s3:smb2_negprot: prefer AES128_CCM if the client supports it

Callgrind showed that we use 28,165,720,719 cpu cycles to send
a 100MB file to a client using aes-ccm.

With aes-gcm this is raises up to 723,094,413,831 cpu cycles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd0ec51cfca2b3baed60d304125079c74815073a)

source3/smbd/smb2_negprot.c

@@ -421,6 +421,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 		uint8_t buf[4];
 		DATA_BLOB b;
 		size_t i;
+		bool aes_128_ccm_supported = false;
+		bool aes_128_gcm_supported = false;
 
 		capabilities &= ~SMB2_CAP_ENCRYPTION;
 
@@ -451,15 +453,23 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 			p += 2;
 
 			if (v == SMB2_ENCRYPTION_AES128_GCM) {
-				xconn->smb2.server.cipher = v;
-				break;
+				aes_128_gcm_supported = true;
 			}
 			if (v == SMB2_ENCRYPTION_AES128_CCM) {
-				xconn->smb2.server.cipher = v;
-				break;
+				aes_128_ccm_supported = true;
 			}
 		}
 
+		/*
+		 * For now we preferr CCM because our implementation
+		 * is faster than GCM, see bug #11451.
+		 */
+		if (aes_128_ccm_supported) {
+			xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
+		} else if (aes_128_gcm_supported) {
+			xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM;
+		}
+
 		SSVAL(buf, 0, 1); /* ChiperCount */
 		SSVAL(buf, 2, xconn->smb2.server.cipher);