s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels
authorStefan Metzmacher <metze@samba.org>
Mon, 22 Mar 2010 08:31:57 +0000 (09:31 +0100)
committerMichael Adam <obnox@samba.org>
Fri, 26 Mar 2010 11:43:04 +0000 (12:43 +0100)
metze
(cherry picked from commit 0b7da43da0bd5c7e0986854cda63103f082a26ee)

source3/include/proto.h
source3/smbd/process.c
source3/smbd/signing.c

index fd901cde1e012b62635082fe54d1443c3570a0a3..b6e10b4ed67370060ee70f520d0590324a7e863a 100644 (file)
@@ -3213,7 +3213,7 @@ bool client_is_signing_on(struct cli_state *cli);
 
 struct smbd_server_connection;
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
-                       const char *inbuf, uint32_t *seqnum);
+                       const char *inbuf, uint32_t *seqnum, bool trusted_channel);
 void srv_calculate_sign_mac(struct smbd_server_connection *conn,
                            char *outbuf, uint32_t seqnum);
 void srv_cancel_sign_response(struct smbd_server_connection *conn);
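Review bot: The new `trusted_channel` parameter on `srv_check_sign_mac` is undocumented in the header, and its semantics are security-relevant: per the signing.c hunk below, a true value skips MAC verification entirely and instead takes the sequence number and an NTSTATUS straight from the signature field of `inbuf`. I'd add a comment above the prototype stating that `trusted_channel` must only be set by callers that obtained `inbuf` over a channel whose integrity is already guaranteed, never for data read from a client socket (process.c passes `false`), and that `*seqnum` is then caller-supplied PDU data rather than derived from `conn->signing_state`. Something like `/* trusted_channel: skip MAC verification and take *seqnum from the PDU's signature field; only for already-integrity-protected internal channels, never for client sockets. */`.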
index b27302ffef540a0cc70062fad8bfcce9cf5aa8ba..039caefab2d57629edd72e14a7bc93453e1ed4fa 100644 (file)
@@ -341,7 +341,7 @@ static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,     int fd,
        }
 
        /* Check the incoming SMB signature. */
-       if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
+       if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) {
                DEBUG(0, ("receive_smb: SMB Signature verification failed on "
                          "incoming packet!\n"));
                return NT_STATUS_INVALID_NETWORK_RESPONSE;
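Review bot: The hard-coded `false` at the updated call in `receive_smb_talloc` is correct for a socket read, but nothing at the call site records that this argument must stay `false`; a future caller copying this line for an internal channel could flip it without noticing that it disables MAC verification. I'd extend the existing comment to `/* Check the incoming SMB signature. Data from the client socket is never a trusted channel, so always verify the MAC. */`. `receive_smb_talloc` begins before this hunk.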
index b56eb71f45cbe6eb8fca396eab9850bc6464ac1b..5bee361a3453c8dafd08e9b9a37e7f635fe1b8fa 100644 (file)
 ************************************************************/
 
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
-                       const char *inbuf, uint32_t *seqnum)
+                       const char *inbuf, uint32_t *seqnum,
+                       bool trusted_channel)
 {
        /* Check if it's a non-session message. */
        if(CVAL(inbuf,0)) {
                return true;
        }
 
+       if (trusted_channel) {
+               NTSTATUS status;
+
+               if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+                       DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+                                "on short packet! smb_len = %u\n",
+                                smb_len(inbuf)));
+                       return false;
+               }
+
+               status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+                                nt_errstr(status)));
+                       return false;
+               }
+
+               *seqnum = IVAL(inbuf, smb_ss_field);
+               return true;
+       }
+
        *seqnum = smb_signing_next_seqnum(conn->signing_state, false);
        return smb_signing_check_pdu(conn->signing_state,
                                     (const uint8_t *)inbuf,