param: Add "client smb encryption over quic"
authorVolker Lendecke <vl@samba.org>
Thu, 21 Aug 2025 08:42:15 +0000 (10:42 +0200)
committerRalph Boehme <slow@samba.org>
Fri, 22 Aug 2025 13:55:34 +0000 (13:55 +0000)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml b/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml
new file mode 100644 (file)
index 0000000..a33a681
--- /dev/null
@@ -0,0 +1,40 @@
+<samba:parameter name="client smb encryption over quic"
+                context="G"
+                type="boolean"
+                xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    This parameter controls whether the client requires SMB level
+    encryption even when the transport is already encrypted via QUIC
+    and thus TLS.
+  </para>
+  <para>
+    <parameter>client smb encrypt</parameter> controls the use of the
+    encryption mechanism introduced with SMB3.0. If <parameter>client
+    smb encryption over quic</parameter> value is set to
+    <emphasis>no</emphasis>, <emphasis>and</emphasis> the client
+    connects via a validated QUIC (and thus TLS) connection, the
+    client ignores the requirements from the parameter
+    <parameter>client smb encrypt</parameter> to avoid double
+    encryption.
+  </para>
+  <para>
+    If <parameter>client smb encryption over quic</parameter> is left
+    at its default <emphasis>yes</emphasis>, the client connects over
+    normal TCP, or the <parameter>tls verify peer</parameter> was set
+    to anything less than <constant>ca_and_name</constant>, the
+    requirements from <parameter>client smb encrypt</parameter> apply.
+  </para>
+  <para>
+    Note that the QUIC-layer encryption is based on a TLS-level
+    certificate presented by the server. The SMB-layer encryption is
+    based on individual user sessions and as such essentially on
+    initial user credentials such as the user's password or equivalent
+    credentials used for logging on to a Windows session. This might
+    influence your security assessment regarding the <parameter>client
+    smb encryption over quic</parameter> parameter.
+  </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
index ddd992793bf8b3980f4bdef3cb368e10ac64ed99..05b6ec48ac8b1df1e2a3363d26d292b927d52cd8 100644 (file)
@@ -3293,6 +3293,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "server smb encryption over quic",
                                  "yes");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "client smb encryption over quic",
+                                 "yes");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
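Review bot: The default `yes` is now carried in three places — the `<value type="default">` in the new XML, this `lpcfg_do_global_parameter()` call, and `Globals.client_smb_encryption_over_quic = true;` in the source3 `loadparm_s3_init_globals()` hunk — with nothing tying them together, so a later edit to one of them can silently leave the lib/param and source3 defaults disagreeing. A short comment above the new call, `/* default must match clientsmbencryptionoverquic.xml and loadparm_s3_init_globals() */`, would make the coupling visible; the same note applies to the source3 hunk. Keeping the default at yes is the conservative choice, since the XML text says a `no` setting drops the `client smb encrypt` requirement whenever the QUIC/TLS peer verification passes, which moves the protection from per-session credentials to the server certificate alone. Nothing in this commit reads the new parameter, so the behaviour the XML describes is presumably implemented elsewhere or in a follow-up; worth confirming before the documentation ships. `loadparm_init()` starts outside the hunk.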
index dfa319467422b280152f2978b421fed5679bc7e3..afe2aad5f33df3691fc147318158375e37953490 100644 (file)
@@ -1015,6 +1015,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
        Globals.himmelblaud_sfa_fallback = false;
 
        Globals.server_smb_encryption_over_quic = true;
+       Globals.client_smb_encryption_over_quic = true;
 
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();