* [PATCH v1] cifs: use server timestamp for ntlmv2 authentication
@ 2015-09-17 19:40 Peter Seiderer
2015-09-17 23:39 ` Steven French
[not found] ` <CAH2r5mu7Xb1zYyrgxWsq3yYDjtAT3H5zWvhA2V4RLj-tfGpv+A@mail.gmail.com>
0 siblings, 2 replies; 4+ messages in thread
From: Peter Seiderer @ 2015-09-17 19:40 UTC (permalink / raw)
To: linux-kernel; +Cc: Steve French, linux-cifs, samba-technical
Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
10.10.5) share fails in case the clocks differ more than +/-2h:
digest-service: digest-request: od failed with 2 proto=ntlmv2
digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2
Fix this by (re-)using the given server timestamp for the
ntlmv2 authentication (as Windows 7 does).
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
fs/cifs/cifsencrypt.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index aa0dc25..e6bfa92 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -444,6 +444,48 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
return 0;
}
+/* Server has provided av pairs/target info in the type 2 challenge
+ * packet and we have plucked it and stored within smb session.
+ * We parse that blob here to find the server given timestamp
+ * as part of ntlmv2 authentication (or local current time as
+ * default in case of failure)
+ */
+static u64
+find_timestamp(struct cifs_ses *ses)
+{
+ unsigned int attrsize;
+ unsigned int type;
+ unsigned int onesize = sizeof(struct ntlmssp2_name);
+ unsigned char *blobptr;
+ unsigned char *blobend;
+ struct ntlmssp2_name *attrptr;
+
+ if (!ses->auth_key.len || !ses->auth_key.response)
+ return 0;
+
+ blobptr = ses->auth_key.response;
+ blobend = blobptr + ses->auth_key.len;
+
+ while (blobptr + onesize < blobend) {
+ attrptr = (struct ntlmssp2_name *) blobptr;
+ type = le16_to_cpu(attrptr->type);
+ if (type == NTLMSSP_AV_EOL)
+ break;
+ blobptr += 2; /* advance attr type */
+ attrsize = le16_to_cpu(attrptr->length);
+ blobptr += 2; /* advance attr size */
+ if (blobptr + attrsize > blobend)
+ break;
+ if (type == NTLMSSP_AV_TIMESTAMP) {
+ if (attrsize == sizeof(u64))
+ return *((u64 *)blobptr);
+ }
+ blobptr += attrsize; /* advance attr value */
+ }
+
+ return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
+}
+
static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash,
const struct nls_table *nls_cp)
{
@@ -641,6 +683,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
struct ntlmv2_resp *ntlmv2;
char ntlmv2_hash[16];
unsigned char *tiblob = NULL; /* target info blob */
+ u64 rsp_timestamp;
if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) {
if (!ses->domainName) {
@@ -659,6 +702,12 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
}
}
+ /* Must be within 5 minutes of the server (or in range +/-2h
+ * in case of Mac OS X), so simply carry over server timestamp
+ * (as Windows 7 does)
+ */
+ rsp_timestamp = find_timestamp(ses);
+
baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp);
tilen = ses->auth_key.len;
tiblob = ses->auth_key.response;
@@ -675,8 +724,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
(ses->auth_key.response + CIFS_SESS_KEY_SIZE);
ntlmv2->blob_signature = cpu_to_le32(0x00000101);
ntlmv2->reserved = 0;
- /* Must be within 5 minutes of the server */
- ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
+ ntlmv2->time = rsp_timestamp;
+
get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal));
ntlmv2->reserved2 = 0;
--
2.1.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v1] cifs: use server timestamp for ntlmv2 authentication
2015-09-17 19:40 [PATCH v1] cifs: use server timestamp for ntlmv2 authentication Peter Seiderer
@ 2015-09-17 23:39 ` Steven French
[not found] ` <CAH2r5mu7Xb1zYyrgxWsq3yYDjtAT3H5zWvhA2V4RLj-tfGpv+A@mail.gmail.com>
1 sibling, 0 replies; 4+ messages in thread
From: Steven French @ 2015-09-17 23:39 UTC (permalink / raw)
To: Peter Seiderer; +Cc: linux-kernel, linux-cifs, samba-technical
Nice catch.
Merged into cifs-2.6.git for next
> On Sep 17, 2015, at 2:40 PM, Peter Seiderer <ps.report@gmx.net> wrote:
>
> Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
> 10.10.5) share fails in case the clocks differ more than +/-2h:
>
> digest-service: digest-request: od failed with 2 proto=ntlmv2
> digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2
>
> Fix this by (re-)using the given server timestamp for the
> ntlmv2 authentication (as Windows 7 does).
>
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
> fs/cifs/cifsencrypt.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 51 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
> index aa0dc25..e6bfa92 100644
> --- a/fs/cifs/cifsencrypt.c
> +++ b/fs/cifs/cifsencrypt.c
> @@ -444,6 +444,48 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
> return 0;
> }
>
> +/* Server has provided av pairs/target info in the type 2 challenge
> + * packet and we have plucked it and stored within smb session.
> + * We parse that blob here to find the server given timestamp
> + * as part of ntlmv2 authentication (or local current time as
> + * default in case of failure)
> + */
> +static u64
> +find_timestamp(struct cifs_ses *ses)
> +{
> + unsigned int attrsize;
> + unsigned int type;
> + unsigned int onesize = sizeof(struct ntlmssp2_name);
> + unsigned char *blobptr;
> + unsigned char *blobend;
> + struct ntlmssp2_name *attrptr;
> +
> + if (!ses->auth_key.len || !ses->auth_key.response)
> + return 0;
> +
> + blobptr = ses->auth_key.response;
> + blobend = blobptr + ses->auth_key.len;
> +
> + while (blobptr + onesize < blobend) {
> + attrptr = (struct ntlmssp2_name *) blobptr;
> + type = le16_to_cpu(attrptr->type);
> + if (type == NTLMSSP_AV_EOL)
> + break;
> + blobptr += 2; /* advance attr type */
> + attrsize = le16_to_cpu(attrptr->length);
> + blobptr += 2; /* advance attr size */
> + if (blobptr + attrsize > blobend)
> + break;
> + if (type == NTLMSSP_AV_TIMESTAMP) {
> + if (attrsize == sizeof(u64))
> + return *((u64 *)blobptr);
> + }
> + blobptr += attrsize; /* advance attr value */
> + }
> +
> + return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
> +}
> +
> static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash,
> const struct nls_table *nls_cp)
> {
> @@ -641,6 +683,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
> struct ntlmv2_resp *ntlmv2;
> char ntlmv2_hash[16];
> unsigned char *tiblob = NULL; /* target info blob */
> + u64 rsp_timestamp;
>
> if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) {
> if (!ses->domainName) {
> @@ -659,6 +702,12 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
> }
> }
>
> + /* Must be within 5 minutes of the server (or in range +/-2h
> + * in case of Mac OS X), so simply carry over server timestamp
> + * (as Windows 7 does)
> + */
> + rsp_timestamp = find_timestamp(ses);
> +
> baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp);
> tilen = ses->auth_key.len;
> tiblob = ses->auth_key.response;
> @@ -675,8 +724,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
> (ses->auth_key.response + CIFS_SESS_KEY_SIZE);
> ntlmv2->blob_signature = cpu_to_le32(0x00000101);
> ntlmv2->reserved = 0;
> - /* Must be within 5 minutes of the server */
> - ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
> + ntlmv2->time = rsp_timestamp;
> +
> get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal));
> ntlmv2->reserved2 = 0;
>
> --
> 2.1.4
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] cifs: use server timestamp for ntlmv2 authentication
[not found] ` <CAH2r5mu7Xb1zYyrgxWsq3yYDjtAT3H5zWvhA2V4RLj-tfGpv+A@mail.gmail.com>
@ 2015-09-18 3:49 ` Steve French
2015-09-21 19:06 ` Peter Seiderer
0 siblings, 1 reply; 4+ messages in thread
From: Steve French @ 2015-09-18 3:49 UTC (permalink / raw)
To: Peter Seiderer; +Cc: samba-technical, LKML, linux-cifs@vger.kernel.org
Corrected endian error and repushed
https://git.samba.org/?p=sfrench/cifs-2.6.git;a=patch;h=79a5296f14b26ac8644239286ffd7a62dbbc385e
On Thu, Sep 17, 2015 at 6:41 PM, Steve French <smfrench@gmail.com> wrote:
> Nice catch.
>
> Merged into cifs-2.6.git for-next
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] cifs: use server timestamp for ntlmv2 authentication
2015-09-18 3:49 ` Steve French
@ 2015-09-21 19:06 ` Peter Seiderer
0 siblings, 0 replies; 4+ messages in thread
From: Peter Seiderer @ 2015-09-21 19:06 UTC (permalink / raw)
To: Steve French; +Cc: samba-technical, LKML, linux-cifs@vger.kernel.org
Hello Steve,
On Thu, 17 Sep 2015 22:49:54 -0500, Steve French <smfrench@gmail.com> wrote:
> Corrected endian error and repushed
>
> https://git.samba.org/?p=sfrench/cifs-2.6.git;a=patch;h=79a5296f14b26ac8644239286ffd7a62dbbc385e
>
Many thanks for fixing the endianissue (next time I will try out your
sparse compile hint)...
Regards,
Peter
> On Thu, Sep 17, 2015 at 6:41 PM, Steve French <smfrench@gmail.com> wrote:
> > Nice catch.
> >
> > Merged into cifs-2.6.git for-next
>
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-09-21 19:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-17 19:40 [PATCH v1] cifs: use server timestamp for ntlmv2 authentication Peter Seiderer
2015-09-17 23:39 ` Steven French
[not found] ` <CAH2r5mu7Xb1zYyrgxWsq3yYDjtAT3H5zWvhA2V4RLj-tfGpv+A@mail.gmail.com>
2015-09-18 3:49 ` Steve French
2015-09-21 19:06 ` Peter Seiderer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox