From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E75DC4338F for ; Fri, 20 Aug 2021 06:08:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5513060FDC for ; Fri, 20 Aug 2021 06:08:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238071AbhHTGJ3 (ORCPT ); Fri, 20 Aug 2021 02:09:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237102AbhHTGJ3 (ORCPT ); Fri, 20 Aug 2021 02:09:29 -0400 Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DBDFC061575 for ; Thu, 19 Aug 2021 23:08:51 -0700 (PDT) Received: by mail-lf1-x135.google.com with SMTP id i9so18136019lfg.10 for ; Thu, 19 Aug 2021 23:08:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lyqYJijj14SanfJS8R76Ep6LaB9qcrzjMw1GpNwlwCk=; b=IFR6lRmq+nwgOwrGu6GSWySJ5yGAFC1eErTFh8dvgw9Z4+ZCwI5ZS78TwGiHNrIpZI wKyGXltnc7E40vh3dOQaqSXbJDxKKVzs+rntZV3oBJpJjIWigNoh7v+HuHRgkcb1jQYX kqO0I/hWGZ+HnWGcvCKjBhndxyjv/rftYE4eOHUu6smM784AIErh0Yf9P2cIMtbVq2Li 2HsEAYY3r7X/RiysFoPMLsAgHtph+ymneb97bYilmixqdwlLC901PZvMDkGCRhslcwQt k+kRmMKAG5t6zERaC6kLcr4ltX0Kg5Ku5XYM+5nDV8rYtZUBO5ht0UixqNdYXaqrJBJF 3QBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lyqYJijj14SanfJS8R76Ep6LaB9qcrzjMw1GpNwlwCk=; b=DXjLlYzl9ZI2dq4vXeC1kdPL4SnRhZID1OFlqPUvAnaO3XxXBFw/Bp+RKZ7vCPrDex xk4A+4DFtlJZ2rosaIzI/d/UUY3sRLGoQnNbDQs678IYUMrhiilwpF2gG283N+5tD8bP L33+XqW6ojhtmZ80+jy/pfCJOoN6QqgYy8FDTI9S4psW1K08pj3DzBy4N/jyH/vQPwsD TnK4eAjPeQ1ApJwb/w0J8+UHFLYl6NE5mr9phedIlB0W2TnyJXAujlaI2R23KsQ21chd zYbskp2zJVMYoxmHI8XzbUA/rYiUovEy09yHtUmaopM3M50et49sMXCL66woD9dnV6Yt Em3w== X-Gm-Message-State: AOAM533IE3djFA/MROxUOX16zzFFu1be1311/X8PmsM+kA+F91wSd2g+ mJJvgOL8f5lifvfDT/4jP0VQZxqZsG/BO7nUFLQ= X-Google-Smtp-Source: ABdhPJz0whR3K3gNNHXUAxqSyvLVeWtDJISolxY2Q8QHDF24kEL+Cqz0rtRggOZxwQT4gbSDAtLDRcoDupuEGfOMYQg= X-Received: by 2002:a19:c796:: with SMTP id x144mr13298652lff.395.1629439729499; Thu, 19 Aug 2021 23:08:49 -0700 (PDT) MIME-Version: 1.0 References: <20210819103459.1291412-1-lsahlber@redhat.com> <20210819103459.1291412-2-lsahlber@redhat.com> In-Reply-To: <20210819103459.1291412-2-lsahlber@redhat.com> From: Steve French Date: Fri, 20 Aug 2021 01:08:38 -0500 Message-ID: Subject: Re: [PATCH 1/2] cifs: remove support for NTLM and weaker authentication algorithms To: Ronnie Sahlberg Cc: linux-cifs Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org tentatively merged into cifs-2.6.git for-next, along with followon patch, pending additional review and testing On Thu, Aug 19, 2021 at 5:35 AM Ronnie Sahlberg wrote: > > for SMB1. > This removes the dependency to DES. > > Signed-off-by: Ronnie Sahlberg > --- > fs/cifs/Kconfig | 28 ----- > fs/cifs/cifs_debug.c | 11 -- > fs/cifs/cifs_swn.c | 2 - > fs/cifs/cifsencrypt.c | 81 -------------- > fs/cifs/cifsfs.c | 6 - > fs/cifs/cifsglob.h | 32 +----- > fs/cifs/cifspdu.h | 28 ----- > fs/cifs/cifsproto.h | 10 -- > fs/cifs/cifssmb.c | 106 +----------------- > fs/cifs/connect.c | 32 ------ > fs/cifs/fs_context.c | 14 --- > fs/cifs/fs_context.h | 3 - > fs/cifs/sess.c | 255 +----------------------------------------- > fs/cifs/smbencrypt.c | 117 +------------------ > 14 files changed, 5 insertions(+), 720 deletions(-) > > diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig > index 7364950a9ef4..2e8b132efdbc 100644 > --- a/fs/cifs/Kconfig > +++ b/fs/cifs/Kconfig > @@ -16,7 +16,6 @@ config CIFS > select CRYPTO_GCM > select