From: Felix Schumacher Date: Wed, 6 Aug 2008 14:13:12 +0000 (+0200) Subject: jcifs-0.7.19 from tgz X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=af20818637a20ba738be8337a4c4b7dd1a47710a;p=jcifs_without_docs.git jcifs-0.7.19 from tgz Mon Jan 19 22:06:54 EST 2004 jcifs-0.7.19 released It was discovered that SmbComNTCreateAndX as well as SmbComReadAndX commands did not calculate MAC response signatures properly. In one case a field was not properly decoded, and in the other the payload, which is read directly from the stream into the supplied buffer as an optimization, was not being properly factored into the signature. These issues have been fixed. --- diff --git a/CHANGES.txt b/CHANGES.txt index 5d419e8..e3efec8 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -1,3 +1,36 @@ +Mon Jan 19 22:06:54 EST 2004 +jcifs-0.7.19 released + +It was discovered that SmbComNTCreateAndX as well as SmbComReadAndx +commands did not calculate MAC response signitures properly. In one case a +field was not properly decoded and in the case of reading the payload, +which is read directly from the stream into the supplied buffer as an +optimization, was not being properly factored into the signature. These +issues have been fixed. + +Wed Jan 7 19:24:59 EST 2004 +jcifs-0.7.18 released + +Only SMBs that follow authentication need to be actually signed if SMB +signing is enabled. Because it was assumed that SMBs would follow +authentication an Exception was coded to be thrown if password hashes are +determined to be inadiquate to generate a MAC signing key. However because +the NTLM HTTP Filter does not send additional SMBs, signing will never +actually occur. The Exception is only generated if the password hashes are +"externel" (meaning from the NTLM HTTP Filter) but this is precisely the +case where signing will never occur. Therefore, the Exception coded to +detect external password hashes has been removed so that additional SMBs +will generate a signing error but the NTLM HTTP Filter will be permitted to +proceed without error. + +The NtlmPasswordAuthencation class has also been made Serializable to +permit certain containers to serialize the state of an HTTP session. It is +not known however if the client will seamlessly re-authenticate when the +NPA is de-serialized and discovered to be invalid. Regardless, the Filter +will now work with these containers albeit possibly not to their greatest +potential. + + Tue Dec 23 03:43:15 EST 2003 jcifs-0.7.17 released diff --git a/README.txt b/README.txt index cd8f416..99b8927 100644 --- a/README.txt +++ b/README.txt 
@@ -1,3 +1,17 @@ +Mon Jan 19 22:06:54 EST 2004 +jcifs-0.7.19 released + +SMB signature varification was not working properly and has been fixed. + +Wed Jan 7 19:24:59 EST 2004 +jcifs-0.7.18 released + +The NTLM HTTP Authentication Filter should now work with domain controllers +that negotiate signing as well as without generating the benign "exception +reading from socket input" Exception. Also, the NtlmPasswordAuthentication +class is now Serializable to increase compatability with certain Servlet +containers. + Tue Dec 23 03:43:15 EST 2003 jcifs-0.7.17 released diff --git a/build.xml b/build.xml index 508df84..872fbea 100644 --- a/build.xml +++ b/build.xml @@ -66,24 +66,24 @@ - + - + - - - + + + - + - + diff --git a/src/jcifs/smb/NtlmPasswordAuthentication.java b/src/jcifs/smb/NtlmPasswordAuthentication.java index d5650de..e6c02e6 100644 --- a/src/jcifs/smb/NtlmPasswordAuthentication.java +++ b/src/jcifs/smb/NtlmPasswordAuthentication.java @@ -23,6 +23,7 @@ import jcifs.util.DES; import jcifs.util.MD4; import jcifs.util.HMACT64; import java.io.UnsupportedEncodingException; +import java.io.Serializable; import java.security.Principal; import java.util.Random; import java.util.Arrays; @@ -38,7 +39,7 @@ import jcifs.Config; * NtlmAuthenticator for related information. */ -public final class NtlmPasswordAuthentication implements Principal { +public final class NtlmPasswordAuthentication implements Principal, Serializable { private static final int LM_COMPATIBILITY = Config.getInt("jcifs.smb.lmCompatibility", 0); diff --git a/src/jcifs/smb/SmbComNTCreateAndXResponse.java b/src/jcifs/smb/SmbComNTCreateAndXResponse.java index 74a24df..20482b4 100644 --- a/src/jcifs/smb/SmbComNTCreateAndXResponse.java +++ b/src/jcifs/smb/SmbComNTCreateAndXResponse.java 
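Review bot: Making `NtlmPasswordAuthentication` implement `Serializable` lets a container write whatever credential state the class holds into its session store, so the changed declaration `public final class NtlmPasswordAuthentication implements Principal, Serializable` needs an explicit decision about which fields are persisted. The fields are outside this hunk, but the class imports DES, MD4 and HMACT64 and SmbTransport reads `auth.hashesExternal`, so it presumably carries a password or password hashes. Those would normally be marked `transient` or handled in a custom `writeObject`, so that a persisted or replicated HTTP session does not store them. Adding `private static final long serialVersionUID = 1L;` (value is a placeholder) would also keep the serialized form stable across releases. The changelog in this commit says that behaviour after de-serialization is unknown, which deserves a sentence in the class Javadoc.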
@@ -67,6 +67,8 @@ class SmbComNTCreateAndXResponse extends AndXServerMessageBlock { bufferIndex += 8; changeTime = readTime( buffer, bufferIndex ); bufferIndex += 8; +/* file attributes */ +bufferIndex += 4; allocationSize = readLong( buffer, bufferIndex ); bufferIndex += 8; endOfFile = readLong( buffer, bufferIndex ); diff --git a/src/jcifs/smb/SmbTransport.java b/src/jcifs/smb/SmbTransport.java index d66a059..cabd7da 100644 --- a/src/jcifs/smb/SmbTransport.java +++ b/src/jcifs/smb/SmbTransport.java @@ -404,7 +404,7 @@ synchronized( rcv_buf ) { if( response.errorCode != 0 || e.hasMoreElements() == false ) { ((SmbComTransactionResponse)response).hasMore = false; if( useSigning ) { - response.verifyFailed = verify(rcv_buf, 0, response.length, response.verifySequence); + response.verifyFailed = verify(rcv_buf, 0, response); } response.notify(); } else { @@ -422,7 +422,8 @@ synchronized( rcv_buf ) { } Log.printHexDump( "smb received", rcv_buf, 0, response.length ); if( useSigning ) { - response.verifyFailed = verify(rcv_buf, 0, response.length, response.verifySequence); + int length = response.length; + response.verifyFailed = verify(rcv_buf, 0, response); } response.notify(); @@ -453,10 +454,6 @@ synchronized( rcv_buf ) { void initSigning(NtlmPasswordAuthentication auth) throws SmbException { if( auth.hashesExternal ) { - if( server.signaturesRequired ) { - throw new SmbException( SmbException.ERRCLI, SmbException.ERRioe, - "Signing is required by the server but passwords are external." ); - } useSigning = false; return; } 
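Review bot: The added `bufferIndex += 4;` in SmbComNTCreateAndXResponse steps over a field with only the comment `/* file attributes */`, which does not tell a maintainer why the skip matters. I would expand it to `/* skip the 4-byte file attributes field, which is not decoded here; without this step allocationSize and endOfFile are read from the wrong offsets */`. The enclosing decode method starts and ends outside the hunk, so whether the buffer is known to hold these bytes cannot be checked from here.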
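Review bot: In the second SmbTransport.java call site (the hunk at new line 422) the added `int length = response.length;` is never read, because the following line is `response.verifyFailed = verify(rcv_buf, 0, response);` and the `if( useSigning )` block closes right after it. The declaration should be dropped. The first call site at line 404 was changed the same way without this local, so removing it also makes the two sites identical. The surrounding `synchronized( rcv_buf )` block starts and ends outside the hunk.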
@@ -536,17 +533,26 @@ synchronized( rcv_buf ) { * @param offset The starting offset at which the SMB header begins. * @param length The length of the SMB data starting at offset. */ - private boolean verify(byte[] data, int offset, int length, int verifySequence) throws IOException { + private boolean verify(byte[] data, int offset, ServerMessageBlock response) throws IOException { if (macSigningKey == null) return false; signingDigest.update(macSigningKey); int index = offset; signingDigest.update(data, index, ServerMessageBlock.SIGNATURE_OFFSET); index += ServerMessageBlock.SIGNATURE_OFFSET; byte[] sequence = new byte[8]; - ServerMessageBlock.writeInt4(verifySequence, sequence, 0); + ServerMessageBlock.writeInt4(response.verifySequence, sequence, 0); signingDigest.update(sequence); index += 8; - signingDigest.update(data, index, length - ServerMessageBlock.SIGNATURE_OFFSET - 8); + if( response.command == ServerMessageBlock.SMB_COM_READ_ANDX ) { + /* SmbComReadAndXResponse reads directly from the stream into separate byte[] b. + */ + SmbComReadAndXResponse raxr = (SmbComReadAndXResponse)response; + int length = response.length - raxr.dataLength; + signingDigest.update(data, index, length - ServerMessageBlock.SIGNATURE_OFFSET - 8); + signingDigest.update(raxr.b, raxr.off, raxr.dataLength); + } else { + signingDigest.update(data, index, response.length - ServerMessageBlock.SIGNATURE_OFFSET - 8); + } byte[] signature = signingDigest.digest(); for (int i = 0; i < 8; i++) { if (signature[i] != data[offset + ServerMessageBlock.SIGNATURE_OFFSET + i]) { 
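Review bot: In the new `SMB_COM_READ_ANDX` branch, `raxr.dataLength` sizes both digest updates without any range check. If that value is taken from the response on the wire (its decoding is not shown here), a peer can make `response.length - raxr.dataLength - ServerMessageBlock.SIGNATURE_OFFSET - 8` negative or push `raxr.off + raxr.dataLength` past the end of `raxr.b`. Verification would then end in an unchecked exception from `signingDigest.update` on the receive path rather than a reported signature failure. A guard placed before the first `signingDigest.update` call, such as `if( raxr.dataLength < 0 || raxr.dataLength > response.length - ServerMessageBlock.SIGNATURE_OFFSET - 8 ) throw new IOException( "invalid ReadAndX data length" );`, rejects the message before any digest state is touched. The cast to `SmbComReadAndXResponse` also relies on `response.command` alone, so an `instanceof` test would be safer; verify's body continues outside this hunk.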
@@ -556,10 +562,10 @@ synchronized( rcv_buf ) { index = offset; signingDigest.update(data, index, ServerMessageBlock.SIGNATURE_OFFSET); index += ServerMessageBlock.SIGNATURE_OFFSET; - ServerMessageBlock.writeInt4(verifySequence, sequence, 0); + ServerMessageBlock.writeInt4(response.verifySequence, sequence, 0); signingDigest.update(sequence); index += 8; - signingDigest.update(data, index, length - ServerMessageBlock.SIGNATURE_OFFSET - 8); + signingDigest.update(data, index, response.length - ServerMessageBlock.SIGNATURE_OFFSET - 8); signature = signingDigest.digest(); for (i = 0; i < 8; i++) { if (signature[i] != data[offset + ServerMessageBlock.SIGNATURE_OFFSET + i]) {
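Review bot: The second digest pass in this hunk still hashes `response.length - ServerMessageBlock.SIGNATURE_OFFSET - 8` bytes from `data` for every command, so it does not apply the `SMB_COM_READ_ANDX` split that the previous hunk added to the first pass. The first pass subtracts `raxr.dataLength` from `response.length`, so that length apparently includes the payload held in `raxr.b`. For a ReadAndX response this pass would therefore digest whatever follows the header in the receive buffer and may run past the bytes actually received. Moving the branch into one private helper and calling it from both passes, e.g. `updateBody( data, index, response );` (the name is only a suggestion), keeps the two passes consistent. The rest of verify lies outside the hunk.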