struct smbd_server_connection;
bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum);
+ const char *inbuf, uint32_t *seqnum, bool trusted_channel);
void srv_calculate_sign_mac(struct smbd_server_connection *conn,
char *outbuf, uint32_t seqnum);
void srv_cancel_sign_response(struct smbd_server_connection *conn);
}
/* Check the incoming SMB signature. */
- if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
+ if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) {
DEBUG(0, ("receive_smb: SMB Signature verification failed on "
"incoming packet!\n"));
return NT_STATUS_INVALID_NETWORK_RESPONSE;
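Review bot: The bare `false` passed to srv_check_sign_mac() here does not tell a reader that it selects full signature verification rather than the trusted-channel shortcut. The debug string places this call in receive_smb on an incoming packet, so I would state the intent above the call, e.g. `/* An incoming packet is never a trusted channel: always verify the MAC. */`. The enclosing function starts and ends outside the hunk.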
************************************************************/
bool srv_check_sign_mac(struct smbd_server_connection *conn,
- const char *inbuf, uint32_t *seqnum)
+ const char *inbuf, uint32_t *seqnum,
+ bool trusted_channel)
{
/* Check if it's a non-session message. */
if(CVAL(inbuf,0)) {
return true;
}
+ if (trusted_channel) {
+ NTSTATUS status;
+
+ if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+ DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+ "on short packet! smb_len = %u\n",
+ smb_len(inbuf)));
+ return false;
+ }
+
+ status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+
+ *seqnum = IVAL(inbuf, smb_ss_field);
+ return true;
+ }
+
*seqnum = smb_signing_next_seqnum(conn->smb1.signing_state, false);
return smb_signing_check_pdu(conn->smb1.signing_state,
(const uint8_t *)inbuf,
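Review bot: The new `trusted_channel` branch returns true without reaching smb_signing_check_pdu(), taking both the result status and `*seqnum` from the bytes at `smb_ss_field` in `inbuf`, yet nothing at the function says which callers may pass `true`. If the flag were ever set for a buffer that an untrusted peer can influence, the packet would be accepted with no MAC check. The header comment should therefore state the contract, for example `/* trusted_channel: inbuf was already checked by the sender, which stored the NTSTATUS result and sequence number in the signature field; never set for data read from the network. */`. That is presumably the intent, but it should be confirmed against the caller that passes `true`, which is not visible here. The two DEBUG strings in the branch are prefixed `smb_signing_check_pdu:` although they are emitted from srv_check_sign_mac, which will misdirect anyone triaging signing failures from logs; `srv_check_sign_mac:` would match, and the function body continues past the end of the hunk.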