From 88002b851bd30e3c03a5a9442baf3ced7aa6090f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 12 Jul 2004 09:11:13 +0000 Subject: r1462: GENSEC Kerberos and SPENGO work: - Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7) --- source4/client/client.c | 1 + source4/include/cli_context.h | 4 ++ source4/libcli/auth/config.mk | 3 +- source4/libcli/auth/gensec.mk | 5 +- source4/libcli/auth/gensec_krb5.c | 13 ++-- source4/libcli/auth/spnego.c | 122 +++++++++++++++++++------------------- source4/libcli/raw/clisession.c | 30 ++++++---- source4/libcli/raw/clitransport.c | 4 +- source4/libcli/raw/smb_signing.c | 101 +++++++++++++++++++++++-------- source4/param/loadparm.c | 6 +- 10 files changed, 178 insertions(+), 111 deletions(-) (limited to 'source4') diff --git a/source4/client/client.c b/source4/client/client.c index db44dd3d28..0ad3eed889 100644 --- a/source4/client/client.c +++ b/source4/client/client.c @@ -2836,6 +2836,7 @@ static struct cli_state *do_connect(const char *server, const char *share) status = cli_session_setup(c, username, password, lp_workgroup()); if (NT_STATUS_IS_ERR(status)) { + d_printf("authenticated session setup failed: %s\n", nt_errstr(status)); /* if a password was not supplied then try again with a null username */ if (password[0] || !username[0] || use_kerberos) { status = cli_session_setup(c, "", "", lp_workgroup()); diff --git a/source4/include/cli_context.h b/source4/include/cli_context.h index 930017bb26..cddc6aadf5 100644 --- a/source4/include/cli_context.h +++ b/source4/include/cli_context.h @@ -53,7 +53,11 @@ struct cli_negotiate { BOOL (*check_incoming_message)(struct cli_request *req); void (*free_signing_context)(struct cli_transport *transport); void *signing_context; + BOOL negotiated_smb_signing; + BOOL allow_smb_signing; BOOL doing_signing; + BOOL mandatory_signing; + BOOL seen_valid; /* Have I ever seen a validly signed packet? */ } sign_info; /* capabilities that the server reported */ diff --git a/source4/libcli/auth/config.mk b/source4/libcli/auth/config.mk index 0c7586026b..a3bb3f1c78 100644 --- a/source4/libcli/auth/config.mk +++ b/source4/libcli/auth/config.mk @@ -3,8 +3,7 @@ [SUBSYSTEM::LIBCLI_AUTH] ADD_OBJ_FILES = libcli/auth/schannel.o \ libcli/auth/credentials.o \ - libcli/auth/session.o \ - libcli/auth/ntlm_check.o + libcli/auth/session.o REQUIRED_SUBSYSTEMS = \ AUTH SCHANNELDB GENSEC # End SUBSYSTEM LIBCLI_AUTH diff --git a/source4/libcli/auth/gensec.mk b/source4/libcli/auth/gensec.mk index 7c2c21bafd..5c6a8260e5 100644 --- a/source4/libcli/auth/gensec.mk +++ b/source4/libcli/auth/gensec.mk @@ -3,7 +3,7 @@ [SUBSYSTEM::GENSEC] INIT_OBJ_FILES = libcli/auth/gensec.o REQUIRED_SUBSYSTEMS = \ - AUTH SCHANNELDB + SCHANNELDB # End SUBSYSTEM GENSEC ################################# @@ -14,7 +14,8 @@ INIT_OBJ_FILES = libcli/auth/gensec_krb5.o ADD_OBJ_FILES = \ libcli/auth/clikrb5.o \ libcli/auth/kerberos.o \ - libcli/auth/kerberos_verify.o + libcli/auth/kerberos_verify.o \ + libcli/auth/gssapi_parse.o REQUIRED_SUBSYSTEMS = GENSEC # End MODULE gensec_krb5 ################################################ diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index dbb2a10659..3a4f995937 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -42,6 +42,7 @@ struct gensec_krb5_state { enum GENSEC_KRB5_STATE state_position; krb5_context krb5_context; krb5_auth_context krb5_auth_context; + krb5_ccache krb5_ccache; }; static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) @@ -66,7 +67,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) initialize_krb5_error_table(); gensec_krb5_state->krb5_context = NULL; gensec_krb5_state->krb5_auth_context = NULL; - gensec_krb5_state->krb5_ccdef = NULL; + gensec_krb5_state->krb5_ccache = NULL; gensec_krb5_state->session_key = data_blob(NULL, 0); ret = krb5_init_context(&gensec_krb5_state->krb5_context); @@ -111,7 +112,7 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) { struct gensec_krb5_state *gensec_krb5_state; - + krb5_error_code ret; NTSTATUS nt_status; nt_status = gensec_krb5_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { @@ -121,7 +122,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security gensec_krb5_state = gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; - ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef); + ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache); if (ret) { DEBUG(1,("krb5_cc_default failed (%s)\n", error_message(ret))); @@ -135,13 +136,13 @@ static void gensec_krb5_end(struct gensec_security *gensec_security) { struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; - if (gensec_krb5_state->krb5_ccdef) { + if (gensec_krb5_state->krb5_ccache) { /* Removed by jra. They really need to fix their kerberos so we don't leak memory. JERRY -- disabled since it causes heimdal 0.6.1rc3 to die SuSE 9.1 Pro */ #if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ - krb5_cc_close(context, gensec_krb5_state->krb5_ccdef); + krb5_cc_close(context, gensec_krb5_state->krb5_ccache); #endif } @@ -193,7 +194,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL &gensec_krb5_state->krb5_auth_context, AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED, gensec_security->target.principal, - ccdef, &packet); + gensec_krb5_state->krb5_ccache, &packet); if (ret) { DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n", error_message(ret))); diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c index 7e0cda42ba..32846cf580 100644 --- a/source4/libcli/auth/spnego.c +++ b/source4/libcli/auth/spnego.c @@ -48,7 +48,7 @@ struct spnego_state { static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security) { struct spnego_state *spnego_state; - TALLOC_CTX *mem_ctx = talloc_init("gensec_spengo_client_start"); + TALLOC_CTX *mem_ctx = talloc_init("gensec_spnego_client_start"); if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } @@ -151,12 +151,12 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit /** Fallback to another GENSEC mechanism, based on magic strings * - * This is the 'fallback' case, where we don't get SPENGO, and have to + * This is the 'fallback' case, where we don't get SPNEGO, and have to * try all the other options (and hope they all have a magic string * they check) */ -static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec_security, +static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security, struct spnego_state *spnego_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) @@ -189,7 +189,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec } gensec_end(&spnego_state->sub_sec_security); } - DEBUG(1, ("Failed to parse SPENGO request\n")); + DEBUG(1, ("Failed to parse SPNEGO request\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -199,7 +199,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec * This is the case, where the client is the first one who sends data */ -static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec_security, +static NTSTATUS gensec_spnego_client_netTokenInit(struct gensec_security *gensec_security, struct spnego_state *spnego_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) @@ -266,7 +266,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec spnego_out.negTokenInit.mechToken = unwrapped_out; if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n")); + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -277,7 +277,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec } gensec_end(&spnego_state->sub_sec_security); - DEBUG(1, ("Failed to setup SPENGO netTokenInit request\n")); + DEBUG(1, ("Failed to setup SPNEGO netTokenInit request\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -286,7 +286,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA { struct spnego_state *spnego_state = gensec_security->private_data; DATA_BLOB null_data_blob = data_blob(NULL, 0); - DATA_BLOB unwrapped_out; + DATA_BLOB unwrapped_out = data_blob(NULL, 0); struct spnego_data spnego_out; struct spnego_data spnego; @@ -307,7 +307,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (in.length) { len = spnego_read_data(in, &spnego); if (len == -1) { - return gensec_spengo_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out); + return gensec_spnego_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out); } else { /* client sent NegTargetInit */ } @@ -328,7 +328,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (!in.length) { /* client to produce negTokenInit */ - return gensec_spengo_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out); + return gensec_spnego_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out); } len = spnego_read_data(in, &spnego); @@ -341,13 +341,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA /* OK, so it's real SPNEGO, check the packet's the one we expect */ if (spnego.type != spnego_state->expected_packet) { - DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type, + DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, spnego_state->expected_packet)); dump_data(1, (const char *)in.data, in.length); spnego_free_data(&spnego); return NT_STATUS_INVALID_PARAMETER; } + if (spnego.negTokenInit.targetPrincipal) { + nt_status = gensec_set_target_principal(gensec_security, + spnego.negTokenInit.targetPrincipal); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + } + mechType = spnego.negTokenInit.mechTypes; for (i=0; mechType && mechType[i]; i++) { nt_status = gensec_subcontext_start(gensec_security, @@ -375,8 +383,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA null_data_blob, &unwrapped_out); } - if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("SPENGO(%s) NEG_TOKEN_INIT failed: %s\n", + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); gensec_end(&spnego_state->sub_sec_security); } else { @@ -384,11 +392,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } } if (!mechType || !mechType[i]) { - DEBUG(1, ("SPENGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n")); + DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n")); } spnego_free_data(&spnego); - if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -402,7 +410,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego_out.negTokenInit.mechToken = unwrapped_out; if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n")); + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -410,7 +418,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; spnego_state->state_position = SPNEGO_CLIENT_TARG; - return nt_status; + return NT_STATUS_MORE_PROCESSING_REQUIRED; } case SPNEGO_SERVER_TARG: { @@ -429,49 +437,47 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA /* OK, so it's real SPNEGO, check the packet's the one we expect */ if (spnego.type != spnego_state->expected_packet) { - DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type, + DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, spnego_state->expected_packet)); dump_data(1, (const char *)in.data, in.length); spnego_free_data(&spnego); return NT_STATUS_INVALID_PARAMETER; } - if (spnego.negTokenTarg.responseToken.length) { - nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, - spnego.negTokenTarg.responseToken, - &unwrapped_out); - } else { - unwrapped_out = data_blob(NULL, 0); - nt_status = NT_STATUS_OK; - } + nt_status = gensec_update(spnego_state->sub_sec_security, + out_mem_ctx, + spnego.negTokenTarg.responseToken, + &unwrapped_out); spnego_state->result = spnego.negTokenTarg.negResult; spnego_free_data(&spnego); + /* compose reply */ + spnego_out.type = SPNEGO_NEG_TOKEN_TARG; + spnego_out.negTokenTarg.supportedMech + = spnego_state->sub_sec_security->ops->oid; + spnego_out.negTokenTarg.responseToken = unwrapped_out; + spnego_out.negTokenTarg.mechListMIC = null_data_blob; + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - /* compose reply */ - spnego_out.type = SPNEGO_NEG_TOKEN_TARG; spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - spnego_out.negTokenTarg.supportedMech - = spnego_state->sub_sec_security->ops->oid; - spnego_out.negTokenTarg.responseToken = unwrapped_out; - spnego_out.negTokenTarg.mechListMIC = null_data_blob; - - if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n")); - return NT_STATUS_INVALID_PARAMETER; - } spnego_state->state_position = SPNEGO_SERVER_TARG; } else if (NT_STATUS_IS_OK(nt_status)) { + spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; spnego_state->state_position = SPNEGO_DONE; } else { - DEBUG(1, ("SPENGO(%s) login failed: %s\n", + spnego_out.negTokenTarg.negResult = SPNEGO_REJECT; + DEBUG(1, ("SPNEGO(%s) login failed: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); - return nt_status; + spnego_state->state_position = SPNEGO_DONE; } + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); + return NT_STATUS_INVALID_PARAMETER; + } + return nt_status; } case SPNEGO_CLIENT_TARG: @@ -501,16 +507,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) { return NT_STATUS_ACCESS_DENIED; } - - if (spnego.negTokenTarg.responseToken.length) { - nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, - spnego.negTokenTarg.responseToken, - &unwrapped_out); - } else { - unwrapped_out = data_blob(NULL, 0); - nt_status = NT_STATUS_OK; - } + + nt_status = gensec_update(spnego_state->sub_sec_security, + out_mem_ctx, + spnego.negTokenTarg.responseToken, + &unwrapped_out); if (NT_STATUS_IS_OK(nt_status) && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) { @@ -521,27 +522,28 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego_state->result = spnego.negTokenTarg.negResult; spnego_free_data(&spnego); + spnego_out.type = SPNEGO_NEG_TOKEN_TARG; + spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; + spnego_out.negTokenTarg.supportedMech = NULL; + spnego_out.negTokenTarg.responseToken = unwrapped_out; + spnego_out.negTokenTarg.mechListMIC = null_data_blob; + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { /* compose reply */ - spnego_out.type = SPNEGO_NEG_TOKEN_TARG; - spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; - spnego_out.negTokenTarg.supportedMech = NULL; - spnego_out.negTokenTarg.responseToken = unwrapped_out; - spnego_out.negTokenTarg.mechListMIC = null_data_blob; - if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n")); - return NT_STATUS_INVALID_PARAMETER; - } spnego_state->state_position = SPNEGO_CLIENT_TARG; } else if (NT_STATUS_IS_OK(nt_status)) { spnego_state->state_position = SPNEGO_DONE; } else { - DEBUG(1, ("SPENGO(%s) login failed: %s\n", + DEBUG(1, ("SPNEGO(%s) login failed: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); return