CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2015-09-30 21:23:25 +0200
committer: Karolin Seeger <kseeger@samba.org> 2015-12-10 11:10:54 +0100
commit: c634a143a876bd5a724d830c54fe12ef6d68d5fd (patch)
tree: 0518dd5d02fd59fea9313b5652b52c41546bc66f
parent: 4c3a492259ceefe3d02df690d4369291627883a2 (diff)
download: samba-c634a143a876bd5a724d830c54fe12ef6d68d5fd.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 5063e591784..546ce40e874 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4754,6 +4754,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
 	if (conn->mandatory_signing) {
 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 	}
+	if (session->smb2->should_sign) {
+		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+	}
 
 	return security_mode;
 }
@@ -5031,6 +5034,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
 
 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
 {
+	if (!session->smb2->should_sign) {
+		/*
+		 * We need required signing on the session
+		 * in order to prevent man in the middle attacks.
+		 */
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
+
 	if (session->smb2->should_encrypt) {
 		return NT_STATUS_OK;
 	}
author	Stefan Metzmacher <metze@samba.org>	2015-09-30 21:23:25 +0200
committer	Karolin Seeger <kseeger@samba.org>	2015-12-10 11:10:54 +0100
commit	c634a143a876bd5a724d830c54fe12ef6d68d5fd (patch)
tree	0518dd5d02fd59fea9313b5652b52c41546bc66f
parent	4c3a492259ceefe3d02df690d4369291627883a2 (diff)
download	samba-c634a143a876bd5a724d830c54fe12ef6d68d5fd.tar.gz