From 31c6679bf12bbcd6626bfd5066bb2e751314e9c2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 22 May 2009 22:58:39 +0200
Subject: s3:smbd: add support for SMB2 signing

metze
---
 source3/Makefile.in           |   5 +-
 source3/smbd/globals.h        |  11 ++++
 source3/smbd/smb2_server.c    | 114 ++++++++++++++++++++++-------------
 source3/smbd/smb2_sesssetup.c |  70 ++++++++++++++++++----
 source3/smbd/smb2_signing.c   | 135 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 280 insertions(+), 55 deletions(-)
 create mode 100644 source3/smbd/smb2_signing.c

(limited to 'source3')

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 1120092f90..2b30b4a5bd 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -359,7 +359,8 @@ UTIL_OBJ = ../lib/util/rbtree.o ../lib/util/signal.o ../lib/util/time.o \
 
 CRYPTO_OBJ = ../lib/crypto/crc32.o ../lib/crypto/md5.o \
 			 ../lib/crypto/hmacmd5.o ../lib/crypto/arcfour.o \
-			 ../lib/crypto/md4.o
+			 ../lib/crypto/md4.o \
+			 ../lib/crypto/sha256.o ../lib/crypto/hmacsha256.o
 
 LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
 	  lib/messages.o librpc/gen_ndr/ndr_messaging.o lib/messages_local.o \
@@ -750,7 +751,7 @@ SMBD_OBJ_SRV = smbd/files.o smbd/chgpasswd.o smbd/connection.o \
 	       smbd/dnsregister.o smbd/globals.o \
 	       smbd/smb2_server.o smbd/smb2_negprot.o \
 	       smbd/smb2_sesssetup.o smbd/smb2_tcon.o \
-	       smbd/smb2_keepalive.o \
+	       smbd/smb2_keepalive.o smbd/smb2_signing.o \
 	       $(MANGLE_OBJ) @VFS_STATIC@
 
 SMBD_OBJ_BASE = $(PARAM_WITHOUT_REG_OBJ) $(SMBD_OBJ_SRV) $(LIBSMB_OBJ) \
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 9d5eead939..c6ab31dc36 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -206,6 +206,13 @@ struct smbd_smb2_tcon;
 
 DATA_BLOB negprot_spnego(void);
 
+NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
+			       struct iovec *vector,
+			       int count);
+NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
+				const struct iovec *vector,
+				int count);
+
 bool smbd_is_smb2_header(const uint8_t *inbuf, size_t size);
 
 void reply_smb2002(struct smb_request *req, uint16_t choice);
@@ -244,6 +251,7 @@ struct smbd_smb2_request {
 	struct smbd_smb2_tcon *tcon;
 
 	int current_idx;
+	bool do_signing;
 
 	struct {
 		/* the NBT header is not allocated */
@@ -299,6 +307,9 @@ struct smbd_smb2_session {
 	NTSTATUS status;
 	uint64_t vuid;
 	AUTH_NTLMSSP_STATE *auth_ntlmssp_state;
+	struct auth_serversupplied_info *server_info;
+	DATA_BLOB session_key;
+	bool do_signing;
 
 	struct {
 		/* an id tree used to allocate tids */
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 32bb5543ae..562fc567cc 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -288,14 +288,45 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	const uint8_t *inhdr;
 	int i = req->current_idx;
 	uint16_t opcode;
+	uint32_t flags;
 	NTSTATUS status;
+	NTSTATUS session_status;
 
 	inhdr = (const uint8_t *)req->in.vector[i].iov_base;
 
 	/* TODO: verify more things */
 
+	flags = IVAL(inhdr, SMB2_HDR_FLAGS);
 	opcode = IVAL(inhdr, SMB2_HDR_OPCODE);
 	DEBUG(10,("smbd_smb2_request_dispatch: opcode[%u]\n", opcode));
+
+#define TMP_SMB2_ALLOWED_FLAGS ( \
+	SMB2_HDR_FLAG_CHAINED | \
+	SMB2_HDR_FLAG_SIGNED | \
+	SMB2_HDR_FLAG_DFS)
+	if ((flags & ~TMP_SMB2_ALLOWED_FLAGS) != 0) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+#undef TMP_SMB2_ALLOWED_FLAGS
+
+	session_status = smbd_smb2_request_check_session(req);
+
+	req->do_signing = false;
+	if (flags & SMB2_HDR_FLAG_SIGNED) {
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
+		}
+
+		req->do_signing = true;
+		status = smb2_signing_check_pdu(req->session->session_key,
+						&req->in.vector[i], 3);
+		if (!NT_STATUS_IS_OK(status)) {
+			return smbd_smb2_request_error(req, status);
+		}
+	} else if (req->session && req->session->do_signing) {
+		return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
+	}
+
 	switch (opcode) {
 	case SMB2_OP_NEGPROT:
 		return smbd_smb2_request_process_negprot(req);
@@ -304,13 +335,15 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_process_sesssetup(req);
 
