From ef2e26c91b80556af033d3335e55f5dfa6fff31d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 13 Aug 2003 01:53:07 +0000 Subject: first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f) --- source4/libcli/raw/smb_signing.c | 341 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 341 insertions(+) create mode 100644 source4/libcli/raw/smb_signing.c (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c new file mode 100644 index 0000000000..2ab61aa001 --- /dev/null +++ b/source4/libcli/raw/smb_signing.c @@ -0,0 +1,341 @@ +/* + Unix SMB/CIFS implementation. + SMB Signing Code + Copyright (C) Jeremy Allison 2002. + Copyright (C) Andrew Bartlett 2002-2003 + Copyright (C) James J Myers 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +struct smb_basic_signing_context { + DATA_BLOB mac_key; + uint32 next_seq_num; +}; + +/*********************************************************** + SMB signing - Common code before we set a new signing implementation +************************************************************/ +static BOOL set_smb_signing_common(struct cli_transport *transport) +{ + if (!(transport->negotiate.sec_mode & + (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { + return False; + } + + if (transport->negotiate.sign_info.doing_signing) { + return False; + } + + if (transport->negotiate.sign_info.free_signing_context) + transport->negotiate.sign_info.free_signing_context(transport); + + /* These calls are INCOMPATIBLE with SMB signing */ + transport->negotiate.readbraw_supported = False; + transport->negotiate.writebraw_supported = False; + + return True; +} + +/*********************************************************** + SMB signing - Common code for 'real' implementations +************************************************************/ +static BOOL set_smb_signing_real_common(struct cli_transport *transport) +{ + if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { + DEBUG(5, ("Mandatory SMB signing enabled!\n")); + transport->negotiate.sign_info.doing_signing = True; + } + + DEBUG(5, ("SMB signing enabled!\n")); + + return True; +} + +static void mark_packet_signed(struct cli_request *req) +{ + uint16 flags2; + flags2 = SVAL(req->out.hdr, HDR_FLG2); + flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES; + SSVAL(req->out.hdr, HDR_FLG2, flags2); +} + +static BOOL signing_good(struct cli_request *req, BOOL good) +{ + if (good && !req->transport->negotiate.sign_info.doing_signing) { + req->transport->negotiate.sign_info.doing_signing = True; + } + + if (!good) { + if (req->transport->negotiate.sign_info.doing_signing) { + DEBUG(1, ("SMB signature check failed!\n")); + return False; + } else { + DEBUG(3, ("Server did not sign reply correctly\n")); + cli_transport_free_signing_context(req->transport); + return False; + } + } + return True; +} + +/*********************************************************** + SMB signing - Simple implementation - calculate a MAC to send. +************************************************************/ +static void cli_request_simple_sign_outgoing_message(struct cli_request *req) +{ + unsigned char calc_md5_mac[16]; + struct MD5Context md5_ctx; + struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; + +#if 0 + /* enable this when packet signing is preventing you working out why valgrind + says that data is uninitialised */ + file_save("pkt.dat", req->out.buffer, req->out.size); +#endif + + req->seq_num = data->next_seq_num; + + /* some requests (eg. NTcancel) are one way, and the sequence number + should be increased by 1 not 2 */ + if (req->one_way_request) { + data->next_seq_num += 1; + } else { + data->next_seq_num += 2; + } + + /* + * Firstly put the sequence number into the first 4 bytes. + * and zero out the next 4 bytes. + */ + SIVAL(req->out.hdr, HDR_SS_FIELD, req->seq_num); + SIVAL(req->out.hdr, HDR_SS_FIELD + 4, 0); + + /* mark the packet as signed - BEFORE we sign it...*/ + mark_packet_signed(req); + + /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ + MD5Init(&md5_ctx); + MD5Update(&md5_ctx, data->mac_key.data, + data->mac_key.length); + MD5Update(&md5_ctx, + req->out.buffer + NBT_HDR_SIZE, + req->out.size - NBT_HDR_SIZE); + MD5Final(calc_md5_mac, &md5_ctx); + + memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8); + +/* req->out.hdr[HDR_SS_FIELD+2]=0; + Uncomment this to test if the remote server actually verifies signitures...*/ +} + + +/*********************************************************** + SMB signing - Simple implementation - check a MAC sent by server. +************************************************************/ +static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) +{ + BOOL good; + unsigned char calc_md5_mac[16]; + unsigned char server_sent_mac[8]; + unsigned char sequence_buf[8]; + struct MD5Context md5_ctx; + struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; + const size_t offset_end_of_sig = (HDR_SS_FIELD + 8); + int i; + const int sign_range = 0; + + /* its quite bogus to be guessing sequence numbers, but very useful + when debugging signing implementations */ + for (i = 1-sign_range; i <= 1+sign_range; i++) { + /* + * Firstly put the sequence number into the first 4 bytes. + * and zero out the next 4 bytes. + */ + SIVAL(sequence_buf, 0, req->seq_num+i); + SIVAL(sequence_buf, 4, 0); + + /* get a copy of the server-sent mac */ + memcpy(server_sent_mac, &req->in.hdr[HDR_SS_FIELD], sizeof(server_sent_mac)); + + /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ + MD5Init(&md5_ctx); + MD5Update(&md5_ctx, data->mac_key.data, + data->mac_key.length); + MD5Update(&md5_ctx, req->in.hdr, HDR_SS_FIELD); + MD5Update(&md5_ctx, sequence_buf, sizeof(sequence_buf)); + + MD5Update(&md5_ctx, req->in.hdr + offset_end_of_sig, + req->in.size - NBT_HDR_SIZE - (offset_end_of_sig)); + MD5Final(calc_md5_mac, &md5_ctx); + + good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); + if (good) break; + } + + if (good && i != 1) { + DEBUG(0,("SIGNING OFFSET %d\n", i)); + } + + if (!good) { + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n")); + dump_data(5, calc_md5_mac, 8); + + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n")); + dump_data(5, server_sent_mac, 8); + } + return signing_good(req, good); +} + + +/*********************************************************** + SMB signing - Simple implementation - free signing context +************************************************************/ +static void cli_transport_simple_free_signing_context(struct cli_transport *transport) +{ + struct smb_basic_signing_context *data = transport->negotiate.sign_info.signing_context; + + data_blob_free(&data->mac_key); + SAFE_FREE(transport->negotiate.sign_info.signing_context); + + return; +} + + +/*********************************************************** + SMB signing - Simple implementation - setup the MAC key. +************************************************************/ +BOOL cli_transport_simple_set_signing(struct cli_transport *transport, + const uchar user_transport_key[16], const DATA_BLOB response) +{ + struct smb_basic_signing_context *data; + + if (!set_smb_signing_common(transport)) { + return False; + } + + if (!set_smb_signing_real_common(transport)) { + return False; + } + + data = smb_xmalloc(sizeof(*data)); + transport->negotiate.sign_info.signing_context = data; + + data->mac_key = data_blob(NULL, MIN(response.length + 16, 40)); + + memcpy(&data->mac_key.data[0], user_transport_key, 16); + memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16)); + + /* Initialise the sequence number */ + data->next_seq_num = 0; + + transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = cli_transport_simple_free_signing_context; + + return True; +} + + +/*********************************************************** + SMB signing - NULL implementation - calculate a MAC to send. +************************************************************/ +static void cli_request_null_sign_outgoing_message(struct cli_request *req) +{ + /* we can't zero out the sig, as we might be trying to send a + transport request - which is NBT-level, not SMB level and doesn't + have the field */ +} + + +/*********************************************************** + SMB signing - NULL implementation - check a MAC sent by server. +************************************************************/ +static BOOL cli_request_null_check_incoming_message(struct cli_request *req) +{ + return True; +} + + +/*********************************************************** + SMB signing - NULL implementation - free signing context +************************************************************/ +static void cli_null_free_signing_context(struct cli_transport *transport) +{ +} + +/** + SMB signing - NULL implementation - setup the MAC key. + + @note Used as an initialisation only - it will not correctly + shut down a real signing mechanism +*/ +BOOL cli_null_set_signing(struct cli_transport *transport) +{ + transport->negotiate.sign_info.signing_context = NULL; + + transport->negotiate.sign_info.sign_outgoing_message = cli_request_null_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = cli_request_null_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = cli_null_free_signing_context; + + return True; +} + + +/** + * Free the signing context + */ +void cli_transport_free_signing_context(struct cli_transport *transport) +{ + if (transport->negotiate.sign_info.free_signing_context) { + transport->negotiate.sign_info.free_signing_context(transport); + } + + cli_null_set_signing(transport); +} + + +/** + * Sign a packet with the current mechanism + */ +void cli_request_calculate_sign_mac(struct cli_request *req) +{ + req->transport->negotiate.sign_info.sign_outgoing_message(req); +} + + +/** + * Check a packet with the current mechanism + * @return False if we had an established signing connection + * which had a back checksum, True otherwise + */ +BOOL cli_request_check_sign_mac(struct cli_request *req) +{ + BOOL good; + + if (req->in.size < (HDR_SS_FIELD + 8)) { + good = False; + } else { + good = req->transport->negotiate.sign_info.check_incoming_message(req); + } + + if (!good && req->transport->negotiate.sign_info.doing_signing) { + return False; + } + + return True; +} -- cgit From dce84ffd379012812170f68f7de8aab73123f0b3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 9 May 2004 12:42:18 +0000 Subject: r610: - Merge the Samba3 'ntlm_auth --diagnostics' testsuite to Samba4. - This required using NETLOGON_NEG_AUTH2_FLAGS for the SetupCredentials2 negotiation flags, which is what Samba3 does, because otherwise the server uses different crypto. - This tests the returned session keys, which we decrypt. - Update the Samba4 notion of a 'session key' to be a DATA_BLOB in most places. - Fix session key code to return NT_STATUS_NO_SESSION_KEY if none is available. - Remove a useless argument to SMBsesskeygen_ntv1 - move netr_CredentialState from the .idl to the new credentials.h Andrew Bartlett (This used to be commit 44f8b5b53e6abd4de8a676f78d729988fadff320) --- source4/libcli/raw/smb_signing.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 2ab61aa001..5f47a5e42a 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -220,7 +220,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran SMB signing - Simple implementation - setup the MAC key. ************************************************************/ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, - const uchar user_transport_key[16], const DATA_BLOB response) + const DATA_BLOB user_session_key, + const DATA_BLOB response) { struct smb_basic_signing_context *data; @@ -235,10 +236,13 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, data = smb_xmalloc(sizeof(*data)); transport->negotiate.sign_info.signing_context = data; - data->mac_key = data_blob(NULL, MIN(response.length + 16, 40)); + data->mac_key = data_blob(NULL, response.length + user_session_key.length); - memcpy(&data->mac_key.data[0], user_transport_key, 16); - memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16)); + memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length); + + if (response.length) { + memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length); + } /* Initialise the sequence number */ data->next_seq_num = 0; -- cgit From f9d8f8843dc0ab8c9d59abde7222e0f118b86b5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 16:24:13 +0000 Subject: r884: convert samba4 to use [u]int32_t instead of [u]int32 metze (This used to be commit 0e5517d937a2eb7cf707991d1c7498c1ab456095) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 5f47a5e42a..bb295ee991 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -24,7 +24,7 @@ struct smb_basic_signing_context { DATA_BLOB mac_key; - uint32 next_seq_num; + uint32_t next_seq_num; }; /*********************************************************** -- cgit From f88bf54c7f6d1c2ef833047eb8327953c304b5ff Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 17:24:24 +0000 Subject: r889: convert samba4 to use [u]int16_t instead of [u]int16 metze (This used to be commit af6f1f8a01bebbecd99bc8c066519e89966e65e3) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index bb295ee991..989b5527aa 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -68,7 +68,7 @@ static BOOL set_smb_signing_real_common(struct cli_transport *transport) static void mark_packet_signed(struct cli_request *req) { - uint16 flags2; + uint16_t flags2; flags2 = SVAL(req->out.hdr, HDR_FLG2); flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES; SSVAL(req->out.hdr, HDR_FLG2, flags2); -- cgit From 45e93c19ef95978f908f5b14962770510634cd3b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 29 May 2004 08:11:46 +0000 Subject: r943: change samba4 to use 'uint8_t' instead of 'unsigned char' metze (This used to be commit b5378803fdcb3b3afe7c2932a38828e83470f61a) --- source4/libcli/raw/smb_signing.