mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
Fix SMB signing when using NTLMSSP...
It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure then the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunetly). Andrew Bartlett
This commit is contained in:
Andrew Bartlett
parent
5472ddc9ea
commit
95ec8317d4
@ -551,6 +551,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
|
||||
blob_in, &blob_out);
|
||||
data_blob_free(&blob_in);
|
||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
||||
DATA_BLOB null = data_blob(NULL, 0);
|
||||
if (turn == 1) {
|
||||
/* and wrap it in a SPNEGO wrapper */
|
||||
msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out);
|
||||
@ -559,14 +560,16 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
|
||||
msg1 = spnego_gen_auth(blob_out);
|
||||
}
|
||||
|
||||
cli_simple_set_signing(cli,
|
||||
ntlmssp_state->session_key.data,
|
||||
null);
|
||||
|
||||
/* now send that blob on its way */
|
||||
if (!cli_session_setup_blob_send(cli, msg1)) {
|
||||
return False;
|
||||
}
|
||||
data_blob_free(&msg1);
|
||||
|
||||
cli_ntlmssp_set_signing(cli, ntlmssp_state);
|
||||
|
||||
blob = cli_session_setup_blob_receive(cli);
|
||||
|
||||
nt_status = cli_nt_error(cli);
|
||||
|
||||
@ -277,6 +277,9 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
|
||||
{
|
||||
struct smb_basic_signing_context *data;
|
||||
|
||||
if (!user_session_key)
|
||||
return False;
|
||||
|
||||
if (!set_smb_signing_common(cli)) {
|
||||
return False;
|
||||
}
|
||||
@ -307,97 +310,6 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
|
||||
return True;
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
SMB signing - NTLMSSP implementation - calculate a MAC to send.
|
||||
************************************************************/
|
||||
|
||||
static void cli_ntlmssp_sign_outgoing_message(struct cli_state *cli)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
DATA_BLOB sig;
|
||||
NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
|
||||
|
||||
/* mark the packet as signed - BEFORE we sign it...*/
|
||||
mark_packet_signed(cli);
|
||||
|
||||
nt_status = ntlmssp_client_sign_packet(ntlmssp_state, cli->outbuf + 4,
|
||||
smb_len(cli->outbuf), &sig);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
|
||||
return;
|
||||
}
|
||||
|
||||
DEBUG(10, ("sent SMB signature of\n"));
|
||||
dump_data(10, sig.data, MIN(sig.length, 8));
|
||||
memcpy(&cli->outbuf[smb_ss_field], sig.data, MIN(sig.length, 8));
|
||||
|
||||
data_blob_free(&sig);
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
SMB signing - NTLMSSP implementation - check a MAC sent by server.
|
||||
************************************************************/
|
||||
|
||||
static BOOL cli_ntlmssp_check_incoming_message(struct cli_state *cli)
|
||||
{
|
||||
BOOL good;
|
||||
NTSTATUS nt_status;
|
||||
DATA_BLOB sig = data_blob(&cli->inbuf[smb_ss_field], 8);
|
||||
|
||||
NTLMSSP_CLIENT_STATE *ntlmssp_state = cli->sign_info.signing_context;
|
||||
|
||||
nt_status = ntlmssp_client_check_packet(ntlmssp_state, cli->outbuf + 4,
|
||||
smb_len(cli->outbuf), &sig);
|
||||
|
||||
data_blob_free(&sig);
|
||||
|
||||
good = NT_STATUS_IS_OK(nt_status);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(5, ("NTLMSSP signing failed with %s\n", nt_errstr(nt_status)));
|
||||
}
|
||||
|
||||
return signing_good(cli, good);
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
SMB signing - NTLMSSP implementation - free signing context
|
||||
************************************************************/
|
||||
|
||||
static void cli_ntlmssp_free_signing_context(struct cli_state *cli)
|
||||
{
|
||||
ntlmssp_client_end((NTLMSSP_CLIENT_STATE **)&cli->sign_info.signing_context);
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
SMB signing - NTLMSSP implementation - setup the MAC key.
|
||||
************************************************************/
|
||||
|
||||
BOOL cli_ntlmssp_set_signing(struct cli_state *cli,
|
||||
NTLMSSP_CLIENT_STATE *ntlmssp_state)
|
||||
{
|
||||
if (!set_smb_signing_common(cli)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(ntlmssp_client_sign_init(ntlmssp_state))) {
|
||||
return False;
|
||||
}
|
||||
|
||||
if (!set_smb_signing_real_common(cli)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
cli->sign_info.signing_context = ntlmssp_state;
|
||||
ntlmssp_state->ref_count++;
|
||||
|
||||
cli->sign_info.sign_outgoing_message = cli_ntlmssp_sign_outgoing_message;
|
||||
cli->sign_info.check_incoming_message = cli_ntlmssp_check_incoming_message;
|
||||
cli->sign_info.free_signing_context = cli_ntlmssp_free_signing_context;
|
||||
|
||||
return True;
|
||||
}
|
||||
|
||||
/***********************************************************
|
||||
SMB signing - NULL implementation - calculate a MAC to send.
|
||||
************************************************************/
|
||||
|
||||
Loading…
Reference in New Issue
Block a user