From: Stefan Metzmacher Date: Wed, 14 Jul 2021 10:13:49 +0000 (+0200) Subject: s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0* X-Git-Tag: samba-4.15.0rc1~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b123bc97aaef40277408a301a485fda5c922b34;p=thirdparty%2Fsamba.git s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0* SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless 'client smb3 encryption algorithms' allows them. Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison --- diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 98a06274c10..1dd411f398a 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -535,6 +535,17 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM; } + status = smb311_capabilities_check(&default_smb3_capabilities, + "smb2srv_negprot", + DBGLVL_NOTICE, + NT_STATUS_INVALID_PARAMETER, + "server", + protocol, + xconn->smb2.server.cipher); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); + } + if (protocol >= PROTOCOL_SMB3_00 && xconn->client->server_multi_channel_enabled) {