[PATCH][SMB3.1.1] Add defines for new signing context

Tom Talpey tom at talpey.com
Thu Oct 15 18:15:32 UTC 2020


On 10/12/2020 5:50 AM, Aurélien Aptel wrote:
> Patch LGTM
> 
> Reviewed-by: Aurelien Aptel <aaptel at suse.com>
> 
> Stefan Metzmacher via samba-technical <samba-technical at lists.samba.org>
>> This isn't in MS-SMB2 yet.
>>
>> Is this AES_128?
> 
> This is returned in latest Windows Server Insider builds but it's not
> documented yet.
> 
> https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver
> 
> I've asked dochelp about it during the SDC plugfest and they gave me
> this:
> 
>      The new ContextType is:
>      SMB2_SIGNING_CAPABILITIES 0x0008
>      The Data field contains a list of signing algorithms.
>      •    It adds a new negotiate context, which enables SMB to decouple signing algorithms from dialects. E.g. if both client and server support it, a session may use HMAC-SHA256 with SMB 3.1.1.
>      •    It adds the AES-GMAC algorithm.
>       
>      SigningAlgorithmCount (2 bytes): Count of signing algorithms
>      SigningAlgorithms (variable): An array of SigningAlgorithmCount 16-bit integer IDs specifying the supported signing algorithms.
>       
>      The following IDs are assigned:
>      0 = HMAC-SHA256
>      1 = AES-CMAC
>      2 = AES-GMAC
> 
> 
> I've been CCed in a Microsoft email thread later on and it seems to be
> unclear why this was missed/wasn't documented. Maybe this is subject to
> change so take with a grain of salt.

Just curious if you've heard back on this. Insider builds will sometimes
support things that don't make it to the release. Even Preview docs can
change. However, AES_GMAC has been on the radar since 2015 (*) so
perhaps the time has come!

I'd suggest wrapping this context and the integrity algs in some kind of
conditional, in case this is delayed...

Tom.

(*) slide 29+ 
https://www.snia.org/sites/default/files/SDC15_presentations/smb/GregKramer_%20SMB_3-1-1_rev.pdf
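
The Data layout quoted in the thread (a 2-byte SigningAlgorithmCount followed by that many 16-bit IDs) can be parsed defensively as in the following added example, which is not part of this e-mail or of the patch under discussion. The function name, return codes, caller-supplied preference list and sample bytes are assumptions made for illustration; fields are read as little-endian, as elsewhere on the SMB2 wire.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as quoted in the thread; not in MS-SMB2 when it was written. */
#define SMB2_SIGNING_CAPABILITIES 0x0008
#define SIGNING_ALG_HMAC_SHA256   0
#define SIGNING_ALG_AES_CMAC      1
#define SIGNING_ALG_AES_GMAC      2
/* Hypothetical return codes for this example. */
#define SIGNING_MALFORMED (-1)
#define SIGNING_NO_MATCH  (-2)

/* Constructed sample Data fields (little-endian), not captured traffic. */
static const uint8_t sample_all[] = { 3, 0,  0, 0,  1, 0,  2, 0 };
static const uint8_t sample_short[] = { 3, 0,  0, 0,  1, 0 }; /* count lies */
static const uint8_t sample_unknown[] = { 1, 0,  9, 0 };      /* unassigned ID */
/* Constructed local preference order, most preferred first. */
static const uint16_t sample_prefs[] = { SIGNING_ALG_AES_GMAC, SIGNING_ALG_AES_CMAC };

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Return the first ID in prefs[] that the peer's list also contains. */
int pick_signing_alg(const uint8_t *data, size_t len,
		     const uint16_t *prefs, size_t nprefs)
{
	size_t count, i, j;

	if (data == NULL || len < 2)
		return SIGNING_MALFORMED;
	count = get_le16(data);		/* SigningAlgorithmCount */
	if (count > (len - 2) / 2)	/* array would run past the buffer */
		return SIGNING_MALFORMED;
	for (i = 0; i < nprefs; i++)
		for (j = 0; j < count; j++)
			if (get_le16(data + 2 + 2 * j) == prefs[i])
				return prefs[i];
	return SIGNING_NO_MATCH;	/* unknown IDs are skipped, not fatal */
}

int main(void)
{
	printf("%d\n", pick_signing_alg(sample_all, sizeof(sample_all), sample_prefs, 2));
	return 0;
}
```

Skipping unrecognised IDs instead of failing keeps the parser tolerant if the assigned list changes before release, which the thread notes is possible.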


