From b615fb6cc5eed3320d635f6ca06c12cd408e89a1 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 30 Jun 2015 14:16:19 +0200 Subject: [PATCH] Introduce setting "desired" for 'smb encrypt' and 'client/server signing' This should trigger the behaviour where the server requires signing when the client supports it, but does not reject clients that don't support it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam Reviewed-by: Guenther Deschner (cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3) --- lib/param/param_table.c | 1 + libcli/smb/smbXcli_base.c | 6 ++++++ libcli/smb/smb_constants.h | 1 + source4/smb_server/smb2/negprot.c | 1 + 4 files changed, 9 insertions(+) diff --git a/lib/param/param_table.c b/lib/param/param_table.c index d590bd11e45..aa1696990bc 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -101,6 +101,7 @@ static const struct enum_list enum_smb_signing_vals[] = { {SMB_SIGNING_IF_REQUIRED, "On"}, {SMB_SIGNING_IF_REQUIRED, "enabled"}, {SMB_SIGNING_IF_REQUIRED, "auto"}, + {SMB_SIGNING_DESIRED, "desired"}, {SMB_SIGNING_REQUIRED, "required"}, {SMB_SIGNING_REQUIRED, "mandatory"}, {SMB_SIGNING_REQUIRED, "force"}, diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 0c6a6d29476..5063e591784 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -354,6 +354,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx, conn->desire_signing = false; conn->mandatory_signing = false; break; + case SMB_SIGNING_DESIRED: + /* if the server desires it */ + conn->allow_signing = true; + conn->desire_signing = true; + conn->mandatory_signing = false; + break; case SMB_SIGNING_REQUIRED: /* always */ conn->allow_signing = true; diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h index 175ffafc4d1..6dbaa288e2e 100644 --- a/libcli/smb/smb_constants.h +++ b/libcli/smb/smb_constants.h @@ -94,6 +94,7 @@ enum smb_signing_setting { SMB_SIGNING_DEFAULT = -1, SMB_SIGNING_OFF = 0, SMB_SIGNING_IF_REQUIRED = 1, + SMB_SIGNING_DESIRED = 2, SMB_SIGNING_REQUIRED = 3, }; diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 83cae18bf31..6a8f6efc2df 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 case SMB_SIGNING_OFF: io->out.security_mode = 0; break; + case SMB_SIGNING_DESIRED: case SMB_SIGNING_IF_REQUIRED: io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; break; -- 2.34.1