authorJeremy Allison <jra@samba.org>2003-07-30 23:49:29 +0000
committerJeremy Allison <jra@samba.org>2003-07-30 23:49:29 +0000
commit29ca70cd34d3ba927ea1a9915ebd247f64965bd5 (patch)
tree6771fb7dbb2efbf224c46cb8ce9010c20f799d15
parentd6ee1d167c81d3b632af0415445745a180d58b3c (diff)
Add a command line option (-S on|off|required) to enable signing on client
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
-rw-r--r--source3/auth/auth_domain.c2
-rw-r--r--source3/client/client.c2
-rw-r--r--source3/client/smbspool.c2
-rw-r--r--source3/include/popt_common.h1
-rw-r--r--source3/include/smb.h1
-rw-r--r--source3/lib/popt_common.c25
-rw-r--r--source3/libsmb/cliconnect.c9
-rw-r--r--source3/libsmb/clientgen.c21
-rw-r--r--source3/libsmb/trusts_util.c2
-rw-r--r--source3/nsswitch/winbindd_cm.c3
-rw-r--r--source3/python/py_common.c2
-rw-r--r--source3/rpcclient/rpcclient.c3
-rw-r--r--source3/smbd/change_trust_pw.c2
-rw-r--r--source3/torture/locktest2.c2
-rw-r--r--source3/torture/torture.c4
-rw-r--r--source3/utils/net.c4
-rw-r--r--source3/utils/net_ads.c2
-rw-r--r--source3/utils/smbcacls.c3
-rw-r--r--source3/utils/smbcquotas.c3
19 files changed, 72 insertions, 21 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index e2fc273479..aacea261fe 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -69,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
/* Attempt connection */
*retry = True;
result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0,
- "IPC$", "IPC", "", "", "", 0, retry);
+ "IPC$", "IPC", "", "", "", 0, Undefined, retry);
if (!NT_STATUS_IS_OK(result)) {
/* map to something more useful */
diff --git a/source3/client/client.c b/source3/client/client.c
index 5319a5ebf5..e17ae82c0a 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2529,6 +2529,8 @@ static struct cli_state *do_connect(const char *server, const char *share)
c->protocol = max_protocol;
c->use_kerberos = use_kerberos;
+ cli_setup_signing_state(c, cmdline_auth_info.signing_state);
+
if (!cli_session_request(c, &calling, &called)) {
char *p;
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 68165792da..5daefec5a5 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -282,7 +282,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
get_myname(myname);
nt_status = cli_full_connection(&c, myname, server, NULL, 0, share, "?????",
- username, workgroup, password, 0, NULL);
+ username, workgroup, password, 0, Undefined, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: Connection failed with error %s\n", nt_errstr(nt_status));
diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
index 57850bf682..6db30fbc0a 100644
--- a/source3/include/popt_common.h
+++ b/source3/include/popt_common.h
@@ -41,6 +41,7 @@ struct user_auth_info {
pstring password;
BOOL got_pass;
BOOL use_kerberos;
+ int signing_state;
};
extern struct user_auth_info cmdline_auth_info;
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 6a1d816898..deeb61034d 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -42,6 +42,7 @@
#define SMB_PORT2 139
#define SMB_PORTS "445 139"
+#define Undefined (-1)
#define False (0)
#define True (1)
#define Auto (2)
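Review bot: `Undefined` joins the `False`/`True`/`Auto` family but is non-zero, so a truthiness test such as `if (signing_state)` or `if (!signing_state)` would read "not set" as "enabled". The callers visible in this commit compare explicitly (`signing_state == Undefined`), which is the safe form. A comment on the define would keep later code from regressing, for example `/* "Not set by the caller"; compare with ==, never test for truth or store in a BOOL. */`.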
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index b8e77b2d9e..af1cbcfe80 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -258,19 +258,21 @@ static void get_credentials_file(const char *file, struct user_auth_info *info)
* -A,--authentication-file
* -k,--use-kerberos
* -N,--no-pass
+ * -S,--signing
*/
static void popt_common_credentials_callback(poptContext con,
- enum poptCallbackReason reason,
- const struct poptOption *opt,
- const char *arg, const void *data)
+ enum poptCallbackReason reason,
+ const struct poptOption *opt,
+ const char *arg, const void *data)
{
char *p;
if (reason == POPT_CALLBACK_REASON_PRE) {
cmdline_auth_info.use_kerberos = False;
cmdline_auth_info.got_pass = False;
+ cmdline_auth_info.signing_state = Undefined;
pstrcpy(cmdline_auth_info.username, "GUEST");
if (getenv("LOGNAME"))pstrcpy(cmdline_auth_info.username,getenv("LOGNAME"));
@@ -327,6 +329,22 @@ static void popt_common_credentials_callback(poptContext con,
cmdline_auth_info.got_pass = True;
#endif
break;
+
+ case 'S':
+ {
+ cmdline_auth_info.signing_state = -1;
+ if (strequal(arg, "off") || strequal(arg, "no") || strequal(arg, "false"))
+ cmdline_auth_info.signing_state = False;
+ else if (strequal(arg, "on") || strequal(arg, "yes") || strequal(arg, "true"))
+ cmdline_auth_info.signing_state = True;
+ else if (strequal(arg, "force") || strequal(arg, "required") || strequal(arg, "forced"))
+ cmdline_auth_info.signing_state = Required;
+ else {
+ fprintf(stderr, "Unknown signing option %s\n", arg );
+ exit(1);
+ }
+ }
+ break;
}
}
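Review bot: The `case 'S'` branch resets the state with the literal `-1`, although this commit introduces `Undefined` for that value and the PRE branch of the same callback uses it. Writing `cmdline_auth_info.signing_state = Undefined;` keeps the two in step if the define ever changes. The parser also accepts `no`/`false`/`yes`/`true`/`force`/`forced`, while the option-table entry added in the next hunk documents only `on|off|required`, so the help string and the accepted set should be made to agree. The callback's body starts outside this hunk.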
@@ -338,5 +356,6 @@ struct poptOption popt_common_credentials[] = {
{ "no-pass", 'N', POPT_ARG_NONE, &cmdline_auth_info.got_pass, 0, "Don't ask for a password" },
{ "kerberos", 'k', POPT_ARG_NONE, &cmdline_auth_info.use_kerberos, 'k', "Use kerberos (active directory) authentication" },
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
+ { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
POPT_TABLEEND
};
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 8873c1fdc8..94fe04a480 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -995,7 +995,7 @@ BOOL cli_negprot(struct cli_state *cli)
cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot;
- if ((cli->protocol < PROTOCOL_NT1) && (lp_client_signing() == Required)) {
+ if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) {
DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n"));
return False;
}
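Review bot: The mandatory-signing refusal now depends on `cli->sign_info.mandatory_signing` having been seeded from the `client signing` setting before `cli_negprot` runs, and none of the visible hunks shows that seeding. The same applies to the `allow_smb_signing` test in the hunk at -1026. If any path builds a `cli_state` without that initialisation, a configured requirement would no longer be enforced here, because the old code read `lp_client_signing()` directly. A short comment above the check would record the dependency, for example `/* sign_info is seeded from "client signing" at init and may be overridden by cli_setup_signing_state(). */`. The body of `cli_negprot` extends beyond the hunk.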
@@ -1026,7 +1026,7 @@ BOOL cli_negprot(struct cli_state *cli)
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
/* Fail if signing is mandatory and we don't want to support it. */
- if (!lp_client_signing()) {
+ if (!cli->sign_info.allow_smb_signing) {
DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
return False;
}
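Review bot: This branch handles a server that requires signing, but nothing visible rejects the opposite case: `cli->sign_info.mandatory_signing` is set (for example via `-S required`) and the server negotiates NT1 without offering signing. The protocol-level check in the previous hunk only covers dialects below `PROTOCOL_NT1`. If the rest of `cli_negprot`, which is outside the hunk, has no such check, a client that asked for required signing could end up on an unsigned session. That is worth confirming, and if the check is missing the negotiation should fail there with a `DEBUG(1, ...)` message in the style of the two above.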
@@ -1259,6 +1259,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli,
const char *service, const char *service_type,
const char *user, const char *domain,
const char *password, int flags,
+ int signing_state,
BOOL *retry)
{
struct ntuser_creds creds;
@@ -1321,6 +1322,8 @@ again:
return NT_STATUS_UNSUCCESSFUL;
}
+ cli_setup_signing_state(cli, signing_state);
+
if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO)
cli->use_spnego = False;
else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS)
@@ -1491,7 +1494,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip,
nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC",
user_info->username, lp_workgroup(), user_info->password,
- CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, NULL);
+ CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return cli;
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index cd9edb1cc9..cdda2eb224 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -209,6 +209,27 @@ void cli_init_creds(struct cli_state *cli, const struct ntuser_creds *usr)
}
/****************************************************************************
+ Set the signing state (used from the command line).
+****************************************************************************/
+
+void cli_setup_signing_state(struct cli_state *cli, int signing_state)
+{
+ if (signing_state == Undefined)
+ return;
+
+ if (signing_state == False) {
+ cli->sign_info.allow_smb_signing = False;
+ cli->sign_info.mandatory_signing = False;
+ return;
+ }
+
+ cli->sign_info.allow_smb_signing = True;
+
+ if (signing_state == Required)
+ cli->sign_info.mandatory_signing = True;
+}
+
+/****************************************************************************
Initialise a client structure.
****************************************************************************/
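Review bot: In `cli_setup_signing_state` the `signing_state == False` branch clears `mandatory_signing` with no log output, so `-S off` can silently relax a signing requirement set in smb.conf. A line such as `DEBUG(3,("cli_setup_signing_state: signing disabled by caller\n"));` in that branch would leave a trace. The fall-through path sets `allow_smb_signing` for every other value, including `Auto` or an out-of-range int. For `True` it leaves `mandatory_signing` at its previous value, so `-S on` does not fully override a configured mandatory setting as the commit message suggests. The header comment should state the effect of each of `Undefined`, `False`, `True` and `Required`.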
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 77e63709aa..610f4b3c03 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -154,7 +154,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
/* setup the anonymous connection */
result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC",
- "", "", "", 0, &retry);
+ "", "", "", 0, Undefined, &retry);
if ( !NT_STATUS_IS_OK(result) )
goto done;
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index f9da38660d..dbc3062edd 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -152,7 +152,8 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller,
&dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain,
- ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, &retry);
+ ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK,
+ Undefined, &retry);
secrets_named_mutex_release(new_conn->controller);
diff --git a/source3/python/py_common.c b/source3/python/py_common.c
index ea092d9370..02d22bbdab 100644
--- a/source3/python/py_common.c
+++ b/source3/python/py_common.c
@@ -223,7 +223,7 @@ struct cli_state *open_pipe_creds(char *server, PyObject *creds,
result = cli_full_connection(
&cli, NULL, server, NULL, 0, "IPC$", "IPC",
- username, domain, password, 0, NULL);
+ username, domain, password, 0, Undefined, NULL);
if (!NT_STATUS_IS_OK(result)) {
*errstr = strdup("error connecting to IPC$ pipe");
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index b4c4d2a9cb..831d2beaa4 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -726,7 +726,8 @@ out_free:
opt_ipaddr ? &server_ip : NULL, 0,
"IPC$", "IPC",
cmdline_auth_info.username, lp_workgroup(),
- cmdline_auth_info.password, 0, NULL);
+ cmdline_auth_info.password, 0,
+ cmdline_auth_info.signing_state,NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("Cannot connect to server. Error was %s\n", nt_errstr(nt_status)));
diff --git a/source3/smbd/change_trust_pw.c b/source3/smbd/change_trust_pw.c
index 4993e285ca..2eff77b1f7 100644
--- a/source3/smbd/change_trust_pw.c
+++ b/source3/smbd/change_trust_pw.c
@@ -58,7 +58,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
NULL, 0,
"IPC$", "IPC",
"", "",
- "", 0, NULL)))
+ "", 0, Undefined, NULL)))
{
DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
nt_status = NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/torture/locktest2.c b/source3/torture/locktest2.c
index 29b3c7c4b2..5fbaf9ec58 100644
--- a/source3/torture/locktest2.c
+++ b/source3/torture/locktest2.c
@@ -177,7 +177,7 @@ static struct cli_state *connect_one(char *share)
nt_status = cli_full_connection(&c, myname, server_n, NULL, 0, share, "?????",
username, lp_workgroup(), password, 0,
- NULL);
+ Undefined, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("cli_full_connection failed with error %s\n", nt_errstr(nt_status)));
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 0be79d04a9..d20c48d645 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -159,7 +159,7 @@ BOOL torture_open_connection(struct cli_state **c)
host, NULL, port_to_use,
share, "?????",
username, workgroup,
- password, flags, &retry);
+ password, flags, Undefined, &retry);
if (!NT_STATUS_IS_OK(status)) {
return False;
}
@@ -1128,7 +1128,7 @@ static BOOL run_tcon_devtype_test(int dummy)
host, NULL, port_to_use,
NULL, NULL,
username, workgroup,
- password, flags, &retry);
+ password, flags, Undefined, &retry);
if (!NT_STATUS_IS_OK(status)) {
printf("could not open connection\n");
diff --git a/source3/utils/net.c b/source3/utils/net.c
index a22d34a720..8f6b09a3fa 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -141,7 +141,7 @@ NTSTATUS connect_to_ipc(struct cli_state **c, struct in_addr *server_ip,
server_ip, opt_port,
"IPC$", "IPC",
opt_user_name, opt_workgroup,
- opt_password, 0, NULL);
+ opt_password, 0, Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return nt_status;
@@ -171,7 +171,7 @@ NTSTATUS connect_to_ipc_anonymous(struct cli_state **c,
server_ip, opt_port,
"IPC$", "IPC",
"", "",
- "", 0, NULL);
+ "", 0, Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index edf5ec37c2..631e235127 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -848,7 +848,7 @@ static int net_ads_printer_publish(int argc, const char **argv)
opt_user_name, opt_workgroup,
opt_password ? opt_password : "",
CLI_FULL_CONNECTION_USE_KERBEROS,
- NULL);
+ Undefined, NULL);
if (NT_STATUS_IS_ERR(nt_status)) {
d_printf("Unable to open a connnection to %s to obtain data "
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index 69dc2dd47a..c90c042106 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -724,7 +724,8 @@ static struct cli_state *connect_one(const char *share)
&ip, 0,
share, "?????",
cmdline_auth_info.username, lp_workgroup(),
- cmdline_auth_info.password, 0, NULL))) {
+ cmdline_auth_info.password, 0,
+ cmdline_auth_info.signing_state, NULL))) {
return c;
} else {
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index 9c7379ca2a..64321d5bfc 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -371,7 +371,8 @@ static struct cli_state *connect_one(const char *share)
&ip, 0,
share, "?????",
cmdline_auth_info.username, lp_workgroup(),
- cmdline_auth_info.password, 0, NULL))) {
+ cmdline_auth_info.password, 0,
+ cmdline_auth_info.signing_state, NULL))) {
return c;
} else {
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));