[jcifs] Re: SMB Signing
eglass1 at comcast.net
eglass1 at comcast.net
Mon Sep 8 18:19:55 EST 2003
> However, I think we should move most of this into SmbSession. For one,
> it's not clear to me that initSigning() should be called more than once
> for each session. We can add an SmbSession member to the
> ServerMessageBlock class that get's set in
> SmbSession.send()/sendTransaction() to 'this' session. That way we can
> access the session from within SmbTransport through req.session and put
> all session specific state there like the macSigningKey, signSequence,
> etc. We could also put the sign and varify routines in there since the NPA
> of interest is a member. We probably don't need the signingLock either.
> Using multiple locks in the transport was the cause of that deadlock we
> had.
>
Sounds okay; you might have to fiddle with it a bit. The signing is *kind of*
per-session, but not really; after the initial setup on the transport (with
the first session setup request) the sequence/key isn't reset until another
NegProt comes in. This gets kind of funky, since we have multiple sessions
over a single transport. The mac signing key is established using the first
user's NTLM response. Subsequent session setup requests (even from other users)
don't reset the mac signing -- it is still done using the first user's key
(which is weird). When a negotiate() happens, the sequence and keys are reset
and initialized using the next session setup.
It also gets strange since multiple threads can be throwing stuff at us (that's
why I put separate sequence counters for signing and verifying; I had a single
counter, but it all fell apart under multithreading because I would get i.e. 2
consecutive requests and lose sequence). The best way to test is to find a
server with signing enabled and send a couple of threads at it with requests
from multiple users, like:
final SmbFile f1 = new SmbFile("smb://DOM;testa:passwd@server/share/dir2/");
final SmbFile f2 = new SmbFile("smb://DOM;testb:pass2@server/share/dir/");
(new Thread() {
public void run() {
try {
f1.listFiles();
f2.listFiles();
f1.listFiles();
f1.listFiles();
f2.listFiles();
} catch (Exception ex) {
ex.printStackTrace();
}
}
}).start();
(new Thread() {
public void run() {
try {
f2.listFiles();
f1.listFiles();
f2.listFiles();
f2.listFiles();
f1.listFiles();
} catch (Exception ex) {
ex.printStackTrace();
}
}
}).start();
If the sequence gets screwed up, you'll get errors pretty quick (either
locally, in the verify() method, or remotely via access exceptions).
> Currently I'm looking closely at docs/todo and thinking about a 0.8
> release. I'll present my objectives on the list in a day or so. I'll add
> this to that.
>
> Mike
Looking forward to it! I've got a couple of minor items I'd like to see,
so I'll see if they make the list.
Eric
More information about the jcifs
mailing list