authorShirish Pargaonkar <shirishpargaonkar@gmail.com>2010-10-21 15:25:08 -0400
committerSteve French <sfrench@us.ibm.com>2010-10-26 14:35:31 -0400
commitd2b915210b5ec01409f581421d633eca6c38d444 (patch)
tree5e4467f4888eb8c9936fbfd7b5bd7b9058af26e9 /fs/cifs/cifsglob.h
parentb235f371a2572d7c86a121d96d889eee02ed00e2 (diff)
NTLM auth and sign - Define crypto hash functions and create and send keys needed for key exchange
Mark dependency on crypto modules in Kconfig. Define structures sdesc and cifs_secmech, which are used to store crypto hash functions and contexts. They are stored per smb connection and used for all auth mechs to generate hash values and signatures. Allocate crypto hashing functions, security descriptors, and respective contexts when a smb/tcp connection is established. Release them when a tcp/smb connection is taken down. md5 and hmac-md5 are two crypto hashing functions that are used throughout the life of an smb/tcp connection by various functions that calculate signature and ntlmv2 hash, HMAC etc. structure ntlmssp_auth is defined as per smb connection. ntlmssp_auth holds ciphertext which is generated by rc4/arc4 encryption of secondary key, a nonce using ntlmv2 session key and sent in the session key field of the type 3 message sent by the client during ntlmssp negotiation/exchange. A key is exchanged with the server if client indicates so in flags in type 1 message and server agrees in flag in type 2 message of ntlmssp negotiation. If both client and server agree, a key is sent by the client in the type 3 message of ntlmssp negotiation in the session key field. The key is a ciphertext generated off of secondary key, a nonce, using ntlmv2 hash via rc4/arc4. Signing works for ntlmssp in this patch. The sequence number within the server structure needs to be zero until session is established i.e. until the type 3 packet of the ntlmssp exchange of the very first smb session on that smb connection is sent. Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs/cifsglob.h')
-rw-r--r--fs/cifs/cifsglob.h26
1 files changed, 26 insertions, 0 deletions
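--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -25,6 +25,9 @@
 #include <linux/workqueue.h>
 #include "cifs_fs_sb.h"
 #include "cifsacl.h"
+#include <crypto/internal/hash.h>
+#include <linux/scatterlist.h>
+
 /*
  * The sizes of various internal tables and strings
  */
@@ -102,6 +105,27 @@ struct session_key {
  char *response;
 };
 
+/* crypto security descriptor definition */
+struct sdesc {
+ struct shash_desc shash;
+ char ctx[];
+};
+
+/* crypto hashing related structure/fields, not speicific to a sec mech */
+struct cifs_secmech {
+ struct crypto_shash *hmacmd5; /* hmac-md5 hash function */
+ struct crypto_shash *md5; /* md5 hash function */
+ struct sdesc *sdeschmacmd5; /* ctxt to generate ntlmv2 hash, CR1 */
+ struct sdesc *sdescmd5; /* ctxt to generate cifs/smb signature */
+};
+
+/* per smb connection structure/fields */
+struct ntlmssp_auth {
+ __u32 client_flags; /* sent by client in type 1 ntlmsssp exchange */
+ __u32 server_flags; /* sent by server in type 2 ntlmssp exchange */
+ unsigned char ciphertext[CIFS_CPHTXT_SIZE]; /* sent to server */
+};
+
 struct cifs_cred {
  int uid;
  int gid;
@@ -178,6 +202,7 @@ struct TCP_Server_Info {
  struct session_key session_key;
  unsigned long lstrp; /* when we got last response from this server */
  u16 dialect; /* dialect index that server chose */
+ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
  /* extended security flavors that server supports */
  bool sec_kerberos; /* supports plain Kerberos */
  bool sec_mskerberos; /* supports legacy MS Kerberos */
@@ -220,6 +245,7 @@ struct cifsSesInfo {
  char ntlmv2_hash[16];
  unsigned int tilen; /* length of the target info blob */
  unsigned char *tiblob; /* target info blob in challenge response */
+ struct ntlmssp_auth ntlmssp; /* ciphertext, flags */
  bool need_reconnect:1; /* connection reset, uid now invalid */
 };
 /* no more than one of the following three session flags may be set */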
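Review bot: The new `#include <crypto/internal/hash.h>` in the first hunk pulls the crypto subsystem's implementation-side header into a filesystem header; the consumer API for `struct crypto_shash` and `struct shash_desc` is the public one, so `#include <crypto/hash.h>` is the line I would expect here. `<linux/scatterlist.h>` is not used by anything visible in this header; if only the .c files need it, the include belongs there instead. In the second hunk, `struct sdesc` pairs a `shash_desc` with a trailing flexible `ctx[]`, but nothing states how `ctx[]` is sized; a comment such as `/* ctx[] is sized at allocation from crypto_shash_descsize() of the tfm */` would tell a reader what the allocation contract is — confirm against the allocation site, which is outside this file. Two comment typos in the same hunk: `not speicific` → `not specific` (cifs_secmech) and `type 1 ntlmsssp exchange` → `type 1 ntlmssp exchange` (ntlmssp_auth).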