[v3,0/8] cifs: introduce support for AES-GMAC signing

Message ID 20220929015637.14400-1-ematsumiya@suse.de

Enzo Matsumiya Sept. 29, 2022, 1:56 a.m. UTC
Hi all,

This is v3 of this series.  Please refer to the original cover letter here:
https://lore.kernel.org/linux-cifs/20220829213354.2714-1-ematsumiya@suse.de/

Major changes from v2:
- added patches 1-4 as some groundwork (see more below)
- the core function is now smb311_calc_signature(), and it's been simplified a
  lot, and the "merge" with crypt_message() was removed (thanks metze for the help!)
- fix a very specific bug when AES-GMAC was used with KASAN enabled (patch 8/8)

Summary of each patch below.  Please refer to each individual commit message
for more details:

- Patch 1/8: smb3: rename encryption/decryption TFMs
Rename the encryption/decryption TFMs to more meaningful names.

- Patch 2/8: cifs: secmech: use shash_desc directly, remove sdesc
This patch removes the sdesc struct and uses the crypto API shash_desc directly
instead.  It's what the API uses anyway, so no need for a wrapper.

- Patch 3/8: cifs: allocate ephemeral secmechs only on demand
Remove the ephemeral, single-use TFMs from cifs_secmech, and allocate/free them
only when they're used (on session setup), making the only long lived TFMs the
signing and encrypting ones.

- Patch 4/8: cifs: create sign/verify secmechs, don't leave keys in memory
This patch goes further and completely removes the algorithm-specific TFMs from
cifs_secmech, and introduces `sign' and `verify' TFMs.  This removes the need to
allocate a new TFM on every signature verification.  Another added benefit is
that it's no longer necessary to keep the generated private keys in memory, as
they're set right after negprot and the TFMs will use the expanded version of
the keys internally.

- Patch 5/8: cifs: introduce AES-GMAC signing support for SMB 3.1.1
Several changes needed to be made in this patch, see the commit message/changes
for more details.

- Patch 6/8: cifs: deprecate 'enable_negotiate_signing' module param
- Patch 7/8: cifs: show signing algorithm name in DebugData
The above patches are pretty much the same as v2.

- Patch 8/8: cifs: use MAX_CIFS_SMALL_BUFFER_SIZE-8 as padding buffer
I hit a use-after-free on the crypto API when using AES-GMAC, with KASAN
enabled, and on a very specific test that used the smb2_padding array.  In
summary, KASAN was not happy with the stack-allocated array so this is the fix
that I ended up with (of all the several forms of fix that I implemented).

I welcome and expect all kinds of feedback and reviews.


Cheers,

Enzo

Enzo Matsumiya (8):
  smb3: rename encryption/decryption TFMs
  cifs: secmech: use shash_desc directly, remove sdesc
  cifs: allocate ephemeral secmechs only on demand
  cifs: create sign/verify secmechs, don't leave keys in memory
  cifs: introduce AES-GMAC signing support for SMB 3.1.1
  cifs: deprecate 'enable_negotiate_signing' module param
  cifs: show signing algorithm name in DebugData
  cifs: use MAX_CIFS_SMALL_BUFFER_SIZE-8 as padding buffer

 fs/cifs/cifs_debug.c    |   7 +-
 fs/cifs/cifsencrypt.c   | 157 ++++-------
 fs/cifs/cifsfs.c        |  14 +-
 fs/cifs/cifsglob.h      |  68 +++--
 fs/cifs/cifsproto.h     |   5 +-
 fs/cifs/link.c          |  13 +-
 fs/cifs/misc.c          |  49 ++--
 fs/cifs/sess.c          |  12 -
 fs/cifs/smb1ops.c       |   6 +
 fs/cifs/smb2glob.h      |  10 +
 fs/cifs/smb2misc.c      |  29 +-
 fs/cifs/smb2ops.c       | 103 ++-----
 fs/cifs/smb2pdu.c       |  78 ++++--
 fs/cifs/smb2pdu.h       |   2 -
 fs/cifs/smb2proto.h     |  15 +-
 fs/cifs/smb2transport.c | 581 +++++++++++++++++++++-------------------
 16 files changed, 572 insertions(+), 577 deletions(-)