cifs NTLMv2/NTLMSSP ntlmv2 within ntlmssp autentication code

Attribue Value (AV) pairs or Target Info (TI) pairs are part of ntlmv2 authentication. Structure ntlmv2_resp had only definition for two av pairs. So removed it, and now allocation of av pairs is dynamic. For servers like Windows 7/2008, av pairs sent by server in challege packet (type 2 in the ntlmssp exchange/negotiation) can vary. Server sends them during ntlmssp negotiation. So when ntlmssp is used as an authentication mechanism, type 2 challenge packet from server has this information. Pluck it and use the entire blob for authenticaiton purpose. If user has not specified, extract (netbios) domain name from the av pairs which is used to calculate ntlmv2 hash. Servers like Windows 7 are particular about the AV pair blob. Servers like Windows 2003, are not very strict about the contents of av pair blob used during ntlmv2 authentication. So when security mechanism such as ntlmv2 is used (not ntlmv2 in ntlmssp), there is no negotiation and so genereate a minimal blob that gets used in ntlmv2 authentication as well as gets sent. Fields tilen and tilbob are session specific. AV pair values are defined. To calculate ntlmv2 response we need ti/av pair blob. For sec mech like ntlmssp, the blob is plucked from type 2 response from the server. From this blob, netbios name of the domain is retrieved, if user has not already provided, to be included in the Target String as part of ntlmv2 hash calculations. For sec mech like ntlmv2, create a minimal, two av pair blob. The allocated blob is freed in case of error. In case there is no error, this blob is used in calculating ntlmv2 response (in CalcNTLMv2_response) and is also copied on the response to the server, and then freed. The type 3 ntlmssp response is prepared on a buffer, 5 * sizeof of struct _AUTHENTICATE_MESSAGE, an empirical value large enough to hold _AUTHENTICATE_MESSAGE plus a blob with max possible 10 values as part of ntlmv2 response and lmv2 keys and domain, user, workstation names etc. Also, kerberos gets selected as a default mechanism if server supports it, over the other security mechanisms. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Shirish Pargaonkar <shirishpargaonkar@gmail.com> 2010-09-18 23:02:18 -0400
committer: Steve French <sfrench@us.ibm.com> 2010-09-29 15:04:29 -0400
commit: 2b149f11978b44199954710d32c0eecf6c9efd9c (patch)
tree: efd48d4b64fc07a244890d1fced9c767ae4f369b /fs/cifs/cifsencrypt.c
parent: 5f98ca9afb9c004f8948c0d40920503de447918a (diff)
1 files changed, 115 insertions, 6 deletions
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index eed70cae127..730038a1298 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -27,6 +27,7 @@
 #include "md5.h"
 #include "cifs_unicode.h"
 #include "cifsproto.h"
+#include "ntlmssp.h"
 #include <linux/ctype.h>
 #include <linux/random.h>
@@ -262,6 +263,87 @@ void calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt,
 }
 #endif /* CIFS_WEAK_PW_HASH */
+/* This is just a filler for ntlmv2 type of security mechanisms.
+ * Older servers are not very particular about the contents of av pairs
+ * in the blob and for sec mechs like ntlmv2, there is no negotiation
+ * as in ntlmssp, so unless domain and server  netbios and dns names
+ * are specified, there is no way to obtain name.  In case of ntlmssp,
+ * server provides that info in type 2 challenge packet
+ */
+static int
+build_avpair_blob(struct cifsSesInfo *ses)
+{
+        struct ntlmssp2_name *attrptr;
+        ses->tilen = 2 * sizeof(struct ntlmssp2_name);
+        ses->tiblob = kzalloc(ses->tilen, GFP_KERNEL);
+        if (!ses->tiblob) {
+                ses->tilen = 0;
+                cERROR(1, "Challenge target info allocation failure");
+                return -ENOMEM;
+        }
+        attrptr = (struct ntlmssp2_name *) ses->tiblob;
+        attrptr->type = cpu_to_le16(NTLMSSP_DOMAIN_TYPE);
+        return 0;
+}
+/* Server has provided av pairs/target info in the type 2 challenge
+ * packet and we have plucked it and stored within smb session.
+ * We parse that blob here to find netbios domain name to be used
+ * as part of ntlmv2 authentication (in Target String), if not already
+ * specified on the command line.
+ * If this function returns without any error but without fetching
+ * domain name, authentication may fail against some server but
+ * may not fail against other (those who are not very particular
+ * about target string i.e. for some, just user name might suffice.
