Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/seal.c | 31 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 5 |
2 files changed, 34 insertions, 2 deletions
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 9910a84f4c..8283346c28 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -385,8 +385,36 @@ NTSTATUS srv_request_encryption_setup(unsigned char **ppdata, size_t *p_data_siz
 Negotiation was successful - turn on server-side encryption.
 ******************************************************************************/
-void srv_encryption_start(void)
+static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
 {
+ if (!ec || !ec->es) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
+ if ((ec->es->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) !=
+ (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ /* Todo - check gssapi case. */
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+ Negotiation was successful - turn on server-side encryption.
+******************************************************************************/
+
+NTSTATUS srv_encryption_start(void)
+{
+ NTSTATUS status;
+
+ /* Check that we are really doing sign+seal. */
+ status = check_enc_good(partial_srv_trans_enc_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
 /* Throw away the context we're using currently (if any). */
 srv_free_encryption_context(&srv_trans_enc_ctx);
@@ -395,6 +423,7 @@ void srv_encryption_start(void)
 srv_trans_enc_ctx->es->enc_on = True;
 partial_srv_trans_enc_ctx = NULL;
+ return NT_STATUS_OK;
 }
 /******************************************************************************
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 25fd6621e9..158642a588 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
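Review bot: check_enc_good() in source3/smbd/seal.c verifies only the NTLM case; for any other `smb_enc_type` the `/* Todo - check gssapi case. */` path falls through to `return NT_STATUS_OK`, so srv_encryption_start() still sets `enc_on` for a GSSAPI context without confirming that integrity and confidentiality were both negotiated. The GSSAPI branch should make the equivalent check (the established context's flags should include `GSS_C_INTEG_FLAG` and `GSS_C_CONF_FLAG`), and an unrecognised type is safer rejected than accepted. The NTLM branch also dereferences `ec->es->ntlmssp_state` after testing only `ec` and `ec->es`; if that pointer can be NULL on a partially set-up context, add `if (!ec->es->ntlmssp_state) { return NT_STATUS_LOGON_FAILURE; }` before reading `neg_flags`.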
@@ -2781,7 +2781,10 @@ cap_low = 0x%x, cap_high = 0x%x\n",
 if (NT_STATUS_IS_OK(status)) {
 /* Server-side transport encryption is now *on*. */
- srv_encryption_start();
+ status = srv_encryption_start();
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_server_cleanly("Failure in setting up encrypted transport");
+ }
 }
 return -1;
 } |
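Review bot: The NTSTATUS returned by srv_encryption_start() is discarded before `exit_server_cleanly("Failure in setting up encrypted transport")`, so the log will not show whether the transport was refused for a missing context or because sign+seal was not negotiated. Logging it first, e.g. `DEBUG(0, ("srv_encryption_start failed: %s\n", nt_errstr(status)));`, gives operators something to correlate with a client that requested encryption without sealing. The enclosing function starts and ends outside this hunk, so whether a reply has already gone to the client at this point cannot be confirmed from here.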