libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED...
authorStefan Metzmacher <metze@samba.org>
Mon, 8 Mar 2021 01:03:30 +0000 (02:03 +0100)
committerStefan Metzmacher <metze@samba.org>
Thu, 15 Jul 2021 00:06:31 +0000 (00:06 +0000)
We should propagate these errors to the caller instead of masking them
with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
libcli/smb/smbXcli_base.c

index 9ffc60ff33068be3875061023acc1fb9c3ef16dc..30df9b244ea43ac77fcc8ec720b3bba850584cb9 100644 (file)
@@ -3896,6 +3896,46 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                        state->smb2.signing_skipped = true;
                        signing_key = NULL;
                }
+               if (NT_STATUS_EQUAL(status, NT_STATUS_REQUEST_OUT_OF_SEQUENCE)) {
+                       /*
+                        * if the server returns
+                        * NT_STATUS_REQUEST_OUT_OF_SEQUENCE for a session setup
+                        * request, the response is not signed and we should
+                        * propagate the NT_STATUS_REQUEST_OUT_OF_SEQUENCE
+                        * status to the caller
+                        */
+                       if (opcode == SMB2_OP_SESSSETUP) {
+                               state->smb2.signing_skipped = true;
+                               signing_key = NULL;
+                       }
+               }
+               if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+                       /*
+                        * if the server returns NT_STATUS_NOT_SUPPORTED
+                        * for a session setup request, the response is not
+                        * signed and we should propagate the NT_STATUS_NOT_SUPPORTED
+                        * status to the caller.
+                        */
+                       if (opcode == SMB2_OP_SESSSETUP) {
+                               state->smb2.signing_skipped = true;
+                               signing_key = NULL;
+                       }
+               }
+               if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+                       /*
+                        * if the server returns
+                        * NT_STATUS_ACCESS_DENIED for a session setup
+                        * request, the response is not signed and we should
+                        * propagate the NT_STATUS_ACCESS_DENIED
+                        * status to the caller without disconnecting
+                        * the connection because we where not able to
+                        * verify the response signature.
+                        */
+                       if (opcode == SMB2_OP_SESSSETUP) {
+                               state->smb2.signing_skipped = true;
+                               signing_key = NULL;
+                       }
+               }
 
                if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
                        /*
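Review bot: The three added blocks (REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED, ACCESS_DENIED) pass an unsigned session setup error up to the caller, but none of the comments say that such a status is unauthenticated and may not have come from the real server. I would say so where the exemption is made, e.g. `/* unsigned, hence unauthenticated: callers must not use this status to relax signing or trigger a fallback */`. The three bodies are identical, so they could be folded into one test, `if (opcode == SMB2_OP_SESSSETUP && (NT_STATUS_EQUAL(status, NT_STATUS_REQUEST_OUT_OF_SEQUENCE) || NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)))`, which keeps the list of signing exemptions in one place for auditing. smb2cli_conn_dispatch_incoming starts and ends outside the hunk, so it cannot be confirmed here whether a later check on `signing_skipped` already limits what callers may do with these statuses. Minor: "we where not able" in the ACCESS_DENIED comment should read "we were not able".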