CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
index d976f2dc00e5977bf07294a96cf0b06609a67b70..0881c6c020e29c91f0688902dad9592622c6d417 100644 (file)
--- a/docs-xml/smbdotconf/security/clientipcsigning.xml
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -11,16 +11,7 @@
     and <emphasis>disabled</emphasis>.
     </para>
 
-    <para>The default value is the same as the effective value of
-    <smbconfoption name="client signing"/> if the effective value of
-    <smbconfoption name="client ipc min protocol"/> is
-    <constant>NT1</constant>. In any other case the default value is
-    <constant>mandatory</constant>.</para>
-
-    <para>Note that the default value will be changed to <constant>mandatory</constant>
-    in all cases for Samba 4.5</para>
-
-    <para>When the effective value of this option is <constant>mandatory</constant>, SMB signing is required.</para>
+    <para>When set to mandatory or default, SMB signing is required.</para>
 
     <para>When set to auto, SMB signing is offered, but not enforced and if set
     to disabled, SMB signing is not offered either.</para>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 878744f805f399aff41fe7132e80b836d04066f3..f6a7cfefdffa21b892cf093c2adc025c699adb7d 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3350,11 +3350,7 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 {
        int client_ipc_signing = lpcfg__client_ipc_signing(lp_ctx);
        if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
-               int ipc_min_protocol = lpcfg_client_ipc_min_protocol(lp_ctx);
-               if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
-                       return SMB_SIGNING_REQUIRED;
-               }
-               return lpcfg_client_signing(lp_ctx);
+               return SMB_SIGNING_REQUIRED;
        }
        return client_ipc_signing;
 }

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index e251a988c5514497955b4995e2bf11de1b1dc95d..47d2a929834526dee37486dfd9f905925327c19f 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4466,11 +4466,7 @@ int lp_client_ipc_signing(void)
 {
        int client_ipc_signing = lp__client_ipc_signing();
        if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
-               int ipc_min_protocol = lp_client_ipc_min_protocol();
-               if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
-                       return SMB_SIGNING_REQUIRED;
-               }
-               return lp_client_signing();
+               return SMB_SIGNING_REQUIRED;
        }
        return client_ipc_signing;
 }