docs-xml: add "client/server smb3 signing algorithms" options
authorStefan Metzmacher <metze@samba.org>
Tue, 13 Jul 2021 19:26:19 +0000 (21:26 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 15 Jul 2021 00:06:31 +0000 (00:06 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
docs-xml/smbdotconf/security/clientsmbsigningalgos.xml [new file with mode: 0644]
docs-xml/smbdotconf/security/serversmbsigningalgos.xml [new file with mode: 0644]
lib/param/loadparm.c
lib/param/loadparm.h
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
new file mode 100644 (file)
index 0000000..0e0f64e
--- /dev/null
@@ -0,0 +1,22 @@
+<samba:parameter name="client smb3 signing algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This parameter specifies the availability and order of
+       signing algorithms which are available for negotiation in the SMB3_11 dialect.
+       </para>
+       <para>It is also possible to remove individual algorithms from the default list,
+       by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+       </para>
+       <para>Note: that the removal of aes-128-cmac from the list will result
+       in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+       will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+       available algorithms for these dialects.
+       </para>
+</description>
+
+<value type="default">aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
new file mode 100644 (file)
index 0000000..dadfd8a
--- /dev/null
@@ -0,0 +1,22 @@
+<samba:parameter name="server smb3 signing algorithms"
+                 context="G"
+                 type="list"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This parameter specifies the availability and order of
+       signing algorithms which are available for negotiation in the SMB3_11 dialect.
+       </para>
+       <para>It is also possible to remove individual algorithms from the default list,
+       by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+       </para>
+       <para>Note: that the removal of aes-128-cmac from the list will result
+       in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+       will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+       available algorithms for these dialects.
+       </para>
+</description>
+
+<value type="default">aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
index 6bfbe1077f64f6d3d874b0e82928059e07d26c00..59e749d9d46fe09f5f99b5e7e7145427a04ef542 100644 (file)
@@ -2980,6 +2980,13 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "winbind use krb5 enterprise principals",
                                  "yes");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "client smb3 signing algorithms",
+                                 DEFAULT_SMB3_SIGNING_ALGORITHMS);
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "server smb3 signing algorithms",
+                                 DEFAULT_SMB3_SIGNING_ALGORITHMS);
+
        lpcfg_do_global_parameter(lp_ctx,
                                  "client smb3 encryption algorithms",
                                  DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
index 0f2af4f4167c7ea294f229e902fb002a59f2e0fc..cae1a2c7de3dbe61dd7066146bc9303b4e1d7cc5 100644 (file)
@@ -285,6 +285,7 @@ enum samba_weak_crypto {
 #define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
 
+#define DEFAULT_SMB3_SIGNING_ALGORITHMS "aes-128-cmac hmac-sha-256"
 #define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
 
 #define LOADPARM_EXTRA_LOCALS                                          \
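Review bot: The new `DEFAULT_SMB3_SIGNING_ALGORITHMS` macro carries no comment, although the accompanying docs-xml files state that the order of the list is significant and repeat the same default in their `<value type="default">` element, so there are now three copies that must agree. A one-line comment above the define would make that explicit: `/* Order is significant (negotiation preference); keep in sync with docs-xml/smbdotconf/security/{client,server}smbsigningalgos.xml */`. The same remark applies to the existing `DEFAULT_SMB3_ENCRYPTION_ALGORITHMS` line below it, though that line is not part of this change.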
index 2e559177135e0268a5509523ff29ba42ff65cfd6..b003e54c038ad591886781db4f2df1498bfe8af5 100644 (file)
@@ -966,6 +966,11 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
        Globals.winbind_use_krb5_enterprise_principals = true;
 
+       Globals.client_smb3_signing_algorithms =
+               str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+       Globals.server_smb3_signing_algorithms =
+               str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+
        Globals.client_smb3_encryption_algorithms =
                str_list_make_v3_const(NULL, DEFAULT_SMB3_ENCRYPTION_ALGORITHMS, NULL);
        Globals.server_smb3_encryption_algorithms =
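Review bot: The result of `str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL)` is assigned to `Globals.client_smb3_signing_algorithms` and `Globals.server_smb3_signing_algorithms` without a NULL check, so an allocation failure leaves the default list NULL. This mirrors the pre-existing encryption-algorithm assignments directly below, so it is presumably the accepted convention in `init_globals`, but it means whatever later reads these globals must treat a NULL list as "use the compiled-in default" rather than as "no signing algorithm available"; I cannot confirm that from this hunk. `init_globals` starts and ends outside this hunk.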