From: Stefan Metzmacher
Date: Tue, 13 Jul 2021 19:26:19 +0000 (+0200)
Subject: docs-xml: add "client/server smb3 signing algorithms" options
X-Git-Tag: samba-4.15.0rc1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be71039be4edf90f28704026aa3d16da0848231c;p=thirdparty%2Fsamba.git

docs-xml: add "client/server smb3 signing algorithms" options

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
new file mode 100644
index 00000000000..0e0f64ea657
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
@@ -0,0 +1,22 @@
+
+ This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+
+ It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+
+ Note: that the removal of aes-128-cmac from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+
+
+
+aes-128-cmac, hmac-sha-256
+aes-128-cmac
+-aes-128-cmac
+
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
new file mode 100644
index 00000000000..dadfd8a5594
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
@@ -0,0 +1,22 @@
+
+ This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+
+ It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+
+ Note: that the removal of aes-128-cmac from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+
+
+
+aes-128-cmac, hmac-sha-256
+aes-128-cmac
+-aes-128-cmac
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6bfbe1077f6..59e749d9d46 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2980,6 +2980,13 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "winbind use krb5 enterprise principals", "yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "client smb3 signing algorithms",
+ DEFAULT_SMB3_SIGNING_ALGORITHMS);
+ lpcfg_do_global_parameter(lp_ctx,
+ "server smb3 signing algorithms",
+ DEFAULT_SMB3_SIGNING_ALGORITHMS);
+
 lpcfg_do_global_parameter(lp_ctx,
 "client smb3 encryption algorithms",
 DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 0f2af4f4167..cae1a2c7de3 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -285,6 +285,7 @@ enum samba_weak_crypto {
 #define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
+#define DEFAULT_SMB3_SIGNING_ALGORITHMS "aes-128-cmac hmac-sha-256"
 #define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
 #define LOADPARM_EXTRA_LOCALS \
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 2e559177135..b003e54c038 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
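Review bot: `DEFAULT_SMB3_SIGNING_ALGORITHMS` in the lib/param/loadparm.h hunk is introduced without a comment, although the docs-xml hunks in this same commit attach non-obvious semantics to it: the list order is the negotiation preference for SMB3_11, and dropping an entry also disables whole dialects (no hmac-sha-256 leaves SMB2_02/SMB2_10 unavailable, no aes-128-cmac leaves SMB3_00/SMB3_02 unavailable). A maintainer editing the default in the header will not see that from the define alone, and the encryption default directly below it is equally undocumented. Suggest a comment above the new define: `/* Preference order for SMB3_11 signing negotiation. hmac-sha-256 is the only algorithm for SMB2_02/SMB2_10 and aes-128-cmac the only one for SMB3_00/SMB3_02, so removing either disables those dialects (see docs-xml/smbdotconf/security/*smbsigningalgos.xml). */`. The documented default is written comma-separated ("aes-128-cmac, hmac-sha-256") while the define is space-separated; presumably the list parser accepts both separators, but that is not visible here and is worth confirming so the two stay in agreement.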
@@ -966,6 +966,11 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.winbind_use_krb5_enterprise_principals = true;
+ Globals.client_smb3_signing_algorithms =
+ str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+ Globals.server_smb3_signing_algorithms =
+ str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+
 Globals.client_smb3_encryption_algorithms =
 str_list_make_v3_const(NULL, DEFAULT_SMB3_ENCRYPTION_ALGORITHMS, NULL);
 Globals.server_smb3_encryption_algorithms =