Added the "required" keyword to the "client signing" parameter to force it
authorJeremy Allison <jra@samba.org>
Tue, 15 Jul 2003 23:05:57 +0000 (23:05 +0000)
committerJeremy Allison <jra@samba.org>
Tue, 15 Jul 2003 23:05:57 +0000 (23:05 +0000)
on. Fail if mismatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)

source3/include/client.h
source3/include/smb.h
source3/libsmb/cliconnect.c
source3/libsmb/clientgen.c
source3/libsmb/smb_signing.c
source3/param/loadparm.c
source3/smbd/sesssetup.c

index f3f4ef109afa4d1bca241df3b326d459995a8424..fad2c099b9677e68de61e885f529837d4cd3863e 100644 (file)
@@ -66,7 +66,7 @@ typedef struct smb_sign_info {
        BOOL negotiated_smb_signing;
        BOOL allow_smb_signing;
        BOOL doing_signing;
-       BOOL mandetory_signing;
+       BOOL mandatory_signing;
 } smb_sign_info;
 
 struct cli_state {
index f18391516f7247221ec8dff3ce425ea4cbbf7641..d2714e78bc87ca6782201dcf8d3e397fbf75cba1 100644 (file)
@@ -45,6 +45,7 @@
 #define False (0)
 #define True (1)
 #define Auto (2)
+#define Required (3)
 
 #ifndef _BOOL
 typedef int BOOL;
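Review bot: The new `Required` value sits beside the generic `False`/`True`/`Auto` BOOL constants with nothing saying which parameter it belongs to or how it differs from `True`. A one-line comment on the define would stop it being reused as a general fourth boolean state: `#define Required (3) /* "client signing": refuse a server that cannot sign */`. Like `Auto`, it is an unprefixed macro in a widely included header, so any later field or variable named `Required` will silently be rewritten by the preprocessor; that is existing practice here, but worth knowing when the server-side value is added.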
index 8c02c4fdfeeda8abd83b35dc54542109a6a39abc..fa9af19bf5064734aace6825a6137a0de52b7b08 100644 (file)
@@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
        ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
 
        if (cli->sign_info.negotiated_smb_signing 
-           || cli->sign_info.mandetory_signing) {
+           || cli->sign_info.mandatory_signing) {
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
        }
@@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli)
                                    smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
                }
 
-               if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
+               if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
+                       /* Fail if signing is mandatory and we don't want to support it. */
+                       if (!lp_client_signing()) {
+                               DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
+                               return False;
+                       }
                        cli->sign_info.negotiated_smb_signing = True;
+               }
 
                if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
                        cli->sign_info.negotiated_smb_signing = True;
 
+               /* Fail if signing is mandatory and the server doesn't support it. */
+               if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
+                       DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+                       return False;
+               }
+
        } else if (cli->protocol >= PROTOCOL_LANMAN1) {
                cli->use_spnego = False;
                cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
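Review bot: The mandatory-signing check added just before the `} else if (cli->protocol >= PROTOCOL_LANMAN1)` line only runs for the first protocol branch; a server that negotiates down into the LANMAN1 branch at the bottom of the hunk never reaches it, so a client configured with `client signing = required` would, as far as the visible code shows, carry on unsigned there. If that branch cannot negotiate signing, it needs the same test, e.g. `if (cli->sign_info.mandatory_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); return False; }`, or the check should move after the whole protocol if/else chain. Separately, the new `if (!lp_client_signing())` test re-reads the parameter that cli_initialise already copied into `cli->sign_info.allow_smb_signing` for this connection; testing the per-connection flag keeps a single source of truth. cli_negprot starts before and continues past this hunk.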
index 93fa94c1db8a821a7384262b47aa2989688f54eb..58c5ad8cd3b8ee9939c7aab7c6518dd142181d7a 100644 (file)
@@ -261,6 +261,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
 
        if (lp_client_signing()) 
                cli->sign_info.allow_smb_signing = True;
+
+       if (lp_client_signing() == Required) 
+               cli->sign_info.mandatory_signing = True;
                                    
        if (!cli->outbuf || !cli->inbuf)
                 goto error;
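Review bot: The hunk calls `lp_client_signing()` twice and leaves the reader to work out that `Required` is non-zero and therefore also takes the `allow_smb_signing` branch above it. Reading the parameter once makes the relationship explicit: `int signing = lp_client_signing();` followed by `if (signing) cli->sign_info.allow_smb_signing = True;` and `if (signing == Required) cli->sign_info.mandatory_signing = True;`. A short comment such as `/* Required is non-zero, so mandatory also implies allow_smb_signing. */` would document the dependency either way. cli_initialise starts before and continues past this hunk.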
index 466f32cb92e9f18f7a04566cd2efae7bc808d745..d4f77bf07c89c8f3099e0ef17a2059b3017d847f 100644 (file)
@@ -72,7 +72,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
 static BOOL cli_set_smb_signing_common(struct cli_state *cli) 
 {
        if (!cli->sign_info.negotiated_smb_signing 
-           && !cli->sign_info.mandetory_signing) {
+           && !cli->sign_info.mandatory_signing) {
                return False;
        }
 
@@ -96,7 +96,7 @@ static BOOL cli_set_smb_signing_common(struct cli_state *cli)
 
 static BOOL cli_set_smb_signing_real_common(struct cli_state *cli) 
 {
-       if (cli->sign_info.mandetory_signing) {
+       if (cli->sign_info.mandatory_signing) {
                DEBUG(5, ("Mandatory SMB signing enabled!\n"));
                cli->sign_info.doing_signing = True;
        }
@@ -458,4 +458,3 @@ BOOL cli_check_sign_mac(struct cli_state *cli)
 
        return True;
 }
-
index 9194274a617514a565c6c4997263fd1f0aca7182..dd429fa6889421c19dc3290f58bed8fea3e15f99 100644 (file)
@@ -291,7 +291,7 @@ typedef struct
        BOOL bKernelChangeNotify;
        int restrict_anonymous;
        int name_cache_timeout;
-       BOOL client_signing;
+       int client_signing;
        param_opt_struct *param_opt;
 }
 global;
@@ -687,6 +687,25 @@ static const struct enum_list enum_csc_policy[] = {
        {-1, NULL}
 };
 
+/* SMB signing types. */
+static const struct enum_list enum_smb_signing_vals[] = {
+       {False, "No"},
+       {False, "False"},
+       {False, "0"},
+       {False, "Off"},
+       {True, "Yes"},
+       {True, "True"},
+       {True, "1"},
+       {True, "On"},
+       {Required, "Required"},
+       {Required, "Mandatory"},
+       {Required, "Force"},
+       {Required, "Forced"},
+       {Required, "Enforced"},
+       {-1, NULL}
+};
+
+
 /* 
    Do you want session setups at user level security with a invalid
    password to be rejected or allowed in as guest? WinNT rejects them
@@ -874,7 +893,7 @@ static struct parm_struct parm_table[] = {
        {"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
        {"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
        {"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
-       {"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+       {"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
        {"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
 
        {"Tuning Options", P_SEP, P_SEPARATOR},
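Review bot: The `enum_smb_signing_vals` table is introduced with only `/* SMB signing types. */`, which does not say what the three tiers mean or why eight boolean spellings are listed; suggested replacement: `/* "client signing": off, on (sign when the server offers it), or required (refuse a server that cannot sign). Boolean spellings are kept so existing smb.conf files keep working. */`. The `Globals.client_signing` change from `BOOL` to `int` at the top of this section also affects the `lp_client_signing()` accessor, which is not in the visible hunks; if it is still generated through the BOOL accessor macro, confirm that a value of 3 is returned unchanged rather than folded to a boolean, since cli_initialise compares it against `Required`. The smb.conf documentation for the parameter is not touched by this commit and should gain the new value and its synonyms.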
index 263196173927d5e9a88e945b63474b987a06690d..7d77ed307105162d37240b79b0488d17b8bfb894 100644 (file)
@@ -53,10 +53,10 @@ static NTSTATUS do_map_to_guest(NTSTATUS status, auth_serversupplied_info **serv
        return status;
 }
 
-
 /****************************************************************************
  Add the standard 'Samba' signature to the end of the session setup.
 ****************************************************************************/
+
 static int add_signature(char *outbuf, char *p)
 {
        char *start = p;
@@ -72,8 +72,9 @@ static int add_signature(char *outbuf, char *p)
 }
 
 /****************************************************************************
-send a security blob via a session setup reply
+ Send a security blob via a session setup reply.
 ****************************************************************************/
+
 static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
                                 DATA_BLOB blob, NTSTATUS nt_status)
 {
@@ -101,6 +102,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
 /****************************************************************************
  Do a 'guest' logon, getting back the 
 ****************************************************************************/
+
 static NTSTATUS check_guest_password(auth_serversupplied_info **server_info) 
 {
        struct auth_context *auth_context;
@@ -267,12 +269,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
 }
 #endif
 
-
 /****************************************************************************
send a session setup reply, wrapped in SPNEGO.
get vuid and check first.
end the NTLMSSP exchange context if we are OK/complete fail
Send a session setup reply, wrapped in SPNEGO.
Get vuid and check first.
End the NTLMSSP exchange context if we are OK/complete fail
 ***************************************************************************/
+
 static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
                                 AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
                                 DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status) 
@@ -326,8 +328,9 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
 }
 
 /****************************************************************************
-reply to a session setup spnego negotiate packet
+ Reply to a session setup spnego negotiate packet.
 ****************************************************************************/
+
 static int reply_spnego_negotiate(connection_struct *conn, 
                                  char *inbuf,
                                  char *outbuf,
@@ -387,11 +390,11 @@ static int reply_spnego_negotiate(connection_struct *conn,
        /* already replied */
        return -1;
 }
-
        
 /****************************************************************************
-reply to a session setup spnego auth packet
+ Reply to a session setup spnego auth packet.
 ****************************************************************************/
+
 static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
                             int length, int bufsize,
                             DATA_BLOB blob1)
@@ -425,10 +428,10 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
        return -1;
 }
 
-
 /****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
 ****************************************************************************/
+
 static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
                                        char *outbuf,
                                        int length,int bufsize)
@@ -509,8 +512,9 @@ static void setup_new_vc_session(void)
 }
 
 /****************************************************************************
-reply to a session setup command
+ Reply to a session setup command.
 ****************************************************************************/
+
 int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
                          int length,int bufsize)
 {