mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Added the "required" keyword to the "client signing" parameter to force it

on. Fail if mismatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd)
Jeremy Allison 2003-07-15 23:05:57 +00:00
parent 39de3249b0
commit c44a9d25a2
7 changed files with 58 additions and 20 deletions


@ -66,7 +66,7 @@ typedef struct smb_sign_info {
BOOL negotiated_smb_signing;
BOOL allow_smb_signing;
BOOL doing_signing;
BOOL mandetory_signing;
BOOL mandatory_signing;
} smb_sign_info;
struct cli_state {


@ -45,6 +45,7 @@
#define False (0)
#define True (1)
#define Auto (2)
#define Required (3)
#ifndef _BOOL
typedef int BOOL;


@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
if (cli->sign_info.negotiated_smb_signing
|| cli->sign_info.mandetory_signing) {
|| cli->sign_info.mandatory_signing) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli)
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
}
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) {
/* Fail if signing is mandatory and we don't want to support it. */
if (!lp_client_signing()) {
DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
return False;
}
cli->sign_info.negotiated_smb_signing = True;
}
if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
cli->sign_info.negotiated_smb_signing = True;
/* Fail if signing is mandatory and the server doesn't support it. */
if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) {
DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
return False;
}
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
cli->use_spnego = False;
cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
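Review bot: The new mandatory-signing check sits inside the branch that precedes `} else if (cli->protocol >= PROTOCOL_LANMAN1) {`, so a negotiation that settles on an older dialect appears to return without ever testing `cli->sign_info.mandatory_signing`. With `client signing = required`, a server or on-path device that answers with a pre-NT1 protocol would then get an unsigned session, which is the downgrade the setting is meant to refuse. The later branches should start with the same guard, e.g. `if (cli->sign_info.mandatory_signing) return False;` plus a DEBUG(1) message like the two added here. Those branches continue outside the hunk, so confirm they do not already have such a check. The first added test also reads `lp_client_signing()` while the next line uses `cli->sign_info.allow_smb_signing`; using the per-connection flag in both places would keep them consistent.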


@ -261,6 +261,9 @@ struct cli_state *cli_initialise(struct cli_state *cli)
if (lp_client_signing())
cli->sign_info.allow_smb_signing = True;
if (lp_client_signing() == Required)
cli->sign_info.mandatory_signing = True;
if (!cli->outbuf || !cli->inbuf)
goto error;


@ -72,7 +72,7 @@ static BOOL get_sequence_for_reply(struct outstanding_packet_lookup **list,
static BOOL cli_set_smb_signing_common(struct cli_state *cli)
{
if (!cli->sign_info.negotiated_smb_signing
&& !cli->sign_info.mandetory_signing) {
&& !cli->sign_info.mandatory_signing) {
return False;
}
@ -96,7 +96,7 @@ static BOOL cli_set_smb_signing_common(struct cli_state *cli)
static BOOL cli_set_smb_signing_real_common(struct cli_state *cli)
{
if (cli->sign_info.mandetory_signing) {
if (cli->sign_info.mandatory_signing) {
DEBUG(5, ("Mandatory SMB signing enabled!\n"));
cli->sign_info.doing_signing = True;
}
@ -458,4 +458,3 @@ BOOL cli_check_sign_mac(struct cli_state *cli)
return True;
}


@ -291,7 +291,7 @@ typedef struct
BOOL bKernelChangeNotify;
int restrict_anonymous;
int name_cache_timeout;
BOOL client_signing;
int client_signing;
param_opt_struct *param_opt;
}
global;
@ -687,6 +687,25 @@ static const struct enum_list enum_csc_policy[] = {
{-1, NULL}
};
/* SMB signing types. */
static const struct enum_list enum_smb_signing_vals[] = {
{False, "No"},
{False, "False"},
{False, "0"},
{False, "Off"},
{True, "Yes"},
{True, "True"},
{True, "1"},
{True, "On"},
{Required, "Required"},
{Required, "Mandatory"},
{Required, "Force"},
{Required, "Forced"},
{Required, "Enforced"},
{-1, NULL}
};
/*
Do you want session setups at user level security with a invalid
password to be rejected or allowed in as guest? WinNT rejects them
@ -874,7 +893,7 @@ static struct parm_struct parm_table[] = {
{"time server", P_BOOL, P_GLOBAL, &Globals.bTimeServer, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"unix extensions", P_BOOL, P_GLOBAL, &Globals.bUnixExtensions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"use spnego", P_BOOL, P_GLOBAL, &Globals.bUseSpnego, NULL, NULL, FLAG_DEVELOPER},
{"client signing", P_BOOL, P_GLOBAL, &Globals.client_signing, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"client signing", P_ENUM, P_GLOBAL, &Globals.client_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED | FLAG_DEVELOPER},
{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_DEVELOPER},
{"Tuning Options", P_SEP, P_SEPARATOR},
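Review bot: The comment `/* SMB signing types. */` above `enum_smb_signing_vals` does not say what the three values mean, although the rest of the commit gives them distinct security behaviour. Suggested comment: `/* SMB signing: False = never sign (fail if the server requires it), True = sign when the server offers it, Required = fail unless signing is negotiated. */`. How the P_ENUM parser treats a string that is not in this table is not visible here; if it keeps the previous value, a misspelt `Required` would leave signing optional without any warning, so a log message on unrecognised values would be worth having. `Auto` is defined next to `Required` but has no entry in the table, which looks intentional but deserves a word in the comment.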


@ -53,10 +53,10 @@ static NTSTATUS do_map_to_guest(NTSTATUS status, auth_serversupplied_info **serv
return status;
}
/****************************************************************************
Add the standard 'Samba' signature to the end of the session setup.
****************************************************************************/
static int add_signature(char *outbuf, char *p)
{
char *start = p;
@ -72,8 +72,9 @@ static int add_signature(char *outbuf, char *p)
}
/****************************************************************************
send a security blob via a session setup reply
Send a security blob via a session setup reply.
****************************************************************************/
static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
DATA_BLOB blob, NTSTATUS nt_status)
{
@ -101,6 +102,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
/****************************************************************************
Do a 'guest' logon, getting back the
****************************************************************************/
static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
{
struct auth_context *auth_context;
@ -267,12 +269,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
}
#endif
/****************************************************************************
send a session setup reply, wrapped in SPNEGO.
get vuid and check first.
end the NTLMSSP exchange context if we are OK/complete fail
Send a session setup reply, wrapped in SPNEGO.
Get vuid and check first.
End the NTLMSSP exchange context if we are OK/complete fail
***************************************************************************/
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
@ -326,8 +328,9 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
}
/****************************************************************************
reply to a session setup spnego negotiate packet
Reply to a session setup spnego negotiate packet.
****************************************************************************/
static int reply_spnego_negotiate(connection_struct *conn,
char *inbuf,
char *outbuf,
@ -387,11 +390,11 @@ static int reply_spnego_negotiate(connection_struct *conn,
/* already replied */
return -1;
}
/****************************************************************************
reply to a session setup spnego auth packet
Reply to a session setup spnego auth packet.
****************************************************************************/
static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
int length, int bufsize,
DATA_BLOB blob1)
@ -425,10 +428,10 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
return -1;
}
/****************************************************************************
reply to a session setup command
Reply to a session setup command.
****************************************************************************/
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,
char *outbuf,
int length,int bufsize)
@ -509,8 +512,9 @@ static void setup_new_vc_session(void)
}
/****************************************************************************
reply to a session setup command
Reply to a session setup command.
****************************************************************************/
int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
int length,int bufsize)
{
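Review bot: The header comment above `check_guest_password` still reads `Do a 'guest' logon, getting back the` and stops mid-sentence, while this section tidies the other function headers around it. Completing it, for instance `Do a 'guest' logon, getting back the guest server_info.`, would match the `auth_serversupplied_info **server_info` out-parameter in the signature. The function body is outside the hunk, so check the wording against it.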