From c682472fdf28894858d14eb95b13cb4214847ecd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 12 Sep 2011 09:16:27 +0200 Subject: s3:libsmb: make use of new advanded SMB signing metze --- source3/libsmb/cliconnect.c | 59 +++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 31 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4ebabceaa7..54cd669c10 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -944,7 +944,6 @@ static struct tevent_req *cli_session_setup_nt1_send( SMBsesskeygen_ntv1(nt_hash, session_key.data); #endif } - cli_temp_set_signing(cli); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -1444,8 +1443,6 @@ static struct tevent_req *cli_session_setup_kerberos_send( state->cli = cli; state->ads_status = ADS_SUCCESS; - cli_temp_set_signing(cli); - /* * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if * we have to acquire a ticket. To be fixed later :-) @@ -1590,8 +1587,6 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( talloc_set_destructor( state, cli_session_setup_ntlmssp_state_destructor); - cli_temp_set_signing(cli); - status = ntlmssp_client_start(state, lp_netbios_name(), lp_workgroup(), @@ -2643,7 +2638,11 @@ static void cli_negprot_done(struct tevent_req *subreq) if (cli_state_protocol(cli) >= PROTOCOL_NT1) { struct timespec ts; - bool negotiated_smb_signing = false; + const char *client_signing = NULL; + bool server_mandatory; + bool server_allowed; + const char *server_signing = NULL; + bool ok; if (wct != 0x11) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); @@ -2678,35 +2677,33 @@ static void cli_negprot_done(struct tevent_req *subreq) } } - /* - * As signing is slow we only turn it on if either the client or - * the server require it. JRA. - */ + client_signing = "disabled"; + if (client_is_signing_allowed(cli)) { + client_signing = "allowed"; + } + if (client_is_signing_mandatory(cli)) { + client_signing = "required"; + } + server_signing = "not supported"; + if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { + server_signing = "supported"; + server_allowed = true; + } if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { - /* Fail if server says signing is mandatory and we don't want to support it. */ - if (!client_is_signing_allowed(cli)) { - DEBUG(0,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); - tevent_req_nterror(req, - NT_STATUS_ACCESS_DENIED); - return; - } - negotiated_smb_signing = true; - } else if (client_is_signing_mandatory(cli) && client_is_signing_allowed(cli)) { - /* Fail if client says signing is mandatory and the server doesn't support it. */ - if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) { - DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); - tevent_req_nterror(req, - NT_STATUS_ACCESS_DENIED); - return; - } - negotiated_smb_signing = true; - } else if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { - negotiated_smb_signing = true; + server_signing = "required"; + server_mandatory = true; } - if (negotiated_smb_signing) { - cli_set_signing_negotiated(cli); + ok = cli_set_signing_negotiated(cli, + server_allowed, + server_mandatory); + if (!ok) { + DEBUG(1,("cli_negprot: SMB signing is required, " + "but client[%s] and server[%s] mismatch\n", + client_signing, server_signing)); + tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); + return; } } else if (cli_state_protocol(cli) >= PROTOCOL_LANMAN1) { -- cgit