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 989b5527aa..c82946ac53 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -98,7 +98,7 @@ static BOOL signing_good(struct cli_request *req, BOOL good) ************************************************************/ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) { - unsigned char calc_md5_mac[16]; + uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; @@ -150,9 +150,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) { BOOL good; - unsigned char calc_md5_mac[16]; - unsigned char server_sent_mac[8]; - unsigned char sequence_buf[8]; + uint8_t calc_md5_mac[16]; + uint8_t server_sent_mac[8]; + uint8_t sequence_buf[8]; struct MD5Context md5_ctx; struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; const size_t offset_end_of_sig = (HDR_SS_FIELD + 8); -- cgit From 73c077d37b69267646986ea3fc2ed99d7ef15d4c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 9 Jun 2004 00:07:59 +0000 Subject: r1091: Added in timing tests for deferred opens. Added extra debug info to signing mistakes. Jeremy. (This used to be commit 5c3a2417cfe1bdbdfb35d933d49f77f6696790b3) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index c82946ac53..a39f33c290 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -188,7 +188,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) } if (good && i != 1) { - DEBUG(0,("SIGNING OFFSET %d\n", i)); + DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1)); } if (!good) { -- cgit From 4f0e5e069064c11a8efc407cd42412d38534d0d2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 5 Jul 2004 23:28:49 +0000 Subject: r1345: add extended security spnego support to the smb client code set lp_use_spnego = False, because I can't get it working yet but I commit it so others can help me metze (This used to be commit 2445cceba9ab9bd928c8bc50927a39509e4526b0) --- source4/libcli/raw/smb_signing.c | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index a39f33c290..20b44a5348 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -299,6 +299,56 @@ BOOL cli_null_set_signing(struct cli_transport *transport) return True; } +/*********************************************************** + SMB signing - TEMP implementation - calculate a MAC to send. +************************************************************/ +static void cli_request_temp_sign_outgoing_message(struct cli_request *req) +{ + /* mark the packet as signed - BEFORE we sign it...*/ + mark_packet_signed(req); + + /* I wonder what BSRSPYL stands for - but this is what MS + actually sends! */ + memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8); + return; +} + +/*********************************************************** + SMB signing - TEMP implementation - check a MAC sent by server. +************************************************************/ +static BOOL cli_request_temp_check_incoming_message(struct cli_request *req) +{ + return True; +} + +/*********************************************************** + SMB signing - NULL implementation - free signing context +************************************************************/ +static void cli_temp_free_signing_context(struct cli_transport *transport) +{ + return; +} + +/** + SMB signing - TEMP implementation - setup the MAC key. + + @note Used as an initialisation only - it will not correctly + shut down a real signing mechanism +*/ +BOOL cli_temp_set_signing(struct cli_transport *transport) +{ + if (!set_smb_signing_common(transport)) { + return False; + } + + transport->negotiate.sign_info.signing_context = NULL; + + transport->negotiate.sign_info.sign_outgoing_message = cli_request_temp_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = cli_request_temp_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = cli_temp_free_signing_context; + + return True; +} /** * Free the signing context -- cgit From 88002b851bd30e3c03a5a9442baf3ced7aa6090f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 12 Jul 2004 09:11:13 +0000 Subject: r1462: GENSEC Kerberos and SPENGO work: - Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7) --- source4/libcli/raw/smb_signing.c | 101 +++++++++++++++++++++++++++++---------- 1 file changed, 75 insertions(+), 26 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 20b44a5348..52e08d05f8 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport) if (transport->negotiate.sign_info.doing_signing) { return False; } - + + if (!transport->negotiate.sign_info.allow_smb_signing) { + return False; + } + if (transport->negotiate.sign_info.free_signing_context) transport->negotiate.sign_info.free_signing_context(transport); /* These calls are INCOMPATIBLE with SMB signing */ transport->negotiate.readbraw_supported = False; transport->negotiate.writebraw_supported = False; - + return True; } @@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport) ************************************************************/ static BOOL set_smb_signing_real_common(struct cli_transport *transport) { - if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { + if (transport->negotiate.sign_info.mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); - transport->negotiate.sign_info.doing_signing = True; } DEBUG(5, ("SMB signing enabled!\n")); @@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req) SSVAL(req->out.hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct cli_request *req, BOOL good) +static BOOL signing_good(struct cli_request *req, int seq, BOOL good) { - if (good && !req->transport->negotiate.sign_info.doing_signing) { - req->transport->negotiate.sign_info.doing_signing = True; - } - - if (!good) { - if (req->transport->negotiate.sign_info.doing_signing) { - DEBUG(1, ("SMB signature check failed!\n")); - return False; + if (good) { + if (!req->transport->negotiate.sign_info.doing_signing) { + req->transport->negotiate.sign_info.doing_signing = True; + } + if (!req->transport->negotiate.sign_info.seen_valid) { + req->transport->negotiate.sign_info.seen_valid = True; + } + } else { + if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) { + + /* Non-mandatory signing - just turn off if this is the first bad packet.. */ + DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n" + "isn't sending correct signatures. Turning off.\n")); + req->transport->negotiate.sign_info.negotiated_smb_signing = False; + req->transport->negotiate.sign_info.allow_smb_signing = False; + req->transport->negotiate.sign_info.doing_signing = False; + if (req->transport->negotiate.sign_info.free_signing_context) + req->transport->negotiate.sign_info.free_signing_context(req->transport); + cli_null_set_signing(req->transport); + return True; } else { - DEBUG(3, ("Server did not sign reply correctly\n")); - cli_transport_free_signing_context(req->transport); + /* Mandatory signing or bad packet after signing started - fail and disconnect. */ + if (seq) + DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq)); return False; } } return True; -} +} /*********************************************************** SMB signing - Simple implementation - calculate a MAC to send. @@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8); + DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n", + req->seq_num, data->next_seq_num)); + dump_data(5, calc_md5_mac, 8); /* req->out.hdr[HDR_SS_FIELD+2]=0; Uncomment this to test if the remote server actually verifies signitures...*/ } @@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) MD5Final(calc_md5_mac, &md5_ctx); good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); + + if (i == 1) { + if (!good) { + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i)); + dump_data(5, calc_md5_mac, 8); + + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + dump_data(5, server_sent_mac, 8); + } else { + DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + dump_data(5, server_sent_mac, 8); + } + } + if (good) break; } @@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1)); } - if (!good) { - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n")); - dump_data(5, calc_md5_mac, 8); - - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n")); - dump_data(5, server_sent_mac, 8); - } - return signing_good(req, good); + return signing_good(req, req->seq_num+1, good); } @@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran ************************************************************/ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, const DATA_BLOB user_session_key, - const DATA_BLOB response) + const DATA_BLOB response, + int seq_num) { struct smb_basic_signing_context *data; @@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, } /* Initialise the sequence number */ - data->next_seq_num = 0; + data->next_seq_num = seq_num; transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message; transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message; @@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req) return True; } + + +BOOL cli_init_signing(struct cli_transport *transport) +{ + if (!cli_null_set_signing(transport)) { + return False; + } + + switch (lp_client_signing()) { + case SMB_SIGNING_OFF: + transport->negotiate.sign_info.allow_smb_signing = False; + break; + case SMB_SIGNING_SUPPORTED: + transport->negotiate.sign_info.allow_smb_signing = True; + break; + case SMB_SIGNING_REQUIRED: + transport->negotiate.sign_info.allow_smb_signing = True; + transport->negotiate.sign_info.mandatory_signing = True; + break; + } + return True; +} -- cgit From ad8d0190f1c188e74d61e4867f8c5ebd7fb20994 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 14 Jul 2004 09:00:28 +0000 Subject: r1494: fix debug message metze (This used to be commit 463982bf3f37bac67e1aaa488e4142d0ecc23307) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 52e08d05f8..fc10413108 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -90,7 +90,7 @@ static BOOL signing_good(struct cli_request *req, int seq, BOOL good) if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) { /* Non-mandatory signing - just turn off if this is the first bad packet.. */ - DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n" + DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); req->transport->negotiate.sign_info.negotiated_smb_signing = False; req->transport->negotiate.sign_info.allow_smb_signing = False; -- cgit From b3c46674a670ea51607d5c2a73271dff531ae7d6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 16 Jul 2004 02:54:57 +0000 Subject: r1521: Updates to our SMB signing code. - This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandetory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353) --- source4/libcli/raw/smb_signing.c | 152 ++++++++++++++++++++++----------------- 1 file changed, 86 insertions(+), 66 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index fc10413108..20f8921acb 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -69,15 +69,15 @@ static BOOL set_smb_signing_real_common(struct cli_transport *transport) return True; } -static void mark_packet_signed(struct cli_request *req) +static void mark_packet_signed(struct request_buffer *out) { uint16_t flags2; - flags2 = SVAL(req->out.hdr, HDR_FLG2); + flags2 = SVAL(out->hdr, HDR_FLG2); flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES; - SSVAL(req->out.hdr, HDR_FLG2, flags2); + SSVAL(out->hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct cli_request *req, int seq, BOOL good) +static BOOL signing_good(struct cli_request *req, unsigned int seq, BOOL good) { if (good) { if (!req->transport->negotiate.sign_info.doing_signing) { @@ -87,9 +87,8 @@ static BOOL signing_good(struct cli_request *req, int seq, BOOL good) req->transport->negotiate.sign_info.seen_valid = True; } } else { - if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) { - - /* Non-mandatory signing - just turn off if this is the first bad packet.. */ + if (!req->transport->negotiate.sign_info.seen_valid) { + /* If we have never seen a good packet, just turn it off */ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); req->transport->negotiate.sign_info.negotiated_smb_signing = False; @@ -100,119 +99,97 @@ static BOOL signing_good(struct cli_request *req, int seq, BOOL good) cli_null_set_signing(req->transport); return True; } else { - /* Mandatory signing or bad packet after signing started - fail and disconnect. */ - if (seq) - DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq)); + /* bad packet after signing started - fail and disconnect. */ + DEBUG(0, ("signing_good: BAD SIG: seq %u\n", seq)); return False; } } return True; } -/*********************************************************** - SMB signing - Simple implementation - calculate a MAC to send. -************************************************************/ -static void cli_request_simple_sign_outgoing_message(struct cli_request *req) +void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_t seq_num) { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; - struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; - -#if 0 - /* enable this when packet signing is preventing you working out why valgrind - says that data is uninitialised */ - file_save("pkt.dat", req->out.buffer, req->out.size); -#endif - - req->seq_num = data->next_seq_num; - - /* some requests (eg. NTcancel) are one way, and the sequence number - should be increased by 1 not 2 */ - if (req->one_way_request) { - data->next_seq_num += 1; - } else { - data->next_seq_num += 2; - } - /* * Firstly put the sequence number into the first 4 bytes. * and zero out the next 4 bytes. */ - SIVAL(req->out.hdr, HDR_SS_FIELD, req->seq_num); - SIVAL(req->out.hdr, HDR_SS_FIELD + 4, 0); + SIVAL(out->hdr, HDR_SS_FIELD, seq_num); + SIVAL(out->hdr, HDR_SS_FIELD + 4, 0); /* mark the packet as signed - BEFORE we sign it...