sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-05 12:23:50 +03:00
Code Activity

Change the way we sign SMB packets, to a function pointer interface.

Browse Source 
The intention is to allow for NTLMSSP and kerberos signing of packets, but
for now it's just what I call 'simple' signing. (aka SMB signing per the SNIA
spec)

Andrew Bartlett
This commit is contained in:
Andrew Bartlett
-
parent d1dde5f684
commit b9cf95c3dc
6 changed files with 346 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
source/Makefile.in
View File

@@ -201,7 +201,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
libsmb/clirap.o libsmb/clierror.o libsmb/climessage.o \
libsmb/clireadwrite.o libsmb/clilist.o libsmb/cliprint.o \
libsmb/clitrans.o libsmb/clisecdesc.o libsmb/clidgram.o \
libsmb/clistr.o \
libsmb/clistr.o libsmb/smb_signing.o \
libsmb/smberr.o libsmb/credentials.o libsmb/pwd_cache.o \
libsmb/clioplock.o libsmb/errormap.o libsmb/clirap2.o \
libsmb/passchange.o libsmb/doserr.o \

13
source/include/client.h
View File

@@ -58,14 +58,15 @@ struct print_job_info
};
typedef struct smb_sign_info {
BOOL use_smb_signing;
void (*sign_outgoing_message)(struct cli_state *cli);
BOOL (*check_incoming_message)(struct cli_state *cli);
void (*free_signing_context)(struct cli_state *cli);
void *signing_context;
BOOL negotiated_smb_signing;
BOOL temp_smb_signing;
size_t mac_key_len;
uint8 mac_key[64];
uint32 send_seq_num;
uint32 reply_seq_num;
BOOL allow_smb_signing;
BOOL doing_signing;
BOOL mandetory_signing;
} smb_sign_info;
struct cli_state {

47
source/libsmb/cliconnect.c
View File

@@ -228,39 +228,11 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user,
return True;
}
static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response)
{
uint8 zero_sig[8];
ZERO_STRUCT(zero_sig);
DEBUG(5, ("Server returned security sig:\n"));
dump_data(5, &cli->inbuf[smb_ss_field], 8);
if (cli->sign_info.use_smb_signing) {
DEBUG(5, ("smb signing already active on connection\n"));
} else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
DEBUG(3, ("smb signing enabled!\n"));
cli->sign_info.use_smb_signing = True;
cli_calculate_mac_key(cli, user_session_key, response);
} else {
DEBUG(5, ("smb signing NOT enabled!\n"));
}
}
static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
{
memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
}
static void set_temp_signing_on_cli(struct cli_state *cli)
{
if (cli->sign_info.negotiated_smb_signing)
cli->sign_info.temp_smb_signing = True;
}
/****************************************************************************
do a NT1 NTLM/LM encrypted session setup
@param cli client state to create do session setup on
@@ -310,8 +282,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
session_key = data_blob(NULL, 16);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
}
set_temp_signing_on_cli(cli);
cli_simple_set_signing(cli, session_key.data, nt_response);
} else {
/* pre-encrypted password supplied. Only used for
security=server, can't do
@@ -374,14 +345,14 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
if (session_key.data) {
/* Have plaintext orginal */
set_cli_session_key(cli, session_key);
set_signing_on_cli(cli, session_key.data, nt_response);
}
ret = True;
end:
data_blob_free(&lm_response);
data_blob_free(&nt_response);
data_blob_free(&session_key);
return True;
return ret;
}
/****************************************************************************
@@ -403,8 +374,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
set_message(cli->outbuf,12,0,True);
SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
set_temp_signing_on_cli(cli);
cli_setup_packet(cli);
SCVAL(cli->outbuf,smb_vwv0,0xFF);
@@ -883,11 +852,6 @@ BOOL cli_negprot(struct cli_state *cli)
int numprots;
int plength;
if (cli->sign_info.use_smb_signing) {
DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
return False;
}
if (cli->protocol < PROTOCOL_NT1)
cli->use_spnego = False;
@@ -1013,11 +977,6 @@ BOOL cli_session_request(struct cli_state *cli,
if (cli->port == 445)
return True;
if (cli->sign_info.use_smb_signing) {
DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
return False;
}
/* send a session request (RFC 1002) */
/* setup the packet length
* Remove four bytes from the length count, since the length

