Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsg upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-05 17:47:29 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-05 17:47:29 +0000
commit: 4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree: 8ce7b00f7a76baa386372422adebbe64510812d4 /source4/smb_server/smb/signing.c
parent: Initial commit. (diff)
download: samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
1 files changed, 147 insertions, 0 deletions
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
new file mode 100644
index 0000000..3fe7cff
--- /dev/null
+++ b/source4/smb_server/smb/signing.c
@@ -0,0 +1,147 @@
+/* 
+   Unix SMB/CIFS implementation.
+   
+   Copyright (C) Andrew Tridgell              2004
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_server/smb_server.h"
+#include "libcli/raw/libcliraw.h"
+#include "libcli/raw/raw_proto.h"
+#include "param/param.h"
+
+
+/*
+  sign an outgoing packet
+*/
+void smbsrv_sign_packet(struct smbsrv_request *req)
+{
+#if 0
+	/* enable this when packet signing is preventing you working out why valgrind 
+	   says that data is uninitialised */
+	file_save("pkt.dat", req->out.buffer, req->out.size);
+#endif
+
+	switch (req->smb_conn->signing.signing_state) {
+	case SMB_SIGNING_ENGINE_OFF:
+		break;
+
+	case SMB_SIGNING_ENGINE_BSRSPYL:
+		/* mark the packet as signed - BEFORE we sign it...*/
+		mark_packet_signed(&req->out);
+		
+		/* I wonder what BSRSPYL stands for - but this is what MS 
+		   actually sends! */
+		memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8);
+		break;
+
+	case SMB_SIGNING_ENGINE_ON:
+			
+		sign_outgoing_message(&req->out, 
+				      &req->smb_conn->signing.mac_key, 
+				      req->seq_num+1);
+		break;
+	}
+	return;
+}
+
+
+
+/*
+  setup the signing key for a connection. Called after authentication succeeds
+  in a session setup
+*/
+bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn,
+			  DATA_BLOB *session_key,
+			  DATA_BLOB *response)
+{
+	if (!set_smb_signing_common(&smb_conn->signing)) {
+		return false;
+	}
+	return smbcli_simple_set_signing(smb_conn,
+					 &smb_conn->signing, session_key, response);
+}
+
+bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
+{
+	smb_conn->signing.mac_key = data_blob(NULL, 0);
+	if (!smbcli_set_signing_off(&smb_conn->signing)) {
+		return false;
+	}
+
+	smb_conn->signing.allow_smb_signing
+		= lpcfg_server_signing_allowed(smb_conn->lp_ctx,
+					       &smb_conn->signing.mandatory_signing);
+	return true;
+}
+
+/*
+  allocate a sequence number to a request
+*/
+static void req_signing_alloc_seq_num(struct smbsrv_request *req)
+{
+	req->seq_num = req->smb_conn->signing.next_seq_num;
+
+	if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
+		req->smb_conn->signing.next_seq_num += 2;
+	}
+}
+
+/*
+  called for requests that do not produce a reply of their own
+*/
+void smbsrv_signing_no_reply(struct smbsrv_request *req)
+{
+	if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
+		req->smb_conn->signing.next_seq_num--;
+	}
+}
+
+/***********************************************************
+ SMB signing - Simple implementation - check a MAC sent by client
+************************************************************/
+/**
+ * Check a packet supplied by the server.
+ * @return false if we had an established signing connection
+ *         which had a back checksum, true otherwise
+ */
+bool smbsrv_signing_check_incoming(struct smbsrv_request *req)
+{
+	bool good;
+
+	req_signing_alloc_seq_num(req);
+
+	switch (req->smb_conn->signing.signing_state) 
+	{
+	case SMB_SIGNING_ENGINE_OFF:
+		return true;
+	case SMB_SIGNING_ENGINE_BSRSPYL:
+	case SMB_SIGNING_ENGINE_ON:
+	{			
+		if (req->in.size < (HDR_SS_FIELD + 8)) {
+			return false;
+		} else {
+			good = check_signed_incoming_message(&req->in, 
+							     &req->smb_conn->signing.mac_key, 
+							     req->seq_num);
+			
+			return signing_good(&req->smb_conn->signing, 
+					    req->seq_num+1, good);
+		}
+	}
+	}
+	return false;
+}
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-05 17:47:29 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-05 17:47:29 +0000
commit	4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree	8ce7b00f7a76baa386372422adebbe64510812d4 /source4/smb_server/smb/signing.c
parent	Initial commit. (diff)
download	samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip