Added the "required" keyword to the "client signing" parameter to force it

on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)

7 files changed, 58 insertions, 20 deletions

diff --git a/source3/include/client.h b/source3/include/client.h
index f3f4ef109a..fad2c099b9 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -66,7 +66,7 @@ typedef struct smb_sign_info {
 	BOOL negotiated_smb_signing;
 	BOOL allow_smb_signing;
 	BOOL doing_signing;
-	BOOL mandetory_signing;
+	BOOL mandatory_signing;
 } smb_sign_info;
 
 struct cli_state {
diff --git a/source3/include/smb.h b/source3/include/smb.h
index f18391516f..d2714e78bc 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -45,6 +45,7 @@
 #define False (0)
 #define True (1)
 #define Auto (2)
+#define Required (3)
 
 #ifndef _BOOL
 typedef int BOOL;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 8c02c4fdfe..fa9af19bf5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 	ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
 
 	if (cli->sign_info.negotiated_smb_signing 
-	    || cli->sign_info.mandetory_signing) {
+	    || cli->sign_info.mandatory_signing) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 	}
@@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli)
 				    smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
 		}
 
-		if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
+		if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
+			/* Fail if signing is mandatory and we don't want to support it. */
+			if (!lp_client_signing()) {
+				DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
+				return False;
+			}
 			cli->sign_info.negotiated_smb_signing = True;
+		}
 
 		if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
 			cli->sign_info.negotiated_smb_signing = True;
 
+		/* Fail if signing is mandatory and the server doesn't support it. */
+		if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
+			DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+			return False;
+		}
+
 	} else if (cli->protocol >= PROTOCOL_LANMAN1) {
 		cli->use_spnego = False;
 		cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 93fa94c1db..58c5ad8cd3 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -261,6 +261,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
 
 	if (lp_client_signing()) 
 		cli->sign_info.allow_smb_signing = True;
+
+	if (lp_client_signing() == Required) 
+		cli->sign_info.mandatory_signing = True;
                                    
 	if (!cli->outbuf || !cli->inbuf)
                 goto error;
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 466f32cb92..d4f77bf07c 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -72,7 +72,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
 static BOOL cli_set_smb_signing_common(struct cli_state *cli) 
 {
 	if (!cli->sign_info.negotiated_smb_signing 
-	    && !cli->sign_info.mandetory_signing) {
+	    && !cli->sign_info.mandatory_signing) {
 		return False;
 	}
 
@@ -96,7 +96,7 @@ static BOOL cli_set_smb_signing_common(struct cli_state *cli)
 
 static BOOL cli_set_smb_signing_real_common(struct cli_state *cli) 
 {
-	if (cli->sign_info.mandetory_signing) {
+	if (cli->sign_info.mandatory_signing) {
 		DEBUG(5, ("Mandatory SMB signing enabled!\n"));
 		cli->sign_info.doing_signing = True;
 	}
@@ -458,4 +458,3 @@ BOOL cli_check_sign_mac(struct cli_state *cli)
 
 	return True;
 }
-
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9194274a61..dd429fa688 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -291,7 +291,7 @@ typedef struct
 	BOOL bKernelChangeNotify;
 	int restrict_anonymous;
 	int name_cache_timeout;
-	BOOL client_signing;
+	int client_signing;
 	param_opt_struct *param_opt;
 }
 global;
@@ -687,6 +687,25 @@ static const struct enum_list enum_csc_policy[] = {
 	{-1, NULL}
 };
 
+/* SMB signing types. */
+static const struct enum_list enum_smb_signing_vals[] = {
+	{False, "No"},
+	{False, "False"},
+	{False, "0"},
+	{False, "Off"},
+	{True, "Yes"},
+	{True, "True"},
+	{True, "1"},
+	{True, "On"},
+	{Required, "Required"},
+	{Required, "Mandatory"},
+	{Required, "Force"},
+	{Required, "Forced"},
+	{Required, "Enforced"},
+	{-1, NULL}
+};
+
+
 /* 
    Do you want session setups at user level security with a invalid
    password to be rejected or allowed in as guest? WinNT rejects them
@@ -874,7 +893,7 @@ static struct parm_struct parm_table[] = {
 	{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
-	{"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+	{"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
 
 	{"Tuning Options", P_SEP, P_SEPARATOR},
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 2631961739..7d77ed3071 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -53,10 +53,10 @@ static NTSTATUS do_map_to_guest(NTSTATUS status, auth_serversupplied_info **serv
 	return status;
 }
 
-
 /****************************************************************************
  Add the standard 'Samba' signature to the end of the session setup.
 ****************************************************************************/
+
 static int add_signature(char *outbuf, char *p)
 {
 	char *start = p;
@@ -72,8 +72,9 @@ static int add_signature(char *outbuf, char *p)
 }
 
 /****************************************************************************
-send a security blob via a session setup reply
+ Send a security blob via a session setup reply.
 ****************************************************************************/
+
 static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
 				 DATA_BLOB blob, NTSTATUS nt_status)
 {
@@ -101,6 +102,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
 /****************************************************************************
  Do a 'guest' logon, getting back the 
 ****************************************************************************/
+
 static NTSTATUS check_guest_password(auth_serversupplied_info **server_info) 
 {
 	struct auth_context *auth_context;
@@ -267,12 +269,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
 }
 #endif
 
-
 /****************************************************************************
- send a session setup reply, wrapped in SPNEGO.
- get vuid and check first.
- end the NTLMSSP exchange context if we are OK/complete fail
+ Send a session setup reply, wrapped in SPNEGO.
+ Get vuid and check first.
+ End the NTLMSSP exchange context if we are OK/complete fail
 ***************************************************************************/
+
 static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
 				 AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
 				 DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status) 
@@ -326,8 +328,9 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
 }
 
 /****************************************************************************
-reply to a session setup spnego negotiate packet
+ Reply to a session setup spnego negotiate packet.
 ****************************************************************************/
+
 static int reply_spnego_negotiate(connection_struct *conn, 
 				  char *inbuf,
 				  char *outbuf,
@@ -387,11 +390,11 @@ static int reply_spnego_negotiate(connection_struct *conn,
 	/* already replied */
 	return -1;
 }
-
 	
 /****************************************************************************
-reply to a session setup spnego auth packet
+ Reply to a session setup spnego auth packet.
 ****************************************************************************/
+
 static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
 			     int length, int bufsize,
 			     DATA_BLOB blob1)
@@ -425,10 +428,10 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
 	return -1;
 }
 
-
 /****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
 ****************************************************************************/
+
 static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
 					char *outbuf,
 					int length,int bufsize)
@@ -509,8 +512,9 @@ static void setup_new_vc_session(void)
 }
 
 /****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
 ****************************************************************************/
+
 int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 			  int length,int bufsize)
 {