added server side SMB2 signing

(This used to be commit 8e919dcb0826a5b25d037ee6144af5f7cb21f3ae)

1 files changed, 21 insertions, 11 deletions

diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c
index 561b6e528e..a9a9efb3aa 100644
--- a/source4/libcli/smb2/transport.c
+++ b/source4/libcli/smb2/transport.c
@@ -205,12 +205,6 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
 		goto error;
 	}
 
-	status = smb2_check_signature(transport, buffer, len);
-	if (!NT_STATUS_IS_OK(status)) {
-		talloc_free(buffer);
-		return status;
-	}
-	
 	flags	= IVAL(hdr, SMB2_HDR_FLAGS);
 	seqnum	= BVAL(hdr, SMB2_HDR_MESSAGE_ID);
 
@@ -241,6 +235,18 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
 	req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE);
 	req->status       = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS));
 
+	if (transport->signing.signing_started &&
+	    transport->signing.doing_signing) {
+		status = smb2_check_signature(&req->in, 
+					      transport->signing.session_key);
+		if (!NT_STATUS_IS_OK(status)) {
+			/* the spec says to ignore packets with a bad signature */
+			talloc_free(buffer);
+			return status;
+		}
+	}
+	
+
 	if (NT_STATUS_EQUAL(req->status, STATUS_PENDING)) {
 		if (flags & 0x00000002) {
 			req->cancel.can_cancel = true;
@@ -346,11 +352,15 @@ void smb2_transport_send(struct smb2_request *req)
 		return;
 	}
 
-	status = smb2_sign_message(req);
-	if (!NT_STATUS_IS_OK(status)) {
-		req->state = SMB2_REQUEST_ERROR;
-		req->status = status;
-		return;
+	/* possibly sign the message */
+	if (req->transport->signing.doing_signing &&
+	    req->transport->signing.signing_started) {
+		status = smb2_sign_message(&req->out, req->transport->signing.session_key);
+		if (!NT_STATUS_IS_OK(status)) {
+			req->state = SMB2_REQUEST_ERROR;
+			req->status = status;
+			return;
+		}
 	}
 	
 	blob = data_blob_const(req->out.buffer, req->out.size);