*/ - mark_packet_signed(req); + mark_packet_signed(out); /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ MD5Init(&md5_ctx); - MD5Update(&md5_ctx, data->mac_key.data, - data->mac_key.length); + MD5Update(&md5_ctx, mac_key->data, + mac_key->length); MD5Update(&md5_ctx, - req->out.buffer + NBT_HDR_SIZE, - req->out.size - NBT_HDR_SIZE); + out->buffer + NBT_HDR_SIZE, + out->size - NBT_HDR_SIZE); MD5Final(calc_md5_mac, &md5_ctx); - memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8); + memcpy(&out->hdr[HDR_SS_FIELD], calc_md5_mac, 8); - DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n", - req->seq_num, data->next_seq_num)); + DEBUG(5, ("sign_outgoing_message: SENT SIG (seq: %d): sent SMB signature of\n", + seq_num)); dump_data(5, calc_md5_mac, 8); /* req->out.hdr[HDR_SS_FIELD+2]=0; Uncomment this to test if the remote server actually verifies signitures...*/ } - -/*********************************************************** - SMB signing - Simple implementation - check a MAC sent by server. -************************************************************/ -static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) +BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num) { BOOL good; uint8_t calc_md5_mac[16]; uint8_t server_sent_mac[8]; uint8_t sequence_buf[8]; struct MD5Context md5_ctx; - struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; const size_t offset_end_of_sig = (HDR_SS_FIELD + 8); int i; const int sign_range = 0; + /* room enough for the signature? */ + if (in->size < NBT_HDR_SIZE + HDR_SS_FIELD + 8) { + return False; + } + /* its quite bogus to be guessing sequence numbers, but very useful when debugging signing implementations */ - for (i = 1-sign_range; i <= 1+sign_range; i++) { + for (i = 0-sign_range; i <= 0+sign_range; i++) { /* * Firstly put the sequence number into the first 4 bytes. * and zero out the next 4 bytes. */ - SIVAL(sequence_buf, 0, req->seq_num+i); + SIVAL(sequence_buf, 0, seq_num + i); SIVAL(sequence_buf, 4, 0); /* get a copy of the server-sent mac */ - memcpy(server_sent_mac, &req->in.hdr[HDR_SS_FIELD], sizeof(server_sent_mac)); + memcpy(server_sent_mac, &in->hdr[HDR_SS_FIELD], sizeof(server_sent_mac)); /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ MD5Init(&md5_ctx); - MD5Update(&md5_ctx, data->mac_key.data, - data->mac_key.length); - MD5Update(&md5_ctx, req->in.hdr, HDR_SS_FIELD); + MD5Update(&md5_ctx, mac_key->data, + mac_key->length); + MD5Update(&md5_ctx, in->hdr, HDR_SS_FIELD); MD5Update(&md5_ctx, sequence_buf, sizeof(sequence_buf)); - MD5Update(&md5_ctx, req->in.hdr + offset_end_of_sig, - req->in.size - NBT_HDR_SIZE - (offset_end_of_sig)); + MD5Update(&md5_ctx, in->hdr + offset_end_of_sig, + in->size - NBT_HDR_SIZE - (offset_end_of_sig)); MD5Final(calc_md5_mac, &md5_ctx); good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); - if (i == 1) { + if (i == 0) { if (!good) { - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i)); + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", seq_num + i)); dump_data(5, calc_md5_mac, 8); - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", seq_num + i)); dump_data(5, server_sent_mac, 8); } else { - DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + DEBUG(15, ("check_signed_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", seq_num + i)); dump_data(5, server_sent_mac, 8); } } @@ -220,10 +197,51 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) if (good) break; } - if (good && i != 1) { - DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1)); + if (good && i != 0) { + DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, seq_num)); + } + return good; +} + +/*********************************************************** + SMB signing - Simple implementation - calculate a MAC to send. +************************************************************/ +static void cli_request_simple_sign_outgoing_message(struct cli_request *req) +{ + struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; + +#if 0 + /* enable this when packet signing is preventing you working out why valgrind + says that data is uninitialised */ + file_save("pkt.dat", req->out.buffer, req->out.size); +#endif + + req->seq_num = data->next_seq_num; + + /* some requests (eg. NTcancel) are one way, and the sequence number + should be increased by 1 not 2 */ + if (req->one_way_request) { + data->next_seq_num += 1; + } else { + data->next_seq_num += 2; } + + sign_outgoing_message(&req->out, &data->mac_key, req->seq_num); +} + +/*********************************************************** + SMB signing - Simple implementation - check a MAC sent by server. +************************************************************/ +static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) +{ + struct smb_basic_signing_context *data + = req->transport->negotiate.sign_info.signing_context; + + BOOL good = check_signed_incoming_message(&req->in, + &data->mac_key, + req->seq_num+1); + return signing_good(req, req->seq_num+1, good); } @@ -247,8 +265,7 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran ************************************************************/ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, const DATA_BLOB user_session_key, - const DATA_BLOB response, - int seq_num) + const DATA_BLOB response) { struct smb_basic_signing_context *data; @@ -271,8 +288,10 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length); } + dump_data_pw("Started Signing with key:\n", data->mac_key.data, data->mac_key.length); + /* Initialise the sequence number */ - data->next_seq_num = seq_num; + data->next_seq_num = 0; transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message; transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message; @@ -332,11 +351,12 @@ BOOL cli_null_set_signing(struct cli_transport *transport) static void cli_request_temp_sign_outgoing_message(struct cli_request *req) { /* mark the packet as signed - BEFORE we sign it...*/ - mark_packet_signed(req); + mark_packet_signed(&req->out); /* I wonder what BSRSPYL stands for - but this is what MS actually sends! */ memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8); + return; } -- cgit From f1a215f5cb174a0bfe50f288fbd998c8fabb0b63 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Jul 2004 10:13:34 +0000 Subject: r1604: Samba4 avoids memcpy() as much as possible - we don't need to make a copy here. Andrew Bartlett (This used to be commit 9efc94eeafbf0eb4488c53a1456cc7026c937f9f) --- source4/libcli/raw/smb_signing.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 20f8921acb..80615f2d72 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -143,7 +143,7 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key { BOOL good; uint8_t calc_md5_mac[16]; - uint8_t server_sent_mac[8]; + uint8_t *server_sent_mac; uint8_t sequence_buf[8]; struct MD5Context md5_ctx; const size_t offset_end_of_sig = (HDR_SS_FIELD + 8); @@ -166,7 +166,7 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key SIVAL(sequence_buf, 4, 0); /* get a copy of the server-sent mac */ - memcpy(server_sent_mac, &in->hdr[HDR_SS_FIELD], sizeof(server_sent_mac)); + server_sent_mac = &in->hdr[HDR_SS_FIELD]; /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ MD5Init(&md5_ctx); -- cgit From 53781e9d37b9adb1cf2d5be2a6ae6c1f5ace26c9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 3 Aug 2004 06:52:06 +0000 Subject: r1633: fixed a couple of async oplock handling errors (This used to be commit d7e2f39b90122088e94d4a8e8c7ffa7c91d7d664) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 80615f2d72..9c02fe50ec 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -220,7 +220,7 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) /* some requests (eg. NTcancel) are one way, and the sequence number should be increased by 1 not 2 */ - if (req->one_way_request) { + if (req->sign_single_increment) { data->next_seq_num += 1; } else { data->next_seq_num += 2; -- cgit From c5fbb6f23c2d399c7510bc552cdb1a27b1ef66a8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 4 Aug 2004 13:23:35 +0000 Subject: r1654: rename cli_ -> smbcli_ rename CLI_ -> SMBCLI_ metze (This used to be commit 8441750fd9427dd6fe477f27e603821b4026f038) --- source4/libcli/raw/smb_signing.c | 62 ++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 31 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 9c02fe50ec..ddde58fd88 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -30,7 +30,7 @@ struct smb_basic_signing_context { /*********************************************************** SMB signing - Common code before we set a new signing implementation ************************************************************/ -static BOOL set_smb_signing_common(struct cli_transport *transport) +static BOOL set_smb_signing_common(struct smbcli_transport *transport) { if (!(transport->negotiate.sec_mode & (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { @@ -58,7 +58,7 @@ static BOOL set_smb_signing_common(struct cli_transport *transport) /*********************************************************** SMB signing - Common code for 'real' implementations ************************************************************/ -static BOOL set_smb_signing_real_common(struct cli_transport *transport) +static BOOL set_smb_signing_real_common(struct smbcli_transport *transport) { if (transport->negotiate.sign_info.mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); @@ -77,7 +77,7 @@ static void mark_packet_signed(struct request_buffer *out) SSVAL(out->hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct cli_request *req, unsigned int seq, BOOL good) +static BOOL signing_good(struct smbcli_request *req, unsigned int seq, BOOL good) { if (good) { if (!req->transport->negotiate.sign_info.doing_signing) { @@ -96,7 +96,7 @@ static BOOL signing_good(struct cli_request *req, unsigned int seq, BOOL good) req->transport->negotiate.sign_info.doing_signing = False; if (req->transport->negotiate.sign_info.free_signing_context) req->transport->negotiate.sign_info.free_signing_context(req->transport); - cli_null_set_signing(req->transport); + smbcli_null_set_signing(req->transport); return True; } else { /* bad packet after signing started - fail and disconnect. */ @@ -206,7 +206,7 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key /*********************************************************** SMB signing - Simple implementation - calculate a MAC to send. ************************************************************/ -static void cli_request_simple_sign_outgoing_message(struct cli_request *req) +static void smbcli_request_simple_sign_outgoing_message(struct smbcli_request *req) { struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; @@ -233,7 +233,7 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) /*********************************************************** SMB signing - Simple implementation - check a MAC sent by server. ************************************************************/ -static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) +static BOOL smbcli_request_simple_check_incoming_message(struct smbcli_request *req) { struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; @@ -249,7 +249,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) /*********************************************************** SMB signing - Simple implementation - free signing context ************************************************************/ -static void cli_transport_simple_free_signing_context(struct cli_transport *transport) +static void smbcli_transport_simple_free_signing_context(struct smbcli_transport *transport) { struct smb_basic_signing_context *data = transport->negotiate.sign_info.signing_context; @@ -263,7 +263,7 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL cli_transport_simple_set_signing(struct cli_transport *transport, +BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, const DATA_BLOB user_session_key, const DATA_BLOB response) { @@ -293,9 +293,9 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, /* Initialise the sequence number */ data->next_seq_num = 0; - transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = cli_transport_simple_free_signing_context; + transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_simple_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = smbcli_request_simple_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = smbcli_transport_simple_free_signing_context; return True; } @@ -304,7 +304,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, /*********************************************************** SMB signing - NULL implementation - calculate a MAC to send. ************************************************************/ -static void cli_request_null_sign_outgoing_message(struct cli_request *req) +static void smbcli_request_null_sign_outgoing_message(struct smbcli_request *req) { /* we can't zero out the sig, as we might be trying to send a transport request - which is NBT-level, not SMB level and doesn't @@ -315,7 +315,7 @@ static void cli_request_null_sign_outgoing_message(struct cli_request *req) /*********************************************************** SMB signing - NULL implementation - check a MAC sent by server. ************************************************************/ -static BOOL cli_request_null_check_incoming_message(struct cli_request *req) +static BOOL smbcli_request_null_check_incoming_message(struct smbcli_request *req) { return True; } @@ -324,7 +324,7 @@ static BOOL cli_request_null_check_incoming_message(struct cli_request *req) /*********************************************************** SMB signing - NULL implementation - free signing context ************************************************************/ -static void cli_null_free_signing_context(struct cli_transport *transport) +static void smbcli_null_free_signing_context(struct smbcli_transport *transport) { } @@ -334,13 +334,13 @@ static void cli_null_free_signing_context(struct cli_transport *transport) @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -BOOL cli_null_set_signing(struct cli_transport *transport) +BOOL smbcli_null_set_signing(struct smbcli_transport *transport) { transport->negotiate.sign_info.signing_context = NULL; - transport->negotiate.sign_info.sign_outgoing_message = cli_request_null_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = cli_request_null_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = cli_null_free_signing_context; + transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_null_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = smbcli_request_null_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = smbcli_null_free_signing_context; return True; } @@ -348,7 +348,7 @@ BOOL cli_null_set_signing(struct cli_transport *transport) /*********************************************************** SMB signing - TEMP implementation - calculate a MAC to send. ************************************************************/ -static void cli_request_temp_sign_outgoing_message(struct cli_request *req) +static void smbcli_request_temp_sign_outgoing_message(struct smbcli_request *req) { /* mark the packet as signed - BEFORE we sign it...