authorStefan Metzmacher <metze@samba.org>2012-08-08 06:25:10 +0200
committerStefan Metzmacher <metze@samba.org>2012-08-09 08:21:35 +0200
commit64dce265338f325e9fdee6b4a95e918d3b704cbf (patch)
treeffd4ffe5a78e426149600bc541b28768579a503b /source3/smbd
parent87348873486b01a0367ff9889d8a7b51b7073e26 (diff)
s3:smb2_sesssetup: set global->encryption_required and enforce it
If the account or client doesn't support encryption we should reject the session setup. metze
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_sesssetup.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 07a168f8f6..6135efcd54 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,6 +190,10 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
x->global->signing_required = true;
}
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+ x->global->encryption_required = true;
+ }
+
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
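Review bot: The added test `lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED` compares an encryption setting against a signing constant, which reads like a copy-paste slip from the signing block directly above it. If the two parameters intentionally share one set of enum values, a comment should say so, for example `/* smb encrypt reuses the signing enum values; -1 selects the global setting */`. The `-1` argument also suggests that only the global value is consulted here, so a requirement configured on a single share would presumably not be enforced at session setup; if that is intended, the same comment should state it. The function body starts and ends outside the hunk.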
@@ -199,6 +203,24 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
guest = true;
}
+ if (guest && x->global->encryption_required) {
+ DEBUG(1,("reject guest session as encryption is required\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
+ if (x->global->encryption_required) {
+ DEBUG(1,("reject session with dialect[0x%04X] "
+ "as encryption is required\n",
+ conn->smb2.server.dialect));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (x->global->encryption_required) {
+ *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
+ }
+
ZERO_STRUCT(session_key);
memcpy(session_key, session_info->session_key.data,
MIN(session_info->session_key.length, sizeof(session_key)));
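Review bot: Both rejection messages added here omit who was rejected, so a level-1 log line cannot be tied to a client or account when someone investigates repeated connection attempts without encryption. Including whatever remote-address and account information the function has in scope would make these lines usable for detection. Separately, the nested capability test can be a single condition, `if (x->global->encryption_required && !(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {`, which states the policy first and removes one level of nesting. The function continues past the end of the hunk.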