From nobody Sat Jun 20 14:12:40 2026 Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 273E047885D for ; Thu, 30 Apr 2026 17:48:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571324; cv=none; b=ZlrJ+suvImWTCha3HqKfrDWpakWUaY6NtEbAA2CpxF8Rqupv+QLBKJ/QzzaK/FnnkosTAMG8CQrbLxJWxBzRFC4/z7PNitPWb3BLqq8tQcATo19y1gubepJeY7vD8un5E9Bohzlndrbh+RK1E1eJ5tbOdxc5K9IsaT1ngq7+hmc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571324; c=relaxed/simple; bh=0dIn3pRB9mFvWh8+m3Q/ynj13bsM4JgCV1C0hx+Z2lY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=hFeRdaqo48FYHJhUcmiwWj0eInl6WUlu9OORclnbh1efveGMu+yb9Tz8p+03TWeyXh6mw8UY+xidtm+6Hc3cOOkt3tvEsgU2Bbsk71ahvLkTi7gqHUWFYAnc0RPAW525oCowwl8DEeUj/6io4Unfe22F8qSlvN052tdqzLx+vlk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Qheco9xl; arc=none smtp.client-ip=209.85.214.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Qheco9xl" Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2b23fcf90b2so10787765ad.3 for ; Thu, 30 Apr 2026 10:48:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777571322; x=1778176122; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=7951eQ/78Es31REawF8+h8DYhmlO7R1alAiqr8CzZJU=; b=Qheco9xlqOi6a06wOQTTS2+8a15KwXLDl7LtUdbGnOVwMxP6+6uU6SCj5D8pQoUCiS 0Z8mZXynnJXNGUXPcMcx+BHOd9Chc/XQuy1Dc41rlTHd7BKvTqCIJrnAm1UctmuNWWGH +bKp1SIV8FB2Z/xIKJzWr2kv8dsE7jdO2T98Kiy0WuupNg0LCfLFD+aY7JI3XleeEV44 p/C4FpsG5WCfjU9Os4flczfzlnggQTCGGSgeuAIn/lT29E6Jl02IpXWAYxhkUkiXtKEc +ZTTNaZioGKzw3Hdze8k+FFkDXyKDU4QXlCZ2t4wsyEKIXeTsfNU10o7t43lxhk51T4B QRiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777571322; x=1778176122; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=7951eQ/78Es31REawF8+h8DYhmlO7R1alAiqr8CzZJU=; b=JDaFmXNyB0yn8LfK8YeKl+r1hkK4aNFMV6E/GwTrWmTXpLY/A3ZP+dSo4XjVnBmpW9 piKh9VAtT42i2oqaMyK/+9Zt61U6X/GLRk0ZwjJVDVR4tk8qYStBCQ7As7NkC9kSRFtO h21f6aj9OFGwQbfri/IlZsBQv5azF2LJT2u2m4zI2gWw67szJx7W4az0BF2fU2OcWeJF yPAa6tYg75xSsz93khSINMVsVq1zO3iTVPLvgsXwOjYNkGsJTbP4rVAwx6tlNOOb8xJs 6qegxwnZl+ZJSJgN/huXEKZ3ociXZeDe1GbsVQSQzUqi6kvXGhqf6hnM7Q23CT89CAIb 7l9g== X-Forwarded-Encrypted: i=1; AFNElJ9Dfrthz1OgFjfJR8TUzHTx8Oyq3Qn0BT2IwDCYtfV8U8Uh8LtnVsIuBFB4gdEx61p0KvNTZH9YJHpeH1U=@vger.kernel.org X-Gm-Message-State: AOJu0YzL5X0Bat+xYJ1cVW/mF9urGujJ6hGJQH8CDCZVyTWah09pXL2U ypA2T756Oeyxob/W/z0+r8qVbCUGooGJ8VG8ynxvScJvtvNBSSJz1nYz X-Gm-Gg: AeBDiev4j1lHNtnx0KQOgCAW7YL9TQUIXO0LL2Vkpaz4WBeVODpjc/z+TKiWo5XP6Oa CdYNQEATwEb4oGaAu1sJgwY59hb9XETmM06nqZ+okAWONAJZ1nXaml5hTVR1f7wMauNhyl5q1A1 GrgtMTZgsNPcV2SCX91a5LxduCbIYNyJ2/2wfV9ZoJHukv8xviPVATeCnz51Z8QKgSW0nTEy/YK 8WBzYaNEUDD+irV5kCVMM3RmH37Q6BxttnDubCQuA/aqpJZi97vtdi5UvN9XjyUS2o3lXQER9jv WPyrOUUavxXGil8DS83uoycwv3K1xoWbWRdRo5wbB2mCXkxAN8dnJvqWP60Wh+945Nt97w7Glhw fXy5enjgMtZaBPDYqIsDr0vrh0a7qX+h9Dlx0LYbQPFGteRZpo2vqaEEywcvUb6CPqasjLSCGFv Z9/E/lh8LF782xZ41QWs+uNbpAv9gpccdKvTyuJJu3DgXkVAfWMg== X-Received: by 2002:a17:903:24e:b0:2b4:5f69:715d with SMTP id d9443c01a7336-2b9a24b3372mr41032065ad.25.1777571322440; Thu, 30 Apr 2026 10:48:42 -0700 (PDT) Received: from localhost ([49.207.150.30]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b9caaaec82sm2285365ad.24.2026.04.30.10.48.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Apr 2026 10:48:42 -0700 (PDT) From: Piyush Sachdeva X-Google-Original-From: Piyush Sachdeva Date: Thu, 30 Apr 2026 23:18:23 +0530 Subject: [PATCH v2 1/2] smb: client: Use FullSessionKey for AES-256 encryption key derivation Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260430-kerbmi-v2-1-0b98fe250425@microsoft.com> References: <20260430-kerbmi-v2-0-0b98fe250425@microsoft.com> In-Reply-To: <20260430-kerbmi-v2-0-0b98fe250425@microsoft.com> To: Steve French , linux-cifs@vger.kernel.org, Shyam Prasad N , Bharath SM Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, vaibsharma@microsoft.com X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=5862; i=psachdeva@microsoft.com; h=from:subject:message-id; bh=0dIn3pRB9mFvWh8+m3Q/ynj13bsM4JgCV1C0hx+Z2lY=; b=owGbwMvMwCV29FJ3ncRHDT/G02pJDJmfp75XTU96ckhn35m+L9G/yne8d9hW9S/K9dxZL02ve p1Hh+YIdExkYRDjYrAUU2TZcOKOLG/8Lsl5n54YwcxhZQIZIi3SwAAELAx8uYl5pUY6Rnqm2oZ6 hkY6BjrGDFycAjDVDyQZGfr+nDiu8t3cNfBnsfEM4SqJ5d76Gttj6rWz9jz9wnio8TAjww+1nX8 4pD6ombV+Un8k8EeD4yfvbRaVVY4/P2/X7LpdzQgA X-Developer-Key: i=psachdeva@microsoft.com; a=openpgp; fpr=80350F71F916134953C3EB979E19C6F9839C3CFC When Kerberos authentication is used with AES-256 encryption (AES-256-CCM or AES-256-GCM), the SMB3 encryption and decryption keys must be derived using the full session key (Session.FullSessionKey) rather than just the first 16 bytes (Session.SessionKey). Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey must be set to the full cryptographic key from the GSS authentication context. The encryption and decryption key derivation (SMBC2SCipherKey, SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The signing key derivation continues to use Session.SessionKey (first 16 bytes) in all cases. Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the HMAC-SHA256 key input length for all derivations. When Kerberos with AES-256 provides a 32-byte session key, the KDF for encryption/decryption was using only the first 16 bytes, producing keys that did not match the server's, causing mount failures with sec=3Dkrb5 and require_gcm_256=3D1. Add a full_key_size parameter to generate_key() and pass the appropriate size from generate_smb3signingkey(): - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes) - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16 Also fix cifs_dump_full_key() to report the actual session key length for AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools like Wireshark receive the correct key for decryption. Signed-off-by: Piyush Sachdeva Signed-off-by: Piyush Sachdeva Reviewed-by: Bharath SM --- fs/smb/client/ioctl.c | 2 +- fs/smb/client/smb2transport.c | 35 ++++++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c index 9afab3237e54..17408bb8ab65 100644 --- a/fs/smb/client/ioctl.c +++ b/fs/smb/client/ioctl.c @@ -296,7 +296,7 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, s= truct smb3_full_key_debug break; case SMB2_ENCRYPTION_AES256_CCM: case SMB2_ENCRYPTION_AES256_GCM: - out.session_key_length =3D CIFS_SESS_KEY_SIZE; + out.session_key_length =3D ses->auth_key.len; out.server_in_key_length =3D out.server_out_key_length =3D SMB3_GCM256_C= RYPTKEY_SIZE; break; default: diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c index 41009039b4cb..be421b852246 100644 --- a/fs/smb/client/smb2transport.c +++ b/fs/smb/client/smb2transport.c @@ -251,7 +251,8 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TCP_S= erver_Info *server) } =20 static void generate_key(struct cifs_ses *ses, struct kvec label, - struct kvec context, __u8 *key, unsigned int key_size) + struct kvec context, __u8 *key, unsigned int key_size, + unsigned int full_key_size) { unsigned char zero =3D 0x0; __u8 i[4] =3D {0, 0, 0, 1}; @@ -265,7 +266,7 @@ static void generate_key(struct cifs_ses *ses, struct k= vec label, memset(key, 0x0, key_size); =20 hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response, - SMB2_NTLMV2_SESSKEY_SIZE); + full_key_size); hmac_sha256_update(&hmac_ctx, i, 4); hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len); hmac_sha256_update(&hmac_ctx, &zero, 1); @@ -298,6 +299,7 @@ generate_smb3signingkey(struct cifs_ses *ses, struct TCP_Server_Info *server, const struct derivation_triplet *ptriplet) { + unsigned int full_key_size =3D SMB2_NTLMV2_SESSKEY_SIZE; bool is_binding =3D false; int chan_index =3D 0; =20 @@ -330,12 +332,24 @@ generate_smb3signingkey(struct cifs_ses *ses, if (is_binding) { generate_key(ses, ptriplet->signing.label, ptriplet->signing.context, - ses->chans[chan_index].signkey, - SMB3_SIGN_KEY_SIZE); + ses->chans[chan_index].signkey, SMB3_SIGN_KEY_SIZE, + SMB2_NTLMV2_SESSKEY_SIZE); } else { generate_key(ses, ptriplet->signing.label, - ptriplet->signing.context, - ses->smb3signingkey, SMB3_SIGN_KEY_SIZE); + ptriplet->signing.context, ses->smb3signingkey, + SMB3_SIGN_KEY_SIZE, SMB2_NTLMV2_SESSKEY_SIZE); + + /* + * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey + * (first 16 bytes). Encryption/decryption keys use + * Session.FullSessionKey when dialect is 3.1.1 and cipher is + * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey. + */ + + if (server->dialect =3D=3D SMB311_PROT_ID && + (server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_CCM || + server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_GCM)) + full_key_size =3D ses->auth_key.len; =20 /* safe to access primary channel, since it will never go away */ spin_lock(&ses->chan_lock); @@ -345,10 +359,13 @@ generate_smb3signingkey(struct cifs_ses *ses, =20 generate_key(ses, ptriplet->encryption.label, ptriplet->encryption.context, - ses->smb3encryptionkey, SMB3_ENC_DEC_KEY_SIZE); + ses->smb3encryptionkey, SMB3_ENC_DEC_KEY_SIZE, + full_key_size); + generate_key(ses, ptriplet->decryption.label, ptriplet->decryption.context, - ses->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE); + ses->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE, + full_key_size); } =20 #ifdef CONFIG_CIFS_DEBUG_DUMP_KEYS @@ -361,7 +378,7 @@ generate_smb3signingkey(struct cifs_ses *ses, &ses->Suid); cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type); cifs_dbg(VFS, "Session Key %*ph\n", - SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response); + ses->auth_key.len, ses->auth_key.response); cifs_dbg(VFS, "Signing Key %*ph\n", SMB3_SIGN_KEY_SIZE, ses->smb3signingkey); if ((server->cipher_type =3D=3D SMB2_ENCRYPTION_AES256_CCM) || --=20 2.53.0 From nobody Sat Jun 20 14:12:40 2026 Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6692942E01C for ; Thu, 30 Apr 2026 17:48:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571328; cv=none; b=OwYUjKN1AX9DpIUyomW8PAXvwl+4XagrJgspBJasyFSfIhkIdzQnrWWWQRWGiWB0M+8g/a2bJGBU/Sx4ByxWu/xd+Qqq+O8yhsE7MBrvhe7F6fYg7OyRWPKkLKCPW4dBRFf1vxZnhhyixBf56FkvPKoZ7LiURjAxRkiegeUNa7I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571328; c=relaxed/simple; bh=aHoBqTbdr56DO71Zlzzaandq5SHQ8sCJYyYln2KmSW0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=XpKy9VHW2RJw+IaoC8nVhxdfkgbef6Ywe13YPTn5Z5sT9dztJu6QESmnh44fo5hQwGOU/oHXW72/gX2vT3QXIywEmOfXNITz7Ld8+YcmqftK2xSRxD6v77Nix7LtStn1SUxFNVn0kDPGe/UBJwRS+7+QkmrQ75iRYccXUkVyqpA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ajX4S1oZ; arc=none smtp.client-ip=209.85.210.