From 64dce265338f325e9fdee6b4a95e918d3b704cbf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 8 Aug 2012 06:25:10 +0200 Subject: s3:smb2_sesssetup: set global->encryption_required and enforce it This the account or client doesn't support encryption we should reject the session setup. metze --- source3/smbd/smb2_sesssetup.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'source3') diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 07a168f8f6..6135efcd54 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -190,6 +190,10 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->signing_required = true; } + if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { + x->global->encryption_required = true; + } + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; @@ -199,6 +203,24 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, guest = true; } + if (guest && x->global->encryption_required) { + DEBUG(1,("reject guest session as encryption is required\n")); + return NT_STATUS_ACCESS_DENIED; + } + + if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) { + if (x->global->encryption_required) { + DEBUG(1,("reject session with dialect[0x%04X] " + "as encryption is required\n", + conn->smb2.server.dialect)); + return NT_STATUS_ACCESS_DENIED; + } + } + + if (x->global->encryption_required) { + *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA; + } + ZERO_STRUCT(session_key); memcpy(session_key, session_info->session_key.data, MIN(session_info->session_key.length, sizeof(session_key))); -- cgit