From: Stefan Metzmacher Date: Fri, 11 Jun 2021 13:33:46 +0000 (+0000) Subject: s3:smbd: make sure STATUS_PENDING responses are never signed X-Git-Tag: samba-4.15.0rc1~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90bc67f322112986d221f4401536493dcd406135;p=thirdparty%2Fsamba.git s3:smbd: make sure STATUS_PENDING responses are never signed It's important to match Windows here in order to avoid reusing a NONCE for AES-128-GMAC signing. Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison --- diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 04f8c4ba10e..462689077b2 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2272,6 +2272,11 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, SIVAL(hdr, SMB2_HDR_STATUS, NT_STATUS_V(NT_STATUS_PENDING)); SSVAL(hdr, SMB2_HDR_OPCODE, SVAL(outhdr, SMB2_HDR_OPCODE)); + /* + * The STATUS_PENDING response has SMB2_HDR_FLAG_SIGNED + * clearedm, but echoes the signature field. + */ + flags &= ~SMB2_HDR_FLAG_SIGNED; SIVAL(hdr, SMB2_HDR_FLAGS, flags); SIVAL(hdr, SMB2_HDR_NEXT_COMMAND, 0); SBVAL(hdr, SMB2_HDR_MESSAGE_ID, message_id); @@ -2325,6 +2330,10 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, SMBD_SMB2_IN_HDR_IOV(req), &state->vector[1+SMBD_SMB2_HDR_IOV_OFS]); + /* + * We add SMB2_HDR_FLAG_ASYNC after smb2_set_operation_credit() + * as it reacts on it + */ SIVAL(hdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC); if (DEBUGLVL(10)) { 
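Review bot: The comment added above `flags &= ~SMB2_HDR_FLAG_SIGNED;` says what is cleared but not why, and the reason is the security-relevant part. The commit message ties it to avoiding NONCE reuse for AES-128-GMAC signing, presumably because the interim response carries the same `message_id` as the final response that is signed later. I would state that in the comment so nobody restores signing on this path, and fix the typo `clearedm`, for example `/* Never sign STATUS_PENDING (matches Windows): signing it could reuse the AES-128-GMAC nonce. The signature field is echoed. */`. The write that echoes the signature field is not visible in this hunk, so that half of the comment cannot be checked here; the function body starts and ends outside the hunk.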
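Review bot: The wording `as it reacts on it` in the comment before the second `SIVAL(hdr, SMB2_HDR_FLAGS, ...)` leaves both pronouns ambiguous, so a reader cannot tell whether the function or the flag is the subject. Something like `smb2_set_operation_credit() looks at the header flags, so SMB2_HDR_FLAG_ASYNC is only set afterwards` would read unambiguously, assuming that is the intended meaning. The call the comment refers to appears to start above the hunk, where only its last two argument lines are visible.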
@@ -2350,19 +2359,6 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, nt_errstr(status)); return; } - } else if (req->do_signing) { - struct smbXsrv_session *x = req->session; - struct smb2_signing_key *signing_key = - smbd_smb2_signing_key(x, xconn, NULL); - - status = smb2_signing_sign_pdu(signing_key, - &state->vector[1+SMBD_SMB2_HDR_IOV_OFS], - SMBD_SMB2_NUM_IOV_PER_REQ - 1); - if (!NT_STATUS_IS_OK(status)) { - smbd_server_connection_terminate(xconn, - nt_errstr(status)); - return; - } } state->queue_entry.mem_ctx = state;