summaryrefslogtreecommitdiff
path: root/libcli/smb
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2015-09-30 21:23:25 +0200
committerKarolin Seeger <kseeger@samba.org>2015-12-10 10:23:30 +0100
commita819d2b440aafa3138d95ff6e8b824da885a70e9 (patch)
treeb7de078b4ee72f80bac66b26dbac629f42ed865e /libcli/smb
parent1ba49b8f389eda3414b14410c7fbcb4041ca06b1 (diff)
downloadsamba-a819d2b440aafa3138d95ff6e8b824da885a70e9.tar.gz
CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli/smb')
-rw-r--r--libcli/smb/smbXcli_base.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 6fe4816c3b5..505d40dd4f5 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5446,6 +5446,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
if (conn->mandatory_signing) {
security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
}
+ if (session->smb2->should_sign) {
+ security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ }
return security_mode;
}
@@ -5877,6 +5880,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
{
+ if (!session->smb2->should_sign) {
+ /*
+ * We need required signing on the session
+ * in order to prevent man in the middle attacks.
+ */
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
if (session->smb2->should_encrypt) {
return NT_STATUS_OK;
}
View Lorry Controller Status