nt_status; } + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); + return NT_STATUS_INVALID_PARAMETER; + } return nt_status; } diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c index d420aa7cd6..5aaceb103a 100644 --- a/source4/libcli/raw/clisession.c +++ b/source4/libcli/raw/clisession.c @@ -260,7 +260,7 @@ static void use_nt1_session_keys(struct cli_session *session, E_md4hash(password, nt_hash); SMBsesskeygen_ntv1(nt_hash, session_key.data); - cli_transport_simple_set_signing(transport, session_key, *nt_response); + cli_transport_simple_set_signing(transport, session_key, *nt_response, 0); cli_session_set_user_session_key(session, &session_key); data_blob_free(&session_key); @@ -381,6 +381,8 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session { NTSTATUS status; union smb_sesssetup s2; + DATA_BLOB session_key = data_blob(NULL, 0); + DATA_BLOB null_data_blob = data_blob(NULL, 0); s2.generic.level = RAW_SESSSETUP_SPNEGO; s2.spnego.in.bufsize = ~0; @@ -433,39 +435,41 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session session->transport->negotiate.secblob, &s2.spnego.in.secblob); - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - goto done; - } - while(1) { + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { + break; + } + + status = gensec_session_key(session->gensec, &session_key); + if (NT_STATUS_IS_OK(status)) { + cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 0); + } + session->vuid = s2.spnego.out.vuid; status = smb_raw_session_setup(session, mem_ctx, &s2); session->vuid = UID_FIELD_INVALID; if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - goto done; + break; } status = gensec_update(session->gensec, mem_ctx, s2.spnego.out.secblob, &s2.spnego.in.secblob); - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - goto done; + if (NT_STATUS_IS_OK(status)) { + break; } } done: if (NT_STATUS_IS_OK(status)) { - DATA_BLOB null_data_blob = data_blob(NULL, 0); - DATA_BLOB session_key = data_blob(NULL, 0); - status = gensec_session_key(session->gensec, &session_key); if (!NT_STATUS_IS_OK(status)) { return status; } - - cli_transport_simple_set_signing(session->transport, session_key, null_data_blob); + + cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 2 /* two legs on last packet */); cli_session_set_user_session_key(session, &session_key); diff --git a/source4/libcli/raw/clitransport.c b/source4/libcli/raw/clitransport.c index a378ac8aad..18784fe33a 100644 --- a/source4/libcli/raw/clitransport.c +++ b/source4/libcli/raw/clitransport.c @@ -40,7 +40,9 @@ struct cli_transport *cli_transport_init(struct cli_socket *sock) transport->negotiate.protocol = PROTOCOL_NT1; transport->options.use_spnego = lp_use_spnego(); transport->negotiate.max_xmit = ~0; - cli_null_set_signing(transport); + + cli_init_signing(transport); + transport->socket->reference_count++; ZERO_STRUCT(transport->called); diff --git a/source4/libcli/raw/smb_signing.c b/source4/libcli/raw/smb_signing.c index 20b44a5348..52e08d05f8 100644 --- a/source4/libcli/raw/smb_signing.c +++ b/source4/libcli/raw/smb_signing.c @@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport) if (transport->negotiate.sign_info.doing_signing) { return False; } - + + if (!transport->negotiate.sign_info.allow_smb_signing) { + return False; + } + if (transport->negotiate.sign_info.free_signing_context) transport->negotiate.sign_info.free_signing_context(transport); /* These calls are INCOMPATIBLE with SMB signing */ transport->negotiate.readbraw_supported = False; transport->negotiate.writebraw_supported = False; - + return True; } @@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport) ************************************************************/ static BOOL set_smb_signing_real_common(struct cli_transport *transport) { - if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { + if (transport->negotiate.sign_info.mandatory_signing) { DEBUG(5, ("Mandatory SMB signing enabled!\n")); - transport->negotiate.sign_info.doing_signing = True; } DEBUG(5, ("SMB signing enabled!\n")); @@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req) SSVAL(req->out.hdr, HDR_FLG2, flags2); } -static BOOL signing_good(struct cli_request *req, BOOL good) +static BOOL signing_good(struct cli_request *req, int seq, BOOL good) { - if (good && !req->transport->negotiate.sign_info.doing_signing) { - req->transport->negotiate.sign_info.doing_signing = True; - } - - if (!good) { - if (req->transport->negotiate.sign_info.doing_signing) { - DEBUG(1, ("SMB signature check failed!\n")); - return False; + if (good) { + if (!req->transport->negotiate.sign_info.doing_signing) { + req->transport->negotiate.sign_info.doing_signing = True; + } + if (!req->transport->negotiate.sign_info.seen_valid) { + req->transport->negotiate.sign_info.seen_valid = True; + } + } else { + if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) { + + /* Non-mandatory signing - just turn off if this is the first bad packet.. */ + DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n" + "isn't sending correct signatures. Turning off.