s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
author Stefan Metzmacher <metze@samba.org>
Wed, 14 Jul 2021 10:13:49 +0000 (12:13 +0200)
committer Stefan Metzmacher <metze@samba.org>
Thu, 15 Jul 2021 00:06:31 +0000 (00:06 +0000)
SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless
'client smb3 encryption algorithms' allows them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/smbd/smb2_negprot.c

index 98a06274c103631d613b7021994404f14cac4bee..1dd411f398afc804078282d50039da4f1a9c7bf9 100644 (file)
@@ -535,6 +535,17 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
                xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
        }
 
+       status = smb311_capabilities_check(&default_smb3_capabilities,
+                                          "smb2srv_negprot",
+                                          DBGLVL_NOTICE,
+                                          NT_STATUS_INVALID_PARAMETER,
+                                          "server",
+                                          protocol,
+                                          xconn->smb2.server.cipher);
+       if (!NT_STATUS_IS_OK(status)) {
+               return smbd_smb2_request_error(req, status);
+       }
+
        if (protocol >= PROTOCOL_SMB3_00 &&
            xconn->client->server_multi_channel_enabled)
        {
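
Review bot: the smb311_capabilities_check() call added after the SMB2_ENCRYPTION_AES128_CCM assignment is not guarded by a protocol test, so it runs for every negotiated dialect, while the subject line scopes the change to SMB3_0*. The visible lines do not show what xconn->smb2.server.cipher holds when no cipher was selected, so either guard the call the way the multi-channel block below does with `protocol >= PROTOCOL_SMB3_00`, or add a one-line comment saying how the check treats an unset cipher on older dialects. A brief comment on why the failure maps to NT_STATUS_INVALID_PARAMETER and is logged at DBGLVL_NOTICE would also help whoever later has to triage a rejected negotiate. Separately, the commit message body names 'client smb3 encryption algorithms' while the subject and the "server" argument passed here refer to the server option; the two should agree.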