The Samba-Bugzilla – Attachment 6879 Details for
Bug 8382
[Server signing] Samba fileshare not working with server signing =auto
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for master
tmp.diff (text/plain), 21.79 KB, created by
Stefan Metzmacher
on 2011-09-12 17:08:35 UTC
(
hide
)
Description:
Patches for master
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2011-09-12 17:08:35 UTC
Size:
21.79 KB
patch
obsolete
>From 4349975e433a02f79a35d2bfd6c347a9eeea86cb Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 9 Sep 2011 22:44:44 +0200 >Subject: [PATCH 1/4] s3:smbd: echo FLAGS2_SMB_SECURITY_SIGNATURES* and the signature field in the reply > >This matches what windows is doing. > >metze >--- > source3/smbd/process.c | 12 +++++++++--- > 1 files changed, 9 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index a60d77e..deba86c 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -1674,15 +1674,21 @@ void remove_from_common_flags2(uint32 v) > static void construct_reply_common(struct smb_request *req, const char *inbuf, > char *outbuf) > { >+ uint16_t in_flags2 = SVAL(inbuf,smb_flg2); >+ uint16_t out_flags2 = common_flags2; >+ >+ out_flags2 |= in_flags2 & FLAGS2_UNICODE_STRINGS; >+ out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES; >+ out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED; >+ > srv_set_message(outbuf,0,0,false); > > SCVAL(outbuf, smb_com, req->cmd); > SIVAL(outbuf,smb_rcls,0); > SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); >- SSVAL(outbuf,smb_flg2, >- (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) | >- common_flags2); >+ SSVAL(outbuf,smb_flg2, out_flags2); > memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh)); >+ memcpy(outbuf+smb_ss_field, inbuf+smb_ss_field, 8); > > SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid)); > SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid)); >-- >1.7.4.1 > > >From bdeb6e07109ce762ff7d59b60c7a12d2b716f2e0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 12 Sep 2011 09:04:53 +0200 >Subject: [PATCH 2/4] s3:smb_signing: add support for easier negotiation of SMB signing > >We don't make use of it yet, but it will follow. > >metze >--- > source3/include/smb_signing.h | 5 ++- > source3/libsmb/clientgen.c | 1 + > source3/libsmb/clisigning.c | 4 +- > source3/libsmb/smb_signing.c | 100 ++++++++++++++++++++++++++++------------- > source3/smbd/signing.c | 10 +++- > 5 files changed, 83 insertions(+), 37 deletions(-) > >diff --git a/source3/include/smb_signing.h b/source3/include/smb_signing.h >index d2eda9b..481be1d 100644 >--- a/source3/include/smb_signing.h >+++ b/source3/include/smb_signing.h >@@ -26,9 +26,11 @@ struct smb_signing_state; > > struct smb_signing_state *smb_signing_init(TALLOC_CTX *mem_ctx, > bool allowed, >+ bool desired, > bool mandatory); > struct smb_signing_state *smb_signing_init_ex(TALLOC_CTX *mem_ctx, > bool allowed, >+ bool desired, > bool mandatory, > void *(*alloc_fn)(TALLOC_CTX *, size_t), > void (*free_fn)(TALLOC_CTX *, void *)); >@@ -45,7 +47,8 @@ bool smb_signing_activate(struct smb_signing_state *si, > bool smb_signing_is_active(struct smb_signing_state *si); > bool smb_signing_is_allowed(struct smb_signing_state *si); > bool smb_signing_is_mandatory(struct smb_signing_state *si); >-bool smb_signing_set_negotiated(struct smb_signing_state *si); >+bool smb_signing_set_negotiated(struct smb_signing_state *si, >+ bool allowed, bool mandatory); > bool smb_signing_is_negotiated(struct smb_signing_state *si); > > #endif /* _SMB_SIGNING_H_ */ >diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c >index f274dc0..91e2286 100644 >--- a/source3/libsmb/clientgen.c >+++ b/source3/libsmb/clientgen.c >@@ -260,6 +260,7 @@ struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx, > /* initialise signing */ > cli->signing_state = smb_signing_init(cli, > allow_smb_signing, >+ allow_smb_signing, > mandatory_signing); > if (!cli->signing_state) { > goto error; >diff --git a/source3/libsmb/clisigning.c b/source3/libsmb/clisigning.c >index ac4db76..134938f 100644 >--- a/source3/libsmb/clisigning.c >+++ b/source3/libsmb/clisigning.c >@@ -44,7 +44,7 @@ bool cli_simple_set_signing(struct cli_state *cli, > > bool cli_temp_set_signing(struct cli_state *cli) > { >- return smb_signing_set_bsrspyl(cli->signing_state); >+ return true; > } > > void cli_calculate_sign_mac(struct cli_state *cli, char *buf, uint32_t *seqnum) >@@ -70,7 +70,7 @@ bool cli_check_sign_mac(struct cli_state *cli, const char *buf, uint32_t seqnum) > > void cli_set_signing_negotiated(struct cli_state *cli) > { >- smb_signing_set_negotiated(cli->signing_state); >+ smb_signing_set_negotiated(cli->signing_state, true, false); > } > > bool client_is_signing_on(struct cli_state *cli) >diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c >index c926b48..ba20723 100644 >--- a/source3/libsmb/smb_signing.c >+++ b/source3/libsmb/smb_signing.c >@@ -29,15 +29,15 @@ struct smb_signing_state { > /* is signing localy allowed */ > bool allowed; > >+ /* is signing localy desired */ >+ bool desired; >+ > /* is signing localy mandatory */ > bool mandatory; > > /* is signing negotiated by the peer */ > bool negotiated; > >- /* send BSRSPYL signatures */ >- bool bsrspyl; >- > bool active; /* Have I ever seen a validly signed packet? */ > > /* mac_key.length > 0 means signing is started */ >@@ -54,7 +54,6 @@ struct smb_signing_state { > static void smb_signing_reset_info(struct smb_signing_state *si) > { > si->active = false; >- si->bsrspyl = false; > si->seqnum = 0; > > if (si->free_fn) { >@@ -68,6 +67,7 @@ static void smb_signing_reset_info(struct smb_signing_state *si) > > struct smb_signing_state *smb_signing_init_ex(TALLOC_CTX *mem_ctx, > bool allowed, >+ bool desired, > bool mandatory, > void *(*alloc_fn)(TALLOC_CTX *, size_t), > void (*free_fn)(TALLOC_CTX *, void *)) >@@ -92,10 +92,15 @@ struct smb_signing_state *smb_signing_init_ex(TALLOC_CTX *mem_ctx, > } > > if (mandatory) { >+ desired = true; >+ } >+ >+ if (desired) { > allowed = true; > } > > si->allowed = allowed; >+ si->desired = desired; > si->mandatory = mandatory; > > return si; >@@ -103,9 +108,11 @@ struct smb_signing_state *smb_signing_init_ex(TALLOC_CTX *mem_ctx, > > struct smb_signing_state *smb_signing_init(TALLOC_CTX *mem_ctx, > bool allowed, >+ bool desired, > bool mandatory) > { >- return smb_signing_init_ex(mem_ctx, allowed, mandatory, NULL, NULL); >+ return smb_signing_init_ex(mem_ctx, allowed, desired, mandatory, >+ NULL, NULL); > } > > static bool smb_signing_good(struct smb_signing_state *si, >@@ -210,10 +217,11 @@ void smb_signing_sign_pdu(struct smb_signing_state *si, > uint8_t *outbuf, uint32_t seqnum) > { > uint8_t calc_md5_mac[16]; >- uint16_t flags2; >+ uint8_t com; >+ uint8_t flags; > > if (si->mac_key.length == 0) { >- if (!si->bsrspyl) { >+ if (!si->negotiated) { > return; > } > } >@@ -226,15 +234,32 @@ void smb_signing_sign_pdu(struct smb_signing_state *si, > abort(); > } > >- /* mark the packet as signed - BEFORE we sign it...*/ >- flags2 = SVAL(outbuf,smb_flg2); >- flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES; >- SSVAL(outbuf, smb_flg2, flags2); >+ com = SVAL(outbuf,smb_com); >+ flags = SVAL(outbuf,smb_flg); >+ >+ if (!