smb3.1.1: add new module load parm require_gcm_256

BugLink: https://bugs.launchpad.net/bugs/1921916
Add new module load parameter require_gcm_256. If set, then only
request AES-256-GCM (strongest encryption type).

Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit fbfd0b46afa9a8b50a061b0f28204fc94c7bddcf)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 41b3c5fc958c7a40e107c0249e2fd890a8bc0ef8..f556f9257fe966a34504cbbac900ceb90fddfa1f 100644 (file)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -71,6 +71,7 @@ bool enable_oplocks = true;
 bool linuxExtEnabled = true;
 bool lookupCacheEnabled = true;
 bool disable_legacy_dialects; /* false by default */
+bool require_gcm_256; /* false by default */
 unsigned int global_secflags = CIFSSEC_DEF;
 /* unsigned int ntlmv2_support = 0; */
 unsigned int sign_CIFS_PDUs = 1;
@@ -104,6 +105,9 @@ MODULE_PARM_DESC(slow_rsp_threshold, "Amount of time (in seconds) to wait "
 module_param(enable_oplocks, bool, 0644);
 MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
 
+module_param(require_gcm_256, bool, 0644);
+MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
+
 module_param(disable_legacy_dialects, bool, 0644);
 MODULE_PARM_DESC(disable_legacy_dialects, "To improve security it may be "
                                  "helpful to restrict the ability to "

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index ef1e72c0a91b6785c89b34286f739496ce9d529b..a9f46c58488265b84344bb5561946d9e91157868 100644 (file)
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1902,6 +1902,7 @@ extern bool lookupCacheEnabled;
 extern unsigned int global_secflags;   /* if on, session setup sent
                                with more secure ntlmssp2 challenge/resp */
 extern unsigned int sign_CIFS_PDUs;  /* enable smb packet signing */
+extern bool require_gcm_256; /* require use of strongest signing (aes-gcm-256) */
 extern bool linuxExtEnabled;/*enable Linux/Unix CIFS extensions*/
 extern unsigned int CIFSMaxBufSize;  /* max size not including hdr */
 extern unsigned int cifs_min_rcv;    /* min size of big ntwrk buf pool */

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 0eaef40bf1a45d029e94ce65c4920d49670570a3..9a29de8ab8b404194a1eb6d88cb0dcda885e8f7c 100644 (file)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -512,10 +512,16 @@ static void
 build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)
 {
        pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
-       pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + two ciphers */
-       pneg_ctxt->CipherCount = cpu_to_le16(2);
-       pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
-       pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
+       if (require_gcm_256) {
+               pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + 1 cipher */
+               pneg_ctxt->CipherCount = cpu_to_le16(1);
+               pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES256_GCM;
+       } else {
+               pneg_ctxt->DataLength = cpu_to_le16(6); /* Cipher Count + 2 ciphers */
+               pneg_ctxt->CipherCount = cpu_to_le16(2);
+               pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
+               pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
+       }
 }
 
 static unsigned int