Change the way we sign SMB packets, to a function pointer interface.

The intention is to allow for NTLMSSP and kerberos signing of packets, but
for now it's just what I call 'simple' signing. (aka SMB signing per the SNIA
spec)

Andrew Bartlett
(This used to be commit b9cf95c3dc04a45de71fb16e85c1bfbae50e6d8f)

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 7de4b0ae8f8dee7478b43f2c022890a59da44145..23c88d3ab14a74b53047a8a2d727950d63a41001 100644 (file)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -201,7 +201,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
             libsmb/clirap.o libsmb/clierror.o libsmb/climessage.o \
             libsmb/clireadwrite.o libsmb/clilist.o libsmb/cliprint.o \
             libsmb/clitrans.o libsmb/clisecdesc.o libsmb/clidgram.o \
-            libsmb/clistr.o \
+            libsmb/clistr.o libsmb/smb_signing.o \
              libsmb/smberr.o libsmb/credentials.o libsmb/pwd_cache.o \
             libsmb/clioplock.o libsmb/errormap.o libsmb/clirap2.o \
             libsmb/passchange.o libsmb/doserr.o \

diff --git a/source3/include/client.h b/source3/include/client.h
index 73e29a1fff8079931f550d3b3aeedebc73076ed2..2e6b9337e43356e449e387b3bcb5dc8700608c85 100644 (file)
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -58,14 +58,15 @@ struct print_job_info
 };
 
 typedef struct smb_sign_info {
-       BOOL use_smb_signing;
+       void (*sign_outgoing_message)(struct cli_state *cli);
+       BOOL (*check_incoming_message)(struct cli_state *cli);
+       void (*free_signing_context)(struct cli_state *cli);
+       void *signing_context;
+
        BOOL negotiated_smb_signing;
-       BOOL temp_smb_signing;
-       size_t mac_key_len;
-       uint8 mac_key[64];
-       uint32 send_seq_num;
-       uint32 reply_seq_num;
        BOOL allow_smb_signing;
+       BOOL doing_signing;
+       BOOL mandetory_signing;
 } smb_sign_info;
 
 struct cli_state {

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 49b0004ac2357cf7e743925e02594dfb074370fd..589c7b36bba8b78ef9ff27b0f9a37aedbcc9a197 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -228,39 +228,11 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user,
        return True;
 }
 
-static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response) 
-{
-       uint8 zero_sig[8];
-       ZERO_STRUCT(zero_sig);
-
-       DEBUG(5, ("Server returned security sig:\n"));
-       dump_data(5, &cli->inbuf[smb_ss_field], 8);
-
-       if (cli->sign_info.use_smb_signing) {
-               DEBUG(5, ("smb signing already active on connection\n"));
-       } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
-
-               DEBUG(3, ("smb signing enabled!\n"));
-               cli->sign_info.use_smb_signing = True;
-               cli_calculate_mac_key(cli, user_session_key, response);
-       } else {
-               DEBUG(5, ("smb signing NOT enabled!\n"));
-       }
-}
-
 static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) 
 {
        memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
 }
 
-
-static void set_temp_signing_on_cli(struct cli_state *cli) 
-{
-       if (cli->sign_info.negotiated_smb_signing)
-               cli->sign_info.temp_smb_signing = True;
-}
-
-
 /****************************************************************************
    do a NT1 NTLM/LM encrypted session setup
    @param cli client state to create do session setup on
@@ -310,8 +282,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
                        session_key = data_blob(NULL, 16);
                        SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
                }
-
-               set_temp_signing_on_cli(cli);
+               cli_simple_set_signing(cli, session_key.data, nt_response); 
        } else {
                /* pre-encrypted password supplied.  Only used for 
                   security=server, can't do
@@ -374,14 +345,14 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
        if (session_key.data) {
                /* Have plaintext orginal */
                set_cli_session_key(cli, session_key);
-               set_signing_on_cli(cli, session_key.data, nt_response);
        }
 
+       ret = True;
 end:   
        data_blob_free(&lm_response);
        data_blob_free(&nt_response);
        data_blob_free(&session_key);
-       return True;
+       return ret;
 }
 
 /****************************************************************************
@@ -403,8 +374,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
        set_message(cli->outbuf,12,0,True);
        SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
 
-       set_temp_signing_on_cli(cli);
-
        cli_setup_packet(cli);
                        
        SCVAL(cli->outbuf,smb_vwv0,0xFF);
@@ -883,11 +852,6 @@ BOOL cli_negprot(struct cli_state *cli)
        int numprots;
        int plength;
 
