/*
Unix SMB/CIFS implementation.
- SMB Signing Code
+ SMB Signing Common Code
Copyright (C) Jeremy Allison 2002.
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
Copyright (C) James J Myers <myersjj@samba.org> 2003
+ Copyright (C) Stefan Metzmacher <metze@samba.org> 2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "lib/crypto/crypto.h"
#include "param/param.h"
-/***********************************************************
- SMB signing - Common code before we set a new signing implementation
-************************************************************/
-bool set_smb_signing_common(struct smb_signing_context *sign_info)
+void smb_signing_init_context(struct smb_signing_context *sign_ctx,
+ enum smb_signing_state state)
+{
+ sign_ctx->engine_state = SMB_SIGNING_ENGINE_OFF;
+ sign_ctx->mac_key = data_blob(NULL, 0);
+ sign_ctx->next_seq_num = 0;
+ sign_ctx->doing_signing = false;
+
+ switch (state) {
+ case SMB_SIGNING_OFF:
+ sign_ctx->allow_signing = false;
+ sign_ctx->require_signing = false;
+ break;
+
+ case SMB_SIGNING_SUPPORTED:
+ sign_ctx->allow_signing = true;
+ sign_ctx->require_signing = false;
+ break;
+
+ case SMB_SIGNING_REQUIRED:
+ case SMB_SIGNING_AUTO:
+ default:
+ /*
+ * it's the callers task to map 'auto'
+ * if wanted, but here we choose the most secure
+ * option as default
+ */
+ sign_ctx->allow_signing = true;
+ sign_ctx->require_signing = true;
+ break;
+ }
+}
+
+bool smb_signing_allow_state_change(struct smb_signing_context *sign_info)
{
if (sign_info->doing_signing) {
DEBUG(5, ("SMB Signing already in progress, so we don't start it again\n"));
return false;
}
- if (!sign_info->allow_smb_signing) {
+ if (!sign_info->allow_signing) {
DEBUG(5, ("SMB Signing has been locally disabled\n"));
return false;
}
return true;
}
-/***********************************************************
- SMB signing - Common code before we set a new signing implementation
-************************************************************/
-static bool smbcli_set_smb_signing_common(struct smbcli_transport *transport)
+void smb_signing_set_bsrspyl(struct smb_signing_context *sign_info)
{
- if (!set_smb_signing_common(&transport->negotiate.sign_info)) {
- return false;
+ DEBUG(5,("BSRSPYL SMB signing enabled\n"));
+
+ sign_info->engine_state = SMB_SIGNING_ENGINE_BSRSPYL;
+}
+
+bool smb_signing_set_mac_key(TALLOC_CTX *mem_ctx,
+ struct smb_signing_context *sign_info,
+ const DATA_BLOB *user_session_key,
+ const DATA_BLOB *response)
+{
+ if (sign_info->require_signing) {
+ DEBUG(5, ("Mandatory SMB signing enabled!\n"));
}
- if (!(transport->negotiate.sec_mode &
- (NEGOTIATE_SECURITY_SIGNATURES_REQUIRED|NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) {
- DEBUG(5, ("SMB Signing is not negotiated by the peer\n"));
- return false;
+ DEBUG(5, ("SMB signing enabled!\n"));
+
+ if (response && response->length) {
+ sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, response->length + user_session_key->length);
+ } else {
+ sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, user_session_key->length);
}
- /* These calls are INCOMPATIBLE with SMB signing */
- transport->negotiate.readbraw_supported = false;
- transport->negotiate.writebraw_supported = false;
+ memcpy(&sign_info->mac_key.data[0], user_session_key->data, user_session_key->length);
+
+ if (response && response->length) {
+ memcpy(&sign_info->mac_key.data[user_session_key->length],response->data, response->length);
+ }
+
+ dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length);
+
+ sign_info->engine_state = SMB_SIGNING_ENGINE_ON;
return true;
}
-void mark_packet_signed(struct smb_request_buffer *out)
