From 5c459fb110024c81bb27274fc6f17406883927a0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 17 Sep 2013 04:12:30 +0200 Subject: [PATCH 1/2] libcli/smb: fix non mendatory signing against some vendor SMB2 servers. Windows and Samba always sign the final session setup response even if signing is not mendatory, but it ensures that the signing key is correctly in place. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Sep 17 09:40:10 CEST 2013 on sn-devel-104 (cherry picked from commit af290a03cef63c3b08446c1980de064a3b1c8804) --- libcli/smb/smbXcli_base.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 1e91975..9d187cd 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4841,7 +4841,16 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, session->conn->protocol, recv_iov, 3); if (!NT_STATUS_IS_OK(status)) { - return status; + /* + * Sadly some vendors don't sign the + * final SMB2 session setup response + * + * At least Windows and Samba are always doing this + * if there's a session key available. + */ + if (conn->mandatory_signing) { + return status; + } } session->smb2->should_sign = false; -- 1.8.1.2 From db018804d729ab60498c545e01e6ea8549a9c217 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 18 Sep 2013 02:24:30 +0200 Subject: [PATCH 2/2] libcli/smb: only check the SMB2 session setup signature if required and valid This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804 that skips the scary debug messages. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 
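Review bot: On a connection without mandatory signing, the new branch drops every failure from `smb2_signing_check_pdu`, so a response whose signature is present but does not verify is accepted exactly like one with no signature, and the added comment does not say so. The comment should record what is given up, for example `* Without mandatory signing a failed check is ignored here, so the final response is not integrity protected.` On this path `status` also keeps its failure value. The function body continues outside the hunk, so whether `status` is read again before being reassigned cannot be confirmed from here.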
Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104 (cherry picked from commit 4879d0810a2ad741e32ad174a7a14cd35521aeaf) --- libcli/smb/smbXcli_base.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 9d187cd..14d4cc3 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4740,12 +4740,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, struct smbXcli_conn *conn = session->conn; uint16_t no_sign_flags; uint8_t session_key[16]; + bool check_signature = true; + uint32_t hdr_flags; NTSTATUS status; if (conn == NULL) { return NT_STATUS_INVALID_PARAMETER_MIX; } + if (recv_iov[0].iov_len != SMB2_HDR_BODY) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; if (session->smb2->session_flags & no_sign_flags) { 
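Review bot: The new length test on `recv_iov[0]` has no comment saying what it protects, and it reads `recv_iov[0].iov_len` without first checking `recv_iov` itself. This test is what keeps the `IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS)` read in the following hunk inside the buffer, so a line such as `/* hdr_flags is read from recv_iov[0] below, so it must hold a full SMB2 header */` above it would tie the two together. Whether any caller can pass a NULL `recv_iov` is not visible here; if one can, the guard would become `if (recv_iov == NULL || recv_iov[0].iov_len != SMB2_HDR_BODY) {`. The function's signature and the rest of its body lie outside the hunk.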
@@ -4837,18 +4843,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return NT_STATUS_NO_MEMORY; } - status = smb2_signing_check_pdu(session->smb2_channel.signing_key, - session->conn->protocol, - recv_iov, 3); - if (!NT_STATUS_IS_OK(status)) { + check_signature = conn->mandatory_signing; + + hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS); + if (hdr_flags & SMB2_HDR_FLAG_SIGNED) { /* * Sadly some vendors don't sign the * final SMB2 session setup response * * At least Windows and Samba are always doing this * if there's a session key available. + * + * We only check the signature if it's mandatory + * or SMB2_HDR_FLAG_SIGNED is provided. */ - if (conn->mandatory_signing) { + check_signature = true; + } + + if (check_signature) { + status = smb2_signing_check_pdu(session->smb2_channel.signing_key, + session->conn->protocol, + recv_iov, 3); + if (!NT_STATUS_IS_OK(status)) { return status; } } -- 1.8.1.2
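Review bot: Verification is now keyed on `SMB2_HDR_FLAG_SIGNED`, a bit read from the header of the very response whose integrity is in question, so without mandatory signing a response with that bit cleared is accepted unchecked. That appears to be the intended interoperability trade-off, but the comment does not state it. The comment also sits inside the `if (hdr_flags & SMB2_HDR_FLAG_SIGNED)` branch, which is taken when the response is signed, while its text describes vendors that do not sign. I would move it above `check_signature = conn->mandatory_signing;` and add `* The flag is not authenticated; only mandatory_signing guarantees the check runs.` The `true` initialiser given to `check_signature` in the previous hunk is always overwritten by that assignment, so it can be dropped or the declaration left uninitialised.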