From f5afaafd61dc7bd191225ffa8eee184125dd97c3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 27 Dec 2003 10:11:26 +0000
Subject: [PATCH] Preliminary fix for our signing problem with failed NTLMSSP logins. This patch solves the problem for me here, I can still successfully set up signing using NTLMSSP against w2k3 and it does not show a signing error anymoe when the password was wrong. Jeremy, you might want to take a further look at it as this is not particularly elegant. Volker
---
 source/libsmb/cliconnect.c | 22 +++++++++++++++-------
 source/libsmb/smb_signing.c | 6 ++++--
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 6e95944f92c..2aeac7273e2 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -325,7 +325,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 session_key = data_blob(NULL, 16);
 SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 }
- cli_simple_set_signing(cli, session_key, nt_response);
+ cli_simple_set_signing(cli, session_key, nt_response, 0);
 } else {
 /* pre-encrypted password supplied. Only used for security=server, can't do
@@ -518,7 +518,7 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr
 file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
 #endif
- cli_simple_set_signing(cli, session_key_krb5, null_blob);
+ cli_simple_set_signing(cli, session_key_krb5, null_blob, 0);
 blob2 = cli_session_setup_blob(cli, negTokenTarg);
@@ -575,7 +575,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
 blob_in, &blob_out);
 data_blob_free(&blob_in);
 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- DATA_BLOB null_blob = data_blob(NULL, 0);
 if (turn == 1) {
 /* and wrap it in a SPNEGO wrapper */
 msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out);
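Review bot: The BOOL result of `cli_simple_set_signing(cli, session_key, nt_response, 0);` in cli_session_setup_nt1 is discarded, and the same holds for the Kerberos call in the @@ -518 hunk and the new NTLMSSP call in the @@ -637 hunk. The function body is not visible here, but if it can return False when the signing context was not set up, the session setup continues without the caller noticing that signing was never armed. Consider testing the result at each site, e.g. `if (!cli_simple_set_signing(cli, session_key, nt_response, 0)) DEBUG(3, ("SMB signing was not set up\n"));`, and deciding there whether an unsigned session is acceptable. Both enclosing functions start and end outside their hunks.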
@@ -584,10 +583,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
 msg1 = spnego_gen_auth(blob_out);
 }
- cli_simple_set_signing(cli,
- data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length),
- null_blob);
-
 /* now send that blob on its way */
 if (!cli_session_setup_blob_send(cli, msg1)) {
 DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n"));
@@ -637,8 +632,21 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
 } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
 if (NT_STATUS_IS_OK(nt_status)) {
+
+ DATA_BLOB key = data_blob(ntlmssp_state->session_key.data,
+ ntlmssp_state->session_key.length);
+ DATA_BLOB null_blob = data_blob(NULL, 0);
+
 fstrcpy(cli->server_domain, ntlmssp_state->server_domain);
 cli_set_session_key(cli, ntlmssp_state->session_key);
+
+ /* Using NTLMSSP session setup, signing on the net only starts
+ * after a successful authentication and the session key has
+ * been determined, but with a sequence number of 2. This
+ * assumes that NTLMSSP needs exactly 2 roundtrips, for any
+ * other SPNEGO mechanism it needs adapting. */
+
+ cli_simple_set_signing(cli, key, null_blob, 2);
 }
 /* we have a reference conter on ntlmssp_state, if we are signing
diff --git a/source/libsmb/smb_signing.c b/source/libsmb/smb_signing.c
index 6b2abb9ccc8..8a056f659fb 100644
--- a/source/libsmb/smb_signing.c
+++ b/source/libsmb/smb_signing.c
@@ -405,7 +405,9 @@ static void simple_free_signing_context(struct smb_sign_info *si)
 SMB signing - Simple implementation - setup the MAC key.
 ************************************************************/
-BOOL cli_simple_set_signing(struct cli_state *cli, const DATA_BLOB user_session_key, const DATA_BLOB response)
+BOOL cli_simple_set_signing(struct cli_state *cli,
+ const DATA_BLOB user_session_key,
+ const DATA_BLOB response, int initial_send_seq_num)
 {
 struct smb_basic_signing_context *data;
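Review bot: `key` in the success branch of cli_session_setup_ntlmssp is a fresh copy of the NTLMSSP session key made with `data_blob(...)`, and nothing in the hunk releases it after `cli_simple_set_signing(cli, key, null_blob, 2);`. The callee takes its blobs as `const DATA_BLOB` by value and the @@ -443 hunk refers to a separate `data->mac_key`, which suggests it does not take ownership, so the copy would stay on the heap with key material in it. Add `data_blob_free(&key);` directly after the call, assuming the callee copies the bytes it needs. The function body continues outside the hunk.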
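Review bot: The new `int initial_send_seq_num` parameter is undocumented and unchecked: the banner above cli_simple_set_signing still only says "setup the MAC key", and the @@ -443 hunk stores the argument in `data->send_seq_num` as is. A negative argument would be accepted, and if `send_seq_num` is an unsigned field (its declaration is not visible here) it would silently become a very large sequence number. Extend the banner with a line such as `initial_send_seq_num: first sequence number to sign with; 0 for NT1 and Kerberos, 2 after a two-roundtrip NTLMSSP exchange`, and consider declaring the parameter with the same type as the field. The function body runs past the end of this hunk.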
@@ -443,7 +445,7 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const DATA_BLOB user_session_
 dump_data_pw("MAC ssession key is:\n", data->mac_key.data, data->mac_key.length);
 /* Initialise the sequence number */
- data->send_seq_num = 0;
+ data->send_seq_num = initial_send_seq_num;
 /* Initialise the list of outstanding packets */
 data->outstanding_packet_list = NULL;
--
2.11.4.GIT