libsmb: Avoid smb-level encryption if quic is trusted

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug 22 14:55:47 UTC 2025 on atb-devel-224

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c00f143343f4203745feed3613c9d081f62f2fa9..2389cf7c08b3ecf64751a50c4eb3c90ea215d418 100644 (file)
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -149,6 +149,7 @@ struct smbXcli_conn {
                        uint16_t security_mode;
                        struct GUID guid;
                        struct smb311_capabilities smb3_capabilities;
+                       bool requested_transport_level_security;
                } client;
 
                struct {
@@ -3577,6 +3578,14 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
                }
        }
 
+       if (conn->smb2.server.transport_trusted) {
+               /*
+                * We as a client agreed with the server that quic
+                * encryption is enough
+                */
+               state->smb2.should_encrypt = false;
+       }
+
        if (state->smb2.should_encrypt) {
                state->smb2.should_sign = false;
        }
@@ -5459,7 +5468,10 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
 
                verify_peer = conn->transport->verify_peer;
 
-               if (tstream_tls_verify_peer_trusted(verify_peer)) {
+               if (tstream_tls_verify_peer_trusted(verify_peer) &&
+                   !conn->smb2.client.smb3_capabilities
+                            .smb_encryption_over_quic)
+               {
                        uint8_t cap_buf[sizeof(uint32_t)];
 
                        PUSH_LE_U32(cap_buf,
@@ -5475,6 +5487,8 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
                        if (!NT_STATUS_IS_OK(status)) {
                                return NULL;
                        }
+                       conn->smb2.client
+                               .requested_transport_level_security = true;
                }
 
                ok = convert_string_talloc(state,
@@ -5956,8 +5970,10 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
                conn->smb2.server.cipher = cipher_selected;
        }
 
-       transport_caps = smb2_negotiate_context_find(
-               state->out_ctx, SMB2_TRANSPORT_CAPABILITIES);
+       if (conn->smb2.client.requested_transport_level_security) {
+               transport_caps = smb2_negotiate_context_find(
+                       state->out_ctx, SMB2_TRANSPORT_CAPABILITIES);
+       }
        if (transport_caps != NULL) {
                uint32_t caps;