authorStefan Metzmacher <metze@samba.org>2010-03-18 09:14:40 +0100
committerStefan Metzmacher <metze@samba.org>2010-03-22 17:15:10 +0100
commit0b7da43da0bd5c7e0986854cda63103f082a26ee (patch)
treea432a71f31ef5703b1746a090d2468f575e06578
parent048c919dc0b7bc038becad34c2861c43c72c43c9 (diff)
s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels
metze
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/smbd/process.c2
-rw-r--r--source3/smbd/signing.c24
3 files changed, 25 insertions, 3 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 4832a60c90..b26fa26341 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3302,7 +3302,7 @@ void cli_set_signing_negotiated(struct cli_state *cli);
struct smbd_server_connection;
bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum);
+ const char *inbuf, uint32_t *seqnum, bool trusted_channel);
void srv_calculate_sign_mac(struct smbd_server_connection *conn,
char *outbuf, uint32_t seqnum);
void srv_cancel_sign_response(struct smbd_server_connection *conn);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index f467587ab0..09d00a3be8 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -352,7 +352,7 @@ static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
}
/* Check the incoming SMB signature. */
- if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
+ if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) {
DEBUG(0, ("receive_smb: SMB Signature verification failed on "
"incoming packet!\n"));
return NT_STATUS_INVALID_NETWORK_RESPONSE;
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 9b5e3452f9..f8162d8778 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -28,13 +28,35 @@
************************************************************/
bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum)
+ const char *inbuf, uint32_t *seqnum,
+ bool trusted_channel)
{
/* Check if it's a non-session message. */
if(CVAL(inbuf,0)) {
return true;
}
+ if (trusted_channel) {
+ NTSTATUS status;
+
+ if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+ DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+ "on short packet! smb_len = %u\n",
+ smb_len(inbuf)));
+ return false;
+ }
+
+ status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+
+ *seqnum = IVAL(inbuf, smb_ss_field);
+ return true;
+ }
+
*seqnum = smb_signing_next_seqnum(conn->smb1.signing_state, false);
return smb_signing_check_pdu(conn->smb1.signing_state,
(const uint8_t *)inbuf,
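Review bot: The new `trusted_channel` branch in srv_check_sign_mac returns true without verifying any MAC, and it takes both the status and `*seqnum` straight from the signature field of `inbuf`, yet nothing visible in the hunk documents when a caller may pass `true`. The header comment above the function should state that contract, for example `/* trusted_channel: inbuf comes from a trusted local sender that stored the seqnum at smb_ss_field and an NTSTATUS at smb_ss_field + 4; never set it for data read from the client socket. */`, assuming that is the intended producer. The two DEBUG messages in the branch are prefixed `smb_signing_check_pdu:` although srv_check_sign_mac emits them, which will mislead anyone triaging signing failures from logs; `srv_check_sign_mac:` would match. The function body continues past the end of the hunk, so whether the connection's own sequence counter needs advancing on this path cannot be judged from here.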