>From f2e5c072bfae87d66be54d5c4580feb716646f2f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 15 Apr 2014 10:03:10 +0200
Subject: [PATCH 1/2] libcli/smb: add smb_signing_is_desired()

Signed-off-by: Stefan Metzmacher
---
 libcli/smb/smb_signing.c | 5 +++++
 libcli/smb/smb_signing.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/libcli/smb/smb_signing.c b/libcli/smb/smb_signing.c
index fa61aa8..e128e8f 100644
--- a/libcli/smb/smb_signing.c
+++ b/libcli/smb/smb_signing.c
@@ -407,6 +407,11 @@ bool smb_signing_is_allowed(struct smb_signing_state *si)
 return si->allowed;
 }
 
+bool smb_signing_is_desired(struct smb_signing_state *si)
+{
+ return si->desired;
+}
+
 bool smb_signing_is_mandatory(struct smb_signing_state *si)
 {
 return si->mandatory;
diff --git a/libcli/smb/smb_signing.h b/libcli/smb/smb_signing.h
index 7427ada..7d9e8ad 100644
--- a/libcli/smb/smb_signing.h
+++ b/libcli/smb/smb_signing.h
@@ -47,6 +47,7 @@ bool smb_signing_activate(struct smb_signing_state *si,
 const DATA_BLOB response);
 bool smb_signing_is_active(struct smb_signing_state *si);
 bool smb_signing_is_allowed(struct smb_signing_state *si);
+bool smb_signing_is_desired(struct smb_signing_state *si);
 bool smb_signing_is_mandatory(struct smb_signing_state *si);
 bool smb_signing_set_negotiated(struct smb_signing_state *si,
 bool allowed, bool mandatory);
-- 
1.7.9.5

>From ca0d7302f5afd409c88a90f21de0b4fdddd30bab Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 15 Apr 2014 10:08:12 +0200
Subject: [PATCH 2/2] s3:smbd: always allow SMB1 signing, but only announce it if configured.

Always allow the client to turn on SMB1 signing using FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.

Signed-off-by: Stefan Metzmacher
---
 source3/smbd/negprot.c | 6 +++---
 source3/smbd/signing.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index f470d0b..4cd12d8 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 struct timespec ts;
 ssize_t ret;
 struct smbd_server_connection *sconn = req->sconn;
- bool signing_enabled = false;
+ bool signing_desired = false;
 bool signing_required = false;
 
 sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
 }
 
- signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+ signing_desired = smb_signing_is_desired(req->sconn->smb1.signing_state);
 signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
 
- if (signing_enabled) {
+ if (signing_desired) {
 secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 /* No raw mode with smb signing. */
 capabilities &= ~CAP_RAW_MODE;
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 295c9f1..9ddc791 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
 
 bool srv_init_signing(struct smbd_server_connection *conn)
 {
- bool allowed;
+ bool allowed = true;
 bool desired;
 bool mandatory = false;
 
@@ -188,7 +188,7 @@ bool srv_init_signing(struct smbd_server_connection *conn)
 * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
 */
 
- allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+ desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
 talloc_unlink(conn, lp_ctx);
 
 if (lp_async_smb_echo_handler()) {
-- 
1.7.9.5
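Review bot: In reply_nt1 (source3/smbd/negprot.c, hunk at -313) `capabilities &= ~CAP_RAW_MODE;` is now withdrawn only when signing is desired, yet the commit message says a client may still turn signing on with FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED when it was not announced. That leaves connections that were offered CAP_RAW_MODE and then become signed, which the existing comment `/* No raw mode with smb signing. */` says should not happen. Whether the raw read/write handlers refuse requests once signing is active is not visible in this hunk, so that should be confirmed and the comment widened, e.g. `/* Raw mode is only withdrawn when signing is announced; raw requests on a connection that later activates signing must be rejected by the handlers. */`. reply_nt1 starts and ends outside the hunk.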
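Review bot: In srv_init_signing (source3/smbd/signing.c, hunks at -169 and -188) `allowed` is initialised to `true` and no longer assigned from `lpcfg_server_signing_allowed()`, so in the visible lines the configuration only feeds `desired` and `mandatory`. A server configured with signing switched off will therefore still sign SMB1 sessions when a client asks for it; the commit message suggests that is intended, but it changes what the setting means and the declaration should say so, e.g. `bool allowed = true; /* always accept client-requested signing; config only controls announcement */`. The block comment ending in "sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED." begins outside the hunk and may already cover part of this, and the function body continues past the last visible line.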