2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell <tridge@samba.org> 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/raw/libcliraw.h"
24 #include "libcli/smb2/smb2.h"
25 #include "libcli/smb2/smb2_calls.h"
26 #include "heimdal/lib/hcrypto/sha.h"
29 NOTE: this code does not yet interoperate with the windows SMB2
30 implementation. We are waiting on feedback on the docs to find out
36 setup signing on a transport
38 NTSTATUS smb2_start_signing(struct smb2_transport *transport)
40 if (transport->signing.session_key.length != 16) {
41 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
42 (unsigned)transport->signing.session_key.length));
43 return NT_STATUS_ACCESS_DENIED;
46 transport->signing.signing_started = true;
51 sign an outgoing message
53 NTSTATUS smb2_sign_message(struct smb2_request *req)
55 struct smb2_request_buffer *buf = &req->out;
60 if (!req->transport->signing.doing_signing ||
61 !req->transport->signing.signing_started) {
65 if (buf->size < NBT_HDR_SIZE + SMB2_HDR_SIGNATURE + 16) {
66 /* can't sign non-SMB2 messages */
70 session_id = BVAL(buf->hdr, SMB2_HDR_SESSION_ID);
71 if (session_id == 0) {
72 /* we don't sign messages with a zero session_id. See
77 if (req->transport->signing.session_key.length != 16) {
78 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
79 (unsigned)req->transport->signing.session_key.length));
80 return NT_STATUS_ACCESS_DENIED;
83 memset(buf->hdr + SMB2_HDR_SIGNATURE, 0, 16);
85 SIVAL(buf->hdr, SMB2_HDR_FLAGS, IVAL(buf->hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
89 SHA256_Update(&m, req->transport->signing.session_key.data,
90 req->transport->signing.session_key.length);
91 SHA256_Update(&m, buf->buffer+NBT_HDR_SIZE, buf->size-NBT_HDR_SIZE);
92 SHA256_Final(res, &m);
94 DEBUG(5,("signed SMB2 message of size %u\n", (unsigned)buf->size - NBT_HDR_SIZE));
96 memcpy(buf->hdr + SMB2_HDR_SIGNATURE, res, 16);
99 /* check our own signature */
100 smb2_check_signature(req->transport, buf->buffer, buf->size);
107 check an incoming signature
109 NTSTATUS smb2_check_signature(struct smb2_transport *transport,
110 uint8_t *buffer, uint_t length)
114 uint8_t res[SHA256_DIGEST_LENGTH];
117 if (!transport->signing.signing_started ||
118 !transport->signing.doing_signing) {
122 if (length < NBT_HDR_SIZE + SMB2_HDR_SIGNATURE + 16) {
123 /* can't check non-SMB2 messages */
127 session_id = BVAL(buffer+NBT_HDR_SIZE, SMB2_HDR_SESSION_ID);
128 if (session_id == 0) {
129 /* don't sign messages with a zero session_id. See
134 if (transport->signing.session_key.length == 0) {
135 /* we don't have the session key yet */
139 if (transport->signing.session_key.length != 16) {
140 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
141 (unsigned)transport->signing.session_key.length));
142 return NT_STATUS_ACCESS_DENIED;
145 memcpy(sig, buffer+NBT_HDR_SIZE+SMB2_HDR_SIGNATURE, 16);
147 memset(buffer + NBT_HDR_SIZE + SMB2_HDR_SIGNATURE, 0, 16);
151 SHA256_Update(&m, transport->signing.session_key.data, 16);
152 SHA256_Update(&m, buffer+NBT_HDR_SIZE, length-NBT_HDR_SIZE);
153 SHA256_Final(res, &m);
155 memcpy(buffer+NBT_HDR_SIZE+SMB2_HDR_SIGNATURE, sig, 16);
157 if (memcmp(res, sig, 16) != 0) {
158 DEBUG(0,("Bad SMB2 signature for message of size %u\n", length));
159 dump_data(0, sig, 16);
160 dump_data(0, res, 16);
161 return NT_STATUS_ACCESS_DENIED;