summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-07-15 23:05:57 +0000
committerJeremy Allison <jra@samba.org>2003-07-15 23:05:57 +0000
commitc44a9d25a2bfff9d5ebede80f30e13e41aca797c (patch)
tree11dcb00a982f123ea0dd60bafe3e064a7e51d371
parent39de3249b0676a65cfbce23484d964f1e3334baa (diff)
downloadsamba-c44a9d25a2bfff9d5ebede80f30e13e41aca797c.tar.gz
samba-c44a9d25a2bfff9d5ebede80f30e13e41aca797c.tar.bz2
samba-c44a9d25a2bfff9d5ebede80f30e13e41aca797c.zip
Added the "required" keyword to the "client signing" parameter to force it
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
-rw-r--r--source3/include/client.h2
-rw-r--r--source3/include/smb.h1
-rw-r--r--source3/libsmb/cliconnect.c16
-rw-r--r--source3/libsmb/clientgen.c3
-rw-r--r--source3/libsmb/smb_signing.c5
-rw-r--r--source3/param/loadparm.c23
-rw-r--r--source3/smbd/sesssetup.c28
7 files changed, 58 insertions, 20 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index f3f4ef109a..fad2c099b9 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -66,7 +66,7 @@ typedef struct smb_sign_info {
BOOL negotiated_smb_signing;
BOOL allow_smb_signing;
BOOL doing_signing;
- BOOL mandetory_signing;
+ BOOL mandatory_signing;
} smb_sign_info;
struct cli_state {
diff --git a/source3/include/smb.h b/source3/include/smb.h
index f18391516f..d2714e78bc 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -45,6 +45,7 @@
#define False (0)
#define True (1)
#define Auto (2)
+#define Required (3)
#ifndef _BOOL
typedef int BOOL;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 8c02c4fdfe..fa9af19bf5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
if (cli->sign_info.negotiated_smb_signing
- || cli->sign_info.mandetory_signing) {
+ || cli->sign_info.mandatory_signing) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
@@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli)
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
}
- if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
+ /* Fail if signing is mandatory and we don't want to support it. */
+ if (!lp_client_signing()) {
+ DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
+ return False;
+ }
cli->sign_info.negotiated_smb_signing = True;
+ }
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
cli->sign_info.negotiated_smb_signing = True;
+ /* Fail if signing is mandatory and the server doesn't support it. */
+ if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
+ DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+ return False;
+ }
+
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
cli->use_spnego = False;
cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 93fa94c1db..58c5ad8cd3 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -261,6 +261,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
if (lp_client_signing())
cli->sign_info.allow_smb_signing = True;
+
+ if (lp_client_signing() == Required)
+ cli->sign_info.mandatory_signing = True;
if (!cli->outbuf || !cli->inbuf)
goto error;
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 466f32cb92..d4f77bf07c 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -72,7 +72,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
static BOOL cli_set_smb_signing_common(struct cli_state *cli)
{
if (!cli->sign_info.negotiated_smb_signing
- && !cli->sign_info.mandetory_signing) {
+ && !cli->sign_info.mandatory_signing) {
return False;
}
@@ -96,7 +96,7 @@ static BOOL cli_set_smb_signing_common(struct cli_state *cli)
static BOOL cli_set_smb_signing_real_common(struct cli_state *cli)
{
- if (cli->sign_info.mandetory_signing) {
+ if (cli->sign_info.mandatory_signing) {
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
cli->sign_info.doing_signing = True;
}
@@ -458,4 +458,3 @@ BOOL cli_check_sign_mac(struct cli_state *cli)
return True;
}
-
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9194274a61..dd429fa688 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -291,7 +291,7 @@ typedef struct
BOOL bKernelChangeNotify;
int restrict_anonymous;
int name_cache_timeout;
- BOOL client_signing;
+ int client_signing;
param_opt_struct *param_opt;
}
global;
@@ -687,6 +687,25 @@ static const struct enum_list enum_csc_policy[] = {
{-1, NULL}
};
+/* SMB signing types. */
+static const struct enum_list enum_smb_signing_vals[] = {
+ {False, "No"},
+ {False, "False"},
+ {False, "0"},
+ {False, "Off"},
+ {True, "Yes"},
+ {True, "True"},
+ {True, "1"},
+ {True, "On"},
+ {Required, "Required"},
+ {Required, "Mandatory"},
+ {Required, "Force"},
+ {Required, "Forced"},
+ {Required, "Enforced"},
+ {-1, NULL}
+};
+
+
/*
Do you want session setups at user level security with a invalid
password to be rejected or allowed in as guest? WinNT rejects them
@@ -874,7 +893,7 @@ static struct parm_struct parm_table[] = {
{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
- {"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
{"Tuning Options", P_SEP, P_SEPARATOR},
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 2631961739..7d77ed3071 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -53,10 +53,10 @@ static NTSTATUS do_map_to_guest(NTSTATUS status, auth_serversupplied_info **serv
return status;
}
-
/****************************************************************************
Add the standard 'Samba' signature to the end of the session setup.
****************************************************************************/
+
static int add_signature(char *outbuf, char *p)
{
char *start = p;
@@ -72,8 +72,9 @@ static int add_signature(char *outbuf, char *p)
}
/****************************************************************************
-send a security blob via a session setup reply
+ Send a security blob via a session setup reply.
****************************************************************************/
+
static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
DATA_BLOB blob, NTSTATUS nt_status)
{
@@ -101,6 +102,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
/****************************************************************************
Do a 'guest' logon, getting back the
****************************************************************************/
+
static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
{
struct auth_context *auth_context;
@@ -267,12 +269,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
}
#endif
-
/****************************************************************************
- send a session setup reply, wrapped in SPNEGO.
- get vuid and check first.
- end the NTLMSSP exchange context if we are OK/complete fail
+ Send a session setup reply, wrapped in SPNEGO.
+ Get vuid and check first.
+ End the NTLMSSP exchange context if we are OK/complete fail
***************************************************************************/
+
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
@@ -326,8 +328,9 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
}
/****************************************************************************
-reply to a session setup spnego negotiate packet
+ Reply to a session setup spnego negotiate packet.
****************************************************************************/
+
static int reply_spnego_negotiate(connection_struct *conn,
char *inbuf,
char *outbuf,
@@ -387,11 +390,11 @@ static int reply_spnego_negotiate(connection_struct *conn,
/* already replied */
return -1;
}
-
/****************************************************************************
-reply to a session setup spnego auth packet
+ Reply to a session setup spnego auth packet.
****************************************************************************/
+
static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
int length, int bufsize,
DATA_BLOB blob1)
@@ -425,10 +428,10 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
return -1;
}
-
/****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
****************************************************************************/
+
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
char *outbuf,
int length,int bufsize)
@@ -509,8 +512,9 @@ static void setup_new_vc_session(void)
}
/****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
****************************************************************************/
+
int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
int length,int bufsize)
{