r1462: GENSEC Kerberos and SPENGO work:
authorAndrew Bartlett <abartlet@samba.org>
Mon, 12 Jul 2004 09:11:13 +0000 (09:11 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:57:32 +0000 (12:57 -0500)
 - Spelling - it's SPNEGO, not SPENGO
 - SMB signing - Krb5 logins are now correctly signed
 - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not.

Andrew Bartlett

source/client/client.c
source/include/cli_context.h
source/libcli/auth/config.mk
source/libcli/auth/gensec.mk
source/libcli/auth/gensec_krb5.c
source/libcli/auth/spnego.c
source/libcli/raw/clisession.c
source/libcli/raw/clitransport.c
source/libcli/raw/smb_signing.c
source/param/loadparm.c

index db44dd3d28eba5a077fc1f7afc3ca36c81b7ff14..0ad3eed889690778595b1d357ecf20a3bf8b7934 100644 (file)
@@ -2836,6 +2836,7 @@ static struct cli_state *do_connect(const char *server, const char *share)
 
        status = cli_session_setup(c, username, password, lp_workgroup());
        if (NT_STATUS_IS_ERR(status)) {
+               d_printf("authenticated session setup failed: %s\n", nt_errstr(status));
                /* if a password was not supplied then try again with a null username */
                if (password[0] || !username[0] || use_kerberos) {
                        status = cli_session_setup(c, "", "", lp_workgroup());
index 930017bb26c281dd3279fffde010911d4c0d6286..cddc6aadf542e93be861a1846629c601c6634051 100644 (file)
@@ -53,7 +53,11 @@ struct cli_negotiate {
                BOOL (*check_incoming_message)(struct cli_request *req);
                void (*free_signing_context)(struct cli_transport *transport);
                void *signing_context;
+               BOOL negotiated_smb_signing;
+               BOOL allow_smb_signing;
                BOOL doing_signing;
+               BOOL mandatory_signing;
+               BOOL seen_valid; /* Have I ever seen a validly signed packet? */
        } sign_info;
 
        /* capabilities that the server reported */
index 0c7586026be7c83b048bd2037bb9e439e8d36607..a3bb3f1c78884322edd1a10045bf97318c8ca70c 100644 (file)
@@ -3,8 +3,7 @@
 [SUBSYSTEM::LIBCLI_AUTH]
 ADD_OBJ_FILES = libcli/auth/schannel.o \
                libcli/auth/credentials.o \
-               libcli/auth/session.o \
-               libcli/auth/ntlm_check.o
+               libcli/auth/session.o 
 REQUIRED_SUBSYSTEMS = \
                AUTH SCHANNELDB GENSEC
 # End SUBSYSTEM LIBCLI_AUTH
index 7c2c21bafd006bbcf36647f3d06cfe4e7b6de4ab..5c6a8260e5a589a93117e25444fefc54fa3a0d3d 100644 (file)
@@ -3,7 +3,7 @@
 [SUBSYSTEM::GENSEC]
 INIT_OBJ_FILES = libcli/auth/gensec.o
 REQUIRED_SUBSYSTEMS = \
-               AUTH SCHANNELDB
+               SCHANNELDB
 # End SUBSYSTEM GENSEC
 #################################
 
@@ -14,7 +14,8 @@ INIT_OBJ_FILES = libcli/auth/gensec_krb5.o
 ADD_OBJ_FILES = \
                libcli/auth/clikrb5.o \
                libcli/auth/kerberos.o \
-               libcli/auth/kerberos_verify.o
+               libcli/auth/kerberos_verify.o \
+               libcli/auth/gssapi_parse.o
 REQUIRED_SUBSYSTEMS = GENSEC
 # End MODULE gensec_krb5
 ################################################
index dbb2a10659164b07416d410aea2b7414ee94d07a..3a4f995937d538c486df40013f3749ad2bb90dbb 100644 (file)
@@ -42,6 +42,7 @@ struct gensec_krb5_state {
        enum GENSEC_KRB5_STATE state_position;
        krb5_context krb5_context;
        krb5_auth_context krb5_auth_context;
+       krb5_ccache krb5_ccache;
 };
 
