summaryrefslogtreecommitdiff
path: root/source3/libsmb
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/cliconnect.c40
-rw-r--r--source3/libsmb/clidfs.c3
-rw-r--r--source3/libsmb/clientgen.c58
-rw-r--r--source3/libsmb/smb_signing.c50
4 files changed, 87 insertions, 64 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ad11ee0ed4..ec2932488e 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -379,6 +379,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
DATA_BLOB session_key = data_blob_null;
NTSTATUS result;
char *p;
+ bool ok;
if (passlen == 0) {
/* do nothing - guest login */
@@ -436,11 +437,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
#endif
}
-#ifdef LANMAN_ONLY
- cli_simple_set_signing(cli, session_key, lm_response);
-#else
- cli_simple_set_signing(cli, session_key, nt_response);
-#endif
+ cli_temp_set_signing(cli);
} else {
/* pre-encrypted password supplied. Only used for
security=server, can't do
@@ -492,6 +489,22 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
goto end;
}
+#ifdef LANMAN_ONLY
+ ok = cli_simple_set_signing(cli, session_key, lm_response);
+#else
+ ok = cli_simple_set_signing(cli, session_key, nt_response);
+#endif
+ if (ok) {
+ /* 'resign' the last message, so we get the right sequence numbers
+ for checking the first reply from the server */
+ cli_calculate_sign_mac(cli, cli->outbuf);
+
+ if (!cli_check_sign_mac(cli, cli->inbuf)) {
+ result = NT_STATUS_ACCESS_DENIED;
+ goto end;
+ }
+ }
+
/* use the returned vuid from now on */
cli->vuid = SVAL(cli->inbuf,smb_uid);
@@ -1284,10 +1297,17 @@ struct async_req *cli_tcon_andx_send(TALLOC_CTX *mem_ctx,
return result;
access_denied:
- result = async_req_new(mem_ctx);
- if (async_post_ntstatus(result, ev, NT_STATUS_ACCESS_DENIED)) {
- return result;
+ {
+ struct cli_request *state;
+ if (!async_req_setup(mem_ctx, &result, &state,
+ struct cli_request)) {
+ goto fail;
+ }
+ if (async_post_ntstatus(result, ev, NT_STATUS_ACCESS_DENIED)) {
+ return result;
+ }
}
+ fail:
TALLOC_FREE(result);
return NULL;
}
@@ -1936,7 +1956,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli,
if (!my_name)
my_name = global_myname();
- if (!(cli = cli_initialise())) {
+ if (!(cli = cli_initialise_ex(signing_state))) {
return NT_STATUS_NO_MEMORY;
}
@@ -1984,8 +2004,6 @@ again:
return NT_STATUS_BAD_NETWORK_NAME;
}
- cli_setup_signing_state(cli, signing_state);
-
if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO)
cli->use_spnego = False;
else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index e642f169f9..1153d8dc89 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -151,7 +151,7 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
zero_sockaddr(&ss);
/* have to open a new connection */
- if (!(c=cli_initialise())) {
+ if (!(c=cli_initialise_ex(cm_creds.signing_state))) {
d_printf("Connection to %s failed\n", server_n);
if (c) {
cli_shutdown(c);
@@ -177,7 +177,6 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
c->protocol = max_protocol;
c->use_kerberos = cm_creds.use_kerberos;
c->fallback_after_kerberos = cm_creds.fallback_after_kerberos;
- cli_setup_signing_state(c, cm_creds.signing_state);
if (!cli_session_request(c, &calling, &called)) {
char *p;
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 0382ef5fae..2983f7771a 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -425,33 +425,15 @@ void cli_init_creds(struct cli_state *cli, const char *username, const char *dom
}
/****************************************************************************
- Set the signing state (used from the command line).
-****************************************************************************/
-
-void cli_setup_signing_state(struct cli_state *cli, int signing_state)
-{
- if (signing_state == Undefined)
- return;
-
- if (signing_state == false) {
- cli->sign_info.allow_smb_signing = false;
- cli->sign_info.mandatory_signing = false;
- return;
- }
-
- cli->sign_info.allow_smb_signing = true;
-
- if (signing_state == Required)
- cli->sign_info.mandatory_signing = true;
-}
-
-/****************************************************************************
Initialise a client structure. Always returns a malloc'ed struct.