+ */
+static int
+find_domain_name(struct cifsSesInfo *ses)
+{
+        unsigned int attrsize;
+        unsigned int type;
+        unsigned int onesize = sizeof(struct ntlmssp2_name);
+        unsigned char *blobptr;
+        unsigned char *blobend;
+        struct ntlmssp2_name *attrptr;
+        if (!ses->tilen || !ses->tiblob)
+                return 0;
+        blobptr = ses->tiblob;
+        blobend = ses->tiblob + ses->tilen;
+        while (blobptr + onesize < blobend) {
+                attrptr = (struct ntlmssp2_name *) blobptr;
+                type = le16_to_cpu(attrptr->type);
+                if (type == NTLMSSP_AV_EOL)
+                        break;
+                blobptr += 2; /* advance attr type */
+                attrsize = le16_to_cpu(attrptr->length);
+                blobptr += 2; /* advance attr size */
+                if (blobptr + attrsize > blobend)
+                        break;
+                if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
+                        if (!attrsize)
+                                break;
+                        if (!ses->domainName) {
+                                ses->domainName =
+                                        kmalloc(attrsize + 1, GFP_KERNEL);
+                                if (!ses->domainName)
+                                                return -ENOMEM;
+                                cifs_from_ucs2(ses->domainName,
+                                        (__le16 *)blobptr, attrsize, attrsize,
+                                        load_nls_default(), false);
+                                break;
+                        }
+                }
+                blobptr += attrsize; /* advance attr  value */
+        }
+        return 0;
+}
 static int calc_ntlmv2_hash(struct cifsSesInfo *ses,
                            const struct nls_table *nls_cp)
 {
@@ -321,7 +403,8 @@ calc_exit_2:
        return rc;
 }
-void setup_ntlmv2_rsp(struct cifsSesInfo *ses, char *resp_buf,
+int
+setup_ntlmv2_rsp(struct cifsSesInfo *ses, char *resp_buf,
                      const struct nls_table *nls_cp)
 {
        int rc;
@@ -333,15 +416,29 @@ void setup_ntlmv2_rsp(struct cifsSesInfo *ses, char *resp_buf,
        buf->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
        get_random_bytes(&buf->client_chal, sizeof(buf->client_chal));
        buf->reserved2 = 0;
-        buf->names[0].type = cpu_to_le16(NTLMSSP_DOMAIN_TYPE);
-        buf->names[0].length = 0;
+        if (ses->server->secType == RawNTLMSSP) {
-        buf->names[1].type = 0;
+                if (!ses->domainName) {
-        buf->names[1].length = 0;
+                        rc = find_domain_name(ses);
+                        if (rc) {
+                                cERROR(1, "error %d finding domain name", rc);
+                                goto setup_ntlmv2_rsp_ret;
+                        }
+                }
+        } else {
+                rc = build_avpair_blob(ses);
+                if (rc) {
+                        cERROR(1, "error %d building av pair blob", rc);
+                        return rc;
+                }
+        }
        /* calculate buf->ntlmv2_hash */
        rc = calc_ntlmv2_hash(ses, nls_cp);
-        if (rc)
+        if (rc) {
                cERROR(1, "could not get v2 hash rc %d", rc);
+                goto setup_ntlmv2_rsp_ret;
+        }
        CalcNTLMv2_response(ses, resp_buf);
        /* now calculate the MAC key for NTLMv2 */
@@ -352,6 +449,15 @@ void setup_ntlmv2_rsp(struct cifsSesInfo *ses, char *resp_buf,
        memcpy(&ses->server->session_key.data.ntlmv2.resp, resp_buf,
               sizeof(struct ntlmv2_resp));
        ses->server->session_key.len = 16 + sizeof(struct ntlmv2_resp);
+        return 0;
+setup_ntlmv2_rsp_ret:
+        kfree(ses->tiblob);
