author | Shirish Pargaonkar <shirishpargaonkar@gmail.com> | 2010-10-13 19:15:00 -0400 |
---|---|---|
committer | Steve French <sfrench@us.ibm.com> | 2010-10-14 14:05:19 -0400 |
commit | 5d0d28824c76409f0d1a645bf0ae81318c8ffa42 (patch) | |
tree | 592838282fc891dc9a51424e0f57c0694ad31075 /fs/cifs/sess.c | |
parent | d7c86ff8cd00abc730fe5d031f43dc9138b6324e (diff) |
NTLM authentication and signing - Calculate auth response per smb session
Start calculating the auth response within a session. Move/add pertinent
data structures like the session key, server challenge and ntlmv2_hash into
a session structure. We should do the calculations within a session
before copying the session key and response over to the server data
structures because a session setup can fail.
Only after the very first smb session succeeds is its session key
copied to become the session key of the smb connection. This key stays with
the smb connection throughout its life.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs/sess.c')
-rw-r--r-- | fs/cifs/sess.c | 28 |
1 files changed, 8 insertions, 20 deletions
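diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index c926e6c7c0c6..2111bed71b1f 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -402,7 +402,7 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
 return -EINVAL;
 }
 
-memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
+memcpy(ses->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
 /* BB we could decode pblob->NegotiateFlags; some may be useful */
 /* In particular we can examine sign flags */
 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
@@ -591,17 +591,12 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
 int bytes_remaining;
 struct key *spnego_key = NULL;
 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
-bool first_time;
 int blob_len;
 char *ntlmsspblob = NULL;
 
 if (ses == NULL)
 return -EINVAL;
 
-read_lock(&cifs_tcp_ses_lock);
-first_time = is_first_ses_reconnect(ses);
-read_unlock(&cifs_tcp_ses_lock);
-
 type = ses->server->secType;
 
 cFYI(1, "sess setup type %d", type);
@@ -672,7 +667,7 @@ ssetup_ntlmssp_authenticate:
 /* BB calculate hash with password */
 /* and copy into bcc */
 
-calc_lanman_hash(ses->password, ses->server->cryptKey,
+calc_lanman_hash(ses->password, ses->cryptKey,
 ses->server->secMode & SECMODE_PW_ENCRYPT ?
 true : false, lnm_session_key);
 
@@ -699,15 +694,11 @@ ssetup_ntlmssp_authenticate:
 cpu_to_le16(CIFS_SESS_KEY_SIZE);
 
 /* calculate session key */
-SMBNTencrypt(ses->password, ses->server->cryptKey,
-ntlm_session_key);
+SMBNTencrypt(ses->password, ses->cryptKey, ntlm_session_key);
 
-if (first_time) /* should this be moved into common code
-with similar ntlmv2 path? */
-cifs_calculate_session_key(&ses->server->session_key,
-ntlm_session_key, ses->password);
+cifs_calculate_session_key(&ses->auth_key,
+ntlm_session_key, ses->password);
 /* copy session key */
-
 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
 bcc_ptr += CIFS_SESS_KEY_SIZE;
 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
@@ -794,17 +785,14 @@ ssetup_ntlmssp_authenticate:
 }
 /* bail out if key is too long */
 if (msg->sesskey_len >
-sizeof(ses->server->session_key.data.krb5)) {
+sizeof(ses->auth_key.data.krb5)) {
 cERROR(1, "Kerberos signing key too long (%u bytes)",
 msg->sesskey_len);
 rc = -EOVERFLOW;
 goto ssetup_exit;
 }
-if (first_time) {
-ses->server->session_key.len = msg->sesskey_len;
-memcpy(ses->server->session_key.data.krb5,
-msg->data, msg->sesskey_len);
-}
+ses->auth_key.len = msg->sesskey_len;
+memcpy(ses->auth_key.data.krb5, msg->data, msg->sesskey_len);
 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
 capabilities |= CAP_EXTENDED_SECURITY;
 pSMB->req.Capabilities = cpu_to_le32(capabilities);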