libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()

This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc)

1 files changed, 16 insertions, 1 deletions

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 07de4297707..512cbd8c6f4 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3798,14 +3798,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 				 */
 				signing_key = NULL;
 			}
+
+			if (!NT_STATUS_IS_OK(status)) {
+				/*
+				 * Only check the signature of the last response
+				 * of a successfull session auth. This matches
+				 * Windows behaviour for NTLM auth and reauth.
+				 */
+				state->smb2.require_signed_response = false;
+			}
 		}
 
-		if (state->smb2.should_sign) {
+		if (state->smb2.should_sign ||
+		    state->smb2.require_signed_response)
+		{
 			if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
 				return NT_STATUS_ACCESS_DENIED;
 			}
 		}
 
+		if (signing_key == NULL && state->smb2.require_signed_response) {
+			signing_key = &session->smb2_channel.signing_key;
+		}
+
 		if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
 			const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
 			uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);