libcli/smb: only check the SMB2 session setup signature if required and valid
authorStefan Metzmacher <metze@samba.org>
Wed, 18 Sep 2013 00:24:30 +0000 (02:24 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 18 Sep 2013 02:46:00 +0000 (04:46 +0200)
This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804
that skips the scary debug messages.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104

libcli/smb/smbXcli_base.c

index f59f1f7ad288b3c06ed6fa92fb8a9579c58406b2..27ac2a8f58d98f5d01e4bcc33dae86a416943365 100644 (file)
@@ -4742,12 +4742,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
        struct smbXcli_conn *conn = session->conn;
        uint16_t no_sign_flags;
        uint8_t session_key[16];
+       bool check_signature = true;
+       uint32_t hdr_flags;
        NTSTATUS status;
 
        if (conn == NULL) {
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
 
+       if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
        no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
 
        if (session->smb2->session_flags & no_sign_flags) {
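Review bot: The new `recv_iov[0].iov_len != SMB2_HDR_BODY` check has no comment, and its purpose only becomes clear in the later hunk, where `IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS)` reads the header flags out of that buffer. I would add `/* recv_iov[0] must hold a complete SMB2 header; hdr_flags is read from it below */` above the check so it is not later moved or removed as redundant. The `= true` initializer on `check_signature` appears to be overwritten by `check_signature = conn->mandatory_signing;` before any use in the visible lines, so either drop it or mark it as a deliberate fail-safe default. The function body starts before this hunk and continues past it.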
@@ -4839,18 +4845,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
-                                       session->conn->protocol,
-                                       recv_iov, 3);
-       if (!NT_STATUS_IS_OK(status)) {
+       check_signature = conn->mandatory_signing;
+
+       hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
+       if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
                /*
                 * Sadly some vendors don't sign the
                 * final SMB2 session setup response
                 *
                 * At least Windows and Samba are always doing this
                 * if there's a session key available.
+                *
+                * We only check the signature if it's mandatory
+                * or SMB2_HDR_FLAG_SIGNED is provided.
                 */
-               if (conn->mandatory_signing) {
+               check_signature = true;
+       }
+
+       if (check_signature) {
+               status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
+                                               session->conn->protocol,
+                                               recv_iov, 3);
+               if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
        }
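Review bot: `SMB2_HDR_FLAG_SIGNED` is read from the response header before anything has authenticated that header, so when `conn->mandatory_signing` is false a final session setup response without the flag is accepted with no signature check. That looks like the intended interoperability trade-off, but the comment should say so, since only mandatory signing then protects this response against modification in transit. For example, extend the comment with `* Note: the flag itself is unauthenticated; without mandatory_signing an unsigned response is accepted unchecked.` The existing "Sadly some vendors don't sign" text also now sits inside the branch taken when the response is signed, which reads backwards; placing it above `check_signature = conn->mandatory_signing;` would match the logic. The enclosing function starts outside this hunk.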