The branch, master has been updated
via e20c64e14fb libsmb: Avoid smb-level encryption if quic is trusted
via f6292db0b35 libsmb: Add "smb_encryption_over_quic" to smb311_capabilities
via 794b07516e2 param: Add "client smb encryption over quic"
via 58982f9ca79 smbd: Don't request SMB-level encryption over trusted quic
via 5e0dbd23452 smbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic
via 0286429fb9c smbd: Add the "server smb encryption over quic" parameter
via 2a4ee224b9e smbd: Pass smbXsrv_connection to lp_server_smb_encrypt()
via e1d8227827b param: Fix whitespace
via 5007dbbbc9d smbd: Switch from a != to a ==
via 2d6899c03d9 smbd: Avoid an "else"
via c899a42f640 smbd: Modernize DEBUGs
via 5f286b4a0ad smbd: Add a comment matching the other flags
via f1670643c1f smbd: Make a few encryption-related functions static to smbstatus
via 171c584c675 smbd: Fix a typo
via 073e82422dc smbd: Shed a nested if-expression
via 8f116ab9ff7 docs: Fix "server smb encrypt" for SMB3+
via b0b3d039615 libsmb: Negotiate SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY over quic
via 29e0d7be86e lib: tstream_tls_verify_peer_trusted()
via bd15054462b libcli: Add tls_verify_peer_state to smbXcli_transport
via 0553b839f8e tls: Add tstream_tls_params_verify_peer()
via a881a76892d libcli: Introduce helper var in smbXcli_negprot_smb2_subreq()
from 26065e1f1ee third_party:quic_ko_wrapper Fix compilation with clang-20
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e20c64e14fbc6a478cf31e01cf33ae4abc19b1fe
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 21 12:17:55 2025 +0200
libsmb: Avoid smb-level encryption if quic is trusted
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Autobuild-User(master): Ralph Böhme <[email protected]>
Autobuild-Date(master): Fri Aug 22 14:55:47 UTC 2025 on atb-devel-224
commit f6292db0b359ee2a02bd54c404791a8f86c7ec8f
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 21 12:15:25 2025 +0200
libsmb: Add "smb_encryption_over_quic" to smb311_capabilities
Put here from the "client smb encryption over quic" settings
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 794b07516e2847a643f1cd14dceba3daf4a943c9
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 21 10:42:15 2025 +0200
param: Add "client smb encryption over quic"
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 58982f9ca790d393f75b03f8bcf8e5a962d92cc5
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 18 17:13:59 2025 +0200
smbd: Don't request SMB-level encryption over trusted quic
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 5e0dbd23452df0c4bd9b20462f3146723cd122b6
Author: Volker Lendecke <[email protected]>
Date: Fri Aug 8 12:06:13 2025 +0200
smbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 0286429fb9c9992bb8835046db5e5e83315ccf74
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 14 15:32:12 2025 +0200
smbd: Add the "server smb encryption over quic" parameter
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 2a4ee224b9e4afc423c2222a1e1d8444e67ee884
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 18 17:06:05 2025 +0200
smbd: Pass smbXsrv_connection to lp_server_smb_encrypt()
We'll modify the value of "server smb encrypt" when we have a trusted
quic transport
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit e1d8227827b58fcd2d5ebec5d4a12e11064400f9
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 18 16:25:38 2025 +0200
param: Fix whitespace
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 5007dbbbc9d35c57a773cedd9882d5c33e60fbbf
Author: Volker Lendecke <[email protected]>
Date: Tue Aug 12 15:06:39 2025 +0200
smbd: Switch from a != to a ==
Simpler to read for me
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 2d6899c03d9d72caaacb790bc776510f860f255a
Author: Volker Lendecke <[email protected]>
Date: Wed Aug 13 15:27:39 2025 +0200
smbd: Avoid an "else"
We return in the if-branch
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit c899a42f640ac7f26ca759b28ed17494efe73564
Author: Volker Lendecke <[email protected]>
Date: Wed Aug 13 15:06:54 2025 +0200
smbd: Modernize DEBUGs
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 5f286b4a0ad1b83f896ddf7893d52de0ad5bb458
Author: Volker Lendecke <[email protected]>
Date: Wed Aug 13 13:55:42 2025 +0200
smbd: Add a comment matching the other flags
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit f1670643c1f56b6085d7daa36727f5e2b81c9c87
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 11 17:02:52 2025 +0200
smbd: Make a few encryption-related functions static to smbstatus
Only referenced there; I got confused by them being part of smbd
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 171c584c67582c71efe0575b1f99f4667366de99
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 11 15:16:54 2025 +0200
smbd: Fix a typo
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 073e82422dc84370a287fbd0f407f6661af0e0c2
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 11 15:12:31 2025 +0200
smbd: Shed a nested if-expression
Review with "git show -w". This is easier to read for me.
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 8f116ab9ff7672cb42f5181f3aca4c6b0b837758
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 11 14:40:16 2025 +0200
docs: Fix "server smb encrypt" for SMB3+
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit b0b3d039615f9e3a4bf6d585bf32d03e52214f13
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 7 12:35:23 2025 +0200
libsmb: Negotiate SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY over quic
If we trust quic, indicate to the server that we do so.
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 29e0d7be86e640af9228aad145cc4bcf4372e1a2
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 7 08:56:08 2025 +0200
lib: tstream_tls_verify_peer_trusted()
We can only trust a tls connection if at connection setup we checked
the certificates
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit bd15054462b12904c3c7583dbf5d01c7e82eec0d
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 4 14:59:15 2025 +0200
libcli: Add tls_verify_peer_state to smbXcli_transport
We have to carry a copy over from the tstream_tls_params used to
connect; we can't get this information out once the tls-protected
tstream is established
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 0553b839f8ed68ae13a98d276e1889093c6a6814
Author: Volker Lendecke <[email protected]>
Date: Mon Aug 4 13:53:49 2025 +0200
tls: Add tstream_tls_params_verify_peer()
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit a881a76892dcc9b2ba30a32b4d11f2acb1ee135c
Author: Volker Lendecke <[email protected]>
Date: Thu Aug 7 11:53:59 2025 +0200
libcli: Introduce helper var in smbXcli_negprot_smb2_subreq()
Saves a few bytes of code
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
.../security/clientsmbencryptionoverquic.xml | 40 ++++++
docs-xml/smbdotconf/security/serversmbencrypt.xml | 3 +-
.../security/serversmbencryptionoverquic.xml | 46 +++++++
docs-xml/smbdotconf/security/smbencrypt.xml | 2 +-
lib/param/loadparm.c | 8 ++
lib/param/param.h | 16 +--
libcli/smb/smb2_negotiate_context.h | 9 +-
libcli/smb/smbXcli_base.c | 139 ++++++++++++++++-----
libcli/smb/smbXcli_base.h | 28 +++--
libcli/smb/util.c | 9 +-
source3/librpc/idl/smbXsrv.idl | 6 +-
source3/libsmb/clientgen.c | 6 +-
source3/libsmb/smbsock_connect.c | 43 ++++---
source3/param/loadparm.c | 21 +++-
source3/param/loadparm.h | 3 +
source3/smbd/globals.h | 6 +-
source3/smbd/smb1_pipes.c | 6 +-
source3/smbd/smb1_trans2.c | 2 +-
source3/smbd/smb2_negprot.c | 45 ++++++-
source3/smbd/smb2_process.c | 22 ++--
source3/smbd/smb2_server.c | 40 +-----
source3/smbd/smb2_service.c | 23 ++--
source3/smbd/smb2_sesssetup.c | 4 +-
source3/smbd/smb2_tcon.c | 4 +-
source3/torture/torture.c | 15 ++-
source3/utils/status.c | 32 +++++
source4/lib/tls/tls.h | 3 +
source4/lib/tls/tls_tstream.c | 21 ++++
source4/param/loadparm.c | 6 +-
source4/torture/smb2/multichannel.c | 5 +-
30 files changed, 453 insertions(+), 160 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml
create mode 100644 docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml
b/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml
new file mode 100644
index 00000000000..a33a681ba48
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="client smb encryption over quic"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether the client requires SMB level
+ encryption even when the transport is already encrypted via QUIC
+ and thus TLS.
+ </para>
+ <para>
+ <parameter>client smb encrypt</parameter> controls the use of the
+ encryption mechanism introduced with SMB3.0. If <parameter>client
+ smb encryption over quic</parameter> value is set to
+ <emphasis>no</emphasis>, <emphasis>and</emphasis> the client
+ connects via a validated QUIC (and thus TLS) connection, the
+ client ignores the requirements from the parameter
+ <parameter>client smb encrypt</parameter> to avoid double
+ encryption.
+ </para>
+ <para>
+ If <parameter>client smb encryption over quic</parameter> is left
+ at its default <emphasis>yes</emphasis>, the client connects over
+ normal TCP, or the <parameter>tls verify peer</parameter> was set
+ to anything less than <constant>ca_and_name</constant>, the
+ requirements from <parameter>client smb encrypt</parameter> apply.
+ </para>
+ <para>
+ Note that the QUIC-layer encryption is based on a TLS-level
+ certificate presented by the server. The SMB-layer encryption is
+ based on individual user sessions and as such essentially on
+ initial user credentials such as the user's password or equivalent
+ credentials used for logging on to a Windows session. This might
+ influence your security assessment regarding the <parameter>client
+ smb encryption over quic</parameter> parameter.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
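Review bot: the second paragraph is missing an article ("If <parameter>client smb encryption over quic</parameter> value is set to"); suggest "If the value of <parameter>client smb encryption over quic</parameter> is set to <emphasis>no</emphasis>". The third paragraph lists three conditions (default <emphasis>yes</emphasis>, plain TCP, <parameter>tls verify peer</parameter> below <constant>ca_and_name</constant>) in one sentence without saying that any single one of them is enough; suggest "If any of the following holds: ..." so the fallback rule is unambiguous. It would also help to state in the second paragraph that setting this to <emphasis>no</emphasis> waives a stricter <parameter>client smb encrypt</parameter> setting on a trusted QUIC connection, since an operator who tightened that parameter may not expect a separate global boolean to relax it.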
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml
b/docs-xml/smbdotconf/security/serversmbencrypt.xml
index 5f38b46419e..8a63de19b14 100644
--- a/docs-xml/smbdotconf/security/serversmbencrypt.xml
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
@@ -1,6 +1,7 @@
<samba:parameter name="server smb encrypt"
context="S"
type="enum"
+ function="_server_smb_encrypt"
enumlist="enum_smb_encryption_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
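Review bot: the description of <parameter>server smb encrypt</parameter> in this file gains the <literal>function="_server_smb_encrypt"</literal> attribute but no text about the new override; suggest a cross-reference sentence here saying that <parameter>server smb encryption over quic</parameter> set to <emphasis>no</emphasis> lets a trusted QUIC connection satisfy this parameter's requirements, so an administrator reading the share-level setting sees that a global parameter can change its effect. The rename to <literal>_server_smb_encrypt</literal> is consistent with the synonym change in smbencrypt.xml in this same series.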
@@ -86,7 +87,7 @@
</varlistentry>
<varlistentry>
- <term><emphasis>Effects for SMB2 and newer</emphasis></term>
+ <term><emphasis>Effects for SMB3.0 and newer</emphasis></term>
<listitem>
<para>
Native SMB transport encryption is available in SMB version 3.0
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
new file mode 100644
index 00000000000..39b8f829ea5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
@@ -0,0 +1,46 @@
+<samba:parameter name="server smb encryption over quic"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter controls whether the SMB server requires SMB-level
+ encryption although the transport is encrypted via QUIC.
+ </para>
+ <para>
+ <parameter>server smb encrypt</parameter> controls the use of the
+ encryption mechanism introduced with SMB3.0. If <parameter>server
+ smb encryption over quic</parameter> value is set to
+ <emphasis>no</emphasis>, <emphasis>and</emphasis> the client
+ connects via a validated QUIC (and thus TLS) connection, the
+ server ignores the requirements from the parameter
+ <parameter>server smb encrypt</parameter> and accepts all
+ SMB-level packets inside the QUIC connection as encrypted in a
+ trustworthy way. This avoids costly double-encryption.
+ </para>
+ <para>
+ If <parameter>server smb encryption over
+ quic</parameter> is left at its default <emphasis>yes</emphasis>,
+ the client connects over normal TCP, or the client does not
+ indicate that it can trust the QUIC connection it uses, the
+ requirements from <parameter>server smb encrypt</parameter> apply.
+ </para>
+ <para>
+ Note that the QUIC-layer encryption is based on a TLS-level
+ certificate presented by the server. The SMB-layer encryption is
+ based on individual user sessions and as such essentially on
+ initial user credentials such as the user's password or equivalent
+ credentials used for logging on to a Windows session. This might
+ influence your security assessment regarding the <parameter>server
+ smb encryption over quic</parameter> parameter.
+ </para>
+ <para>
+ Windows has a similar SMB server setting with the
+ <parameter>DisableSmbEncryptionOnSecureConnection</parameter>
+ switch in the <command>Set-SmbServerConfiguration</command>
+ PowerShell commandlet.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
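Review bot: "PowerShell commandlet" in the last paragraph should read "cmdlet". More importantly, the third paragraph says the requirements apply when "the client does not indicate that it can trust the QUIC connection"; the text should make explicit that the server cannot verify that indication, it only sees the client's negotiate context, so with this parameter set to <emphasis>no</emphasis> the decision to skip SMB-level encryption rests on the client having validated the server certificate. Suggest also stating that the QUIC transport stays TLS-encrypted either way and that what is given up is the per-session, credential-derived key binding described in the fourth paragraph, so administrators can weigh this against shares on which <parameter>server smb encrypt</parameter> mandates encryption.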
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml
b/docs-xml/smbdotconf/security/smbencrypt.xml
index 60271200c0a..2ce5e585adf 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -2,7 +2,7 @@
context="S"
type="enum"
enumlist="enum_smb_encryption_vals"
- function="server_smb_encrypt"
+ function="_server_smb_encrypt"
synonym="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d6553d89011..05b6ec48ac8 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3289,6 +3289,14 @@ struct loadparm_context *loadparm_init(TALLOC_CTX
*mem_ctx)
"himmelblaud sfa fallback",
"false");
+ lpcfg_do_global_parameter(lp_ctx,
+ "server smb encryption over quic",
+ "yes");
+
+ lpcfg_do_global_parameter(lp_ctx,
+ "client smb encryption over quic",
+ "yes");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/param.h b/lib/param/param.h
index ef678a1cbd6..ed10fa9e90d 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -1,24 +1,24 @@
-/*
+/*
Unix SMB/CIFS implementation.
Generic parameter parsing interface
Copyright (C) Jelmer Vernooij 2005
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _PARAM_H /* _PARAM_H */
-#define _PARAM_H
+#define _PARAM_H
#include <talloc.h>
@@ -205,7 +205,7 @@ bool lpcfg_is_my_domain_or_realm(struct loadparm_context
*lp_ctx,
const char *domain);
/**
- see if a string matches either our primary or one of our secondary
+ see if a string matches either our primary or one of our secondary
netbios aliases. do a case insensitive match
*/
bool lpcfg_is_myname(struct loadparm_context *lp_ctx, const char *name);
@@ -253,10 +253,10 @@ char *lpcfg_private_db_path(TALLOC_CTX *mem_ctx,
/**
return a path in the smbd.tmp directory, where all temporary file
- for smbd go. If NULL is passed for name then return the directory
+ for smbd go. If NULL is passed for name then return the directory
path itself
*/
-char *smbd_tmp_path(TALLOC_CTX *mem_ctx,
+char *smbd_tmp_path(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *name);
diff --git a/libcli/smb/smb2_negotiate_context.h
b/libcli/smb/smb2_negotiate_context.h
index 645fb64a377..7c061e4457b 100644
--- a/libcli/smb/smb2_negotiate_context.h
+++ b/libcli/smb/smb2_negotiate_context.h
@@ -71,14 +71,17 @@ struct smb3_encryption_capabilities {
struct smb311_capabilities {
struct smb3_signing_capabilities signing;
struct smb3_encryption_capabilities encryption;
+ bool smb_encryption_over_quic;
};
const char *smb3_signing_algorithm_name(uint16_t algo);
const char *smb3_encryption_algorithm_name(uint16_t algo);
-struct smb311_capabilities smb311_capabilities_parse(const char *role,
- const char * const *signing_algos,
- const char * const *encryption_algos);
+struct smb311_capabilities smb311_capabilities_parse(
+ const char *role,
+ const char *const *signing_algos,
+ const char *const *encryption_algos,
+ bool smb_encryption_over_quic);
NTSTATUS smb311_capabilities_check(const struct smb311_capabilities *c,
const char *debug_prefix,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 8e5d6bf18c3..2389cf7c08b 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -51,6 +51,7 @@ struct smbXcli_transport {
struct smb_transport transport;
int sock_fd;
struct tstream_context *tstream;
+ enum tls_verify_peer_state verify_peer;
struct samba_sockaddr laddr;
struct samba_sockaddr raddr;
@@ -148,6 +149,7 @@ struct smbXcli_conn {
uint16_t security_mode;
struct GUID guid;
struct smb311_capabilities smb3_capabilities;
+ bool requested_transport_level_security;
} client;
struct {
@@ -163,6 +165,7 @@ struct smbXcli_conn {
uint16_t sign_algo;
uint16_t cipher;
bool smb311_posix;
+ bool transport_trusted;
} server;
uint64_t mid;
@@ -423,11 +426,13 @@ static int smbXcli_transport_tstream_monitor_recv(struct
tevent_req *req)
return sys_errno;
}
-struct smbXcli_transport *smbXcli_transport_tstream(TALLOC_CTX *mem_ctx,
- struct tstream_context
**pstream,
- const struct samba_sockaddr
*laddr,
- const struct samba_sockaddr
*raddr,
- const struct smb_transport
*tp)
+struct smbXcli_transport *smbXcli_transport_tstream(
+ TALLOC_CTX *mem_ctx,
+ struct tstream_context **pstream,
+ enum tls_verify_peer_state verify_peer,
+ const struct samba_sockaddr *laddr,
+ const struct samba_sockaddr *raddr,
+ const struct smb_transport *tp)
{
struct smbXcli_transport *xtp = NULL;
@@ -438,6 +443,7 @@ struct smbXcli_transport
*smbXcli_transport_tstream(TALLOC_CTX *mem_ctx,
xtp->transport = *tp;
xtp->sock_fd = -1;
+ xtp->verify_peer = verify_peer;
xtp->laddr = *laddr;
xtp->raddr = *raddr;
@@ -508,9 +514,11 @@ static int smbXcli_transport_bsd_monitor_recv(struct
tevent_req *req)
return wait_for_error_recv(req);
}
-struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX *mem_ctx,
- int *_fd,
- const struct smb_transport *tp)
+struct smbXcli_transport *smbXcli_transport_bsd(
+ TALLOC_CTX *mem_ctx,
+ int *_fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp)
{
struct smbXcli_transport *xtp = NULL;
int fd = *_fd;
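Review bot: smbXcli_transport_bsd() now takes verify_peer for a raw file descriptor and, as the following hunk shows, stores it in xtp->verify_peer without checking it against the transport described by tp. A caller that passes a verified state together with a plain TCP transport would make the connection advertise SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY later in smbXcli_negprot_smb2_subreq(). Suggest either rejecting that combination or clamping verify_peer so that tstream_tls_verify_peer_trusted() cannot return true unless tp describes a QUIC transport, so the trust decision is tied to the transport that actually carries TLS.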
@@ -523,6 +531,7 @@ struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX
*mem_ctx,
xtp->transport = *tp;
xtp->sock_fd = fd;
+ xtp->verify_peer = verify_peer;
xtp->laddr.sa_socklen = sizeof(xtp->laddr.u);
ret = getsockname(fd, &xtp->laddr.u.sa, &xtp->laddr.sa_socklen);
@@ -557,9 +566,10 @@ struct smbXcli_transport *smbXcli_transport_bsd(TALLOC_CTX
*mem_ctx,
}
struct smbXcli_transport *smbXcli_transport_bsd_tstream(
- TALLOC_CTX *mem_ctx,
- int *fd,
- const struct smb_transport *tp)
+ TALLOC_CTX *mem_ctx,
+ int *fd,
+ enum tls_verify_peer_state verify_peer,
+ const struct smb_transport *tp)
{
struct samba_sockaddr laddr = {
.sa_socklen = sizeof(struct sockaddr_storage),
@@ -593,7 +603,8 @@ struct smbXcli_transport *smbXcli_transport_bsd_tstream(
*fd = -1;
tstream_bsd_optimize_readv(tstream, true);
- xtp = smbXcli_transport_tstream(mem_ctx, &tstream, &laddr, &raddr, tp);
+ xtp = smbXcli_transport_tstream(
+ mem_ctx, &tstream, verify_peer, &laddr, &raddr, tp);
TALLOC_FREE(tstream);
return xtp;
}
@@ -3567,6 +3578,14 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX
*mem_ctx,
}
}
+ if (conn->smb2.server.transport_trusted) {
+ /*
+ * We as a client agreed with the server that quic
+ * encryption is enough
+ */
+ state->smb2.should_encrypt = false;
+ }
+
if (state->smb2.should_encrypt) {
state->smb2.should_sign = false;
}
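Review bot: the new block clears state->smb2.should_encrypt unconditionally when conn->smb2.server.transport_trusted is set, after the per-request decision and before the existing "if (state->smb2.should_encrypt) { should_sign = false; }", so a request that was required to be encrypted is silently sent signed-only. Suggest a DBG_DEBUG() line when that downgrade happens (the series switches to those macros elsewhere), and extending the comment to say that signing is deliberately kept, which is the effect of clearing should_encrypt before the should_sign check.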
@@ -5334,6 +5353,7 @@ static size_t smbXcli_padding_helper(uint32_t offset,
size_t n)
static struct tevent_req *smbXcli_negprot_smb2_subreq(struct
smbXcli_negprot_state *state)
{
+ struct smbXcli_conn *conn = state->conn;
size_t i;
uint8_t *buf;
uint16_t dialect_count = 0;
@@ -5343,11 +5363,11 @@ static struct tevent_req
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
bool ok;
uint8_t val[2];
- if (smb2cli_prots[i].proto < state->conn->min_protocol) {
+ if (smb2cli_prots[i].proto < conn->min_protocol) {
continue;
}
- if (smb2cli_prots[i].proto > state->conn->max_protocol) {
+ if (smb2cli_prots[i].proto > conn->max_protocol) {
continue;
}
@@ -5364,27 +5384,28 @@ static struct tevent_req
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
buf = state->smb2.fixed;
SSVAL(buf, 0, 36);
SSVAL(buf, 2, dialect_count);
- SSVAL(buf, 4, state->conn->smb2.client.security_mode);
+ SSVAL(buf, 4, conn->smb2.client.security_mode);
SSVAL(buf, 6, 0); /* Reserved */
- if (state->conn->max_protocol >= PROTOCOL_SMB3_00) {
- SIVAL(buf, 8, state->conn->smb2.client.capabilities);
+ if (conn->max_protocol >= PROTOCOL_SMB3_00) {
+ SIVAL(buf, 8, conn->smb2.client.capabilities);
} else {
SIVAL(buf, 8, 0); /* Capabilities */
}
- if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
+ if (conn->max_protocol >= PROTOCOL_SMB2_10) {
struct GUID_ndr_buf guid_buf = { .buf = {0}, };
- GUID_to_ndr_buf(&state->conn->smb2.client.guid, &guid_buf);
+ GUID_to_ndr_buf(&conn->smb2.client.guid, &guid_buf);
memcpy(buf+12, guid_buf.buf, 16); /* ClientGuid */
} else {
memset(buf+12, 0, 16); /* ClientGuid */
}
- if (state->conn->max_protocol >= PROTOCOL_SMB3_11) {
+ if (conn->max_protocol >= PROTOCOL_SMB3_11) {
const struct smb3_signing_capabilities *client_sign_algos =
- &state->conn->smb2.client.smb3_capabilities.signing;
+ &conn->smb2.client.smb3_capabilities.signing;
const struct smb3_encryption_capabilities *client_ciphers =
- &state->conn->smb2.client.smb3_capabilities.encryption;
+ &conn->smb2.client.smb3_capabilities.encryption;
+ enum tls_verify_peer_state verify_peer;
NTSTATUS status;
struct smb2_negotiate_contexts c = { .num_contexts = 0, };
uint8_t *netname_utf16 = NULL;
@@ -5445,10 +5466,38 @@ static struct tevent_req
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
}
}
- ok = convert_string_talloc(state, CH_UNIX, CH_UTF16,
- state->conn->remote_name,
- strlen(state->conn->remote_name),
- &netname_utf16, &netname_utf16_len);
+ verify_peer = conn->transport->verify_peer;
+
+ if (tstream_tls_verify_peer_trusted(verify_peer) &&
+ !conn->smb2.client.smb3_capabilities
+ .smb_encryption_over_quic)
+ {
+ uint8_t cap_buf[sizeof(uint32_t)];
+
+ PUSH_LE_U32(cap_buf,
+ 0,
+ SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY);
+
+ status = smb2_negotiate_context_add(
+ state,
+ &c,
+ SMB2_TRANSPORT_CAPABILITIES,
+ cap_buf,
+ sizeof(cap_buf));
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+ conn->smb2.client
+ .requested_transport_level_security = true;
+ }
+
+ ok = convert_string_talloc(state,
+ CH_UNIX,
+ CH_UTF16,
+ conn->remote_name,
+ strlen(conn->remote_name),
+ &netname_utf16,
+ &netname_utf16_len);
if (!ok) {
return NULL;
}
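Review bot: the condition `tstream_tls_verify_peer_trusted(verify_peer) && !conn->smb2.client.smb3_capabilities.smb_encryption_over_quic` reads inverted relative to the member name: a false smb_encryption_over_quic is what makes the client advertise SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY. A one-line comment stating that, or naming the member after what it requests, would spare the next reader a double take. Placing the context inside the PROTOCOL_SMB3_11 branch is right, since negotiate contexts only exist from 3.1.1 on, and the `return NULL` on smb2_negotiate_context_add() failure matches the convert_string_talloc() error path directly below.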
@@ -5505,13 +5554,19 @@ static struct tevent_req
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
SBVAL(buf, 28, 0); /* Reserved/ClientStartTime */
}
- return smb2cli_req_send(state, state->ev,
- state->conn, SMB2_OP_NEGPROT,
- 0, 0, /* flags */
+ return smb2cli_req_send(state,
+ state->ev,
+ conn,
+ SMB2_OP_NEGPROT,
+ 0, /* additional_flags */
+ 0, /* clear_flags */
state->timeout_msec,
- NULL, NULL, /* tcon, session */
- state->smb2.fixed, sizeof(state->smb2.fixed),
- dyn.data, dyn.length,
+ NULL, /* tcon */
+ NULL, /* session */
+ state->smb2.fixed,
+ sizeof(state->smb2.fixed),
+ dyn.data,
+ dyn.length,
UINT16_MAX); /* max_dyn_len */
}
@@ -5547,6 +5602,7 @@ static void smbXcli_negprot_smb2_done(struct tevent_req
*subreq)
struct smb2_negotiate_context *sign_algo = NULL;
struct smb2_negotiate_context *cipher = NULL;
struct smb2_negotiate_context *posix = NULL;
+ struct smb2_negotiate_context *transport_caps = NULL;
struct iovec sent_iov[3] = {{0}, {0}, {0}};
static const struct smb2cli_req_expected_response expected[] = {
{
@@ -5914,6 +5970,25 @@ static void smbXcli_negprot_smb2_done(struct tevent_req
*subreq)
conn->smb2.server.cipher = cipher_selected;
}
+ if (conn->smb2.client.requested_transport_level_security) {
+ transport_caps = smb2_negotiate_context_find(
+ state->out_ctx, SMB2_TRANSPORT_CAPABILITIES);
+ }
+ if (transport_caps != NULL) {
+ uint32_t caps;
+
+ if (transport_caps->data.length != sizeof(uint32_t)) {
+ tevent_req_nterror(req,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
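Review bot: the changeset is cut off right after the length check on transport_caps->data.length, so the part that sets conn->smb2.server.transport_trusted is not visible here; the continuation needs to test that the SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY bit is actually set in the returned uint32 and leave transport_trusted false when the server echoes the context without it. Looking up the context only when conn->smb2.client.requested_transport_level_security is set is the right guard, as it ignores an unsolicited context. A DBG line for the case where the server omits the context despite the request would also help, since the client then silently falls back to the <parameter>client smb encrypt</parameter> rules.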
--
Samba Shared Repository