+uint32_t smb_signing_next_seq_num(struct smb_signing_context *sign_info,
+ bool single_increment)
+{
+ uint32_t seq_num;
+
+ seq_num = sign_info->next_seq_num;
+
+ switch (sign_info->engine_state) {
+ case SMB_SIGNING_ENGINE_OFF:
+ break;
+
+ case SMB_SIGNING_ENGINE_BSRSPYL:
+ break;
+
+ case SMB_SIGNING_ENGINE_ON:
+ /*
+ * some requests (eg. NTcancel) are one way, and the sequence number
+ * should be increased by 1 not 2
+ */
+ if (single_increment) {
+ sign_info->next_seq_num += 1;
+ } else {
+ sign_info->next_seq_num += 2;
+ }
+ break;
+ }
+
+ return seq_num;
+}
+
+static void mark_packet_signed(struct smb_request_buffer *out)
{
uint16_t flags2;
flags2 = SVAL(out->hdr, HDR_FLG2);
SSVAL(out->hdr, HDR_FLG2, flags2);
}
-bool signing_good(struct smb_signing_context *sign_info,
- unsigned int seq, bool good)
+void smb_signing_create_signature(struct smb_signing_context *sign_info,
+ struct smb_request_buffer *buf,
+ uint32_t seq_num,
+ const struct smb_request_buffer *peer_buf)
{
- if (good) {
- if (!sign_info->doing_signing) {
- DEBUG(5, ("Seen valid packet, so turning signing on\n"));
- sign_info->doing_signing = true;
- }
- if (!sign_info->seen_valid) {
- DEBUG(5, ("Seen valid packet, so marking signing as 'seen valid'\n"));
- sign_info->seen_valid = true;
- }
- } else {
- if (!sign_info->seen_valid) {
- /* If we have never seen a good packet, just turn it off */
- DEBUG(5, ("signing_good: signing negotiated but not required and peer\n"
- "isn't sending correct signatures. Turning off.\n"));
- smbcli_set_signing_off(sign_info);
- return true;
+ const uint8_t *signature;
+ uint8_t calc_md5_mac[16];
+ struct MD5Context md5_ctx;
+
+#if 0
+ /* enable this when packet signing is preventing you working out why valgrind
+ says that data is uninitialised */
+ file_save("pkt.dat", buf->buffer, buf->size);
+#endif
+
+ if (buf->size < (NBT_HDR_SIZE + HDR_SS_FIELD + 8)) {
+ return;
+ }
+
+ switch (sign_info->engine_state) {
+ case SMB_SIGNING_ENGINE_OFF:
+ break;
+
+ case SMB_SIGNING_ENGINE_BSRSPYL:
+ if (peer_buf && peer_buf->size >= (NBT_HDR_SIZE + HDR_SS_FIELD + 8)) {
+ /* as server we just echo the signature from the client */
+ signature = buf->hdr + HDR_SS_FIELD;
} else {
- /* bad packet after signing started - fail and disconnect. */
- DEBUG(0, ("signing_good: BAD SIG: seq %u\n", seq));
- return false;
+ /*
+ * I wonder what BSRSPYL stands for - but this is what MS
+ * actually sends!
+ */
+ signature = (const uint8_t *)"BSRSPYL ";
}
- }
- return true;
-}
-void sign_outgoing_message(struct smb_request_buffer *out, DATA_BLOB *mac_key, unsigned int seq_num)
-{
- uint8_t calc_md5_mac[16];
- struct MD5Context md5_ctx;
+ mark_packet_signed(buf);
+
+ memcpy(buf->hdr + HDR_SS_FIELD, signature, 8);
+ break;
- /*
- * Firstly put the sequence number into the first 4 bytes.
- * and zero out the next 4 bytes.
- */
- SIVAL(out->hdr, HDR_SS_FIELD, seq_num);
- SIVAL(out->hdr, HDR_SS_FIELD + 4, 0);
-
- /* mark the packet as signed - BEFORE we sign it...*/
- mark_packet_signed(out);
-
- /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, mac_key->data, mac_key->length);
- MD5Update(&md5_ctx,
- out->buffer + NBT_HDR_SIZE,
- out->size - NBT_HDR_SIZE);
- MD5Final(calc_md5_mac, &md5_ctx);
-
- memcpy(&out->hdr[HDR_SS_FIELD], calc_md5_mac, 8);
-
- DEBUG(5, ("sign_outgoing_message: SENT SIG (seq: %d): sent SMB signature of\n",
- seq_num));
- dump_data(5, calc_md5_mac, 8);
-/* req->out.hdr[HDR_SS_FIELD+2]=0;
- Uncomment this to test if the remote server actually verifies signitures...*/
+ case SMB_SIGNING_ENGINE_ON:
+ /*
+ * Firstly put the sequence number into the first 4 bytes.
