]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
smb: client: Use FullSessionKey for AES-256 encryption key derivation
authorPiyush Sachdeva <s.piyush1024@gmail.com>
Sun, 17 May 2026 13:51:43 +0000 (09:51 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2026 11:03:34 +0000 (13:03 +0200)
[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]

When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).

Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.

Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the
server's, causing mount failures with sec=krb5 and require_gcm_256=1.

Add a full_key_size parameter to generate_key() and pass the appropriate
size from generate_smb3signingkey():
 - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
 - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16

Also fix cifs_dump_full_key() to report the actual session key length for
AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
like Wireshark receive the correct key for decryption.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ adapted upstream's void/hmac_sha256_init_usingrawkey-based generate_key() to 6.12's int-return crypto_shash_* form while threading full_key_size through all callers. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/client/ioctl.c
fs/smb/client/smb2transport.c

index 855ac5a62edfaa50215cfed46e361dcb79f0c8fc..8ea532cdc4302b8b9e14d98d2fab3b6dd9616f91 100644 (file)
@@ -280,7 +280,7 @@ search_end:
                break;
        case SMB2_ENCRYPTION_AES256_CCM:
        case SMB2_ENCRYPTION_AES256_GCM:
-               out.session_key_length = CIFS_SESS_KEY_SIZE;
+               out.session_key_length = ses->auth_key.len;
                out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
                break;
        default:
index daf8ba2cd8a100d6d4b113525c945cc27ab4240c..63907fb245e9a3803f893abd6919a6d97c553e66 100644 (file)
@@ -334,7 +334,8 @@ out:
 }
 
 static int generate_key(struct cifs_ses *ses, struct kvec label,
-                       struct kvec context, __u8 *key, unsigned int key_size)
+                       struct kvec context, __u8 *key, unsigned int key_size,
+                       unsigned int full_key_size)
 {
        unsigned char zero = 0x0;
        __u8 i[4] = {0, 0, 0, 1};
@@ -355,7 +356,7 @@ static int generate_key(struct cifs_ses *ses, struct kvec label,
        }
 
        rc = crypto_shash_setkey(server->secmech.hmacsha256->tfm,
-               ses->auth_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
+               ses->auth_key.response, full_key_size);
        if (rc) {
                cifs_server_dbg(VFS, "%s: Could not set with session key\n", __func__);
                goto smb3signkey_ret;
@@ -430,6 +431,7 @@ generate_smb3signingkey(struct cifs_ses *ses,
                        struct TCP_Server_Info *server,
                        const struct derivation_triplet *ptriplet)
 {
+       unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
        int rc;
        bool is_binding = false;
        int chan_index = 0;
@@ -464,17 +466,31 @@ generate_smb3signingkey(struct cifs_ses *ses,
                rc = generate_key(ses, ptriplet->signing.label,
                                  ptriplet->signing.context,
                                  ses->chans[chan_index].signkey,
-                                 SMB3_SIGN_KEY_SIZE);
+                                 SMB3_SIGN_KEY_SIZE,
+                                 SMB2_NTLMV2_SESSKEY_SIZE);
                if (rc)
                        return rc;
        } else {
                rc = generate_key(ses, ptriplet->signing.label,
                                  ptriplet->signing.context,
                                  ses->smb3signingkey,
-                                 SMB3_SIGN_KEY_SIZE);
+                                 SMB3_SIGN_KEY_SIZE,
+                                 SMB2_NTLMV2_SESSKEY_SIZE);
                if (rc)
                        return rc;
 
+               /*
+                * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
+                * (first 16 bytes). Encryption/decryption keys use
+                * Session.FullSessionKey when dialect is 3.1.1 and cipher is
+                * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
+                */
+
+               if (server->dialect == SMB311_PROT_ID &&
+                   (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+                    server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+                       full_key_size = ses->auth_key.len;
+
                /* safe to access primary channel, since it will never go away */
                spin_lock(&ses->chan_lock);
                memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
@@ -484,13 +500,15 @@ generate_smb3signingkey(struct cifs_ses *ses,
                rc = generate_key(ses, ptriplet->encryption.label,
                                  ptriplet->encryption.context,
                                  ses->smb3encryptionkey,
-                                 SMB3_ENC_DEC_KEY_SIZE);
+                                 SMB3_ENC_DEC_KEY_SIZE,
+                                 full_key_size);
                if (rc)
                        return rc;
                rc = generate_key(ses, ptriplet->decryption.label,
                                  ptriplet->decryption.context,
                                  ses->smb3decryptionkey,
-                                 SMB3_ENC_DEC_KEY_SIZE);
+                                 SMB3_ENC_DEC_KEY_SIZE,
+                                 full_key_size);
                if (rc)
                        return rc;
        }
@@ -505,7 +523,7 @@ generate_smb3signingkey(struct cifs_ses *ses,
                        &ses->Suid);
        cifs_dbg(VFS, "Cipher type   %d\n", server->cipher_type);
        cifs_dbg(VFS, "Session Key   %*ph\n",
-                SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
+                (int)ses->auth_key.len, ses->auth_key.response);
        cifs_dbg(VFS, "Signing Key   %*ph\n",
                 SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
        if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||