From: Volker Lendecke Date: Thu, 21 Aug 2025 08:42:15 +0000 (+0200) Subject: param: Add "client smb encryption over quic" X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=794b07516e2847a643f1cd14dceba3daf4a943c9;p=thirdparty%2Fsamba.git param: Add "client smb encryption over quic" Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme --- diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml b/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml new file mode 100644 index 00000000000..a33a681ba48 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml @@ -0,0 +1,40 @@ + + + + This parameter controls whether the client requires SMB level + encryption even when the transport is already encrypted via QUIC + and thus TLS. + + + client smb encrypt controls the use of the + encryption mechanism introduced with SMB3.0. If client + smb encryption over quic value is set to + no, and the client + connects via a validated QUIC (and thus TLS) connection, the + client ignores the requirements from the parameter + client smb encrypt to avoid double + encryption. + + + If client smb encryption over quic is left + at its default yes, the client connects over + normal TCP, or the tls verify peer was set + to anything less than ca_and_name, the + requirements from client smb encrypt apply. + + + Note that the QUIC-layer encryption is based on a TLS-level + certificate presented by the server. The SMB-layer encryption is + based on individual user sessions and as such essentially on + initial user credentials such as the user's password or equivalent + credentials used for logging on to a Windows session. This might + influence your security assessment regarding the client + smb encryption over quic parameter. + + + +yes + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index ddd992793bf..05b6ec48ac8 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -3293,6 +3293,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "server smb encryption over quic", "yes"); + lpcfg_do_global_parameter(lp_ctx, + "client smb encryption over quic", + "yes"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index dfa31946742..afe2aad5f33 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1015,6 +1015,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx, Globals.himmelblaud_sfa_fallback = false; Globals.server_smb_encryption_over_quic = true; + Globals.client_smb_encryption_over_quic = true; /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline();
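Review bot: The third paragraph of the new docs-xml/smbdotconf/security/clientsmbencryptionoverquic.xml runs three separate conditions together as if they were one sequence ("is left at its default yes, the client connects over normal TCP, or the tls verify peer was set to anything less than ca_and_name"); rewrite it as "If client smb encryption over quic is left at its default yes, if the client connects over normal TCP, or if tls verify peer is set to anything less than ca_and_name, the requirements from client smb encrypt apply." The second paragraph also relies on "a validated QUIC (and thus TLS) connection" before the reader learns that "validated" means tls verify peer = ca_and_name; stating that in the second paragraph makes it clear that a QUIC connection with a weaker tls verify peer setting never switches off SMB-level encryption. Consider cross-referencing the server-side counterpart server smb encryption over quic as well, since it is the matching knob and appears right above the new default in the lib/param/loadparm.c hunk.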
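Review bot: Nothing in this diff reads the new value; the lpcfg_do_global_parameter() call added in loadparm_init() in lib/param/loadparm.c only registers the "yes" default, while the documentation already describes the client ignoring client smb encrypt on a validated QUIC connection. If the libsmb consumer lands in a follow-up commit, the commit message should say so, so a reviewer knows that setting the parameter to no has no effect until that commit is in.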
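Review bot: The default now lives in three places: the docs-xml default value yes, the "yes" string passed to lpcfg_do_global_parameter() in lib/param/loadparm.c, and Globals.client_smb_encryption_over_quic = true; in source3/param/loadparm.c. That mirrors the adjacent server_smb_encryption_over_quic lines, which is fine, but a short comment next to the source3 assignment noting that it must stay in sync with the docs-xml default would help the next person who changes one of them. Keeping yes as the default is the right call, since existing configurations with client smb encrypt = required keep their per-session SMB encryption unless an administrator explicitly opts out.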