s3:smbd: add an option to skip signings checks srv_check_sign_mac for trusted channels
authorStefan Metzmacher <metze@samba.org>
Thu, 18 Mar 2010 08:14:40 +0000 (09:14 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 22 Mar 2010 16:15:10 +0000 (17:15 +0100)
metze

source3/include/proto.h
source3/smbd/process.c
source3/smbd/signing.c

index 4832a60c90ab3527965bc65fc5a331a3982f0126..b26fa263415143c93e33d9cc8538efd8994f2f18 100644 (file)
@@ -3302,7 +3302,7 @@ void cli_set_signing_negotiated(struct cli_state *cli);
 
 struct smbd_server_connection;
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
-                       const char *inbuf, uint32_t *seqnum);
+                       const char *inbuf, uint32_t *seqnum, bool trusted_channel);
 void srv_calculate_sign_mac(struct smbd_server_connection *conn,
                            char *outbuf, uint32_t seqnum);
 void srv_cancel_sign_response(struct smbd_server_connection *conn);
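Review bot: The new `trusted_channel` parameter on the `srv_check_sign_mac` prototype has no statement of its contract, although it switches off a security check. In the signing.c section of this commit, a true value returns before `smb_signing_check_pdu` is reached and takes both the status and `*seqnum` from the packet's own signature field, so the buffer is accepted without MAC verification. I would add a comment above the prototype, for example `/* trusted_channel: inbuf comes from a trusted internal channel; the MAC is NOT verified and seqnum/status are read from the signature field. Never set from client-controlled state. */`. A named flag or a separate entry point would also make call sites self-describing, since a bare `true`/`false` reads poorly in review.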
index f467587ab099d7c2b8f4f3beaf722aa568ffcda9..09d00a3be88e52ff8543ab45e273a62052af8b09 100644 (file)
@@ -352,7 +352,7 @@ static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,     int fd,
        }
 
        /* Check the incoming SMB signature. */
-       if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
+       if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, false)) {
                DEBUG(0, ("receive_smb: SMB Signature verification failed on "
                          "incoming packet!\n"));
                return NT_STATUS_INVALID_NETWORK_RESPONSE;
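Review bot: The bare `false` added to the `srv_check_sign_mac` call gives a reader no hint that it selects full MAC verification for a buffer that was presumably read from `fd`. A short comment on that line, e.g. `/* trusted_channel = false: data from the socket is always MAC-checked */`, would make it harder for a later refactor to thread a variable through here unnoticed. `receive_smb_talloc` starts and ends outside this hunk, so whether other paths reach this call cannot be judged from here.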
index 9b5e3452f9d32c5eda7eb73b51498aca6bdf7f6d..f8162d8778b7ad509b9eaf75fa5f2af042fc545b 100644 (file)
 ************************************************************/
 
 bool srv_check_sign_mac(struct smbd_server_connection *conn,
-                       const char *inbuf, uint32_t *seqnum)
+                       const char *inbuf, uint32_t *seqnum,
+                       bool trusted_channel)
 {
        /* Check if it's a non-session message. */
        if(CVAL(inbuf,0)) {
                return true;
        }
 
+       if (trusted_channel) {
+               NTSTATUS status;
+
+               if (smb_len(inbuf) < (smb_ss_field + 8 - 4)) {
+                       DEBUG(1,("smb_signing_check_pdu: Can't check signature "
+                                "on short packet! smb_len = %u\n",
+                                smb_len(inbuf)));
+                       return false;
+               }
+
+               status = NT_STATUS(IVAL(inbuf, smb_ss_field + 4));
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(1,("smb_signing_check_pdu: trusted channel passed %s\n",
+                                nt_errstr(status)));
+                       return false;
+               }
+
+               *seqnum = IVAL(inbuf, smb_ss_field);
+               return true;
+       }
+
        *seqnum = smb_signing_next_seqnum(conn->smb1.signing_state, false);
        return smb_signing_check_pdu(conn->smb1.signing_state,
                                     (const uint8_t *)inbuf,