 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
@@ -66,7 +67,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
        initialize_krb5_error_table();
        gensec_krb5_state->krb5_context = NULL;
        gensec_krb5_state->krb5_auth_context = NULL;
-       gensec_krb5_state->krb5_ccdef = NULL;
+       gensec_krb5_state->krb5_ccache = NULL;
        gensec_krb5_state->session_key = data_blob(NULL, 0);
 
        ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -111,7 +112,7 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
 {
        struct gensec_krb5_state *gensec_krb5_state;
-       
+       krb5_error_code ret;
        NTSTATUS nt_status;
        nt_status = gensec_krb5_start(gensec_security);
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -121,7 +122,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        gensec_krb5_state = gensec_security->private_data;
        gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
-       ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
+       ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
        if (ret) {
                DEBUG(1,("krb5_cc_default failed (%s)\n",
                         error_message(ret)));
@@ -135,13 +136,13 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
 {
        struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 
-       if (gensec_krb5_state->krb5_ccdef) {
+       if (gensec_krb5_state->krb5_ccache) {
                /* Removed by jra. They really need to fix their kerberos so we don't leak memory. 
                   JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
                   SuSE 9.1 Pro 
                */
 #if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
-               krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
+               krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
 #endif
        }
 
@@ -193,7 +194,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
                                      &gensec_krb5_state->krb5_auth_context, 
                                      AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
                                      gensec_security->target.principal,
-                                     ccdef, &packet);
+                                     gensec_krb5_state->krb5_ccache, &packet);
                if (ret) {
                        DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
                                 error_message(ret)));
index 7e0cda42bac0344ee00e42fbadee2207ad24ebad..32846cf5803e0d93579b44cd8e9b411c7e3dd7ef 100644 (file)
@@ -48,7 +48,7 @@ struct spnego_state {
 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
 {
        struct spnego_state *spnego_state;
-       TALLOC_CTX *mem_ctx = talloc_init("gensec_spengo_client_start");
+       TALLOC_CTX *mem_ctx = talloc_init("gensec_spnego_client_start");
        if (!mem_ctx) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -151,12 +151,12 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit
 
 /** Fallback to another GENSEC mechanism, based on magic strings 
  *
- * This is the 'fallback' case, where we don't get SPENGO, and have to
+ * This is the 'fallback' case, where we don't get SPNEGO, and have to
  * try all the other options (and hope they all have a magic string
  * they check)
 */
 
-static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec_security, 
+static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security, 
                                                  struct spnego_state *spnego_state,
                                                  TALLOC_CTX *out_mem_ctx, 
                                                  const DATA_BLOB in, DATA_BLOB *out) 
@@ -189,7 +189,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
                }
                gensec_end(&spnego_state->sub_sec_security);
        }
-       DEBUG(1, ("Failed to parse SPENGO request\n"));
+       DEBUG(1, ("Failed to parse SPNEGO request\n"));
        return NT_STATUS_INVALID_PARAMETER;
        
 }
@@ -199,7 +199,7 @@ static NTSTATUS gensec_spengo_server_try_fallback(struct gensec_security *gensec
  * This is the case, where the client is the first one who sends data
 */
 
-static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec_security, 
+static NTSTATUS gensec_spnego_client_netTokenInit(struct gensec_security *gensec_security, 
                                                  struct spnego_state *spnego_state,
                                                  TALLOC_CTX *out_mem_ctx, 
                                                  const DATA_BLOB in, DATA_BLOB *out) 
@@ -266,7 +266,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
                spnego_out.negTokenInit.mechToken = unwrapped_out;
                
                if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-                       DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+                       DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
                                return NT_STATUS_INVALID_PARAMETER;
                }
                