+        ses->tiblob = NULL;
+        ses->tilen = 0;
+        return rc;
 }
 void CalcNTLMv2_response(const struct cifsSesInfo *ses,
@@ -365,6 +471,9 @@ void CalcNTLMv2_response(const struct cifsSesInfo *ses,
        hmac_md5_update(v2_session_response+8,
                        sizeof(struct ntlmv2_resp) - 8, &context);
+        if (ses->tilen)
+                hmac_md5_update(ses->tiblob, ses->tilen, &context);
        hmac_md5_final(v2_session_response, &context);
 /*      cifs_dump_mem("v2_sess_rsp: ", v2_session_response, 32); */
 }
author	Shirish Pargaonkar <shirishpargaonkar@gmail.com>	2010-09-18 23:02:18 -0400
committer	Steve French <sfrench@us.ibm.com>	2010-09-29 15:04:29 -0400
commit	2b149f11978b44199954710d32c0eecf6c9efd9c (patch)
tree	efd48d4b64fc07a244890d1fced9c767ae4f369b /fs/cifs/cifsencrypt.c
parent	5f98ca9afb9c004f8948c0d40920503de447918a (diff)

diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c index eed70cae127..730038a1298 100644 --- a/fs/cifs/cifsencrypt.c +++ b/fs/cifs/cifsencrypt.c
@@ -27,6 +27,7 @@
27	#include "md5.h"	27	#include "md5.h"
28	#include "cifs_unicode.h"	28	#include "cifs_unicode.h"
29	#include "cifsproto.h"	29	#include "cifsproto.h"
		30	#include "ntlmssp.h"
30	#include <linux/ctype.h>	31	#include <linux/ctype.h>
31	#include <linux/random.h>	32	#include <linux/random.h>
32		33
@@ -262,6 +263,87 @@ void calc_lanman_hash(const char password, const char cryptkey, bool encrypt,
262	}	263	}
263	#endif /* CIFS_WEAK_PW_HASH */	264	#endif /* CIFS_WEAK_PW_HASH */
264		265
		266	/* This is just a filler for ntlmv2 type of security mechanisms.
		267	* Older servers are not very particular about the contents of av pairs
		268	* in the blob and for sec mechs like ntlmv2, there is no negotiation
		269	* as in ntlmssp, so unless domain and server netbios and dns names
		270	* are specified, there is no way to obtain name. In case of ntlmssp,
		271	* server provides that info in type 2 challenge packet
		272	*/
		273	static int
		274	build_avpair_blob(struct cifsSesInfo *ses)
		275	{
		276	struct ntlmssp2_name *attrptr;
		277
		278	ses->tilen = 2 * sizeof(struct ntlmssp2_name);
		279	ses->tiblob = kzalloc(ses->tilen, GFP_KERNEL);
		280	if (!ses->tiblob) {
		281	ses->tilen = 0;
		282	cERROR(1, "Challenge target info allocation failure");
		283	return -ENOMEM;
		284	}
		285	attrptr = (struct ntlmssp2_name *) ses->tiblob;
		286	attrptr->type = cpu_to_le16(NTLMSSP_DOMAIN_TYPE);
		287
		288	return 0;
		289	}
		290
		291	/* Server has provided av pairs/target info in the type 2 challenge
		292	* packet and we have plucked it and stored within smb session.
		293	* We parse that blob here to find netbios domain name to be used
		294	* as part of ntlmv2 authentication (in Target String), if not already
		295	* specified on the command line.
		296	* If this function returns without any error but without fetching
		297	* domain name, authentication may fail against some server but
		298	* may not fail against other (those who are not very particular
		299	* about target string i.e. for some, just user name might suffice.
		300	*/
		301	static int
		302	find_domain_name(struct cifsSesInfo *ses)
		303	{
		304	unsigned int attrsize;
		305	unsigned int type;
		306	unsigned int onesize = sizeof(struct ntlmssp2_name);
		307	unsigned char *blobptr;
		308	unsigned char *blobend;
		309	struct ntlmssp2_name *attrptr;
		310
		311	if (!ses->tilen \|\| !ses->tiblob)
		312	return 0;
		313
		314	blobptr = ses->tiblob;
		315	blobend = ses->tiblob + ses->tilen;
		316
		317	while (blobptr + onesize < blobend) {
		318	attrptr = (struct ntlmssp2_name *) blobptr;
		319	type = le16_to_cpu(attrptr->type);
		320	if (type == NTLMSSP_AV_EOL)
		321	break;
		322	blobptr += 2; /* advance attr type */
		323	attrsize = le16_to_cpu(attrptr->length);
