From 690dc634738c2b49e19edeeedc51ad419a8e610f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 22 Mar 2010 09:31:57 +0100
Subject: [PATCH] s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels
metze
(cherry picked from commit 0b7da43da0bd5c7e0986854cda63103f082a26ee)
---
 source3/include/proto.h | 2 +-
 source3/smbd/process.c | 2 +-
 source3/smbd/signing.c | 24 +++++++++++++++++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index fd901cde1e..b6e10b4ed6 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3213,7 +3213,7 @@ bool client_is_signing_on(struct cli_state *cli);
 struct smbd_server_connection;
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum);
+ const char *inbuf, uint32_t *seqnum, bool trusted_channel);
 void srv_calculate_sign_mac(struct smbd_server_connection *conn,
 char *outbuf, uint32_t seqnum);
 void srv_cancel_sign_response(struct smbd_server_connection *conn);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index b27302ffef..039caefab2 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -341,7 +341,7 @@ static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
 }
 /* Check the incoming SMB signature. */
- if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
+ if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) {
 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
 "incoming packet!\n"));
 return NT_STATUS_INVALID_NETWORK_RESPONSE;
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index b56eb71f45..5bee361a34 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -28,13 +28,35 @@ ************************************************************/
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum)
+ const char *inbuf, uint32_t *seqnum,
+ bool trusted_channel)
 {
 /* Check if it's a non-session message. */
 if(CVAL(inbuf,0)) {
 return true;
 }
+ if (trusted_channel) {
+ NTSTATUS status;
+
+ if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+ DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+ "on short packet! smb_len = %u\n",
+ smb_len(inbuf)));
+ return false;
+ }
+
+ status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+
+ *seqnum = IVAL(inbuf, smb_ss_field);
+ return true;
+ }
+
 *seqnum = smb_signing_next_seqnum(conn->signing_state, false);
 return smb_signing_check_pdu(conn->signing_state,
 (const uint8_t *)inbuf,
--
2.34.1
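Review bot: The new `if (trusted_channel)` branch in `srv_check_sign_mac` returns true without any MAC check and copies `*seqnum` straight out of the packet's signature field, so its safety rests entirely on which callers pass `true`, and nothing in the hunk documents that contract. The only call site visible in this patch (`receive_smb_talloc` in process.c) passes `false`; I would add a comment above the branch along the lines of `/* trusted_channel: inbuf was handed over by a trusted internal sender, never read from the client socket; the 8-byte signature field then carries seqnum followed by an NTSTATUS instead of a MAC */`, adjusted to whatever the sender really writes. Both added DEBUG messages are prefixed `smb_signing_check_pdu:` although they are emitted from `srv_check_sign_mac`, which will misdirect anyone triaging a signing failure from the logs; `srv_check_sign_mac:` would be accurate. The short-packet guard compares the length declared in the packet header (`smb_len(inbuf)`), so it presumably relies on the caller having read at least that many bytes into the buffer, which is worth stating in the same comment. The function body continues past the end of the hunk.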