As SMB3 has transport level encryption, allow smbclient -e to force encryted SMB3...

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 1176bb8e8733156538a874a7896a0768e684c8ae..8cbf27a9fc13b4bca235ddd51b1fd33234ec01f5 100644 (file)
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4949,6 +4949,27 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
        return NT_STATUS_OK;
 }
 
+NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
+{
+       if (session->smb2->should_encrypt) {
+               return NT_STATUS_OK;
+       }
+
+       if (session->conn->protocol < PROTOCOL_SMB2_24) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
+       if (!(session->conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
+       if (session->smb2->signing_key.data == NULL) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+       session->smb2->should_encrypt = true;
+       return NT_STATUS_OK;
+}
+
 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
 {
        struct smbXcli_tcon *tcon;

diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index a7cfcc32607329c3ad7a7a5a437198ebff98a229..3d934272198da4ee904ae3887db2aa795a06612b 100644 (file)
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -294,6 +294,7 @@ NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
                                         const DATA_BLOB channel_key,
                                         const struct iovec *recv_iov);
+NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session);
 
 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx);
 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon);

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 1d92843f48fec3e6e5827324d126eacf47c403d9..57126e62338b46c78ae8febe77d6256f5d29c434 100644 (file)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -48,7 +48,23 @@ NTSTATUS cli_cm_force_encryption(struct cli_state *c,
                        const char *domain,
                        const char *sharename)
 {
-       NTSTATUS status = cli_force_encryption(c,
+       NTSTATUS status;
+
+       if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
+               status = smb2cli_session_encryption_on(c->smb2.session);
+               if (NT_STATUS_EQUAL(status,NT_STATUS_NOT_SUPPORTED)) {
+                       d_printf("Encryption required and "
+                               "server doesn't support "
+                               "SMB3 encryption - failing connect\n");
+               } else if (!NT_STATUS_IS_OK(status)) {
+                       d_printf("Encryption required and "
+                               "setup failed with error %s.\n",
+                               nt_errstr(status));
+               }
+               return status;
+       }
+
+       status = cli_force_encryption(c,
                                        username,
                                        password,
                                        domain);