smbd: Add the "server smb encryption over quic" parameter

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
new file mode 100644 (file)
index 0000000..39b8f82
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
@@ -0,0 +1,46 @@
+<samba:parameter name="server smb encryption over quic"
+                context="G"
+                type="boolean"
+                xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    This parameter controls whether the SMB server requires SMB-level
+    encryption although the transport is encrypted via QUIC.
+  </para>
+  <para>
+    <parameter>server smb encrypt</parameter> controls the use of the
+    encryption mechanism introduced with SMB3.0. If <parameter>server
+    smb encryption over quic</parameter> value is set to
+    <emphasis>no</emphasis>, <emphasis>and</emphasis> the client
+    connects via a validated QUIC (and thus TLS) connection, the
+    server ignores the requirements from the parameter
+    <parameter>server smb encrypt</parameter> and accepts all
+    SMB-level packets inside the QUIC connection as encrypted in a
+    trustworthy way. This avoids costly double-encryption.
+  </para>
+  <para>
+    If <parameter>server smb encryption over
+    quic</parameter> is left at its default <emphasis>yes</emphasis>,
+    the client connects over normal TCP, or the client does not
+    indicate that it can trust the QUIC connection it uses, the
+    requirements from <parameter>server smb encrypt</parameter> apply.
+  </para>
+  <para>
+    Note that the QUIC-layer encryption is based on a TLS-level
+    certificate presented by the server. The SMB-layer encryption is
+    based on individual user sessions and as such essentially on
+    initial user credentials such as the user's password or equivalent
+    credentials used for logging on to a Windows session. This might
+    influence your security assessment regarding the <parameter>server
+    smb encryption over quic</parameter> parameter.
+  </para>
+  <para>
+    Windows has a similar SMB server setting with the
+    <parameter>DisableSmbEncryptionOnSecureConnection</parameter>
+    switch in the <command>Set-SmbServerConfiguration</command>
+    PowerShell commandlet.
+  </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d6553d89011efeb7dc32c80a1718828fe18e84b1..ddd992793bf8b3980f4bdef3cb368e10ac64ed99 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3289,6 +3289,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "himmelblaud sfa fallback",
                                  "false");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "server smb encryption over quic",
+                                 "yes");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9fb34f0cd2b82af4ec957a125bcde7096a3b78f1..0f9c3e50f2cae90ac322ba985a91f521992238f1 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1013,6 +1013,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
        Globals.himmelblaud_hello_enabled = false;
        Globals.himmelblaud_sfa_fallback = false;
 
+       Globals.server_smb_encryption_over_quic = true;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }