s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels

metze

1 files changed, 23 insertions, 1 deletions

diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 9b5e3452f9..f8162d8778 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -28,13 +28,35 @@
 ************************************************************/
 
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
-			const char *inbuf, uint32_t *seqnum)
+			const char *inbuf, uint32_t *seqnum,
+			bool trusted_channel)
 {
 	/* Check if it's a non-session message. */
 	if(CVAL(inbuf,0)) {
 		return true;
 	}
 
+	if (trusted_channel) {
+		NTSTATUS status;
+
+		if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+			DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+				 "on short packet! smb_len = %u\n",
+				 smb_len(inbuf)));
+			return false;
+		}
+
+		status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+				 nt_errstr(status)));
+			return false;
+		}
+
+		*seqnum = IVAL(inbuf, smb_ss_field);
+		return true;
+	}
+
 	*seqnum = smb_signing_next_seqnum(conn->smb1.signing_state, false);
 	return smb_signing_check_pdu(conn->smb1.signing_state,
 				     (const uint8_t *)inbuf,