CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
author Ralph Boehme <slow@samba.org>
Tue, 22 Mar 2016 15:30:42 +0000 (16:30 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:26 +0000 (19:25 +0200)
This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/smbd/sesssetup.c

index fbc40139663f73c95aaf85c2c366ec44bb7ea19c..b7fdd00147e1d20c92f408fb5c1f162edbcd8f60 100644 (file)
@@ -32,6 +32,7 @@
 #include "../libcli/security/security.h"
 #include "auth/gensec/gensec.h"
 #include "lib/conn_tdb.h"
+#include "../libcli/smb/smb_signing.h"
 
 /****************************************************************************
  Add the standard 'Samba' signature to the end of the session setup.
@@ -607,7 +608,8 @@ void reply_sesssetup_and_X(struct smb_request *req)
        struct smbd_server_connection *sconn = req->sconn;
        bool doencrypt = xconn->smb1.negprot.encrypted_passwords;
        bool signing_allowed = false;
-       bool signing_mandatory = false;
+       bool signing_mandatory = smb_signing_is_mandatory(
+               xconn->smb1.signing_state);
 
        START_PROFILE(SMBsesssetupX);
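
Review bot: The new initializer for signing_mandatory in reply_sesssetup_and_X() has no comment saying that it carries the server-side policy from xconn->smb1.signing_state, and signing_allowed on the line above still starts as false, so the two flags can begin in the combination "mandatory but not allowed". A short comment at the declaration stating that the initial value comes from the server's signing state, and that later code in this function may only raise signing_mandatory to true and must never reset it to false from client-supplied flags, would make the invariant explicit for the next person touching this path; the rest of the function is not visible in this hunk, so that is worth checking before merge. The commit message calls this a regression fix, and no test is visible in this diff: a test that a session setup without signing is refused when "server signing = mandatory" is configured would keep the behaviour from regressing again.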