From: Ralph Boehme Date: Tue, 22 Mar 2016 15:30:42 +0000 (+0100) Subject: CVE-2016-2114: s3:smbd: enforce "server signing = mandatory" X-Git-Tag: samba-4.2.10~139 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6ab8e7d337ea60e04b59afa2810d2effd892843;p=thirdparty%2Fsamba.git CVE-2016-2114: s3:smbd: enforce "server signing = mandatory" This fixes a regression that was introduced by commit abb24bf8e874d525382e994af7ae432212775153 ("s3:smbd: make use of better SMB signing negotiation"). BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index b2617041e52..33574f7c086 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -37,6 +37,7 @@ #include "../libcli/security/security.h" #include "auth/gensec/gensec.h" #include "lib/conn_tdb.h" +#include "../libcli/smb/smb_signing.h" /**************************************************************************** Add the standard 'Samba' signature to the end of the session setup. @@ -598,7 +599,8 @@ void reply_sesssetup_and_X(struct smb_request *req) struct smbd_server_connection *sconn = req->sconn; bool doencrypt = xconn->smb1.negprot.encrypted_passwords; bool signing_allowed = false; - bool signing_mandatory = false; + bool signing_mandatory = smb_signing_is_mandatory( + xconn->smb1.signing_state); START_PROFILE(SMBsesssetupX);
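Review bot: in the second hunk, in reply_sesssetup_and_X(), signing_mandatory now starts from smb_signing_is_mandatory(xconn->smb1.signing_state) while signing_allowed on the line above still starts as false, so the two flags can begin in a mandatory-but-not-allowed state. The rest of the function is not visible in this diff, so please confirm that no later assignment derived from the client's request can set signing_mandatory back to false, and that the code treats mandatory as implying allowed; initialising signing_allowed from the same signing state would make the intent explicit. The commit message names the regressing commit but not the observable behaviour that was lost; one sentence on what happened to a session setup when "server signing = mandatory" was configured would help anyone backporting this. No regression test accompanies the change in the lines shown.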