Metze pointed out that if signing is mandatory in the server then we
need to reject packets without the signed flag if the packet contains
a session id.
(This used to be commit
056f16e664e581bab1c07759e99ad4f6685c58eb)
break;
case SMB_SIGNING_REQUIRED:
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ /* force signing on immediately */
+ req->smb_conn->doing_signing = true;
break;
}
io->out.dialect_revision = SMB2_DIALECT_REVISION;
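Review bot: The added comment `/* force signing on immediately */` does not say what setting the flag at negotiate time changes. `doing_signing` lives on `req->smb_conn`, so it is now true for the whole connection before any session or signing key exists, and the receive-path hunk relies on that to reject unsigned requests. I would expand it to `/* server requires signing: set the connection-wide flag now so that unsigned requests carrying a session id are rejected */`. The enclosing switch and function start outside the hunk.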
smb2srv_send_error(req, status);
return NT_STATUS_OK;
}
+ } else if (req->smb_conn->doing_signing && req->session != NULL) {
+ /* we require signing and this request was not signed */
+ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
+ return NT_STATUS_OK;
}
/* TODO: check the seqnum */
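Review bot: The new `else if (req->smb_conn->doing_signing && req->session != NULL)` branch rejects every unsigned request that resolves to a session, which may include a session that has not finished authenticating and so has no key to sign with, such as the later legs of a multi-round session setup. How `req->session` is looked up is outside this hunk, so this is inferred. If a session is attached before its key is established, the test should use per-session state instead, e.g. `} else if (req->session != NULL && req->session->signing_active) {`, where `signing_active` is a placeholder for a flag set once the session key exists. The context line `/* TODO: check the seqnum */` also means a correctly signed request is not yet checked for replay on this path. The enclosing function starts and ends outside the hunk.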
/* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client.
This is deliberate as windows does not set it even when it does
set SMB2_NEGOTIATE_SIGNING_REQUIRED */
- if ((io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED) {
+ if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
req->smb_conn->doing_signing = true;
}
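Review bot: With the `lp_server_signing(...) == SMB_SIGNING_REQUIRED` test removed, nothing in this `if` shows that server-mandated signing is still enforced. It now depends entirely on the negotiate handler having set `doing_signing` on the same connection. The remaining comment only explains the client flag, so I would add `/* server-required signing is already forced on in negotiate; only the client's request is handled here */` above the `if`. Whether a session setup can be processed on a connection that never negotiated is not visible here and is worth confirming, since that path would no longer turn signing on. The enclosing function starts and ends outside the hunk.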