Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.0/patches/2197964/?format=api
{ "id": 2197964, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2197964/?format=api", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.0/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260218213501.136844-9-ebiggers@kernel.org>", "date": "2026-02-18T21:34:54", "name": "[08/15] smb: client: Use AES-CMAC library for SMB3 signature calculation", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "d1fe327d1aa3516d07598317e1187b4a8b8764f4", "submitter": { "id": 74690, "url": "http://patchwork.ozlabs.org/api/1.0/people/74690/?format=api", "name": "Eric Biggers", "email": "ebiggers@kernel.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260218213501.136844-9-ebiggers@kernel.org/mbox/", "series": [ { "id": 492621, "url": "http://patchwork.ozlabs.org/api/1.0/series/492621/?format=api", "date": "2026-02-18T21:34:46", "name": "AES-CMAC library", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492621/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2197964/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-9449-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=Su8jtnhs;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-9449-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"Su8jtnhs\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fGVLQ0G4Jz1xvg\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 19 Feb 2026 08:40:46 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 296EE308BCE9\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 18 Feb 2026 21:37:12 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0EB6C337102;\n\tWed, 18 Feb 2026 21:36:55 +0000 (UTC)", "from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D99C13370F3;\n\tWed, 18 Feb 2026 21:36:54 +0000 (UTC)", "by smtp.kernel.org (Postfix) with ESMTPSA id 34D2CC2BCB2;\n\tWed, 18 Feb 2026 21:36:54 +0000 (UTC)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1771450614; cv=none;\n b=AqHclAmbAOGasS300cPp6WOfHldXAaieVPIJhiyy/XZMPutzI+cbzbWNr8inPBI38Odi96jsyoP4DNZijehOkP+lzYFyrbs8o0Tnv0EtRrla/azctTNBoPen9FUZ2UTxLceZ7vNx1weyFqlz9Fqo96EoT3NAWLkF/2jwGRjX7aI=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1771450614; c=relaxed/simple;\n\tbh=RfXKwO9L3mlz5kqOurMbNRJCV4vYWaJHp6x9x+hkRPc=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=T0UHcHA61SGJE2C5eVFWkFMYdJDF387/UaaSS1jP09yiWbR5fag1UtF3CO5RKTmre37sjM5ycjyI9UVabGbJOTCuZQTFZOlzNp/D/Zc3sQ0qzagthLDpaF1zVIWwdx8qgEYf1PO7HJTDL2g3QH6TUAcNr3355FaTqrwF2PKUjU4=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=Su8jtnhs; arc=none smtp.client-ip=10.30.226.201", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1771450614;\n\tbh=RfXKwO9L3mlz5kqOurMbNRJCV4vYWaJHp6x9x+hkRPc=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=Su8jtnhsciBt1sckGun8RAAdjFMXTLnvoRdF+ZZ7Tf+YPetiXSfdMtWA+QCrq/xuZ\n\t LC+tZUeX5QgxkAU1DH9WFTtxMlERcAAtnUJwHX8FpeXH9lx/jmbjWTbjl3ooJ98GFd\n\t NkvmtcEfxgccMdgMGT4QwVMtCQvvxh3sHqP41VWdfhD6g+QpIzYSyGbKRvfPuX+AFs\n\t