sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-04 08:22:08 +03:00
Code Activity

CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT

Browse Source 
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Ralph Boehme
2015-12-16 09:55:37 +01:00
committed by Stefan Metzmacher
parent a046ffd6cd
commit b720575f16
5 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/param/loadparm.c
View File

@ -3393,10 +3393,13 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
case SMB_SIGNING_DESIRED: case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED: case SMB_SIGNING_IF_REQUIRED:
break; break;
case SMB_SIGNING_DEFAULT:
case SMB_SIGNING_OFF: case SMB_SIGNING_OFF:
allowed = false; allowed = false;
break; break;
case SMB_SIGNING_DEFAULT:
case SMB_SIGNING_IPC_DEFAULT:
smb_panic(__location__);
break;
} }
return allowed; return allowed;

1
libcli/smb/smbXcli_base.c
View File

@ -382,6 +382,7 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
conn->desire_signing = true; conn->desire_signing = true;
conn->mandatory_signing = false; conn->mandatory_signing = false;
break; break;
case SMB_SIGNING_IPC_DEFAULT:
case SMB_SIGNING_REQUIRED: case SMB_SIGNING_REQUIRED:
/* always */ /* always */
conn->allow_signing = true; conn->allow_signing = true;

1
libcli/smb/smb_constants.h
View File

@ -95,6 +95,7 @@ enum protocol_types {
#define PROTOCOL_LATEST PROTOCOL_SMB3_11 #define PROTOCOL_LATEST PROTOCOL_SMB3_11
enum smb_signing_setting { enum smb_signing_setting {
SMB_SIGNING_IPC_DEFAULT = -2, /* Only used in C code */
SMB_SIGNING_DEFAULT = -1, SMB_SIGNING_DEFAULT = -1,
SMB_SIGNING_OFF = 0, SMB_SIGNING_OFF = 0,
SMB_SIGNING_IF_REQUIRED = 1, SMB_SIGNING_IF_REQUIRED = 1,

9
source3/libsmb/clientgen.c
View File

@ -170,6 +170,15 @@ struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx,
use_level_II_oplocks = true; use_level_II_oplocks = true;
} }
if (signing_state == SMB_SIGNING_IPC_DEFAULT) {
/*
* Ensure for IPC/RPC the default is to require
* signing unless explicitly turned off by the
* administrator.
*/
signing_state = lp_client_ipc_signing();
}
if (signing_state == SMB_SIGNING_DEFAULT) { if (signing_state == SMB_SIGNING_DEFAULT) {
signing_state = lp_client_signing(); signing_state = lp_client_signing();
} }

1
source4/smb_server/smb2/negprot.c
View File

@ -147,6 +147,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
switch (signing_setting) { switch (signing_setting) {
case SMB_SIGNING_DEFAULT: case SMB_SIGNING_DEFAULT:
case SMB_SIGNING_IPC_DEFAULT:
smb_panic(__location__); smb_panic(__location__);
break; break;
case SMB_SIGNING_OFF: case SMB_SIGNING_OFF: