source: trunk/server/source3/smbd/smb2_signing.c@ 845

/*
   Unix SMB/CIFS implementation.
   SMB2 signing

   Copyright (C) Stefan Metzmacher 2009

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "smbd/smbd.h"
#include "smbd/globals.h"
#include "../libcli/smb/smb_common.h"
#include "../lib/crypto/crypto.h"

NTSTATUS smb2_signing_sign_pdu(DATA_BLOB session_key,
                               struct iovec *vector,
                               int count)
{
        uint8_t *hdr;
        uint64_t session_id;
        struct HMACSHA256Context m;
        uint8_t res[SHA256_DIGEST_LENGTH];
        int i;

        if (count < 2) {
                return NT_STATUS_INVALID_PARAMETER;
        }

        if (vector[0].iov_len != SMB2_HDR_BODY) {
                return NT_STATUS_INVALID_PARAMETER;
        }

        hdr = (uint8_t *)vector[0].iov_base;

        session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
        if (session_id == 0) {
                /*
                 * do not sign messages with a zero session_id.
                 * See MS-SMB2 3.2.4.1.1
                 */
                return NT_STATUS_OK;
        }

        if (session_key.length == 0) {
                DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
                         (unsigned)session_key.length));
                return NT_STATUS_ACCESS_DENIED;
        }

        memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);

        SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);

        ZERO_STRUCT(m);
        hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m);
        for (i=0; i < count; i++) {
                hmac_sha256_update((const uint8_t *)vector[i].iov_base,
                                   vector[i].iov_len, &m);
        }
        hmac_sha256_final(res, &m);
        DEBUG(5,("signed SMB2 message\n"));

        memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);

        return NT_STATUS_OK;
}

NTSTATUS smb2_signing_check_pdu(DATA_BLOB session_key,
                                const struct iovec *vector,
                                int count)
{
        const uint8_t *hdr;
        const uint8_t *sig;
        uint64_t session_id;
        struct HMACSHA256Context m;
        uint8_t res[SHA256_DIGEST_LENGTH];
        static const uint8_t zero_sig[16] = { 0, };
        int i;

        if (count < 2) {