i+ny6LvBf9MroUEPF8hCY5B1qpRdzypyCee0GTJ2phCjowvtvZaBl/Ox1dd991a22j\n\t YabktEmIWGaQVTKjgRCGGUqVbTdhWXQ1IPRxinbAfHwrnFlg4FVLKiLYhgy3wSlbID\n\t oeGNcXA04Nsww==", "From": "Eric Biggers <ebiggers@kernel.org>", "To": "linux-crypto@vger.kernel.org", "Cc": "linux-kernel@vger.kernel.org,\n\tArd Biesheuvel <ardb@kernel.org>,\n\t\"Jason A . Donenfeld\" <Jason@zx2c4.com>,\n\tHerbert Xu <herbert@gondor.apana.org.au>,\n\tlinux-arm-kernel@lists.infradead.org,\n\tlinux-cifs@vger.kernel.org,\n\tlinux-wireless@vger.kernel.org,\n\tEric Biggers <ebiggers@kernel.org>", "Subject": "[PATCH 08/15] smb: client: Use AES-CMAC library for SMB3 signature\n calculation", "Date": "Wed, 18 Feb 2026 13:34:54 -0800", "Message-ID": "<20260218213501.136844-9-ebiggers@kernel.org>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260218213501.136844-1-ebiggers@kernel.org>", "References": "<20260218213501.136844-1-ebiggers@kernel.org>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Convert smb3_calc_signature() to use the AES-CMAC library instead of a\n\"cmac(aes)\" crypto_shash.\n\nThe result is simpler and faster code. With the library there's no need\nto allocate memory, no need to handle errors except for key preparation,\nand the AES-CMAC code is accessed directly without inefficient indirect\ncalls and other unnecessary API overhead.\n\nFor now a \"cmac(aes)\" crypto_shash is still being allocated in\n'struct cifs_secmech'. Later commits will remove that, simplifying the\ncode even further.\n\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\n---\n fs/smb/client/Kconfig | 1 +\n fs/smb/client/cifsencrypt.c | 60 ++++++++++++-----------------------\n fs/smb/client/cifsglob.h | 2 +-\n fs/smb/client/smb2transport.c | 41 +++++-------------------\n 4 files changed, 30 insertions(+), 74 deletions(-)", "diff": "diff --git a/fs/smb/client/Kconfig b/fs/smb/client/Kconfig\nindex 17bd368574e9..64afd302202f 100644\n--- a/fs/smb/client/Kconfig\n+++ b/fs/smb/client/Kconfig\n@@ -9,10 +9,11 @@ config CIFS\n \tselect CRYPTO_AEAD2\n \tselect CRYPTO_CCM\n \tselect CRYPTO_GCM\n \tselect CRYPTO_ECB\n \tselect CRYPTO_AES\n+\tselect CRYPTO_LIB_AES_CBC_MACS\n \tselect CRYPTO_LIB_ARC4\n \tselect CRYPTO_LIB_MD5\n \tselect CRYPTO_LIB_SHA256\n \tselect CRYPTO_LIB_SHA512\n \tselect KEYS\ndiff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c\nindex 50b7ec39053c..f39894113821 100644\n--- a/fs/smb/client/cifsencrypt.c\n+++ b/fs/smb/client/cifsencrypt.c\n@@ -20,66 +20,49 @@\n #include <linux/random.h>\n #include <linux/highmem.h>\n #include <linux/fips.h>\n #include <linux/iov_iter.h>\n #include <crypto/aead.h>\n+#include <crypto/aes-cbc-macs.h>\n #include <crypto/arc4.h>\n #include <crypto/md5.h>\n #include <crypto/sha2.h>\n \n-static int cifs_sig_update(struct cifs_calc_sig_ctx *ctx,\n-\t\t\t const u8 *data, size_t len)\n+static size_t cifs_sig_step(void *iter_base, size_t progress, size_t len,\n+\t\t\t void *priv, void *priv2)\n {\n-\tif (ctx->md5) {\n-\t\tmd5_update(ctx->md5, data, len);\n-\t\treturn 0;\n-\t}\n-\tif (ctx->hmac) {\n-\t\thmac_sha256_update(ctx->hmac, data, len);\n-\t\treturn 