*/ mark_packet_signed(&req->out); @@ -363,7 +363,7 @@ static void cli_request_temp_sign_outgoing_message(struct cli_request *req) /*********************************************************** SMB signing - TEMP implementation - check a MAC sent by server. ************************************************************/ -static BOOL cli_request_temp_check_incoming_message(struct cli_request *req) +static BOOL smbcli_request_temp_check_incoming_message(struct smbcli_request *req) { return True; } @@ -371,7 +371,7 @@ static BOOL cli_request_temp_check_incoming_message(struct cli_request *req) /*********************************************************** SMB signing - NULL implementation - free signing context ************************************************************/ -static void cli_temp_free_signing_context(struct cli_transport *transport) +static void smbcli_temp_free_signing_context(struct smbcli_transport *transport) { return; } @@ -382,7 +382,7 @@ static void cli_temp_free_signing_context(struct cli_transport *transport) @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -BOOL cli_temp_set_signing(struct cli_transport *transport) +BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) { if (!set_smb_signing_common(transport)) { return False; @@ -390,9 +390,9 @@ BOOL cli_temp_set_signing(struct cli_transport *transport) transport->negotiate.sign_info.signing_context = NULL; - transport->negotiate.sign_info.sign_outgoing_message = cli_request_temp_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = cli_request_temp_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = cli_temp_free_signing_context; + transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_temp_sign_outgoing_message; + transport->negotiate.sign_info.check_incoming_message = smbcli_request_temp_check_incoming_message; + transport->negotiate.sign_info.free_signing_context = smbcli_temp_free_signing_context; return True; } @@ -400,20 +400,20 @@ BOOL cli_temp_set_signing(struct cli_transport *transport) /** * Free the signing context */ -void cli_transport_free_signing_context(struct cli_transport *transport) +void smbcli_transport_free_signing_context(struct smbcli_transport *transport) { if (transport->negotiate.sign_info.free_signing_context) { transport->negotiate.sign_info.free_signing_context(transport); } - cli_null_set_signing(transport); + smbcli_null_set_signing(transport); } /** * Sign a packet with the current mechanism */ -void cli_request_calculate_sign_mac(struct cli_request *req) +void smbcli_request_calculate_sign_mac(struct smbcli_request *req) { req->transport->negotiate.sign_info.sign_outgoing_message(req); } @@ -424,7 +424,7 @@ void cli_request_calculate_sign_mac(struct cli_request *req) * @return False if we had an established signing connection * which had a back checksum, True otherwise */ -BOOL cli_request_check_sign_mac(struct cli_request *req) +BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) { BOOL good; @@ -442,9 +442,9 @@ BOOL cli_request_check_sign_mac(struct cli_request *req) } -BOOL cli_init_signing(struct cli_transport *transport) +BOOL smbcli_init_signing(struct smbcli_transport *transport) { - if (!cli_null_set_signing(transport)) { + if (!smbcli_null_set_signing(transport)) { return False; } -- cgit From 6ffaf57fe715419bf3aa677027548161b642d17e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Aug 2004 04:38:03 +0000 Subject: r1686: Don't use a void* for the context inside the SMB signing code. Andrew Bartlett (This used to be commit 64fcd8ecebabdd09fed6b65e3c436bffc1da9de7) --- source4/libcli/raw/smb_signing.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index ddde58fd88..ffbecb85fc 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -22,11 +22,6 @@ #include "includes.h" -struct smb_basic_signing_context { - DATA_BLOB mac_key; - uint32_t next_seq_num; -}; - /*********************************************************** SMB signing - Common code before we set a new signing implementation ************************************************************/ -- cgit From 5a79e6cf484cd27092217a8e739e6d79bb8b12e9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Aug 2004 16:15:21 +0000 Subject: r1725: Remove a silly 'utility' function. Andrew Bartlett (This used to be commit 4d563d7e4afad1c5f583aca3f42087bfff0fb895) --- source4/libcli/raw/smb_signing.c | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index ffbecb85fc..b65513ebce 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -50,20 +50,6 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) return True; } -/*********************************************************** - SMB signing - Common code for 'real' implementations -************************************************************/ -static BOOL set_smb_signing_real_common(struct smbcli_transport *transport) -{ - if (transport->negotiate.sign_info.mandatory_signing) { - DEBUG(5, ("Mandatory SMB signing enabled!\n")); - } - - DEBUG(5, ("SMB signing enabled!\n")); - - return True; -} - static void mark_packet_signed(struct request_buffer *out) { uint16_t flags2; @@ -268,10 +254,12 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, return False; } - if (!set_smb_signing_real_common(transport)) { - return False; + if (transport->negotiate.sign_info.mandatory_signing) { + DEBUG(5, ("Mandatory SMB signing enabled!\n")); } + DEBUG(5, ("SMB signing enabled!\n")); + data = smb_xmalloc(sizeof(*data)); transport->negotiate.sign_info.signing_context = data; -- cgit From d9ff454a87410d4756cd61612bfb4aa768301be5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Aug 2004 18:05:30 +0000 Subject: r1729: Make the SMB signing code more generic (to share more between client and servers). Andrew Bartlett (This used to be commit b90b04e84bc8add235cf9ee7797a608ff48c4ca0) --- source4/libcli/raw/smb_signing.c | 99 +++++++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 42 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index b65513ebce..c1fad1eaf8 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -41,7 +41,8 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) } if (transport->negotiate.sign_info.free_signing_context) - transport->negotiate.sign_info.free_signing_context(transport); + transport->negotiate.sign_info + .free_signing_context(&transport->negotiate.sign_info); /* These calls are INCOMPATIBLE with SMB signing */ transport->negotiate.readbraw_supported = False; @@ -58,26 +59,27 @@ static void mark_packet_signed(struct request_buffer *out) SSVAL(out->hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct smbcli_request *req, unsigned int seq, BOOL good) +static BOOL signing_good(struct smb_signing_context *sign_info, + unsigned int seq, BOOL good) { if (good) { - if (!req->transport->negotiate.sign_info.doing_signing) { - req->transport->negotiate.sign_info.doing_signing = True; + if (!sign_info->doing_signing) { + sign_info->doing_signing = True; } - if (!req->transport->negotiate.sign_info.seen_valid) { - req->transport->negotiate.sign_info.seen_valid = True; + if (!sign_info->seen_valid) { + sign_info->seen_valid = True; } } else { - if (!req->transport->negotiate.sign_info.seen_valid) { + if (!sign_info->seen_valid) { /* If we have never seen a good packet, just turn it off */ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); - req->transport->negotiate.sign_info.negotiated_smb_signing = False; - req->transport->negotiate.sign_info.allow_smb_signing = False; - req->transport->negotiate.sign_info.doing_signing = False; - if (req->transport->negotiate.sign_info.free_signing_context) - req->transport->negotiate.sign_info.free_signing_context(req->transport); - smbcli_null_set_signing(req->transport); + sign_info->negotiated_smb_signing = False; + sign_info->allow_smb_signing = False; + sign_info->doing_signing = False; + if (sign_info->free_signing_context) + sign_info->free_signing_context(sign_info); + smbcli_null_set_signing(sign_info); return True; } else { /* bad packet after signing started - fail and disconnect. */ @@ -223,45 +225,41 @@ static BOOL smbcli_request_simple_check_incoming_message(struct smbcli_request * &data->mac_key, req->seq_num+1); - return signing_good(req, req->seq_num+1, good); + return signing_good(&req->transport->negotiate.sign_info, + req->seq_num+1, good); } /*********************************************************** SMB signing - Simple implementation - free signing context ************************************************************/ -static void smbcli_transport_simple_free_signing_context(struct smbcli_transport *transport) +static void smbcli_transport_simple_free_signing_context(struct smb_signing_context *sign_info) { - struct smb_basic_signing_context *data = transport->negotiate.sign_info.signing_context; + struct smb_basic_signing_context *data = sign_info->signing_context; data_blob_free(&data->mac_key); - SAFE_FREE(transport->negotiate.sign_info.signing_context); + SAFE_FREE(sign_info->signing_context); return; } - /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, - const DATA_BLOB user_session_key, - const DATA_BLOB response) +BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, + const DATA_BLOB user_session_key, + const DATA_BLOB response) { struct smb_basic_signing_context *data; - if (!set_smb_signing_common(transport)) { - return False; - } - - if (transport->negotiate.sign_info.mandatory_signing) { + if (sign_info->mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); } DEBUG(5, ("SMB signing enabled!\n")); data = smb_xmalloc(sizeof(*data)); - transport->negotiate.sign_info.signing_context = data; + sign_info->signing_context = data; data->mac_key = data_blob(NULL, response.length + user_session_key.length); @@ -276,14 +274,31 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, /* Initialise the sequence number */ data->next_seq_num = 0; - transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_simple_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = smbcli_request_simple_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = smbcli_transport_simple_free_signing_context; + sign_info->sign_outgoing_message = smbcli_request_simple_sign_outgoing_message; + sign_info->check_incoming_message = smbcli_request_simple_check_incoming_message; + sign_info->free_signing_context = smbcli_transport_simple_free_signing_context; return True; } +/*********************************************************** + SMB signing - Simple implementation - setup the MAC key. +************************************************************/ +BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, + const DATA_BLOB user_session_key, + const DATA_BLOB response) +{ + if (!set_smb_signing_common(transport)) { + return False; + } + + return smbcli_simple_set_signing(&transport->negotiate.sign_info, + user_session_key, + response); +} + + /*********************************************************** SMB signing - NULL implementation - calculate a MAC to send. ************************************************************/ @@ -307,7 +322,7 @@ static BOOL smbcli_request_null_check_incoming_message(struct smbcli_request *re /*********************************************************** SMB signing - NULL implementation - free signing context ************************************************************/ -static void smbcli_null_free_signing_context(struct smbcli_transport *transport) +static void smbcli_null_free_signing_context(struct smb_signing_context *sign_info) { } @@ -317,13 +332,13 @@ static void smbcli_null_free_signing_context(struct smbcli_transport *transport) @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -BOOL smbcli_null_set_signing(struct smbcli_transport *transport) +BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) { - transport->negotiate.sign_info.signing_context = NULL; + sign_info->signing_context = NULL; - transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_null_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = smbcli_request_null_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = smbcli_null_free_signing_context; + sign_info->sign_outgoing_message = smbcli_request_null_sign_outgoing_message; + sign_info->check_incoming_message = smbcli_request_null_check_incoming_message; + sign_info->free_signing_context = smbcli_null_free_signing_context; return True; } @@ -354,7 +369,7 @@ static BOOL smbcli_request_temp_check_incoming_message(struct smbcli_request *re /*********************************************************** SMB signing - NULL implementation - free signing context ************************************************************/ -static void smbcli_temp_free_signing_context(struct smbcli_transport *transport) +static void smbcli_temp_free_signing_context(struct smb_signing_context *sign_info) { return; } @@ -383,13 +398,13 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) /** * Free the signing context */ -void smbcli_transport_free_signing_context(struct smbcli_transport *transport) +void smbcli_transport_free_signing_context(struct smb_signing_context *sign_info) { - if (transport->negotiate.sign_info.free_signing_context) { - transport->negotiate.sign_info.free_signing_context(transport); + if (sign_info->free_signing_context) { + sign_info->free_signing_context(sign_info); } - smbcli_null_set_signing(transport); + smbcli_null_set_signing(sign_info); } @@ -427,7 +442,7 @@ BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) BOOL smbcli_init_signing(struct smbcli_transport *transport) { - if (!smbcli_null_set_signing(transport)) { + if (!smbcli_null_set_signing(&transport->negotiate.sign_info)) { return False; } -- cgit From ca72bdfecbea2e332821bc292b4bb34f6c96ac2e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Aug 2004 19:29:22 +0000 Subject: r1735: Clean up SMB signing - we don't have more than one 'real' way to sign a packet, so don't pretend we do... Andrew Bartlett (This used to be commit 68a6d5aeb35e8972182fffbb6cc506f89584b2d5) --- source4/libcli/raw/smb_signing.c | 45 +++++++++++++--------------------------- 1 file changed, 14 insertions(+), 31 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index c1fad1eaf8..adfccda65a 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -74,7 +74,6 @@ static BOOL signing_good(struct smb_signing_context *sign_info, /* If we have never seen a good packet, just turn it off */ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); - sign_info->negotiated_smb_signing = False; sign_info->allow_smb_signing = False; sign_info->doing_signing = False; if (sign_info->free_signing_context) @@ -191,25 +190,25 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key ************************************************************/ static void smbcli_request_simple_sign_outgoing_message(struct smbcli_request *req) { - struct smb_basic_signing_context *data = req->transport->negotiate.sign_info.signing_context; - #if 0 /* enable this when packet signing is preventing you working out why valgrind says that data is uninitialised */ file_save("pkt.dat", req->out.buffer, req->out.size); #endif - req->seq_num = data->next_seq_num; + req->seq_num = req->transport->negotiate.sign_info.next_seq_num; /* some requests (eg. NTcancel) are one way, and the sequence number should be increased by 1 not 2 */ if (req->sign_single_increment) { - data->next_seq_num += 1; + req->transport->negotiate.sign_info.next_seq_num += 1; } else { - data->next_seq_num += 2; + req->transport->negotiate.sign_info.next_seq_num += 2; } - sign_outgoing_message(&req->out, &data->mac_key, req->seq_num); + sign_outgoing_message(&req->out, + &req->transport->negotiate.sign_info.mac_key, + req->seq_num); } @@ -218,11 +217,8 @@ static void smbcli_request_simple_sign_outgoing_message(struct smbcli_request *r ************************************************************/ static BOOL smbcli_request_simple_check_incoming_message(struct smbcli_request *req) { - struct smb_basic_signing_context *data - = req->transport->negotiate.sign_info.signing_context; - BOOL good = check_signed_incoming_message(&req->in, - &data->mac_key, + &req->transport->negotiate.sign_info.mac_key, req->seq_num+1); return signing_good(&req->transport->negotiate.sign_info, @@ -235,11 +231,7 @@ static BOOL smbcli_request_simple_check_incoming_message(struct smbcli_request * ************************************************************/ static void smbcli_transport_simple_free_signing_context(struct smb_signing_context *sign_info) { - struct smb_basic_signing_context *data = sign_info->signing_context; - - data_blob_free(&data->mac_key); - SAFE_FREE(sign_info->signing_context); - + data_blob_free(&sign_info->mac_key); return; } @@ -250,29 +242,24 @@ BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, const DATA_BLOB user_session_key, const DATA_BLOB response) { - struct smb_basic_signing_context *data; - if (sign_info->mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); } DEBUG(5, ("SMB signing enabled!\n")); - data = smb_xmalloc(sizeof(*data)); - sign_info->signing_context = data; - - data->mac_key = data_blob(NULL, response.length + user_session_key.length); + sign_info->mac_key = data_blob(NULL, response.length + user_session_key.length); - memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length); + memcpy(&sign_info->mac_key.data[0], user_session_key.data, user_session_key.length); if (response.length) { - memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length); + memcpy(&sign_info->mac_key.data[user_session_key.length],response.data, response.length); } - dump_data_pw("Started Signing with key:\n", data->mac_key.data, data->mac_key.length); + dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length); /* Initialise the sequence number */ - data->next_seq_num = 0; + sign_info->next_seq_num = 0; sign_info->sign_outgoing_message = smbcli_request_simple_sign_outgoing_message; sign_info->check_incoming_message = smbcli_request_simple_check_incoming_message; @@ -334,8 +321,6 @@ static void smbcli_null_free_signing_context(struct smb_signing_context *sign_in */ BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) { - sign_info->signing_context = NULL; - sign_info->sign_outgoing_message = smbcli_request_null_sign_outgoing_message; sign_info->check_incoming_message = smbcli_request_null_check_incoming_message; sign_info->free_signing_context = smbcli_null_free_signing_context; @@ -344,7 +329,7 @@ BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) } /*********************************************************** - SMB signing - TEMP implementation - calculate a MAC to send. + SMB signing - TEMP implementation (send BSRSPYL during SPNEGO) - calculate a MAC to send. ************************************************************/ static void smbcli_request_temp_sign_outgoing_message(struct smbcli_request *req) { @@ -386,8 +371,6 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) return False; } - transport->negotiate.sign_info.signing_context = NULL; - transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_temp_sign_outgoing_message; transport->negotiate.sign_info.check_incoming_message = smbcli_request_temp_check_incoming_message; transport->negotiate.sign_info.free_signing_context = smbcli_temp_free_signing_context; -- cgit From ffcfb97fb3d065e8c37d7f2de8b688d1e570a47b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 12 Aug 2004 00:04:52 +0000 Subject: r1745: More work on cleaning up SMB signing. This removes the function pointer mess from the SMB signing code. Andrew Bartlett (This used to be commit 8830603e4bc821a11db87072a32a51b076a28e06) --- source4/libcli/raw/smb_signing.c | 288 +++++++++++++++------------------------ 1 file changed, 109 insertions(+), 179 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index adfccda65a..03794829c2 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -21,6 +21,8 @@ */ #include "includes.h" +static void smbcli_free_signing_context(struct smb_signing_context *sign_info); +static BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info); /*********************************************************** SMB signing - Common code before we set a new signing implementation @@ -40,9 +42,7 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) return False; } - if (transport->negotiate.sign_info.free_signing_context) - transport->negotiate.sign_info - .free_signing_context(&transport->negotiate.sign_info); + smbcli_free_signing_context(&transport->negotiate.sign_info); /* These calls are INCOMPATIBLE with SMB signing */ transport->negotiate.readbraw_supported = False; @@ -74,10 +74,9 @@ static BOOL signing_good(struct smb_signing_context *sign_info, /* If we have never seen a good packet, just turn it off */ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); - sign_info->allow_smb_signing = False; sign_info->doing_signing = False; - if (sign_info->free_signing_context) - sign_info->free_signing_context(sign_info); + smbcli_free_signing_context(sign_info); + smbcli_null_set_signing(sign_info); return True; } else { @@ -188,7 +187,7 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key /*********************************************************** SMB signing - Simple implementation - calculate a MAC to send. ************************************************************/ -static void smbcli_request_simple_sign_outgoing_message(struct smbcli_request *req) +void smbcli_request_calculate_sign_mac(struct smbcli_request *req) { #if 0 /* enable this when packet signing is preventing you working out why valgrind @@ -196,51 +195,121 @@ static void smbcli_request_simple_sign_outgoing_message(struct smbcli_request *r file_save("pkt.dat", req->out.buffer, req->out.size); #endif - req->seq_num = req->transport->negotiate.sign_info.next_seq_num; - - /* some requests (eg. NTcancel) are one way, and the sequence number - should be increased by 1 not 2 */ - if (req->sign_single_increment) { - req->transport->negotiate.sign_info.next_seq_num += 1; - } else { - req->transport->negotiate.sign_info.next_seq_num += 2; + switch (req->transport->negotiate.sign_info.signing_state) { + case SMB_SIGNING_ENGINE_OFF: + break; + + case SMB_SIGNING_ENGINE_BSRSPYL: + /* mark the packet as signed - BEFORE we sign it...*/ + mark_packet_signed(&req->out); + + /* I wonder what BSRSPYL stands for - but this is what MS + actually sends! */ + memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8); + break; + + case SMB_SIGNING_ENGINE_ON: + + req->seq_num = req->transport->negotiate.sign_info.next_seq_num; + + /* some requests (eg. NTcancel) are one way, and the sequence number + should be increased by 1 not 2 */ + if (req->sign_single_increment) { + req->transport->negotiate.sign_info.next_seq_num += 1; + } else { + req->transport->negotiate.sign_info.next_seq_num += 2; + } + + sign_outgoing_message(&req->out, + &req->transport->negotiate.sign_info.mac_key, + req->seq_num); + break; } - - sign_outgoing_message(&req->out, - &req->transport->negotiate.sign_info.mac_key, - req->seq_num); + return; } -/*********************************************************** - SMB signing - Simple implementation - check a MAC sent by server. -************************************************************/ -static BOOL smbcli_request_simple_check_incoming_message(struct smbcli_request *req) +/** + SMB signing - NULL implementation - setup the MAC key. + + @note Used as an initialisation only - it will not correctly + shut down a real signing mechanism +*/ +static BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) { - BOOL good = check_signed_incoming_message(&req->in, - &req->transport->negotiate.sign_info.mac_key, - req->seq_num+1); - - return signing_good(&req->transport->negotiate.sign_info, - req->seq_num+1, good); + sign_info->mac_key = data_blob(NULL, 0); + sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; + return True; } +/** + SMB signing - TEMP implementation - setup the MAC key. + + @note Used as an initialisation only - it will not correctly + shut down a real signing mechanism +*/ +BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) +{ + if (!set_smb_signing_common(transport)) { + return False; + } + + transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); + transport->negotiate.sign_info.signing_state = SMB_SIGNING_ENGINE_BSRSPYL; + + return True; +} + +/** + * Free the signing context + */ +static void smbcli_free_signing_context(struct smb_signing_context *sign_info) +{ + data_blob_free(&sign_info->mac_key); + smbcli_null_set_signing(sign_info); +} /*********************************************************** - SMB signing - Simple implementation - free signing context + SMB signing - Simple implementation - check a MAC sent by server. ************************************************************/ -static void smbcli_transport_simple_free_signing_context(struct smb_signing_context *sign_info) +/** + * Check a packet supplied by the server. + * @return False if we had an established signing connection + * which had a back checksum, True otherwise + */ +BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) { - data_blob_free(&sign_info->mac_key); - return; + BOOL good; + + switch (req->transport->negotiate.sign_info.signing_state) + { + case SMB_SIGNING_ENGINE_OFF: + return True; + case SMB_SIGNING_ENGINE_BSRSPYL: + case SMB_SIGNING_ENGINE_ON: + { + if (req->in.size < (HDR_SS_FIELD + 8)) { + return False; + } else { + good = check_signed_incoming_message(&req->in, + &req->transport->negotiate.sign_info.mac_key, + req->seq_num+1); + + return signing_good(&req->transport->negotiate.sign_info, + req->seq_num+1, good); + } + } + } + return False; } + /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, - const DATA_BLOB user_session_key, - const DATA_BLOB response) +static BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, + const DATA_BLOB user_session_key, + const DATA_BLOB response) { if (sign_info->mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); @@ -261,9 +330,7 @@ BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, /* Initialise the sequence number */ sign_info->next_seq_num = 0; - sign_info->sign_outgoing_message = smbcli_request_simple_sign_outgoing_message; - sign_info->check_incoming_message = smbcli_request_simple_check_incoming_message; - sign_info->free_signing_context = smbcli_transport_simple_free_signing_context; + sign_info->signing_state = SMB_SIGNING_ENGINE_ON; return True; } @@ -273,8 +340,8 @@ BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, SMB signing - Simple implementation - setup the MAC key. ************************************************************/ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, - const DATA_BLOB user_session_key, - const DATA_BLOB response) + const DATA_BLOB user_session_key, + const DATA_BLOB response) { if (!set_smb_signing_common(transport)) { return False; @@ -286,143 +353,6 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, } -/*********************************************************** - SMB signing - NULL implementation - calculate a MAC to send. -************************************************************/ -static void smbcli_request_null_sign_outgoing_message(struct smbcli_request *req) -{ - /* we can't zero out the sig, as we might be trying to send a - transport request - which is NBT-level, not SMB level and doesn't - have the field */ -} - - -/*********************************************************** - SMB signing - NULL implementation - check a MAC sent by server. -************************************************************/ -static BOOL smbcli_request_null_check_incoming_message(struct smbcli_request *req) -{ - return True; -} - - -/*********************************************************** - SMB signing - NULL implementation - free signing context -************************************************************/ -static void smbcli_null_free_signing_context(struct smb_signing_context *sign_info) -{ -} - -/** - SMB signing - NULL implementation - setup the MAC key. - - @note Used as an initialisation only - it will not correctly - shut down a real signing mechanism -*/ -BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) -{ - sign_info->sign_outgoing_message = smbcli_request_null_sign_outgoing_message; - sign_info->check_incoming_message = smbcli_request_null_check_incoming_message; - sign_info->free_signing_context = smbcli_null_free_signing_context; - - return True; -} - -/*********************************************************** - SMB signing - TEMP implementation (send BSRSPYL during SPNEGO) - calculate a MAC to send. -************************************************************/ -static void smbcli_request_temp_sign_outgoing_message(struct smbcli_request *req) -{ - /* mark the packet as signed - BEFORE we sign it...*/ - mark_packet_signed(&req->out); - - /* I wonder what BSRSPYL stands for - but this is what MS - actually sends! */ - memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8); - - return; -} - -/*********************************************************** - SMB signing - TEMP implementation - check a MAC sent by server. -************************************************************/ -static BOOL smbcli_request_temp_check_incoming_message(struct smbcli_request *req) -{ - return True; -} - -/*********************************************************** - SMB signing - NULL implementation - free signing context -************************************************************/ -static void smbcli_temp_free_signing_context(struct smb_signing_context *sign_info) -{ - return; -} - -/** - SMB signing - TEMP implementation - setup the MAC key. - - @note Used as an initialisation only - it will not correctly - shut down a real signing mechanism -*/ -BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) -{ - if (!set_smb_signing_common(transport)) { - return False; - } - - transport->negotiate.sign_info.sign_outgoing_message = smbcli_request_temp_sign_outgoing_message; - transport->negotiate.sign_info.check_incoming_message = smbcli_request_temp_check_incoming_message; - transport->negotiate.sign_info.free_signing_context = smbcli_temp_free_signing_context; - - return True; -} - -/** - * Free the signing context - */ -void smbcli_transport_free_signing_context(struct smb_signing_context *sign_info) -{ - if (sign_info->free_signing_context) { - sign_info->free_signing_context(sign_info); - } - - smbcli_null_set_signing(sign_info); -} - - -/** - * Sign a packet with the current mechanism - */ -void smbcli_request_calculate_sign_mac(struct smbcli_request *req) -{ - req->transport->negotiate.sign_info.sign_outgoing_message(req); -} - - -/** - * Check a packet with the current mechanism - * @return False if we had an established signing connection - * which had a back checksum, True otherwise - */ -BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) -{ - BOOL good; - - if (req->in.size < (HDR_SS_FIELD + 8)) { - good = False; - } else { - good = req->transport->negotiate.sign_info.check_incoming_message(req); - } - - if (!good && req->transport->negotiate.sign_info.doing_signing) { - return False; - } - - return True; -} - - BOOL smbcli_init_signing(struct smbcli_transport *transport) { if (!smbcli_null_set_signing(&transport->negotiate.sign_info)) { @@ -431,7 +361,7 @@ BOOL smbcli_init_signing(struct smbcli_transport *transport) switch (lp_client_signing()) { case SMB_SIGNING_OFF: - transport->negotiate.sign_info.allow_smb_signing = False; + transport->negotiate.sign_info.allow_smb_signing = False; break; case SMB_SIGNING_SUPPORTED: transport->negotiate.sign_info.allow_smb_signing = True; -- cgit From 912e79ade515451152be6b45cc3cc83a9d286827 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 12 Aug 2004 00:37:01 +0000 Subject: r1746: Remove more cruft from the SMB signing code. Andrew Bartlett (This used to be commit b176151b7294b03534921a26db4fb4be1e5d617c) --- source4/libcli/raw/smb_signing.c | 56 ++++++++++++++-------------------------- 1 file changed, 20 insertions(+), 36 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 03794829c2..09da8e9983 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -21,8 +21,7 @@ */ #include "includes.h" -static void smbcli_free_signing_context(struct smb_signing_context *sign_info); -static BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info); +static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info); /*********************************************************** SMB signing - Common code before we set a new signing implementation @@ -42,8 +41,6 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) return False; } - smbcli_free_signing_context(&transport->negotiate.sign_info); - /* These calls are INCOMPATIBLE with SMB signing */ transport->negotiate.readbraw_supported = False; transport->negotiate.writebraw_supported = False; @@ -74,10 +71,7 @@ static BOOL signing_good(struct smb_signing_context *sign_info, /* If we have never seen a good packet, just turn it off */ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); - sign_info->doing_signing = False; - smbcli_free_signing_context(sign_info); - - smbcli_null_set_signing(sign_info); + smbcli_set_signing_off(sign_info); return True; } else { /* bad packet after signing started - fail and disconnect. */ @@ -162,25 +156,23 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); - if (i == 0) { - if (!good) { - DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", seq_num + i)); - dump_data(5, calc_md5_mac, 8); - - DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", seq_num + i)); - dump_data(5, server_sent_mac, 8); - } else { - DEBUG(15, ("check_signed_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", seq_num + i)); - dump_data(5, server_sent_mac, 8); - } - } - if (good) break; } if (good && i != 0) { DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, seq_num)); } + + if (!good) { + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", seq_num + i)); + dump_data(5, calc_md5_mac, 8); + + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", seq_num + i)); + dump_data(5, server_sent_mac, 8); + } else { + DEBUG(15, ("check_signed_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", seq_num + i)); + dump_data(5, server_sent_mac, 8); + } return good; } @@ -230,14 +222,15 @@ void smbcli_request_calculate_sign_mac(struct smbcli_request *req) /** - SMB signing - NULL implementation - setup the MAC key. + SMB signing - NULL implementation @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -static BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) +static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) { - sign_info->mac_key = data_blob(NULL, 0); + sign_info->doing_signing = False; + data_blob_free(&sign_info->mac_key); sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; return True; } @@ -245,14 +238,13 @@ static BOOL smbcli_null_set_signing(struct smb_signing_context *sign_info) /** SMB signing - TEMP implementation - setup the MAC key. - @note Used as an initialisation only - it will not correctly - shut down a real signing mechanism */ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) { if (!set_smb_signing_common(transport)) { return False; } + smbcli_set_signing_off(&transport->negotiate.sign_info); transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); transport->negotiate.sign_info.signing_state = SMB_SIGNING_ENGINE_BSRSPYL; @@ -260,15 +252,6 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) return True; } -/** - * Free the signing context - */ -static void smbcli_free_signing_context(struct smb_signing_context *sign_info) -{ - data_blob_free(&sign_info->mac_key); - smbcli_null_set_signing(sign_info); -} - /*********************************************************** SMB signing - Simple implementation - check a MAC sent by server. ************************************************************/ @@ -355,7 +338,8 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, BOOL smbcli_init_signing(struct smbcli_transport *transport) { - if (!smbcli_null_set_signing(&transport->negotiate.sign_info)) { + transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); + if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) { return False; } -- cgit From f387277b7fa3dc190a6345394aaf79399b88851f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 12 Aug 2004 07:26:42 +0000 Subject: r1768: Add some debugs to assist in SMB signing debugging. Andrew Bartlett (This used to be commit 32b45fc9e8ff1d0b73bbec1eb1d249af3ec52e46) --- source4/libcli/raw/smb_signing.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 09da8e9983..0b9c2864d3 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -30,14 +30,17 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) { if (!(transport->negotiate.sec_mode & (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { + DEBUG(5, ("SMB Signing is not negotiated by the peer\n")); return False; } if (transport->negotiate.sign_info.doing_signing) { + DEBUG(5, ("SMB Signing already in progress, so we don't start it again\n")); return False; } if (!transport->negotiate.sign_info.allow_smb_signing) { + DEBUG(5, ("SMB Signing has been locally disabled\n")); return False; } @@ -61,9 +64,11 @@ static BOOL signing_good(struct smb_signing_context *sign_info, { if (good) { if (!sign_info->doing_signing) { + DEBUG(5, ("Seen valid packet, so turning signing on\n")); sign_info->doing_signing = True; } if (!sign_info->seen_valid) { + DEBUG(5, ("Seen valid packet, so marking signing as 'seen valid'\n")); sign_info->seen_valid = True; } } else { @@ -130,6 +135,11 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key return False; } + if (!mac_key->length) { + /* NO key yet */ + return False; + } + /* its quite bogus to be guessing sequence numbers, but very useful when debugging signing implementations */ for (i = 0-sign_range; i <= 0+sign_range; i++) { @@ -229,6 +239,7 @@ void smbcli_request_calculate_sign_mac(struct smbcli_request *req) */ static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) { + DEBUG(5, ("Shutdown SMB signing\n")); sign_info->doing_signing = False; data_blob_free(&sign_info->mac_key); sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; @@ -244,6 +255,7 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) if (!set_smb_signing_common(transport)) { return False; } + DEBUG(5, ("BSRSPYL SMB signing enabled\n")); smbcli_set_signing_off(&transport->negotiate.sign_info); transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); -- cgit From 7b088a8f654f34911928dcdf320ca3cf79592aed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 13 Aug 2004 00:16:57 +0000 Subject: r1796: Enable server-side SPNEGO, now that I have fixed the server-side SMB signing code to be able to cope. Andrew Bartlett (This used to be commit cb74d52b563730a50e33c92d868c45ee96a598e8) --- source4/libcli/raw/smb_signing.c | 109 ++++++++++++++++++++++++--------------- 1 file changed, 66 insertions(+), 43 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 0b9c2864d3..bd29abe3e6 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -21,26 +21,37 @@ */ #include "includes.h" -static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info); /*********************************************************** SMB signing - Common code before we set a new signing implementation ************************************************************/ -static BOOL set_smb_signing_common(struct smbcli_transport *transport) +BOOL set_smb_signing_common(struct smb_signing_context *sign_info) { - if (!(transport->negotiate.sec_mode & - (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { - DEBUG(5, ("SMB Signing is not negotiated by the peer\n")); + if (sign_info->doing_signing) { + DEBUG(5, ("SMB Signing already in progress, so we don't start it again\n")); return False; } - if (transport->negotiate.sign_info.doing_signing) { - DEBUG(5, ("SMB Signing already in progress, so we don't start it again\n")); + if (!sign_info->allow_smb_signing) { + DEBUG(5, ("SMB Signing has been locally disabled\n")); return False; } - if (!transport->negotiate.sign_info.allow_smb_signing) { - DEBUG(5, ("SMB Signing has been locally disabled\n")); + return True; +} + +/*********************************************************** + SMB signing - Common code before we set a new signing implementation +************************************************************/ +static BOOL smbcli_set_smb_signing_common(struct smbcli_transport *transport) +{ + if (!set_smb_signing_common(&transport->negotiate.sign_info)) { + return False; + } + + if (!