[PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w]

From: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>


Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
during ntlmssp protocol exchange in one of the bits of the flags field.
If server supports this capability, send NTLM2 key even if signing is not
required on the server.
If the server requires signing, the sesison keys exchanged for NTLMv2
and NTLM2 session security in auth packet of the nlmssp exchange are same.


Signed-off-by: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 fs/cifs/sess.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 7b01d3f..122ad31 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 	/* BB is NTLMV2 session security format easier to use here? */
 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM;
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
 	if (ses->server->secMode &
 			(SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
@@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
 	sec_blob->WorkstationName.MaximumLength = 0;
 	tmp += 2;
 
-	if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
-			!calc_seckey(ses)) {
+	if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
+		((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
+			&& !calc_seckey(ses)) {
 		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
 		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
 		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
-- 
1.6.0.2

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Jeff Layton]

On Wed,  8 Dec 2010 09:41:05 -0600
shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:

> From: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> 
> 
> Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
> during ntlmssp protocol exchange in one of the bits of the flags field.
> If server supports this capability, send NTLM2 key even if signing is not
> required on the server.
> If the server requires signing, the sesison keys exchanged for NTLMv2
> and NTLM2 session security in auth packet of the nlmssp exchange are same.
> 
> 
> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  fs/cifs/sess.c |    7 ++++---
>  1 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 7b01d3f..122ad31 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>  	/* BB is NTLMV2 session security format easier to use here? */
>  	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
>  		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
> -		NTLMSSP_NEGOTIATE_NTLM;
> +		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>  	if (ses->server->secMode &
>  			(SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
>  		flags |= NTLMSSP_NEGOTIATE_SIGN;
> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>  	sec_blob->WorkstationName.MaximumLength = 0;
>  	tmp += 2;
>  
> -	if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
> -			!calc_seckey(ses)) {
> +	if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
> +		((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
		^^^
		You can (and should) eliminate a set of parenthesis here.

> +			&& !calc_seckey(ses)) {
>  		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
>  		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
>  		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);

Other than that, it looks reasonable to me. I'll have to take your
word for it that this is the right thing to do as I find the NTLMSSP
spec really difficult to comprehend.

It also might be nice to add:

    Reported-and-Tested-by: Robbert Kouprie <robbert-C1IQQP51G3M@public.gmane.org>

...since he did help track this down.

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Shirish Pargaonkar]

On Wed, Dec 8, 2010 at 10:06 AM, Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> On Wed,  8 Dec 2010 09:41:05 -0600
> shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>
>> From: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>
>>
>> Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
>> during ntlmssp protocol exchange in one of the bits of the flags field.
>> If server supports this capability, send NTLM2 key even if signing is not
>> required on the server.
>> If the server requires signing, the sesison keys exchanged for NTLMv2
>> and NTLM2 session security in auth packet of the nlmssp exchange are same.
>>
>>
>> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>> ---
>>  fs/cifs/sess.c |    7 ++++---
>>  1 files changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>> index 7b01d3f..122ad31 100644
>> --- a/fs/cifs/sess.c
>> +++ b/fs/cifs/sess.c
>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>>       /* BB is NTLMV2 session security format easier to use here? */
>>       flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
>>               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
>> -             NTLMSSP_NEGOTIATE_NTLM;
>> +             NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>>       if (ses->server->secMode &
>>                       (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
>>               flags |= NTLMSSP_NEGOTIATE_SIGN;
>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>>       sec_blob->WorkstationName.MaximumLength = 0;
>>       tmp += 2;
>>
>> -     if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
>> -                     !calc_seckey(ses)) {
>> +     if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
>> +             ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
>                ^^^
>                You can (and should) eliminate a set of parenthesis here.

Sure.

>
>> +                     && !calc_seckey(ses)) {
>>               memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
>>               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
>>               sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
>
> Other than that, it looks reasonable to me. I'll have to take your
> word for it that this is the right thing to do as I find the NTLMSSP
> spec really difficult to comprehend.
>
> It also might be nice to add:
>
>    Reported-and-Tested-by: Robbert Kouprie <robbert-C1IQQP51G3M@public.gmane.org>
>
> ...since he did help track this down.
>
> --
> Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
>

Sure, I will respin it. Sorry for the omission Robbert.

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Shirish Pargaonkar]

On Wed, Dec 8, 2010 at 10:33 AM, Shirish Pargaonkar
<shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Wed, Dec 8, 2010 at 10:06 AM, Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
>> On Wed,  8 Dec 2010 09:41:05 -0600
>> shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>>
>>> From: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>
>>>
>>> Indicate to the server a capability of NTLM2 session security (NTLM2 Key)
>>> during ntlmssp protocol exchange in one of the bits of the flags field.
>>> If server supports this capability, send NTLM2 key even if signing is not
>>> required on the server.
>>> If the server requires signing, the sesison keys exchanged for NTLMv2
>>> and NTLM2 session security in auth packet of the nlmssp exchange are same.
>>>
>>>
>>> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>> ---
>>>  fs/cifs/sess.c |    7 ++++---
>>>  1 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>> index 7b01d3f..122ad31 100644
>>> --- a/fs/cifs/sess.c
>>> +++ b/fs/cifs/sess.c
>>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>>>       /* BB is NTLMV2 session security format easier to use here? */
>>>       flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
>>>               NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
>>> -             NTLMSSP_NEGOTIATE_NTLM;
>>> +             NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>>>       if (ses->server->secMode &
>>>                       (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
>>>               flags |= NTLMSSP_NEGOTIATE_SIGN;
>>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>>>       sec_blob->WorkstationName.MaximumLength = 0;
>>>       tmp += 2;
>>>
>>> -     if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
>>> -                     !calc_seckey(ses)) {
>>> +     if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
>>> +             ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)))
>>                ^^^
>>                You can (and should) eliminate a set of parenthesis here.
>
> Sure.
>
>>
>>> +                     && !calc_seckey(ses)) {
>>>               memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
>>>               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
>>>               sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
>>
>> Other than that, it looks reasonable to me. I'll have to take your
>> word for it that this is the right thing to do as I find the NTLMSSP
>> spec really difficult to comprehend.
>>

Yes. It is very confusing.  One of these days, I am planning to go through
all the flags that cifs client sends during ntlmssp negotiation stage (type 1).
I think flags do not matter when client sends authentication request (type 3).
To verify, I set flags field to 0x0 in type 3 packet and both sec=ntlmssp and
sec=ntlmsspi, were successful on a Windows 2003 Server Windows 7, and
Windows 2008 Server.

So we just have to get flags right in ntlmssp negotiate packet (type 1) that
client sends and send things according to capabilities that server returned in
flags in ntlmssp challenge packet (type 2), in ntlmssp authentication packet
(type 3).

>> It also might be nice to add:
>>
>>    Reported-and-Tested-by: Robbert Kouprie <robbert-C1IQQP51G3M@public.gmane.org>
>>
>> ...since he did help track this down.
>>
>> --
>> Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
>>
>
> Sure, I will respin it. Sorry for the omission Robbert.
>

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Robbert Kouprie]

Also,

Op 8-12-2010 18:28, Shirish Pargaonkar schreef:
> On Wed, Dec 8, 2010 at 10:33 AM, Shirish Pargaonkar

>>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>>> index 7b01d3f..122ad31 100644
>>>> --- a/fs/cifs/sess.c
>>>> +++ b/fs/cifs/sess.c
>>>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,

(...)

>>>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,

The patch you sent me (and which I tested successfully) had an extra
hunk in it:

@@ -477,7 +477,7 @@ static int build_ntlmssp_auth_blob(unsigned char
*pbuffer,
        flags = NTLMSSP_NEGOTIATE_56 |
                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-               NTLMSSP_NEGOTIATE_NTLM;
+               NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
        if (ses->server->secMode &
           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
                flags |= NTLMSSP_NEGOTIATE_SIGN;

Is it your intent to leave out this hunk?

Regards,
Robbert

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Shirish Pargaonkar]

On Wed, Dec 8, 2010 at 12:16 PM, Robbert Kouprie <robbert-C1IQQP51G3M@public.gmane.org> wrote:
> Also,
>
> Op 8-12-2010 18:28, Shirish Pargaonkar schreef:
>> On Wed, Dec 8, 2010 at 10:33 AM, Shirish Pargaonkar
>
>>>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>>>> index 7b01d3f..122ad31 100644
>>>>> --- a/fs/cifs/sess.c
>>>>> +++ b/fs/cifs/sess.c
>>>>> @@ -437,7 +437,7 @@ static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
>
> (...)
>
>>>>> @@ -544,8 +544,9 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
>
> The patch you sent me (and which I tested successfully) had an extra
> hunk in it:
>
> @@ -477,7 +477,7 @@ static int build_ntlmssp_auth_blob(unsigned char
> *pbuffer,
>        flags = NTLMSSP_NEGOTIATE_56 |
>                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
>                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
> -               NTLMSSP_NEGOTIATE_NTLM;
> +               NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
>        if (ses->server->secMode &
>           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
>                flags |= NTLMSSP_NEGOTIATE_SIGN;
>
> Is it your intent to leave out this hunk?

Yes, it does not matter whether that flag bit exists or not in ntlmssp
auth packet (type 3).

>
> Regards,
> Robbert
>

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Robbert Kouprie]

Op 8-12-2010 19:53, Shirish Pargaonkar schreef:
>> Is it your intent to leave out this hunk?
> 
> Yes, it does not matter whether that flag bit exists or not in ntlmssp
> auth packet (type 3).

FWIW, I just verified this on my side. It still works without this hunk.

Regards,
Robbert

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Robbert Kouprie]

Ahem,

>> Yes, it does not matter whether that flag bit exists or not in ntlmssp
>> auth packet (type 3).
>
> FWIW, I just verified this on my side. It still works without this hunk.

Not sure what I smoked yesterday, but yesterday's conclusion is NOT 
correct.

I actually do need the NTLM2 flag in the AUTH packet as well as the 
NEGOTIATE packet, so I do need the extra hunk of the patch that you left 
out when you submitted it to the list.

Regards,
Robbert

Re: [PATCH] cifs: Support NTLM2 session security during NTLMSSP authentication

[Shirish Pargaonkar]

On Thu, Dec 9, 2010 at 6:56 AM, Robbert Kouprie <robbert-C1IQQP51G3M@public.gmane.org> wrote:
> Ahem,
>
>>> Yes, it does not matter whether that flag bit exists or not in ntlmssp
>>> auth packet (type 3).
>>
>> FWIW, I just verified this on my side. It still works without this hunk.
>
> Not sure what I smoked yesterday, but yesterday's conclusion is NOT correct.
>
> I actually do need the NTLM2 flag in the AUTH packet as well as the
> NEGOTIATE packet, so I do need the extra hunk of the patch that you left out
> when you submitted it to the list.
>
> Regards,
> Robbert
>

Robbert, can you send me the wireshark trace of the failing session setup
(auth failure)?  I will go through MS-NLMP document also to see what it says
about the flags in all three types of packets in ntlmssp exchange.

Regards,

Shirish