From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DD8D21A9F88 for ; Wed, 29 Apr 2026 08:34:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.175 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777451685; cv=none; b=OVbKTUkX4QwZuzsIhQCvX0I21/WIa1TcoDIiVTh04E518McpAKUyput8m95UVf8F1PwYruEeYOgDUyt5KqcyVgM9MqUfgJ75dQ4wfnHiyoWpuIDTMGZrvhq5vhavqykyBv5+pX6ovREjzj3mLstbnuxTrSvx9I1vuo8Hiv37dXk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777451685; c=relaxed/simple; bh=2BxllXHRUI29Rtj2KmHSh/SsqLbQkOJrSOUKabd1rLg=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=BAopMK35iuWwOFBLzhc6+dgDJs7w3urkeBtnfRupwuNlLou4FBVlMb9/My3DeQyEoKPnkuvIrg6jqNboUFMUuruYd29ykVCnJYebqwCbCNbkuqOWWG0QwHnoAklxBGEjA2aOfP6QBoku/rXZ48b9HY03T3qkg8l6upY67ctVl/k= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=l2H+7vTJ; arc=none smtp.client-ip=209.85.215.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="l2H+7vTJ" Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-c70e27e2b74so4652010a12.0 for ; Wed, 29 Apr 2026 01:34:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777451683; x=1778056483; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8JKWU7+oVtYnA2UgAwt+Mku6AWp9kXmwYjj/CQXNRjM=; b=l2H+7vTJ4CMdc+zir253WBGNW3daQGNXWAKYi+ML5qTud/W5Zwe16JzpB+gaYhM2AX LDqBT+cBHdLja5iIC47mbh+zKbNPParj91hi9vv6ixUkU8ScrS/5nGIbu8l9vJS/ZnK8 YXrqDjruAUfBG6tvbNcuENVzCZ4a2bETurBYmKt/0KR2D2ucfc7+eXruLyEv6mROLhHU ua4yZRh160fkiyjIWpvafM/U+uAYS/vZHsGCldge0aITVHDBWsiV6JkvUfm7RB5EUGlN lB71BpEAxGFOsU8tolBD5SMJh6zHQonXluWrAEq1Fto8yXjF+oukReMOrhfwb7Vdmiky 8e/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777451683; x=1778056483; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=8JKWU7+oVtYnA2UgAwt+Mku6AWp9kXmwYjj/CQXNRjM=; b=Bs1h5FaMQwFf6RbdeNwUEF6BYjkRoBHHTXPmoOgCNuf2OX6tew+buQFmitARJ6Gs6i D6+UNTXpOZQf5vG/C0nwd2YXDXesrLobIOEGG8A6QOjmHo7jxq39cj20zzwz0bAEsjSi ipouO0OjYsRwNGHU0x0HTnKVpLvsVTd0HaeB63TC6x8owKAIXmrWdgSvLOesiecnbqIh E7AspNcZXcClooOKg51viAneTJhx7Efw/AEOVdFjR9eqYuFz70aJgkVYgGahHRmVhBe2 VabvkovAJARUN7E/8rvZyvkYbFwj6DvuXrmRGhkjvKRMNlB28EWDpHufHJAs6WQhRKka jM9g== X-Forwarded-Encrypted: i=1; AFNElJ9NFhdIeYzl4Bo+0IQdUPq9xAUy208iVPaVjnxqK0ge1MPwe7SPerYfh9tpuC284isGP5xr8khjo4H2tlc=@vger.kernel.org X-Gm-Message-State: AOJu0Yxu1DXlE865tTrEim8K7ocZIog2LbXOsL8jEpmmMbHKeC9FXlUh KlrgAP+TkdFTais3tvb0P4Vzbmi3Y4N6M/mSHeAn8M6aRGIYi1PKLbnarnrYqQ== X-Gm-Gg: AeBDietkTqPnZpDRVJYIataGF5uk54Qez2/0HZSYW7HzEk5RrKBLeiWGf7pF9+YQLQv PMA9qRf5t9HwR6zOMJvRZcG6r4JDQS9210PlBbJZOJ5rnXH68bT+vLeoA9y8GycbsjL58iBZOP7 Yyl7pzsEhJl1PovPcMQ1fuSfQhC9kbflqF6xKNNSotFDmSXnxft32jLhgCG3r4w8bz7KhRF49k9 nEFFY4Khxmh6/arTxIdw/W77tkf/1KtLdadCX+PT3AnQ3aHUxU+9g1zFyEjhr7Nw4ozZjk9a68B 55GCBnBmN7e/zb2tgp+lAm88RZaLWxYOEJh1ihq3eUW9FMiP/9iK6w2iLCI7tyigJf+w6grIQ8/ EFQsl8kBGoXvwsUdQe6FXOqQLbcVGT/COnalYq6/kXowiqO/g/juqTm2N3/ZzGeIt/Sx21BYatC 6GETI+aSJSNxsAykatpLbTfLTUmstL2/Dg2JRevHlVUtegcWHM0w== X-Received: by 2002:a05:6a20:431e:b0:39b:c4cd:d848 with SMTP id adf61e73a8af0-3a39c0c3245mr7513204637.22.1777451683124; Wed, 29 Apr 2026 01:34:43 -0700 (PDT) Received: from localhost ([49.207.153.169]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c7fd606a079sm1299001a12.12.2026.04.29.01.34.