diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-09-30 21:23:25 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2015-12-10 11:10:54 +0100 |
commit | c634a143a876bd5a724d830c54fe12ef6d68d5fd (patch) | |
tree | 0518dd5d02fd59fea9313b5652b52c41546bc66f /libcli/smb | |
parent | 4c3a492259ceefe3d02df690d4369291627883a2 (diff) | |
download | samba-c634a143a876bd5a724d830c54fe12ef6d68d5fd.tar.gz |
CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli/smb')
-rw-r--r-- | libcli/smb/smbXcli_base.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 5063e591784..546ce40e874 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4754,6 +4754,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session) if (conn->mandatory_signing) { security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; } + if (session->smb2->should_sign) { + security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; + } return security_mode; } @@ -5031,6 +5034,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session) { + if (!session->smb2->should_sign) { + /* + * We need required signing on the session + * in order to prevent man in the middle attacks. + */ + return NT_STATUS_INVALID_PARAMETER_MIX; + } + if (session->smb2->should_encrypt) { return NT_STATUS_OK; } |