From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B171533B6E3 for ; Thu, 9 Apr 2026 16:16:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775751369; cv=none; b=NAkNQ77j0Vghty9hfCutQAwIxbpoQht3smaCwyqp9MdyRCPWbQZGmeIrn9sGt2dT9j0s4/qTVD+9/bl0F+LLzpiY/W5A2RtBkFvujBJ00xSEKl63yqB12HnblEZrjTh4/CMJwzh6e7Wo457z3DeaqWEbKATZfud72IAQuuhpAnw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775751369; c=relaxed/simple; bh=Hu9T+FLiNPkkFUO5IdCVNWDzsGDI4Mfr231GXxbmBYs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=jrshXKWSWqa82LTra0+pY1RiSk3S2tOQAO+RPgTQAPEbyiiN9++VbfYhb77zbIj9wU6rkie7M5sl5xvUmkIeYSbLVGbbA1hxk+aeDPtOGzREi4Z9GHDH+3NzEjYevMqVGGrYtsYAZf9qcGiV9SfEN80xngT0UUF2nCEcFC4mPmI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=cGB2vIqG; arc=none smtp.client-ip=209.85.215.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="cGB2vIqG" Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-c766a95a72dso768272a12.1 for ; Thu, 09 Apr 2026 09:16:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775751365; x=1776356165; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Q79DNyAnlCXZAwn0OoLPtqbdLttcixAaHmbbuH/DNfE=; b=cGB2vIqGReV1GhdyrSP9WgXPxOp+qnA3Sm2zy2oGUnzpwc1/NgSkvKY9Ny2TTqQ2nK voyym1w4Tu1nvk3SyEE/baSLD3Z8cZuOJ9NoiMk6or0wRQ06h3WOKausvEAKjBiKEbaF HDIzoj3mWrws0iKljiBGWKmgh/9YtGx+XM3C0HkQhiwJo5rkNvQH0AgO2KH8E1/H7fcw ItRNs9tphyeT822Qlw5u47/NdypqTX61bsOj5nZ+Jl4yxj18UMYPMzVkZmeD4lit8Ocv HGYdaE0BB5yBMDliyE7yaLnfuxRSsKIePi+ACpmfM89mrfDSxc2APWzbXtE/YzsxkEg+ WTfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775751365; x=1776356165; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Q79DNyAnlCXZAwn0OoLPtqbdLttcixAaHmbbuH/DNfE=; b=UT9FW5h0+iD9wPutxaob9yQagUQiPcqYSd5RIy78p09AEk5fjK78XvParwy7xaE6QG DwJeHBbH+TVv3KUMEaaMWZ4I3Xs9RT+O+KU1IkhYbXo/iYlihmlBXnH6etDlq5Scz6DC V0k7NVU0yjCsVyHKVtewgKm6I63MKSZsIx8d6J+yR2CgQG2Z2YsgEUFnuvg2RXfZy59v e8eXfQgkpvupW07RnurnE34qSZCGe/LCXttahJRWHLAo6thIxAUrIQx7WjJ8xE8JZD7Y +NHiJsMP5hMp8gzyMaKXZ62gTL9cTFt9xpZaw90fIGnYbq1mb/7l+RcbDCyjaZi0Ly1D 9gZg== X-Forwarded-Encrypted: i=1; AJvYcCUG0QIsj/8/kEZZGNCl7mGt2JPdu9VTMxRrpVSDdU3VyGTGsNIRpBHYMUQGiPcT4iq6+QNZuhgKtXWZiqM=@vger.kernel.org X-Gm-Message-State: AOJu0Yz04ivh7o6fiEqC/TC228kqpjZ7vzC+zPH4Df6R93ob9HnoIm3W kxsrSeIVysxDoDVylFEOg2tS4reU2uyK2lzgFuP9U5mq7zBNM10+u57R X-Gm-Gg: AeBDieubPetqDAhjUPRsfY4X+BcsAXK9/6mdmalgBnIf9rNPxrAlR7lD3FWR2oxNU5/ xC2zeNorZVO4h2gznsihF+zcvajQ/TQSKIEf7wZF9o8hkuzcf/fLX03cShUswSHYLhUX6rFaA05 6QupJ6+UxLlrtnmitYXFa8E9Hh0iQj25WJX3fFnPVh18a+ZK//z4AQIf6ESdn2Ln+E0L+jq2LzH HS+6y1LHg04htSOtqfhHv3UXN5S1bU/xUYzB93kmjFQY1tzlBs6bfLFx34tfb7CcFxTZ8nU9KZd Zyo41Iwi+UvQa4LhE5JIY8e87aDTo0lW7/7lY2opgfYcc40a6EKkwnLdMCfwXjaNuZYp5K7et7X uRftm9YioFKdsiASp2N+VtpK/us0nLTdG+5uUWQqVkx44fpy6/kqfCl31EGzv1TUvVNxxXwGKUY 6c9FStB5uGiH8viGlbgP+B5TcEr8ikefVKyPyuuY0= X-Received: by 2002:a05:6a20:158c:b0:398:a1ca:7a22 with SMTP id adf61e73a8af0-39f2f11afa7mr27980929637.54.1775751364647; Thu, 09 Apr 2026 09:16:04 -0700 (PDT) Received: from localhost ([49.207.153.169]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c76cffd9611sm19263937a12.17.2026.04.09.09.16.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 09:16:04 -0700 (PDT) From: s.piyush1024@gmail.com To: sfrench@samba.org, linux-cifs@vger.kernel.org Cc: sprasad@microsoft.com, bharathsm@microsoft.com, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org Subject: [PATCH] smb: client: use FullSessionKey for AES-256 encryption key derivation Date: Thu, 9 Apr 2026 21:45:32 +0530 Message-ID: <20260409161538.3618-1-s.piyush1024@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Piyush Sachdeva When Kerberos authentication is used with AES-256 encryption (AES-256-CCM or AES-256-GCM), the SMB3 encryption and decryption keys must be derived using the full session key (Session.FullSessionKey) rather than just the first 16 bytes (Session.SessionKey). Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey must be set to the full cryptographic key from the GSS authentication context. The encryption and decryption key derivation (SMBC2SCipherKey, SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The signing key derivation continues to use Session.SessionKey (first 16 bytes) in all cases. Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the HMAC-SHA256 key input length for all derivations. When Kerberos with AES-256 provides a 32-byte session key, the KDF for encryption/decryption was using only the first 16 bytes, producing keys that did not match the server's, causing mount failures with sec=krb5 and require_gcm_256=1. Add a `full_key_size` parameter to generate_key() and pass the appropriate size from generate_smb3signingkey(): - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes) - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16 Also fix cifs_dump_full_key() to report the actual session key length for AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools like Wireshark receive the correct key for decryption. Signed-off-by: Piyush Sachdeva Signed-off-by: Piyush Sachdeva --- fs/smb/client/ioctl.c | 2 +- fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c index 9afab3237e54..17408bb8ab65 100644 --- a/fs/smb/client/ioctl.c +++ b/fs/smb/client/ioctl.c @@ -296,7 +296,7 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug break; case SMB2_ENCRYPTION_AES256_CCM: case SMB2_ENCRYPTION_AES256_GCM: - out.session_key_length = CIFS_SESS_KEY_SIZE; + out.session_key_length = ses->auth_key.len; out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE; break; default: diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c index 81be2b226e26..57e515774b97 100644 --- a/fs/smb/client/smb2transport.c +++ b/fs/smb/client/smb2transport.c @@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server, } static int generate_key(struct cifs_ses *ses, struct kvec label, - struct kvec context, __u8 *key, unsigned int key_size) + struct kvec context, __u8 *key, unsigned int key_size, + unsigned int full_key_size) { unsigned char zero = 0x0; __u8 i[4] = {0, 0, 0, 1}; @@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses *ses, struct kvec label, } hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response, - SMB2_NTLMV2_SESSKEY_SIZE); + full_key_size); hmac_sha256_update(&hmac_ctx, i, 4); hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len); hmac_sha256_update(&hmac_ctx, &zero, 1); @@ -315,6 +316,7 @@ generate_smb3signingkey(struct cifs_ses *ses, const struct derivation_triplet *ptriplet) { int rc; + unsigned int full_key_size; bool is_binding = false; int chan_index = 0; @@ -344,18 +346,32 @@ generate_smb3signingkey(struct cifs_ses *ses, * master connection signing key stored in the session */ + /* + * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey + * (first 16 bytes). Encryption/decryption keys use + * Session.FullSessionKey when dialect is 3.1.1 and cipher is + * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey. + */ if (is_binding) { rc = generate_key(ses, ptriplet->signing.label, ptriplet->signing.context, ses->chans[chan_index].signkey, - SMB3_SIGN_KEY_SIZE); + SMB3_SIGN_KEY_SIZE, + SMB2_NTLMV2_SESSKEY_SIZE); if (rc) return rc; } else { + if (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM || + server->cipher_type == SMB2_ENCRYPTION_AES256_GCM) + full_key_size = ses->auth_key.len; + else + full_key_size = SMB2_NTLMV2_SESSKEY_SIZE; + rc = generate_key(ses, ptriplet->signing.label, ptriplet->signing.context, ses->smb3signingkey, - SMB3_SIGN_KEY_SIZE); + SMB3_SIGN_KEY_SIZE, + SMB2_NTLMV2_SESSKEY_SIZE); if (rc) return rc; @@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses *ses, rc = generate_key(ses, ptriplet->encryption.label, ptriplet->encryption.context, ses->smb3encryptionkey, - SMB3_ENC_DEC_KEY_SIZE); + SMB3_ENC_DEC_KEY_SIZE, + full_key_size); if (rc) return rc; rc = generate_key(ses, ptriplet->decryption.label, ptriplet->decryption.context, ses->smb3decryptionkey, - SMB3_ENC_DEC_KEY_SIZE); + SMB3_ENC_DEC_KEY_SIZE, + full_key_size); if (rc) return rc; } @@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses *ses, &ses->Suid); cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type); cifs_dbg(VFS, "Session Key %*ph\n", - SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response); + ses->auth_key.len, ses->auth_key.response); cifs_dbg(VFS, "Signing Key %*ph\n", SMB3_SIGN_KEY_SIZE, ses->smb3signingkey); if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || -- 2.53.0