Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c16fefa5 authored by Steve French's avatar Steve French
Browse files

[CIFS] distinguish between Kerberos and MSKerberos in upcall 



Properly handle MSKRB5 by passing sec=mskrb5 to the upcall so that the
spengo blob can be generated appropriately. Also, make
decode_negTokenInit prefer whichever mechanism is first in the list.

Needed for some NetApp servers, and possibly some older
versions of Windows which treat the two KRB5 mechanisms differently.

Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent cb7691b6

fs/cifs/asn1.c

+8 −3
Original line number Diff line number Diff line
@@ -476,6 +476,7 @@ decode_negTokenInit(unsigned char *security_blob, int length, 
	unsigned int cls, con, tag, oidlen, rc;

	bool use_ntlmssp = false;

	bool use_kerberos = false;

	bool use_mskerberos = false;



	*secType = NTLM; /* BB eventually make Kerberos or NLTMSSP the default*/
@@ -574,10 +575,12 @@ decode_negTokenInit(unsigned char *security_blob, int length, 
					 *(oid + 1), *(oid + 2), *(oid + 3)));



				if (compare_oid(oid, oidlen, MSKRB5_OID,

						MSKRB5_OID_LEN))

					use_kerberos = true;

						MSKRB5_OID_LEN) &&

						!use_kerberos)

					use_mskerberos = true;

				else if (compare_oid(oid, oidlen, KRB5_OID,

						     KRB5_OID_LEN))

						     KRB5_OID_LEN) &&

						     !use_mskerberos)

					use_kerberos = true;

				else if (compare_oid(oid, oidlen, NTLMSSP_OID,

						     NTLMSSP_OID_LEN))
@@ -630,6 +633,8 @@ decode_negTokenInit(unsigned char *security_blob, int length, 


	if (use_kerberos)

		*secType = Kerberos;

	else if (use_mskerberos)

		*secType = MSKerberos;

	else if (use_ntlmssp)

		*secType = NTLMSSP;

fs/cifs/cifs_spnego.c

+3 −1
Original line number Diff line number Diff line
@@ -114,9 +114,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo) 


	dp = description + strlen(description);



	/* for now, only sec=krb5 is valid */

	/* for now, only sec=krb5 and sec=mskrb5 are valid */

	if (server->secType == Kerberos)

		sprintf(dp, ";sec=krb5");

	else if (server->secType == MSKerberos)

		sprintf(dp, ";sec=mskrb5");

	else

		goto out;

fs/cifs/cifsglob.h

+2 −1
Original line number Diff line number Diff line
@@ -80,7 +80,8 @@ enum securityEnum { 
	NTLMv2,			/* Legacy NTLM auth with NTLMv2 hash */

	RawNTLMSSP,		/* NTLMSSP without SPNEGO */

	NTLMSSP,		/* NTLMSSP via SPNEGO */

	Kerberos		/* Kerberos via SPNEGO */

	Kerberos,		/* Kerberos via SPNEGO */

	MSKerberos,		/* MS Kerberos via SPNEGO */

};



enum protocolEnum {

fs/cifs/sess.c

+1 −1
Original line number Diff line number Diff line
@@ -505,7 +505,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time, 
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);

		} else

			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);

	} else if (type == Kerberos) {

	} else if (type == Kerberos || type == MSKerberos) {

#ifdef CONFIG_CIFS_UPCALL

		struct cifs_spnego_msg *msg;

		spnego_key = cifs_get_spnego_key(ses);