		324	blobptr += 2; /* advance attr size */
		325	if (blobptr + attrsize > blobend)
		326	break;
		327	if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
		328	if (!attrsize)
		329	break;
		330	if (!ses->domainName) {
		331	ses->domainName =
		332	kmalloc(attrsize + 1, GFP_KERNEL);
		333	if (!ses->domainName)
		334	return -ENOMEM;
		335	cifs_from_ucs2(ses->domainName,
		336	(__le16 *)blobptr, attrsize, attrsize,
		337	load_nls_default(), false);
		338	break;
		339	}
		340	}
		341	blobptr += attrsize; /* advance attr value */
		342	}
		343
		344	return 0;
		345	}
		346
265	static int calc_ntlmv2_hash(struct cifsSesInfo *ses,	347	static int calc_ntlmv2_hash(struct cifsSesInfo *ses,
266	const struct nls_table *nls_cp)	348	const struct nls_table *nls_cp)
267	{	349	{
@@ -321,7 +403,8 @@ calc_exit_2:
321	return rc;	403	return rc;
322	}	404	}
323		405
324	void setup_ntlmv2_rsp(struct cifsSesInfo ses, char resp_buf,	406	int
		407	setup_ntlmv2_rsp(struct cifsSesInfo ses, char resp_buf,
325	const struct nls_table *nls_cp)	408	const struct nls_table *nls_cp)
326	{	409	{
327	int rc;	410	int rc;
@@ -333,15 +416,29 @@ void setup_ntlmv2_rsp(struct cifsSesInfo ses, char resp_buf,
333	buf->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));	416	buf->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
334	get_random_bytes(&buf->client_chal, sizeof(buf->client_chal));	417	get_random_bytes(&buf->client_chal, sizeof(buf->client_chal));
335	buf->reserved2 = 0;	418	buf->reserved2 = 0;
336	buf->names[0].type = cpu_to_le16(NTLMSSP_DOMAIN_TYPE);	419
337	buf->names[0].length = 0;	420	if (ses->server->secType == RawNTLMSSP) {
338	buf->names[1].type = 0;	421	if (!ses->domainName) {
339	buf->names[1].length = 0;	422	rc = find_domain_name(ses);
		423	if (rc) {
		424	cERROR(1, "error %d finding domain name", rc);
		425	goto setup_ntlmv2_rsp_ret;
		426	}
		427	}
		428	} else {
		429	rc = build_avpair_blob(ses);
		430	if (rc) {
		431	cERROR(1, "error %d building av pair blob", rc);
		432	return rc;
		433	}
		434	}
340		435
341	/* calculate buf->ntlmv2_hash */	436	/* calculate buf->ntlmv2_hash */
342	rc = calc_ntlmv2_hash(ses, nls_cp);	437	rc = calc_ntlmv2_hash(ses, nls_cp);
343	if (rc)	438	if (rc) {
344	cERROR(1, "could not get v2 hash rc %d", rc);	439	cERROR(1, "could not get v2 hash rc %d", rc);
		440	goto setup_ntlmv2_rsp_ret;
		441	}
345	CalcNTLMv2_response(ses, resp_buf);	442	CalcNTLMv2_response(ses, resp_buf);
346		443
347	/* now calculate the MAC key for NTLMv2 */	444	/* now calculate the MAC key for NTLMv2 */
@@ -352,6 +449,15 @@ void setup_ntlmv2_rsp(struct cifsSesInfo ses, char resp_buf,
352	memcpy(&ses->server->session_key.data.ntlmv2.resp, resp_buf,	449	memcpy(&ses->server->session_key.data.ntlmv2.resp, resp_buf,
353	sizeof(struct ntlmv2_resp));	450	sizeof(struct ntlmv2_resp));
354	ses->server->session_key.len = 16 + sizeof(struct ntlmv2_resp);	451	ses->server->session_key.len = 16 + sizeof(struct ntlmv2_resp);
		452
		453	return 0;
		454
		455	setup_ntlmv2_rsp_ret:
		456	kfree(ses->tiblob);
		457	ses->tiblob = NULL;
		458	ses->tilen = 0;
		459
		460	return rc;
355	}	461	}
356		462
357	void CalcNTLMv2_response(const struct cifsSesInfo *ses,	463	void CalcNTLMv2_response(const struct cifsSesInfo *ses,
@@ -365,6 +471,9 @@ void CalcNTLMv2_response(const struct cifsSesInfo *ses,
365	hmac_md5_update(v2_session_response+8,	471	hmac_md5_update(v2_session_response+8,
366	sizeof(struct ntlmv2_resp) - 8, &context);	472	sizeof(struct ntlmv2_resp) - 8, &context);
367		473
		474	if (ses->tilen)
		475	hmac_md5_update(ses->tiblob, ses->tilen, &context);
		476
368	hmac_md5_final(v2_session_response, &context);	477	hmac_md5_final(v2_session_response, &context);
369	/* cifs_dump_mem("v2_sess_rsp: ", v2_session_response, 32); */	478	/* cifs_dump_mem("v2_sess_rsp: ", v2_session_response, 32); */
370	}	479	}