@@ -277,7 +277,7 @@ static NTSTATUS gensec_spengo_client_netTokenInit(struct gensec_security *gensec
        }
        gensec_end(&spnego_state->sub_sec_security);
 
-       DEBUG(1, ("Failed to setup SPENGO netTokenInit request\n"));
+       DEBUG(1, ("Failed to setup SPNEGO netTokenInit request\n"));
        return NT_STATUS_INVALID_PARAMETER;
 }
 
@@ -286,7 +286,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 {
        struct spnego_state *spnego_state = gensec_security->private_data;
        DATA_BLOB null_data_blob = data_blob(NULL, 0);
-       DATA_BLOB unwrapped_out;
+       DATA_BLOB unwrapped_out = data_blob(NULL, 0);
        struct spnego_data spnego_out;
        struct spnego_data spnego;
 
@@ -307,7 +307,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (in.length) {
                        len = spnego_read_data(in, &spnego);
                        if (len == -1) {
-                               return gensec_spengo_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
+                               return gensec_spnego_server_try_fallback(gensec_security, spnego_state, out_mem_ctx, in, out);
                        } else {
                                /* client sent NegTargetInit */
                        }
@@ -328,7 +328,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
                if (!in.length) {
                        /* client to produce negTokenInit */
-                       return gensec_spengo_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
+                       return gensec_spnego_client_netTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out);
                }
                
                len = spnego_read_data(in, &spnego);
@@ -341,13 +341,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                
                /* OK, so it's real SPNEGO, check the packet's the one we expect */
                if (spnego.type != spnego_state->expected_packet) {
-                       DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type, 
+                       DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                  spnego_state->expected_packet));
                        dump_data(1, (const char *)in.data, in.length);
                        spnego_free_data(&spnego);
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
+               if (spnego.negTokenInit.targetPrincipal) {
+                       nt_status = gensec_set_target_principal(gensec_security, 
+                                                               spnego.negTokenInit.targetPrincipal);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               return nt_status;
+                       }
+               }
+
                mechType = spnego.negTokenInit.mechTypes;
                for (i=0; mechType && mechType[i]; i++) {
                        nt_status = gensec_subcontext_start(gensec_security,
@@ -375,8 +383,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                                          null_data_blob, 
                                                          &unwrapped_out);
                        }
-                       if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                               DEBUG(1, ("SPENGO(%s) NEG_TOKEN_INIT failed: %s\n", 
+                       if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+                               DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n", 
                                          spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
                                gensec_end(&spnego_state->sub_sec_security);
                        } else {
@@ -384,11 +392,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                        }
                }
                if (!mechType || !mechType[i]) {
-                       DEBUG(1, ("SPENGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+                       DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
                }
                
                spnego_free_data(&spnego);
-               if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
                        return nt_status;
                }
                
@@ -402,7 +410,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                spnego_out.negTokenInit.mechToken = unwrapped_out;
                
                if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-                       DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_INIT\n"));
+                       DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
                                return NT_STATUS_INVALID_PARAMETER;
                }
                
@@ -410,7 +418,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
                spnego_state->state_position = SPNEGO_CLIENT_TARG;
                
-               return nt_status;
+               return NT_STATUS_MORE_PROCESSING_REQUIRED;
        }
        case SPNEGO_SERVER_TARG:
        {
@@ -429,49 +437,47 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                
                /* OK, so it's real SPNEGO, check the packet's the one we expect */
                if (spnego.type != spnego_state->expected_packet) {
-                       DEBUG(1, ("Invalid SPENGO request: %d, expected %d\n", spnego.type, 
+                       DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                  spnego_state->expected_packet));
                        dump_data(1, (const char *)in.data, in.length);
                        spnego_free_data(&spnego);
                        return NT_STATUS_INVALID_PARAMETER;
                }
                