8
source/libsmb/clientgen.c
View File

@@ -177,9 +177,6 @@ void cli_setup_packet(struct cli_state *cli)
flags2 |= FLAGS2_32_BIT_ERROR_CODES;
if (cli->use_spnego)
flags2 |= FLAGS2_EXTENDED_SECURITY;
if (cli->sign_info.use_smb_signing
|| cli->sign_info.temp_smb_signing)
flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
SSVAL(cli->outbuf,smb_flg2, flags2);
}
}
@@ -262,6 +259,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
if (getenv("CLI_FORCE_DOSERR"))
cli->force_dos_errors = True;
/* initialise signing */
cli_null_set_signing(cli);
if (lp_client_signing())
cli->sign_info.allow_smb_signing = True;
@@ -303,6 +303,7 @@ void cli_close_connection(struct cli_state *cli)
SAFE_FREE(cli->outbuf);
SAFE_FREE(cli->inbuf);
cli_free_signing_context(cli);
data_blob_free(&cli->secblob);
if (cli->mem_ctx) {
@@ -314,6 +315,7 @@ void cli_close_connection(struct cli_state *cli)
close(cli->fd);
cli->fd = -1;
cli->smb_rw_error = 0;
}
/****************************************************************************

329
source/libsmb/smb_signing.c Normal file
View File

@@ -0,0 +1,329 @@
/*
Unix SMB/CIFS implementation.
SMB Signing Code
Copyright (C) Jeremy Allison 2002.
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
struct smb_basic_signing_context {
DATA_BLOB mac_key;
uint32 send_seq_num;
uint32 reply_seq_num;
};
/***********************************************************
SMB signing - Common code before we set a new signing implementation
************************************************************/
static BOOL set_smb_signing_common(struct cli_state *cli)
{
if (cli->sign_info.doing_signing) {
return False;
}
if (cli->sign_info.free_signing_context)
cli->sign_info.free_signing_context(cli);
/* These calls are INCONPATIBLE with SMB signing */
cli->readbraw_supported = False;
cli->writebraw_supported = False;
return True;
}
/***********************************************************
SMB signing - Common code for 'real' implementations
************************************************************/
static BOOL set_smb_signing_real_common(struct cli_state *cli)
{
if (cli->sign_info.mandetory_signing) {
DEBUG(5, ("Mandetory SMB signing enabled!\n"));
cli->sign_info.doing_signing = True;
}
DEBUG(5, ("SMB signing enabled!\n"));
return True;
}
static void mark_packet_signed(struct cli_state *cli)
{
uint16 flags2;
flags2 = SVAL(cli->outbuf,smb_flg2);
flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES;
SSVAL(cli->outbuf,smb_flg2, flags2);
}
/***********************************************************
SMB signing - Simple implementation - calculate a MAC to send.
************************************************************/
static void cli_simple_sign_outgoing_message(struct cli_state *cli)
{
unsigned char calc_md5_mac[16];
struct MD5Context md5_ctx;
struct smb_basic_signing_context *data = cli->sign_info.signing_context;
/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*/
SIVAL(cli->outbuf, smb_ss_field,
data->send_seq_num);
SIVAL(cli->outbuf, smb_ss_field + 4, 0);
/* mark the packet as signed - BEFORE we sign it...*/
mark_packet_signed(cli);
/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, data->mac_key.data,
data->mac_key.length);
MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
MD5Final(calc_md5_mac, &md5_ctx);
DEBUG(10, ("sent SMB signiture of\n"));
dump_data(10, calc_md5_mac, 8);
memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
/* cli->outbuf[smb_ss_field+2]=0;
Uncomment this to test if the remote server actually verifies signitures...*/
data->send_seq_num++;
data->reply_seq_num = data->send_seq_num;
data->send_seq_num++;
}
/***********************************************************
SMB signing - Simple implementation - check a MAC sent by server.
************************************************************/
static BOOL cli_simple_check_incoming_message(struct cli_state *cli)
{
BOOL good;
unsigned char calc_md5_mac[16];
unsigned char server_sent_mac[8];
struct MD5Context md5_ctx;
struct smb_basic_signing_context *data = cli->sign_info.signing_context;
/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*/
memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
DEBUG(10, ("got SMB signiture of\n"));
dump_data(10, server_sent_mac, 8);
SIVAL(cli->inbuf, smb_ss_field, data->reply_seq_num);
SIVAL(cli->inbuf, smb_ss_field + 4, 0);
/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, data->mac_key.data,
data->mac_key.length);
MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
MD5Final(calc_md5_mac, &md5_ctx);
good = (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
if (good && !cli->sign_info.doing_signing) {
cli->sign_info.doing_signing = True;
}
if (!good) {
DEBUG(1, ("SMB signiture check failed!\n"));
}
return good;
}
/***********************************************************
SMB signing - Simple implementation - free signing context
************************************************************/
static void cli_simple_free_signing_context(struct cli_state *cli)
{
struct smb_basic_signing_context *data = cli->sign_info.signing_context;
data_blob_free(&data->mac_key);
SAFE_FREE(cli->sign_info.signing_context);
return;
}
/***********************************************************
SMB signing - Simple implementation - setup the MAC key.
************************************************************/
void cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
{
struct smb_basic_signing_context *data;
if (!set_smb_signing_common(cli)) {
return;
}
if (!set_smb_signing_real_common(cli)) {
return;
}
data = smb_xmalloc(sizeof(*data));
cli->sign_info.signing_context = data;
data->mac_key = data_blob(NULL, MIN(response.length + 16, 40));
memcpy(&data->mac_key.data[0], user_session_key, 16);
memcpy(&data->mac_key.data[16],response.data, MIN(response.length, 40 - 16));
/* Initialise the sequence number */
data->send_seq_num = 0;
cli->sign_info.sign_outgoing_message = cli_simple_sign_outgoing_message;
cli->sign_info.check_incoming_message = cli_simple_check_incoming_message;
cli->sign_info.free_signing_context = cli_simple_free_signing_context;
}
/***********************************************************
SMB signing - NULL implementation - calculate a MAC to send.
************************************************************/
static void cli_null_sign_outgoing_message(struct cli_state *cli)
{
static uchar zeros[8];
memcpy(&cli->outbuf[smb_ss_field], zeros, sizeof(zeros));
}
/***********************************************************
SMB signing - NULL implementation - check a MAC sent by server.
************************************************************/
static BOOL cli_null_check_incoming_message(struct cli_state *cli)
{
return True;
}
/***********************************************************
SMB signing - NULL implementation - free signing context
************************************************************/
static void cli_null_free_signing_context(struct cli_state *cli)
{
return;
}
/***********************************************************
SMB signing - NULL implementation - setup the MAC key.
************************************************************/
void cli_null_set_signing(struct cli_state *cli)
{
struct smb_basic_sign_data *data;
if (!set_smb_signing_common(cli)) {
return;
}
cli->sign_info.signing_context = NULL;
cli->sign_info.sign_outgoing_message = cli_null_sign_outgoing_message;
cli->sign_info.check_incoming_message = cli_null_check_incoming_message;
cli->sign_info.free_signing_context = cli_null_free_signing_context;
}
/***********************************************************
SMB signing - TEMP implementation - calculate a MAC to send.
************************************************************/
static void cli_temp_sign_outgoing_message(struct cli_state *cli)
{
memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
return;
}
/***********************************************************
SMB signing - TEMP implementation - check a MAC sent by server.
************************************************************/
static BOOL cli_temp_check_incoming_message(struct cli_state *cli)
{
return True;
}
/***********************************************************
SMB signing - TEMP implementation - free signing context
************************************************************/
static void cli_temp_free_signing_context(struct cli_state *cli)
{
return;
}
/***********************************************************
SMB signing - NULL implementation - setup the MAC key.
************************************************************/
void cli_temp_set_signing(struct cli_state *cli)
{
if (!set_smb_signing_common(cli)) {
return;
}
cli->sign_info.signing_context = NULL;
cli->sign_info.sign_outgoing_message = cli_temp_sign_outgoing_message;
cli->sign_info.check_incoming_message = cli_temp_check_incoming_message;
cli->sign_info.free_signing_context = cli_temp_free_signing_context;
}
/**
* Free the singing context
*/
void cli_free_signing_context(struct cli_state *cli)
{
if (cli->sign_info.free_signing_context)
cli->sign_info.free_signing_context(cli);
cli_null_set_signing(cli);
}
void cli_caclulate_sign_mac(struct cli_state *cli)
{
cli->sign_info.sign_outgoing_message(cli);
}
BOOL cli_check_sign_mac(struct cli_state *cli)
{
BOOL good;
good = cli->sign_info.check_incoming_message(cli);
if (!good) {
if (cli->sign_info.doing_signing) {
return False;
} else {
cli_free_signing_context(cli);
}
}
return True;
}

