From: Andrew Tridgell
Date: Sat, 7 Jun 2008 15:14:25 +0000 (-0700)
Subject: fixed mandatory signing
X-Git-Url: http://git.samba.org/samba.git/?p=kai%2Fsamba.git;a=commitdiff_plain;h=056f16e664e581bab1c07759e99ad4f6685c58eb
fixed mandatory signing
Metze pointed out that if signing is mandatory in the server then we need to reject packets without the signed flag if the packet contains a session id.
---
diff --git a/source/smb_server/smb2/negprot.c b/source/smb_server/smb2/negprot.c
index 2da39001ab1..3e6e2e1a43c 100644
--- a/source/smb_server/smb2/negprot.c
+++ b/source/smb_server/smb2/negprot.c
@@ -121,6 +121,8 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 break;
 case SMB_SIGNING_REQUIRED:
 io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ /* force signing on immediately */
+ req->smb_conn->doing_signing = true;
 break;
 }
 io->out.dialect_revision = SMB2_DIALECT_REVISION;
diff --git a/source/smb_server/smb2/receive.c b/source/smb_server/smb2/receive.c
index 3def8fe5638..2f4e9df2b6a 100644
--- a/source/smb_server/smb2/receive.c
+++ b/source/smb_server/smb2/receive.c
@@ -321,6 +321,10 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req)
 smb2srv_send_error(req, status);
 return NT_STATUS_OK;
 }
+ } else if (req->smb_conn->doing_signing && req->session != NULL) {
+ /* we require signing and this request was not signed */
+ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
+ return NT_STATUS_OK;
 }
 /* TODO: check the seqnum */
diff --git a/source/smb_server/smb2/sesssetup.c b/source/smb_server/smb2/sesssetup.c
index 482dd181c27..9fb32200055 100644
--- a/source/smb_server/smb2/sesssetup.c
+++ b/source/smb_server/smb2/sesssetup.c
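Review bot: In negprot.c the new assignment turns on `doing_signing` before any session or session key exists, and the one-line comment does not say what that means for the rest of the connection. Judging by the receive.c hunk of this commit, the flag now also drives rejection of unsigned requests once a session is attached, so I would spell that out: `/* server requires signing: mark the connection now so smb2srv_reply() rejects unsigned requests that carry a session */`. Any code that signs replies based on this flag should be checked to cope with a request that has no session key yet; that code is not visible here. The enclosing switch and function start and end outside the hunk.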
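Review bot: In receive.c the new `else if` tests the resolved `req->session` pointer, while the commit message speaks of packets that contain a session id; an unsigned request whose id did not resolve to a session skips this branch and depends on later code in smb2srv_reply to be refused. That may be handled in the dispatch further down, but it is not visible in this hunk, so a comment would help: `/* unsigned requests with no resolved session fall through; the opcode dispatch must refuse anything that needs a session */`. A log line before the error, for example `DEBUG(2,("smb2: unsigned request rejected, signing is required\n"));`, would also let operators see when enforcement triggers. The function continues outside the hunk.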
@@ -181,8 +181,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses /* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client. This is deliberate as windows does not set it even when it does set SMB2_NEGOTIATE_SIGNING_REQUIRED */ - if ((io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || - lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED) { + if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) { req->smb_conn->doing_signing = true; }
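Review bot: Dropping the `lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED` test in sesssetup.c makes mandatory signing depend on smb2srv_negprot_backend having run first on this connection. If a session setup can be processed without a preceding negotiate (not visible in this hunk), `doing_signing` stays false and the server-side requirement is not applied; keeping the old test next to the client flag would be harmless and independent of request order. At minimum the retained comment should say where the server policy is now enforced, e.g. `/* server-side SMB_SIGNING_REQUIRED is applied in smb2srv_negprot_backend() */`. The function body starts and ends outside the hunk.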