(flags & FLAG_REPLY)) { >+ uint16_t flags2 = SVAL(outbuf,smb_flg2); >+ /* >+ * If this is a request, specify what is >+ * supported or required by the client >+ */ >+ if (si->negotiated && si->desired) { >+ flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES; >+ } >+ if (si->negotiated && si->mandatory) { >+ flags2 |= FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED; >+ } >+ SSVAL(outbuf, smb_flg2, flags2); >+ } > >- if (si->bsrspyl) { >+ if (si->mac_key.length == 0) { > /* I wonder what BSRSPYL stands for - but this is what MS > actually sends! */ >- memcpy(calc_md5_mac, "BSRSPYL ", 8); >+ if (com == SMBsesssetupX) { >+ memcpy(calc_md5_mac, "BSRSPYL ", 8); >+ } else { >+ memset(calc_md5_mac, 0, 8); >+ } > } else { > smb_signing_md5(&si->mac_key, outbuf, > seqnum, calc_md5_mac); >@@ -305,21 +330,6 @@ bool smb_signing_check_pdu(struct smb_signing_state *si, > return smb_signing_good(si, good, seqnum); > } > >-bool smb_signing_set_bsrspyl(struct smb_signing_state *si) >-{ >- if (!si->negotiated) { >- return false; >- } >- >- if (si->active) { >- return false; >- } >- >- si->bsrspyl = true; >- >- return true; >-} >- > bool smb_signing_activate(struct smb_signing_state *si, > const DATA_BLOB user_session_key, > const DATA_BLOB response) >@@ -398,14 +408,42 @@ bool smb_signing_is_mandatory(struct smb_signing_state *si) > return si->mandatory; > } > >-bool smb_signing_set_negotiated(struct smb_signing_state *si) >+bool smb_signing_set_negotiated(struct smb_signing_state *si, >+ bool allowed, bool mandatory) > { >- if (!si->allowed) { >+ if (si->active) { >+ return true; >+ } >+ >+ if (!si->allowed && mandatory) { > return false; > } > >- si->negotiated = true; >+ if (si->mandatory && !allowed) { >+ return false; >+ } >+ >+ if (si->mandatory) { >+ si->negotiated = true; >+ return true; >+ } >+ >+ if (mandatory) { >+ si->negotiated = true; >+ return true; >+ } >+ >+ if (!si->desired) { >+ si->negotiated = false; >+ return true; >+ } >+ >+ if (si->desired && allowed) { >+ si->negotiated = true; >+ return true; >+ } > >+ si->negotiated = false; > return true; > } > >diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c >index 25b3c40..1ae8ffc 100644 >--- a/source3/smbd/signing.c >+++ b/source3/smbd/signing.c >@@ -157,6 +157,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr) > bool srv_init_signing(struct smbd_server_connection *conn) > { > bool allowed = true; >+ bool desired; > bool mandatory = false; > > switch (lp_server_signing()) { >@@ -172,6 +173,8 @@ bool srv_init_signing(struct smbd_server_connection *conn) > break; > } > >+ desired = allowed; >+ > if (lp_async_smb_echo_handler()) { > struct smbd_shm_signing *s; > >@@ -189,7 +192,7 @@ bool srv_init_signing(struct smbd_server_connection *conn) > } > talloc_set_destructor(s, smbd_shm_signing_destructor); > conn->smb1.signing_state = smb_signing_init_ex(s, >- allowed, mandatory, >+ allowed, desired, mandatory, > smbd_shm_signing_alloc, > smbd_shm_signing_free); > if (!conn->smb1.signing_state) { >@@ -199,7 +202,7 @@ bool srv_init_signing(struct smbd_server_connection *conn) > } > > conn->smb1.signing_state = smb_signing_init(server_event_context(), >- allowed, mandatory); >+ allowed, desired, mandatory); > if (!conn->smb1.signing_state) { > return false; > } >@@ -209,7 +212,8 @@ bool srv_init_signing(struct smbd_server_connection *conn) > > void srv_set_signing_negotiated(struct smbd_server_connection *conn) > { >- smb_signing_set_negotiated(conn->smb1.signing_state); >+ smb_signing_set_negotiated(conn->smb1.signing_state, >+ true, false); > } > > /*********************************************************** >-- >1.7.4.1 > > >From aff3f91516cf09a43107d3b47f5ca3312304af9d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 12 Sep 2011 09:16:27 +0200 >Subject: [PATCH 3/4] s3:libsmb: make use of new advanded SMB signing > >metze >--- > source3/libsmb/cliconnect.c | 59 ++++++++++++++++++++---------------------- > source3/libsmb/clientgen.c | 47 ++++++++++++++++++++++------------ > source3/libsmb/clisigning.c | 11 +++----- > source3/libsmb/proto.h | 4 +- > 4 files changed, 64 insertions(+), 57 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index fd0536c..860d39d 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -943,7 +943,6 @@ static struct tevent_req *cli_session_setup_nt1_send( > SMBsesskeygen_ntv1(nt_hash, session_key.data); > #endif > } >- cli_temp_set_signing(cli); > } else { > /* pre-encrypted password supplied. Only used for > security=server, can't do >@@ -1441,8 +1440,6 @@ static struct tevent_req *cli_session_setup_kerberos_send( > state->cli = cli; > state->ads_status = ADS_SUCCESS; > >- cli_temp_set_signing(cli); >- > /* > * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if > * we have to acquire a ticket. To be fixed later :-) >@@ -1587,8 +1584,6 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( > talloc_set_destructor( > state, cli_session_setup_ntlmssp_state_destructor); > >- cli_temp_set_signing(cli); >- > status = ntlmssp_client_start(state, > lp_netbios_name(), > lp_workgroup(), >@@ -2638,7 +2633,11 @@ static void cli_negprot_done(struct tevent_req *subreq) > > if (cli_state_protocol(cli) >= PROTOCOL_NT1) { > struct timespec ts; >- bool negotiated_smb_signing = false; >+ const char *client_signing = NULL; >+ bool server_mandatory; >+ bool server_allowed; >+ const char *server_signing = NULL; >+ bool ok; > > /* NT protocol */ > cli->sec_mode = CVAL(vwv + 1, 0); >@@ -2668,35 +2667,33 @@ static void cli_negprot_done(struct tevent_req *subreq) > } > } > >- /* >- * As signing is slow we only turn it on if either the client or >- * the server require it. JRA. >- */ >+ client_signing = "disabled"; >+ if (client_is_signing_allowed(cli)) { >+ client_signing = "allowed"; >+ } >+ if (client_is_signing_mandatory(cli)) { >+ client_signing = "required"; >+ } > >+ server_signing = "not supported"; >+ if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { >+ server_signing = "supported"; >+ server_allowed = true; >+ } > if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { >- /* Fail if server says signing is mandatory and we don't want to support it. */ >- if (!client_is_signing_allowed(cli)) { >- DEBUG(0,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); >- tevent_req_nterror(req, >- NT_STATUS_ACCESS_DENIED); >- return; >- } >- negotiated_smb_signing = true; >- } else if (client_is_signing_mandatory(cli) && client_is_signing_allowed(cli)) { >- /* Fail if client says signing is mandatory and the server doesn't support it. */ >- if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) { >- DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); >- tevent_req_nterror(req, >- NT_STATUS_ACCESS_DENIED); >- return; >- } >- negotiated_smb_signing = true; >- } else if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { >- negotiated_smb_signing = true; >+ server_signing = "required"; >+ server_mandatory = true; > } > >- if (negotiated_smb_signing) { >- cli_set_signing_negotiated(cli); >+ ok = cli_set_signing_negotiated(cli, >+ server_allowed, >+ server_mandatory); >+ if (!ok) { >+ DEBUG(1,("cli_negprot: SMB signing is required, " >+ "but client[%s] and server[%s] mismatch\n", >+ client_signing, server_signing)); >+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); >+ return; > } > > } else if (cli_state_protocol(cli) >= PROTOCOL_LANMAN1) { >diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c >index 91e2286..bae80ef 100644 >--- a/source3/libsmb/clientgen.c >+++ b/source3/libsmb/clientgen.c >@@ -168,8 +168,9 @@ struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx, > int signing_state, int flags) > { > struct