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ajX4S1oZ" Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-835066ef130so477798b3a.1 for ; Thu, 30 Apr 2026 10:48:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777571327; x=1778176127; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=yv2fHWPI4GY7ycdmc2I4lTP92YQsllQ8O6sfU4iOItg=; b=ajX4S1oZV31iH1kiV4kkA4B8RGAnF0rE6h+o3ciGBmAmWHhXiALgOGjPIfoVvsb7KJ B4e1dTmZTG49CTBcC9tMZRSQo5mrLHP0HHg5dIKK51U/El0WNCOlen2W7kcyrGwpnWsf 33X/IY/A7G+/SRAs94fF2TxkEaN0BoIaXS6kFLvqlEeNR5MyxWCI8DBgYTqpZyNGT/Rj bMHgwqrk0xN5sjG40YdopSfGl/oiAarzBqa7pvQQkU9DoIFFyeTwsDQ5UfNu66fD+4Gq ynhuV/xDESNNqF0O30319g/RTobqFtkPh7/oMoUvGmDdBz3IM5ZaAAYdSNivaQNH8NDT +8GA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777571327; x=1778176127; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=yv2fHWPI4GY7ycdmc2I4lTP92YQsllQ8O6sfU4iOItg=; b=CZiaL0k5/Icx3s6DhdCghfU6pz3l0ufqRoM5v5j6b1Mu0oljPAnwNSb6ozNR7Q5hi6 Mc1UmoPA7SPnH3exzmFkviyQy441T6O5YbVkdkKLDd9aKzCdFVOFuLxWxaGTOQW04tJO DSswmyYcy3Ye6U/sJc9C3NlCYT47NQeZHbysGpkIKYOKqFEn69w3gLhvTXcNm3Y5vQMv s6ahaXrLhvrN0mgjainXZQkcF67ffw+ExiTF+1Y61RT42iq/GgWlYjANmKovAxFLz/Db 3klIhIpwh/R5LXNW6DTK6vg0vsW6VU3SqrUVCgzyA7OsgXTY+budvEQ9ab2iHVa4Dxg9 bvCA== X-Forwarded-Encrypted: i=1; AFNElJ9y/k0FmtLa2PfXYSwfR1cIdZcBstze6cF7Br+rEX0vQIEpvr3gOiriJI/u2uw+cd+DaYCdw3Bo3U2THhU=@vger.kernel.org X-Gm-Message-State: AOJu0YxdxqQqg8f66d08beoWC7d214FaA040gxUgxXhkNTjf94Qal92F Lro6orh4c7hk36e55WcXN0EDydfRU5fE9PeSWfqlXdJHwaI9A3EIMbUy X-Gm-Gg: AeBDievHF/LEA3HMPw2+8ssMqSUzGMnzgIQElaRd8/e6uHT8tURCkUFeOW2B3KBg8O5 E+I5RIKG4YF7zFYBe9gUv/t0EM3Yl2G612hM3pr6HfGry41TEKxgQR7HoOx5BLa3MdMbA1H/NLc X0iwXsbLtrrwvvfrvajJynpxNC5nAEzsJ9v4POo0AHE/BqsY42sSJJGs6faMwC648nmaHtkSJpY MFlfLH1uuxoRr3a+0/k+rnof8gRFr9jTO7iuCOWpC7Xl8HHURW8nLkvDRio9fl79QDsXnmibiED p27vAVQ3YSBBhQZCsG7NlXEcaj0p6SRks8WVxP1jst49vUpR8AQw3fTIVuN+wBeUvU2ixzUHMui CCZ6ZYDrH2CSvRxZh7cQCIDRqmPql4L800Fr9HigOHgjnkUtFikC9EnqC9C1NCm9na5BdNJZd4B KY68toMkZGltqUG2OSveVixpIliU1hIPq0W+jkgzZMdAEu3SOATXBJOQtl4QUS X-Received: by 2002:a05:6a00:909d:b0:81f:5037:a317 with SMTP id d2e1a72fcca58-834fdb1345emr4334423b3a.11.1777571326639; Thu, 30 Apr 2026 10:48:46 -0700 (PDT) Received: from localhost ([49.207.150.30]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-8351582e185sm278771b3a.3.2026.04.30.10.48.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Apr 2026 10:48:46 -0700 (PDT) From: Piyush Sachdeva X-Google-Original-From: Piyush Sachdeva Date: Thu, 30 Apr 2026 23:18:24 +0530 Subject: [PATCH v2 2/2] smb: client: Zero-pad short GSS session keys per MS-SMB2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260430-kerbmi-v2-2-0b98fe250425@microsoft.com> References: <20260430-kerbmi-v2-0-0b98fe250425@microsoft.com> In-Reply-To: <20260430-kerbmi-v2-0-0b98fe250425@microsoft.com> To: Steve French , linux-cifs@vger.kernel.org, Shyam Prasad N , Bharath SM Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, vaibsharma@microsoft.com X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=3414; i=psachdeva@microsoft.com; h=from:subject:message-id; bh=aHoBqTbdr56DO71Zlzzaandq5SHQ8sCJYyYln2KmSW0=; b=owGbwMvMwCV29FJ3ncRHDT/G02pJDJmfp36Y1SsyOXPuWc+60JDNV/zit7Tq/pv3nulpyY+Li