Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

On Wed, Dec 8, 2010 at 10:33 AM, Shirish Pargaonkar
<shirishpargaonkar@xxxxxxxxx> wrote:
> On Wed, Dec 8, 2010 at 10:06 AM, Jeff Layton <jlayton@xxxxxxxxx> wrote:
>> On Wed,  8 Dec 2010 09:41:05 -0600
>> shirishpargaonkar@xxxxxxxxx wrote:
>>
>>> From: Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx>
>>>
>>>
>>> Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
>>> during ntlmssp protocol exchange in one of the bits of the flags field.
>>> If server supports this capability, send NTLM2 key even if signing is not
>>> required on the server.
>>> If the server requires signing, the session keys exchanged for NTLMv2
>>> and NTLM2 session security in auth packet of the ntlmssp exchange are same.
>>>
>>>
>>> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx>
>>> ---
>>>  fs/cifs/sess.c |    7 ++++---
>>>  1 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>> index 7b01d3f..122ad31 100644
>>> --- a/fs/cifs/sess.c
>>> +++ b/fs/cifs/sess.c
>>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>>>       /* BB is NTLMV2 session security format easier to use here? */
>>>       flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
>>>               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
>>> -             NTLMSSP_NEGOTIATE_NTLM;
>>> +             NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>>>       if (ses->server->secMode &
>>>                       (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
>>>               flags |= NTLMSSP_NEGOTIATE_SIGN;
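Review bot: the context comment directly above the changed flags assignment, `/* BB is NTLMV2 session security format easier to use here? */`, still reads as an open question although the `+` line now requests NTLMSSP_NEGOTIATE_EXTENDED_SEC unconditionally. Update or drop that comment, and note in its place that the bit advertises NTLM2 session security independently of the SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED test that follows.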
>>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>>>       sec_blob->WorkstationName.MaximumLength = 0;
>>>       tmp += 2;
>>>
>>> -     if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
>>> -                     !calc_seckey(ses)) {
>>> +     if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
>>> +             ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
>>                ^^^
>>                You can (and should) eliminate a set of parentheses here.
>
> Sure.
>
>>
>>> +                     && !calc_seckey(ses)) {
>>>               memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
>>>               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
>>>               sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
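Review bot: the two flag tests on the `+` lines can be one mask, `ses->ntlmssp->server_flags & (NTLMSSP_NEGOTIATE_KEY_XCH | NTLMSSP_NEGOTIATE_EXTENDED_SEC)`, which removes the nested parentheses and avoids starting the continuation line with `&&`. Separately, the result of calc_seckey() is folded into the same condition as the flag check, so this branch is skipped in the same way whether the server set neither flag or the key calculation failed; consider calling calc_seckey() inside the branch and handling its error on its own path, with a short comment on why EXTENDED_SEC alone is enough to send the key.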
>>
>> Other than that, it looks reasonable to me. I'll have to take your
>> word for it that this is the right thing to do as I find the NTLMSSP
>> spec really difficult to comprehend.
>>

Yes. It is very confusing.  One of these days, I am planning to go through
all the flags that cifs client sends during ntlmssp negotiation stage (type 1).
I think flags do not matter when client sends authentication request (type 3).
To verify, I set flags field to 0x0 in type 3 packet and both sec=ntlmssp and
sec=ntlmsspi were successful on a Windows 2003 Server, Windows 7, and
Windows 2008 Server.

So we just have to get flags right in ntlmssp negotiate packet (type 1) that
client sends and send things according to capabilities that server returned in
flags in ntlmssp challenge packet (type 2), in ntlmssp authentication packet
(type 3).

>> It also might be nice to add:
>>
>>    Reported-and-Tested-by: Robbert Kouprie <robbert@xxxxxx>
>>
>> ...since he did help track this down.
>>
>> --
>> Jeff Layton <jlayton@xxxxxxxxx>
>>
>
> Sure, I will respin it. Sorry for the omission, Robbert.
>
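An added example, not part of the original thread or of fs/cifs: it reads the server's flags out of a type 2 (challenge) blob and compares the flag part of the session-key decision before and after the patch. The helper names and the sample blob are hypothetical and constructed here; the flag values and the type 2 field offsets are taken from MS-NLMP, and the calc_seckey() part of the real condition is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Flag values per MS-NLMP; names follow the ones used in the patch. */
#define NTLMSSP_NEGOTIATE_EXTENDED_SEC 0x00080000u
#define NTLMSSP_NEGOTIATE_KEY_XCH      0x40000000u
/* signature(8) + type(4) + target name fields(8) + flags(4) + challenge(8) */
#define TYPE2_MIN_LEN 32

static uint32_t le32(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Store the server's NegotiateFlags; return -1 if blob is not a type 2. */
static int type2_server_flags(const unsigned char *blob, size_t len,
			      uint32_t *flags)
{
	if (len < TYPE2_MIN_LEN)
		return -1;	/* too short to hold the fixed header */
	if (memcmp(blob, "NTLMSSP\0", 8) != 0 || le32(blob + 8) != 2)
		return -1;	/* wrong signature or message type */
	*flags = le32(blob + 20);
	return 0;
}

/* Flag part of the type 3 session-key decision, old and new. */
static int send_key_before_patch(uint32_t server_flags)
{
	return (server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) != 0;
}

static int send_key_after_patch(uint32_t server_flags)
{
	return (server_flags & (NTLMSSP_NEGOTIATE_KEY_XCH |
				NTLMSSP_NEGOTIATE_EXTENDED_SEC)) != 0;
}

/* Constructed sample: server sets EXTENDED_SEC but not KEY_XCH. */
static const unsigned char sample_type2[TYPE2_MIN_LEN] = {
	'N', 'T', 'L', 'M', 'S', 'S', 'P', 0,  2, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 0,		/* empty TargetName fields */
	0x05, 0x02, 0x08, 0x00,		/* flags 0x00080205, little endian */
	1, 2, 3, 4, 5, 6, 7, 8		/* server challenge */
};

int main(void)
{
	uint32_t f;
	if (type2_server_flags(sample_type2, sizeof(sample_type2), &f))
		return 1;
	return !(send_key_after_patch(f) && !send_key_before_patch(f));
}
```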