Diffstat (limited to 'source3/smbd/smb2_negprot.c')
-rw-r--r-- | source3/smbd/smb2_negprot.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 3106ef38c7a..18382a9dc1a 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -421,6 +421,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 uint8_t buf[4];
 DATA_BLOB b;
 size_t i;
+ bool aes_128_ccm_supported = false;
+ bool aes_128_gcm_supported = false;
 capabilities &= ~SMB2_CAP_ENCRYPTION;
@@ -451,15 +453,23 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 p += 2;
 if (v == SMB2_ENCRYPTION_AES128_GCM) {
- xconn->smb2.server.cipher = v;
- break;
+ aes_128_gcm_supported = true;
 }
 if (v == SMB2_ENCRYPTION_AES128_CCM) {
- xconn->smb2.server.cipher = v;
- break;
+ aes_128_ccm_supported = true;
 }
 }
+ /*
+ * For now we preferr CCM because our implementation
+ * is faster than GCM, see bug #11451.
+ */
+ if (aes_128_ccm_supported) {
+ xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
+ } else if (aes_128_gcm_supported) {
+ xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM;
+ }
+
 SSVAL(buf, 0, 1); /* ChiperCount */
 SSVAL(buf, 2, xconn->smb2.server.cipher); |
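Review bot: The new comment above the `if (aes_128_ccm_supported)` chain in the second hunk gives only speed as the reason for preferring CCM and does not say that the client's cipher ordering is now ignored, which is what a reader auditing the negotiation needs to know. I would reword it, also fixing the `preferr` typo, to something like `/* We choose the cipher ourselves and ignore the client's ordering: CCM is preferred because our implementation is faster than GCM, see bug #11451. */`. When neither flag is set, `xconn->smb2.server.cipher` keeps the value it had before the loop and `SSVAL(buf, 2, ...)` still writes it into the response. That value is presumably 0, but its initialisation is outside the hunk, so a one-line comment stating the expected "no common cipher" value would help. The body of smbd_smb2_request_process_negprot starts and ends outside both hunks.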