From: Volker Lendecke Date: Fri, 8 Aug 2025 10:06:13 +0000 (+0200) Subject: smbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e0dbd23452df0c4bd9b20462f3146723cd122b6;p=thirdparty%2Fsamba.git smbd: Reply with SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY if we trust quic Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme --- diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index f4d53b83381..2017310ec3a 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -346,6 +346,7 @@ struct smbXsrv_connection { int sock; struct tevent_fd *fde; enum smb_transport_type type; + bool trusted_quic; struct { bool got_session; diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 293a7446710..7adf3ec1379 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -217,6 +217,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) struct smb2_negotiate_context *in_preauth = NULL; struct smb2_negotiate_context *in_cipher = NULL; struct smb2_negotiate_context *in_sign_algo = NULL; + struct smb2_negotiate_context *in_transport_caps = NULL; struct smb2_negotiate_contexts out_c = { .num_contexts = 0, }; const struct smb311_capabilities default_smb3_capabilities = smb311_capabilities_parse("server", @@ -379,6 +380,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) SMB2_ENCRYPTION_CAPABILITIES); in_sign_algo = smb2_negotiate_context_find(&in_c, SMB2_SIGNING_CAPABILITIES); + in_transport_caps = smb2_negotiate_context_find(&in_c, + SMB2_TRANSPORT_CAPABILITIES); /* negprot_spnego() returns the server guid in the first 16 bytes */ negprot_spnego_blob = negprot_spnego(req, xconn); @@ -687,6 +690,40 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) } } + if (in_transport_caps != NULL) { + uint32_t caps_flags; + + if (in_transport_caps->data.length != 4) { + return smbd_smb2_request_error( + req, NT_STATUS_INVALID_PARAMETER); + } + + caps_flags = PULL_LE_U32(in_transport_caps->data.data, 0); + + if ((xconn->transport.type == SMB_TRANSPORT_TYPE_QUIC) && + (caps_flags & SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY) && + !lp_server_smb_encryption_over_quic()) + { + uint8_t buf[4]; + + PUSH_LE_U32(buf, + 0, + SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY); + + status = smb2_negotiate_context_add( + req, + &out_c, + SMB2_TRANSPORT_CAPABILITIES, + buf, + sizeof(buf)); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); + } + + xconn->transport.trusted_quic = true; + } + } + status = smb311_capabilities_check(&default_smb3_capabilities, "smb2srv_negprot", DBGLVL_NOTICE,