(transport->negotiate.sec_mode & + (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { + DEBUG(5, ("SMB Signing is not negotiated by the peer\n")); return False; } @@ -51,7 +62,7 @@ static BOOL set_smb_signing_common(struct smbcli_transport *transport) return True; } -static void mark_packet_signed(struct request_buffer *out) +void mark_packet_signed(struct request_buffer *out) { uint16_t flags2; flags2 = SVAL(out->hdr, HDR_FLG2); @@ -59,7 +70,7 @@ static void mark_packet_signed(struct request_buffer *out) SSVAL(out->hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct smb_signing_context *sign_info, +BOOL signing_good(struct smb_signing_context *sign_info, unsigned int seq, BOOL good) { if (good) { @@ -166,6 +177,19 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); + if (i == 0) { + if (!good) { + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", seq_num + i)); + dump_data(5, calc_md5_mac, 8); + + DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", seq_num + i)); + dump_data(5, server_sent_mac, 8); + } else { + DEBUG(15, ("check_signed_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", seq_num + i)); + dump_data(5, server_sent_mac, 8); + } + } + if (good) break; } @@ -173,17 +197,20 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, seq_num)); } - if (!good) { - DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", seq_num + i)); - dump_data(5, calc_md5_mac, 8); - - DEBUG(5, ("check_signed_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", seq_num + i)); - dump_data(5, server_sent_mac, 8); + return good; +} + +static void smbcli_req_allocate_seq_num(struct smbcli_request *req) +{ + req->seq_num = req->transport->negotiate.sign_info.next_seq_num; + + /* some requests (eg. NTcancel) are one way, and the sequence number + should be increased by 1 not 2 */ + if (req->sign_single_increment) { + req->transport->negotiate.sign_info.next_seq_num += 1; } else { - DEBUG(15, ("check_signed_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", seq_num + i)); - dump_data(5, server_sent_mac, 8); + req->transport->negotiate.sign_info.next_seq_num += 2; } - return good; } /*********************************************************** @@ -212,16 +239,7 @@ void smbcli_request_calculate_sign_mac(struct smbcli_request *req) case SMB_SIGNING_ENGINE_ON: - req->seq_num = req->transport->negotiate.sign_info.next_seq_num; - - /* some requests (eg. NTcancel) are one way, and the sequence number - should be increased by 1 not 2 */ - if (req->sign_single_increment) { - req->transport->negotiate.sign_info.next_seq_num += 1; - } else { - req->transport->negotiate.sign_info.next_seq_num += 2; - } - + smbcli_req_allocate_seq_num(req); sign_outgoing_message(&req->out, &req->transport->negotiate.sign_info.mac_key, req->seq_num); @@ -237,10 +255,11 @@ void smbcli_request_calculate_sign_mac(struct smbcli_request *req) @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) +BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) { DEBUG(5, ("Shutdown SMB signing\n")); sign_info->doing_signing = False; + sign_info->next_seq_num = 0; data_blob_free(&sign_info->mac_key); sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; return True; @@ -252,7 +271,7 @@ static BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) */ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) { - if (!set_smb_signing_common(transport)) { + if (!smbcli_set_smb_signing_common(transport)) { return False; } DEBUG(5, ("BSRSPYL SMB signing enabled\n")); @@ -302,9 +321,9 @@ BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -static BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, - const DATA_BLOB user_session_key, - const DATA_BLOB response) +BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, + const DATA_BLOB *user_session_key, + const DATA_BLOB *response) { if (sign_info->mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); @@ -312,12 +331,16 @@ static BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, DEBUG(5, ("SMB signing enabled!\n")); - sign_info->mac_key = data_blob(NULL, response.length + user_session_key.length); - - memcpy(&sign_info->mac_key.data[0], user_session_key.data, user_session_key.length); + if (response && response->length) { + sign_info->mac_key = data_blob(NULL, response->length + user_session_key->length); + } else { + sign_info->mac_key = data_blob(NULL, user_session_key->length); + } + + memcpy(&sign_info->mac_key.data[0], user_session_key->data, user_session_key->length); - if (response.length) { - memcpy(&sign_info->mac_key.data[user_session_key.length],response.data, response.length); + if (response && response->length) { + memcpy(&sign_info->mac_key.data[user_session_key->length],response->data, response->length); } dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length); @@ -338,13 +361,13 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, const DATA_BLOB user_session_key, const DATA_BLOB response) { - if (!set_smb_signing_common(transport)) { + if (!smbcli_set_smb_signing_common(transport)) { return False; } return smbcli_simple_set_signing(&transport->negotiate.sign_info, - user_session_key, - response); + &user_session_key, + &response); } -- cgit From 729d17c27013eae731a97ac8413135c93244bca6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 12:51:49 +0000 Subject: r2664: fixed the final server leak for normal operation. We now get a clean report from --leak-check (This used to be commit 1ff41bbcae8dc7514a85d69679e44dc7c5b0342f) --- source4/libcli/raw/smb_signing.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index bd29abe3e6..9ba385e062 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -321,7 +321,8 @@ BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, +BOOL smbcli_simple_set_signing(TALLOC_CTX *mem_ctx, + struct smb_signing_context *sign_info, const DATA_BLOB *user_session_key, const DATA_BLOB *response) { @@ -332,9 +333,9 @@ BOOL smbcli_simple_set_signing(struct smb_signing_context *sign_info, DEBUG(5, ("SMB signing enabled!\n")); if (response && response->length) { - sign_info->mac_key = data_blob(NULL, response->length + user_session_key->length); + sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, response->length + user_session_key->length); } else { - sign_info->mac_key = data_blob(NULL, user_session_key->length); + sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, user_session_key->length); } memcpy(&sign_info->mac_key.data[0], user_session_key->data, user_session_key->length); @@ -365,7 +366,8 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, return False; } - return smbcli_simple_set_signing(&transport->negotiate.sign_info, + return smbcli_simple_set_signing(transport, + &transport->negotiate.sign_info, &user_session_key, &response); } -- cgit From 971754c0ed8613b1897041bc5e5b67d1e3b68abe Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 Oct 2004 17:40:41 +0000 Subject: r3295: Fix for SMB signing with 56-bit DES session keys. From Nalin Dahyabhai . Jeremy. (This used to be commit afed78f359a15809b2d9b7566e16ade294944fa9) --- source4/libcli/raw/smb_signing.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 9ba385e062..e1d7b071f2 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -102,6 +102,8 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_ { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; + unsigned char key_buf[16]; + /* * Firstly put the sequence number into the first 4 bytes. * and zero out the next 4 bytes. @@ -114,8 +116,15 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_ /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ MD5Init(&md5_ctx); - MD5Update(&md5_ctx, mac_key->data, - mac_key->length); + + /* NB. When making and verifying SMB signatures, Windows apparently + zero-pads the key to 128 bits if it isn't long enough. + From Nalin Dahyabhai */ + MD5Update(&md5_ctx, mac_key->data, mac_key->length); + if (mac_key->length < sizeof(key_buf)) { + memset(key_buf, 0, sizeof(key_buf)); + MD5Update(&md5_ctx, key_buf, sizeof(key_buf) - mac_key->length); + } MD5Update(&md5_ctx, out->buffer + NBT_HDR_SIZE, out->size - NBT_HDR_SIZE); -- cgit From ad8c4ae941047aa7409ff0d8d10de721f5ff0659 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 30 Oct 2004 01:22:52 +0000 Subject: r3380: - changed the default behaviour of server signing. We now have a default setting of "server signing = auto", which means to offer signing only if we have domain logons enabled (ie. we are a DC). This is a better match for what windows clients want, as unfortunately windows clients always use signing if it is offered, and when they use signing they not only go slower because of the signing itself, they also disable large readx/writex support, so they end up sending very small IOs for. - changed the default max xmit again, this time matching longhorn, which uses 12288. That seems to be a fairly good compromise value. (This used to be commit e63edc81716fefd58a3be25deb3b25e45471f196) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index e1d7b071f2..2a0c64f598 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -394,6 +394,7 @@ BOOL smbcli_init_signing(struct smbcli_transport *transport) transport->negotiate.sign_info.allow_smb_signing = False; break; case SMB_SIGNING_SUPPORTED: + case SMB_SIGNING_AUTO: transport->negotiate.sign_info.allow_smb_signing = True; break; case SMB_SIGNING_REQUIRED: -- cgit From 9f1210a243654fd6d94acdef83f468a33c1b3b3f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Nov 2004 01:03:22 +0000 Subject: r3419: moved the libcli/raw structures into libcli/raw/libcliraw.h and made them private (This used to be commit 386ac565c452ede1d74e06acb401ca9db99d3ff3) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 2a0c64f598..d348c202f5 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "libcli/raw/libcliraw.h" /*********************************************************** SMB signing - Common code before we set a new signing implementation -- cgit From a1d0b97ed40fe6985bb45b1715309638e7faaffc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 06:14:15 +0000 Subject: r3462: separate out the crypto includes (This used to be commit 3f75117db921e493bb77a5dc14b8ce91a6288f30) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index d348c202f5..c0c1337312 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -22,6 +22,7 @@ #include "includes.h" #include "libcli/raw/libcliraw.h" +#include "lib/crypto/crypto.h" /*********************************************************** SMB signing - Common code before we set a new signing implementation -- cgit From 9112a632f6791ffc3c3c1aadd214cbaba8fe816e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 4 Dec 2004 13:56:25 +0000 Subject: r4063: - change char * -> uint8_t in struct request_buffer - change smbcli_read/write to take void * for the buffers to match read(2)/write(2) all this fixes a lot of gcc-4 warnings metze (This used to be commit b94f92bc6637f748d6f7049f4f9a30b0b8d18a7a) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index c0c1337312..4204f3b4dc 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -104,7 +104,7 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_ { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; - unsigned char key_buf[16]; + uint8_t key_buf[16]; /* * Firstly put the sequence number into the first 4 bytes. -- cgit From 025e03de549efa47979199adf80b6eef4c8f926b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Jun 2005 00:57:15 +0000 Subject: r7970: This SMB signing code (merged from 3.0) turned out to be bogus. Andrew Bartlett (This used to be commit 817160ec1a85724c8bf482f128ea687396de0888) --- source4/libcli/raw/smb_signing.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 4204f3b4dc..14dfc64737 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -118,15 +118,7 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_ /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ MD5Init(&md5_ctx); - - /* NB. When making and verifying SMB signatures, Windows apparently - zero-pads the key to 128 bits if it isn't long enough. - From Nalin Dahyabhai */ MD5Update(&md5_ctx, mac_key->data, mac_key->length); - if (mac_key->length < sizeof(key_buf)) { - memset(key_buf, 0, sizeof(key_buf)); - MD5Update(&md5_ctx, key_buf, sizeof(key_buf) - mac_key->length); - } MD5Update(&md5_ctx, out->buffer + NBT_HDR_SIZE, out->size - NBT_HDR_SIZE); -- cgit From cf601f71aad8e5007e8ec8ac9b455ccd7bda4432 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Jul 2005 10:26:25 +0000 Subject: r8134: remove unused var metze (This used to be commit f308b72b19ab1e0e2f5a732bd1bc13082a634a9c) --- source4/libcli/raw/smb_signing.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 14dfc64737..df63c33cb9 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -104,7 +104,6 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_ { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; - uint8_t key_buf[16]; /* * Firstly put the sequence number into the first 4 bytes. -- cgit From 78c50015bb8bd5a1d831a6e7ec796b3367c73145 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 3 Jan 2006 15:40:05 +0000 Subject: r12694: Move some headers to the directory of the subsystem they belong to. (This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index df63c33cb9..a73db78f7b 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "smb.h" #include "libcli/raw/libcliraw.h" #include "lib/crypto/crypto.h" -- cgit From 0eddf14b307e905663b95296aa695a10d3fb90f7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 24 Apr 2006 09:36:09 +0000 Subject: r15191: Avoid uint_t as it's not standard. (This used to be commit 7af59357b94e3819415b3a9257be0ced745ce130) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index a73db78f7b..541fd1fb8c 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -101,7 +101,7 @@ BOOL signing_good(struct smb_signing_context *sign_info, return True; } -void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, uint_t seq_num) +void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num) { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/libcli/raw/smb_signing.