-               if (spnego.negTokenTarg.responseToken.length) {
-                       nt_status = gensec_update(spnego_state->sub_sec_security,
-                                                 out_mem_ctx, 
-                                                 spnego.negTokenTarg.responseToken, 
-                                                 &unwrapped_out);
-               } else {
-                       unwrapped_out = data_blob(NULL, 0);
-                       nt_status = NT_STATUS_OK;
-               }
+               nt_status = gensec_update(spnego_state->sub_sec_security,
+                                         out_mem_ctx, 
+                                         spnego.negTokenTarg.responseToken, 
+                                         &unwrapped_out);
                
                spnego_state->result = spnego.negTokenTarg.negResult;
                spnego_free_data(&spnego);
                
+               /* compose reply */
+               spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+               spnego_out.negTokenTarg.supportedMech 
+                       = spnego_state->sub_sec_security->ops->oid;
+               spnego_out.negTokenTarg.responseToken = unwrapped_out;
+               spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+               
                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                       /* compose reply */
-                       spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
                        spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
-                       spnego_out.negTokenTarg.supportedMech 
-                               = spnego_state->sub_sec_security->ops->oid;
-                       spnego_out.negTokenTarg.responseToken = unwrapped_out;
-                       spnego_out.negTokenTarg.mechListMIC = null_data_blob;
-                       
-                       if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-                               DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
-                               return NT_STATUS_INVALID_PARAMETER;
-                       }
                        spnego_state->state_position = SPNEGO_SERVER_TARG;
                } else if (NT_STATUS_IS_OK(nt_status)) {
+                       spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
                        spnego_state->state_position = SPNEGO_DONE;
                } else {
-                       DEBUG(1, ("SPENGO(%s) login failed: %s\n", 
+                       spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
+                       DEBUG(1, ("SPNEGO(%s) login failed: %s\n", 
                                  spnego_state->sub_sec_security->ops->name, 
                                  nt_errstr(nt_status)));
-                       return nt_status;
+                       spnego_state->state_position = SPNEGO_DONE;
                }
                
+               if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+                       DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
                return nt_status;
        }
        case SPNEGO_CLIENT_TARG:
@@ -501,16 +507,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
                        return NT_STATUS_ACCESS_DENIED;
                }
-               
-               if (spnego.negTokenTarg.responseToken.length) {
-                       nt_status = gensec_update(spnego_state->sub_sec_security,
-                                                 out_mem_ctx, 
-                                                 spnego.negTokenTarg.responseToken, 
-                                                 &unwrapped_out);
-               } else {
-                       unwrapped_out = data_blob(NULL, 0);
-                       nt_status = NT_STATUS_OK;
-               }
+
+               nt_status = gensec_update(spnego_state->sub_sec_security,
+                                         out_mem_ctx, 
+                                         spnego.negTokenTarg.responseToken, 
+                                         &unwrapped_out);
                
                if (NT_STATUS_IS_OK(nt_status) 
                    && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
@@ -521,27 +522,28 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                spnego_state->result = spnego.negTokenTarg.negResult;
                spnego_free_data(&spnego);
                
+               spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+               spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+               spnego_out.negTokenTarg.supportedMech = NULL;
+               spnego_out.negTokenTarg.responseToken = unwrapped_out;
+               spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                        /* compose reply */
-                       spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
-                       spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
-                       spnego_out.negTokenTarg.supportedMech = NULL;
-                       spnego_out.negTokenTarg.responseToken = unwrapped_out;
-                       spnego_out.negTokenTarg.mechListMIC = null_data_blob;
                        
-                       if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-                               DEBUG(1, ("Failed to write SPENGO reply to NEG_TOKEN_TARG\n"));
-                               return NT_STATUS_INVALID_PARAMETER;
-                       }
                        spnego_state->state_position = SPNEGO_CLIENT_TARG;
                } else if (NT_STATUS_IS_OK(nt_status)) {
                        spnego_state->state_position = SPNEGO_DONE;
                } else {
-                       DEBUG(1, ("SPENGO(%s) login failed: %s\n", 
+                       DEBUG(1, ("SPNEGO(%s) login failed: %s\n", 
                                  spnego_state->sub_sec_security->ops->name, 
                                  nt_errstr(nt_status)));
                        return nt_status;
                }
+               if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+                       DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
                
                return nt_status;
        }
index d420aa7cd6e5cbdb50e022b8d7c3f466f7b84009..5aaceb103a2a9637e6792eaffde42a187a257748 100644 (file)
@@ -260,7 +260,7 @@ static void use_nt1_session_keys(struct cli_session *session,
        E_md4hash(password, nt_hash);
        SMBsesskeygen_ntv1(nt_hash, session_key.data);
 
-       cli_transport_simple_set_signing(transport, session_key, *nt_response);
+       cli_transport_simple_set_signing(transport, session_key, *nt_response, 0);
 
        cli_session_set_user_session_key(session, &session_key);
        data_blob_free(&session_key);
@@ -381,6 +381,8 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
 {
        NTSTATUS status;
        union smb_sesssetup s2;
+       DATA_BLOB session_key = data_blob(NULL, 0);
+       DATA_BLOB null_data_blob = data_blob(NULL, 0);
 
        s2.generic.level = RAW_SESSSETUP_SPNEGO;
        s2.spnego.in.bufsize = ~0;
@@ -433,39 +435,41 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct cli_session *session
                               session->transport->negotiate.secblob,
                               &s2.spnego.in.secblob);
 
-       if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-               goto done;
-       }
-
        while(1) {
+               if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
+                       break;
+               }
+
+               status = gensec_session_key(session->gensec, &session_key);
+               if (NT_STATUS_IS_OK(status)) {
+                       cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 0);
+               }
+
                session->vuid = s2.spnego.out.vuid;
                status = smb_raw_session_setup(session, mem_ctx, &s2);
                session->vuid = UID_FIELD_INVALID;
                if (!NT_STATUS_IS_OK(status) &&
                    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                       goto done;
+                       break;
                }
 
                status = gensec_update(session->gensec, mem_ctx,
                                       s2.spnego.out.secblob,
                                       &s2.spnego.in.secblob);
 
-               if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                       goto done;
+               if (NT_STATUS_IS_OK(status)) {
+                       break;
                }
        }
 
 done:
        if (NT_STATUS_IS_OK(status)) {
-               DATA_BLOB null_data_blob = data_blob(NULL, 0);
-               DATA_BLOB session_key = data_blob(NULL, 0);
-               
                status = gensec_session_key(session->gensec, &session_key);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
-
-               cli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
+               
+               cli_transport_simple_set_signing(session->transport, session_key, null_data_blob, 2 /* two legs on last packet */);
 
                cli_session_set_user_session_key(session, &session_key);
 
index a378ac8aad79a604710e7a06484fb7a09e81222e..18784fe33ac951580dea7ca100cfece8c42491f8 100644 (file)
@@ -40,7 +40,9 @@ struct cli_transport *cli_transport_init(struct cli_socket *sock)
        transport->negotiate.protocol = PROTOCOL_NT1;
        transport->options.use_spnego = lp_use_spnego();
        transport->negotiate.max_xmit = ~0;
-       cli_null_set_signing(transport);
+       
+       cli_init_signing(transport);
+
        transport->socket->reference_count++;
 
        ZERO_STRUCT(transport->called);
index 20b44a53484fdf4f8dea9679d2aaf725b263802c..52e08d05f875ec0d7e84406d1006a23b806e0438 100644 (file)
@@ -40,14 +40,18 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
        if (transport->negotiate.sign_info.doing_signing) {
                return False;
        }
-       
+
+       if (!transport->negotiate.sign_info.allow_smb_signing) {
+               return False;
+       }
+
        if (transport->negotiate.sign_info.free_signing_context)
                transport->negotiate.sign_info.free_signing_context(transport);
 
        /* These calls are INCOMPATIBLE with SMB signing */
        transport->negotiate.readbraw_supported = False;
        transport->negotiate.writebraw_supported = False;
-       
+
        return True;
 }
 
