From 0b7da43da0bd5c7e0986854cda63103f082a26ee Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 18 Mar 2010 09:14:40 +0100 Subject: s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels metze --- source3/include/proto.h | 2 +- source3/smbd/process.c | 2 +- source3/smbd/signing.c | 24 +++++++++++++++++++++++- 3 files changed, 25 insertions(+), 3 deletions(-) (limited to 'source3') diff --git a/source3/include/proto.h b/source3/include/proto.h index 4832a60c90..b26fa26341 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -3302,7 +3302,7 @@ void cli_set_signing_negotiated(struct cli_state *cli); struct smbd_server_connection; bool srv_check_sign_mac(struct smbd_server_connection *conn, - const char *inbuf, uint32_t *seqnum); + const char *inbuf, uint32_t *seqnum, bool trusted_channel); void srv_calculate_sign_mac(struct smbd_server_connection *conn, char *outbuf, uint32_t seqnum); void srv_cancel_sign_response(struct smbd_server_connection *conn); diff --git a/source3/smbd/process.c b/source3/smbd/process.c index f467587ab0..09d00a3be8 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -352,7 +352,7 @@ static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd, } /* Check the incoming SMB signature. */ - if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) { + if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) { DEBUG(0, ("receive_smb: SMB Signature verification failed on " "incoming packet!\n")); return NT_STATUS_INVALID_NETWORK_RESPONSE; diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c index 9b5e3452f9..f8162d8778 100644 --- a/source3/smbd/signing.c +++ b/source3/smbd/signing.c @@ -28,13 +28,35 @@ ************************************************************/ bool srv_check_sign_mac(struct smbd_server_connection *conn, - const char *inbuf, uint32_t *seqnum) + const char *inbuf, uint32_t *seqnum, + bool trusted_channel) { /* Check if it's a non-session message. */ if(CVAL(inbuf,0)) { return true; } + if (trusted_channel) { + NTSTATUS status; + + if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) { + DEBUG(1,("smb_signing_check_pdu: Can't check signature " + "on short packet! smb_len = %u\n", + smb_len(inbuf))); + return false; + } + + status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n", + nt_errstr(status))); + return false; + } + + *seqnum = IVAL(inbuf, smb_ss_field); + return true; + } + *seqnum = smb_signing_next_seqnum(conn->smb1.signing_state, false); return smb_signing_check_pdu(conn->smb1.signing_state, (const uint8_t *)inbuf, -- cgit