The branch, master has been updated
via a56c35a s3:smbd: always allow SMB1 signing, but only announce it if
configured.
via 6d6bd96 libcli/smb: add smb_signing_is_desired()
from d7ce127 auth: Remove support for HAVE_TRUNCATED_SALT from
pass_check.c
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a56c35a4deec9745ff27a66ddc85db48c5dfaf97
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Apr 15 10:08:12 2014 +0200
s3:smbd: always allow SMB1 signing, but only announce it if configured.
Always allow the client to turn on SMB1 signing using
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104
commit 6d6bd9612c758906f575aa8269adc672c5976f4a
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Apr 15 10:03:10 2014 +0200
libcli/smb: add smb_signing_is_desired()
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb_signing.c | 5 +++++
libcli/smb/smb_signing.h | 1 +
source3/smbd/negprot.c | 6 +++---
source3/smbd/signing.c | 7 +++++--
4 files changed, 14 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb_signing.c b/libcli/smb/smb_signing.c
index fa61aa8..e128e8f 100644
--- a/libcli/smb/smb_signing.c
+++ b/libcli/smb/smb_signing.c
@@ -407,6 +407,11 @@ bool smb_signing_is_allowed(struct smb_signing_state *si)
return si->allowed;
}
+bool smb_signing_is_desired(struct smb_signing_state *si)
+{
+ return si->desired;
+}
+
bool smb_signing_is_mandatory(struct smb_signing_state *si)
{
return si->mandatory;
diff --git a/libcli/smb/smb_signing.h b/libcli/smb/smb_signing.h
index 7427ada..7d9e8ad 100644
--- a/libcli/smb/smb_signing.h
+++ b/libcli/smb/smb_signing.h
@@ -47,6 +47,7 @@ bool smb_signing_activate(struct smb_signing_state *si,
const DATA_BLOB response);
bool smb_signing_is_active(struct smb_signing_state *si);
bool smb_signing_is_allowed(struct smb_signing_state *si);
+bool smb_signing_is_desired(struct smb_signing_state *si);
bool smb_signing_is_mandatory(struct smb_signing_state *si);
bool smb_signing_set_negotiated(struct smb_signing_state *si,
bool allowed, bool mandatory);
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index f470d0b..4cd12d8 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16
choice)
struct timespec ts;
ssize_t ret;
struct smbd_server_connection *sconn = req->sconn;
- bool signing_enabled = false;
+ bool signing_desired = false;
bool signing_required = false;
sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16
choice)
secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
}
- signing_enabled =
smb_signing_is_allowed(req->sconn->smb1.signing_state);
+ signing_desired =
smb_signing_is_desired(req->sconn->smb1.signing_state);
signing_required =
smb_signing_is_mandatory(req->sconn->smb1.signing_state);
- if (signing_enabled) {
+ if (signing_desired) {
secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
/* No raw mode with smb signing. */
capabilities &= ~CAP_RAW_MODE;
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 295c9f1..b7683cd 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void
*ptr)
bool srv_init_signing(struct smbd_server_connection *conn)
{
- bool allowed;
+ bool allowed = true;
bool desired;
bool mandatory = false;
@@ -186,9 +186,12 @@ bool srv_init_signing(struct smbd_server_connection *conn)
* This matches Windows behavior and is needed
* because not every client that requires signing
* sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
+ *
+ * Note that we'll always allow signing if the client
+ * does send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
*/
- allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+ desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
talloc_unlink(conn, lp_ctx);
if (lp_async_smb_echo_handler()) {
--
Samba Shared Repository
