[jcifs] RE: LMv2 signing fix
Laud, Amar
alaud at rsasecurity.com
Tue Oct 7 06:44:20 EST 2003
Eric,
Will there be a jcifs release with this update in the near future?
Thanks.
Amar
-----Original Message-----
From: eglass1 at comcast.net [mailto:eglass1 at comcast.net]
Sent: Wednesday, October 01, 2003 1:47 AM
To: jcifs at lists.samba.org
Cc: Laud, Amar; mba2000 at ioplex.com
Subject: LMv2 signing fix
Mike/all,

Attached is a fix for MAC signing with LMv2 authentication. As it turns out,
signing with the "empty" LMv2 key is only done in certain circumstances --
which just happen to match those under which the code was tested
(specifically, the scenario in which an account from domain "A" has
authenticated against a machine whose primary domain is "B"). This patch
uses the more generally applicable "real" signing key; if a signature from
the server fails to verify correctly, the signature is then tested against
the empty key. If it matches, the empty key is adopted for subsequent MAC
signing, otherwise it fails normally. This works properly under both
scenarios, and explains the LMv2 funkiness I mentioned in the earlier
messages to Amar.

Also, in regards to the previous signing issue (misplaced the message,
sorry), Chris's doc has this to say regarding anonymous/guest authentication
with MAC signing:

    Recall, from near the beginning of the Authentication section, that the
    client sometimes uses an anonymous or guest logon to access server
    information. Watch enough packet captures and you will see that MAC
    signing doesn't really start until after a real user logon occurs.

So to fix that, it would be appropriate to add (either in
SmbTransport.initSigning or SmbSession where initSigning is called)
something like:

    if (NtlmPasswordAuthentication.NULL.equals(auth) ||
            NtlmPasswordAuthentication.GUEST.equals(auth)) {
        // don't set the mac key, just pretend nothing happened
    }

There is probably some additional minor tweaking that would need to occur
upon login failure; I haven't tested it, but I would assume that if
authentication fails that the server won't sign subsequent messages. This
would probably only apply during the first "real" authentication on the
connection (as once signing is set up, it isn't really affected by
subsequent logins on the same connection).

Eric
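
The fallback verification described in the message above, as an added example (not code from the attached patch or from jCIFS): the class and method names, the all-zero stand-in for the "empty" key and the sample message are assumptions, and the message bytes are taken to already carry their sequence number. Limiting the fallback to the period before any server signature has verified is this example's choice, not something the message states.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added illustration: class and method names are hypothetical, not jCIFS API.
public class FallbackMacVerifier {
    private byte[] activeKey;           // key used for MAC signing from now on
    private final byte[] fallbackKey;   // the alternate ("empty") key
    private boolean settled = false;    // true once a server signature has verified

    public FallbackMacVerifier(byte[] realKey, byte[] fallbackKey) {
        this.activeKey = realKey.clone();
        this.fallbackKey = fallbackKey.clone();
    }

    // SMB1-style MAC: first 8 bytes of MD5(key || message).
    static byte[] mac(byte[] key, byte[] message) throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(key);
        md5.update(message);
        return Arrays.copyOf(md5.digest(), 8);
    }

    // Verify with the active key; if that fails and no key has been confirmed
    // yet (assumption of this example), test the fallback key and adopt it.
    public boolean verify(byte[] message, byte[] signature) throws NoSuchAlgorithmException {
        if (MessageDigest.isEqual(mac(activeKey, message), signature)) {
            settled = true;
            return true;
        }
        if (!settled && MessageDigest.isEqual(mac(fallbackKey, message), signature)) {
            activeKey = fallbackKey;    // adopted for subsequent MAC signing
            settled = true;
            return true;
        }
        return false;                   // fails normally
    }

    public static void main(String[] args) throws Exception {
        byte[] realKey = "constructed-real-key".getBytes(StandardCharsets.US_ASCII);
        byte[] emptyKey = new byte[16]; // constructed stand-in for the "empty" key
        byte[] msg = "constructed SMB response".getBytes(StandardCharsets.US_ASCII);
        FallbackMacVerifier v = new FallbackMacVerifier(realKey, emptyKey);
        System.out.println("server signed with empty key: " + v.verify(msg, mac(emptyKey, msg)));
        System.out.println("later message, real key:      " + v.verify(msg, mac(realKey, msg)));
        System.out.println("later message, empty key:     " + v.verify(msg, mac(emptyKey, msg)));
    }
}
```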