The branch, master has been updated via a56c35a s3:smbd: always allow SMB1 signing, but only announce it if configured. via 6d6bd96 libcli/smb: add smb_signing_is_desired() from d7ce127 auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a56c35a4deec9745ff27a66ddc85db48c5dfaf97 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 15 10:08:12 2014 +0200 s3:smbd: always allow SMB1 signing, but only announce it if configured. Always allow the client to turn on SMB1 signing using FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104 commit 6d6bd9612c758906f575aa8269adc672c5976f4a Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 15 10:03:10 2014 +0200 libcli/smb: add smb_signing_is_desired() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb_signing.c | 5 +++++ libcli/smb/smb_signing.h | 1 + source3/smbd/negprot.c | 6 +++--- source3/smbd/signing.c | 7 +++++-- 4 files changed, 14 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb_signing.c b/libcli/smb/smb_signing.c index fa61aa8..e128e8f 100644 --- a/libcli/smb/smb_signing.c +++ b/libcli/smb/smb_signing.c @@ -407,6 +407,11 @@ bool smb_signing_is_allowed(struct smb_signing_state *si) return si->allowed; } +bool smb_signing_is_desired(struct smb_signing_state *si) +{ + return si->desired; +} + bool smb_signing_is_mandatory(struct smb_signing_state *si) { return si->mandatory; diff --git a/libcli/smb/smb_signing.h b/libcli/smb/smb_signing.h index 7427ada..7d9e8ad 100644 --- a/libcli/smb/smb_signing.h +++ b/libcli/smb/smb_signing.h @@ -47,6 +47,7 @@ bool smb_signing_activate(struct smb_signing_state *si, const DATA_BLOB response); bool smb_signing_is_active(struct smb_signing_state *si); bool smb_signing_is_allowed(struct smb_signing_state *si); +bool smb_signing_is_desired(struct smb_signing_state *si); bool smb_signing_is_mandatory(struct smb_signing_state *si); bool smb_signing_set_negotiated(struct smb_signing_state *si, bool allowed, bool mandatory); diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index f470d0b..4cd12d8 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice) struct timespec ts; ssize_t ret; struct smbd_server_connection *sconn = req->sconn; - bool signing_enabled = false; + bool signing_desired = false; bool signing_required = false; sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); @@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16 choice) secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; } - signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state); + signing_desired = smb_signing_is_desired(req->sconn->smb1.signing_state); signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state); - if (signing_enabled) { + if (signing_desired) { secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; /* No raw mode with smb signing. */ capabilities &= ~CAP_RAW_MODE; diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c index 295c9f1..b7683cd 100644 --- a/source3/smbd/signing.c +++ b/source3/smbd/signing.c @@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr) bool srv_init_signing(struct smbd_server_connection *conn) { - bool allowed; + bool allowed = true; bool desired; bool mandatory = false; @@ -186,9 +186,12 @@ bool srv_init_signing(struct smbd_server_connection *conn) * This matches Windows behavior and is needed * because not every client that requires signing * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED. + * + * Note that we'll always allow signing if the client + * does send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED. */ - allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory); + desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory); talloc_unlink(conn, lp_ctx); if (lp_async_smb_echo_handler()) { -- Samba Shared Repository