Introduce setting "desired" for 'smb encrypt' and 'client/server sign…

…ing'

This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>

lib/param/loadparm.c

@@ -3207,6 +3207,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
 	case SMB_SIGNING_REQUIRED:
 		*mandatory = true;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		break;
 	case SMB_SIGNING_DEFAULT:

lib/param/param_table.c

@@ -115,6 +115,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
 	{SMB_SIGNING_IF_REQUIRED, "On"},
 	{SMB_SIGNING_IF_REQUIRED, "enabled"},
 	{SMB_SIGNING_IF_REQUIRED, "auto"},
+	{SMB_SIGNING_DESIRED, "desired"},
 	{SMB_SIGNING_REQUIRED, "required"},
 	{SMB_SIGNING_REQUIRED, "mandatory"},
 	{SMB_SIGNING_REQUIRED, "force"},

libcli/smb/smbXcli_base.c

@@ -376,6 +376,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
 		conn->desire_signing = false;
 		conn->mandatory_signing = false;
 		break;
+	case SMB_SIGNING_DESIRED:
+		/* if the server desires it */
+		conn->allow_signing = true;
+		conn->desire_signing = true;
+		conn->mandatory_signing = false;
+		break;
 	case SMB_SIGNING_REQUIRED:
 		/* always */
 		conn->allow_signing = true;

libcli/smb/smb_constants.h

@@ -98,6 +98,7 @@ enum smb_signing_setting {
 	SMB_SIGNING_DEFAULT = -1,
 	SMB_SIGNING_OFF = 0,
 	SMB_SIGNING_IF_REQUIRED = 1,
+	SMB_SIGNING_DESIRED = 2,
 	SMB_SIGNING_REQUIRED = 3,
 };
 

source4/smb_server/smb2/negprot.c

@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 	case SMB_SIGNING_OFF:
 		io->out.security_mode = 0;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 		break;