@@ -56,9 +60,8 @@ static BOOL set_smb_signing_common(struct cli_transport *transport)
 ************************************************************/
 static BOOL set_smb_signing_real_common(struct cli_transport *transport) 
 {
-       if (transport->negotiate.sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+       if (transport->negotiate.sign_info.mandatory_signing) {
                DEBUG(5, ("Mandatory SMB signing enabled!\n"));
-               transport->negotiate.sign_info.doing_signing = True;
        }
 
        DEBUG(5, ("SMB signing enabled!\n"));
@@ -74,24 +77,37 @@ static void mark_packet_signed(struct cli_request *req)
        SSVAL(req->out.hdr, HDR_FLG2, flags2);
 }
 
-static BOOL signing_good(struct cli_request *req, BOOL good) 
+static BOOL signing_good(struct cli_request *req, int seq, BOOL good) 
 {
-       if (good && !req->transport->negotiate.sign_info.doing_signing) {
-               req->transport->negotiate.sign_info.doing_signing = True;
-       }
-
-       if (!good) {
-               if (req->transport->negotiate.sign_info.doing_signing) {
-                       DEBUG(1, ("SMB signature check failed!\n"));
-                       return False;
+       if (good) {
+               if (!req->transport->negotiate.sign_info.doing_signing) {
+                       req->transport->negotiate.sign_info.doing_signing = True;
+               }
+               if (!req->transport->negotiate.sign_info.seen_valid) {
+                       req->transport->negotiate.sign_info.seen_valid = True;
+               }
+       } else {
+               if (!req->transport->negotiate.sign_info.mandatory_signing && !req->transport->negotiate.sign_info.seen_valid) {
+
+                       /* Non-mandatory signing - just turn off if this is the first bad packet.. */
+                       DEBUG(5, ("srv_check_incoming_message: signing negotiated but not required and peer\n"
+                                 "isn't sending correct signatures. Turning off.\n"));
+                       req->transport->negotiate.sign_info.negotiated_smb_signing = False;
+                       req->transport->negotiate.sign_info.allow_smb_signing = False;
+                       req->transport->negotiate.sign_info.doing_signing = False;
+                       if (req->transport->negotiate.sign_info.free_signing_context)
+                               req->transport->negotiate.sign_info.free_signing_context(req->transport);
+                       cli_null_set_signing(req->transport);
+                       return True;
                } else {
-                       DEBUG(3, ("Server did not sign reply correctly\n"));
-                       cli_transport_free_signing_context(req->transport);
+                       /* Mandatory signing or bad packet after signing started - fail and disconnect. */
+                       if (seq)
+                               DEBUG(0, ("signing_good: BAD SIG: seq %u\n", (unsigned int)seq));
                        return False;
                }
        }
        return True;
-}      
+}
 
 /***********************************************************
  SMB signing - Simple implementation - calculate a MAC to send.
@@ -139,6 +155,9 @@ static void cli_request_simple_sign_outgoing_message(struct cli_request *req)
 
        memcpy(&req->out.hdr[HDR_SS_FIELD], calc_md5_mac, 8);
 
+       DEBUG(5, ("cli_request_simple_sign_outgoing_message: SENT SIG (seq: %d, next %d): sent SMB signature of\n", 
+                 req->seq_num, data->next_seq_num));
+       dump_data(5, calc_md5_mac, 8);
 /*     req->out.hdr[HDR_SS_FIELD+2]=0; 
        Uncomment this to test if the remote server actually verifies signitures...*/
 }
@@ -184,6 +203,20 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
                MD5Final(calc_md5_mac, &md5_ctx);
                
                good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
+
+               if (i == 1) {
+                       if (!good) {
+                               DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): wanted SMB signature of\n", req->seq_num + i));
+                               dump_data(5, calc_md5_mac, 8);
+                               
+                               DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+                               dump_data(5, server_sent_mac, 8);
+                       } else {
+                               DEBUG(15, ("cli_request_simple_check_incoming_message: GOOD SIG (seq: %d): got SMB signature of\n", req->seq_num + i));
+                               dump_data(5, server_sent_mac, 8);
+                       }
+               }
+
                if (good) break;
        }
 
