#define SMB2_SIGNING_HMAC_SHA256 0x0000 /* default <= 0x210 */
#define SMB2_SIGNING_AES128_CMAC 0x0001 /* default >= 0x224 */
-/* Values for the SMB2_ENCRYPTION_CAPABILITIES Context (>= 0x310) */
+/* Values for the SMB2_ENCRYPTION_CAPABILITIES Context (>= 0x311) */
#define SMB2_ENCRYPTION_INVALID_ALGO 0xffff /* only used internally */
#define SMB2_ENCRYPTION_NONE 0x0000 /* only used internally */
#define SMB2_ENCRYPTION_AES128_CCM 0x0001 /* only in dialect >= 0x224 */
-#define SMB2_ENCRYPTION_AES128_GCM 0x0002 /* only in dialect >= 0x310 */
+#define SMB2_ENCRYPTION_AES128_GCM 0x0002 /* only in dialect >= 0x311 */
+#define SMB2_ENCRYPTION_AES256_CCM 0x0003 /* only in dialect >= 0x311 */
+#define SMB2_ENCRYPTION_AES256_GCM 0x0004 /* only in dialect >= 0x311 */
#define SMB2_NONCE_HIGH_MAX(nonce_len_bytes) ((uint64_t)(\
((nonce_len_bytes) >= 16) ? UINT64_MAX : \
((nonce_len_bytes) <= 8) ? 0 : \
#define WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK 31
struct smb3_encryption_capabilities {
-#define SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS 2
+#define SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS 4
uint16_t num_algos;
uint16_t algos[SMB3_ENCRYTION_CAPABILITIES_MAX_ALGOS];
};
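Review bot: The bound on `algos[]` is now a bare `4` that has to equal the number of cipher ids that can be offered, and nothing in the struct says so. A one-line comment on the define would make the coupling explicit, for example `/* must cover every SMB2_ENCRYPTION_* id that can be negotiated */`. The code that fills `algos[]` is not visible in these hunks, so it is worth confirming that every writer, in particular any path that copies a peer-supplied cipher list from a negotiate context, clamps `num_algos` to the macro and not to a literal `2`.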
}
in_key_length = out_key_length = 16;
break;
+ case SMB2_ENCRYPTION_AES256_CCM:
+ case SMB2_ENCRYPTION_AES256_GCM:
+ /*
+ * AES256 uses the available input and
+ * generated a 32 byte encryption key.
+ */
+ if (master_key->length == 0) {
+ DBG_ERR("cipher_algo_id[%u] without key\n",
+ cipher_algo_id);
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ out_key_length = 32;
+ break;
default:
DBG_ERR("cipher_algo_id[%u] not supported\n", cipher_algo_id);
return NT_STATUS_FWP_INCOMPATIBLE_CIPHER_CONFIG;
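Review bot: The new AES256 case rejects only an empty `master_key`, so a shorter session key (16 bytes, say) is still expanded into a 32-byte cipher key whose effective strength is bounded by the input, and the comment does not state that. I would reword it to something like `/* AES256 uses all of the available input and generates a 32 byte key; the result is only as strong as master_key->length allows. */`, which also fixes "generated". Unlike the 128-bit case above it, this case does not assign `in_key_length`; presumably that is initialised to the master key length before the switch, which starts outside the hunk, so please confirm. If a minimum input length is intended for the 256-bit ciphers, this is the place to enforce it.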
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
break;
+ case SMB2_ENCRYPTION_AES256_CCM:
+ algo = GNUTLS_CIPHER_AES_256_CCM;
+ iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+ break;
+ case SMB2_ENCRYPTION_AES256_GCM:
+ algo = GNUTLS_CIPHER_AES_256_GCM;
+ iv_size = gnutls_cipher_get_iv_size(algo);
+ break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
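Review bot: `iv_size = SMB2_AES_128_CCM_NONCE_SIZE;` in the new `SMB2_ENCRYPTION_AES256_CCM` case reads like a copy-paste slip, because the constant's name ties it to AES-128 while the GCM case beside it asks gnutls for the size. The CCM nonce length does not depend on the AES key size, so the value is presumably right, but the next reader has to work that out. Either add `/* CCM nonce size is independent of the AES key size */` on that line or introduce a key-size-neutral alias for the constant. The same assignment appears in the AES256_CCM case of the second cipher switch and in the `nonce_size` switch in the following hunks. All three switches begin outside their hunks.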
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
break;
+ case SMB2_ENCRYPTION_AES256_CCM:
+ algo = GNUTLS_CIPHER_AES_256_CCM;
+ iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+ break;
+ case SMB2_ENCRYPTION_AES256_GCM:
+ algo = GNUTLS_CIPHER_AES_256_GCM;
+ iv_size = gnutls_cipher_get_iv_size(algo);
+ break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
case SMB2_ENCRYPTION_AES128_GCM:
nonce_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_GCM);
break;
+ case SMB2_ENCRYPTION_AES256_CCM:
+ nonce_size = SMB2_AES_128_CCM_NONCE_SIZE;
+ break;
+ case SMB2_ENCRYPTION_AES256_GCM:
+ nonce_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_GCM);
+ break;
default:
nonce_size = 0;
break;
static const struct enum_list enum_smb3_encryption_algorithms[] = {
{SMB2_ENCRYPTION_AES128_GCM, "aes-128-gcm"},
{SMB2_ENCRYPTION_AES128_CCM, "aes-128-ccm"},
+ {SMB2_ENCRYPTION_AES256_GCM, "aes-256-gcm"},
+ {SMB2_ENCRYPTION_AES256_CCM, "aes-256-ccm"},
{-1, NULL}
};