From e4ad580b99c5b372353c285569204ab94c177748 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 7 Jun 2008 08:14:25 -0700 Subject: [PATCH 1/1] fixed mandatory signing Metze pointed out that if signing is mandatory in the server then we need to reject packets without the signed flag if the packet contains a session id. (This used to be commit 056f16e664e581bab1c07759e99ad4f6685c58eb) --- source4/smb_server/smb2/negprot.c | 2 ++ source4/smb_server/smb2/receive.c | 4 ++++ source4/smb_server/smb2/sesssetup.c | 3 +-- 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 2da39001ab1..3e6e2e1a43c 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -121,6 +121,8 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 break;
 case SMB_SIGNING_REQUIRED:
 io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ /* force signing on immediately */
+ req->smb_conn->doing_signing = true;
 break;
 }
 io->out.dialect_revision = SMB2_DIALECT_REVISION;
diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c
index 3def8fe5638..2f4e9df2b6a 100644
--- a/source4/smb_server/smb2/receive.c
+++ b/source4/smb_server/smb2/receive.c
@@ -321,6 +321,10 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req)
 smb2srv_send_error(req, status);
 return NT_STATUS_OK;
 }
+ } else if (req->smb_conn->doing_signing && req->session != NULL) {
+ /* we require signing and this request was not signed */
+ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
+ return NT_STATUS_OK;
 }
 
 /* TODO: check the seqnum */
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index 482dd181c27..9fb32200055 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
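Review bot: The comment `/* force signing on immediately */` on the added lines in the `SMB_SIGNING_REQUIRED` case of negprot.c does not say why the flag has to be set at negotiate time rather than at session setup. Going by the commit message, the reason is that unsigned requests carrying a session id must be refused when the server mandates signing, so I would spell that out: `/* server policy requires signing: set the connection flag now so unsigned requests that carry a session id are rejected, whatever the client asks for in session setup */`. The enclosing switch and function begin and end outside the hunk, so whether the other cases leave `doing_signing` untouched cannot be checked here.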
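Review bot: The new `else if` branch in smb2srv_reply() (receive.c) rejects an unsigned request only when `req->session != NULL`, so a request whose session id did not resolve to a session skips this check; whether such a request is refused elsewhere is not visible in this hunk and is worth confirming. The rejection is also silent on the server side, and an unsigned packet on a signing-required connection is an event an operator would want to see, so consider logging it before the error reply, e.g. `DEBUG(2, ("SMB2: rejecting unsigned request on a connection that requires signing\n"));`. The trailing `/* TODO: check the seqnum */` context line suggests that replay of a validly signed packet is still not detected at this point. The function body starts and ends outside the hunk.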
@@ -181,8 +181,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses /* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client. This is deliberate as windows does not set it even when it does set SMB2_NEGOTIATE_SIGNING_REQUIRED */ - if ((io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || - lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED) { + if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) { req->smb_conn->doing_signing = true; } -- 2.34.1
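Review bot: After this change nothing in smb2srv_sesssetup_backend() refers to the server's own signing policy, so enforcement of `SMB_SIGNING_REQUIRED` rests entirely on the assignment made in the negprot.c hunk of this patch. That holds only if every connection reaches session setup through smb2srv_negprot_backend(), which cannot be confirmed from these hunks. At minimum the surviving comment should say where the policy now lives, for example by appending `The server's "signing required" setting is applied at negotiate time in smb2srv_negprot_backend().`; a log line here for the case where `lp_server_signing()` reports required but `doing_signing` is still false would catch a missed path. The function body extends outside the hunk.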