BOOL negotiated_smb_signing;
BOOL allow_smb_signing;
BOOL doing_signing;
- BOOL mandetory_signing;
+ BOOL mandatory_signing;
} smb_sign_info;
struct cli_state {
#define False (0)
#define True (1)
#define Auto (2)
+#define Required (3)
#ifndef _BOOL
typedef int BOOL;
ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
if (cli->sign_info.negotiated_smb_signing
- || cli->sign_info.mandetory_signing) {
+ || cli->sign_info.mandatory_signing) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
}
- if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
+ /* Fail if signing is mandatory and we don't want to support it. */
+ if (!lp_client_signing()) {
+ DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
+ return False;
+ }
cli->sign_info.negotiated_smb_signing = True;
+ }
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
cli->sign_info.negotiated_smb_signing = True;
+ /* Fail if signing is mandatory and the server doesn't support it. */
+ if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
+ DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+ return False;
+ }
+
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
cli->use_spnego = False;
cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
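Review bot: The new `mandatory_signing` check is placed at the end of the preceding protocol branch only, so the `else if (cli->protocol >= PROTOCOL_LANMAN1)` branch that follows never consults `cli->sign_info.mandatory_signing` in the lines shown. With `client signing = Required`, a negotiation that settles on an older dialect would apparently continue unsigned, even though the dialect is chosen from the server's reply and the setting is meant to guarantee signing. I would enforce it there too, e.g. `if (cli->sign_info.mandatory_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); return False; }` at the top of that branch, and in any later branch outside this hunk. Separately, the first added test reads `lp_client_signing()` while the next line uses `cli->sign_info.allow_smb_signing`; using the per-connection flag in both would keep the two consistent.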
if (lp_client_signing())
cli->sign_info.allow_smb_signing = True;
+
+ if (lp_client_signing() == Required)
+ cli->sign_info.mandatory_signing = True;
if (!cli->outbuf || !cli->inbuf)
goto error;
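Review bot: `lp_client_signing() == Required` only works if the accessor returns the stored enum value unchanged, and its definition is not in any visible hunk. The field becomes `int` in the globals struct, so please confirm the accessor is declared as an integer getter rather than a boolean one. A getter that normalised to 0/1 would make this comparison always false and leave `mandatory_signing` unset without any error. A short comment above the first test, such as `/* Any non-zero setting allows signing; Required additionally makes it mandatory. */`, would make the relationship between the two `if`s explicit. The enclosing function starts and ends outside this hunk.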
static BOOL cli_set_smb_signing_common(struct cli_state *cli)
{
if (!cli->sign_info.negotiated_smb_signing
- && !cli->sign_info.mandetory_signing) {
+ && !cli->sign_info.mandatory_signing) {
return False;
}
static BOOL cli_set_smb_signing_real_common(struct cli_state *cli)
{
- if (cli->sign_info.mandetory_signing) {
+ if (cli->sign_info.mandatory_signing) {
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
cli->sign_info.doing_signing = True;
}
return True;
}
-
BOOL bKernelChangeNotify;
int restrict_anonymous;
int name_cache_timeout;
- BOOL client_signing;
+ int client_signing;
param_opt_struct *param_opt;
}
global;
{-1, NULL}
};
+/* SMB signing types. */
+static const struct enum_list enum_smb_signing_vals[] = {
+ {False, "No"},
+ {False, "False"},
+ {False, "0"},
+ {False, "Off"},
+ {True, "Yes"},
+ {True, "True"},
+ {True, "1"},
+ {True, "On"},
+ {Required, "Required"},
+ {Required, "Mandatory"},
+ {Required, "Force"},
+ {Required, "Forced"},
+ {Required, "Enforced"},
+ {-1, NULL}
+};
+
+
/*
Do you want session setups at user level security with a invalid
password to be rejected or allowed in as guest? WinNT rejects them
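Review bot: The comment `/* SMB signing types. */` does not say what the three levels mean, which is the security-relevant part of this table. I would expand it to something like `/* client signing: No = do not sign (and refuse servers that require it); Yes = sign when the server offers it; Required = fail the connection unless signing is negotiated. */`, matching the checks added in cli_negprot. `Auto` is defined next to `Required` but has no entry here; if that is deliberate, a word on it would help. How an unrecognised string is handled is not visible in this hunk, so it is worth confirming that a misspelt `Required` is reported rather than silently falling back to a weaker default.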
{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
- {"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
{"Tuning Options", P_SEP, P_SEPARATOR},
return status;
}
-
/****************************************************************************
Add the standard 'Samba' signature to the end of the session setup.
****************************************************************************/
+
static int add_signature(char *outbuf, char *p)
{
char *start = p;
}
/****************************************************************************
-send a security blob via a session setup reply
+ Send a security blob via a session setup reply.
****************************************************************************/
+
static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
DATA_BLOB blob, NTSTATUS nt_status)
{
/****************************************************************************
Do a 'guest' logon, getting back the
****************************************************************************/
+
static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
{
struct auth_context *auth_context;
}
#endif
-
/****************************************************************************
- send a session setup reply, wrapped in SPNEGO.
- get vuid and check first.
- end the NTLMSSP exchange context if we are OK/complete fail
+ Send a session setup reply, wrapped in SPNEGO.
+ Get vuid and check first.
+ End the NTLMSSP exchange context if we are OK/complete fail
***************************************************************************/
+
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
}
/****************************************************************************
-reply to a session setup spnego negotiate packet
+ Reply to a session setup spnego negotiate packet.
****************************************************************************/
+
static int reply_spnego_negotiate(connection_struct *conn,
char *inbuf,
char *outbuf,
/* already replied */
return -1;
}
-
/****************************************************************************
-reply to a session setup spnego auth packet
+ Reply to a session setup spnego auth packet.
****************************************************************************/
+
static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
int length, int bufsize,
DATA_BLOB blob1)
return -1;
}
-
/****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
****************************************************************************/
+
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
char *outbuf,
int length,int bufsize)
}
/****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
****************************************************************************/
+
int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
int length,int bufsize)
{