CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
[samba.git] / source3 / smbd / smb2_negprot.c
index e48d2b80add75a4f76753094212b030033129010..9c03b2ca8b86158db1814aff4c7dc828dd253c8b 100644 (file)
@@ -25,6 +25,7 @@
 #include "../libcli/smb/smb2_negotiate_context.h"
 #include "../lib/tsocket/tsocket.h"
 #include "../librpc/ndr/libndr.h"
+#include "../libcli/smb/smb_signing.h"
 
 extern fstring remote_proto;
 
@@ -160,6 +161,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
        uint32_t max_read = lp_smb2_max_read();
        uint32_t max_write = lp_smb2_max_write();
        NTTIME now = timeval_to_nttime(&req->request_time);
+       bool signing_required = true;
 
        status = smbd_smb2_request_verify_sizes(req, 0x24);
        if (!NT_STATUS_IS_OK(status)) {
@@ -294,7 +296,13 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
        }
 
        security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-       if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+       /*
+        * We use xconn->smb1.signing_state as that's already present
+        * and used lpcfg_server_signing_allowed() to get the correct
+        * defaults, e.g. signing_required for an ad_dc.
+        */
+       signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
+       if (signing_required) {
                security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
        }
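Review bot: `smb_signing_is_mandatory(xconn->smb1.signing_state)` is called without any check that the SMB1 signing state exists on this connection, and the helper presumably dereferences its argument (its body is not on this page). If the state can ever be NULL on a connection that starts directly with SMB2, keep the fail-closed `true` from the declaration by guarding the call: `if (xconn->smb1.signing_state != NULL) { signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state); }`. If it is guaranteed to exist, say so in the comment, e.g. `* xconn->smb1.signing_state is initialised for every connection before negprot is processed.` (to be confirmed against the connection setup code). The flag advertised here only helps if session setup enforces the same policy, so it is worth confirming that path reads the same state rather than `lp_server_signing()`; that code is not in this hunk. The body of smbd_smb2_request_process_negprot starts and ends outside the hunk.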