2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell <tridge@samba.org> 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/raw/libcliraw.h"
24 #include "libcli/smb2/smb2.h"
25 #include "libcli/smb2/smb2_calls.h"
27 #include <gnutls/gnutls.h>
28 #include <gnutls/crypto.h>
29 #include "lib/crypto/gnutls_helpers.h"
32 sign an outgoing message
34 NTSTATUS
smb2_sign_message(struct smb2_request_buffer
*buf
, DATA_BLOB session_key
)
36 uint8_t digest
[gnutls_hash_get_len(GNUTLS_MAC_SHA256
)];
41 if (buf
->size
< NBT_HDR_SIZE
+ SMB2_HDR_SIGNATURE
+ 16) {
42 /* can't sign non-SMB2 messages */
46 hdr_offset
= buf
->hdr
- buf
->buffer
;
48 session_id
= BVAL(buf
->hdr
, SMB2_HDR_SESSION_ID
);
49 if (session_id
== 0) {
50 /* we don't sign messages with a zero session_id. See
55 if (session_key
.length
== 0) {
56 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
57 (unsigned)session_key
.length
));
58 return NT_STATUS_ACCESS_DENIED
;
61 memset(buf
->hdr
+ SMB2_HDR_SIGNATURE
, 0, 16);
63 SIVAL(buf
->hdr
, SMB2_HDR_FLAGS
, IVAL(buf
->hdr
, SMB2_HDR_FLAGS
) | SMB2_HDR_FLAG_SIGNED
);
65 rc
= gnutls_hmac_fast(GNUTLS_MAC_SHA256
,
67 MIN(session_key
.length
, 16),
69 buf
->size
- hdr_offset
,
72 return gnutls_error_to_ntstatus(rc
, NT_STATUS_HMAC_NOT_SUPPORTED
);
75 DEBUG(5,("signed SMB2 message of size %u\n", (unsigned)buf
->size
- NBT_HDR_SIZE
));
77 memcpy(buf
->hdr
+ SMB2_HDR_SIGNATURE
, digest
, 16);
83 check an incoming signature
85 NTSTATUS
smb2_check_signature(struct smb2_request_buffer
*buf
, DATA_BLOB session_key
)
88 uint8_t digest
[gnutls_hash_get_len(GNUTLS_MAC_SHA256
)];
93 if (buf
->size
< NBT_HDR_SIZE
+ SMB2_HDR_SIGNATURE
+ 16) {
94 /* can't check non-SMB2 messages */
98 hdr_offset
= buf
->hdr
- buf
->buffer
;
100 session_id
= BVAL(buf
->hdr
, SMB2_HDR_SESSION_ID
);
101 if (session_id
== 0) {
102 /* don't sign messages with a zero session_id. See
107 if (session_key
.length
== 0) {
108 /* we don't have the session key yet */
112 memcpy(sig
, buf
->hdr
+SMB2_HDR_SIGNATURE
, 16);
114 memset(buf
->hdr
+ SMB2_HDR_SIGNATURE
, 0, 16);
116 rc
= gnutls_hmac_fast(GNUTLS_MAC_SHA256
,
118 MIN(session_key
.length
, 16),
120 buf
->size
- hdr_offset
,
123 return gnutls_error_to_ntstatus(rc
, NT_STATUS_HMAC_NOT_SUPPORTED
);
126 memcpy(buf
->hdr
+ SMB2_HDR_SIGNATURE
, digest
, 16);
128 if (memcmp_const_time(digest
, sig
, 16) != 0) {
129 DEBUG(0,("Bad SMB2 signature for message of size %u\n",
130 (unsigned)buf
->size
-NBT_HDR_SIZE
));
131 dump_data(0, sig
, 16);
132 dump_data(0, digest
, 16);
134 return NT_STATUS_ACCESS_DENIED
;