smbd:smb2: only enable encryption in session if desired

Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index e7fc403c9be26bf8db48de63b9fe57cd61dcbaf4..bf40ab49157d9d93a8b9acc17b972d53ec306478 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,12 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
                x->global->signing_required = true;
        }
 
-       if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
+       if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
            (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
-               x->global->encryption_required = true;
+               x->encryption_desired = true;
        }
 
        if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+               x->encryption_desired = true;
                x->global->encryption_required = true;
        }
 
@@ -222,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
                }
        }
 
-       if (x->global->encryption_required) {
+       if (x->encryption_desired) {
                *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
        }