diff options
author | Ralph Boehme <slow@samba.org> | 2018-11-10 22:00:04 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-11-23 09:01:26 +0100 |
commit | 7a5077d7e9a5ef8c346877f10426355a298ea6e4 (patch) | |
tree | 9bbdbcf9f02e5d9b764cbb9fa57ac6e6475b55b8 /libcli | |
parent | 4ba496bf3c13c567b7a2617133e0bc7f5a2c8f1f (diff) | |
download | samba-7a5077d7e9a5ef8c346877f10426355a298ea6e4.tar.gz |
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc)
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/smb/smbXcli_base.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 07de4297707..512cbd8c6f4 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -3798,14 +3798,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, */ signing_key = NULL; } + + if (!NT_STATUS_IS_OK(status)) { + /* + * Only check the signature of the last response + * of a successfull session auth. This matches + * Windows behaviour for NTLM auth and reauth. + */ + state->smb2.require_signed_response = false; + } } - if (state->smb2.should_sign) { + if (state->smb2.should_sign || + state->smb2.require_signed_response) + { if (!(flags & SMB2_HDR_FLAG_SIGNED)) { return NT_STATUS_ACCESS_DENIED; } } + if (signing_key == NULL && state->smb2.require_signed_response) { + signing_key = &session->smb2_channel.signing_key; + } + if (cur[0].iov_len == SMB2_TF_HDR_SIZE) { const uint8_t *tf = (const uint8_t *)cur[0].iov_base; uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID); |