+ * and zero out the next 4 bytes.
+ */
+ SIVAL(buf->hdr, HDR_SS_FIELD, seq_num);
+ SIVAL(buf->hdr, HDR_SS_FIELD + 4, 0);
+
+ /* mark the packet as signed - BEFORE we sign it...*/
+ mark_packet_signed(buf);
+
+ /* Calculate the 16 byte MAC and place first 8 bytes into the field. */
+ MD5Init(&md5_ctx);
+ MD5Update(&md5_ctx, sign_info->mac_key.data, sign_info->mac_key.length);
+ MD5Update(&md5_ctx,
+ buf->buffer + NBT_HDR_SIZE,
+ buf->size - NBT_HDR_SIZE);
+ MD5Final(calc_md5_mac, &md5_ctx);
+
+ memcpy(buf->hdr + HDR_SS_FIELD, calc_md5_mac, 8);
+
+ DEBUG(5,("smb_signing_create_signature: SENT SIG (seq: %u): sent SMB signature of\n",
+ seq_num));
+ dump_data(5, calc_md5_mac, 8);
+
+ /*
+ * Uncomment this to test if the remote server actually verifies signitures...
+ */
+ /*req->out.hdr[HDR_SS_FIELD+2]=0;*/
+ break;
+ }
+ return;
}
-bool check_signed_incoming_message(struct smb_request_buffer *in, DATA_BLOB *mac_key, uint_t seq_num)
+static bool check_signed_incoming_message(const struct smb_request_buffer *in,
+ DATA_BLOB *mac_key,
+ uint32_t seq_num)
{
bool good;
uint8_t calc_md5_mac[16];
return good;
}
-static void smbcli_req_allocate_seq_num(struct smbcli_request *req)
+static bool signing_good(struct smb_signing_context *sign_info,
+ unsigned int seq, bool good)
{
- req->seq_num = req->transport->negotiate.sign_info.next_seq_num;
-
- /* some requests (eg. NTcancel) are one way, and the sequence number
- should be increased by 1 not 2 */
- if (req->sign_single_increment) {
- req->transport->negotiate.sign_info.next_seq_num += 1;
+ if (good) {
+ if (!sign_info->doing_signing) {
+ DEBUG(5, ("Seen valid packet, so turning signing on\n"));
+ sign_info->doing_signing = true;
+ }
} else {
- req->transport->negotiate.sign_info.next_seq_num += 2;
- }
-}
-
-/***********************************************************
- SMB signing - Simple implementation - calculate a MAC to send.
-************************************************************/
-void smbcli_request_calculate_sign_mac(struct smbcli_request *req)
-{
- const uint8_t *signature;
-#if 0
- /* enable this when packet signing is preventing you working out why valgrind
- says that data is uninitialised */
- file_save("pkt.dat", req->out.buffer, req->out.size);
-#endif
-
- switch (req->transport->negotiate.sign_info.signing_state) {
- case SMB_SIGNING_ENGINE_OFF:
- break;
-
- case SMB_SIGNING_ENGINE_BSRSPYL:
- if (req->in.size >= (HDR_SS_FIELD + 8) && req->in.hdr) {
- /* as server we just echo the signature from the client */
- signature = req->in.hdr + HDR_SS_FIELD;
+ if (!sign_info->doing_signing && !sign_info->require_signing) {
+ /* If we have never seen a good packet, just turn it off */
+ DEBUG(5, ("signing_good: signing negotiated but not required and peer\n"
+ "isn't sending correct signatures. Turning off.\n"));
+ sign_info->engine_state = SMB_SIGNING_ENGINE_OFF;
+ data_blob_free(&sign_info->mac_key);
+ return true;
} else {
- /*
- * I wonder what BSRSPYL stands for - but this is what MS
- * actually sends!