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 541fd1fb8c..99044d23ae 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 959915a8cbea0c598ef1f29ce666329a521ef2f6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Sep 2007 15:35:18 +0000 Subject: r25001: Fix more C++ and other warnings, fix some of the indentation with ts=4 lines that I accidently added earlier. (This used to be commit 0bcb21ed740fcec0f48ad36bbc2deee2948e8fc7) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 99044d23ae..a37c9a7836 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -375,7 +375,7 @@ BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, } -BOOL smbcli_init_signing(struct smbcli_transport *transport) +bool smbcli_init_signing(struct smbcli_transport *transport) { transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) { -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index a37c9a7836..1a82ea0536 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -23,6 +23,7 @@ #include "smb.h" #include "libcli/raw/libcliraw.h" #include "lib/crypto/crypto.h" +#include "param/param.h" /*********************************************************** SMB signing - Common code before we set a new signing implementation -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 1a82ea0536..59c13bbeb6 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -383,7 +383,7 @@ bool smbcli_init_signing(struct smbcli_transport *transport) return False; } - switch (lp_client_signing()) { + switch (lp_client_signing(global_loadparm)) { case SMB_SIGNING_OFF: transport->negotiate.sign_info.allow_smb_signing = False; break; -- cgit From 2151cde58014ea2e822c13d2f8a369b45dc19ca8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:28:14 +0000 Subject: r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9) --- source4/libcli/raw/smb_signing.c | 88 ++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 44 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 59c13bbeb6..e19e81af7e 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -28,41 +28,41 @@ /*********************************************************** SMB signing - Common code before we set a new signing implementation ************************************************************/ -BOOL set_smb_signing_common(struct smb_signing_context *sign_info) +bool set_smb_signing_common(struct smb_signing_context *sign_info) { if (sign_info->doing_signing) { DEBUG(5, ("SMB Signing already in progress, so we don't start it again\n")); - return False; + return false; } if (!sign_info->allow_smb_signing) { DEBUG(5, ("SMB Signing has been locally disabled\n")); - return False; + return false; } - return True; + return true; } /*********************************************************** SMB signing - Common code before we set a new signing implementation ************************************************************/ -static BOOL smbcli_set_smb_signing_common(struct smbcli_transport *transport) +static bool smbcli_set_smb_signing_common(struct smbcli_transport *transport) { if (!set_smb_signing_common(&transport->negotiate.sign_info)) { - return False; + return false; } if (!(transport->negotiate.sec_mode & (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) { DEBUG(5, ("SMB Signing is not negotiated by the peer\n")); - return False; + return false; } /* These calls are INCOMPATIBLE with SMB signing */ - transport->negotiate.readbraw_supported = False; - transport->negotiate.writebraw_supported = False; + transport->negotiate.readbraw_supported = false; + transport->negotiate.writebraw_supported = false; - return True; + return true; } void mark_packet_signed(struct request_buffer *out) @@ -73,17 +73,17 @@ void mark_packet_signed(struct request_buffer *out) SSVAL(out->hdr, HDR_FLG2, flags2); } -BOOL signing_good(struct smb_signing_context *sign_info, - unsigned int seq, BOOL good) +bool signing_good(struct smb_signing_context *sign_info, + unsigned int seq, bool good) { if (good) { if (!sign_info->doing_signing) { DEBUG(5, ("Seen valid packet, so turning signing on\n")); - sign_info->doing_signing = True; + sign_info->doing_signing = true; } if (!sign_info->seen_valid) { DEBUG(5, ("Seen valid packet, so marking signing as 'seen valid'\n")); - sign_info->seen_valid = True; + sign_info->seen_valid = true; } } else { if (!sign_info->seen_valid) { @@ -91,14 +91,14 @@ BOOL signing_good(struct smb_signing_context *sign_info, DEBUG(5, ("signing_good: signing negotiated but not required and peer\n" "isn't sending correct signatures. Turning off.\n")); smbcli_set_signing_off(sign_info); - return True; + return true; } else { /* bad packet after signing started - fail and disconnect. */ DEBUG(0, ("signing_good: BAD SIG: seq %u\n", seq)); - return False; + return false; } } - return True; + return true; } void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num) @@ -133,9 +133,9 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsig Uncomment this to test if the remote server actually verifies signitures...*/ } -BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num) +bool check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num) { - BOOL good; + bool good; uint8_t calc_md5_mac[16]; uint8_t *server_sent_mac; uint8_t sequence_buf[8]; @@ -146,12 +146,12 @@ BOOL check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key /* room enough for the signature? */ if (in->size < NBT_HDR_SIZE + HDR_SS_FIELD + 8) { - return False; + return false; } if (!mac_key->length) { /* NO key yet */ - return False; + return false; } /* its quite bogus to be guessing sequence numbers, but very useful @@ -258,24 +258,24 @@ void smbcli_request_calculate_sign_mac(struct smbcli_request *req) @note Used as an initialisation only - it will not correctly shut down a real signing mechanism */ -BOOL smbcli_set_signing_off(struct smb_signing_context *sign_info) +bool smbcli_set_signing_off(struct smb_signing_context *sign_info) { DEBUG(5, ("Shutdown SMB signing\n")); - sign_info->doing_signing = False; + sign_info->doing_signing = false; sign_info->next_seq_num = 0; data_blob_free(&sign_info->mac_key); sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; - return True; + return true; } /** SMB signing - TEMP implementation - setup the MAC key. */ -BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) +bool smbcli_temp_set_signing(struct smbcli_transport *transport) { if (!smbcli_set_smb_signing_common(transport)) { - return False; + return false; } DEBUG(5, ("BSRSPYL SMB signing enabled\n")); smbcli_set_signing_off(&transport->negotiate.sign_info); @@ -283,7 +283,7 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); transport->negotiate.sign_info.signing_state = SMB_SIGNING_ENGINE_BSRSPYL; - return True; + return true; } /*********************************************************** @@ -291,22 +291,22 @@ BOOL smbcli_temp_set_signing(struct smbcli_transport *transport) ************************************************************/ /** * Check a packet supplied by the server. - * @return False if we had an established signing connection - * which had a back checksum, True otherwise + * @return false if we had an established signing connection + * which had a back checksum, true otherwise */ -BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) +bool smbcli_request_check_sign_mac(struct smbcli_request *req) { - BOOL good; + bool good; switch (req->transport->negotiate.sign_info.signing_state) { case SMB_SIGNING_ENGINE_OFF: - return True; + return true; case SMB_SIGNING_ENGINE_BSRSPYL: case SMB_SIGNING_ENGINE_ON: { if (req->in.size < (HDR_SS_FIELD + 8)) { - return False; + return false; } else { good = check_signed_incoming_message(&req->in, &req->transport->negotiate.sign_info.mac_key, @@ -317,14 +317,14 @@ BOOL smbcli_request_check_sign_mac(struct smbcli_request *req) } } } - return False; + return false; } /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL smbcli_simple_set_signing(TALLOC_CTX *mem_ctx, +bool smbcli_simple_set_signing(TALLOC_CTX *mem_ctx, struct smb_signing_context *sign_info, const DATA_BLOB *user_session_key, const DATA_BLOB *response) @@ -354,19 +354,19 @@ BOOL smbcli_simple_set_signing(TALLOC_CTX *mem_ctx, sign_info->signing_state = SMB_SIGNING_ENGINE_ON; - return True; + return true; } /*********************************************************** SMB signing - Simple implementation - setup the MAC key. ************************************************************/ -BOOL smbcli_transport_simple_set_signing(struct smbcli_transport *transport, +bool smbcli_transport_simple_set_signing(struct smbcli_transport *transport, const DATA_BLOB user_session_key, const DATA_BLOB response) { if (!smbcli_set_smb_signing_common(transport)) { - return False; + return false; } return smbcli_simple_set_signing(transport, @@ -380,21 +380,21 @@ bool smbcli_init_signing(struct smbcli_transport *transport) { transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) { - return False; + return false; } switch (lp_client_signing(global_loadparm)) { case SMB_SIGNING_OFF: - transport->negotiate.sign_info.allow_smb_signing = False; + transport->negotiate.sign_info.allow_smb_signing = false; break; case SMB_SIGNING_SUPPORTED: case SMB_SIGNING_AUTO: - transport->negotiate.sign_info.allow_smb_signing = True; + transport->negotiate.sign_info.allow_smb_signing = true; break; case SMB_SIGNING_REQUIRED: - transport->negotiate.sign_info.allow_smb_signing = True; - transport->negotiate.sign_info.mandatory_signing = True; + transport->negotiate.sign_info.allow_smb_signing = true; + transport->negotiate.sign_info.mandatory_signing = true; break; } - return True; + return true; } -- cgit From 425732f688865ebe2bfe568c8278edec50cbdedf Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 3 Jan 2008 17:21:58 -0600 Subject: r26651: libsmb: Allow specifying signing policy from higher up. The number of arguments is getting a bit excessive now, so it probably makes sense to pass in the smbcli_options struct rather than all members individually and add a convenience function for obtaining a smbcli_options struct from a loadparm context. (This used to be commit 9f64213463b5bf3bcbf36913139e9a5042e967a2) --- source4/libcli/raw/smb_signing.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index e19e81af7e..0053710aaf 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -383,7 +383,7 @@ bool smbcli_init_signing(struct smbcli_transport *transport) return false; } - switch (lp_client_signing(global_loadparm)) { + switch (transport->options.signing) { case SMB_SIGNING_OFF: transport->negotiate.sign_info.allow_smb_signing = false; break; -- cgit From e870cfec9f3512b0f1bd3110d7b975652525e28a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 14 Feb 2008 10:12:33 +1100 Subject: Convert SMB and SMB2 code to use a common buffer handling structure This converts our SMB and SMB2 code to use a common structure "struct request_bufinfo" for information on the buffer bounds of a packet, alignment information and string handling. This allows us to use a common backend for SMB and SMB2 code, while still using all the same string and blob handling functions. Up to now we had been passing a NULL req handle into these common routines from the SMB2 side of the server, which meant that we failed any operation which did a bounds checked string extraction (such as a RenameInformation setinfo call, which is what Vista uses for renaming files) There is still some more work to be done on this - for example we can now remove many of the SMB2 specific buffer handling functions that we had, and use the SMB ones. (This used to be commit ca6d9be6cb6a403a81b18fa6e9a6a0518d7f0f68) --- source4/libcli/raw/smb_signing.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 0053710aaf..4acfb9d16d 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -65,7 +65,7 @@ static bool smbcli_set_smb_signing_common(struct smbcli_transport *transport) return true; } -void mark_packet_signed(struct request_buffer *out) +void mark_packet_signed(struct smb_request_buffer *out) { uint16_t flags2; flags2 = SVAL(out->hdr, HDR_FLG2); @@ -101,7 +101,7 @@ bool signing_good(struct smb_signing_context *sign_info, return true; } -void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num) +void sign_outgoing_message(struct smb_request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num) { uint8_t calc_md5_mac[16]; struct MD5Context md5_ctx; @@ -133,7 +133,7 @@ void sign_outgoing_message(struct request_buffer *out, DATA_BLOB *mac_key, unsig Uncomment this to test if the remote server actually verifies signitures...*/ } -bool check_signed_incoming_message(struct request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num) +bool check_signed_incoming_message(struct smb_request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num) { bool good; uint8_t calc_md5_mac[16]; -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/libcli/raw/smb_signing.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 4acfb9d16d..97bb688d1a 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -22,6 +22,7 @@ #include "includes.h" #include "smb.h" #include "libcli/raw/libcliraw.h" +#include "libcli/raw/raw_proto.h" #include "lib/crypto/crypto.h" #include "param/param.h" -- cgit From d104a706d1adb5d75abd05a9a3f938385eefc5d4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 6 Sep 2008 09:07:41 +1000 Subject: Make SMB signing work with Windows 2008 and kerberos. Pinched from b53e6387e30010509034835acf88b91b380ff44a by metze. Andrew Bartlett (This used to be commit d55602e23e7947462cb402b20b2d354b96aa7ba3) --- source4/libcli/raw/smb_signing.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/libcli/raw/smb_signing.c') diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 97bb688d1a..1d03686d9a 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -263,7 +263,6 @@ bool smbcli_set_signing_off(struct smb_signing_context *sign_info) { DEBUG(5, ("Shutdown SMB signing\n")); sign_info->doing_signing = false; - sign_info->next_seq_num = 0; data_blob_free(&sign_info->mac_key); sign_info->signing_state = SMB_SIGNING_ENGINE_OFF; return true; @@ -350,9 +349,6 @@ bool smbcli_simple_set_signing(TALLOC_CTX *mem_ctx, dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length); - /* Initialise the sequence number */ - sign_info->next_seq_num = 0; - sign_info->signing_state = SMB_SIGNING_ENGINE_ON; return true; @@ -379,6 +375,7 @@ bool smbcli_transport_simple_set_signing(struct smbcli_transport *transport, bool smbcli_init_signing(struct smbcli_transport *transport) { + transport->negotiate.sign_info.next_seq_num = 0; transport->negotiate.sign_info.mac_key = data_blob(NULL, 0); if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) { return false; -- cgit