From: Volker Lendecke Date: Mon, 18 Aug 2025 15:06:05 +0000 (+0200) Subject: smbd: Pass smbXsrv_connection to lp_server_smb_encrypt() X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a4ee224b9e4afc423c2222a1e1d8444e67ee884;p=thirdparty%2Fsamba.git smbd: Pass smbXsrv_connection to lp_server_smb_encrypt() We'll modify the value of "server smb encrypt" when we have a trusted quic transport Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme
---
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml
index 56d33046382..8a63de19b14 100644
--- a/docs-xml/smbdotconf/security/serversmbencrypt.xml
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
@@ -1,6 +1,7 @@
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 60271200c0a..2ce5e585adf 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -2,7 +2,7 @@
 context="S"
 type="enum"
 enumlist="enum_smb_encryption_vals"
- function="server_smb_encrypt"
+ function="_server_smb_encrypt"
 synonym="1"
 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 6dd9ccbe39f..9fb34f0cd2b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -249,7 +249,7 @@ static const struct loadparm_service _sDefault =
 .aio_read_size = 1,
 .aio_write_size = 1,
 .map_readonly = MAP_READONLY_NO,
- .server_smb_encrypt = SMB_ENCRYPTION_DEFAULT,
+ ._server_smb_encrypt = SMB_ENCRYPTION_DEFAULT,
 .kernel_share_modes = false,
 .durable_handles = true,
 .check_parent_directory_delete_on_close = false,
@@ -4929,3 +4929,8 @@ int lp_smb3_directory_leases(void)
 dirleases &= !lp_kernel_oplocks(GLOBAL_SECTION_SNUM);
 return dirleases;
 }
+
+int lp_server_smb_encrypt(struct smbXsrv_connection *xconn, int snum)
+{
+ return lp__server_smb_encrypt(snum);
+}
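Review bot: The new `lp_server_smb_encrypt()` at the end of loadparm.c accepts `xconn` but never reads it, and nothing in the hunk says so or says that callers should stop using the generated `lp__server_smb_encrypt()` directly. Because this accessor feeds the checks that decide whether encryption is offered or required, I would add a header comment above it stating that it returns the effective "server smb encrypt" level for the given connection, that `xconn` is currently ignored, and that `lp__server_smb_encrypt()` is the raw configured value and is only meant to be called from here. If a NULL `xconn` is meant to be legal, the same comment should say so; the diff does not show whether any caller passes NULL.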
diff --git a/source3/param/loadparm.h b/source3/param/loadparm.h
index ff4087ce9c2..72773a8b2ec 100644
--- a/source3/param/loadparm.h
+++ b/source3/param/loadparm.h
@@ -72,6 +72,9 @@ enum samba_weak_crypto lp_weak_crypto(void);
 bool lp_strict_rename(int snum);
 int lp_smb3_directory_leases(void);
+struct smbXsrv_connection;
+int lp_server_smb_encrypt(struct smbXsrv_connection *xconn, int snum);
+
 int lp_wi_scan_global_parametrics(
 const char *regex, size_t max_matches,
 bool (*cb)(const char *string, regmatch_t matches[],
diff --git a/source3/smbd/smb1_trans2.c b/source3/smbd/smb1_trans2.c
index 568a5611223..253507f4c14 100644
--- a/source3/smbd/smb1_trans2.c
+++ b/source3/smbd/smb1_trans2.c
@@ -1805,7 +1805,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
 return;
 }
- if (lp_server_smb_encrypt(SNUM(conn)) ==
+ if (lp_server_smb_encrypt(xconn, SNUM(conn)) ==
 SMB_ENCRYPTION_OFF) {
 reply_nterror(
 req,
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index d44ce7c7863..293a7446710 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -409,7 +409,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 }
 if ((protocol >= PROTOCOL_SMB3_00) &&
- (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
+ (lp_server_smb_encrypt(xconn, -1) != SMB_ENCRYPTION_OFF) &&
 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
 capabilities |= SMB2_CAP_ENCRYPTION;
 }
diff --git a/source3/smbd/smb2_service.c b/source3/smbd/smb2_service.c
index 286a4732f73..f7220915a8d 100644
--- a/source3/smbd/smb2_service.c
+++ b/source3/smbd/smb2_service.c
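Review bot: In smbd_smb2_request_process_negprot() the server-wide lookup is still spelled with a bare `-1`, which hides that this is the global setting rather than a share number. loadparm.c in this same patch uses `GLOBAL_SECTION_SNUM` for that purpose, so the rewritten line could read `(lp_server_smb_encrypt(xconn, GLOBAL_SECTION_SNUM) != SMB_ENCRYPTION_OFF) &&`, assuming the macro is visible in this file. The same `-1` appears in the make_connection_snum() and smbd_smb2_auth_generic_return() hunks. The function body continues outside the hunk.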
@@ -535,10 +535,10 @@ NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
 /* Case options for the share. */
 conn_setup_case_options(conn);
- conn->encrypt_level = lp_server_smb_encrypt(snum);
+ conn->encrypt_level = lp_server_smb_encrypt(xconn, snum);
 if ((conn->encrypt_level > SMB_ENCRYPTION_OFF) &&
- (lp_server_smb_encrypt(-1) == SMB_ENCRYPTION_OFF)) {
+ (lp_server_smb_encrypt(xconn, -1) == SMB_ENCRYPTION_OFF)) {
 if (conn->encrypt_level == SMB_ENCRYPTION_REQUIRED) {
 DBG_ERR("Service [%s] requires encryption, but "
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index de98979788c..da6b98f40e9 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -255,12 +255,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED;
 }
- if ((lp_server_smb_encrypt(-1) >= SMB_ENCRYPTION_DESIRED) &&
+ if ((lp_server_smb_encrypt(xconn, -1) >= SMB_ENCRYPTION_DESIRED) &&
 (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED;
 }
- if (lp_server_smb_encrypt(-1) == SMB_ENCRYPTION_REQUIRED) {
+ if (lp_server_smb_encrypt(xconn, -1) == SMB_ENCRYPTION_REQUIRED) {
 x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED | SMBXSRV_ENCRYPTION_DESIRED;
 }
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 0945f00da0f..1739f51de3f 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
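Review bot: Both make_connection_snum() and smbd_smb2_auth_generic_return() take the value returned for one `xconn` and store it in state that is not obviously tied to that connection: `conn->encrypt_level` on the tree connect and `x->global->encryption_flags` on the session. That is harmless while the accessor ignores `xconn`, but the commit message says the value will later depend on a trusted QUIC transport, and if a session can be reached over another channel the relaxed level would presumably carry over to a transport that is not trusted. I would add a comment at both assignments recording where the stored level came from, e.g. `/* level derived from the xconn that created this state; re-evaluate for any other channel */`, so the follow-up change has to address it. Both function bodies continue outside the hunks.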
@@ -306,13 +306,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 TALLOC_FREE(proxy);
 }
- if ((lp_server_smb_encrypt(snum) >= SMB_ENCRYPTION_DESIRED) &&
+ if ((lp_server_smb_encrypt(conn, snum) >= SMB_ENCRYPTION_DESIRED) &&
 (conn->smb2.server.cipher != 0)) {
 encryption_desired = true;
 }
- if (lp_server_smb_encrypt(snum) == SMB_ENCRYPTION_REQUIRED) {
+ if (lp_server_smb_encrypt(conn, snum) == SMB_ENCRYPTION_REQUIRED) {
 encryption_desired = true;
 encryption_required = true;
 }
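Review bot: In smbd_smb2_tree_connect() the new first argument is `conn`, while every other call site in this patch passes `xconn`, and smb1_trans2.c and smb2_service.c use `conn` for the `connection_struct`. The `conn->smb2.server.cipher` test in the same hunk suggests `conn` is the `struct smbXsrv_connection` here, but its declaration is outside the hunk, so a reader cannot confirm that from the diff. A one-line comment above the first check, such as `/* conn is the struct smbXsrv_connection of this request, not a connection_struct */`, or renaming the local to `xconn`, would remove the ambiguity. The two checks also call the accessor twice with the same arguments; reading it once into a local would keep the desired and required decisions consistent.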