From c52097ae1739c5aab6306ce43b3029b5deabe8f3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 15 Mar 2016 23:52:30 +0100
Subject: [PATCH] CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher
Reviewed-by: Alexander Bokovoy
---
 docs-xml/smbdotconf/security/clientipcsigning.xml | 11 +----------
 lib/param/loadparm.c | 6 +-----
 source3/param/loadparm.c | 6 +-----
 3 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
index d976f2dc00e..0881c6c020e 100644
--- a/docs-xml/smbdotconf/security/clientipcsigning.xml
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -11,16 +11,7 @@ and disabled. - The default value is the same as the effective value of - if the effective value of - is - NT1. In any other case the default value is - mandatory. - - Note that the default value will be changed to mandatory - in all cases for Samba 4.5 - - When the effective value of this option is mandatory, SMB signing is required. + When set to mandatory or default, SMB signing is required. When set to auto, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either.
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 878744f805f..f6a7cfefdff 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3350,11 +3350,7 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 {
 int client_ipc_signing = lpcfg__client_ipc_signing(lp_ctx);
 if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
- int ipc_min_protocol = lpcfg_client_ipc_min_protocol(lp_ctx);
- if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
- return SMB_SIGNING_REQUIRED;
- }
- return lpcfg_client_signing(lp_ctx);
+ return SMB_SIGNING_REQUIRED;
 }
 return client_ipc_signing;
 }
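Review bot: The new `return SMB_SIGNING_REQUIRED;` in lpcfg_client_ipc_signing() has no comment explaining why the default is now unconditional, so a later reader could reintroduce the protocol-dependent fallback this commit removes. I would add a comment above that return, for example `/* CVE-2016-2115: IPC connections default to required signing, independent of the IPC min protocol and of "client signing" */`. An explicitly configured value still reaches `return client_ipc_signing;` unchanged, so hosts that set this option to auto or disabled do not get enforced signing after the upgrade; presumably that is intended, and the comment is a good place to say so. The same applies to lp_client_ipc_signing() in source3/param/loadparm.c.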
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index e251a988c55..47d2a929834 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4466,11 +4466,7 @@ int lp_client_ipc_signing(void)
 {
 int client_ipc_signing = lp__client_ipc_signing();
 if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
- int ipc_min_protocol = lp_client_ipc_min_protocol();
- if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
- return SMB_SIGNING_REQUIRED;
- }
- return lp_client_signing();
+ return SMB_SIGNING_REQUIRED;
 }
 return client_ipc_signing;
 }
-- 
2.11.4.GIT
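Review bot: lp_client_ipc_signing() now repeats the body of lpcfg_client_ipc_signing() line for line, differing only in the accessor `lp__client_ipc_signing()`, so this security default lives in two places that must always be changed together. Whether the source3 function could delegate to the lib/param one is not visible from this hunk. If it cannot, a cross-reference above the function would help: `/* keep in sync with lpcfg_client_ipc_signing() in lib/param/loadparm.c */`.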