capabilities &= ~CAP_RAW_MODE;
if (lp_server_signing() == Required)
secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
- srv_set_signing_negotiated(sconn);
} else {
DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n"));
if (lp_server_signing() == Required) {
char *outbuf, uint32_t seqnum);
void srv_cancel_sign_response(struct smbd_server_connection *conn);
bool srv_init_signing(struct smbd_server_connection *conn);
-void srv_set_signing_negotiated(struct smbd_server_connection *conn);
+void srv_set_signing_negotiated(struct smbd_server_connection *conn,
+ bool allowed, bool mandatory);
bool srv_is_signing_active(struct smbd_server_connection *conn);
bool srv_is_signing_negotiated(struct smbd_server_connection *conn);
void srv_set_signing(struct smbd_server_connection *conn,
struct smbd_server_connection *sconn = req->sconn;
bool doencrypt = sconn->smb1.negprot.encrypted_passwords;
+ bool signing_allowed = false;
+ bool signing_mandatory = false;
START_PROFILE(SMBsesssetupX);
DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2));
+ if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES) {
+ signing_allowed = true;
+ }
+ if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED) {
+ signing_mandatory = true;
+ }
+
+ /*
+ * We can call srv_set_signing_negotiated() each time.
+ * It finds out when it needs to turn into a noop
+ * itself.
+ */
+ srv_set_signing_negotiated(req->sconn,
+ signing_allowed,
+ signing_mandatory);
+
/* a SPNEGO session setup has 12 command words, whereas a normal
NT1 session setup has 13. See the cifs spec. */
if (req->wct == 12 &&
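Review bot: The signing flags are read from client-controlled `req->flags2` and pushed into the connection's signing state on every session setup, before the request is otherwise checked, so the only thing stopping a later request with the bits cleared from altering the negotiated state is the no-op behaviour the comment alludes to, which is not visible in this hunk. I would have the comment state the actual condition, for example `/* No-op once signing is active; a later session setup cannot clear it. */`, after confirming that against the callee. Because `srv_set_signing_negotiated()` returns void, this code cannot react when the client's flags conflict with server policy (for instance `lp_server_signing() == Required` with neither bit set), so it is worth confirming that case is still rejected elsewhere now that the negprot-time call is removed. Minor: the call passes `req->sconn` although the local `sconn` already holds it. The enclosing function starts and ends outside the hunk.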
break;
}
+ /*
+ * if the client and server allow signing,
+ * we desire to use it.
+ *
+ * This matches Windows behavior and is needed
+ * because not every client that requires signing
+ * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
+ */
desired = allowed;
if (lp_async_smb_echo_handler()) {
return true;
}
-void srv_set_signing_negotiated(struct smbd_server_connection *conn)
+void srv_set_signing_negotiated(struct smbd_server_connection *conn,
+ bool allowed, bool mandatory)
{
smb_signing_set_negotiated(conn->smb1.signing_state,
- true, false);
+ allowed, mandatory);
}
/***********************************************************