diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-09-30 21:23:25 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2015-12-10 10:23:30 +0100 |
commit | a819d2b440aafa3138d95ff6e8b824da885a70e9 (patch) | |
tree | b7de078b4ee72f80bac66b26dbac629f42ed865e | |
parent | 1ba49b8f389eda3414b14410c7fbcb4041ca06b1 (diff) | |
download | samba-a819d2b440aafa3138d95ff6e8b824da885a70e9.tar.gz |
CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | libcli/smb/smbXcli_base.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 6fe4816c3b5..505d40dd4f5 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5446,6 +5446,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session) if (conn->mandatory_signing) { security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; } + if (session->smb2->should_sign) { + security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; + } return security_mode; } @@ -5877,6 +5880,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session) { + if (!session->smb2->should_sign) { + /* + * We need required signing on the session + * in order to prevent man in the middle attacks. + */ + return NT_STATUS_INVALID_PARAMETER_MIX; + } + if (session->smb2->should_encrypt) { return NT_STATUS_OK; } |