-       if (cli->sign_info.use_smb_signing) {
-               DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
-               return False;
-       }
-
        if (cli->protocol < PROTOCOL_NT1)
                cli->use_spnego = False;
 
@@ -1013,11 +977,6 @@ BOOL cli_session_request(struct cli_state *cli,
        if (cli->port == 445)
                return True;
 
-       if (cli->sign_info.use_smb_signing) {
-               DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
-               return False;
-       }
-
        /* send a session request (RFC 1002) */
        /* setup the packet length
          * Remove four bytes from the length count, since the length

diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 6ef7a7bd9c7ad4c77dca84839bc71b8ae8f10d72..3cae643c382985b6a842b4cbc1be1d2d72623b95 100644 (file)
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -177,9 +177,6 @@ void cli_setup_packet(struct cli_state *cli)
                        flags2 |= FLAGS2_32_BIT_ERROR_CODES;
                if (cli->use_spnego)
                        flags2 |= FLAGS2_EXTENDED_SECURITY;
-               if (cli->sign_info.use_smb_signing 
-                   || cli->sign_info.temp_smb_signing)
-                       flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
                SSVAL(cli->outbuf,smb_flg2, flags2);
        }
 }
@@ -262,6 +259,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
        if (getenv("CLI_FORCE_DOSERR"))
                cli->force_dos_errors = True;
 
+       /* initialise signing */
+       cli_null_set_signing(cli);
+
        if (lp_client_signing()) 
                cli->sign_info.allow_smb_signing = True;
                                    
@@ -303,6 +303,7 @@ void cli_close_connection(struct cli_state *cli)
        SAFE_FREE(cli->outbuf);
        SAFE_FREE(cli->inbuf);
 
+       cli_free_signing_context(cli);
        data_blob_free(&cli->secblob);
 
        if (cli->mem_ctx) {
@@ -314,6 +315,7 @@ void cli_close_connection(struct cli_state *cli)
                close(cli->fd);
        cli->fd = -1;
        cli->smb_rw_error = 0;
+
 }
 