Y/fX9es7JjIwiDGxWAppsiy4cQdWd74XZLzPj0xgpnDygQyRFqkgQEIWBj4chPzSo10jPRMtQ31 DI10DHSMGbg4BWCqk70YGS7MWcO/smkdz+xDRxMlFA+wFglfelvZMl18p1FeW8XMRm5Ghs9LPzf KHc2z6mDWbLqhnLiEwzTQV+9R897QyJ1aWy8z8AMA X-Developer-Key: i=psachdeva@microsoft.com; a=openpgp; fpr=80350F71F916134953C3EB979E19C6F9839C3CFC Per MS-SMB2 section 3.2.5.3, Session.SessionKey is the first 16 bytes of the GSS cryptographic key, right-padded with zero bytes if the key is shorter than 16 bytes. SMB2_auth_kerberos() copies the GSS session key from the cifs.upcall response using kmemdup(msg->data, msg->sesskey_len, ...) and stores the GSS-reported length verbatim in ses->auth_key.len. generate_key() reads SMB2_NTLMV2_SESSKEY_SIZE bytes from this buffer when feeding the HMAC-SHA256 KDF for signing key derivation. If a GSS mechanism returns a session key shorter than 16 bytes (e.g. a deprecated single-DES Kerberos enctype with an 8-byte session key), the KDF call performs an out-of-bounds slab read and derives keys that do not match the server, which pads per the spec. Modern KDCs disable short-key enctypes by default, so this is latent rather than reachable in production, but it is still a kernel heap over-read. Allocate auth_key.response with kzalloc() at a length of max(msg->sesskey_len, SMB2_NTLMV2_SESSKEY_SIZE), copy the GSS key in, and rely on kzalloc()'s zero initialization for the spec-mandated padding. Set ses->auth_key.len to the padded length. Larger GSS keys (e.g. the 32-byte aes256-cts-hmac-sha1-96 session key) continue to be stored at their natural length, preserving the FullSessionKey path. Emit a cifs_dbg(VFS, ...) message when a short key is encountered to surface deprecated-enctype usage. NTLMv2 and NTLMSSP code paths produce a 16-byte session key by construction and are unaffected. Signed-off-by: Piyush Sachdeva Signed-off-by: Piyush Sachdeva --- fs/smb/client/smb2pdu.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index cb61051f9af3..995fcdd30681 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -1713,17 +1713,30 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data) is_binding =3D (ses->ses_status =3D=3D SES_GOOD); spin_unlock(&ses->ses_lock); =20 + /* + * Per MS-SMB2 3.2.5.3, Session.SessionKey is the first 16 bytes of the + * GSS cryptographic key, right-padded with zero bytes if shorter. + * Allocate at least SMB2_NTLMV2_SESSKEY_SIZE bytes (zeroed) so the KDF + * input buffer is always valid for HMAC-SHA256 even with deprecated + * Kerberos enctypes that return a short session key. + */ + if (unlikely(msg->sesskey_len < SMB2_NTLMV2_SESSKEY_SIZE)) + cifs_dbg(VFS, + "short GSS session key (%u bytes); zero-padding per MS-SMB2 3.2.5.3\n", + msg->sesskey_len); + kfree_sensitive(ses->auth_key.response); - ses->auth_key.response =3D kmemdup(msg->data, - msg->sesskey_len, - GFP_KERNEL); + ses->auth_key.len =3D max_t(unsigned int, msg->sesskey_len, + SMB2_NTLMV2_SESSKEY_SIZE); + ses->auth_key.response =3D kzalloc(ses->auth_key.len, GFP_KERNEL); if (!ses->auth_key.response) { cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n", - __func__, msg->sesskey_len); + __func__, ses->auth_key.len); + ses->auth_key.len =3D 0; rc =3D -ENOMEM; goto out_put_spnego_key; } - ses->auth_key.len =3D msg->sesskey_len; + memcpy(ses->auth_key.response, msg->data, msg->sesskey_len); =20 sess_data->iov[1].iov_base =3D msg->data + msg->sesskey_len; sess_data->iov[1].iov_len =3D msg->secblob_len; --=20 2.53.0