[jcifs] RE: LMv2 signing fix

Laud, Amar alaud at rsasecurity.com
Tue Oct 7 06:44:20 EST 2003


Eric,

Will there be a jcifs release with this update in near future?

Thanks.

Amar

-----Original Message-----
From: eglass1 at comcast.net [mailto:eglass1 at comcast.net]
Sent: Wednesday, October 01, 2003 1:47 AM
To: jcifs at lists.samba.org
Cc: Laud, Amar; mba2000 at ioplex.com
Subject: LMv2 signing fix


Mike/all,

Attached is a fix for MAC signing with LMv2 authentication.  As it turns out,
signing with the "empty" LMv2 key is only done in certain circumstances --
which just happen to match those under which the code was tested
(specifically, the scenario in which an account from domain "A" has
authenticated against a machine whose primary domain is "B").  This patch
uses the more generally applicable "real" signing key; if a signature from
the server fails to verify correctly, the signature is then tested against
the empty key.  If it matches, the empty key is adopted for subsequent MAC
signing, otherwise it fails normally.  This works properly under both
scenarios, and explains the LMv2 funkiness I mentioned in the earlier
messages to Amar.

Also, in regards to the previous signing issue (misplaced the message,
sorry), Chris's doc has this to say regarding anonymous/guest authentication
with MAC signing:

    Recall, from near the beginning of the Authentication section, that the
    client sometimes uses an anonymous or guest logon to access server
    information. Watch enough packet captures and you will see that MAC
    signing doesn't really start until after a real user logon occurs. 

So to fix that, it would be appropriate to add (either in
SmbTransport.initSigning or SmbSession where initSigning is called)
something like:

if (NtlmPasswordAuthentication.NULL.equals(auth) ||
        NtlmPasswordAuthentication.GUEST.equals(auth)) {
    // don't set the mac key, just pretend nothing happened
}

There is probably some additional minor tweaking that would need to occur
upon login failure; I haven't tested it, but I would assume that if
authentication fails that the server won't sign subsequent messages.  This
would probably only apply during the first "real" authentication on the
connection (as once signing is set up, it isn't really affected by
subsequent logins on the same connection).


Eric
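
The verify-then-fall-back behaviour described in the message above, as an added example; it is not the attached patch and not jcifs code. The class name, the all-zero stand-in for the "empty" key, the simplified MAC (no sequence number), and the choice to stop trying the fallback once a key has verified are all assumptions of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical class for illustration; not part of jcifs.
public class SigningKeyFallback {
    private byte[] macKey;             // key currently used for MAC signing
    private final byte[] fallbackKey;  // the alternate ("empty") key
    private boolean keySettled;        // true once any server signature verified

    SigningKeyFallback(byte[] realKey, byte[] emptyKey) {
        macKey = realKey.clone();
        fallbackKey = emptyKey.clone();
    }

    // Simplified SMB MAC: first 8 bytes of MD5(key || message). The sequence
    // number that real SMB signing places in the signature field is omitted.
    static byte[] mac(byte[] key, byte[] msg) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(key);
        md5.update(msg);
        return Arrays.copyOf(md5.digest(), 8);
    }

    // Verify with the current key; on a mismatch, test the fallback key and
    // adopt it if it matches. Assumption of this sketch: the fallback is only
    // tried until some key has verified, so a later bad signature fails normally.
    boolean verify(byte[] msg, byte[] sig) throws Exception {
        if (MessageDigest.isEqual(mac(macKey, msg), sig)) {
            keySettled = true;
            return true;
        }
        if (!keySettled && MessageDigest.isEqual(mac(fallbackKey, msg), sig)) {
            macKey = fallbackKey;
            keySettled = true;
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real key material.
        byte[] real = "constructed-real-key".getBytes(StandardCharsets.US_ASCII);
        byte[] empty = new byte[16]; // placeholder for the "empty" key
        byte[] msg = "constructed SMB response".getBytes(StandardCharsets.US_ASCII);
        SigningKeyFallback client = new SigningKeyFallback(real, empty);
        System.out.println("first response: " + client.verify(msg, mac(empty, msg)));
        System.out.println("unknown key:    " + client.verify(msg, mac(msg, msg)));
        System.out.println("after adoption: " + client.verify(msg, mac(empty, msg)));
    }
}
```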



