From: Volker Lendecke
Date: Mon, 18 Aug 2025 15:13:59 +0000 (+0200)
Subject: smbd: Don't request SMB-level encryption over trusted quic
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58982f9ca790d393f75b03f8bcf8e5a962d92cc5;p=thirdparty%2Fsamba.git
smbd: Don't request SMB-level encryption over trusted quic
Signed-off-by: Volker Lendecke
Reviewed-by: Ralph Boehme
---
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0f9c3e50f2c..dfa31946742 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -82,6 +82,7 @@
 #include "source3/librpc/gen_ndr/ads.h"
 #include "lib/util/time_basic.h"
 #include "libds/common/flags.h"
+#include "source3/smbd/globals.h"
 #ifdef HAVE_SYS_SYSCTL_H
 #include
@@ -4934,5 +4935,15 @@ int lp_smb3_directory_leases(void)
 int lp_server_smb_encrypt(struct smbXsrv_connection *xconn, int snum)
 {
- return lp__server_smb_encrypt(snum);
+ enum smb_encryption_setting enc = lp__server_smb_encrypt(snum);
+
+ if (xconn->transport.trusted_quic) {
+ /*
+ * Our transport is already encrypted in a trustworthy
+ * way, don't request SMB level double-encryption
+ */
+ enc = MIN(enc, SMB_ENCRYPTION_IF_REQUIRED);
+ }
+
+ return enc;
 }
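Review bot: The new `xconn->transport.trusted_quic` test in lp_server_smb_encrypt() dereferences `xconn` unconditionally, whereas the old body never touched it, so any caller that still passes NULL (callers are outside this diff) would now crash; `if (xconn != NULL && xconn->transport.trusted_quic) {` keeps the previous behaviour for them. The `MIN(enc, SMB_ENCRYPTION_IF_REQUIRED)` clamp also lowers a share configured with `server smb encrypt = required` without any log entry, which makes whatever code sets `trusted_quic` the only control protecting that share's traffic. I would extend the comment to say so and to record that the clamp assumes the enum constants are ordered by strength, e.g. `* NOTE: overrides "desired"/"required"; depends on enum smb_encryption_setting ordering.`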