Commit fbfd0b46 authored by Steve French's avatar Steve French

smb3.1.1: add new module load parm require_gcm_256

Add new module load parameter require_gcm_256. If set, then only
request AES-256-GCM (strongest encryption type).
Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 330857a5
...@@ -71,6 +71,7 @@ bool enable_oplocks = true; ...@@ -71,6 +71,7 @@ bool enable_oplocks = true;
bool linuxExtEnabled = true; bool linuxExtEnabled = true;
bool lookupCacheEnabled = true; bool lookupCacheEnabled = true;
bool disable_legacy_dialects; /* false by default */ bool disable_legacy_dialects; /* false by default */
bool require_gcm_256; /* false by default */
unsigned int global_secflags = CIFSSEC_DEF; unsigned int global_secflags = CIFSSEC_DEF;
/* unsigned int ntlmv2_support = 0; */ /* unsigned int ntlmv2_support = 0; */
unsigned int sign_CIFS_PDUs = 1; unsigned int sign_CIFS_PDUs = 1;
...@@ -104,6 +105,9 @@ MODULE_PARM_DESC(slow_rsp_threshold, "Amount of time (in seconds) to wait " ...@@ -104,6 +105,9 @@ MODULE_PARM_DESC(slow_rsp_threshold, "Amount of time (in seconds) to wait "
module_param(enable_oplocks, bool, 0644); module_param(enable_oplocks, bool, 0644);
MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
module_param(require_gcm_256, bool, 0644);
MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
module_param(disable_legacy_dialects, bool, 0644); module_param(disable_legacy_dialects, bool, 0644);
MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be " MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be "
"helpful to restrict the ability to " "helpful to restrict the ability to "
......
...@@ -1956,6 +1956,7 @@ extern bool lookupCacheEnabled; ...@@ -1956,6 +1956,7 @@ extern bool lookupCacheEnabled;
extern unsigned int global_secflags; /* if on, session setup sent extern unsigned int global_secflags; /* if on, session setup sent
with more secure ntlmssp2 challenge/resp */ with more secure ntlmssp2 challenge/resp */
extern unsigned int sign_CIFS_PDUs; /* enable smb packet signing */ extern unsigned int sign_CIFS_PDUs; /* enable smb packet signing */
extern bool require_gcm_256; /* require use of strongest signing (aes-gcm-256) */
extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/ extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/
extern unsigned int CIFSMaxBufSize; /* max size not including hdr */ extern unsigned int CIFSMaxBufSize; /* max size not including hdr */
extern unsigned int cifs_min_rcv; /* min size of big ntwrk buf pool */ extern unsigned int cifs_min_rcv; /* min size of big ntwrk buf pool */
......
...@@ -449,10 +449,16 @@ static void ...@@ -449,10 +449,16 @@ static void
build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt) build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)
{ {
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES; pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + two ciphers */ if (require_gcm_256) {
pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + 1 cipher */
pneg_ctxt->CipherCount = cpu_to_le16(1);
pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES256_GCM;
} else {
pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + 2 ciphers */
pneg_ctxt->CipherCount = cpu_to_le16(2); pneg_ctxt->CipherCount = cpu_to_le16(2);
pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM; pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM; pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
}
} }
static unsigned int static unsigned int
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment