Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
authorMichael Adam <obnox@samba.org>
Tue, 30 Jun 2015 12:16:19 +0000 (14:16 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 7 Jul 2015 12:05:27 +0000 (14:05 +0200)
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
lib/param/loadparm.c
lib/param/param_table.c
libcli/smb/smbXcli_base.c
libcli/smb/smb_constants.h
source4/smb_server/smb2/negprot.c

index bb215b26992a17f8ed5197fa935e6f29c904d72a..0e114288e2202cf9aecc95ea0b96439160230049 100644 (file)
@@ -3207,6 +3207,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
        case SMB_SIGNING_REQUIRED:
                *mandatory = true;
                break;
+       case SMB_SIGNING_DESIRED:
        case SMB_SIGNING_IF_REQUIRED:
                break;
        case SMB_SIGNING_DEFAULT:
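Review bot: `SMB_SIGNING_DESIRED` falls through to the `SMB_SIGNING_IF_REQUIRED` arm here, so `*mandatory` is not set and, as far as this hunk shows, the server treats "desired" exactly like "auto"/"enabled". The source4 negprot.c hunk does the same and advertises only `SMB2_NEGOTIATE_SIGNING_ENABLED`. That is weaker than the commit message's "server requires signing when the client supports it": nothing visible makes the server insist on signing once a client has advertised support, so "desired" should not be relied on against a negotiation downgrade, and only "required" gives that guarantee. I would put a comment on the new label, e.g. `/* desired: offered, not enforced; same server-side result as if_required */`, or enforce it where the session is set up if that is the intent. The switch and the function body start and end outside the hunk, so anything assigned before the switch is not visible.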
index 287839fb7d3482e5b0d96043c664a8344d7dceb0..ff310381213f584cabdb7eac22bccaa2ba5cebf3 100644 (file)
@@ -115,6 +115,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
        {SMB_SIGNING_IF_REQUIRED, "On"},
        {SMB_SIGNING_IF_REQUIRED, "enabled"},
        {SMB_SIGNING_IF_REQUIRED, "auto"},
+       {SMB_SIGNING_DESIRED, "desired"},
        {SMB_SIGNING_REQUIRED, "required"},
        {SMB_SIGNING_REQUIRED, "mandatory"},
        {SMB_SIGNING_REQUIRED, "force"},
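Review bot: The new "desired" keyword becomes a user-visible smb.conf value, but the commit's file list contains no documentation file, so its meaning is not documented alongside the code. The text should say, as the commit message does, that signing is used when both sides support it and that peers without support are not rejected. It should also say explicitly that this is not equivalent to "required" for integrity protection. If the manpage entries are updated in a separate commit, this is moot.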
index c8ae5b06a9006434262b5ded36bda54e491a3251..6c35430c580f1455c1db79f1531191a253f56959 100644 (file)
@@ -376,6 +376,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
                conn->desire_signing = false;
                conn->mandatory_signing = false;
                break;
+       case SMB_SIGNING_DESIRED:
+               /* if the server desires it */
+               conn->allow_signing = true;
+               conn->desire_signing = true;
+               conn->mandatory_signing = false;
+               break;
        case SMB_SIGNING_REQUIRED:
                /* always */
                conn->allow_signing = true;
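Review bot: The comment `/* if the server desires it */` on the new `SMB_SIGNING_DESIRED` arm does not match the assignments below it. `desire_signing = true` presumably makes the client itself ask for signing, while `mandatory_signing = false` lets the connection proceed unsigned when the peer does not offer it. `/* if the server supports it */` states the contract more accurately. The comment should also note that this mode gives no protection if signing support is stripped during negotiation, so callers that need integrity must use `SMB_SIGNING_REQUIRED`. The switch and `smbXcli_conn_create` continue outside the hunk, so how the three flags are consumed is inferred from their names.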
index 589b1a63d9500823058904fb77077c7aca4b3ca7..c4cca1568ea45647efcdcd80d78a2b2db3607969 100644 (file)
@@ -98,6 +98,7 @@ enum smb_signing_setting {
        SMB_SIGNING_DEFAULT = -1,
        SMB_SIGNING_OFF = 0,
        SMB_SIGNING_IF_REQUIRED = 1,
+       SMB_SIGNING_DESIRED = 2,
        SMB_SIGNING_REQUIRED = 3,
 };
 
index 81f2547a8e0c5afe98cbc5d6c6eee0b600599136..b48b1700bf04bcd9dd9ff9f37641471a235e35db 100644 (file)
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
        case SMB_SIGNING_OFF:
                io->out.security_mode = 0;
                break;
+       case SMB_SIGNING_DESIRED:
        case SMB_SIGNING_IF_REQUIRED:
                io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
                break;