From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Tue, 20 Jun 2023 15:33:02 +0200
Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when calling srv_init_signing() very early after accepting the connection in smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme
Autobuild-User(master): Jule Anger
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
---
 .../samba3.smb2.session-require-signing | 1 -
 source3/smbd/smb2_signing.c | 19 ++++++++-----------
 2 files changed, 8 insertions(+), 12 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
deleted file mode 100644
index 53b7a7022a8..00000000000
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.session-require-signing.bug15397
diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
index ef4a54d5710..73d07380dfa 100644
--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
 return false;
 }
 
+ /*
+ * For SMB2 all we need to know is if signing is mandatory.
+ * It is always allowed and desired, whatever the smb.conf says.
+ */
+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+
 #if defined(WITH_SMB1SERVER)
- if (conn->protocol >= PROTOCOL_SMB2_02) {
-#endif
- /*
- * For SMB2 all we need to know is if signing is mandatory.
- * It is always allowed and desired, whatever the smb.conf says.
- */
- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-#if defined(WITH_SMB1SERVER)
- } else {
- ok = smb1_srv_init_signing(lp_ctx, conn);
- }
+ ok = smb1_srv_init_signing(lp_ctx, conn);
 #endif
+
 talloc_unlink(conn, lp_ctx);
 return ok;
 }
-- 
2.39.3
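Review bot: The now-unconditional `lpcfg_server_signing_allowed()` call in srv_init_signing() has no comment saying why it must not depend on `conn->protocol`, and the commit message identifies that dependency as the cause of this CVE. Per the commit message the function runs from smbd_add_connection() while `conn->protocol` is still PROTOCOL_NONE, so a protocol test reintroduced here would again leave `smb2.signing_mandatory` unset and silently stop enforcing "server signing = mandatory" for SMB2 clients. I would add one line to the new comment block: `* Do not gate this on conn->protocol: it is still PROTOCOL_NONE when we are called.` The start of srv_init_signing() lies outside the hunk, so whether any caller reaches this point after negotiation cannot be confirmed from here.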