From afce2b245a8ff137a4ecea547c3cfb65ab58dc15 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 27 Dec 2007 23:51:03 -0800
Subject: Add the capability to set "smb encrypt = required" on a share (or
 global) and have the server reply with ACCESS_DENIED for all non-encrypted
 traffic (except that used to query encryption requirements and set encryption
 state). Jeremy. (This used to be commit
 d241bfa57729bb934ada6beabf842a2ca7b4f8a2)

---
 source3/smbd/process.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'source3/smbd/process.c')

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 1260d52c77..48a6d18bc9 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1457,6 +1457,16 @@ static void switch_message(uint8 type, struct smb_request *req, int size)
 			reply_doserror(req, ERRSRV, ERRaccess);
 			return;
 		}
+
+		if (conn->encrypt_level == Required && SVAL(req->inbuf,4) != 0x45FF ) {
+			/* An encrypted packet has 0xFF 'E' at offset 4
+			 * which is little endian 0x45FF */
+			uint8 com = CVAL(req->inbuf,smb_com);
+			if (com != SMBtrans2 && com != SMBtranss2) {
+				reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+				return;
+			}
+		}
 		conn->num_smb_operations++;
 	}
 
-- 
cgit