Commit fbfd0b46 authored by Steve French's avatar Steve French
Browse files

smb3.1.1: add new module load parm require_gcm_256 



Add new module load parameter require_gcm_256. If set, then only
request AES-256-GCM (strongest encryption type).

Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 330857a5

fs/cifs/cifsfs.c

+4 −0
Original line number Diff line number Diff line
@@ -71,6 +71,7 @@ bool enable_oplocks = true; 
bool linuxExtEnabled = true;

bool lookupCacheEnabled = true;

bool disable_legacy_dialects; /* false by default */

bool require_gcm_256; /* false by default */

unsigned int global_secflags = CIFSSEC_DEF;

/* unsigned int ntlmv2_support = 0; */

unsigned int sign_CIFS_PDUs = 1;
@@ -104,6 +105,9 @@ MODULE_PARM_DESC(slow_rsp_threshold, "Amount of time (in seconds) to wait " 
module_param(enable_oplocks, bool, 0644);

MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");



module_param(require_gcm_256, bool, 0644);

MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");



module_param(disable_legacy_dialects, bool, 0644);

MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be "

				  "helpful to restrict the ability to "

fs/cifs/cifsglob.h

+1 −0
Original line number Diff line number Diff line
@@ -1956,6 +1956,7 @@ extern bool lookupCacheEnabled; 
extern unsigned int global_secflags;	/* if on, session setup sent

				with more secure ntlmssp2 challenge/resp */

extern unsigned int sign_CIFS_PDUs;  /* enable smb packet signing */

extern bool require_gcm_256; /* require use of strongest signing (aes-gcm-256) */

extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/

extern unsigned int CIFSMaxBufSize;  /* max size not including hdr */

extern unsigned int cifs_min_rcv;    /* min size of big ntwrk buf pool */

fs/cifs/smb2pdu.c

+10 −4
Original line number Diff line number Diff line
@@ -449,11 +449,17 @@ static void 
build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)

{

	pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;

	pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + two ciphers */

	if (require_gcm_256) {

		pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + 1 cipher */

		pneg_ctxt->CipherCount = cpu_to_le16(1);

		pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES256_GCM;

	} else {

		pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + 2 ciphers */

		pneg_ctxt->CipherCount = cpu_to_le16(2);

		pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;

		pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;

	}

}



static unsigned int

build_netname_ctxt(struct smb2_netname_neg_context *pneg_ctxt, char *hostname)

CRA Git | Maintained and supported by SUSTech CRA and CCSE