[jcifs] LMv2 signing fix
eglass1 at comcast.net
eglass1 at comcast.net
Wed Oct 1 18:47:20 EST 2003
Mike/all,
Attached is a fix for MAC signing with LMv2 authentication. As it turns out,
signing with the "empty" LMv2 key is only done in certain circumstances --
which just happen to match those under which the code was tested (specifically,
the scenario in which an account from domain "A" has authenticated against a
machine whose primary domain is "B"). This patch uses the more generally
applicable "real" signing key; if a signature from the server fails to verify
correctly, the signature is then tested against the empty key. If it matches,
the empty key is adopted for subsequent MAC signing, otherwise it fails
normally. This works properly under both scenarios, and explains the LMv2
funkiness I mentioned in the earlier messages to Amar.
Also, in regards to the previous signing issue (misplaced the message, sorry),
Chris's doc has this to say regarding anonymous/guest authentication with MAC
signing:
Recall, from near the beginning of the Authentication section, that the
client sometimes uses an anonymous or guest logon to access server
information. Watch enough packet captures and you will see that MAC
signing doesn't really start until after a real user logon occurs.
So to fix that, it would be appropriate to add (either in
SmbTransport.initSigning or SmbSession where initSigning is called) something
like:
if (NtlmPasswordAuthentication.NULL.equals(auth) ||
NtlmPasswordAuthentication.GUEST.equals(auth)) {
// don't set the mac key, just pretend nothing happened
}
There is probably some additional minor tweaking that would need to occur upon
login failure; I haven't tested it, but I would assume that if authentication
fails that the server won't sign subsequent messages. This would probably only
apply during the first "real" authentication on the connection (as once signing
is set up, it isn't really affected by subsequent logins on the same
connection).
Eric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 33084 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20031001/7bc73ab8/attachment.obj
More information about the jcifs
mailing list