- */
- signature = (const uint8_t *)"BSRSPYL ";
+ /* bad packet after signing started - fail and disconnect. */
+ DEBUG(0, ("signing_good: BAD SIG: seq %u\n", seq));
+ return false;
}
-
- /* mark the packet as signed - BEFORE we sign it...*/
- mark_packet_signed(&req->out);
-
- memcpy((req->out.hdr + HDR_SS_FIELD), signature, 8);
- break;
-
- case SMB_SIGNING_ENGINE_ON:
-
- smbcli_req_allocate_seq_num(req);
- sign_outgoing_message(&req->out,
- &req->transport->negotiate.sign_info.mac_key,
- req->seq_num);
- break;
}
- return;
-}
-
-
-/**
- SMB signing - NULL implementation
-
- @note Used as an initialisation only - it will not correctly
- shut down a real signing mechanism
-*/
-bool smbcli_set_signing_off(struct smb_signing_context *sign_info)
-{
- DEBUG(5, ("Shutdown SMB signing\n"));
- sign_info->doing_signing = false;
- data_blob_free(&sign_info->mac_key);
- sign_info->signing_state = SMB_SIGNING_ENGINE_OFF;
- return true;
-}
-
-/**
- SMB signing - TEMP implementation - setup the MAC key.
-
-*/
-bool smbcli_temp_set_signing(struct smbcli_transport *transport)
-{
- if (!smbcli_set_smb_signing_common(transport)) {
- return false;
- }
- DEBUG(5, ("BSRSPYL SMB signing enabled\n"));
- smbcli_set_signing_off(&transport->negotiate.sign_info);
-
- transport->negotiate.sign_info.mac_key = data_blob(NULL, 0);
- transport->negotiate.sign_info.signing_state = SMB_SIGNING_ENGINE_BSRSPYL;
-
return true;
}
-/***********************************************************
- SMB signing - Simple implementation - check a MAC sent by server.
-************************************************************/
-/**
- * Check a packet supplied by the server.
- * @return false if we had an established signing connection
- * which had a back checksum, true otherwise
- */
-bool smbcli_request_check_sign_mac(struct smbcli_request *req)
+bool smb_signing_check_signature(struct smb_signing_context *sign_info,
+ const struct smb_request_buffer *buf,
+ uint32_t seq_num)
{
bool good;
- if (!req->transport->negotiate.sign_info.doing_signing &&
- req->sign_caller_checks) {
- return true;
- }
-
- req->sign_caller_checks = false;
-
- switch (req->transport->negotiate.sign_info.signing_state)
- {
+ switch (sign_info->engine_state) {
case SMB_SIGNING_ENGINE_OFF:
return true;
- case SMB_SIGNING_ENGINE_BSRSPYL:
- if (req->in.size < (HDR_SS_FIELD + 8)) {
- return false;
- }
- good = check_signed_incoming_message(&req->in,
- &req->transport->negotiate.sign_info.mac_key,
- req->seq_num+1);
+ case SMB_SIGNING_ENGINE_BSRSPYL:
+ good = check_signed_incoming_message(buf, &sign_info->mac_key, seq_num);
if (good) {
- return signing_good(&req->transport->negotiate.sign_info,
- req->seq_num+1, good);
+ return signing_good(sign_info, seq_num, good);
}
/*
* It's not an error if the signature isn't valid.
return true;
case SMB_SIGNING_ENGINE_ON:
- if (req->in.size < (HDR_SS_FIELD + 8)) {
- return false;
- }
-
- good = check_signed_incoming_message(&req->in,
- &req->transport->negotiate.sign_info.mac_key,
- req->seq_num+1);
-
- return signing_good(&req->transport->negotiate.sign_info,
- req->seq_num+1, good);
- }
- return false;
-}
-
-
-/***********************************************************
- SMB signing - Simple implementation - setup the MAC key.
