[PATCH] cifs: ignore everything in SPNEGO blob after mechTypes
Steve French
smfrench at gmail.com
Sun Mar 17 08:37:27 MDT 2013
The existing code is trying to dump the "principal" from the
mechListMic (presumably for debugging) in the SMB negotiate response.
In the trace I looked at Samba server set it to "NONE" - is there a
case where we would ever need that?
On Mon, Mar 11, 2013 at 8:52 AM, Jeff Layton <jlayton at redhat.com> wrote:
> We've had several reports of people attempting to mount Windows 8 shares
> and getting failures with a return code of -EINVAL. The default sec=
> mode changed recently to sec=ntlmssp. With that, we expect and parse a
> SPNEGO blob from the server in the NEGOTIATE reply.
>
> The current decode_negTokenInit function first parses all of the
> mechTypes and then tries to parse the rest of the negTokenInit reply.
> The parser however currently expects a mechListMIC or nothing to follow the
> mechTypes, but Windows 8 puts a mechToken field there instead to carry
> some info for the new NegoEx stuff.
>
> In practice, we don't do anything with the fields after the mechTypes
> anyway so I don't see any real benefit in continuing to parse them.
> This patch just has the kernel ignore the fields after the mechTypes.
> We'll probably need to reinstate some of this if we ever want to support
> NegoEx.
>
> Reported-by: Jason Burgess <jason at jacknife2.dns2go.com>
> Reported-by: Yan Li <elliot.li.tech at gmail.com>
> Signed-off-by: Jeff Layton <jlayton at redhat.com>
> ---
> fs/cifs/asn1.c | 53 +++++------------------------------------------------
> 1 file changed, 5 insertions(+), 48 deletions(-)
>
> diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
> index cfd1ce3..1d36db1 100644
> --- a/fs/cifs/asn1.c
> +++ b/fs/cifs/asn1.c
> @@ -614,53 +614,10 @@ decode_negTokenInit(unsigned char *security_blob, int length,
> }
> }
>
> - /* mechlistMIC */
> - if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
> - /* Check if we have reached the end of the blob, but with
> - no mechListMic (e.g. NTLMSSP instead of KRB5) */
> - if (ctx.error == ASN1_ERR_DEC_EMPTY)
> - goto decode_negtoken_exit;
> - cFYI(1, "Error decoding last part negTokenInit exit3");
> - return 0;
> - } else if ((cls != ASN1_CTX) || (con != ASN1_CON)) {
> - /* tag = 3 indicating mechListMIC */
> - cFYI(1, "Exit 4 cls = %d con = %d tag = %d end = %p (%d)",
> - cls, con, tag, end, *end);
> - return 0;
> - }
> -
> - /* sequence */
> - if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
> - cFYI(1, "Error decoding last part negTokenInit exit5");
> - return 0;
> - } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
> - || (tag != ASN1_SEQ)) {
> - cFYI(1, "cls = %d con = %d tag = %d end = %p (%d)",
> - cls, con, tag, end, *end);
> - }
> -
> - /* sequence of */
> - if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
> - cFYI(1, "Error decoding last part negTokenInit exit 7");
> - return 0;
> - } else if ((cls != ASN1_CTX) || (con != ASN1_CON)) {
> - cFYI(1, "Exit 8 cls = %d con = %d tag = %d end = %p (%d)",
> - cls, con, tag, end, *end);
> - return 0;
> - }
> -
> - /* general string */
> - if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
> - cFYI(1, "Error decoding last part negTokenInit exit9");
> - return 0;
> - } else if ((cls != ASN1_UNI) || (con != ASN1_PRI)
> - || (tag != ASN1_GENSTR)) {
> - cFYI(1, "Exit10 cls = %d con = %d tag = %d end = %p (%d)",
> - cls, con, tag, end, *end);
> - return 0;
> - }
> - cFYI(1, "Need to call asn1_octets_decode() function for %s",
> - ctx.pointer); /* is this UTF-8 or ASCII? */
> -decode_negtoken_exit:
> + /*
> + * We currently ignore anything at the end of the SPNEGO blob after
> + * the mechTypes have been parsed, since none of that info is
> + * used at the moment.
> + */
> return 1;
> }
> --
> 1.7.11.7
>
--
Thanks,
Steve
More information about the samba-technical
mailing list