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Apr 2026 01:34:42 -0700 (PDT) From: Piyush Sachdeva To: Bharath SM Cc: sfrench@samba.org, linux-cifs@vger.kernel.org, sprasad@microsoft.com, bharathsm@microsoft.com, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] smb: client: use FullSessionKey for AES-256 encryption key derivation In-Reply-To: References: <20260409161538.3618-1-s.piyush1024@gmail.com> Date: Wed, 29 Apr 2026 14:04:39 +0530 Message-ID: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Bharath SM writes: > On Thu, Apr 9, 2026 at 9:16=E2=80=AFAM wrote: >> >> From: Piyush Sachdeva >> >> When Kerberos authentication is used with AES-256 encryption (AES-256-CCM >> or AES-256-GCM), the SMB3 encryption and decryption keys must be derived >> using the full session key (Session.FullSessionKey) rather than just the >> first 16 bytes (Session.SessionKey). >> >> Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and >> Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey >> must be set to the full cryptographic key from the GSS authentication >> context. The encryption and decryption key derivation (SMBC2SCipherKey, >> SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The >> signing key derivation continues to use Session.SessionKey (first 16 >> bytes) in all cases. >> >> Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the >> HMAC-SHA256 key input length for all derivations. When Kerberos with >> AES-256 provides a 32-byte session key, the KDF for encryption/decryption >> was using only the first 16 bytes, producing keys that did not match the >> server's, causing mount failures with sec=3Dkrb5 and require_gcm_256=3D1. >> >> Add a `full_key_size` parameter to generate_key() and pass the appropria= te >> size from generate_smb3signingkey(): >> - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes) >> - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16 >> >> Also fix cifs_dump_full_key() to report the actual session key length for >> AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools >> like Wireshark receive the correct key for decryption. >> >> Signed-off-by: Piyush Sachdeva >> Signed-off-by: Piyush Sachdeva >> --- >> fs/smb/client/ioctl.c | 2 +- >> fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++------- >> 2 files changed, 26 insertions(+), 8 deletions(-) >> >> diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c >> index 9afab3237e54..17408bb8ab65 100644 >> --- a/fs/smb/client/ioctl.c >> +++ b/fs/smb/client/ioctl.c >> @@ -296,7 +296,7 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon= , struct smb3_full_key_debug >> break; >> case SMB2_ENCRYPTION_AES256_CCM: >> case SMB2_ENCRYPTION_AES256_GCM: >> - out.session_key_length =3D CIFS_SESS_KEY_SIZE; >> + out.session_key_length =3D ses->auth_key.len; >> out.server_in_key_length =3D out.server_out_key_length = =3D SMB3_GCM256_CRYPTKEY_SIZE; >> break; >> default: >> diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport= .c >> index 81be2b226e26..57e515774b97 100644 >> --- a/fs/smb/client/smb2transport.c >> +++ b/fs/smb/client/smb2transport.c >> @@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TC= P_Server_Info *server, >> } >> >> static int generate_key(struct cifs_ses *ses, struct kvec label, >> - struct kvec context, __u8 *key, unsigned int key= _size) >> + struct kvec context, __u8 *key, unsigned int key= _size, >> + unsigned int full_key_size) >> { >> unsigned char zero =3D 0x0; >> __u8 i[4] =3D {0, 0, 0, 1}; >> @@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses *ses, struct= kvec label, >> } >> >> hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response, >> - SMB2_NTLMV2_SESSKEY_SIZE); >> + full_key_size); >> hmac_sha256_update(&hmac_ctx, i, 4); >> hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len); >> hmac_sha256_update(&hmac_ctx, &zero, 1); >> @@ -315,6 +316,7 @@ generate_smb3signingkey(struct cifs_ses *ses, >> const struct derivation_triplet *ptriplet) >> { >> int rc; >> + unsigned int full_key_size; >> bool is_binding =3D false; >> int chan_index =3D 0; >> >> @@ -344,18 +346,32 @@ generate_smb3signingkey(struct cifs_ses *ses, >> * master connection signing key stored in the session >> */ >> >> + /* >> + * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.Sessio= nKey >> + * (first 16 bytes). Encryption/decryption keys use >> + * Session.FullSessionKey when dialect is 3.1.1 and cipher is >> + * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey. >> + */ > If this change is specific to 3.1.1 should we check for version as > this looks like a common function for SMB 3.? > >> if (is_binding) { >> rc =3D generate_key(ses, ptriplet->signing.label, >> ptriplet->signing.context, >> ses->chans[chan_index].signkey, >> - SMB3_SIGN_KEY_SIZE); >> + SMB3_SIGN_KEY_SIZE, >> + SMB2_NTLMV2_SESSKEY_SIZE); >> if (rc) >> return rc; >> } else { >> + if (server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_CC= M || >> + server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_GC= M) >> + full_key_size =3D ses->auth_key.len; > Should we validate the length passed by user space and make sure it is > within limits.? > >> + else >> + full_key_size =3D SMB2_NTLMV2_SESSKEY_SIZE; > Should we move the above assignment down ? As this change is > needed only for encryption and decryption and not for signing. > >> rc =3D generate_key(ses, ptriplet->signing.label, >> ptriplet->signing.context, >> ses->smb3signingkey, >> - SMB3_SIGN_KEY_SIZE); >> + SMB3_SIGN_KEY_SIZE, >> + SMB2_NTLMV2_SESSKEY_SIZE); >> if (rc) >> return rc; >> >> @@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses *ses, >> rc =3D generate_key(ses, ptriplet->encryption.label, >> ptriplet->encryption.context, >> ses->smb3encryptionkey, >> - SMB3_ENC_DEC_KEY_SIZE); >> + SMB3_ENC_DEC_KEY_SIZE, >> + full_key_size); >> if (rc) >> return rc; >> rc =3D generate_key(ses, ptriplet->decryption.label, >> ptriplet->decryption.context, >> ses->smb3decryptionkey, >> - SMB3_ENC_DEC_KEY_SIZE); >> + SMB3_ENC_DEC_KEY_SIZE, >> + full_key_size); >> if (rc) >> return rc; >> } >> @@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses *ses, >> &ses->Suid); >> cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type); >> cifs_dbg(VFS, "Session Key %*ph\n", >> - SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response); >> + ses->auth_key.len, ses->auth_key.response); >> cifs_dbg(VFS, "Signing Key %*ph\n", >> SMB3_SIGN_KEY_SIZE, ses->smb3signingkey); >> if ((server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_CCM) || >> -- > > Other than the above comments, Patch looks good to me. Hey Bharath, Thanks for the comments. I will prepare a V2 with the recommended changes, and post the updated patch. -- Best, Piyush