 	case SMB2_OP_LOGOFF:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		return smbd_smb2_request_process_logoff(req);
 
 	case SMB2_OP_TCON:
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
+		}
 		status = smbd_smb2_request_check_session(req);
 		if (!NT_STATUS_IS_OK(status)) {
 			return smbd_smb2_request_error(req, status);
@@ -318,9 +351,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_process_tcon(req);
 
 	case SMB2_OP_TDIS:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -329,9 +361,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_process_tdis(req);
 
 	case SMB2_OP_CREATE:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -340,9 +371,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_CLOSE:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -351,9 +381,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_FLUSH:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -362,9 +391,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_READ:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -373,9 +401,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_WRITE:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -384,9 +411,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_LOCK:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -395,9 +421,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_IOCTL:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -412,9 +437,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_process_keepalive(req);
 
 	case SMB2_OP_FIND:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -423,9 +447,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_NOTIFY:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -434,9 +457,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_GETINFO:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -445,9 +467,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_SETINFO:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -456,9 +477,8 @@ static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
 
 	case SMB2_OP_BREAK:
-		status = smbd_smb2_request_check_session(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
 		}
 		status = smbd_smb2_request_check_tcon(req);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -481,6 +501,16 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
 
 	smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
 
+	if (req->do_signing) {
+		int i = req->current_idx;
+		NTSTATUS status;
+		status = smb2_signing_sign_pdu(req->session->session_key,
+					       &req->out.vector[i], 3);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
+
 	req->current_idx += 3;
 
 	if (req->current_idx > req->in.vector_count) {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index fafda24ca4..be37aec04d 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -24,7 +24,9 @@
 
 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *req,
 					uint64_t in_session_id,
+					uint8_t in_security_mode,
 					DATA_BLOB in_security_buffer,
+					uint16_t *out_session_flags,
 					DATA_BLOB *out_security_buffer,
 					uint64_t *out_session_id);
 
@@ -39,9 +41,11 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req)
 	size_t expected_body_size = 0x19;
 	size_t body_size;
 	uint64_t in_session_id;
+	uint8_t in_security_mode;
 	uint16_t in_security_offset;
 	uint16_t in_security_length;
 	DATA_BLOB in_security_buffer;
+	uint16_t out_session_flags;
 	uint64_t out_session_id;
 	uint16_t out_security_offset;
 	DATA_BLOB out_security_buffer;
@@ -72,12 +76,15 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req)
 	}
 
 	in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
+	in_security_mode = CVAL(inbody, 0x03);
 	in_security_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 	in_security_buffer.length = in_security_length;
 
 	status = smbd_smb2_session_setup(req,
 					 in_session_id,
+					 in_security_mode,
 					 in_security_buffer,
+					 &out_session_flags,
 					 &out_security_buffer,
 					 &out_session_id);
 	if (!NT_STATUS_IS_OK(status) &&
@@ -98,7 +105,8 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req)
 	SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
 
 	SSVAL(outbody.data, 0x00, 0x08 + 1);	/* struct size */
-	SSVAL(outbody.data, 0x02, 0);		/* session flags */
+	SSVAL(outbody.data, 0x02,
+	      out_session_flags);		/* session flags */
 	SSVAL(outbody.data, 0x04,
 	      out_security_offset);		/* security buffer offset */
 	SSVAL(outbody.data, 0x06,
@@ -132,13 +140,17 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
 
 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *req,
 					uint64_t in_session_id,
+					uint8_t in_security_mode,
 					DATA_BLOB in_security_buffer,
+					uint16_t *out_session_flags,
 					DATA_BLOB *out_security_buffer,
 					uint64_t *out_session_id)
 {
 	struct smbd_smb2_session *session;
 	NTSTATUS status;
 