100
source/libsmb/smbencrypt.c
View File

@@ -295,7 +295,7 @@ void SMBsesskeygen_ntv1(const uchar kr[16],
#endif
}
DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
static DATA_BLOB NTLMv2_generate_response(uchar ntlm_v2_hash[16],
DATA_BLOB server_chal, size_t client_chal_length)
{
uchar ntlmv2_response[16];
@@ -416,101 +416,3 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd,
return True;
}
/***********************************************************
SMB signing - setup the MAC key.
************************************************************/
void cli_calculate_mac_key(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
{
memcpy(&cli->sign_info.mac_key[0], user_session_key, 16);
memcpy(&cli->sign_info.mac_key[16],response.data, MIN(response.length, 40 - 16));
cli->sign_info.mac_key_len = MIN(response.length + 16, 40);
cli->sign_info.use_smb_signing = True;
/* These calls are INCONPATIBLE with SMB signing */
cli->readbraw_supported = False;
cli->writebraw_supported = False;
/* Reset the sequence number in case we had a previous (aborted) attempt */
cli->sign_info.send_seq_num = 2;
}
/***********************************************************
SMB signing - calculate a MAC to send.
************************************************************/
void cli_caclulate_sign_mac(struct cli_state *cli)
{
unsigned char calc_md5_mac[16];
struct MD5Context md5_ctx;
if (cli->sign_info.temp_smb_signing) {
memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8);
cli->sign_info.temp_smb_signing = False;
return;
}
if (!cli->sign_info.use_smb_signing) {
return;
}
/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*/
SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num);
SIVAL(cli->outbuf, smb_ss_field + 4, 0);
/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf));
MD5Final(calc_md5_mac, &md5_ctx);
memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8);
/* cli->outbuf[smb_ss_field+2]=0;
Uncomment this to test if the remote server actually verifies signitures...*/
cli->sign_info.send_seq_num++;
cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num;
cli->sign_info.send_seq_num++;
}
/***********************************************************
SMB signing - check a MAC sent by server.
************************************************************/
BOOL cli_check_sign_mac(struct cli_state *cli)
{
unsigned char calc_md5_mac[16];
unsigned char server_sent_mac[8];
struct MD5Context md5_ctx;
if (cli->sign_info.temp_smb_signing) {
return True;
}
if (!cli->sign_info.use_smb_signing) {
return True;
}
/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*/
memcpy(server_sent_mac, &cli->inbuf[smb_ss_field], sizeof(server_sent_mac));
SIVAL(cli->inbuf, smb_ss_field, cli->sign_info.reply_seq_num);
SIVAL(cli->inbuf, smb_ss_field + 4, 0);
/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len);
MD5Update(&md5_ctx, cli->inbuf + 4, smb_len(cli->inbuf));
MD5Final(calc_md5_mac, &md5_ctx);
return (memcmp(server_sent_mac, calc_md5_mac, 8) == 0);
}