-************************************************************/
-bool smbcli_simple_set_signing(TALLOC_CTX *mem_ctx,
- struct smb_signing_context *sign_info,
- const DATA_BLOB *user_session_key,
- const DATA_BLOB *response)
-{
- if (sign_info->mandatory_signing) {
- DEBUG(5, ("Mandatory SMB signing enabled!\n"));
- }
-
- DEBUG(5, ("SMB signing enabled!\n"));
-
- if (response && response->length) {
- sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, response->length + user_session_key->length);
- } else {
- sign_info->mac_key = data_blob_talloc(mem_ctx, NULL, user_session_key->length);
- }
-
- memcpy(&sign_info->mac_key.data[0], user_session_key->data, user_session_key->length);
-
- if (response && response->length) {
- memcpy(&sign_info->mac_key.data[user_session_key->length],response->data, response->length);
+ good = check_signed_incoming_message(buf, &sign_info->mac_key, seq_num);
+ return signing_good(sign_info, seq_num, good);
}
- dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length);
-
- sign_info->signing_state = SMB_SIGNING_ENGINE_ON;
-
- return true;
-}
-
-
-/***********************************************************
- SMB signing - Simple implementation - setup the MAC key.
-************************************************************/
-bool smbcli_transport_simple_set_signing(struct smbcli_transport *transport,
- const DATA_BLOB user_session_key,
- const DATA_BLOB response)
-{
- if (!smbcli_set_smb_signing_common(transport)) {
- return false;
- }
-
- return smbcli_simple_set_signing(transport,
- &transport->negotiate.sign_info,
- &user_session_key,
- &response);
-}
-
-
-bool smbcli_init_signing(struct smbcli_transport *transport)
-{
- transport->negotiate.sign_info.next_seq_num = 0;
- transport->negotiate.sign_info.mac_key = data_blob(NULL, 0);
- if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) {
- return false;
- }
-
- switch (transport->options.signing) {
- case SMB_SIGNING_OFF:
- transport->negotiate.sign_info.allow_smb_signing = false;
- break;
- case SMB_SIGNING_SUPPORTED:
- case SMB_SIGNING_AUTO:
- transport->negotiate.sign_info.allow_smb_signing = true;
- break;
- case SMB_SIGNING_REQUIRED:
- transport->negotiate.sign_info.allow_smb_signing = true;
- transport->negotiate.sign_info.mandatory_signing = true;
- break;
- }
- return true;
+ return false;
}
*/
void smbsrv_sign_packet(struct smbsrv_request *req)
{
-#if 0
- /* enable this when packet signing is preventing you working out why valgrind
- says that data is uninitialised */
- file_save("pkt.dat", req->out.buffer, req->out.size);
-#endif
-
- switch (req->smb_conn->signing.signing_state) {
- case SMB_SIGNING_ENGINE_OFF:
- break;
-
- case SMB_SIGNING_ENGINE_BSRSPYL:
- /* mark the packet as signed - BEFORE we sign it...*/
- mark_packet_signed(&req->out);
-
- /* I wonder what BSRSPYL stands for - but this is what MS
- actually sends! */
- memcpy((req->out.hdr + HDR_SS_FIELD), "BSRSPYL ", 8);
- break;
-
- case SMB_SIGNING_ENGINE_ON:
-
- sign_outgoing_message(&req->out,
- &req->smb_conn->signing.mac_key,
- req->seq_num+1);
- break;
- }
- return;
+ smb_signing_create_signature(&req->smb_conn->signing,
+ &req->out, req->seq_num+1, &req->in);
}
-
-
/*
setup the signing key for a connection. Called after authentication succeeds
in a session setup
DATA_BLOB *session_key,
DATA_BLOB *response)
{
- if (!set_smb_signing_common(&smb_conn->signing)) {
+ if (!smb_signing_allow_state_change(&smb_conn->signing)) {
return false;
}
- return smbcli_simple_set_signing(smb_conn,
- &smb_conn->signing, session_key, response);
+ return smb_signing_set_mac_key(smb_conn, &smb_conn->signing,
+ session_key, response);
}
void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
DATA_BLOB *response,
bool authenticated_session)
{
- if (!smb_conn->signing.seen_valid) {
- DEBUG(5, ("Client did not send a valid signature on "