+ Set the signing state (used from the command line).
****************************************************************************/
-struct cli_state *cli_initialise(void)
+struct cli_state *cli_initialise_ex(int signing_state)
{
struct cli_state *cli = NULL;
+ bool allow_smb_signing = false;
+ bool mandatory_signing = false;
/* Check the effective uid - make sure we are not setuid */
if (is_setuid_root()) {
@@ -490,12 +472,27 @@ struct cli_state *cli_initialise(void)
if (getenv("CLI_FORCE_DOSERR"))
cli->force_dos_errors = true;
- if (lp_client_signing())
- cli->sign_info.allow_smb_signing = true;
+ if (lp_client_signing()) {
+ allow_smb_signing = true;
+ }
+
+ if (lp_client_signing() == Required) {
+ mandatory_signing = true;
+ }
+
+ if (signing_state != Undefined) {
+ allow_smb_signing = true;
+ }
+
+ if (signing_state == false) {
+ allow_smb_signing = false;
+ mandatory_signing = false;
+ }
+
+ if (signing_state == Required) {
+ mandatory_signing = true;
+ }
- if (lp_client_signing() == Required)
- cli->sign_info.mandatory_signing = true;
-
if (!cli->outbuf || !cli->inbuf)
goto error;
@@ -510,6 +507,8 @@ struct cli_state *cli_initialise(void)
#endif
/* initialise signing */
+ cli->sign_info.allow_smb_signing = allow_smb_signing;
+ cli->sign_info.mandatory_signing = mandatory_signing;
cli_null_set_signing(cli);
cli->initialised = 1;
@@ -526,6 +525,11 @@ struct cli_state *cli_initialise(void)
return NULL;
}
+struct cli_state *cli_initialise(void)
+{
+ return cli_initialise_ex(Undefined);
+}
+
/****************************************************************************
Close all pipes open on this session.
****************************************************************************/
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index ea1eb05cfb..a3ed0e7572 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -3,17 +3,17 @@
SMB Signing Code
Copyright (C) Jeremy Allison 2003.
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -119,14 +119,14 @@ static bool cli_set_smb_signing_common(struct cli_state *cli)
if (cli->sign_info.doing_signing) {
return False;
}
-
+
if (cli->sign_info.free_signing_context)
cli->sign_info.free_signing_context(&cli->sign_info);
/* These calls are INCOMPATIBLE with SMB signing */
cli->readbraw_supported = False;
cli->writebraw_supported = False;
-
+
return True;
}
@@ -196,7 +196,7 @@ static void null_free_signing_context(struct smb_sign_info *si)
static bool null_set_signing(struct smb_sign_info *si)
{
si->signing_context = NULL;
-
+
si->sign_outgoing_message = null_sign_outgoing_message;
si->check_incoming_message = null_check_incoming_message;
si->free_signing_context = null_free_signing_context;
@@ -207,7 +207,7 @@ static bool null_set_signing(struct smb_sign_info *si)
/**
* Free the signing context
*/
-
+
static void free_signing_context(struct smb_sign_info *si)
{
if (si->free_signing_context) {
@@ -227,7 +227,7 @@ static bool signing_good(const char *inbuf, struct smb_sign_info *si,
if (!si->doing_signing) {
si->doing_signing = True;
}
-
+
if (!si->seen_valid) {
si->seen_valid = True;
}
@@ -289,7 +289,7 @@ static void simple_packet_signature(struct smb_basic_signing_context *data,
/* Calculate the 16 byte MAC - but don't alter the data in the
incoming packet.
-
+
This makes for a bit of fussing about, but it's not too bad.
*/
MD5Init(&md5_ctx);
@@ -368,7 +368,7 @@ static void client_sign_outgoing_message(char *outbuf, struct smb_sign_info *si)
I can isolate the fix here rather than re-adding the trans
signing on/off calls in libsmb/clitrans2.c JRA.
