From af1a2eecce1155618173aa2c9a8d9f687082a449 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Nov 2011 15:06:30 +0100
Subject: s3:smbd: calculate the negprot signing flags from the signing_state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We should map from lp_server_signing() just once in srv_init_signing().

metze

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Nov 16 18:59:49 CET 2011 on sn-devel-104
---
 source3/smbd/negprot.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'source3/smbd')

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 9b58a79795..ae9ce5a2cf 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -28,6 +28,7 @@
 #include "messages.h"
 #include "smbprofile.h"
 #include "auth/gensec/gensec.h"
+#include "../libcli/smb/smb_signing.h"
 
 extern fstring remote_proto;
 
@@ -307,6 +308,8 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 	struct timespec ts;
 	ssize_t ret;
 	struct smbd_server_connection *sconn = req->sconn;
+	bool signing_enabled = false;
+	bool signing_required = false;
 
 	sconn->smb1.negprot.encrypted_passwords = lp_encrypted_passwords();
 
@@ -368,16 +371,20 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 		secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
 	}
 
-	if (lp_server_signing() != SMB_SIGNING_OFF) {
+	signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+	signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
+
+	if (signing_enabled) {
 	       	if (lp_security() >= SEC_USER) {
 			secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 			/* No raw mode with smb signing. */
 			capabilities &= ~CAP_RAW_MODE;
-			if (lp_server_signing() == SMB_SIGNING_REQUIRED)
+			if (signing_required) {
 				secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
+			}
 		} else {
 			DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n"));
-			if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+			if (signing_required) {
 				exit_server_cleanly("reply_nt1: smb signing required and share level security selected.");
 			}
 		}
-- 
cgit