- "SPNEGO session setup - ignored, expect good next time\n"));
- /* force things back on (most clients do not sign this packet)... */
- smbsrv_setup_signing(smb_conn, session_key, response);
- smb_conn->signing.next_seq_num = 2;
+ bool ok;
- /* If mandetory_signing is set, and this was an authenticated logon, then force on */
- if (smb_conn->signing.mandatory_signing && authenticated_session) {
- DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
- /* if this is mandatory, then
- * pretend we have seen a
- * valid packet, so we don't
- * turn it off */
- smb_conn->signing.seen_valid = true;
- }
+ if (!smb_signing_allow_state_change(&smb_conn->signing)) {
+ return;
}
-}
-bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
-{
- smb_conn->signing.mac_key = data_blob(NULL, 0);
- if (!smbcli_set_signing_off(&smb_conn->signing)) {
- return false;
- }
-
- switch (lp_server_signing(smb_conn->lp_ctx)) {
- case SMB_SIGNING_OFF:
- smb_conn->signing.allow_smb_signing = false;
- break;
- case SMB_SIGNING_SUPPORTED:
- smb_conn->signing.allow_smb_signing = true;
- break;
- case SMB_SIGNING_REQUIRED:
- smb_conn->signing.allow_smb_signing = true;
- smb_conn->signing.mandatory_signing = true;
- break;
- case SMB_SIGNING_AUTO:
- if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
- smb_conn->signing.allow_smb_signing = true;
- smb_conn->signing.mandatory_signing = true;
- } else {
- smb_conn->signing.allow_smb_signing = true;
- }
- break;
- }
- return true;
-}
+/* TODO: handle anon...*/
-/*
- allocate a sequence number to a request
-*/
-static void req_signing_alloc_seq_num(struct smbsrv_request *req)
-{
- req->seq_num = req->smb_conn->signing.next_seq_num;
+ DEBUG(5, ("Client did not send a valid signature on "
+ "SPNEGO session setup - ignored, expect good next time\n"));
- if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
- req->smb_conn->signing.next_seq_num += 2;
+ ok = smb_signing_set_mac_key(smb_conn, &smb_conn->signing,
+ session_key, response);
+ if (ok) {
+ smb_signing_next_seq_num(&smb_conn->signing, false);
}
}
-/*
- called for requests that do not produce a reply of their own
-*/
-void smbsrv_signing_no_reply(struct smbsrv_request *req)
+void smbsrv_init_signing(struct smbsrv_connection *smb_conn)
{
- if (req->smb_conn->signing.signing_state != SMB_SIGNING_ENGINE_OFF) {
- req->smb_conn->signing.next_seq_num--;
+ enum smb_signing_state signing = lp_server_signing(smb_conn->lp_ctx);
+
+ if (signing == SMB_SIGNING_AUTO) {
+ if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ signing = SMB_SIGNING_REQUIRED;
+ } else {
+ signing = SMB_SIGNING_SUPPORTED;
+ }
}
+
+ smb_signing_init_context(&smb_conn->signing, signing);
}
-/***********************************************************
- SMB signing - Simple implementation - check a MAC sent by client
-************************************************************/
-/**
- * Check a packet supplied by the server.
- * @return false if we had an established signing connection
- * which had a back checksum, true otherwise
- */
bool smbsrv_signing_check_incoming(struct smbsrv_request *req,
bool single_increment)
{
- bool good;
-
- req_signing_alloc_seq_num(req);
- if (single_increment) {
- smbsrv_signing_no_reply(req);
- }
+ req->seq_num = smb_signing_next_seq_num(&req->smb_conn->signing,
+ single_increment);
- switch (req->smb_conn->signing.signing_state)
- {
- case SMB_SIGNING_ENGINE_OFF:
- return true;
- case SMB_SIGNING_ENGINE_BSRSPYL:
- case SMB_SIGNING_ENGINE_ON:
- {
- if (req->in.size < (HDR_SS_FIELD + 8)) {
- return false;
- } else {
- good = check_signed_incoming_message(&req->in,
- &req->smb_conn->signing.mac_key,
- req->seq_num);
-
- return signing_good(&req->smb_conn->signing,
- req->seq_num+1, good);
- }
- }
- }
- return false;
+ return smb_signing_check_signature(&req->smb_conn->signing,
+ &req->in, req->seq_num);
}