*/
-
+
if (store_sequence_for_reply(&data->outstanding_packet_list, SVAL(outbuf,smb_mid), data->send_seq_num + 1)) {
data->send_seq_num += 2;
}
@@ -409,11 +409,11 @@ static bool client_check_incoming_message(const char *inbuf,
server_sent_mac = (unsigned char *)&inbuf[smb_ss_field];
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-
+
if (!good) {
DEBUG(5, ("client_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
dump_data(5, calc_md5_mac, 8);
-
+
DEBUG(5, ("client_check_incoming_message: BAD SIG: got SMB signature of\n"));
dump_data(5, server_sent_mac, 8);
#if 1 /* JRATEST */
@@ -447,7 +447,7 @@ static void simple_free_signing_context(struct smb_sign_info *si)
(struct smb_basic_signing_context *)si->signing_context;
struct outstanding_packet_lookup *list;
struct outstanding_packet_lookup *next;
-
+
for (list = data->outstanding_packet_list; list; list = next) {
next = list->next;
DLIST_REMOVE(data->outstanding_packet_list, list);
@@ -486,7 +486,7 @@ bool cli_simple_set_signing(struct cli_state *cli,
memset(data, '\0', sizeof(*data));
cli->sign_info.signing_context = data;
-
+
data->mac_key = data_blob(NULL, response.length + user_session_key.length);
memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
@@ -571,7 +571,7 @@ bool cli_temp_set_signing(struct cli_state *cli)
}
cli->sign_info.signing_context = NULL;
-
+
cli->sign_info.sign_outgoing_message = temp_sign_outgoing_message;
cli->sign_info.check_incoming_message = temp_check_incoming_message;
cli->sign_info.free_signing_context = temp_free_signing_context;
@@ -587,7 +587,7 @@ void cli_free_signing_context(struct cli_state *cli)
/**
* Sign a packet with the current mechanism
*/
-
+
void cli_calculate_sign_mac(struct cli_state *cli, char *buf)
{
cli->sign_info.sign_outgoing_message(buf, &cli->sign_info);
@@ -598,7 +598,7 @@ void cli_calculate_sign_mac(struct cli_state *cli, char *buf)
* @return False if we had an established signing connection
* which had a bad checksum, True otherwise.
*/
-
+
bool cli_check_sign_mac(struct cli_state *cli, char *buf)
{
if (!cli->sign_info.check_incoming_message(buf, &cli->sign_info, True)) {
@@ -746,7 +746,7 @@ static bool srv_check_incoming_message(const char *inbuf,
server_sent_mac = (unsigned char *)&inbuf[smb_ss_field];
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-
+
if (!good) {
if (saved_seq) {
@@ -758,7 +758,7 @@ static bool srv_check_incoming_message(const char *inbuf,
(unsigned int)reply_seq_number));
dump_data(5, server_sent_mac, 8);
}
-
+
#if 1 /* JRATEST */
{
int i;
@@ -865,7 +865,7 @@ void srv_defer_sign_response(uint16 mid)
cancelled by mid. This should never find one....
************************************************************/
-void srv_cancel_sign_response(uint16 mid)
+void srv_cancel_sign_response(uint16 mid, bool cancel)
{
struct smb_basic_signing_context *data;
uint32 dummy_seq;
@@ -884,7 +884,9 @@ void srv_cancel_sign_response(uint16 mid)
;
/* cancel doesn't send a reply so doesn't burn a sequence number. */
- data->send_seq_num -= 1;
+ if (cancel) {
+ data->send_seq_num -= 1;
+ }
}
/***********************************************************
@@ -969,17 +971,17 @@ void srv_set_signing(const DATA_BLOB user_session_key, const DATA_BLOB response)
if (srv_sign_info.doing_signing) {
return;
}
-
+
if (srv_sign_info.free_signing_context)
srv_sign_info.free_signing_context(&srv_sign_info);
-
+
srv_sign_info.doing_signing = True;
data = SMB_XMALLOC_P(struct smb_basic_signing_context);
memset(data, '\0', sizeof(*data));
srv_sign_info.signing_context = data;
-
+
data->mac_key = data_blob(NULL, response.length + user_session_key.length);
memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
generated by cgit (git 2.34.1) at 2024-08-02 01:20:55 +0000