Commit 63ca5656 authored by Steve French's avatar Steve French

smb3.1.1: set gcm256 when requested

update smb encryption code to set 32 byte key length and to
set gcm256 when requested on mount.
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent fd08f2db
...@@ -58,6 +58,7 @@ ...@@ -58,6 +58,7 @@
#define SMB2_HMACSHA256_SIZE (32) #define SMB2_HMACSHA256_SIZE (32)
#define SMB2_CMACAES_SIZE (16) #define SMB2_CMACAES_SIZE (16)
#define SMB3_SIGNKEY_SIZE (16) #define SMB3_SIGNKEY_SIZE (16)
#define SMB3_GCM256_CRYPTKEY_SIZE (32)
/* Maximum buffer size value we can send with 1 credit */ /* Maximum buffer size value we can send with 1 credit */
#define SMB2_MAX_BUFFER_SIZE 65536 #define SMB2_MAX_BUFFER_SIZE 65536
......
...@@ -3820,7 +3820,8 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len, ...@@ -3820,7 +3820,8 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len,
tr_hdr->ProtocolId = SMB2_TRANSFORM_PROTO_NUM; tr_hdr->ProtocolId = SMB2_TRANSFORM_PROTO_NUM;
tr_hdr->OriginalMessageSize = cpu_to_le32(orig_len); tr_hdr->OriginalMessageSize = cpu_to_le32(orig_len);
tr_hdr->Flags = cpu_to_le16(0x01); tr_hdr->Flags = cpu_to_le16(0x01);
if (cipher_type == SMB2_ENCRYPTION_AES128_GCM) if ((cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
(cipher_type == SMB2_ENCRYPTION_AES256_GCM))
get_random_bytes(&tr_hdr->Nonce, SMB3_AES_GCM_NONCE); get_random_bytes(&tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
else else
get_random_bytes(&tr_hdr->Nonce, SMB3_AES_CCM_NONCE); get_random_bytes(&tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
...@@ -3954,7 +3955,12 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, ...@@ -3954,7 +3955,12 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
tfm = enc ? server->secmech.ccmaesencrypt : tfm = enc ? server->secmech.ccmaesencrypt :
server->secmech.ccmaesdecrypt; server->secmech.ccmaesdecrypt;
if (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);
else
rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE); rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE);
if (rc) { if (rc) {
cifs_server_dbg(VFS, "%s: Failed to set aead key %d\n", __func__, rc); cifs_server_dbg(VFS, "%s: Failed to set aead key %d\n", __func__, rc);
return rc; return rc;
...@@ -3992,7 +3998,8 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, ...@@ -3992,7 +3998,8 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
goto free_sg; goto free_sg;
} }
if (server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE); memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
else { else {
iv[0] = 3; iv[0] = 3;
......
...@@ -352,6 +352,7 @@ struct smb2_preauth_neg_context { ...@@ -352,6 +352,7 @@ struct smb2_preauth_neg_context {
/* Encryption Algorithms Ciphers */ /* Encryption Algorithms Ciphers */
#define SMB2_ENCRYPTION_AES128_CCM cpu_to_le16(0x0001) #define SMB2_ENCRYPTION_AES128_CCM cpu_to_le16(0x0001)
#define SMB2_ENCRYPTION_AES128_GCM cpu_to_le16(0x0002) #define SMB2_ENCRYPTION_AES128_GCM cpu_to_le16(0x0002)
/* we currently do not request AES256_CCM since presumably GCM faster */
#define SMB2_ENCRYPTION_AES256_CCM cpu_to_le16(0x0003) #define SMB2_ENCRYPTION_AES256_CCM cpu_to_le16(0x0003)
#define SMB2_ENCRYPTION_AES256_GCM cpu_to_le16(0x0004) #define SMB2_ENCRYPTION_AES256_GCM cpu_to_le16(0x0004)
......
...@@ -849,12 +849,13 @@ smb3_crypto_aead_allocate(struct TCP_Server_Info *server) ...@@ -849,12 +849,13 @@ smb3_crypto_aead_allocate(struct TCP_Server_Info *server)
struct crypto_aead *tfm; struct crypto_aead *tfm;
if (!server->secmech.ccmaesencrypt) { if (!server->secmech.ccmaesencrypt) {
if (server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
tfm = crypto_alloc_aead("gcm(aes)", 0, 0); tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
else else
tfm = crypto_alloc_aead("ccm(aes)", 0, 0); tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
if (IS_ERR(tfm)) { if (IS_ERR(tfm)) {
cifs_server_dbg(VFS, "%s: Failed to alloc encrypt aead\n", cifs_server_dbg(VFS, "%s: Failed alloc encrypt aead\n",
__func__); __func__);
return PTR_ERR(tfm); return PTR_ERR(tfm);
} }
...@@ -862,7 +863,8 @@ smb3_crypto_aead_allocate(struct TCP_Server_Info *server) ...@@ -862,7 +863,8 @@ smb3_crypto_aead_allocate(struct TCP_Server_Info *server)
} }
if (!server->secmech.ccmaesdecrypt) { if (!server->secmech.ccmaesdecrypt) {
if (server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
tfm = crypto_alloc_aead("gcm(aes)", 0, 0); tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
else else
tfm = crypto_alloc_aead("ccm(aes)", 0, 0); tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment