Commit 511ac89e authored by Steve French's avatar Steve French
Browse files

smb3.1.1: print warning if server does not support requested encryption type 



If server does not support AES-256-GCM and it was required on mount, print
warning message. Also log and return a different error message (EOPNOTSUPP)
when encryption mechanism is not supported vs the case when an unknown
unrequested encryption mechanism could be returned (EINVAL).

Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
parent 29e27923

fs/cifs/smb2pdu.c

+13 −2
Original line number Diff line number Diff line
@@ -610,8 +610,19 @@ static int decode_encrypt_ctx(struct TCP_Server_Info *server, 
		return -EINVAL;

	}

	cifs_dbg(FYI, "SMB311 cipher type:%d\n", le16_to_cpu(ctxt->Ciphers[0]));

	if ((ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES128_CCM) &&

	    (ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES128_GCM)) {

	if (require_gcm_256) {

		if (ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES256_GCM) {

			cifs_dbg(VFS, "Server does not support requested encryption type (AES256 GCM)\n");

			return -EOPNOTSUPP;

		}

	} else if (ctxt->Ciphers[0] == 0) {

		/* e.g. if server only supported AES256_CCM (very unlikely) */

		cifs_dbg(VFS, "Server does not support requested encryption types\n");

		return -EOPNOTSUPP;

	} else if ((ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES128_CCM) &&

		   (ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES128_GCM) &&

		   (ctxt->Ciphers[0] != SMB2_ENCRYPTION_AES256_GCM)) {

		/* server returned a cipher we didn't ask for */

		pr_warn_once("Invalid SMB3.11 cipher returned\n");

		return -EINVAL;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE