From patchwork Sun May 2 21:00:36 2021
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1472896
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [Groovy][PATCH 3/7] smb3.1.1: add new module load parm enable_gcm_256
Date: Sun, 2 May 2021 15:00:36 -0600
Message-Id: <20210502210040.18628-11-tim.gardner@canonical.com>
In-Reply-To: <20210502210040.18628-1-tim.gardner@canonical.com>
References: <20210502210040.18628-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions
From: Steve French

BugLink: https://bugs.launchpad.net/bugs/1921916

Add new module load parameter enable_gcm_256. If set, then add AES-256-GCM (strongest encryption type) to the list of encryption types requested. Put it in the list as the second choice (since AES-128-GCM is faster and much more broadly supported by SMB3 servers).

To make this stronger encryption type, GCM-256, required (the first and only choice), you would use module parameter "require_gcm_256."

Reviewed-by: Ronnie Sahlberg
Signed-off-by: Steve French
(cherry picked from commit 29e279230413cdd5e00fb5d269cae1099184ab85)
Signed-off-by: Tim Gardner
--- fs/cifs/cifsfs.c | 4 ++++ fs/cifs/cifsglob.h | 1 + fs/cifs/smb2pdu.c | 6 ++++++ fs/cifs/smb2pdu.h | 5 +++-- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 462dbbd17c5f..472cb7777e3e 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -71,6 +71,7 @@ bool enable_oplocks = true; bool linuxExtEnabled = true; bool lookupCacheEnabled = true; bool disable_legacy_dialects; /* false by default */ +bool enable_gcm_256; /* false by default, change when more servers support it */ bool require_gcm_256; /* false by default */ unsigned int global_secflags = CIFSSEC_DEF; /* unsigned int ntlmv2_support = 0; */ @@ -105,6 +106,9 @@ MODULE_PARM_DESC(slow_rsp_threshold, "Amount of time (in seconds) to wait " module_param(enable_oplocks, bool, 0644); MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); +module_param(enable_gcm_256, bool, 0644); +MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0"); + module_param(require_gcm_256, bool, 0644); MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 620f98f242ee..7e57be185b3d 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -1956,6 +1956,7 @@ extern bool lookupCacheEnabled; extern unsigned int global_secflags; /* if on, session setup sent with more secure ntlmssp2 challenge/resp */ extern unsigned int sign_CIFS_PDUs; /* enable smb packet signing */ +extern bool enable_gcm_256; /* allow optional negotiate of strongest signing (aes-gcm-256) */ extern bool require_gcm_256; /* require use of strongest signing (aes-gcm-256) */ extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/ extern unsigned int CIFSMaxBufSize; /* max size not including hdr */ diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 792839ef2b21..33491227cf85 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -564,6 +564,12 @@ build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt) pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + 1 cipher */ pneg_ctxt->CipherCount = cpu_to_le16(1); pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES256_GCM; + } else if (enable_gcm_256) { + pneg_ctxt->DataLength = cpu_to_le16(8); /* Cipher Count + 3 ciphers */ + pneg_ctxt->CipherCount = cpu_to_le16(3); + pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM; + pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES256_GCM; + pneg_ctxt->Ciphers[2] = SMB2_ENCRYPTION_AES128_CCM; } else { pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + 2 ciphers */ pneg_ctxt->CipherCount = cpu_to_le16(2); diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index aa7ebb4b6a37..cc19c5063320 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h @@ -342,8 +342,9 @@ struct smb2_encryption_neg_context { __le16 ContextType; /* 2 */ __le16 DataLength; __le32 Reserved; - __le16 CipherCount; /* AES-128-GCM and AES-128-CCM */ - __le16 Ciphers[2]; + /* CipherCount usally 2, but can be 3 when AES256-GCM enabled */ + __le16 CipherCount; /* AES128-GCM and AES128-CCM by default */ + __le16 Ciphers[3]; } __packed; /* See MS-SMB2 2.2.3.1.3 */
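Review bot: the MODULE_PARM_DESC added in the second fs/cifs/cifsfs.c hunk (@@ -105,6 +106,9 @@) does not say how enable_gcm_256 interacts with require_gcm_256 or where GCM-256 lands in the offered list. In build_encrypt_ctxt() (the fs/cifs/smb2pdu.c hunk) the require_gcm_256 branch is tested first, so enable_gcm_256 is silently ignored whenever require_gcm_256 is set, and when it does apply AES-256-GCM is only the second choice behind AES-128-GCM. Suggest spelling that out so an administrator does not read "Enable requesting strongest (256 bit) GCM encryption" as "prefer 256-bit", e.g. MODULE_PARM_DESC(enable_gcm_256, "Also offer strongest (256 bit) GCM encryption, after AES-128-GCM; ignored when require_gcm_256 is set. Default: n/N/0");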
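Review bot: the new comment in the fs/cifs/cifsglob.h hunk (@@ -1956,6 +1956,7 @@) describes enable_gcm_256 as negotiating "strongest signing (aes-gcm-256)", but the parameter selects the encryption cipher placed in the SMB2 encryption negotiate context (build_encrypt_ctxt() fills struct smb2_encryption_neg_context, and the cifsfs.c MODULE_PARM_DESC in this same patch correctly says "GCM encryption"). Suggest /* allow optional negotiate of strongest encryption (aes-gcm-256) */; the pre-existing require_gcm_256 comment on the following context line has the same slip and could be fixed while here.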
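Review bot: in the fs/cifs/smb2pdu.c hunk (@@ -564,6 +564,12 @@) DataLength and CipherCount are both hand-written literals (8 and 3 here, 4/1 and 6/2 in the neighbouring branches), so the two can drift apart if another cipher is added later; deriving DataLength from the count, e.g. pneg_ctxt->DataLength = cpu_to_le16(2 + 3 * sizeof(__le16)); or a small helper shared by the three branches, would keep them consistent. The arithmetic as written is correct (2-byte CipherCount plus three 2-byte ciphers), and the write to Ciphers[2] is only in bounds because the fs/cifs/smb2pdu.h hunk in this same patch grows the array to three entries, so the two hunks must not be split if the patch is ever reduced. Note also that, because AES-128-GCM stays first, a server that honours the client's order and supports both will still pick AES-128-GCM; that is consistent with the commit message's "second choice", but it is the behaviour an operator enabling this parameter needs to understand.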
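Review bot: typo in the new comment of the fs/cifs/smb2pdu.h hunk (@@ -342,8 +342,9 @@): "usally" should be "usually". Separately, widening Ciphers[2] to Ciphers[3] grows sizeof(struct smb2_encryption_neg_context) from 12 to 14 bytes while DataLength is still set per branch (4, 6 or 8); whoever copies this struct into the negotiate request should therefore size the on-wire context from DataLength (or the rounded sizeof, if that is what it already uses) rather than assuming the array is fully populated, otherwise the default and require_gcm_256 cases now carry an unused trailing slot. Worth a one-line comment here stating that only CipherCount entries are valid.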
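The commit message describes the cipher list each parameter produces but not what a server makes of it. The program below is an added example written for this page, not code from the patch or from the cifs module. It mirrors the three branches of build_encrypt_ctxt() in wire order for the SMB2_ENCRYPTION_CAPABILITIES context (cipher ids 0x0001 AES-128-CCM, 0x0002 AES-128-GCM, 0x0004 AES-256-GCM and context type 0x0002 are the MS-SMB2 2.2.3.1.2 values), then adds an assumed server that validates the context's lengths and picks the first cipher in the client's order it supports. The SERVER_* capability masks, the struct client_policy type and the selection rule are constructed for the demonstration; real servers may order differently.

```c
/* Added example, not code from the patch or the cifs module: a userspace model of the
 * SMB2_ENCRYPTION_CAPABILITIES negotiate context that build_encrypt_ctxt() fills in, and
 * an assumed server-side selection rule.  Build: cc -std=c99 -Wall -o negctx negctx.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cipher ids and context type from MS-SMB2 2.2.3.1.2. */
#define SMB2_ENCRYPTION_AES128_CCM   0x0001
#define SMB2_ENCRYPTION_AES128_GCM   0x0002
#define SMB2_ENCRYPTION_AES256_GCM   0x0004
#define SMB2_ENCRYPTION_CAPABILITIES 0x0002
/* Constructed server capability masks for the demo: bit n set = cipher id n supported. */
#define SERVER_128_ONLY    ((1u << SMB2_ENCRYPTION_AES128_GCM) | (1u << SMB2_ENCRYPTION_AES128_CCM))
#define SERVER_128_AND_256 (SERVER_128_ONLY | (1u << SMB2_ENCRYPTION_AES256_GCM))
#define SERVER_256_ONLY    (1u << SMB2_ENCRYPTION_AES256_GCM)

struct client_policy { bool require_gcm_256; bool enable_gcm_256; }; /* the two module parms */

static void put_le16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); }
static uint16_t get_le16(const uint8_t *b) { return (uint16_t)(b[0] | (b[1] << 8)); }

/* Client side: the three branches of build_encrypt_ctxt() after the patch (require_ wins),
 * written straight in wire order: ContextType, DataLength, Reserved(4), CipherCount, Ciphers[].
 * Only CipherCount entries are emitted, so an unused third slot never reaches the wire. */
static size_t build_encrypt_ctxt(const struct client_policy *p, uint8_t *buf)
{
	uint16_t ciphers[3], n;
	if (p->require_gcm_256) {                /* GCM-256 as first and only choice */
		n = 1;
		ciphers[0] = SMB2_ENCRYPTION_AES256_GCM;
	} else if (p->enable_gcm_256) {          /* GCM-256 offered as second choice */
		n = 3;
		ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
		ciphers[1] = SMB2_ENCRYPTION_AES256_GCM;
		ciphers[2] = SMB2_ENCRYPTION_AES128_CCM;
	} else {                                 /* default pair */
		n = 2;
		ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
		ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
	}
	put_le16(buf, SMB2_ENCRYPTION_CAPABILITIES);
	put_le16(buf + 2, (uint16_t)(2 + 2 * n));   /* DataLength: 4, 8 or 6, as in the hunk */
	memset(buf + 4, 0, 4);                        /* Reserved */
	put_le16(buf + 8, n);                         /* CipherCount */
	for (uint16_t i = 0; i < n; i++)
		put_le16(buf + 10 + 2 * i, ciphers[i]);
	return 10 + 2 * (size_t)n;                    /* total context bytes = 8 + DataLength */
}

/* Server side, assumed rule: first cipher in the client's order that the server supports.
 * Returns 0 for a malformed context or no common cipher (encryption then fails to negotiate). */
static uint16_t server_select_cipher(const uint8_t *buf, size_t len, unsigned supported_mask)
{
	if (len < 10 || get_le16(buf) != SMB2_ENCRYPTION_CAPABILITIES)
		return 0;
	uint16_t data_length = get_le16(buf + 2), count = get_le16(buf + 8);
	if (data_length != 2 + 2u * count || 8 + (size_t)data_length > len) /* length consistency */
		return 0;
	for (uint16_t i = 0; i < count; i++) {
		uint16_t id = get_le16(buf + 10 + 2 * i);
		if (id >= 1 && id <= 4 && (supported_mask & (1u << id)))
			return id;
	}
	return 0;
}

/* Client policy + server capabilities -> negotiated cipher id (0 = none). */
static uint16_t negotiate(struct client_policy p, unsigned server_mask)
{
	uint8_t wire[16];
	size_t n = build_encrypt_ctxt(&p, wire);
	return server_select_cipher(wire, n, server_mask);
}

/* Constructed malformed context: CipherCount claims 3 but DataLength (6) covers only 2. */
static bool rejects_inconsistent_lengths(void)
{
	const uint8_t bad[14] = { 0x02, 0, 0x06, 0, 0, 0, 0, 0, 0x03, 0, 0x02, 0, 0x04, 0 };
	return server_select_cipher(bad, sizeof(bad), SERVER_128_AND_256) == 0;
}

int main(void)
{
	const struct client_policy pol[] = { {false, false}, {false, true}, {true, false} };
	const char *const pname[] = { "default", "enable_gcm_256", "require_gcm_256" };
	const unsigned srv[] = { SERVER_128_ONLY, SERVER_128_AND_256, SERVER_256_ONLY };
	for (size_t i = 0; i < 3; i++)
		for (size_t j = 0; j < 3; j++)   /* cipher id 2 = AES-128-GCM, 4 = AES-256-GCM, 0 = none */
			printf("%-16s vs server mask 0x%02x -> cipher id %u\n", pname[i], srv[j],
			       (unsigned)negotiate(pol[i], srv[j]));
	return 0;
}
```

Run against the three constructed servers, enable_gcm_256 only yields AES-256-GCM when the server does not offer AES-128-GCM; against a server with both, the first-listed AES-128-GCM still wins, and only require_gcm_256 forces the 256-bit cipher (at the cost of failing against servers that lack it). Both parameters are registered with mode 0644, so root can toggle them at runtime through /sys/module/cifs/parameters/enable_gcm_256 and /sys/module/cifs/parameters/require_gcm_256, or persistently with an options line under /etc/modprobe.d; the list is built when a new connection's NEGOTIATE request is assembled, so connections already established keep whatever cipher they negotiated.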