Fix client autonegotiate signing.
authorVolker Lendecke <vlendec@samba.org>
Tue, 12 Aug 2003 01:15:23 +0000 (01:15 +0000)
committerVolker Lendecke <vlendec@samba.org>
Tue, 12 Aug 2003 01:15:23 +0000 (01:15 +0000)
Jeremy.
(This used to be commit a4d2dd1d40f6b1322e69d430023aa89dac86fda3)

source3/lib/popt_common.c
source3/libsmb/cliconnect.c

index af1cbcfe80caff856d5a0f76fb3dc1991089237b..c120651550a660e9d48127e029d41dd25612df56 100644 (file)
@@ -335,7 +335,8 @@ static void popt_common_credentials_callback(poptContext con,
                        cmdline_auth_info.signing_state = -1;
                        if (strequal(arg, "off") || strequal(arg, "no") || strequal(arg, "false"))
                                cmdline_auth_info.signing_state = False;
-                       else if (strequal(arg, "on") || strequal(arg, "yes") || strequal(arg, "true"))
+                       else if (strequal(arg, "on") || strequal(arg, "yes") || strequal(arg, "true") ||
+                                       strequal(arg, "auto") )
                                cmdline_auth_info.signing_state = True;
                        else if (strequal(arg, "force") || strequal(arg, "required") || strequal(arg, "forced"))
                                cmdline_auth_info.signing_state = Required;
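Review bot: The new `strequal(arg, "auto")` test maps "auto" to the same `True` state as "on"/"yes"/"true", and nothing at this branch documents what that state means now. The cliconnect.c part of this commit only negotiates signing when the client or the server requires it, so, assuming `True` translates to "allowed but not mandatory" (the mapping is not visible here), a user who passes "on" gets an unsigned session against a server that merely advertises signing. I would add a comment above the branch such as `/* "on" and "auto" are equivalent: sign only if the server requires it; use "required" to enforce signing. */` and mirror that wording in the option's help text. Minor style: drop the stray space in `strequal(arg, "auto") )`. The callback and its if/else chain begin and continue outside this hunk.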
index 1f06ebf66fb49028df98e1de3c86fc2f10a8faeb..82d6fc7cefd22a3fb2d511c9bd51c2939f980730 100644 (file)
@@ -1025,22 +1025,27 @@ BOOL cli_negprot(struct cli_state *cli)
                                    smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
                }
 
-               if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
-                       /* Fail if signing is mandatory and we don't want to support it. */
+               /*
+                * As signing is slow we only turn it on if either the client or
+                * the server require it. JRA.
+                */
+
+               if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+                       /* Fail if server says signing is mandatory and we don't want to support it. */
                        if (!cli->sign_info.allow_smb_signing) {
                                DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
                                return False;
                        }
                        cli->sign_info.negotiated_smb_signing = True;
-               }
-
-               if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
+                       cli->sign_info.mandatory_signing = True;
+               } else if (cli->sign_info.mandatory_signing && cli->sign_info.allow_smb_signing) {
+                       /* Fail if client says signing is mandatory and the server doesn't support it. */
+                       if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) {
+                               DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+                               return False;
+                       }
                        cli->sign_info.negotiated_smb_signing = True;
-
-               /* Fail if signing is mandatory and the server doesn't support it. */
-               if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
-                       DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
-                       return False;
+                       cli->sign_info.mandatory_signing = True;
                }
 
        } else if (cli->protocol >= PROTOCOL_LANMAN1) {
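Review bot: The new `else if (cli->sign_info.mandatory_signing && cli->sign_info.allow_smb_signing)` no longer fails closed when `mandatory_signing` is set but `allow_smb_signing` is clear. The removed check `if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing))` returned False in that state, while the new code skips both branches and continues without signing. If the code that sets these flags (not visible here) guarantees the combination cannot occur, the second operand is dead; otherwise test the mandate alone, `} else if (cli->sign_info.mandatory_signing) {`, and reject inside with `if (!cli->sign_info.allow_smb_signing || !(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) {`, adjusting the DEBUG text to cover both causes. This matters because `sec_mode` is taken from the server's negotiate reply, so the client-side mandate is the only thing that enforces signing when the REQUIRED bit is absent. The second `cli->sign_info.mandatory_signing = True;` is redundant, since the branch condition already requires it; `cli_negprot` starts and ends outside this hunk.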