Message-ID: <ihoaj3ymhuesevdb7k2kg2a2axdkishrrrjr2teigelhkxmt4s@do2n6pkdmaas>
Date: Mon, 13 Oct 2025 11:44:37 -0300
From: Enzo Matsumiya <ematsumiya@...e.de>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-cifs@...r.kernel.org, Steve French <sfrench@...ba.org>,
samba-technical@...ts.samba.org, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
Paulo Alcantara <pc@...guebit.org>, Ronnie Sahlberg <ronniesahlberg@...il.com>,
Shyam Prasad N <sprasad@...rosoft.com>, Tom Talpey <tom@...pey.com>,
Bharath SM <bharathsm@...rosoft.com>
Subject: Re: [PATCH 0/8] smb: client: More crypto library conversions

Hi Eric,

On 10/11, Eric Biggers wrote:
>This series converts fs/smb/client/ to access SHA-512, HMAC-SHA256, MD5,
>and HMAC-MD5 using the library APIs instead of crypto_shash.
>
>This simplifies the code significantly. It also slightly improves
>performance, as it eliminates unnecessary overhead.
>
>Tested with Samba with all SMB versions, with mfsymlinks in the mount
>options, 'server min protocol = NT1' and 'server signing = required' in
>smb.conf, and doing a simple file data and symlink verification test.
>That seems to cover all the modified code paths.
>
>However, with SMB 1.0 I get "CIFS: VFS: SMB signature verification
>returned error = -13", regardless of whether this series is applied or
>not. Presumably, testing that case requires some other setting I
>couldn't find.
>
>Regardless, these are straightforward conversions and all the actual
>crypto is exactly the same as before, as far as I can tell.

I think the overall series looks good and does a great cleanup.

Just a minor nit about fips_enabled: since it's now being handled
explicitly (rather than an error on cifs_alloc_hash() currently), I
think it makes sense to move the check to the mount code path when
'sectype == NTLMv2' (I don't particularly care about SMB1, but
something similar can be done for 'smb1 && sign' cases I guess).

>Eric Biggers (8):
> smb: client: Use SHA-512 library for SMB3.1.1 preauth hash
> smb: client: Use HMAC-SHA256 library for key generation
> smb: client: Use HMAC-SHA256 library for SMB2 signature calculation
> smb: client: Use MD5 library for M-F symlink hashing
> smb: client: Use MD5 library for SMB1 signature calculation
> smb: client: Use HMAC-MD5 library for NTLMv2
> smb: client: Remove obsolete crypto_shash allocations
> smb: client: Consolidate cmac(aes) shash allocation
>
> fs/smb/client/Kconfig | 7 +-
> fs/smb/client/cifsencrypt.c | 201 +++++++++++++---------------------
> fs/smb/client/cifsfs.c | 4 -
> fs/smb/client/cifsglob.h | 3 -
> fs/smb/client/cifsproto.h | 10 +-
> fs/smb/client/link.c | 31 +-----
> fs/smb/client/sess.c | 2 +-
> fs/smb/client/smb2misc.c | 53 ++-------
> fs/smb/client/smb2proto.h | 8 +-
> fs/smb/client/smb2transport.c | 164 +++++----------------------
> 10 files changed, 131 insertions(+), 352 deletions(-)
>
>
>base-commit: 67029a49db6c1f21106a1b5fcdd0ea234a6e0711
>--
>2.51.0

Cheers,
Enzo