diff mbox

[2/3] cifs: Add a variable specific to NTLMSSP for key exchange.

Message ID 1377783311-3924-3-git-send-email-shirishpargaonkar@gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Shirish Pargaonkar Aug. 29, 2013, 1:35 p.m. UTC
Add a variable specific to NTLMSSP authentication to determine
whether to exchange keys during negotiation and authentication phases.

Since session key for smb1 is per smb connection, once a very first
sesion is established, there is no need for key exchange during
subsequent session setups. As a result, smb1 session setup code sets this
variable as false.

Since session key for smb2 and smb3 is per smb connection, we need to
exchange keys to generate session key for every sesion being established.
As a result, smb2/3 session setup code sets this variable as true.
---
 fs/cifs/cifsglob.h | 1 +
 fs/cifs/sess.c     | 8 ++++++--
 fs/cifs/smb2pdu.c  | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

Comments

Jeff Layton Sept. 6, 2013, 1:13 p.m. UTC | #1
On Thu, 29 Aug 2013 08:35:10 -0500
Shirish Pargaonkar <shirishpargaonkar@gmail.com> wrote:

> Add a variable specific to NTLMSSP authentication to determine
> whether to exchange keys during negotiation and authentication phases.
> 
> Since session key for smb1 is per smb connection, once a very first
> sesion is established, there is no need for key exchange during
> subsequent session setups. As a result, smb1 session setup code sets this
> variable as false.
> 
> Since session key for smb2 and smb3 is per smb connection, we need to
> exchange keys to generate session key for every sesion being established.
> As a result, smb2/3 session setup code sets this variable as true.
> ---
>  fs/cifs/cifsglob.h | 1 +
>  fs/cifs/sess.c     | 8 ++++++--
>  fs/cifs/smb2pdu.c  | 1 +
>  3 files changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
> index 52ca861..cce26a8 100644
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -135,6 +135,7 @@ struct cifs_secmech {
>  
>  /* per smb session structure/fields */
>  struct ntlmssp_auth {
> +	bool sesskey_per_smbsess; /* whether session key is per smb session */
>  	__u32 client_flags; /* sent by client in type 1 ntlmsssp exchange */
>  	__u32 server_flags; /* sent by server in type 2 ntlmssp exchange */
>  	unsigned char ciphertext[CIFS_CPHTXT_SIZE]; /* sent to server */
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 7afd54a..d7907c4 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -428,7 +428,8 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>  		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>  	if (ses->server->sign) {
>  		flags |= NTLMSSP_NEGOTIATE_SIGN;
> -		if (!ses->server->session_estab)
> +		if (!ses->server->session_estab ||
> +				ses->ntlmssp->sesskey_per_smbsess)
>  			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
>  	}
>  
> @@ -466,7 +467,8 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>  		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>  	if (ses->server->sign) {
>  		flags |= NTLMSSP_NEGOTIATE_SIGN;
> -		if (!ses->server->session_estab)
> +		if (!ses->server->session_estab ||
> +				ses->ntlmssp->sesskey_per_smbsess)
>  			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
>  	}
>  
> @@ -641,6 +643,8 @@ CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
>  		ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
>  		if (!ses->ntlmssp)
>  			return -ENOMEM;
> +		ses->ntlmssp->sesskey_per_smbsess = false;
> +
>  	}
>  
>  ssetup_ntlmssp_authenticate:
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 05a0186..28083b4 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -491,6 +491,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
>  	ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
>  	if (!ses->ntlmssp)
>  		return -ENOMEM;
> +	ses->ntlmssp->sesskey_per_smbsess = true;
>  
>  	/* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */
>  	ses->sectype = RawNTLMSSP;

Acked-by: Jeff Layton <jlayton@samba.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 52ca861..cce26a8 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -135,6 +135,7 @@  struct cifs_secmech {
 
 /* per smb session structure/fields */
 struct ntlmssp_auth {
+	bool sesskey_per_smbsess; /* whether session key is per smb session */
 	__u32 client_flags; /* sent by client in type 1 ntlmsssp exchange */
 	__u32 server_flags; /* sent by server in type 2 ntlmssp exchange */
 	unsigned char ciphertext[CIFS_CPHTXT_SIZE]; /* sent to server */
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 7afd54a..d7907c4 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -428,7 +428,8 @@  void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
 	if (ses->server->sign) {
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab)
+		if (!ses->server->session_estab ||
+				ses->ntlmssp->sesskey_per_smbsess)
 			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 	}
 
@@ -466,7 +467,8 @@  int build_ntlmssp_auth_blob(unsigned char *pbuffer,
 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
 	if (ses->server->sign) {
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab)
+		if (!ses->server->session_estab ||
+				ses->ntlmssp->sesskey_per_smbsess)
 			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 	}
 
@@ -641,6 +643,8 @@  CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
 		ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
 		if (!ses->ntlmssp)
 			return -ENOMEM;
+		ses->ntlmssp->sesskey_per_smbsess = false;
+
 	}
 
 ssetup_ntlmssp_authenticate:
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 05a0186..28083b4 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -491,6 +491,7 @@  SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
 	ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
 	if (!ses->ntlmssp)
 		return -ENOMEM;
+	ses->ntlmssp->sesskey_per_smbsess = true;
 
 	/* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */
 	ses->sectype = RawNTLMSSP;