
GET /api/1.1/patches/2221532/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2221532,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2221532/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260409161538.3618-1-s.piyush1024@gmail.com/",
    "project": {
        "id": 12,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api",
        "name": "Linux CIFS Client",
        "link_name": "linux-cifs-client",
        "list_id": "linux-cifs.vger.kernel.org",
        "list_email": "linux-cifs@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260409161538.3618-1-s.piyush1024@gmail.com>",
    "date": "2026-04-09T16:15:32",
    "name": "smb: client: use FullSessionKey for AES-256 encryption key derivation",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "8b9b36d22adb86fde92664766139dc33ec0e68a6",
    "submitter": {
        "id": 92318,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/92318/?format=api",
        "name": "Piyush Sachdeva",
        "email": "s.piyush1024@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260409161538.3618-1-s.piyush1024@gmail.com/mbox/",
    "series": [
        {
            "id": 499326,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/499326/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499326",
            "date": "2026-04-09T16:15:32",
            "name": "smb: client: use FullSessionKey for AES-256 encryption key derivation",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/499326/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2221532/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2221532/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <linux-cifs+bounces-10738-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-cifs@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=cGB2vIqG;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10738-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"cGB2vIqG\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.215.173",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"
        ],
        "Received": [
            "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fs4vH0h6Xz1yHG\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 10 Apr 2026 02:21:47 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 27832302B504\n\tfor <incoming@patchwork.ozlabs.org>; Thu,  9 Apr 2026 16:16:10 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 992D43DEAF4;\n\tThu,  9 Apr 2026 16:16:08 +0000 (UTC)",
            "from mail-pg1-f173.google.com (mail-pg1-f173.google.com\n [209.85.215.173])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B77703DEAD0\n\tfor <linux-cifs@vger.kernel.org>; Thu,  9 Apr 2026 16:16:05 +0000 (UTC)",
            "by mail-pg1-f173.google.com with SMTP id\n 41be03b00d2f7-c70c112cb61so721152a12.0\n        for <linux-cifs@vger.kernel.org>;\n Thu, 09 Apr 2026 09:16:05 -0700 (PDT)",
            "from localhost ([49.207.153.169])\n        by smtp.gmail.com with ESMTPSA id\n 41be03b00d2f7-c76cffd9611sm19263937a12.17.2026.04.09.09.16.03\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Thu, 09 Apr 2026 09:16:04 -0700 (PDT)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775751368; cv=none;\n b=mRN64jxYion1iam+4GL3MT1EGiI0s3xeG/I2xRVT00jE4U+jCk8wppgBUT9yJ7svWb9jFNmBt1m7pvXpPd2TlDca1DWlTFfIzMPU2VxXulIh0RVW5rsiC2bU1AIDWjk0pQJtkeV0iFAPunRfG7l1r8IAaFqPq7T1fYQxFGxdeSU=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775751368; c=relaxed/simple;\n\tbh=Hu9T+FLiNPkkFUO5IdCVNWDzsGDI4Mfr231GXxbmBYs=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=PdGlIuYLUgb0Q5nxgfltXh34fJNGSHg/WSGiM5UfEYMVTV0hyl60vrZnKKtupCTdKi/cQL3FTEw69oJDmznY177QABE0ZNtqDPqHUCkO3ufU1BbMemHwDL9kL17LHrQXW0pgIxPe6X0+w/TTQGJzX2QiV/DFBmyibWbbBOvdcGs=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=cGB2vIqG; arc=none smtp.client-ip=209.85.215.173",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1775751365; x=1776356165;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=Q79DNyAnlCXZAwn0OoLPtqbdLttcixAaHmbbuH/DNfE=;\n        b=cGB2vIqGReV1GhdyrSP9WgXPxOp+qnA3Sm2zy2oGUnzpwc1/NgSkvKY9Ny2TTqQ2nK\n         voyym1w4Tu1nvk3SyEE/baSLD3Z8cZuOJ9NoiMk6or0wRQ06h3WOKausvEAKjBiKEbaF\n         HDIzoj3mWrws0iKljiBGWKmgh/9YtGx+XM3C0HkQhiwJo5rkNvQH0AgO2KH8E1/H7fcw\n         ItRNs9tphyeT822Qlw5u47/NdypqTX61bsOj5nZ+Jl4yxj18UMYPMzVkZmeD4lit8Ocv\n         HGYdaE0BB5yBMDliyE7yaLnfuxRSsKIePi+ACpmfM89mrfDSxc2APWzbXtE/YzsxkEg+\n         WTfA==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1775751365; x=1776356165;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=Q79DNyAnlCXZAwn0OoLPtqbdLttcixAaHmbbuH/DNfE=;\n        b=YoWVuuCaHZmFULj0pF/Yd7cOy9K9rcj1BTqH8UReU97+14sLmg7bQAkCMY7ytvdsfV\n         9t+SWvbe2w6CTpwj/dCJQucN8AQNDv7rDNm2HAjXNZ8Q3FgQ/L1Nufi5Lv4hy7GgJsef\n         zr73MjzlrQsPBGTeRwyTCysXBTx3Fcw2ne/U9ZWV86w2Otu5zdiDHAhR2ElRLge9ceSE\n         4hOAtT/jWthY9tl2IquwojQr47mPmIrd0kK8L5J0LJ89lfJXZT+HiBTwzklJZiGtwZ14\n         n5hMNkYf+YX0GBntxOBYxavv0BHtIVj/ct2JSxw0+WWWsr2E6/Uyerr4gYaT6kxh9s5e\n         c12g==",
        "X-Forwarded-Encrypted": "i=1;\n AJvYcCUyYAqoJRqzIQUCsycihCh+ZkAsJZTcwvm4NZO1SQWks+oGLdge3LEcDs7ks/t0wEHbpbCJt+Cv6tKA@vger.kernel.org",
        "X-Gm-Message-State": "AOJu0YzRmLzR6SeS8nnDjoJ8FHYKLvLXUdA3CSFPppFNbuVwxm90FHp/\n\thdWh43ZMQu0eM+9DFWKSIruhrc7oMzdmTq0nWFYMhnUcv0h/C+tCdpc4",
        "X-Gm-Gg": "AeBDiesd1p4jr80K/O3Mmw/x11Pj+3cjXoETLWFABPh1upq7pjx5GgqBFvLaqxJiLD/\n\t27DtYQNQGK0NFDZWXj8XPc9+TYP58vfkA4/Iq9hIK6YBUH7xDNlwVz22PMM2Mh0XcsItVhiWJFm\n\t1qpBusM6kqgWIeQgyEaGokgjWQ+q0GsmOPMYHu8nA+nDnlkknjFjRxY7yrGysCOMvZ3+qLXwiEd\n\tThPP7DSsKxywlOeMLlQxqkn2yaD0ZkLpFlWb0ytcjnQ6scv1tyhrFq0ayoJLF5wwAVFANhOE0zM\n\t//Dfz3QsBbn+Zv+e0EI7M19LjvFp85Xk1RQjhQ7HyDEGyS2iHauFySyItPrBH6Pv5B/0qNUSNj1\n\t0rY36KZNCVLkS8/QvwiLyd884QtUvdwL8ZYatjoWwuIXS+UEcsdxmULSaPkr8f6M9FHD/rNbvZn\n\tS3hfIRoV1Hj+/pqOjUh2Ryvu1uOi//DGhdvhHel0k=",
        "X-Received": "by 2002:a05:6a20:158c:b0:398:a1ca:7a22 with SMTP id\n adf61e73a8af0-39f2f11afa7mr27980929637.54.1775751364647;\n        Thu, 09 Apr 2026 09:16:04 -0700 (PDT)",
        "From": "s.piyush1024@gmail.com",
        "To": "sfrench@samba.org,\n\tlinux-cifs@vger.kernel.org",
        "Cc": "sprasad@microsoft.com,\n\tbharathsm@microsoft.com,\n\tsamba-technical@lists.samba.org,\n\tlinux-kernel@vger.kernel.org",
        "Subject": "[PATCH] smb: client: use FullSessionKey for AES-256 encryption key\n derivation",
        "Date": "Thu,  9 Apr 2026 21:45:32 +0530",
        "Message-ID": "<20260409161538.3618-1-s.piyush1024@gmail.com>",
        "X-Mailer": "git-send-email 2.53.0",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-cifs@vger.kernel.org",
        "List-Id": "<linux-cifs.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "From: Piyush Sachdeva <psachdeva@microsoft.com>\n\nWhen Kerberos authentication is used with AES-256 encryption (AES-256-CCM\nor AES-256-GCM), the SMB3 encryption and decryption keys must be derived\nusing the full session key (Session.FullSessionKey) rather than just the\nfirst 16 bytes (Session.SessionKey).\n\nPer MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is \"3.1.1\" and\nConnection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey\nmust be set to the full cryptographic key from the GSS authentication\ncontext. The encryption and decryption key derivation (SMBC2SCipherKey,\nSMBS2CCipherKey) must use this FullSessionKey as the KDF input. The\nsigning key derivation continues to use Session.SessionKey (first 16\nbytes) in all cases.\n\nPreviously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the\nHMAC-SHA256 key input length for all derivations. When Kerberos with\nAES-256 provides a 32-byte session key, the KDF for encryption/decryption\nwas using only the first 16 bytes, producing keys that did not match the\nserver's, causing mount failures with sec=krb5 and require_gcm_256=1.\n\nAdd a `full_key_size` parameter to generate_key() and pass the appropriate\nsize from generate_smb3signingkey():\n - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)\n - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16\n\nAlso fix cifs_dump_full_key() to report the actual session key length for\nAES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools\nlike Wireshark receive the correct key for decryption.\n\nSigned-off-by: Piyush Sachdeva <psachdeva@microsoft.com>\nSigned-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>\n---\n fs/smb/client/ioctl.c         |  2 +-\n fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++-------\n 2 files changed, 26 insertions(+), 8 deletions(-)",
    "diff": "diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c\nindex 9afab3237e54..17408bb8ab65 100644\n--- a/fs/smb/client/ioctl.c\n+++ b/fs/smb/client/ioctl.c\n@@ -296,7 +296,7 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug\n \t\tbreak;\n \tcase SMB2_ENCRYPTION_AES256_CCM:\n \tcase SMB2_ENCRYPTION_AES256_GCM:\n-\t\tout.session_key_length = CIFS_SESS_KEY_SIZE;\n+\t\tout.session_key_length = ses->auth_key.len;\n \t\tout.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;\n \t\tbreak;\n \tdefault:\ndiff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c\nindex 81be2b226e26..57e515774b97 100644\n--- a/fs/smb/client/smb2transport.c\n+++ b/fs/smb/client/smb2transport.c\n@@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n }\n \n static int generate_key(struct cifs_ses *ses, struct kvec label,\n-\t\t\tstruct kvec context, __u8 *key, unsigned int key_size)\n+\t\t\tstruct kvec context, __u8 *key, unsigned int key_size,\n+\t\t\tunsigned int full_key_size)\n {\n \tunsigned char zero = 0x0;\n \t__u8 i[4] = {0, 0, 0, 1};\n@@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses *ses, struct kvec label,\n \t}\n \n \thmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response,\n-\t\t\t\t     SMB2_NTLMV2_SESSKEY_SIZE);\n+\t\t\t\t     full_key_size);\n \thmac_sha256_update(&hmac_ctx, i, 4);\n \thmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len);\n \thmac_sha256_update(&hmac_ctx, &zero, 1);\n@@ -315,6 +316,7 @@ generate_smb3signingkey(struct cifs_ses *ses,\n \t\t\tconst struct derivation_triplet *ptriplet)\n {\n \tint rc;\n+\tunsigned int full_key_size;\n \tbool is_binding = false;\n \tint chan_index = 0;\n \n@@ -344,18 +346,32 @@ generate_smb3signingkey(struct cifs_ses *ses,\n \t * master connection signing key stored in the session\n \t */\n \n+\t/*\n+\t * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey\n+\t * 
(first 16 bytes). Encryption/decryption keys use\n+\t * Session.FullSessionKey when dialect is 3.1.1 and cipher is\n+\t * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.\n+\t */\n \tif (is_binding) {\n \t\trc = generate_key(ses, ptriplet->signing.label,\n \t\t\t\t  ptriplet->signing.context,\n \t\t\t\t  ses->chans[chan_index].signkey,\n-\t\t\t\t  SMB3_SIGN_KEY_SIZE);\n+\t\t\t\t  SMB3_SIGN_KEY_SIZE,\n+\t\t\t\t  SMB2_NTLMV2_SESSKEY_SIZE);\n \t\tif (rc)\n \t\t\treturn rc;\n \t} else {\n+\t\tif (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||\n+\t\t    server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)\n+\t\t\tfull_key_size = ses->auth_key.len;\n+\t\telse\n+\t\t\tfull_key_size = SMB2_NTLMV2_SESSKEY_SIZE;\n+\n \t\trc = generate_key(ses, ptriplet->signing.label,\n \t\t\t\t  ptriplet->signing.context,\n \t\t\t\t  ses->smb3signingkey,\n-\t\t\t\t  SMB3_SIGN_KEY_SIZE);\n+\t\t\t\t  SMB3_SIGN_KEY_SIZE,\n+\t\t\t\t  SMB2_NTLMV2_SESSKEY_SIZE);\n \t\tif (rc)\n \t\t\treturn rc;\n \n@@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses *ses,\n \t\trc = generate_key(ses, ptriplet->encryption.label,\n \t\t\t\t  ptriplet->encryption.context,\n \t\t\t\t  ses->smb3encryptionkey,\n-\t\t\t\t  SMB3_ENC_DEC_KEY_SIZE);\n+\t\t\t\t  SMB3_ENC_DEC_KEY_SIZE,\n+\t\t\t\t  full_key_size);\n \t\tif (rc)\n \t\t\treturn rc;\n \t\trc = generate_key(ses, ptriplet->decryption.label,\n \t\t\t\t  ptriplet->decryption.context,\n \t\t\t\t  ses->smb3decryptionkey,\n-\t\t\t\t  SMB3_ENC_DEC_KEY_SIZE);\n+\t\t\t\t  SMB3_ENC_DEC_KEY_SIZE,\n+\t\t\t\t  full_key_size);\n \t\tif (rc)\n \t\t\treturn rc;\n \t}\n@@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses *ses,\n \t\t\t&ses->Suid);\n \tcifs_dbg(VFS, \"Cipher type   %d\\n\", server->cipher_type);\n \tcifs_dbg(VFS, \"Session Key   %*ph\\n\",\n-\t\t SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);\n+\t\t ses->auth_key.len, ses->auth_key.response);\n \tcifs_dbg(VFS, \"Signing Key   %*ph\\n\",\n \t\t SMB3_SIGN_KEY_SIZE, 
ses->smb3signingkey);\n \tif ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||\n",
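Review bot: The AES-256 branch of generate_smb3signingkey() sets `full_key_size = ses->auth_key.len` with no bound, and generate_key() passes that length straight to hmac_sha256_init_usingrawkey() over ses->auth_key.response. The same unchecked length now feeds `out.session_key_length` in cifs_dump_full_key() and the `%*ph` session-key dump in the last hunk. Nothing visible in these hunks guarantees that auth_key.len equals the GSS session-key length for every auth type; if the buffer can hold more than the key (to be confirmed for non-Kerberos sessions that negotiate AES-256), the KDF would be keyed with trailing non-key bytes and the ioctl would report a longer length than the key. One option, pending that check, is to fall back to the 16-byte key when the length is out of range: `full_key_size = (ses->auth_key.len >= SMB2_NTLMV2_SESSKEY_SIZE && ses->auth_key.len <= SMB3_ENC_DEC_KEY_SIZE) ? ses->auth_key.len : SMB2_NTLMV2_SESSKEY_SIZE;`. The user-buffer size check and the copy in cifs_dump_full_key() are outside the hunk, so also confirm that the destination field's type and that check can hold the new length.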
    "prefixes": []
}