[PATCH CIFS] use CryptoAPI MD4/MD5

Steven French sfrench at us.ibm.com
Thu Oct 2 04:17:50 GMT 2003





> [Or is converting cifs to the cryptoapi is waste of time? (I hope not :-)]

Converting to the crypto API at first glance seems valuable. It does not
make long-term sense for cifs to use a presumably unoptimized private MD5
routine when there is a common kernel routine which has a better chance of
being optimized - especially important given that signatures will be
enabled on almost all requests and responses when Windows 2003 is the server
(in most cases) and it is a good thing to configure for Samba servers as
well. Might as well call optimized crypto routines. I need to think
through the locking issue you describe though.

Cases to think through are:

Assume near simultaneous requests to the same server with request one
getting mid (multiplex id) = 1 and request two gets the next number e.g.
mid = 2

Case 1) requests are signed out of order (request two is signed first even
though it has a higher mid) but sent in order over TCP
Case 2) request one gets signed before request two but request two gets
sent before request one on the TCP socket

At least case two probably would cause the server to invalidate the frame
due to unexpected signature and drop the session.  I am not convinced I
protect against that properly although even if it did happen the client
code may transparently recover in some cases (by reestablishing the
session).

Lots of locks to choose among - per tcp session or per smb session e.g.

> On Wed, Oct 01, 2003 at 03:30:39PM +0200, Erlend Aasland wrote:
> >  static int cifs_calculate_signature(const struct smb_hdr * cifs_pdu,
const char * key, char * signature)
> [...]
> Eek. How often does this get called?

A lot - if the server is Windows 2003 - once per request and response.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
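
Added example, not part of the original message or of the cifs code: a simplified Python model of case 2 above, assuming SMB1-style signing in which the client consumes a sequence number when it signs and the server checks each frame against the next number it expects. The key, frame layout and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-session-key"  # constructed sample MAC key, not a real one


def sign(key, seq, mid, payload):
    """Build mid || 8-byte signature || payload, signed under sequence number seq."""
    hdr = struct.pack("<H", mid)
    # Assumption: as in SMB1 signing, the sequence number stands in for the
    # signature field while the MD5 is computed over key + message.
    digest = hashlib.md5(key + hdr + struct.pack("<Q", seq) + payload).digest()
    return hdr + digest[:8] + payload


class Client:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def sign_request(self, mid, payload):
        frame = sign(self.key, self.seq, mid, payload)
        self.seq += 2  # seq + 1 is reserved for the matching response
        return frame


class Server:
    def __init__(self, key):
        self.key, self.expected, self.session_up = key, 0, True

    def receive(self, frame):
        """Verify a frame against the expected sequence number; drop the session on mismatch."""
        mid = struct.unpack("<H", frame[:2])[0]
        good = sign(self.key, self.expected, mid, frame[10:])
        if not self.session_up or not hmac.compare_digest(frame, good):
            self.session_up = False
            return False
        self.expected += 2
        return True


def run(send_order):
    """Sign requests mid=1 then mid=2, put them on the wire in send_order."""
    client, server = Client(KEY), Server(KEY)
    frames = {mid: client.sign_request(mid, b"req%d" % mid) for mid in (1, 2)}
    return [server.receive(frames[mid]) for mid in send_order]


if __name__ == "__main__":
    print("sent in signing order:", run([1, 2]))      # both frames verify
    print("case 2, sent out of order:", run([2, 1]))  # first frame fails, session dropped
```

In this model verification succeeds only when frames reach the socket in the order they were signed, which is the property a lock held across both the sign and the send steps would enforce.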



