authorAndrew Tridgell <tridge@samba.org>2008-06-07 08:14:25 -0700
committerAndrew Tridgell <tridge@samba.org>2008-06-07 08:14:25 -0700
commite4ad580b99c5b372353c285569204ab94c177748 (patch)
tree7543e5b1b306a703fdb311b902134e04d00be6b6 /source4/smb_server/smb2
parent5d5c8a09f07ae441d44f6aaa2fb60a594256fd42 (diff)
fixed mandatory signing
Metze pointed out that if signing is mandatory in the server then we need to reject packets without the signed flag if the packet contains a session id. (This used to be commit 056f16e664e581bab1c07759e99ad4f6685c58eb)
Diffstat (limited to 'source4/smb_server/smb2')
-rw-r--r--source4/smb_server/smb2/negprot.c2
-rw-r--r--source4/smb_server/smb2/receive.c4
-rw-r--r--source4/smb_server/smb2/sesssetup.c3
3 files changed, 7 insertions, 2 deletions
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 2da39001ab..3e6e2e1a43 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -121,6 +121,8 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
break;
case SMB_SIGNING_REQUIRED:
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ /* force signing on immediately */
+ req->smb_conn->doing_signing = true;
break;
}
io->out.dialect_revision = SMB2_DIALECT_REVISION;
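Review bot: The comment `/* force signing on immediately */` in the SMB_SIGNING_REQUIRED case does not explain why it is safe to set `doing_signing` before any session key exists. Judging by this commit's receive.c hunk, enforcement applies only when `req->session != NULL`, so the unsigned negotiate and session-setup exchange are presumably still accepted; that dependency is worth recording here. Something like `/* force signing on immediately; the receive path only rejects unsigned requests once they carry a session */` would do. The switch and smb2srv_negprot_backend both start outside the hunk.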
diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c
index 3def8fe563..2f4e9df2b6 100644
--- a/source4/smb_server/smb2/receive.c
+++ b/source4/smb_server/smb2/receive.c
@@ -321,6 +321,10 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req)
smb2srv_send_error(req, status);
return NT_STATUS_OK;
}
+ } else if (req->smb_conn->doing_signing && req->session != NULL) {
+ /* we require signing and this request was not signed */
+ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
+ return NT_STATUS_OK;
}
/* TODO: check the seqnum */
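Review bot: The new `else if` branch rejects an unsigned request without logging anything, so an operator has no record of a client that skipped signing on an established session. A log line before the error reply, for example `DEBUG(2, ("SMB2: rejecting unsigned request, signing is required\n"));`, would make downgrade attempts and misconfigured clients visible. The `if` this branch attaches to begins outside the hunk, so I am assuming it tests the signed header flag. The condition also lets unsigned requests with `req->session == NULL` through, which looks intentional for negotiate and session setup but should be stated in the comment.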
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index 482dd181c2..9fb3220005 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -181,8 +181,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
/* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client.
This is deliberate as windows does not set it even when it does
set SMB2_NEGOTIATE_SIGNING_REQUIRED */
- if ((io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED) {
+ if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
req->smb_conn->doing_signing = true;
}
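Review bot: With the `lp_server_signing()` test removed, the server-required case now depends entirely on smb2srv_negprot_backend() having set `doing_signing` on this connection, and nothing in this function says so. If any path reaches session setup without passing through that negprot case (I cannot tell from the hunk), mandatory signing would silently go unenforced. The existing comment should gain a line such as `server-side SMB_SIGNING_REQUIRED is applied at negprot time, not here`. smb2srv_sesssetup_backend continues outside the hunk.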