[SCM] Samba Shared Repository - branch v3-0-stable updated - release-3-0-33-103-g3c33ea3

Karolin Seeger kseeger at samba.org
Tue Jan 13 10:02:53 GMT 2009


The branch, v3-0-stable has been updated
       via  3c33ea39119e8e045ec99d18098b3d22ca5c5ee6 (commit)
      from  3bf646e5f87f55c4b3f19dc58d80192ccdf0c72f (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-stable


- Log -----------------------------------------------------------------
commit 3c33ea39119e8e045ec99d18098b3d22ca5c5ee6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 12 12:32:46 2009 +0100

    s3:libsmb: handle the smb signing states the same in the krb5 and ntlmssp cases
    
    SMB signing works the same regardless of the used auth mech.
    
    We need to start with the temp signing ("BSRSPYL ")
    and the session setup response with NT_STATUS_OK
    is the first signed packet.
    
    Now we set the krb5 session key if we got the NT_STATUS_OK
    from the server and then recheck the packet.
    
    All this is needed to make the fallback from krb5 to
    ntlmssp possible. This commit also resets the cli->vuid
    value to 0, if the krb5 auth didn't succeed. Otherwise
    the server handles NTLMSSP packets as krb5 packets.
    
    The restructuring of the SMB signing code is needed to
    make sure the krb5 code only starts the signing engine
    on success. Otherwise the NTLMSSP fallback could not initialize
    the signing engine (again).
    
    metze
    (cherry picked from commit 7d9fd64f38aa5821b38c1223cf87979fc87bfb71)
    (cherry picked from commit 8e29070ccd0b5103af2e6da75644169f46700313)
    (cherry picked from commit 38b297f99ec166e5c40ba33774222b37b45b4fec)
    (a little bit modified to compile in v3-0)
    (cherry picked from commit db109da6b10a091593435e3f8b0d9adb57d3c972)

-----------------------------------------------------------------------

Summary of changes:
 source/libsmb/cliconnect.c |   52 ++++++++++++++++++++++++++++++-------------
 1 files changed, 36 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index b2425e3..519d392 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -538,7 +538,7 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
 
 #define BASE_SESSSETUP_BLOB_PACKET_SIZE (35 + 24 + 22)
 
-static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5)
+static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 {
 	int32 remaining = blob.length;
 	int32 cur = 0;
@@ -562,13 +562,8 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B
 			send_blob.length = max_blob_size;
 			remaining -= max_blob_size;
 		} else {
-			DATA_BLOB null_blob = data_blob(NULL, 0);
-
 			send_blob.length = remaining; 
                         remaining = 0;
-
-			/* This is the last packet in the sequence - turn signing on. */
-			cli_simple_set_signing(cli, session_key_krb5, null_blob); 
 		}
 
 		send_blob.data =  &blob.data[cur];
@@ -616,8 +611,13 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
 {
 	DATA_BLOB negTokenTarg;
 	DATA_BLOB session_key_krb5;
+	DATA_BLOB null_blob = data_blob(NULL, 0);
+	NTSTATUS nt_status;
+	BOOL res;
 	int rc;
 
+	cli_temp_set_signing(cli);
+
 	DEBUG(2,("Doing kerberos session setup\n"));
 
 	/* generate the encapsulated kerberos5 ticket */
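Review bot: The new `cli_temp_set_signing(cli);` call at the top of cli_session_setup_kerberos has no comment, and any result it returns is discarded. The reason for it exists only in the commit message, so I would add above the call: `/* start with temp signing ("BSRSPYL "); the krb5 key is installed only after the server answers NT_STATUS_OK */`. The ticket-generation error return sits between this hunk and the next and is not visible here. If it returns directly instead of going through `nt_error`, the temporary signing state stays set when the caller falls back to NTLMSSP, so please confirm the fallback path re-initialises it. The function body continues past the end of this hunk.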
@@ -633,23 +633,43 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *
 	file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
 #endif
 
-	if (!cli_session_setup_blob(cli, negTokenTarg, session_key_krb5)) {
-		data_blob_free(&negTokenTarg);
-		data_blob_free(&session_key_krb5);
-		return ADS_ERROR_NT(cli_nt_error(cli));
+	if (!cli_session_setup_blob(cli, negTokenTarg)) {
+		nt_status = cli_nt_error(cli);
+		goto nt_error;
+	}
+
+	if (cli_is_error(cli)) {
+		nt_status = cli_nt_error(cli);
+		if (NT_STATUS_IS_OK(nt_status)) {
+			nt_status = NT_STATUS_UNSUCCESSFUL;
+		}
+		goto nt_error;
 	}
 
 	cli_set_session_key(cli, session_key_krb5);
 
+	res = cli_simple_set_signing(cli, session_key_krb5, null_blob);
+	if (res) {
+		/* 'resign' the last message, so we get the right sequence numbers
+		   for checking the first reply from the server */
+		cli_calculate_sign_mac(cli);
+
+		if (!cli_check_sign_mac(cli)) {
+			nt_status = NT_STATUS_ACCESS_DENIED;
+			goto nt_error;
+		}
+	}
+
 	data_blob_free(&negTokenTarg);
 	data_blob_free(&session_key_krb5);
 
-	if (cli_is_error(cli)) {
-		if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
-			return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
-		}
-	} 
-	return ADS_ERROR_NT(cli_nt_error(cli));
+	return ADS_ERROR_NT(NT_STATUS_OK);
+
+nt_error:
+	data_blob_free(&negTokenTarg);
+	data_blob_free(&session_key_krb5);
+	cli->vuid = 0;
+	return ADS_ERROR_NT(nt_status);
 }
 #endif	/* HAVE_KRB5 */
 
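Review bot: When `cli_simple_set_signing()` returns false, the `if (res)` block is skipped and the function returns `ADS_ERROR_NT(NT_STATUS_OK)` without checking any MAC on the session setup response. Nothing in the code says whether that is intended. The hunk does not show whether a connection that requires signing is rejected elsewhere, so at minimum document the skipped branch with something like `/* signing engine not started (not negotiated or already active): reply is accepted unverified */`, and log it at a DEBUG level so an unsigned session is visible in traces. Separately, `cli_set_session_key(cli, session_key_krb5)` runs before the MAC check, so on the `NT_STATUS_ACCESS_DENIED` path `nt_error` resets `cli->vuid` but appears to leave the krb5 session key installed in `cli`. If the signing calls do not depend on it, consider moving that call after the check. The function begins outside this hunk.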


-- 
Samba Shared Repository

