2025-01-11 05:18:09 +03:00 · 2014-04-15 10:08:12 +02:00 · 2014-04-15 10:08:12 +02:00 · a56c35a4de
commit a56c35a4de
parent 6d6bd9612c
2 changed files with 8 additions and 5 deletions
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@ -250,7 +250,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 	struct timespec ts;
 	ssize_t ret;
 	struct smbd_server_connection *sconn = req->sconn;
-	bool signing_enabled = false;
+	bool signing_desired = false;
 	bool signing_required = false;

 	sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@ -313,10 +313,10 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
 		secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
 	}

-	signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+	signing_desired = smb_signing_is_desired(req->sconn->smb1.signing_state);
 	signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);

-	if (signing_enabled) {
+	if (signing_desired) {
 		secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 		/* No raw mode with smb signing. */
 		capabilities &= ~CAP_RAW_MODE;
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@ -169,7 +169,7 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)

 bool srv_init_signing(struct smbd_server_connection *conn)
 {
-	bool allowed;
+	bool allowed = true;
 	bool desired;
 	bool mandatory = false;

@ -186,9 +186,12 @@ bool srv_init_signing(struct smbd_server_connection *conn)
 	 * This matches Windows behavior and is needed
 	 * because not every client that requires signing
 	 * sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
+	 *
+	 * Note that we'll always allow signing if the client
+	 * does send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
 	 */

-	allowed = desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
+	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
 	talloc_unlink(conn, lp_ctx);

 	if (lp_async_smb_echo_handler()) {