libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
authorRalph Boehme <slow@samba.org>
Sat, 10 Nov 2018 21:00:04 +0000 (22:00 +0100)
committerRalph Boehme <slow@samba.org>
Tue, 13 Nov 2018 10:13:03 +0000 (11:13 +0100)
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
libcli/smb/smbXcli_base.c

index ea7ca22f6447dea01ff2bbb18c40a3a9486e1847..d0cc33b8b054e7978eba9e5b52aac1209ddc26f8 100644 (file)
@@ -3799,14 +3799,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                                 */
                                signing_key = NULL;
                        }
+
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /*
+                                * Only check the signature of the last response
+                                * of a successfull session auth. This matches
+                                * Windows behaviour for NTLM auth and reauth.
+                                */
+                               state->smb2.require_signed_response = false;
+                       }
                }
 
-               if (state->smb2.should_sign) {
+               if (state->smb2.should_sign ||
+                   state->smb2.require_signed_response)
+               {
                        if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
                                return NT_STATUS_ACCESS_DENIED;
                        }
                }
 
+               if (signing_key == NULL && state->smb2.require_signed_response) {
+                       signing_key = &session->smb2_channel.signing_key;
+               }
+
                if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
                        const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
                        uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
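Review bot: The fallback `signing_key = &session->smb2_channel.signing_key;` re-selects the channel key after the session-setup branch above deliberately set `signing_key = NULL`, and it does so without checking that the key is populated or that `session` is non-NULL. The signed-flag check just before it guarantees only that the header flag is set; the session lookup and the later signature verification are outside this hunk, so whether an empty key is rejected or silently skipped there cannot be confirmed from here. Since `require_signed_response` exists to force verification, consider failing closed right after the assignment, if that matches the intended contract, with `if (signing_key->length == 0) { return NT_STATUS_ACCESS_DENIED; }`, and add a comment such as `/* caller demanded a verified signature: use the channel key even if the check was deferred above */`. The body of smb2cli_conn_dispatch_incoming() begins before and continues after this hunk.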