smbd:smb2: only enable encryption in session if desired

Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)

1 files changed, 4 insertions, 3 deletions

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index e7fc403c9be..bf40ab49157 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,12 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_required = true;
 	}
 
-	if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
 	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
-		x->global->encryption_required = true;
+		x->encryption_desired = true;
 	}
 
 	if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+		x->encryption_desired = true;
 		x->global->encryption_required = true;
 	}
 
@@ -222,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		}
 	}
 
-	if (x->global->encryption_required) {
+	if (x->encryption_desired) {
 		*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
 	}