From: Stefan Metzmacher
Date: Wed, 15 Jul 2015 08:57:03 +0000 (+0200)
Subject: CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
X-Git-Tag: samba-4.2.10~141
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87d7973d7fc0538dcfa197c630c600d4f3b3a623;p=thirdparty%2Fsamba.git
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
This means an ad_dc will now require signing by default. This matches the default behavior of Windows dc and avoids man in the middle attacks. The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index e6a9bde15e1..c92272120ef 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -518,6 +518,7 @@ void reply_negprot(struct smb_request *req)
 size_t converted_size;
 struct smbXsrv_connection *xconn = req->xconn;
 struct smbd_server_connection *sconn = req->sconn;
+ bool signing_required = true;
 START_PROFILE(SMBnegprot);
@@ -689,8 +690,9 @@ void reply_negprot(struct smb_request *req)
 DEBUG( 5, ( "negprot index=%d\n", choice ) );
- if ((lp_server_signing() == SMB_SIGNING_REQUIRED)
- && (chosen_level < PROTOCOL_NT1)) {
+ /* We always have xconn->smb1.signing_state also for >= SMB2_02 */
+ signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
+ if (signing_required && (chosen_level < PROTOCOL_NT1)) {
 exit_server_cleanly("SMB signing is required and "
 "client negotiated a downlevel protocol");
 }
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 1f7f1a9a56b..39fd23b249e 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -24,6 +24,7 @@
 #include "../libcli/smb/smb_common.h"
 #include "../lib/tsocket/tsocket.h"
 #include "../librpc/ndr/libndr.h"
+#include "../libcli/smb/smb_signing.h"
 extern fstring remote_proto;
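Review bot: In the second hunk of source3/smbd/negprot.c (reply_negprot), the downlevel-protocol rejection now depends entirely on `xconn->smb1.signing_state` having been set up before negotiation; the new comment states that invariant, but nothing in the visible lines enforces it. Whether `smb_signing_is_mandatory()` tolerates a NULL state cannot be seen from here, so an explicit `SMB_ASSERT(xconn->smb1.signing_state != NULL);` before the call would make the check fail closed instead of relying on the comment. The same applies to the `@@ -221` hunk of source3/smbd/smb2_negprot.c, which makes the identical call. The `= true` initialiser added to `signing_required` in both files is overwritten before it is read, so it documents intent but gives no protection on its own. Both function bodies start and end outside the hunks.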
@@ -149,6 +150,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 uint32_t max_read = lp_smb2_max_read();
 uint32_t max_write = lp_smb2_max_write();
 NTTIME now = timeval_to_nttime(&req->request_time);
+ bool signing_required = true;
 status = smbd_smb2_request_verify_sizes(req, 0x24);
 if (!NT_STATUS_IS_OK(status)) {
@@ -221,7 +223,13 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 }
 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
- if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+ /*
+ * We use xconn->smb1.signing_state as that's already present
+ * and used lpcfg_server_signing_allowed() to get the correct
+ * defaults, e.g. signing_required for an ad_dc.
+ */
+ signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
+ if (signing_required) {
 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 }
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index e255e46ba95..8b239c9b3b0 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -186,7 +186,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 struct smbXsrv_connection *xconn = smb2req->xconn;
 if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing() == SMB_SIGNING_REQUIRED) {
+ (xconn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ {
 x->global->signing_required = true;
 }
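Review bot: In the source3/smbd/smb2_sesssetup.c hunk, the server-side half of the condition now reads `xconn->smb2.server.security_mode`, but no visible line of this commit stores that field; the smb2_negprot.c hunk only sets the local `security_mode`. The assignment presumably happens later in smbd_smb2_request_process_negprot, outside the hunk. It is worth confirming that every negotiate path fills the field before session setup, because otherwise the decision rests on the client's `in_security_mode` alone. A short comment above the `if` would record the dependency, for example `/* server.security_mode was fixed at negprot time from smb_signing_is_mandatory() */`. The enclosing function starts and ends outside the hunk.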