CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
author Stefan Metzmacher <metze@samba.org>
Tue, 15 Mar 2016 22:52:30 +0000 (23:52 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:27 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
docs-xml/smbdotconf/security/clientipcsigning.xml
lib/param/loadparm.c
source3/param/loadparm.c

index d976f2d..0881c6c 100644 (file)
     and <emphasis>disabled</emphasis>.
     </para>
 
-    <para>The default value is the same as the effective value of
-    <smbconfoption name="client signing"/> if the effective value of
-    <smbconfoption name="client ipc min protocol"/> is
-    <constant>NT1</constant>. In any other case the default value is
-    <constant>mandatory</constant>.</para>
-
-    <para>Note that the default value will be changed to <constant>mandatory</constant>
-    in all cases for Samba 4.5</para>
-
-    <para>When the effective value of this option is <constant>mandatory</constant>, SMB signing is required.</para>
+    <para>When set to mandatory or default, SMB signing is required.</para>
 
     <para>When set to auto, SMB signing is offered, but not enforced and if set
     to disabled, SMB signing is not offered either.</para>
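Review bot: The replacement paragraph ("When set to mandatory or default, SMB signing is required.") no longer tells the reader that the default has stopped depending on other options. The removed text documented that with "client ipc min protocol" at NT1 the default followed the effective "client signing" value, so an admin who relied on that inheritance now gets mandatory signing on IPC connections with nothing in this page saying so. Consider adding one sentence stating that the default is mandatory regardless of "client ipc min protocol" and "client signing", and that a setup which needs the old behaviour must set "client ipc signing" to auto or disabled explicitly. The removed paragraphs wrapped the values in <constant>; the added line uses bare words, which matches the unchanged "auto"/"disabled" paragraph below but loses the markup for "mandatory".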
index 878744f..f6a7cfe 100644 (file)
@@ -3350,11 +3350,7 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 {
        int client_ipc_signing = lpcfg__client_ipc_signing(lp_ctx);
        if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
-               int ipc_min_protocol = lpcfg_client_ipc_min_protocol(lp_ctx);
-               if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
-                       return SMB_SIGNING_REQUIRED;
-               }
-               return lpcfg_client_signing(lp_ctx);
+               return SMB_SIGNING_REQUIRED;
        }
        return client_ipc_signing;
 }
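Review bot: The SMB_SIGNING_DEFAULT branch in lpcfg_client_ipc_signing() now returns SMB_SIGNING_REQUIRED unconditionally, and nothing in the function says why the earlier fallback to lpcfg_client_signing() for pre-SMB2 protocols was dropped. A short comment above "return SMB_SIGNING_REQUIRED;" noting that the IPC default is deliberately mandatory for every protocol level, with a pointer to the bug referenced in the commit message, would keep a later cleanup from reintroducing the protocol-dependent path. The function still calls the raw lpcfg__client_ipc_signing() accessor first, so explicit auto or disabled settings are honoured as before; that is worth stating in the same comment.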
index e251a98..47d2a92 100644 (file)
@@ -4466,11 +4466,7 @@ int lp_client_ipc_signing(void)
 {
        int client_ipc_signing = lp__client_ipc_signing();
        if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
-               int ipc_min_protocol = lp_client_ipc_min_protocol();
-               if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
-                       return SMB_SIGNING_REQUIRED;
-               }
-               return lp_client_signing();
+               return SMB_SIGNING_REQUIRED;
        }
        return client_ipc_signing;
 }
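Review bot: lp_client_ipc_signing() here is a line-for-line copy of the lib/param change, so the security-relevant default now lives in two places that must stay in step. A comment in each function pointing at the other, or a shared helper that maps SMB_SIGNING_DEFAULT to SMB_SIGNING_REQUIRED, would reduce the chance of one copy drifting. The file list for this commit contains only the documentation and the two loadparm.c files, so nothing in it exercises the new default; a test that leaves "client ipc signing" unset, sets "client ipc min protocol" to NT1 and "client signing" to a weaker value, and checks that the result is still SMB_SIGNING_REQUIRED would pin down exactly the case the removed lines used to handle differently.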