\n")); + req->transport->negotiate.sign_info.negotiated_smb_signing = False; + req->transport->negotiate.sign_info.allow_smb_signing = False; + req->transport->negotiate.sign_info.doing_signing = False; + if (req->transport->negotiate.sign_info.free_signing_context) + req->transport->negotiate.sign_info.free_signing_context(req->transport); + cli_null_set_signing(req->transport); + return True; } else { - DEBUG(3, ("Server did not sign reply correctly\n")); - cli_transport_free_signing_context(req->transport); + /* Mandatory signing or bad packet after signing started - fail and disconnect. */ + if (seq) + DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq)); return False; } } return True; -} +} /*********************************************************** SMB signing - Simple implementation - calculate a MAC to send. @@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req) memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8); + DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n", + req->seq_num, data->next_seq_num)); + dump_data(5, calc_md5_mac, 8); /* req->out.hdr[HDR_SS_FIELD+2]=0; Uncomment this to test if the remote server actually verifies signitures...*/ } @@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) MD5Final(calc_md5_mac, &md5_ctx); good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0); + + if (i == 1) { + if (!good) { + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i)); + dump_data(5, calc_md5_mac, 8); + + DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + dump_data(5, server_sent_mac, 8); + } else { + DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i)); + dump_data(5, server_sent_mac, 8); + } + } + if (good) break; } @@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req) DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1)); } - if (!good) { - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n")); - dump_data(5, calc_md5_mac, 8); - - DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n")); - dump_data(5, server_sent_mac, 8); - } - return signing_good(req, good); + return signing_good(req, req->seq_num+1, good); } @@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran ************************************************************/ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, const DATA_BLOB user_session_key, - const DATA_BLOB response) + const DATA_BLOB response, + int seq_num) { struct smb_basic_signing_context *data; @@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport, } /* Initialise the sequence number */ - data->next_seq_num = 0; + data->next_seq_num = seq_num; transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message; transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message; @@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req) return True; } + + +BOOL cli_init_signing(struct cli_transport *transport) +{ + if (!cli_null_set_signing(transport)) { + return False; + } + + switch (lp_client_signing()) { + case SMB_SIGNING_OFF: + transport->negotiate.sign_info.allow_smb_signing = False; + break; + case SMB_SIGNING_SUPPORTED: + transport->negotiate.sign_info.allow_smb_signing = True; + break; + case SMB_SIGNING_REQUIRED: + transport->negotiate.sign_info.allow_smb_signing = True; + transport->negotiate.sign_info.mandatory_signing = True; + break; + } + return True; +} diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index 68a16501d2..5493b2617c 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -212,6 +212,7 @@ typedef struct BOOL bNTLMAuth; BOOL bUseSpnego; BOOL server_signing; + BOOL client_signing; BOOL bClientLanManAuth; BOOL bClientNTLMv2Auth; BOOL bHostMSDfs; @@ -654,6 +655,7 @@ static struct parm_struct parm_table[] = { {"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER}, {"server signing", P_ENUM, P_GLOBAL, &Globals.server_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED}, + {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED}, {"rpc big endian", P_BOOL, P_GLOBAL, &Globals.bRpcBigEndian, NULL, NULL, FLAG_DEVELOPER}, {"Tuning Options", P_SEP, P_SEPARATOR}, @@ -1103,7 +1105,8 @@ static void init_globals(void) Globals.bUseSpnego = True; - Globals.server_signing = False; + Globals.client_signing = SMB_SIGNING_SUPPORTED; + Globals.server_signing = SMB_SIGNING_SUPPORTED; string_set(&Globals.smb_ports, SMB_PORTS); } @@ -1375,6 +1378,7 @@ FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time) FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers) FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing) +FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) /* local prototypes */ -- cgit