Add a URL argument and API to enforce signing
authorRonnie Sahlberg <ronniesahlberg@gmail.com>
Sun, 12 Apr 2020 03:29:05 +0000 (13:29 +1000)
committerRonnie Sahlberg <ronniesahlberg@gmail.com>
Sun, 12 Apr 2020 03:29:05 +0000 (13:29 +1000)
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
README
include/smb2/libsmb2.h
lib/init.c
lib/libsmb2.c
lib/libsmb2.syms

diff --git a/README b/README
index f6d41d8e583d8868a33dc4a2fbbae7767d5f2e80..b68c17a23ce09450e8c4394c4683e1b98c976daa 100644 (file)
--- a/README
+++ b/README
@@ -53,6 +53,7 @@ Aruments supported by libsmb2 are :
                  2.02, 2.10, 3.00, 3.02 : negotiate a specific version.
                  Default is to negotiate any SMB2 or SMB3 version.
   seal          : Enable SMB3 encryption.
+  sign          : Require SMB2/3 signing.
 
 NOTE:-
        When using krb5cc mode use smb2_set_domain() and smb2_set_password() in the examples and applications
index 1aa4df114abb51b6be6e58d16964d66d5b0ab3c1..956ba37466eaf5562e0c9ef52d7f159195ee5061 100644 (file)
@@ -180,6 +180,13 @@ void smb2_set_security_mode(struct smb2_context *smb2, uint16_t security_mode);
  */
 void smb2_set_seal(struct smb2_context *smb2, int val);
 
+/*
+ * Set whether smb2 signing should be required or not
+ * 0  : do not require signing. This is the default.
+ * !0 : require signing.
+ */
+void smb2_set_sign(struct smb2_context *smb2, int val);
+
 /*
  * Set authentication method.
  * SMB2_SEC_UNDEFINED (use KRB if available or NTLM if not)
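Review bot: The comment added for `smb2_set_sign` does not say when the value is consulted or how a refusal is reported to the caller. Going by the `negotiate_cb` hunk further down this page, the flag is read while the negotiate reply is processed, so it presumably has to be set before connecting, and the library itself writes `smb2->sign = 1` when the server requires signing. A later `smb2_set_sign(smb2, 0)` on a live context would therefore clear negotiated state, not just a preference. I would add a line such as `Must be set before connecting; the connect fails if the server does not offer signing.` and state that the call is not meant to be used on an established connection. The same applies to the setter body added in lib/init.c.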
index 15dd971e2d632329ecf6d06c85c31bfd6752e2d4..fc106ef0ce5fa9016c84eae4a9c8050c8de1da29 100644 (file)
@@ -93,6 +93,8 @@ smb2_parse_args(struct smb2_context *smb2, const char *args)
 
                 if (!strcmp(args, "seal")) {
                         smb2->seal = 1;
+                } else if (!strcmp(args, "sign")) {
+                        smb2->sign = 1;
                 } else if (!strcmp(args, "ndr32")) {
                         smb2->ndr = 1;
                 } else if (!strcmp(args, "ndr64")) {
@@ -510,6 +512,11 @@ void smb2_set_seal(struct smb2_context *smb2, int val)
         smb2->seal = val;
 }
 
+void smb2_set_sign(struct smb2_context *smb2, int val)
+{
+        smb2->sign = val;
+}
+
 void smb2_set_authentication(struct smb2_context *smb2, int val)
 {
         smb2->sec = val;
index 2a5cdd972886929100eb7960da7979805bc6337e..c883bc4a460476395c8e8d4864f5ade4da99f75c 100644 (file)
@@ -771,6 +771,16 @@ negotiate_cb(struct smb2_context *smb2, int status,
                 }
         }
 
+        if (smb2->sign &&
+            !(rep->security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)) {
+                smb2_set_error(smb2, "Signing requested but server "
+                               "does not support signing.");
+                smb2_close_context(smb2);
+                c_data->cb(smb2, -ENOMEM, NULL, c_data->cb_data);
+                free_c_data(smb2, c_data);
+                return;
+        }
+
         if (rep->security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
                 smb2->sign = 1;
         }
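Review bot: The new refusal path in `negotiate_cb` hands `-ENOMEM` to the connect callback although no allocation failed, so a caller that branches on the errno will read a policy refusal as memory exhaustion and may retry. A code that describes the refusal would fit better, for example `c_data->cb(smb2, -EACCES, NULL, c_data->cb_data);`. The check also only tests the `SMB2_NEGOTIATE_SIGNING_ENABLED` bit in the negotiate reply. Whether a session that ends up without a signing key (guest or anonymous, for instance) is rejected when `sign` is set cannot be seen from this hunk and is worth verifying before documenting the option as "require". `negotiate_cb` begins and ends outside the hunk.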
index 862a276177fed31ef436b6701d01b0b92f6df107..20d9006c8fbfe0dacb8b15fc5d29628fdc1c931b 100644 (file)
@@ -70,6 +70,7 @@ smb2_set_password
 smb2_set_domain
 smb2_set_workstation
 smb2_set_seal
+smb2_set_sign
 smb2_stat
 smb2_stat_async
 smb2_statvfs