[jcifs] LMv2 signing fix

eglass1 at comcast.net
Wed Oct 1 18:47:20 EST 2003


Mike/all,

Attached is a fix for MAC signing with LMv2 authentication.  As it turns out, 
signing with the "empty" LMv2 key is only done in certain circumstances -- 
which just happen to match those under which the code was tested (specifically, 
the scenario in which an account from domain "A" has authenticated against a 
machine whose primary domain is "B").  This patch uses the more generally 
applicable "real" signing key; if a signature from the server fails to verify 
correctly, the signature is then tested against the empty key.  If it matches, 
the empty key is adopted for subsequent MAC signing, otherwise it fails 
normally.  This works properly under both scenarios, and explains the LMv2 
funkiness I mentioned in the earlier messages to Amar.

Also, in regards to the previous signing issue (misplaced the message, sorry), 
Chris's doc has this to say regarding anonymous/guest authentication with MAC 
signing:

    Recall, from near the beginning of the Authentication section, that the
    client sometimes uses an anonymous or guest logon to access server
    information. Watch enough packet captures and you will see that MAC
    signing doesn't really start until after a real user logon occurs. 

So to fix that, it would be appropriate to add (either in 
SmbTransport.initSigning or SmbSession where initSigning is called) something 
like:

if (NtlmPasswordAuthentication.NULL.equals(auth) ||
        NtlmPasswordAuthentication.GUEST.equals(auth)) {
    // don't set the mac key, just pretend nothing happened
}

There is probably some additional minor tweaking that would need to occur upon 
login failure; I haven't tested it, but I would assume that if authentication 
fails that the server won't sign subsequent messages.  This would probably only 
apply during the first "real" authentication on the connection (as once signing 
is set up, it isn't really affected by subsequent logins on the same 
connection).


Eric

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 33084 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20031001/7bc73ab8/attachment.obj