cli_state *cli = NULL; >- bool allow_smb_signing = false; >- bool mandatory_signing = false; >+ bool allow_smb_signing; >+ bool desire_smb_signing; >+ bool mandatory_signing; > socklen_t ss_length; > int ret; > >@@ -236,31 +237,43 @@ struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx, > cli->use_level_II_oplocks = true; > } > >- if (lp_client_signing()) { >- allow_smb_signing = true; >- } >- >- if (lp_client_signing() == Required) { >- mandatory_signing = true; >- } >- >- if (signing_state != Undefined) { >- allow_smb_signing = true; >+ if (signing_state == Undefined) { >+ signing_state = lp_client_signing(); > } > >- if (signing_state == false) { >+ switch (signing_state) { >+ case false: >+ /* never */ > allow_smb_signing = false; >+ desire_smb_signing = false; > mandatory_signing = false; >- } >- >- if (signing_state == Required) { >+ break; >+ case true: >+ /* if the server supports it */ >+ allow_smb_signing = true; >+ desire_smb_signing = true; >+ mandatory_signing = false; >+ break; >+ default: >+ case Undefined: >+ case Auto: >+ /* if the server requires it */ >+ allow_smb_signing = true; >+ desire_smb_signing = false; >+ mandatory_signing = false; >+ break; >+ case Required: >+ /* always */ >+ allow_smb_signing = true; >+ desire_smb_signing = true; > mandatory_signing = true; >+ break; > } > > /* initialise signing */ > cli->signing_state = smb_signing_init(cli, > allow_smb_signing, >- allow_smb_signing, >+ desire_smb_signing, > mandatory_signing); > if (!cli->signing_state) { > goto error; >diff --git a/source3/libsmb/clisigning.c b/source3/libsmb/clisigning.c >index 134938f..acdc24f 100644 >--- a/source3/libsmb/clisigning.c >+++ b/source3/libsmb/clisigning.c >@@ -42,11 +42,6 @@ bool cli_simple_set_signing(struct cli_state *cli, > return true; > } > >-bool cli_temp_set_signing(struct cli_state *cli) >-{ >- return true; >-} >- > void cli_calculate_sign_mac(struct cli_state *cli, char *buf, uint32_t *seqnum) > { > *seqnum = smb_signing_next_seqnum(cli->signing_state, false); >@@ -68,9 +63,11 @@ bool cli_check_sign_mac(struct cli_state *cli, const char *buf, uint32_t seqnum) > return true; > } > >-void cli_set_signing_negotiated(struct cli_state *cli) >+bool cli_set_signing_negotiated(struct cli_state *cli, >+ bool allowed, bool mandatory) > { >- smb_signing_set_negotiated(cli->signing_state, true, false); >+ return smb_signing_set_negotiated(cli->signing_state, >+ allowed, mandatory); > } > > bool client_is_signing_on(struct cli_state *cli) >diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h >index 83da457..7acc13c 100644 >--- a/source3/libsmb/proto.h >+++ b/source3/libsmb/proto.h >@@ -859,13 +859,13 @@ void cli_free_enc_buffer(struct cli_state *cli, char *buf); > bool cli_simple_set_signing(struct cli_state *cli, > const DATA_BLOB user_session_key, > const DATA_BLOB response); >-bool cli_temp_set_signing(struct cli_state *cli); > void cli_calculate_sign_mac(struct cli_state *cli, char *buf, uint32_t *seqnum); > bool cli_check_sign_mac(struct cli_state *cli, const char *buf, uint32_t seqnum); > bool client_is_signing_on(struct cli_state *cli); > bool client_is_signing_allowed(struct cli_state *cli); > bool client_is_signing_mandatory(struct cli_state *cli); >-void cli_set_signing_negotiated(struct cli_state *cli); >+bool cli_set_signing_negotiated(struct cli_state *cli, >+ bool allowed, bool mandatory); > > /* The following definitions come from libsmb/reparse_symlink.c */ > >-- >1.7.4.1 > > >From c7188c18a38613d927b7e745a7359a20ed878b49 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 12 Sep 2011 09:19:06 +0200 >Subject: [PATCH 4/4] s3:smbd: make use of better SMB signing negotiation > >metze >--- > source3/smbd/negprot.c | 1 - > source3/smbd/proto.h | 3 ++- > source3/smbd/sesssetup.c | 18 ++++++++++++++++++ > source3/smbd/signing.c | 13 +++++++++++-- > 4 files changed, 31 insertions(+), 4 deletions(-) > >diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c >index 71e0291..89ef52c 100644 >--- a/source3/smbd/negprot.c >+++ b/source3/smbd/negprot.c >@@ -375,7 +375,6 @@ static void reply_nt1(struct smb_request *req, uint16 choice) > capabilities &= ~CAP_RAW_MODE; > if (lp_server_signing() == Required) > secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; >- srv_set_signing_negotiated(sconn); > } else { > DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n")); > if (lp_server_signing() == Required) { >diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h >index 8edd695..3d0665d 100644 >--- a/source3/smbd/proto.h >+++ b/source3/smbd/proto.h >@@ -54,7 +54,8 @@ void srv_calculate_sign_mac(struct smbd_server_connection *conn, > char *outbuf, uint32_t seqnum); > void srv_cancel_sign_response(struct smbd_server_connection *conn); > bool srv_init_signing(struct smbd_server_connection *conn); >-void srv_set_signing_negotiated(struct smbd_server_connection *conn); >+void srv_set_signing_negotiated(struct smbd_server_connection *conn, >+ bool allowed, bool mandatory); > bool srv_is_signing_active(struct smbd_server_connection *conn); > bool srv_is_signing_negotiated(struct smbd_server_connection *conn); > void srv_set_signing(struct smbd_server_connection *conn, >diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c >index 6dc8609..28ae24e9 100644 >--- a/source3/smbd/sesssetup.c >+++ b/source3/smbd/sesssetup.c >@@ -1306,6 +1306,8 @@ void reply_sesssetup_and_X(struct smb_request *req) > struct smbd_server_connection *sconn = req->sconn; > > bool doencrypt = sconn->smb1.negprot.encrypted_passwords; >+ bool signing_allowed = false; >+ bool signing_mandatory = false; > > START_PROFILE(SMBsesssetupX); > >@@ -1315,6 +1317,22 @@ void reply_sesssetup_and_X(struct smb_request *req) > > DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2)); > >+ if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES) { >+ signing_allowed = true; >+ } >+ if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED) { >+ signing_mandatory = true; >+ } >+ >+ /* >+ * We can call srv_set_signing_negotiated() each time. >+ * It finds out when it needs to turn into a noop >+ * itself. >+ */ >+ srv_set_signing_negotiated(req->sconn, >+ signing_allowed, >+ signing_mandatory); >+ > /* a SPNEGO session setup has 12 command words, whereas a normal > NT1 session setup has 13. See the cifs spec. */ > if (req->wct == 12 && >diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c >index 1ae8ffc..bdf920c 100644 >--- a/source3/smbd/signing.c >+++ b/source3/smbd/signing.c >@@ -173,6 +173,14 @@ bool srv_init_signing(struct smbd_server_connection *conn) > break; > } > >+ /* >+ * if the client and server allow signing, >+ * we desire to use it. >+ * >+ * This matches Windows behavior and is needed >+ * because not every client that requires signing >+ * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED. >+ */ > desired = allowed; > > if (lp_async_smb_echo_handler()) { >@@ -210,10 +218,11 @@ bool srv_init_signing(struct smbd_server_connection *conn) > return true; > } > >-void srv_set_signing_negotiated(struct smbd_server_connection *conn) >+void srv_set_signing_negotiated(struct smbd_server_connection *conn, >+ bool allowed, bool mandatory) > { > smb_signing_set_negotiated(conn->smb1.signing_state, >- true, false); >+ allowed, mandatory); > } > > /*********************************************************** >-- >1.7.4.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 8382
:
6846
|
6847
|
6875
|
6878
| 6879