author | Stefan Metzmacher <metze@samba.org> | 2014-04-15 10:08:12 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-04-16 10:07:56 +0200 |
commit | a56c35a4deec9745ff27a66ddc85db48c5dfaf97 (patch) | |
tree | b0f88e5f593f67a2a17d56b8e1b1cc248ee07ede /source3/smbd | |
parent | 6d6bd9612c758906f575aa8269adc672c5976f4a (diff) | |
download | samba-a56c35a4deec9745ff27a66ddc85db48c5dfaf97.tar.gz |
s3:smbd: always allow SMB1 signing, but only announce it if configured.
Always allow the client to turn on SMB1 signing using
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/negprot.c | 6 | ||||
-rw-r--r-- | source3/smbd/signing.c | 7 |
2 files changed, 8 insertions, 5 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index f470d0b0571..4cd12d82d47 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 struct timespec ts;
 ssize_t ret;
 struct smbd_server_connection *sconn = req->sconn;
- bool signing_enabled = false;
+ bool signing_desired = false;
 bool signing_required = false;
 sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
 }
- signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+ signing_desired = smb_signing_is_desired(req->sconn->smb1.signing_state);
 signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
- if (signing_enabled) {
+ if (signing_desired) {
 secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 /* No raw mode with smb signing. */
 capabilities &= ~CAP_RAW_MODE;
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 295c9f1b790..b7683cdc9d0 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
 bool srv_init_signing(struct smbd_server_connection *conn)
 {
- bool allowed;
+ bool allowed = true;
 bool desired;
 bool mandatory = false;
@@ -186,9 +186,12 @@ bool srv_init_signing(struct smbd_server_connection *conn)
 * This matches Windows behavior and is needed
 * because not every client that requires signing
 * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
+ *
+ * Note that we'll always allow signing if the client
+ * does send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
 */
- allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+ desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
 talloc_unlink(conn, lp_ctx);
 if (lp_async_smb_echo_handler()) { |
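Review bot: In the second negprot.c hunk, clearing `CAP_RAW_MODE` stays tied to the announce decision (`if (signing_desired)`), although the commit message says a client may now turn signing on even when the server does not announce it. In that case the server still advertises raw mode on a connection that can end up signed, which sits uneasily with the retained comment `/* No raw mode with smb signing. */`. Please confirm that the raw read/write handlers refuse requests once signing is active on the connection, and record that here, for example `/* Raw mode stays advertised when signing is allowed but not announced; raw requests must be rejected once signing becomes active. */`. reply_nt1 starts and ends outside the hunk, so any later handling of `capabilities` is not visible.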
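Review bot: In srv_init_signing (signing.c), `allowed` is now a constant `true`, so the value returned by `lpcfg_server_signing_allowed()` only feeds `desired`, and the configuration can apparently no longer keep a client from enabling SMB1 signing. The helper's name still says "allowed", which makes the second hunk's `desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);` easy to misread. A short comment next to that assignment would help, such as `/* the configured "allowed" value now only controls whether we announce signing */`, and the option's documentation should state the new meaning. How `allowed` is consumed lies outside both hunks, so it is worth confirming that nothing downstream still treats it as the administrator's setting.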