[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Apr 16 02:08:03 MDT 2014


The branch, master has been updated
       via  a56c35a s3:smbd: always allow SMB1 signing, but only announce it if configured.
       via  6d6bd96 libcli/smb: add smb_signing_is_desired()
      from  d7ce127 auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a56c35a4deec9745ff27a66ddc85db48c5dfaf97
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 15 10:08:12 2014 +0200

    s3:smbd: always allow SMB1 signing, but only announce it if configured.
    
    Always allow the client to turn on SMB1 signing using
    FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104

commit 6d6bd9612c758906f575aa8269adc672c5976f4a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 15 10:03:10 2014 +0200

    libcli/smb: add smb_signing_is_desired()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb_signing.c |    5 +++++
 libcli/smb/smb_signing.h |    1 +
 source3/smbd/negprot.c   |    6 +++---
 source3/smbd/signing.c   |    7 +++++--
 4 files changed, 14 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb_signing.c b/libcli/smb/smb_signing.c
index fa61aa8..e128e8f 100644
--- a/libcli/smb/smb_signing.c
+++ b/libcli/smb/smb_signing.c
@@ -407,6 +407,11 @@ bool smb_signing_is_allowed(struct smb_signing_state *si)
 	return si->allowed;
 }
 
+bool smb_signing_is_desired(struct smb_signing_state *si)
+{
+	return si->desired;
+}
+
 bool smb_signing_is_mandatory(struct smb_signing_state *si)
 {
 	return si->mandatory;
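Review bot: smb_signing_is_desired() is added without a comment saying how `desired` differs from `allowed` and `mandatory`, and the rest of this commit depends on that distinction. A short comment above the function would help, for example `/* true if local configuration wants signing announced to the peer; signing may still be allowed when this is false */`. That wording is inferred from how the smbd hunks use the value, so check it against the struct definition. Like its neighbours, the accessor dereferences `si` without a NULL check, which is safe only if every caller holds an initialised signing state. The body of smb_signing_is_mandatory() continues past the end of this hunk.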
diff --git a/libcli/smb/smb_signing.h b/libcli/smb/smb_signing.h
index 7427ada..7d9e8ad 100644
--- a/libcli/smb/smb_signing.h
+++ b/libcli/smb/smb_signing.h
@@ -47,6 +47,7 @@ bool smb_signing_activate(struct smb_signing_state *si,
 			  const DATA_BLOB response);
 bool smb_signing_is_active(struct smb_signing_state *si);
 bool smb_signing_is_allowed(struct smb_signing_state *si);
+bool smb_signing_is_desired(struct smb_signing_state *si);
 bool smb_signing_is_mandatory(struct smb_signing_state *si);
 bool smb_signing_set_negotiated(struct smb_signing_state *si,
 				bool allowed, bool mandatory);
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index f470d0b..4cd12d8 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 	struct timespec ts;
 	ssize_t ret;
 	struct smbd_server_connection *sconn = req->sconn;
-	bool signing_enabled = false;
+	bool signing_desired = false;
 	bool signing_required = false;
 
 	sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 		secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
 	}
 
-	signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+	signing_desired = smb_signing_is_desired(req->sconn->smb1.signing_state);
 	signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
 
-	if (signing_enabled) {
+	if (signing_desired) {
 		secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 		/* No raw mode with smb signing. */
 		capabilities &= ~CAP_RAW_MODE;
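Review bot: CAP_RAW_MODE is now cleared only when signing is desired, yet this commit lets a client turn signing on even when it is not announced. The capability can therefore stay advertised on a connection that ends up signed. The existing comment `/* No raw mode with smb signing. */` states the invariant, but whether the raw read/write handlers refuse requests once signing is active is not visible here. Please confirm that and record it next to the check, e.g. `/* raw mode stays advertised when signing is only allowed; the raw handlers must reject it once signing is active */`. The `if (signing_desired)` block and reply_nt1() both continue outside this hunk.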
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 295c9f1..b7683cd 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
 
 bool srv_init_signing(struct smbd_server_connection *conn)
 {
-	bool allowed;
+	bool allowed = true;
 	bool desired;
 	bool mandatory = false;
 
@@ -186,9 +186,12 @@ bool srv_init_signing(struct smbd_server_connection *conn)
 	 * This matches Windows behavior and is needed
 	 * because not every client that requires signing
 	 * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
+	 *
+	 * Note that we'll always allow signing if the client
+	 * does send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
 	 */
 
-	allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
 	talloc_unlink(conn, lp_ctx);
 
 	if (lp_async_smb_echo_handler()) {
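Review bot: `allowed` is initialised to `true` in the preceding hunk and is not reassigned in the visible lines, while the result of `lpcfg_server_signing_allowed()` now goes into `desired`. The helper's name therefore no longer matches what its return value means here. A one-line comment at the assignment, such as `/* the configured value only controls what we announce; signing is always accepted */`, would stop a later reader from "correcting" it back. This also changes behaviour for configurations that turn server signing off, because a client can still enable signing. The diffstat lists only four source files, so the smb.conf documentation for that setting appears not to have been updated in this push. srv_init_signing() continues beyond the hunk.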


-- 
Samba Shared Repository

