Added the "required" keyword to the "client signing" parameter to force it
on. Fail if mismatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd
)
This commit is contained in:
parent
39de3249b0
commit
c44a9d25a2
@ -66,7 +66,7 @@ typedef struct smb_sign_info {
|
||||
BOOL negotiated_smb_signing;
|
||||
BOOL allow_smb_signing;
|
||||
BOOL doing_signing;
|
||||
BOOL mandetory_signing;
|
||||
BOOL mandatory_signing;
|
||||
} smb_sign_info;
|
||||
|
||||
struct cli_state {
|
||||
|
@ -45,6 +45,7 @@
|
||||
#define False (0)
|
||||
#define True (1)
|
||||
#define Auto (2)
|
||||
#define Required (3)
|
||||
|
||||
#ifndef _BOOL
|
||||
typedef int BOOL;
|
||||
|
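Review bot: `Required` is a third truthy value for an `int`-backed `BOOL`, so code that compares a signing setting with `== True` will treat `Required` as off while `!= False` treats it as on; a comment on the new define stating the intended test would prevent that, e.g. `/* Required implies True: test with != False, never == True. */`. The existing `Auto (2)` has the same property, and the two are easy to confuse once stored in a plain BOOL field, so the note belongs next to the define rather than at each use.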
@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
|
||||
ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
|
||||
|
||||
if (cli->sign_info.negotiated_smb_signing
|
||||
|| cli->sign_info.mandetory_signing) {
|
||||
|| cli->sign_info.mandatory_signing) {
|
||||
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
|
||||
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
|
||||
}
|
||||
@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli)
|
||||
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
|
||||
}
|
||||
|
||||
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
|
||||
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
|
||||
/* Fail if signing is mandatory and we don't want to support it. */
|
||||
if (!lp_client_signing()) {
|
||||
DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
|
||||
return False;
|
||||
}
|
||||
cli->sign_info.negotiated_smb_signing = True;
|
||||
}
|
||||
|
||||
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
|
||||
cli->sign_info.negotiated_smb_signing = True;
|
||||
|
||||
/* Fail if signing is mandatory and the server doesn't support it. */
|
||||
if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
|
||||
DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
|
||||
return False;
|
||||
}
|
||||
|
||||
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
|
||||
cli->use_spnego = False;
|
||||
cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
|
||||
|
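Review bot: The mandatory-signing check added at the end of this hunk runs only inside what appears to be the NT1 branch, since the block closes with `} else if (cli->protocol >= PROTOCOL_LANMAN1)`; when the server negotiates a dialect that lands in that branch or lower, `mandatory_signing` is never consulted and the connection continues unsigned, so a server that offers an older dialect sidesteps the "required" setting. Moving `if (cli->sign_info.mandatory_signing && !cli->sign_info.negotiated_smb_signing) { DEBUG(1, (...)); return False; }` to after the whole protocol if/else chain makes the setting hold for every dialect. A second inconsistency: the new SIGNATURES_REQUIRED path tests `lp_client_signing()` directly while the SIGNATURES_ENABLED path below it tests `cli->sign_info.allow_smb_signing`, which cli_initialise derives from the same parameter; if a caller clears `allow_smb_signing` after initialisation the two paths disagree, so the first check should read `if (!cli->sign_info.allow_smb_signing)`. The enclosing cli_negprot starts and ends outside the hunk.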
@ -261,6 +261,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
|
||||
|
||||
if (lp_client_signing())
|
||||
cli->sign_info.allow_smb_signing = True;
|
||||
|
||||
if (lp_client_signing() == Required)
|
||||
cli->sign_info.mandatory_signing = True;
|
||||
|
||||
if (!cli->outbuf || !cli->inbuf)
|
||||
goto error;
|
||||
|
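Review bot: `lp_client_signing()` is called twice in a row here; reading it once into a local, `int client_signing = lp_client_signing();`, and testing `if (client_signing)` then `if (client_signing == Required)` derives both flags from a single observation of the parameter and shows their relationship in one place. Because `Required` is 3 and the first test only checks for non-zero, `mandatory_signing` always implies `allow_smb_signing`, which the negprot check (ENABLED && allow sets negotiated, then mandatory && !negotiated fails) depends on; a one-line comment such as `/* Required also sets allow: mandatory implies allowed. */` would make that explicit. cli_initialise starts and ends outside the hunk.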
@ -72,7 +72,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
|
||||
static BOOL cli_set_smb_signing_common(struct cli_state *cli)
|
||||
{
|
||||
if (!cli->sign_info.negotiated_smb_signing
|
||||
&& !cli->sign_info.mandetory_signing) {
|
||||
&& !cli->sign_info.mandatory_signing) {
|
||||
return False;
|
||||
}
|
||||
|
||||
@ -96,7 +96,7 @@ static BOOL cli_set_smb_signing_common(struct cli_state *cli)
|
||||
|
||||
static BOOL cli_set_smb_signing_real_common(struct cli_state *cli)
|
||||
{
|
||||
if (cli->sign_info.mandetory_signing) {
|
||||
if (cli->sign_info.mandatory_signing) {
|
||||
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
|
||||
cli->sign_info.doing_signing = True;
|
||||
}
|
||||
@ -458,4 +458,3 @@ BOOL cli_check_sign_mac(struct cli_state *cli)
|
||||
|
||||
return True;
|
||||
}
|
||||
|
||||
|
@ -291,7 +291,7 @@ typedef struct
|
||||
BOOL bKernelChangeNotify;
|
||||
int restrict_anonymous;
|
||||
int name_cache_timeout;
|
||||
BOOL client_signing;
|
||||
int client_signing;
|
||||
param_opt_struct *param_opt;
|
||||
}
|
||||
global;
|
||||
@ -687,6 +687,25 @@ static const struct enum_list enum_csc_policy[] = {
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
/* SMB signing types. */
|
||||
static const struct enum_list enum_smb_signing_vals[] = {
|
||||
{False, "No"},
|
||||
{False, "False"},
|
||||
{False, "0"},
|
||||
{False, "Off"},
|
||||
{True, "Yes"},
|
||||
{True, "True"},
|
||||
{True, "1"},
|
||||
{True, "On"},
|
||||
{Required, "Required"},
|
||||
{Required, "Mandatory"},
|
||||
{Required, "Force"},
|
||||
{Required, "Forced"},
|
||||
{Required, "Enforced"},
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
Do you want session setups at user level security with a invalid
|
||||
password to be rejected or allowed in as guest? WinNT rejects them
|
||||
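Review bot: The comment on `enum_smb_signing_vals` says only "SMB signing types." and leaves the reader to work out that the three value groups map onto the `False`/`True`/`Required` defines and that `Auto` is not offered; whether Auto was left out on purpose cannot be told from the table, and the `parm_table` hunk further down that switches "client signing" to `P_ENUM` with this table inherits the same gap. Suggest expanding it to `/* SMB signing types: off (False), on (True) or required. Auto is not offered. */` and, if Auto is deliberately excluded, saying why. The hunk also does not show how `Globals.client_signing` is initialised now that its type changes from BOOL to int in the loadparm struct hunk above; a default written as a BOOL literal remains valid, but it is worth confirming the initialiser still sets the intended value.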
@ -874,7 +893,7 @@ static struct parm_struct parm_table[] = {
|
||||
{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
|
||||
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
|
||||
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
|
||||
{"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
|
||||
{"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
|
||||
{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
|
||||
|
||||
{"Tuning Options", P_SEP, P_SEPARATOR},
|
||||
|
@ -53,10 +53,10 @@ static NTSTATUS do_map_to_guest(NTSTATUS status, auth_serversupplied_info **serv
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
/****************************************************************************
|
||||
Add the standard 'Samba' signature to the end of the session setup.
|
||||
****************************************************************************/
|
||||
|
||||
static int add_signature(char *outbuf, char *p)
|
||||
{
|
||||
char *start = p;
|
||||
@ -72,8 +72,9 @@ static int add_signature(char *outbuf, char *p)
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
send a security blob via a session setup reply
|
||||
Send a security blob via a session setup reply.
|
||||
****************************************************************************/
|
||||
|
||||
static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
|
||||
DATA_BLOB blob, NTSTATUS nt_status)
|
||||
{
|
||||
@ -101,6 +102,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
|
||||
/****************************************************************************
|
||||
Do a 'guest' logon, getting back the
|
||||
****************************************************************************/
|
||||
|
||||
static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
|
||||
{
|
||||
struct auth_context *auth_context;
|
||||
@ -267,12 +269,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/****************************************************************************
|
||||
send a session setup reply, wrapped in SPNEGO.
|
||||
get vuid and check first.
|
||||
end the NTLMSSP exchange context if we are OK/complete fail
|
||||
Send a session setup reply, wrapped in SPNEGO.
|
||||
Get vuid and check first.
|
||||
End the NTLMSSP exchange context if we are OK/complete fail
|
||||
***************************************************************************/
|
||||
|
||||
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
|
||||
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
|
||||
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
|
||||
@ -326,8 +328,9 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
reply to a session setup spnego negotiate packet
|
||||
Reply to a session setup spnego negotiate packet.
|
||||
****************************************************************************/
|
||||
|
||||
static int reply_spnego_negotiate(connection_struct *conn,
|
||||
char *inbuf,
|
||||
char *outbuf,
|
||||
@ -387,11 +390,11 @@ static int reply_spnego_negotiate(connection_struct *conn,
|
||||
/* already replied */
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/****************************************************************************
|
||||
reply to a session setup spnego auth packet
|
||||
Reply to a session setup spnego auth packet.
|
||||
****************************************************************************/
|
||||
|
||||
static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
|
||||
int length, int bufsize,
|
||||
DATA_BLOB blob1)
|
||||
@ -425,10 +428,10 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/****************************************************************************
|
||||
reply to a session setup command
|
||||
Reply to a session setup command.
|
||||
****************************************************************************/
|
||||
|
||||
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
|
||||
char *outbuf,
|
||||
int length,int bufsize)
|
||||
@ -509,8 +512,9 @@ static void setup_new_vc_session(void)
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
reply to a session setup command
|
||||
Reply to a session setup command.
|
||||
****************************************************************************/
|
||||
|
||||
int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
|
||||
int length,int bufsize)
|
||||
{
|
||||
|