On Wed, Dec 8, 2010 at 10:33 AM, Shirish Pargaonkar
<[email protected]> wrote:
> On Wed, Dec 8, 2010 at 10:06 AM, Jeff Layton <[email protected]> wrote:
>> On Wed,  8 Dec 2010 09:41:05 -0600
>> [email protected] wrote:
>>
>>> From: Shirish Pargaonkar <[email protected]>
>>>
>>>
>>> Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
>>> during ntlmssp protocol exchange in one of the bits of the flags field.
>>> If server supports this capability, send NTLM2 key even if signing is not
>>> required on the server.
>>> If the server requires signing, the session keys exchanged for NTLMv2
>>> and NTLM2 session security in auth packet of the ntlmssp exchange are same.
>>>
>>>
>>> Signed-off-by: Shirish Pargaonkar <[email protected]>
>>> ---
>>>  fs/cifs/sess.c |    7 ++++---
>>>  1 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>> index 7b01d3f..122ad31 100644
>>> --- a/fs/cifs/sess.c
>>> +++ b/fs/cifs/sess.c
>>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char 
>>> *pbuffer,
>>>       /* BB is NTLMV2 session security format easier to use here? */
>>>       flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
>>>               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
>>> -             NTLMSSP_NEGOTIATE_NTLM;
>>> +             NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>>>       if (ses->server->secMode &
>>>                       (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
>>>               flags |= NTLMSSP_NEGOTIATE_SIGN;
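Review bot: NTLMSSP_NEGOTIATE_EXTENDED_SEC is now advertised unconditionally in the type 1 flags, but the only comment above the assignment is still the open question "BB is NTLMV2 session security format easier to use here?". Please replace or extend that comment to say why the bit is always set, including when neither SECMODE_SIGN_REQUIRED nor SECMODE_SIGN_ENABLED is present, so the next reader does not have to go back to the commit message to learn that the client now offers NTLM2 session security to every server.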
>>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char 
>>> *pbuffer,
>>>       sec_blob->WorkstationName.MaximumLength = 0;
>>>       tmp += 2;
>>>
>>> -     if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
>>> -                     !calc_seckey(ses)) {
>>> +     if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
>>> +             ((ses->ntlmssp->server_flags & 
>>> NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
>>                ^^^
>>                You can (and should) eliminate a set of parentheses here.
>
> Sure.
>
>>
>>> +                     && !calc_seckey(ses)) {
>>>               memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
>>>               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - 
>>> pbuffer);
>>>               sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
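Review bot: the new condition in build_ntlmssp_auth_blob tests two bits of the same server_flags word with two separate and-expressions and extra parentheses; a single mask test, server_flags & (NTLMSSP_NEGOTIATE_KEY_XCH | NTLMSSP_NEGOTIATE_EXTENDED_SEC), says the same thing and fits the line without wrapping. Separately, because !calc_seckey(ses) is part of the same condition, a failure to compute the key is indistinguishable here from the server not asking for one. Consider calling calc_seckey() on its own and handling its return value before deciding whether to copy ses->ntlmssp->ciphertext into the blob.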
>>
>> Other than that, it looks reasonable to me. I'll have to take your
>> word for it that this is the right thing to do as I find the NTLMSSP
>> spec really difficult to comprehend.
>>

Yes. It is very confusing.  One of these days, I am planning to go through
all the flags that cifs client sends during ntlmssp negotiation stage (type 1).
I think flags do not matter when client sends authentication request (type 3).
To verify, I set flags field to 0x0 in type 3 packet and both sec=ntlmssp and
sec=ntlmsspi, were successful on a Windows 2003 Server, Windows 7, and
Windows 2008 Server.

So we just have to get flags right in ntlmssp negotiate packet (type 1) that
client sends and send things according to capabilities that server returned in
flags in ntlmssp challenge packet (type 2), in ntlmssp authentication packet
(type 3).

>> It also might be nice to add:
>>
>>    Reported-and-Tested-by: Robbert Kouprie <[email protected]>
>>
>> ...since he did help track this down.
>>
>> --
>> Jeff Layton <[email protected]>
>>
>
> Sure, I will respin it. Sorry for the omission Robbert.
>
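The flag handling discussed in this thread, as an added example that is not part of the original messages or of the cifs code: it reads the flags field from a type 2 (challenge) blob and compares the session-key decision before and after the patch. The helper names and the sample blob are constructed for illustration, the flag values are those given in MS-NLMP, and the calc_seckey() part of the real condition is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag names as used in the patch; values as given in MS-NLMP. */
#define NTLMSSP_NEGOTIATE_EXTENDED_SEC 0x00080000u
#define NTLMSSP_NEGOTIATE_KEY_XCH      0x40000000u

#define TYPE2_FLAGS_OFFSET 20 /* signature(8) + type(4) + target name fields(8) */
#define TYPE2_MIN_LEN      32 /* ... + flags(4) + server challenge(8) */

/* Hypothetical helper: extract the little-endian flags field of a type 2
 * blob. Returns 0 on success, -1 if the blob is too short, lacks the
 * "NTLMSSP\0" signature, or is not message type 2. */
int type2_server_flags(const unsigned char *blob, size_t len, uint32_t *flags)
{
    const unsigned char *p;

    if (len < TYPE2_MIN_LEN || memcmp(blob, "NTLMSSP", 8) != 0)
        return -1;
    if (blob[8] != 2 || blob[9] || blob[10] || blob[11])
        return -1;
    p = blob + TYPE2_FLAGS_OFFSET;
    *flags = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
             (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Flag test before the patch: key sent only when KEY_XCH came back. */
int sends_key_before(uint32_t f) { return (f & NTLMSSP_NEGOTIATE_KEY_XCH) != 0; }

/* Flag test after the patch: KEY_XCH or EXTENDED_SEC is enough. */
int sends_key_after(uint32_t f)
{
    return (f & (NTLMSSP_NEGOTIATE_KEY_XCH | NTLMSSP_NEGOTIATE_EXTENDED_SEC)) != 0;
}

/* Constructed sample: server returns 0xA0080205 (56 | 128 | EXTENDED_SEC |
 * NTLM | REQUEST_TARGET | UNICODE), i.e. no KEY_XCH and no signing. */
const unsigned char sample_type2[32] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,  0,0,0,0,0,0,0,0,
    0x05,0x02,0x08,0xa0,  1,2,3,4,5,6,7,8 };

int main(void)
{
    uint32_t f = 0;
    if (type2_server_flags(sample_type2, sizeof(sample_type2), &f) != 0)
        return 1;
    printf("flags=0x%08x before=%d after=%d\n",
           (unsigned)f, sends_key_before(f), sends_key_after(f));
    return 0;
}
```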