summaryrefslogtreecommitdiff
path: root/source4/libcli/smb2
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libcli/smb2')
-rw-r--r--source4/libcli/smb2/connect.c8
-rw-r--r--source4/libcli/smb2/logoff.c2
-rw-r--r--source4/libcli/smb2/session.c10
-rw-r--r--source4/libcli/smb2/signing.c9
-rw-r--r--source4/libcli/smb2/smb2.h9
-rw-r--r--source4/libcli/smb2/transport.c6
6 files changed, 20 insertions, 24 deletions
diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c
index cdb5e3b5d4..c89c109b72 100644
--- a/source4/libcli/smb2/connect.c
+++ b/source4/libcli/smb2/connect.c
@@ -112,19 +112,19 @@ static void continue_negprot(struct smb2_request *req)
composite_error(c, NT_STATUS_ACCESS_DENIED);
return;
}
- transport->signing.doing_signing = false;
+ transport->signing_required = false;
break;
case SMB_SIGNING_SUPPORTED:
case SMB_SIGNING_AUTO:
if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
- transport->signing.doing_signing = true;
+ transport->signing_required = true;
} else {
- transport->signing.doing_signing = false;
+ transport->signing_required = false;
}
break;
case SMB_SIGNING_REQUIRED:
if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) {
- transport->signing.doing_signing = true;
+ transport->signing_required = true;
} else {
composite_error(c, NT_STATUS_ACCESS_DENIED);
return;
diff --git a/source4/libcli/smb2/logoff.c b/source4/libcli/smb2/logoff.c
index b38a08ca43..e3f83f27d8 100644
--- a/source4/libcli/smb2/logoff.c
+++ b/source4/libcli/smb2/logoff.c
@@ -33,6 +33,8 @@ struct smb2_request *smb2_logoff_send(struct smb2_session *session)
req = smb2_request_init(session->transport, SMB2_OP_LOGOFF, 0x04, false, 0);
if (req == NULL) return NULL;
+ req->session = session;
+
SBVAL(req->out.hdr, SMB2_HDR_SESSION_ID, session->uid);
SSVAL(req->out.body, 0x02, 0);
diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c
index 91616319d5..31b3e942e9 100644
--- a/source4/libcli/smb2/session.c
+++ b/source4/libcli/smb2/session.c
@@ -187,14 +187,14 @@ static void session_request_handler(struct smb2_request *req)
return;
}
- if (session->transport->signing.doing_signing) {
- if (session->session_key.length != 16) {
- DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
+ if (session->transport->signing_required) {
+ if (session->session_key.length == 0) {
+ DEBUG(0,("Wrong session key length %u for SMB2 signing\n",
(unsigned)session->session_key.length));
composite_error(c, NT_STATUS_ACCESS_DENIED);
return;
}
- session->transport->signing.signing_started = true;
+ session->signing_active = true;
}
composite_done(c);
@@ -218,7 +218,7 @@ struct composite_context *smb2_session_setup_spnego_send(struct smb2_session *se
ZERO_STRUCT(state->io);
state->io.in.vc_number = 0;
- if (session->transport->signing.doing_signing) {
+ if (session->transport->signing_required) {
state->io.in.security_mode =
SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
}
diff --git a/source4/libcli/smb2/signing.c b/source4/libcli/smb2/signing.c
index fb2c22db4e..0d655d1a86 100644
--- a/source4/libcli/smb2/signing.c
+++ b/source4/libcli/smb2/signing.c
@@ -46,7 +46,7 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke
return NT_STATUS_OK;
}
- if (session_key.length != 16) {
+ if (session_key.length == 0) {
DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
(unsigned)session_key.length));
return NT_STATUS_ACCESS_DENIED;
@@ -57,10 +57,9 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke
SIVAL(buf->hdr, SMB2_HDR_FLAGS, IVAL(buf->hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
ZERO_STRUCT(m);
- hmac_sha256_init(session_key.data, 16, &m);
+ hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
hmac_sha256_update(buf->buffer+NBT_HDR_SIZE, buf->size-NBT_HDR_SIZE, &m);
hmac_sha256_final(res, &m);
-
DEBUG(5,("signed SMB2 message of size %u\n", (unsigned)buf->size - NBT_HDR_SIZE));
memcpy(buf->hdr + SMB2_HDR_SIGNATURE, res, 16);
@@ -95,7 +94,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session
return NT_STATUS_OK;
}
- if (session_key.length != 16) {
+ if (session_key.length == 0) {
DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
(unsigned)session_key.length));
return NT_STATUS_ACCESS_DENIED;
@@ -106,7 +105,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session
memset(buf->hdr + SMB2_HDR_SIGNATURE, 0, 16);
ZERO_STRUCT(m);
- hmac_sha256_init(session_key.data, 16, &m);
+ hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
hmac_sha256_update(buf->hdr, buf->size-NBT_HDR_SIZE, &m);
hmac_sha256_final(res, &m);
diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h
index 2b468d3dc9..5d6341a15b 100644
--- a/source4/libcli/smb2/smb2.h
+++ b/source4/libcli/smb2/smb2.h
@@ -27,11 +27,6 @@
struct smb2_handle;
-struct smb2_signing_context {
- bool doing_signing;
- bool signing_started;
-};
-
/*
information returned from the negotiate process
*/
@@ -78,7 +73,8 @@ struct smb2_transport {
} oplock;
struct smbcli_options options;
- struct smb2_signing_context signing;
+
+ bool signing_required;
};
@@ -98,6 +94,7 @@ struct smb2_session {
struct gensec_security *gensec;
uint64_t uid;
DATA_BLOB session_key;
+ bool signing_active;
};
diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c
index 6e0d523e21..d9691bec7c 100644
--- a/source4/libcli/smb2/transport.c
+++ b/source4/libcli/smb2/transport.c
@@ -235,7 +235,7 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE);
req->status = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS));
- if (req->session && transport->signing.doing_signing) {
+ if (req->session && req->session->signing_active) {
status = smb2_check_signature(&req->in,
req->session->session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -352,9 +352,7 @@ void smb2_transport_send(struct smb2_request *req)
}
/* possibly sign the message */
- if (req->transport->signing.doing_signing &&
- req->transport->signing.signing_started &&
- req->session) {
+ if (req->session && req->session->signing_active) {
status = smb2_sign_message(&req->out, req->session->session_key);
if (!NT_STATUS_IS_OK(status)) {
req->state = SMB2_REQUEST_ERROR;