author | Stefan Metzmacher <metze@samba.org> | 2015-08-17 08:56:43 +0200 |
---|---|---|
committer | Ralph Böhme <slow@samba.org> | 2015-08-17 17:43:36 +0200 |
commit | bd0ec51cfca2b3baed60d304125079c74815073a (patch) | |
tree | 5af8806886ad512ea1125933d64a3817d71a6140 /source3/smbd | |
parent | 05dbd3b47a728acada971b545df458ae0e082ec5 (diff) | |
s3:smb2_negprot: prefer AES128_CCM if the client supports it
Callgrind showed that we use 28,165,720,719 cpu cycles to send
a 100MB file to a client using aes-ccm.
With aes-gcm this rises to 723,094,413,831 cpu cycles.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/smb2_negprot.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 3106ef38c7a..18382a9dc1a 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -421,6 +421,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 uint8_t buf[4];
 DATA_BLOB b;
 size_t i;
+ bool aes_128_ccm_supported = false;
+ bool aes_128_gcm_supported = false;

 capabilities &= ~SMB2_CAP_ENCRYPTION;

@@ -451,15 +453,23 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 p += 2;

 if (v == SMB2_ENCRYPTION_AES128_GCM) {
- xconn->smb2.server.cipher = v;
- break;
+ aes_128_gcm_supported = true;
 }
 if (v == SMB2_ENCRYPTION_AES128_CCM) {
- xconn->smb2.server.cipher = v;
- break;
+ aes_128_ccm_supported = true;
 }
 }

+ /*
+ * For now we preferr CCM because our implementation
+ * is faster than GCM, see bug #11451.
+ */
+ if (aes_128_ccm_supported) {
+ xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
+ } else if (aes_128_gcm_supported) {
+ xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM;
+ }
+
 SSVAL(buf, 0, 1); /* ChiperCount */
 SSVAL(buf, 2, xconn->smb2.server.cipher); |
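Review bot: The new `if (aes_128_ccm_supported) ... else if (aes_128_gcm_supported)` chain in the second hunk has no final branch, so when the client offers neither cipher `xconn->smb2.server.cipher` keeps whatever value it held before this block and `SSVAL(buf, 2, xconn->smb2.server.cipher)` still writes it into the reply with a count of 1. That prior value is set outside the hunk, so I would add a short comment after the chain such as `/* neither offered: cipher is left at its initial value, which must mean "no common cipher" */`, or an explicit final `else` that assigns that value. The comment above the chain should also state that the order is purely a speed choice between two ciphers treated as equally strong and that it overrides the order the client sent, so that a cipher added later is not ranked by speed alone; `preferr` there should read `prefer`. With both `break` statements removed the loop now walks the entire client-supplied list, so the per-entry length check earlier in the loop body, which is outside this hunk, has to hold for every entry. The enclosing function begins and ends outside both hunks.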