From 7accd9003521f38b03d1073890761f7d8dc8d675 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 20 Aug 2020 16:44:32 +0200
Subject: auth:creds: Use 'client protection' option for smb sign and encrypt defaults
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---
 auth/credentials/credentials.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+) (limited to 'auth')
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3975fba693f..f7c7a47bd4e 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -947,6 +947,8 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 {
 const char *sep = NULL;
 const char *realm = lpcfg_realm(lp_ctx);
+ enum credentials_client_protection protection =
+ lpcfg_client_protection(lp_ctx);
 cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
 if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
@@ -976,6 +978,20 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 if (cred->signing_state_obtained <= CRED_SMB_CONF) {
 /* Will be set to default for invalid smb.conf values */
 cred->signing_state = lpcfg_client_signing(lp_ctx);
+ if (cred->signing_state == SMB_SIGNING_DEFAULT) {
+ switch (protection) {
+ case CRED_CLIENT_PROTECTION_DEFAULT:
+ break;
+ case CRED_CLIENT_PROTECTION_PLAIN:
+ cred->signing_state = SMB_SIGNING_OFF;
+ break;
+ case CRED_CLIENT_PROTECTION_SIGN:
+ case CRED_CLIENT_PROTECTION_ENCRYPT:
+ cred->signing_state = SMB_SIGNING_REQUIRED;
+ break;
+ }
+ }
+
 cred->signing_state_obtained = CRED_SMB_CONF;
 }
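Review bot: The switch added in the signing block (`@@ -976`) runs only when `cred->signing_state == SMB_SIGNING_DEFAULT`, so an explicit `client signing` setting silently wins over `client protection`, and the comment above it does not say so; the encryption block in the `@@ -988` hunk has the same gap. As far as these lines show, `client protection = sign` combined with an explicit signing-off value leaves the connection unsigned with no diagnostic, which an administrator relying on the new option may not expect. I would state the precedence next to the code, e.g. `/* 'client protection' only fills in the default; an explicit 'client signing' value takes precedence */`. Separately, `CRED_CLIENT_PROTECTION_PLAIN` lowers signing from the negotiated default to `SMB_SIGNING_OFF`, which is worth calling out in the same comment. cli_credentials_set_conf starts and ends outside the hunk.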
@@ -988,6 +1004,20 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 if (cred->encryption_state_obtained <= CRED_SMB_CONF) {
 /* Will be set to default for invalid smb.conf values */
 cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
+ if (cred->encryption_state == SMB_ENCRYPTION_DEFAULT) {
+ switch (protection) {
+ case CRED_CLIENT_PROTECTION_DEFAULT:
+ break;
+ case CRED_CLIENT_PROTECTION_PLAIN:
+ case CRED_CLIENT_PROTECTION_SIGN:
+ cred->encryption_state = SMB_ENCRYPTION_OFF;
+ break;
+ case CRED_CLIENT_PROTECTION_ENCRYPT:
+ cred->encryption_state = SMB_ENCRYPTION_REQUIRED;
+ break;
+ }
+ }
+
 cred->encryption_state_obtained = CRED_SMB_CONF;
 }
-- cgit v1.2.1
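Review bot: `CRED_CLIENT_PROTECTION_SIGN` shares the `SMB_ENCRYPTION_OFF` arm with `PLAIN` instead of falling through to `break` like `CRED_CLIENT_PROTECTION_DEFAULT`, so asking for signing appears to turn encryption off outright rather than leaving it at the negotiated default. If sign-only is the intent, a short comment such as `/* sign-only: encryption is deliberately not negotiated */` would stop a later reader from treating it as a mistake; if it is not, the `SIGN` case belongs with `DEFAULT`. The switch has no `default:` label, which presumably relies on the compiler's enum-coverage warning to catch new enumerators; the comment could say that too. The enclosing function continues outside the hunk.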