diff mbox series

[v1,1/2] cifs: set server->cipher_type to AES-128-CCM for SMB3.0

Message ID 20210521151928.17730-2-aaptel@suse.com (mailing list archive)
State New, archived
Headers show
Series Change CIFS_FULL_KEY_DUMP ioctl to return variable size keys | expand

Commit Message

Aurélien Aptel May 21, 2021, 3:19 p.m. UTC
From: Aurelien Aptel <aaptel@suse.com>

SMB3.0 doesn't have encryption negotiate context but simply uses
the SMB2_GLOBAL_CAP_ENCRYPTION flag.

When that flag is present in the neg response cifs.ko uses AES-128-CCM
which is the only cipher available in this context.

cipher_type was set to the server cipher only when parsing encryption
negotiate context (SMB3.1.1).

For SMB3.0 it was set to 0. This means cipher_type value can be 0 or 1
for AES-128-CCM.

Fix this by checking for SMB3.0 and encryption capability and setting
cipher_type appropriately.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/smb2pdu.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Steve French May 21, 2021, 6:39 p.m. UTC | #1
stable? How useful is it to know for debugging?

On Fri, May 21, 2021 at 10:19 AM Aurélien Aptel <aaptel@suse.com> wrote:
>
> From: Aurelien Aptel <aaptel@suse.com>
>
> SMB3.0 doesn't have encryption negotiate context but simply uses
> the SMB2_GLOBAL_CAP_ENCRYPTION flag.
>
> When that flag is present in the neg response cifs.ko uses AES-128-CCM
> which is the only cipher available in this context.
>
> cipher_type was set to the server cipher only when parsing encryption
> negotiate context (SMB3.1.1).
>
> For SMB3.0 it was set to 0. This means cipher_type value can be 0 or 1
> for AES-128-CCM.
>
> Fix this by checking for SMB3.0 and encryption capability and setting
> cipher_type appropriately.
>
> Signed-off-by: Aurelien Aptel <aaptel@suse.com>
> ---
>  fs/cifs/smb2pdu.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 9f24eb88297a..c205f93e0a10 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -958,6 +958,13 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
>         /* Internal types */
>         server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES;
>
> +       /*
> +        * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
> +        * Set the cipher type manually.
> +        */
> +       if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
> +               server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
> +
>         security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
>                                                (struct smb2_sync_hdr *)rsp);
>         /*
> --
> 2.31.1
>
Steve French May 27, 2021, 8:23 p.m. UTC | #2
Added cc:stable

On Fri, May 21, 2021 at 10:19 AM Aurélien Aptel <aaptel@suse.com> wrote:
>
> From: Aurelien Aptel <aaptel@suse.com>
>
> SMB3.0 doesn't have encryption negotiate context but simply uses
> the SMB2_GLOBAL_CAP_ENCRYPTION flag.
>
> When that flag is present in the neg response cifs.ko uses AES-128-CCM
> which is the only cipher available in this context.
>
> cipher_type was set to the server cipher only when parsing encryption
> negotiate context (SMB3.1.1).
>
> For SMB3.0 it was set to 0. This means cipher_type value can be 0 or 1
> for AES-128-CCM.
>
> Fix this by checking for SMB3.0 and encryption capability and setting
> cipher_type appropriately.
>
> Signed-off-by: Aurelien Aptel <aaptel@suse.com>
> ---
>  fs/cifs/smb2pdu.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 9f24eb88297a..c205f93e0a10 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -958,6 +958,13 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
>         /* Internal types */
>         server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES;
>
> +       /*
> +        * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
> +        * Set the cipher type manually.
> +        */
> +       if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
> +               server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
> +
>         security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
>                                                (struct smb2_sync_hdr *)rsp);
>         /*
> --
> 2.31.1
>
Aurélien Aptel May 28, 2021, 8:37 a.m. UTC | #3
Steve French <smfrench@gmail.com> writes:
> stable? How useful is it to know for debugging?

I would say it's more correct and avoids checking for 2 values when
checking for 128-CCM. Not much difference in debugging.

Cheers,
diff mbox series

Patch

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 9f24eb88297a..c205f93e0a10 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -958,6 +958,13 @@  SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
 	/* Internal types */
 	server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES;
 
+	/*
+	 * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
+	 * Set the cipher type manually.
+	 */
+	if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
+		server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
+
 	security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
 					       (struct smb2_sync_hdr *)rsp);
 	/*