	/* Fetch universal groups */
-	slprintf(keystr, sizeof(keystr), "%s/%s", 
-		 UNIGROUP_PREFIX,
-		 sid_to_string(sid_string, user_sid));
+	slprintf(keystr, sizeof(keystr), "%s/%d", 
+		 sid_string_static(domain), user_rid);
 	key.dptr = keystr;
 	key.dsize = strlen(keystr) + 1;
 	data = tdb_fetch(netlogon_unigrp_tdb, key);
@@ -144,17 +136,12 @@ DOM_SID **uni_group_cache_fetch(DOM_SID *domain, DOM_SID *user_sid,
 	
 	/* Transfer data to receiver's memory context */
 	group_count = IVAL(&((uint32*)data.dptr)[0],0);
-	groups = talloc(mem_ctx, (group_count)*sizeof(*groups));
+	groups = talloc(mem_ctx, (group_count)*sizeof(uint32));
 	if (groups) {
 		for(i=0; i<group_count; i++) {
-			groups[i] = talloc(mem_ctx, sizeof(**groups));
-			if (!groups[i]) {
-				DEBUG(1,("uni_group_cache_fetch: cannot allocate uni groups in receiver's memory context\n"));
-				return NULL;
-			}
-			sid_copy(groups[i], domain);
-			sid_append_rid(groups[i], IVAL(&((uint32*)data.dptr)[i+1],0));
+			groups[i] = IVAL(&((uint32*)data.dptr)[i+1],0);
 		}
+		
 	} else {
 		DEBUG(1,("uni_group_cache_fetch: cannot allocate uni groups in receiver's memory context\n"));
 	}
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 5722b8efcd..e1509f6b63 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -81,7 +81,7 @@ static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
 
 /**
  * Determine correct target name flags for reply, given server role 
- * and negotiated flags
+ * and negoitated falgs
  * 
  * @param ntlmssp_state NTLMSSP State
  * @param neg_flags The flags from the packet
@@ -291,7 +291,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 /**
  * Create an NTLMSSP state machine
  * 
- * @param ntlmssp_state NTLMSSP State, allocated by this function
+ * @param ntlmssp_state NTLMSSP State, allocated by this funciton
  */
 
 NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
@@ -322,7 +322,7 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
 /**
  * End an NTLMSSP state machine
  * 
- * @param ntlmssp_state NTLMSSP State, free()ed by this function
+ * @param ntlmssp_state NTLMSSP State, free()ed by this funciton
  */
 
 NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state)
@@ -431,7 +431,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 	DATA_BLOB session_key = data_blob(NULL, 0);
 	uint8 datagram_sess_key[16];
 
-	generate_random_buffer(datagram_sess_key, sizeof(datagram_sess_key), False);	
+	ZERO_STRUCT(datagram_sess_key);
 
 	if (!msrpc_parse(&reply, "CdBd",
 			 "NTLMSSP",
@@ -508,6 +508,8 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		session_key = data_blob(NULL, 16);
 		SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 	}
+	
+	data_blob_free(&challenge_blob);
 
 	/* this generates the actual auth packet */
 	if (!msrpc_gen(next_request, auth_gen_string, 
@@ -518,7 +520,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		       ntlmssp_state->domain, 
 		       ntlmssp_state->user, 
 		       ntlmssp_state->get_global_myname(), 
-		       datagram_sess_key, 16,
+		       datagram_sess_key, 0,
 		       ntlmssp_state->neg_flags)) {
 		
 		data_blob_free(&lm_response);
@@ -527,14 +529,9 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	data_blob_free(&ntlmssp_state->chal);
-	data_blob_free(&ntlmssp_state->lm_resp);
-	data_blob_free(&ntlmssp_state->nt_resp);
-	data_blob_free(&ntlmssp_state->session_key);
+	data_blob_free(&lm_response);
+	data_blob_free(&nt_response);
 
-	ntlmssp_state->chal = challenge_blob;
-	ntlmssp_state->lm_resp = lm_response;
-	ntlmssp_state->nt_resp = nt_response;
 	ntlmssp_state->session_key = session_key;
 
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
@@ -561,12 +558,10 @@ NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 	(*ntlmssp_state)->unicode = True;
 
 	(*ntlmssp_state)->neg_flags = 
-		NTLMSSP_NEGOTIATE_128 |
+	       	NTLMSSP_NEGOTIATE_128 | 
 		NTLMSSP_NEGOTIATE_NTLM |
 		NTLMSSP_REQUEST_TARGET;
 
-	(*ntlmssp_state)->ref_count = 1;
-
 	return NT_STATUS_OK;
 }
 
@@ -574,16 +569,8 @@ NTSTATUS ntlmssp_client_end(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 {
 	TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
 
-	(*ntlmssp_state)->ref_count--;
-
-	if ((*ntlmssp_state)->ref_count == 0) {
-		data_blob_free(&(*ntlmssp_state)->chal);
-		data_blob_free(&(*ntlmssp_state)->lm_resp);
-		data_blob_free(&(*ntlmssp_state)->nt_resp);
-		data_blob_free(&(*ntlmssp_state)->session_key);
-		talloc_destroy(mem_ctx);
-	}
-
+	data_blob_free(&(*ntlmssp_state)->session_key);
+	talloc_destroy(mem_ctx);
 	*ntlmssp_state = NULL;
 	return NT_STATUS_OK;
 }
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index 28160d9609..aa9391325f 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -295,7 +295,7 @@ void SMBsesskeygen_ntv1(const uchar kr[16],
 #endif
 }
 
-static DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
+DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
 				   DATA_BLOB server_chal, size_t client_chal_length)
 {
 	uchar ntlmv2_response[16];
@@ -416,3 +416,101 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd,
 	
 	return True;
 }
+
+/***********************************************************
+ SMB signing - setup the MAC key.
+************************************************************/
+
+void cli_calculate_mac_key(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
+{
+	
+	memcpy(&cli->sign_info.mac_key[0], user_session_key, 16);
+	memcpy(&cli->sign_info.mac_key[16],response.data, MIN(response.length, 40 - 16));
+	cli->sign_info.mac_key_len = MIN(response.length + 16, 40);
+	cli->sign_info.use_smb_signing = True;
+
+	/* These calls are INCONPATIBLE with SMB signing */
+	cli->readbraw_supported = False;
+	cli->writebraw_supported = False;
+
+	/* Reset the sequence number in case we had a previous (aborted) attempt */
+	cli->sign_info.send_seq_num = 2;
+}
+
+/***********************************************************
+ SMB signing - calculate a MAC to send.
+************************************************************/
+
+void cli_caclulate_sign_mac(struct cli_state *cli)
+{
+	unsigned char calc_md5_mac[16];
+	struct MD5Context md5_ctx;
+
+	if (cli->sign_info.temp_smb_signing) {
+		memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
+		cli->sign_info.temp_smb_signing = False;
+		return;
+	}
+
+	if (!cli->sign_info.use_smb_signing) {
+		return;
+	}
+
+	/*
+	 * Firstly put the sequence number into the first 4 bytes.
+	 * and zero out the next 4 bytes.
+	 */
+	SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num);
+	SIVAL(cli->outbuf, smb_ss_field + 4, 0);
+
+	/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+	MD5Init(&md5_ctx);
+	MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
+	MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
+	MD5Final(calc_md5_mac, &md5_ctx);
+
+	memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
+
+/*	cli->outbuf[smb_ss_field+2]=0; 
+	Uncomment this to test if the remote server actually verifies signitures...*/
+	cli->sign_info.send_seq_num++;
+	cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num;
+	cli->sign_info.send_seq_num++;
+}
+
+/***********************************************************
+ SMB signing - check a MAC sent by server.
+************************************************************/
+
+BOOL cli_check_sign_mac(struct cli_state *cli)
+{
+	unsigned char calc_md5_mac[16];
+	unsigned char server_sent_mac[8];
+	struct MD5Context md5_ctx;
+
+	if (cli->sign_info.temp_smb_signing) {
+		return True;
+	}
+
+	if (!cli->sign_info.use_smb_signing) {
+		return True;
+	}
+
+	/*
+	 * Firstly put the sequence number into the first 4 bytes.
+	 * and zero out the next 4 bytes.
+	 */
+
+	memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
+
+	SIVAL(cli->inbuf, smb_ss_field, cli->sign_info.reply_seq_num);
+	SIVAL(cli->inbuf, smb_ss_field + 4, 0);
+
+	/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+	MD5Init(&md5_ctx);
+	MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
+	MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
+	MD5Final(calc_md5_mac, &md5_ctx);
+
+	return (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+}
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trust_passwd.c
index b8f84ba890..cf9fd58b13 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trust_passwd.c
@@ -1,8 +1,7 @@
 /* 
  *  Unix SMB/CIFS implementation.
- *  Routines to operate on various trust relationships
- *  Copyright (C) Andrew Bartlett                   2001
- *  Copyright (C) Rafal Szczesniak                  2003
+ *  Routines to change trust account passwords.
+ *  Copyright (C) Andrew Bartlett                   2001.
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -114,63 +113,4 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *me
 	
 	return trust_pw_change_and_store_it(cli, mem_ctx, old_trust_passwd_hash);
 	
-}
-
-
-/**
- * Verify whether or not given domain is trusted.
- *
- * @param domain_name name of the domain to be verified
- * @return true if domain is one of the trusted once or
- *         false if otherwise
- **/
- 
-BOOL is_trusted_domain(const char* dom_name)
-{
-	int enum_ctx = 0;
-	const int trustdom_size = 10;
-	int num_domains, i;
-	TRUSTDOM **domains;
-	NTSTATUS result;
-	fstring trustdom_name;
-	DOM_SID trustdom_sid;
-	TALLOC_CTX *mem_ctx;
-	
-	/*
-	 * Query the secrets db as an ultimate source of information
-	 * about trusted domain names. This is PDC or BDC case.
-	 */
-	mem_ctx = talloc_init("is_trusted_domain");
-	
-	do {
-		result = secrets_get_trusted_domains(mem_ctx, &enum_ctx, trustdom_size,
-		                                     &num_domains, &domains);
-		/* compare each returned entry against incoming connection's domain */
-		for (i = 0; i < num_domains; i++) {
-			pull_ucs2_fstring(trustdom_name, domains[i]->name);
-			if (strequal(trustdom_name, dom_name)) {
-				talloc_destroy(mem_ctx);
-				return True;
-			}
-		}
-	} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
-
-	talloc_destroy(mem_ctx);
-
-	/*
-	 * Query the trustdom_cache updated periodically. The only
-	 * way for domain member server.
-	 */
-	if (trustdom_cache_enable() &&
-		trustdom_cache_fetch(dom_name, &trustdom_sid)) {
-		trustdom_cache_shutdown();
-		return True;
-	}
-
-	/*
-	 * if nothing's been found, then give up here, although
-	 * the last resort might be to query the PDC.
-	 */
-	return False;
-}
-
+}