summaryrefslogtreecommitdiff
path: root/libcli
diff options
context:
space:
mode:
authorRalph Boehme <slow@samba.org>2018-11-10 22:00:04 +0100
committerKarolin Seeger <kseeger@samba.org>2018-11-20 12:30:27 +0100
commit6c3577a588599f638fdd70ddea28301a6940f220 (patch)
treeaaa773579f4e588738d8fb76e58cfcb7a1da530c /libcli
parent6ca7a8a2ffb1c87f633dc0890b285dab73337bc2 (diff)
downloadsamba-6c3577a588599f638fdd70ddea28301a6940f220.tar.gz
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is signed. It will be used to implement verification of session setup reauth responses in a torture test. That comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc)
Diffstat (limited to 'libcli')
-rw-r--r--libcli/smb/smbXcli_base.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index ea7ca22f644..d0cc33b8b05 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3799,14 +3799,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
*/
signing_key = NULL;
}
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Only check the signature of the last response
+ * of a successfull session auth. This matches
+ * Windows behaviour for NTLM auth and reauth.
+ */
+ state->smb2.require_signed_response = false;
+ }
}
- if (state->smb2.should_sign) {
+ if (state->smb2.should_sign ||
+ state->smb2.require_signed_response)
+ {
if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
return NT_STATUS_ACCESS_DENIED;
}
}
+ if (signing_key == NULL && state->smb2.require_signed_response) {
+ signing_key = &session->smb2_channel.signing_key;
+ }
+
if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);