Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2224815,
    "url": "http://patchwork.ozlabs.org/api/patches/2224815/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260418221311.67583-2-ebiggers@kernel.org/",
    "project": {
        "id": 12,
        "url": "http://patchwork.ozlabs.org/api/projects/12/?format=api",
        "name": "Linux CIFS Client",
        "link_name": "linux-cifs-client",
        "list_id": "linux-cifs.vger.kernel.org",
        "list_email": "linux-cifs@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260418221311.67583-2-ebiggers@kernel.org>",
    "list_archive_url": null,
    "date": "2026-04-18T22:13:08",
    "name": "[v2,1/4] smb: client: Use AES-CMAC library for SMB3 signature calculation",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "c57eb8af5aef0988fedfae85373a7a9b9123ac93",
    "submitter": {
        "id": 74690,
        "url": "http://patchwork.ozlabs.org/api/people/74690/?format=api",
        "name": "Eric Biggers",
        "email": "ebiggers@kernel.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260418221311.67583-2-ebiggers@kernel.org/mbox/",
    "series": [
        {
            "id": 500471,
            "url": "http://patchwork.ozlabs.org/api/series/500471/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500471",
            "date": "2026-04-18T22:13:07",
            "name": "smb: client: Use AES-CMAC library",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/500471/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2224815/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2224815/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <linux-cifs+bounces-10903-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-cifs@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=dPG2NKF2;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10903-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"dPG2NKF2\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fymHq6zWlz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 19 Apr 2026 08:14:15 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 0DE2D301F9B7\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 22:13:39 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0EF2D346FA6;\n\tSat, 18 Apr 2026 22:13:38 +0000 (UTC)",
            "from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id DD8A7346A07;\n\tSat, 18 Apr 2026 22:13:37 +0000 (UTC)",
            "by smtp.kernel.org (Postfix) with ESMTPSA id 6339FC2BCB4;\n\tSat, 18 Apr 2026 22:13:37 +0000 (UTC)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776550417; cv=none;\n b=ItIl9v59lKf8qJk2pYiD8VopytvPkDQ+EUNsqb5qmY9lqgDnxXIZYcUIEp0x/y9b9v5vpVIhBp/offdDrjPfZkcCz3GIZl5mNPPA7oRzs11w7s6KH1AlWWxy/NzjnNUYEZXXLmNgzTcfVKVQbPTW3TnuABa1dOk9Kr5yXIIYqlg=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776550417; c=relaxed/simple;\n\tbh=waPxGS4ymJDY+x+TK7tcOvGyddpnwah8yt2ZpfyHgA8=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=SmXKMsh3P7yKtzT+WQJJXu/abNpUbZipRF85670OTMJuTzopL9QJJYV1f917ktr1oJX+lWE4NnWpEYXRR1CMNNxQzqW329kURqMPbodTatgZxiQ/6vvQVpuMJSAceWi2fw6NtPVQfTWO6wuvSJyNtZQCEv7u9FIv4H6R5VSQPGw=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=dPG2NKF2; arc=none smtp.client-ip=10.30.226.201",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1776550417;\n\tbh=waPxGS4ymJDY+x+TK7tcOvGyddpnwah8yt2ZpfyHgA8=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=dPG2NKF28m/Yrg6E7dZuZ6LoOL9j9Q4hFjaG22y3ZQwdh2nvCDoM1SXuBoJh2hb1Y\n\t VFpWKY/JwTdWiksVmwCjBNjC8QBVcvq6j6SN0OpwKKiUK0unou/A/Y53MAv9hOOZj6\n\t m08VPI3iEnH1J108CXep2KgytDiF+LJZo0ew+x/pzYOJz/roL6hi3WnEHz90AbsZb9\n\t HnaMxRoxJtOFjiM1lIVkWowTxUNzTb4lz1lBav6YflrQkI/we6LO7ojSU/soxPGaRk\n\t trqdNJYiuLTZPGm8m8o1L9/LW/lkjertIKyLvI4ZN49ZWGJf1UXLTicUksBfYwJJ2f\n\t 2TmVfF4HRnLmQ==",
        "From": "Eric Biggers <ebiggers@kernel.org>",
        "To": "linux-cifs@vger.kernel.org,\n\tSteve French <sfrench@samba.org>",
        "Cc": "linux-crypto@vger.kernel.org,\n\tsamba-technical@lists.samba.org,\n\tlinux-kernel@vger.kernel.org,\n\tArd Biesheuvel <ardb@kernel.org>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tRonnie Sahlberg <ronniesahlberg@gmail.com>,\n\tShyam Prasad N <sprasad@microsoft.com>,\n\tTom Talpey <tom@talpey.com>,\n\tBharath SM <bharathsm@microsoft.com>,\n\tEric Biggers <ebiggers@kernel.org>",
        "Subject": "[PATCH v2 1/4] smb: client: Use AES-CMAC library for SMB3 signature\n calculation",
        "Date": "Sat, 18 Apr 2026 15:13:08 -0700",
        "Message-ID": "<20260418221311.67583-2-ebiggers@kernel.org>",
        "X-Mailer": "git-send-email 2.53.0",
        "In-Reply-To": "<20260418221311.67583-1-ebiggers@kernel.org>",
        "References": "<20260418221311.67583-1-ebiggers@kernel.org>",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-cifs@vger.kernel.org",
        "List-Id": "<linux-cifs.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "Convert smb3_calc_signature() to use the AES-CMAC library instead of a\n\"cmac(aes)\" crypto_shash.\n\nThe result is simpler and faster code.  With the library there's no need\nto allocate memory, no need to handle errors except for key preparation,\nand the AES-CMAC code is accessed directly without inefficient indirect\ncalls and other unnecessary API overhead.\n\nFor now a \"cmac(aes)\" crypto_shash is still being allocated in\n'struct cifs_secmech'.  Later commits will remove that, simplifying the\ncode even further.\n\nReviewed-by: Ard Biesheuvel <ardb@kernel.org>\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\n---\n fs/smb/client/Kconfig         |  1 +\n fs/smb/client/cifsencrypt.c   | 60 ++++++++++++-----------------------\n fs/smb/client/cifsglob.h      |  2 +-\n fs/smb/client/smb2transport.c | 41 +++++-------------------\n 4 files changed, 30 insertions(+), 74 deletions(-)",
    "diff": "diff --git a/fs/smb/client/Kconfig b/fs/smb/client/Kconfig\nindex 63831242fddfb..029bbe595d5fa 100644\n--- a/fs/smb/client/Kconfig\n+++ b/fs/smb/client/Kconfig\n@@ -8,10 +8,11 @@ config CIFS\n \tselect CRYPTO_CMAC\n \tselect CRYPTO_AEAD2\n \tselect CRYPTO_CCM\n \tselect CRYPTO_GCM\n \tselect CRYPTO_AES\n+\tselect CRYPTO_LIB_AES_CBC_MACS\n \tselect CRYPTO_LIB_ARC4\n \tselect CRYPTO_LIB_MD5\n \tselect CRYPTO_LIB_SHA256\n \tselect CRYPTO_LIB_SHA512\n \tselect KEYS\ndiff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c\nindex 3d731f3af235f..d092bca2df62d 100644\n--- a/fs/smb/client/cifsencrypt.c\n+++ b/fs/smb/client/cifsencrypt.c\n@@ -20,66 +20,49 @@\n #include <linux/random.h>\n #include <linux/highmem.h>\n #include <linux/fips.h>\n #include <linux/iov_iter.h>\n #include <crypto/aead.h>\n+#include <crypto/aes-cbc-macs.h>\n #include <crypto/arc4.h>\n #include <crypto/md5.h>\n #include <crypto/sha2.h>\n \n-static int cifs_sig_update(struct cifs_calc_sig_ctx *ctx,\n-\t\t\t   const u8 *data, size_t len)\n+static size_t cifs_sig_step(void *iter_base, size_t progress, size_t len,\n+\t\t\t    void *priv, void *priv2)\n {\n-\tif (ctx->md5) {\n-\t\tmd5_update(ctx->md5, data, len);\n-\t\treturn 0;\n-\t}\n-\tif (ctx->hmac) {\n-\t\thmac_sha256_update(ctx->hmac, data, len);\n-\t\treturn 0;\n-\t}\n-\treturn crypto_shash_update(ctx->shash, data, len);\n+\tstruct cifs_calc_sig_ctx *ctx = priv;\n+\n+\tif (ctx->md5)\n+\t\tmd5_update(ctx->md5, iter_base, len);\n+\telse if (ctx->hmac)\n+\t\thmac_sha256_update(ctx->hmac, iter_base, len);\n+\telse\n+\t\taes_cmac_update(ctx->cmac, iter_base, len);\n+\treturn 0; /* Return value is length *not* processed, i.e. 0. */\n }\n \n-static int cifs_sig_final(struct cifs_calc_sig_ctx *ctx, u8 *out)\n+static void cifs_sig_final(struct cifs_calc_sig_ctx *ctx, u8 *out)\n {\n-\tif (ctx->md5) {\n+\tif (ctx->md5)\n \t\tmd5_final(ctx->md5, out);\n-\t\treturn 0;\n-\t}\n-\tif (ctx->hmac) {\n+\telse if (ctx->hmac)\n \t\thmac_sha256_final(ctx->hmac, out);\n-\t\treturn 0;\n-\t}\n-\treturn crypto_shash_final(ctx->shash, out);\n-}\n-\n-static size_t cifs_sig_step(void *iter_base, size_t progress, size_t len,\n-\t\t\t    void *priv, void *priv2)\n-{\n-\tstruct cifs_calc_sig_ctx *ctx = priv;\n-\tint ret, *pret = priv2;\n-\n-\tret = cifs_sig_update(ctx, iter_base, len);\n-\tif (ret < 0) {\n-\t\t*pret = ret;\n-\t\treturn len;\n-\t}\n-\treturn 0;\n+\telse\n+\t\taes_cmac_final(ctx->cmac, out);\n }\n \n /*\n  * Pass the data from an iterator into a hash.\n  */\n static int cifs_sig_iter(const struct iov_iter *iter, size_t maxsize,\n \t\t\t struct cifs_calc_sig_ctx *ctx)\n {\n \tstruct iov_iter tmp_iter = *iter;\n \tsize_t did;\n-\tint err;\n \n-\tdid = iterate_and_advance_kernel(&tmp_iter, maxsize, ctx, &err,\n+\tdid = iterate_and_advance_kernel(&tmp_iter, maxsize, ctx, NULL,\n \t\t\t\t\t cifs_sig_step);\n \tif (did != maxsize)\n \t\treturn smb_EIO2(smb_eio_trace_sig_iter, did, maxsize);\n \treturn 0;\n }\n@@ -106,15 +89,12 @@ int __cifs_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n \n \trc = cifs_sig_iter(&rqst->rq_iter, iov_iter_count(&rqst->rq_iter), ctx);\n \tif (rc < 0)\n \t\treturn rc;\n \n-\trc = cifs_sig_final(ctx, signature);\n-\tif (rc)\n-\t\tcifs_dbg(VFS, \"%s: Could not generate hash\\n\", __func__);\n-\n-\treturn rc;\n+\tcifs_sig_final(ctx, signature);\n+\treturn 0;\n }\n \n /* Build a proper attribute value/target info pairs blob.\n  * Fill in netbios and dns domain name and workstation name\n  * and client time (total five av pairs and + one end of fields indicator.\ndiff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h\nindex ccfde157d3bef..74265d055c265 100644\n--- a/fs/smb/client/cifsglob.h\n+++ b/fs/smb/client/cifsglob.h\n@@ -2322,11 +2322,11 @@ static inline void mid_execute_callback(struct TCP_Server_Info *server,\n \t  FILE_SUPPORTS_REPARSE_POINTS))\n \n struct cifs_calc_sig_ctx {\n \tstruct md5_ctx *md5;\n \tstruct hmac_sha256_ctx *hmac;\n-\tstruct shash_desc *shash;\n+\tstruct aes_cmac_ctx *cmac;\n };\n \n #define CIFS_RECONN_DELAY_SECS\t30\n #define CIFS_MAX_RECONN_DELAY\t(4 * CIFS_RECONN_DELAY_SECS)\n \ndiff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c\nindex 81be2b226e264..b233e0cd91529 100644\n--- a/fs/smb/client/smb2transport.c\n+++ b/fs/smb/client/smb2transport.c\n@@ -17,10 +17,11 @@\n #include <linux/uaccess.h>\n #include <asm/processor.h>\n #include <linux/mempool.h>\n #include <linux/highmem.h>\n #include <crypto/aead.h>\n+#include <crypto/aes-cbc-macs.h>\n #include <crypto/sha2.h>\n #include <crypto/utils.h>\n #include \"cifsglob.h\"\n #include \"cifsproto.h\"\n #include \"smb2proto.h\"\n@@ -472,11 +473,12 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n {\n \tint rc;\n \tunsigned char smb3_signature[SMB2_CMACAES_SIZE];\n \tstruct kvec *iov = rqst->rq_iov;\n \tstruct smb2_hdr *shdr = (struct smb2_hdr *)iov[0].iov_base;\n-\tstruct shash_desc *shash = NULL;\n+\tstruct aes_cmac_key cmac_key;\n+\tstruct aes_cmac_ctx cmac_ctx;\n \tstruct smb_rqst drqst;\n \tu8 key[SMB3_SIGN_KEY_SIZE];\n \n \tif (server->vals->protocol_id <= SMB21_PROT_ID)\n \t\treturn smb2_calc_signature(rqst, server, allocate_crypto);\n@@ -485,67 +487,40 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,\n \tif (unlikely(rc)) {\n \t\tcifs_server_dbg(FYI, \"%s: Could not get signing key\\n\", __func__);\n \t\treturn rc;\n \t}\n \n-\tif (allocate_crypto) {\n-\t\trc = cifs_alloc_hash(\"cmac(aes)\", &shash);\n-\t\tif (rc)\n-\t\t\treturn rc;\n-\t} else {\n-\t\tshash = server->secmech.aes_cmac;\n-\t}\n-\n \tmemset(smb3_signature, 0x0, SMB2_CMACAES_SIZE);\n \tmemset(shdr->Signature, 0x0, SMB2_SIGNATURE_SIZE);\n \n-\trc = crypto_shash_setkey(shash->tfm, key, SMB2_CMACAES_SIZE);\n+\trc = aes_cmac_preparekey(&cmac_key, key, SMB2_CMACAES_SIZE);\n \tif (rc) {\n \t\tcifs_server_dbg(VFS, \"%s: Could not set key for cmac aes\\n\", __func__);\n-\t\tgoto out;\n+\t\treturn rc;\n \t}\n \n-\t/*\n-\t * we already allocate aes_cmac when we init smb3 signing key,\n-\t * so unlike smb2 case we do not have to check here if secmech are\n-\t * initialized\n-\t */\n-\trc = crypto_shash_init(shash);\n-\tif (rc) {\n-\t\tcifs_server_dbg(VFS, \"%s: Could not init cmac aes\\n\", __func__);\n-\t\tgoto out;\n-\t}\n+\taes_cmac_init(&cmac_ctx, &cmac_key);\n \n \t/*\n \t * For SMB2+, __cifs_calc_signature() expects to sign only the actual\n \t * data, that is, iov[0] should not contain a rfc1002 length.\n \t *\n \t * Sign the rfc1002 length prior to passing the data (iov[1-N]) down to\n \t * __cifs_calc_signature().\n \t */\n \tdrqst = *rqst;\n \tif (drqst.rq_nvec >= 2 && iov[0].iov_len == 4) {\n-\t\trc = crypto_shash_update(shash, iov[0].iov_base,\n-\t\t\t\t\t iov[0].iov_len);\n-\t\tif (rc) {\n-\t\t\tcifs_server_dbg(VFS, \"%s: Could not update with payload\\n\",\n-\t\t\t\t __func__);\n-\t\t\tgoto out;\n-\t\t}\n+\t\taes_cmac_update(&cmac_ctx, iov[0].iov_base, iov[0].iov_len);\n \t\tdrqst.rq_iov++;\n \t\tdrqst.rq_nvec--;\n \t}\n \n \trc = __cifs_calc_signature(\n \t\t&drqst, server, smb3_signature,\n-\t\t&(struct cifs_calc_sig_ctx){ .shash = shash });\n+\t\t&(struct cifs_calc_sig_ctx){ .cmac = &cmac_ctx });\n \tif (!rc)\n \t\tmemcpy(shdr->Signature, smb3_signature, SMB2_SIGNATURE_SIZE);\n-\n-out:\n-\tif (allocate_crypto)\n-\t\tcifs_free_hash(&shash);\n \treturn rc;\n }\n \n /* must be called with server->srv_mutex held */\n static int\n",
    "prefixes": [
        "v2",
        "1/4"
    ]
}