0;\n-\t}\n-\treturn crypto_shash_update(ctx->shash, data, len);\n+\tstruct cifs_calc_sig_ctx *ctx = priv;\n+\n+\tif (ctx->md5)\n+\t\tmd5_update(ctx->md5, iter_base, len);\n+\telse if (ctx->hmac)\n+\t\thmac_sha256_update(ctx->hmac, iter_base, len);\n+\telse\n+\t\taes_cmac_update(ctx->cmac, iter_base, len);\n+\treturn 0; /* Return value is length *not* processed, i.e. 0. */\n }\n \n-static int cifs_sig_final(struct cifs_calc_sig_ctx *ctx, u8 *out)\n+static void cifs_sig_final(struct cifs_calc_sig_ctx *ctx, u8 *out)\n {\n-\tif (ctx->md5) {\n+\tif (ctx->md5)\n \t\tmd5_final(ctx->md5, out);\n-\t\treturn 0;\n-\t}\n-\tif (ctx->hmac) {\n+\telse if (ctx->hmac)\n \t\thmac_sha256_final(ctx->hmac, out);\n-\t\treturn 0;\n-\t}\n-\treturn crypto_shash_final(ctx->shash, out);\n-}\n-\n-static size_t cifs_sig_step(void *iter_base, size_t progress, size_t len,\n-\t\t\t void *priv, void *priv2)\n-{\n-\tstruct cifs_calc_sig_ctx *ctx = priv;\n-\tint ret, *pret = priv2;\n-\n-\tret = cifs_sig_update(ctx, iter_base, len);\n-\tif (ret < 0) {\n-\t\t*pret = ret;\n-\t\treturn len;\n-\t}\n-\treturn 0;\n+\telse\n+\t\taes_cmac_final(ctx->cmac, out);\n }\n \n /*\n * Pass the data from an iterator into a hash.\n */\n static int cifs_sig_iter(const struct iov_iter *iter, size_t maxsize,\n \t\t\t struct cifs_calc_sig_ctx *ctx)\n {\n \tstruct iov_iter tmp_iter = *iter;\n \tsize_t did;\n-\tint err;\n \n-\tdid = iterate_and_advance_kernel(&tmp_iter, maxsize, ctx, &err,\n+\tdid = iterate_and_advance_kernel(&tmp_iter, maxsize, ctx, NULL,\n \t\t\t\t\t cifs_sig_step);\n \tif (did != maxsize)\n \t\treturn smb_EIO2(smb_eio_trace_sig_iter, did, maxsize);\n \treturn 0;\n }\n@@ -106,15 +89,12 @@ int __cifs_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n \n \trc = cifs_sig_iter(&rqst->rq_iter, iov_iter_count(&rqst->rq_iter), ctx);\n \tif (rc < 0)\n \t\treturn rc;\n \n-\trc = cifs_sig_final(ctx, signature);\n-\tif (rc)\n-\t\tcifs_dbg(VFS, \"%s: Could not generate hash\\n\", __func__);\n-\n-\treturn rc;\n+\tcifs_sig_final(ctx, signature);\n+\treturn 0;\n }\n \n /* Build a proper attribute value/target info pairs blob.\n * Fill in netbios and dns domain name and workstation name\n * and client time (total five av pairs and + one end of fields indicator.\ndiff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h\nindex 080ea601c209..2ff43bd35c5f 100644\n--- a/fs/smb/client/cifsglob.h\n+++ b/fs/smb/client/cifsglob.h\n@@ -2285,11 +2285,11 @@ static inline void mid_execute_callback(struct TCP_Server_Info *server,\n \t FILE_SUPPORTS_REPARSE_POINTS))\n \n struct cifs_calc_sig_ctx {\n \tstruct md5_ctx *md5;\n \tstruct hmac_sha256_ctx *hmac;\n-\tstruct shash_desc *shash;\n+\tstruct aes_cmac_ctx *cmac;\n };\n \n #define CIFS_RECONN_DELAY_SECS\t30\n #define CIFS_MAX_RECONN_DELAY\t(4 * CIFS_RECONN_DELAY_SECS)\n \ndiff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c\nindex 81be2b226e26..b233e0cd9152 100644\n--- a/fs/smb/client/smb2transport.c\n+++ b/fs/smb/client/smb2transport.c\n@@ -17,10 +17,11 @@\n #include <linux/uaccess.h>\n #include <asm/processor.h>\n #include <linux/mempool.h>\n #include <linux/highmem.h>\n #include <crypto/aead.h>\n+#include <crypto/aes-cbc-macs.h>\n #include <crypto/sha2.h>\n #include <crypto/utils.h>\n #include \"cifsglob.h\"\n #include \"cifsproto.h\"\n #include \"smb2proto.h\"\n@@ -472,11 +473,12 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n {\n \tint rc;\n \tunsigned char smb3_signature[SMB2_CMACAES_SIZE];\n \tstruct kvec *iov = rqst->rq_iov;\n \tstruct smb2_hdr *shdr = (struct smb2_hdr *)iov[0].iov_base;\n-\tstruct shash_desc *shash = NULL;\n+\tstruct aes_cmac_key cmac_key;\n+\tstruct aes_cmac_ctx cmac_ctx;\n \tstruct smb_rqst drqst;\n \tu8 key[SMB3_SIGN_KEY_SIZE];\n \n \tif (server->vals->protocol_id <= SMB21_PROT_ID)\n \t\treturn smb2_calc_signature(rqst, server, allocate_crypto);\n@@ -485,67 +487,40 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n \tif (unlikely(rc)) {\n \t\tcifs_server_dbg(FYI, \"%s: Could not get signing key\\n\", __func__);\n \t\treturn rc;\n \t}\n \n-\tif (allocate_crypto) {\n-\t\trc = cifs_alloc_hash(\"cmac(aes)\", &shash);\n-\t\tif (rc)\n-\t\t\treturn rc;\n-\t} else {\n-\t\tshash = server->secmech.aes_cmac;\n-\t}\n-\n \tmemset(smb3_signature, 0x0, SMB2_CMACAES_SIZE);\n \tmemset(shdr->Signature, 0x0, SMB2_SIGNATURE_SIZE);\n \n-\trc = crypto_shash_setkey(shash->tfm, key, SMB2_CMACAES_SIZE);\n+\trc = aes_cmac_preparekey(&cmac_key, key, SMB2_CMACAES_SIZE);\n \tif (rc) {\n \t\tcifs_server_dbg(VFS, \"%s: Could not set key for cmac aes\\n\", __func__);\n-\t\tgoto out;\n+\t\treturn rc;\n \t}\n \n-\t/*\n-\t * we already allocate aes_cmac when we init smb3 signing key,\n-\t * so unlike smb2 case we do not have to check here if secmech are\n-\t * initialized\n-\t */\n-\trc = crypto_shash_init(shash);\n-\tif (rc) {\n-\t\tcifs_server_dbg(VFS, \"%s: Could not init cmac aes\\n\", __func__);\n-\t\tgoto out;\n-\t}\n+\taes_cmac_init(&cmac_ctx, &cmac_key);\n \n \t/*\n \t * For SMB2+, __cifs_calc_signature() expects to sign only the actual\n \t * data, that is, iov[0] should not contain a rfc1002 length.\n \t *\n \t * Sign the rfc1002 length prior to passing the data (iov[1-N]) down to\n \t * __cifs_calc_signature().\n \t */\n \tdrqst = *rqst;\n \tif (drqst.rq_nvec >= 2 && iov[0].iov_len == 4) {\n-\t\trc = crypto_shash_update(shash, iov[0].iov_base,\n-\t\t\t\t\t iov[0].iov_len);\n-\t\tif (rc) {\n-\t\t\tcifs_server_dbg(VFS, \"%s: Could not update with payload\\n\",\n-\t\t\t\t __func__);\n-\t\t\tgoto out;\n-\t\t}\n+\t\taes_cmac_update(&cmac_ctx, iov[0].iov_base, iov[0].iov_len);\n \t\tdrqst.rq_iov++;\n \t\tdrqst.rq_nvec--;\n \t}\n \n \trc = __cifs_calc_signature(\n \t\t&drqst, server, smb3_signature,\n-\t\t&(struct cifs_calc_sig_ctx){ .shash = shash });\n+\t\t&(struct cifs_calc_sig_ctx){ .cmac = &cmac_ctx });\n \tif (!rc)\n \t\tmemcpy(shdr->Signature, smb3_signature, SMB2_SIGNATURE_SIZE);\n-\n-out:\n-\tif (allocate_crypto)\n-\t\tcifs_free_hash(&shash);\n \treturn rc;\n }\n \n /* must be called with server->srv_mutex held */\n static int\n", "prefixes": [ "08/15" ] }