From 0286429fb9c9992bb8835046db5e5e83315ccf74 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 14 Aug 2025 15:32:12 +0200
Subject: [PATCH] smbd: Add the "server smb encryption over quic" parameter

Signed-off-by: Volker Lendecke
Reviewed-by: Ralph Boehme
---
 .../security/serversmbencryptionoverquic.xml | 46 +++++++++++++++++++
 lib/param/loadparm.c | 4 ++
 source3/param/loadparm.c | 2 +
 3 files changed, 52 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml

diff --git a/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
new file mode 100644
index 00000000000..39b8f829ea5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencryptionoverquic.xml
@@ -0,0 +1,46 @@
+ + + + This parameter controls whether the SMB server requires SMB-level + encryption although the transport is encrypted via QUIC. + + + server smb encrypt controls the use of the + encryption mechanism introduced with SMB3.0. If server + smb encryption over quic value is set to + no, and the client + connects via a validated QUIC (and thus TLS) connection, the + server ignores the requirements from the parameter + server smb encrypt and accepts all + SMB-level packets inside the QUIC connection as encrypted in a + trustworthy way. This avoids costly double-encryption. + + + If server smb encryption over + quic is left at its default yes, + the client connects over normal TCP, or the client does not + indicate that it can trust the QUIC connection it uses, the + requirements from server smb encrypt apply. + + + Note that the QUIC-layer encryption is based on a TLS-level + certificate presented by the server. The SMB-layer encryption is + based on individual user sessions and as such essentially on + initial user credentials such as the user's password or equivalent + credentials used for logging on to a Windows session. This might + influence your security assessment regarding the server + smb encryption over quic parameter. + + + Windows has a similar SMB server setting with the + DisableSmbEncryptionOnSecureConnection + switch in the Set-SmbServerConfiguration + PowerShell commandlet. + + + +yes +
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d6553d89011..ddd992793bf 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3289,6 +3289,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "himmelblaud sfa fallback", "false");
+ lpcfg_do_global_parameter(lp_ctx,
+ "server smb encryption over quic",
+ "yes");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
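Review bot: The default of this parameter now lives in three unconnected places — the documented default `yes` in the XML file, this `lpcfg_do_global_parameter(lp_ctx, "server smb encryption over quic", "yes")` call, and `Globals.server_smb_encryption_over_quic = true` in the source3/param/loadparm.c hunk — and nothing in the code says they must agree. A short comment on the new call, `/* default "yes": SMB-level encryption stays required even over QUIC; keep in sync with source3/param/loadparm.c and the smb.conf docs */`, would make later drift visible in review, because a mismatch between the two initialisers would silently change whether the `server smb encrypt` requirements are enforced for QUIC clients depending on which loadparm path a process uses. The parm_table entry and the Globals member are not part of this patch, so they presumably already exist from an earlier commit. loadparm_init continues outside the hunk on both sides.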
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9fb34f0cd2b..0f9c3e50f2c 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1013,6 +1013,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
 Globals.himmelblaud_hello_enabled = false;
 Globals.himmelblaud_sfa_fallback = false;
+ Globals.server_smb_encryption_over_quic = true;
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 }
--
2.47.3