 /****************************************************************************

diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
new file mode 100644 (file)
index 0000000..b3a6351
--- /dev/null
+++ b/source3/libsmb/smb_signing.c
@@ -0,0 +1,329 @@
+/* 
+   Unix SMB/CIFS implementation.
+   SMB Signing Code
+   Copyright (C) Jeremy Allison 2002.
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+struct smb_basic_signing_context {
+       DATA_BLOB mac_key;
+       uint32 send_seq_num;
+       uint32 reply_seq_num;
+};
+
+/***********************************************************
+ SMB signing - Common code before we set a new signing implementation
+************************************************************/
+
+static BOOL set_smb_signing_common(struct cli_state *cli) 
+{
+       if (cli->sign_info.doing_signing) {
+               return False;
+       }
+       
+       if (cli->sign_info.free_signing_context)
+               cli->sign_info.free_signing_context(cli);
+
+       /* These calls are INCONPATIBLE with SMB signing */
+       cli->readbraw_supported = False;
+       cli->writebraw_supported = False;
+       
+       return True;
+}
+
+/***********************************************************
+ SMB signing - Common code for 'real' implementations
+************************************************************/
+
+static BOOL set_smb_signing_real_common(struct cli_state *cli) 
+{
+       if (cli->sign_info.mandetory_signing) {
+               DEBUG(5, ("Mandetory SMB signing enabled!\n"));
+               cli->sign_info.doing_signing = True;
+       }
+
+       DEBUG(5, ("SMB signing enabled!\n"));
+
+       return True;
+}
+
+static void mark_packet_signed(struct cli_state *cli) 
+{
+       uint16 flags2;
+       flags2 = SVAL(cli->outbuf,smb_flg2);
+       flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
+       SSVAL(cli->outbuf,smb_flg2, flags2);
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_simple_sign_outgoing_message(struct cli_state *cli)
+{
+       unsigned char calc_md5_mac[16];
+       struct MD5Context md5_ctx;
+       struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+       /*
+        * Firstly put the sequence number into the first 4 bytes.
+        * and zero out the next 4 bytes.
+        */
+       SIVAL(cli->outbuf, smb_ss_field, 
+             data->send_seq_num);
+       SIVAL(cli->outbuf, smb_ss_field + 4, 0);
+
+       /* mark the packet as signed - BEFORE we sign it...*/
+       mark_packet_signed(cli);
+
+       /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+       MD5Init(&md5_ctx);
+       MD5Update(&md5_ctx, data->mac_key.data, 
+                 data->mac_key.length); 
+       MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
+       MD5Final(calc_md5_mac, &md5_ctx);
+
+       DEBUG(10, ("sent SMB signiture of\n"));
+       dump_data(10, calc_md5_mac, 8);
+
+       memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
+
+/*     cli->outbuf[smb_ss_field+2]=0; 
+       Uncomment this to test if the remote server actually verifies signitures...*/
+       data->send_seq_num++;
+       data->reply_seq_num = data->send_seq_num;
+       data->send_seq_num++;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_simple_check_incoming_message(struct cli_state *cli)
+{
+       BOOL good;
+       unsigned char calc_md5_mac[16];
+       unsigned char server_sent_mac[8];
+       struct MD5Context md5_ctx;
+       struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+       /*
+        * Firstly put the sequence number into the first 4 bytes.
+        * and zero out the next 4 bytes.
+        */
+
+       memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
+
+       DEBUG(10, ("got SMB signiture of\n"));
+       dump_data(10, server_sent_mac, 8);
+
+       SIVAL(cli->inbuf, smb_ss_field, data->reply_seq_num);
+       SIVAL(cli->inbuf, smb_ss_field + 4, 0);
+
+       /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+       MD5Init(&md5_ctx);
+       MD5Update(&md5_ctx, data->mac_key.data, 
+                 data->mac_key.length); 
+       MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
+       MD5Final(calc_md5_mac, &md5_ctx);
+
+       good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+       
+       if (good && !cli->sign_info.doing_signing) {
+               cli->sign_info.doing_signing = True;
+       }
+
+       if (!good) {
+               DEBUG(1, ("SMB signiture check failed!\n"));
+       }
+
+       return good;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - free signing context
+************************************************************/
+
+static void cli_simple_free_signing_context(struct cli_state *cli)
+{
+       struct smb_basic_signing_context *data = cli->sign_info.signing_context;
+
+       data_blob_free(&data->mac_key);
+       SAFE_FREE(cli->sign_info.signing_context);
+
+       return;
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - setup the MAC key.
+************************************************************/
+
+void cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
+{
+       struct smb_basic_signing_context *data;
+
+       if (!set_smb_signing_common(cli)) {
+               return;
+       }
+
+       if (!set_smb_signing_real_common(cli)) {
+               return;
+       }
+
+       data = smb_xmalloc(sizeof(*data));
+       cli->sign_info.signing_context = data;
+       
+       data->mac_key = data_blob(NULL, MIN(response.length + 16, 40));
+
+       memcpy(&data->mac_key.data[0], user_session_key, 16);
+       memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16));
+
+       /* Initialise the sequence number */
+       data->send_seq_num = 0;
+
+       cli->sign_info.sign_outgoing_message = cli_simple_sign_outgoing_message;
+       cli->sign_info.check_incoming_message = cli_simple_check_incoming_message;
+       cli->sign_info.free_signing_context = cli_simple_free_signing_context;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_null_sign_outgoing_message(struct cli_state *cli)
+{
+       static uchar zeros[8];
+       memcpy(&cli->outbuf[smb_ss_field], zeros, sizeof(zeros));
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_null_check_incoming_message(struct cli_state *cli)
+{
+       return True;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - free signing context
+************************************************************/
+
+static void cli_null_free_signing_context(struct cli_state *cli)
+{
+       return;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - setup the MAC key.
+************************************************************/
+
+void cli_null_set_signing(struct cli_state *cli)
+{
+       struct smb_basic_sign_data *data;
+
+       if (!set_smb_signing_common(cli)) {
+               return;
+       }
+
+       cli->sign_info.signing_context = NULL;
+       
+       cli->sign_info.sign_outgoing_message = cli_null_sign_outgoing_message;
+       cli->sign_info.check_incoming_message = cli_null_check_incoming_message;
+       cli->sign_info.free_signing_context = cli_null_free_signing_context;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - calculate a MAC to send.
+************************************************************/
+
+static void cli_temp_sign_outgoing_message(struct cli_state *cli)
+{
+       memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
+       return;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - check a MAC sent by server.
+************************************************************/
+
+static BOOL cli_temp_check_incoming_message(struct cli_state *cli)
+{
+       return True;
+}
+
+/***********************************************************
+ SMB signing - TEMP implementation - free signing context
+************************************************************/
+
+static void cli_temp_free_signing_context(struct cli_state *cli)
+{
+       return;
+}
+
+/***********************************************************
+ SMB signing - NULL implementation - setup the MAC key.
+************************************************************/
+
+void cli_temp_set_signing(struct cli_state *cli)
+{
+       if (!set_smb_signing_common(cli)) {
+               return;
+       }
+
+       cli->sign_info.signing_context = NULL;
+       
+       cli->sign_info.sign_outgoing_message = cli_temp_sign_outgoing_message;
+       cli->sign_info.check_incoming_message = cli_temp_check_incoming_message;
+       cli->sign_info.free_signing_context = cli_temp_free_signing_context;
+}
+
+/**
+ *  Free the singing context
+ */
+ 
+void cli_free_signing_context(struct cli_state *cli) 
+{
+       if (cli->sign_info.free_signing_context) 
+               cli->sign_info.free_signing_context(cli);
+
+       cli_null_set_signing(cli);
+}
+
+void cli_caclulate_sign_mac(struct cli_state *cli)
+{
+       cli->sign_info.sign_outgoing_message(cli);
+}
+
+BOOL cli_check_sign_mac(struct cli_state *cli) 
+{
+       BOOL good;
+       good = cli->sign_info.check_incoming_message(cli);
+       
+       if (!good) {
+               if (cli->sign_info.doing_signing) {
+                       return False;
+               } else {
+                       cli_free_signing_context(cli);  
+               }
+       }
+
+       return True;
+}
+

diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index aa9391325fa5fc8b75b7b0f5890e50489102e134..28160d96094d14b245ba53a6840941893c7de4ff 100644 (file)
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -295,7 +295,7 @@ void SMBsesskeygen_ntv1(const uchar kr[16],
 #endif
 }
 
-DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
+static DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
                                   DATA_BLOB server_chal, size_t client_chal_length)
 {
        uchar ntlmv2_response[16];
@@ -416,101 +416,3 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd,
        
        return True;
 }
-
-/***********************************************************
- SMB signing - setup the MAC key.
-************************************************************/
-
-void cli_calculate_mac_key(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
-{
-       
-       memcpy(&cli->sign_info.mac_key[0], user_session_key, 16);
-       memcpy(&cli->sign_info.mac_key[16],response.data, MIN(response.length, 40 - 16));
-       cli->sign_info.mac_key_len = MIN(response.length + 16, 40);
-       cli->sign_info.use_smb_signing = True;
-
-       /* These calls are INCONPATIBLE with SMB signing */
-       cli->readbraw_supported = False;
-       cli->writebraw_supported = False;
-
-       /* Reset the sequence number in case we had a previous (aborted) attempt */
-       cli->sign_info.send_seq_num = 2;
-}
-
-/***********************************************************
- SMB signing - calculate a MAC to send.
-************************************************************/
-
-void cli_caclulate_sign_mac(struct cli_state *cli)
-{
-       unsigned char calc_md5_mac[16];
-       struct MD5Context md5_ctx;
-
-       if (cli->sign_info.temp_smb_signing) {
-               memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
-               cli->sign_info.temp_smb_signing = False;
-               return;
-       }
-
-       if (!cli->sign_info.use_smb_signing) {
-               return;
-       }
-
-       /*
-        * Firstly put the sequence number into the first 4 bytes.
-        * and zero out the next 4 bytes.
-        */
-       SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num);
-       SIVAL(cli->outbuf, smb_ss_field + 4, 0);
-
-       /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
-       MD5Init(&md5_ctx);
-       MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
-       MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
-       MD5Final(calc_md5_mac, &md5_ctx);
-
-       memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
-
-/*     cli->outbuf[smb_ss_field+2]=0; 
-       Uncomment this to test if the remote server actually verifies signitures...*/
-       cli->sign_info.send_seq_num++;
-       cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num;
-       cli->sign_info.send_seq_num++;
-}
-
-/***********************************************************
- SMB signing - check a MAC sent by server.
-************************************************************/
-
-BOOL cli_check_sign_mac(struct cli_state *cli)
-{
-       unsigned char calc_md5_mac[16];
-       unsigned char server_sent_mac[8];
-       struct MD5Context md5_ctx;
-
-       if (cli->sign_info.temp_smb_signing) {
-               return True;
-       }
-
-       if (!cli->sign_info.use_smb_signing) {
-               return True;
-       }
-
-       /*
-        * Firstly put the sequence number into the first 4 bytes.
-        * and zero out the next 4 bytes.
-        */
-
-       memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
-
-       SIVAL(cli->inbuf, smb_ss_field, cli->sign_info.reply_seq_num);
-       SIVAL(cli->inbuf, smb_ss_field + 4, 0);
-
-       /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
-       MD5Init(&md5_ctx);
-       MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
-       MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
-       MD5Final(calc_md5_mac, &md5_ctx);
-
-       return (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
-}