Add a command line option (-S on|off|required) to enable signing on client

connections. Overrides smb.conf parameter if set.
Jeremy.
(This used to be commit 879309671df6b530e0bff69559422a417da4a307)

3 files changed, 28 insertions, 4 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 8873c1fdc8..94fe04a480 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -995,7 +995,7 @@ BOOL cli_negprot(struct cli_state *cli)
 
 	cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot;	
 
-	if ((cli->protocol < PROTOCOL_NT1) && (lp_client_signing() == Required)) {
+	if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) {
 		DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n"));
 		return False;
 	}
@@ -1026,7 +1026,7 @@ BOOL cli_negprot(struct cli_state *cli)
 
 		if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
 			/* Fail if signing is mandatory and we don't want to support it. */
-			if (!lp_client_signing()) {
+			if (!cli->sign_info.allow_smb_signing) {
 				DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
 				return False;
 			}
@@ -1259,6 +1259,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli,
 			     const char *service, const char *service_type,
 			     const char *user, const char *domain, 
 			     const char *password, int flags,
+			     int signing_state,
 			     BOOL *retry) 
 {
 	struct ntuser_creds creds;
@@ -1321,6 +1322,8 @@ again:
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
+	cli_setup_signing_state(cli, signing_state);
+
 	if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO)
 		cli->use_spnego = False;
 	else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS)
@@ -1491,7 +1494,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip,
 	
 	nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", 
 					user_info->username, lp_workgroup(), user_info->password, 
-					CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, NULL);
+					CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		return cli;
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index cd9edb1cc9..cdda2eb224 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -209,6 +209,27 @@ void cli_init_creds(struct cli_state *cli, const struct ntuser_creds *usr)
 }
 
 /****************************************************************************
+ Set the signing state (used from the command line).
+****************************************************************************/
+
+void cli_setup_signing_state(struct cli_state *cli, int signing_state)
+{
+	if (signing_state == Undefined)
+		return;
+
+	if (signing_state == False) {
+		cli->sign_info.allow_smb_signing = False;
+		cli->sign_info.mandatory_signing = False;
+		return;
+	}
+
+	cli->sign_info.allow_smb_signing = True;
+
+	if (signing_state == Required) 
+		cli->sign_info.mandatory_signing = True;
+}
+
+/****************************************************************************
  Initialise a client structure.
 ****************************************************************************/
 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 77e63709aa..610f4b3c03 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -154,7 +154,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
 	/* setup the anonymous connection */
 
 	result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC",
-		"", "", "", 0, &retry);
+		"", "", "", 0, Undefined, &retry);
 	if ( !NT_STATUS_IS_OK(result) )
 		goto done;