+	*out_session_flags = 0;
+
 	if (in_session_id == 0) {
 		int id;
 
@@ -185,6 +197,7 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *req,
 	if (session->auth_ntlmssp_state == NULL) {
 		status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(session);
 			return status;
 		}
 	}
@@ -193,19 +206,54 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *req,
 				     in_security_buffer,
 				     out_security_buffer);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		/* nothing to do */
-	} else if (NT_STATUS_IS_OK(status)) {
-		/* TODO: setup session key for signing */
-		session->status = NT_STATUS_OK;
-		/*
-		 * we attach the session to the request
-		 * so that the response can be signed
-		 */
-		req->session = session;
-	} else {
+		*out_session_id = session->vuid;
+		return status;
+	} else if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(session);
 		return status;
 	}
 
+	/* TODO: setup session key for signing */
+
+	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
+	    lp_server_signing() == Required) {
+		session->do_signing = true;
+	}
+
+	if (session->auth_ntlmssp_state->server_info->guest) {
+		/* we map anonymous to guest internally */
+		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
+		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
+		/* force no signing */
+		session->do_signing = false;
+	}
+
+	session->server_info = session->auth_ntlmssp_state->server_info;
+	data_blob_free(&session->server_info->user_session_key);
+	session->server_info->user_session_key =
+			data_blob_talloc(
+			session->server_info,
+			session->auth_ntlmssp_state->ntlmssp_state->session_key.data,
+			session->auth_ntlmssp_state->ntlmssp_state->session_key.length);
+	if (session->auth_ntlmssp_state->ntlmssp_state->session_key.length > 0) {
+		if (session->server_info->user_session_key.data == NULL) {
+			TALLOC_FREE(session);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	session->session_key = session->server_info->user_session_key;
+
+	session->status = NT_STATUS_OK;
+
+	/*
+	 * we attach the session to the request
+	 * so that the response can be signed
+	 */
+	req->session = session;
+	if (session->do_signing) {
+		req->do_signing = true;
+	}
+
 	*out_session_id = session->vuid;
 	return status;
 }
diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
new file mode 100644
index 0000000000..55ed4f6d1c
--- /dev/null
+++ b/source3/smbd/smb2_signing.c
@@ -0,0 +1,135 @@
+/*
+   Unix SMB/CIFS implementation.
+   SMB2 signing
+
+   Copyright (C) Stefan Metzmacher 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smbd/globals.h"
+#include "../source4/libcli/smb2/smb2_constants.h"
+#include "../lib/crypto/crypto.h"
+
+NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
+			       struct iovec *vector,
+			       int count)
+{
+	uint8_t *hdr;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
+			 (unsigned)session_key.length));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
+
+	SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	for (i=0; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+	DEBUG(5,("signed SMB2 message\n"));
+
+	memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
+				const struct iovec *vector,
+				int count)
+{
+	const uint8_t *hdr;
+	const uint8_t *sig;
+	uint64_t session_id;
+	struct HMACSHA256Context m;
+	uint8_t res[SHA256_DIGEST_LENGTH];
+	static const uint8_t zero_sig[16];
+	int i;
+
+	if (count < 2) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (vector[0].iov_len != SMB2_HDR_BODY) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	hdr = (const uint8_t *)vector[0].iov_base;
+
+	session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
+	if (session_id == 0) {
+		/*
+		 * do not sign messages with a zero session_id.
+		 * See MS-SMB2 3.2.4.1.1
+		 */
+		return NT_STATUS_OK;
+	}
+
+	if (session_key.length == 0) {
+		/* we don't have the session key yet */
+		return NT_STATUS_OK;
+	}
+
+	sig = hdr+SMB2_HDR_SIGNATURE;
+
+	ZERO_STRUCT(m);
+	hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
+	hmac_sha256_update(hdr, SMB2_HDR_SIGNATURE, &m);
+	hmac_sha256_update(zero_sig, 16, &m);
+	for (i=1; i < count; i++) {
+		hmac_sha256_update((const uint8_t *)vector[i].iov_base,
+				   vector[i].iov_len, &m);
+	}
+	hmac_sha256_final(res, &m);
+
+	if (memcmp(res, sig, 16) != 0) {
+		DEBUG(0,("Bad SMB2 signature for message\n"));
+		dump_data(0, sig, 16);
+		dump_data(0, res, 16);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return NT_STATUS_OK;
+}
-- 
cgit