@@ -191,14 +224,7 @@ static BOOL cli_request_simple_check_incoming_message(struct cli_request *req)
                DEBUG(0,("SIGNING OFFSET %d (should be %d)\n", i, req->seq_num+1));
        }
 
-       if (!good) {
-               DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: wanted SMB signature of\n"));
-               dump_data(5, calc_md5_mac, 8);
-               
-               DEBUG(5, ("cli_request_simple_check_incoming_message: BAD SIG: got SMB signature of\n"));
-               dump_data(5, server_sent_mac, 8);
-       }
-       return signing_good(req, good);
+       return signing_good(req, req->seq_num+1, good);
 }
 
 
@@ -221,7 +247,8 @@ static void cli_transport_simple_free_signing_context(struct cli_transport *tran
 ************************************************************/
 BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
                                      const DATA_BLOB user_session_key, 
-                                     const DATA_BLOB response)
+                                     const DATA_BLOB response,
+                                     int seq_num)
 {
        struct smb_basic_signing_context *data;
 
@@ -245,7 +272,7 @@ BOOL cli_transport_simple_set_signing(struct cli_transport *transport,
        }
 
        /* Initialise the sequence number */
-       data->next_seq_num = 0;
+       data->next_seq_num = seq_num;
 
        transport->negotiate.sign_info.sign_outgoing_message = cli_request_simple_sign_outgoing_message;
        transport->negotiate.sign_info.check_incoming_message = cli_request_simple_check_incoming_message;
@@ -393,3 +420,25 @@ BOOL cli_request_check_sign_mac(struct cli_request *req)
 
        return True;
 }
+
+
+BOOL cli_init_signing(struct cli_transport *transport) 
+{
+       if (!cli_null_set_signing(transport)) {
+               return False;
+       }
+       
+       switch (lp_client_signing()) {
+       case SMB_SIGNING_OFF:
+       transport->negotiate.sign_info.allow_smb_signing = False;
+               break;
+       case SMB_SIGNING_SUPPORTED:
+               transport->negotiate.sign_info.allow_smb_signing = True;
+               break;
+       case SMB_SIGNING_REQUIRED:
+               transport->negotiate.sign_info.allow_smb_signing = True;
+               transport->negotiate.sign_info.mandatory_signing = True;
+               break;
+       }
+       return True;
+}
index 68a16501d2202cf62bb2c177f256ab0f1e51558c..5493b2617cad061047fee7fcde6d0a9f8b9d6ef6 100644 (file)
@@ -212,6 +212,7 @@ typedef struct
        BOOL bNTLMAuth;
        BOOL bUseSpnego;
        BOOL server_signing;
+       BOOL client_signing;
        BOOL bClientLanManAuth;
        BOOL bClientNTLMv2Auth;
        BOOL bHostMSDfs;
@@ -654,6 +655,7 @@ static struct parm_struct parm_table[] = {
        {"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
        {"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
        {"server signing", P_ENUM, P_GLOBAL, &Globals.server_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED}, 
+       {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED}, 
        {"rpc big endian", P_BOOL, P_GLOBAL, &Globals.bRpcBigEndian, NULL, NULL, FLAG_DEVELOPER},
 
        {"Tuning Options", P_SEP, P_SEPARATOR},
@@ -1103,7 +1105,8 @@ static void init_globals(void)
 
        Globals.bUseSpnego = True;
 
-       Globals.server_signing = False;
+       Globals.client_signing = SMB_SIGNING_SUPPORTED;
+       Globals.server_signing = SMB_SIGNING_SUPPORTED;
 
        string_set(&Globals.smb_ports, SMB_PORTS);
 }
@@ -1375,6 +1378,7 @@ FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time)
 FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers)
 FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
 FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
+FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
 
 /* local prototypes */