CRYPTO_ECB > select CRYPTO_AES > - select CRYPTO_LIB_DES > select KEYS > select DNS_RESOLVER > select ASN1 > @@ -85,33 +84,6 @@ config CIFS_ALLOW_INSECURE_LEGACY > > If unsure, say Y. > > -config CIFS_WEAK_PW_HASH > - bool "Support legacy servers which use weaker LANMAN security" > - depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY > - help > - Modern CIFS servers including Samba and most Windows versions > - (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) > - security mechanisms. These hash the password more securely > - than the mechanisms used in the older LANMAN version of the > - SMB protocol but LANMAN based authentication is needed to > - establish sessions with some old SMB servers. > - > - Enabling this option allows the cifs module to mount to older > - LANMAN based servers such as OS/2 and Windows 95, but such > - mounts may be less secure than mounts using NTLM or more recent > - security mechanisms if you are on a public network. Unless you > - have a need to access old SMB servers (and are on a private > - network) you probably want to say N. Even if this support > - is enabled in the kernel build, LANMAN authentication will not be > - used automatically. At runtime LANMAN mounts are disabled but > - can be set to required (or optional) either in > - /proc/fs/cifs (see Documentation/admin-guide/cifs/usage.rst for > - more detail) or via an option on the mount command. This support > - is disabled by default in order to reduce the possibility of a > - downgrade attack. > - > - If unsure, say N. > - > config CIFS_UPCALL > bool "Kerberos/SPNEGO advanced session setup" > depends on CIFS > diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c > index 8857ac7e7a14..51a824fc926a 100644 > --- a/fs/cifs/cifs_debug.c > +++ b/fs/cifs/cifs_debug.c > @@ -250,9 +250,6 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) > #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY > seq_printf(m, ",ALLOW_INSECURE_LEGACY"); > #endif > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - seq_printf(m, ",WEAK_PW_HASH"); > -#endif > #ifdef CONFIG_CIFS_POSIX > seq_printf(m, ",CIFS_POSIX"); > #endif > @@ -929,14 +926,6 @@ cifs_security_flags_handle_must_flags(unsigned int *flags) > *flags = CIFSSEC_MUST_NTLMSSP; > else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2) > *flags = CIFSSEC_MUST_NTLMV2; > - else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM) > - *flags = CIFSSEC_MUST_NTLM; > - else if (CIFSSEC_MUST_LANMAN && > - (*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN) > - *flags = CIFSSEC_MUST_LANMAN; > - else if (CIFSSEC_MUST_PLNTXT && > - (*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT) > - *flags = CIFSSEC_MUST_PLNTXT; > > *flags |= signflags; > } > diff --git a/fs/cifs/cifs_swn.c b/fs/cifs/cifs_swn.c > index 93b47818c6c2..12bde7bfda86 100644 > --- a/fs/cifs/cifs_swn.c > +++ b/fs/cifs/cifs_swn.c > @@ -147,8 +147,6 @@ static int cifs_swn_send_register_message(struct cifs_swn_reg *swnreg) > goto nlmsg_fail; > } > break; > - case LANMAN: > - case NTLM: > case NTLMv2: > case RawNTLMSSP: > ret = cifs_swn_auth_info_ntlm(swnreg->tcon, skb); > diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c > index ecf15d845dbd..7680e0a9bea3 100644 > --- a/fs/cifs/cifsencrypt.c > +++ b/fs/cifs/cifsencrypt.c > @@ -250,87 +250,6 @@ int cifs_verify_signature(struct smb_rqst *rqst, > > } > > -/* first calculate 24 bytes ntlm response and then 16 byte session key */ > -int setup_ntlm_response(struct cifs_ses *ses, const struct nls_table *nls_cp) > -{ > - int rc = 0; > - unsigned int temp_len = CIFS_SESS_KEY_SIZE + CIFS_AUTH_RESP_SIZE; > - char temp_key[CIFS_SESS_KEY_SIZE]; > - > - if (!ses) > - return -EINVAL; > - > - ses->auth_key.response = kmalloc(temp_len, GFP_KERNEL); > - if (!ses->auth_key.response) > - return -ENOMEM; > - > - ses->auth_key.len = temp_len; > - > - rc = SMBNTencrypt(ses->password, ses->server->cryptkey, > - ses->auth_key.response + CIFS_SESS_KEY_SIZE, nls_cp); > - if (rc) { > - cifs_dbg(FYI, "%s Can't generate NTLM response, error: %d\n", > - __func__, rc); > - return rc; > - } > - > - rc = E_md4hash(ses->password, temp_key, nls_cp); > - if (rc) { > - cifs_dbg(FYI, "%s Can't generate NT hash, error: %d\n", > - __func__, rc); > - return rc; > - } > - > - rc = mdfour(ses->auth_key.response, temp_key, CIFS_SESS_KEY_SIZE); > - if (rc) > - cifs_dbg(FYI, "%s Can't generate NTLM session key, error: %d\n", > - __func__, rc); > - > - return rc; > -} > - > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -int calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt, > - char *lnm_session_key) > -{ > - int i, len; > - int rc; > - char password_with_pad[CIFS_ENCPWD_SIZE] = {0}; > - > - if (password) { > - for (len = 0; len < CIFS_ENCPWD_SIZE; len++) > - if (!password[len]) > - break; > - > - memcpy(password_with_pad, password, len); > - } > - > - if (!encrypt && global_secflags & CIFSSEC_MAY_PLNTXT) { > - memcpy(lnm_session_key, password_with_pad, > - CIFS_ENCPWD_SIZE); > - return 0; > - } > - > - /* calculate old style session key */ > - /* calling toupper is less broken than repeatedly > - calling nls_toupper would be since that will never > - work for UTF8, but neither handles multibyte code pages > - but the only alternative would be converting to UCS-16 (Unicode) > - (using a routine something like UniStrupr) then > - uppercasing and then converting back from Unicode - which > - would only worth doing it if we knew it were utf8. Basically > - utf8 and other multibyte codepages each need their own strupper > - function since a byte at a time will ont work. */ > - > - for (i = 0; i < CIFS_ENCPWD_SIZE; i++) > - password_with_pad[i] = toupper(password_with_pad[i]); > - > - rc = SMBencrypt(password_with_pad, cryptkey, lnm_session_key); > - > - return rc; > -} > -#endif /* CIFS_WEAK_PW_HASH */ > - > /* Build a proper attribute value/target info pairs blob. > * Fill in netbios and dns domain name and workstation name > * and client time (total five av pairs and + one end of fields indicator. > diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c > index 64b71c4e2a9d..85c884db909d 100644 > --- a/fs/cifs/cifsfs.c > +++ b/fs/cifs/cifsfs.c > @@ -438,15 +438,9 @@ cifs_show_security(struct seq_file *s, struct cifs_ses *ses) > seq_puts(s, ",sec="); > > switch (ses->sectype) { > - case LANMAN: > - seq_puts(s, "lanman"); > - break; > case NTLMv2: > seq_puts(s, "ntlmv2"); > break; > - case NTLM: > - seq_puts(s, "ntlm"); > - break; > case Kerberos: > seq_puts(s, "krb5"); > break; > diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h > index de687a554545..0b821ccfe09f 100644 > --- a/fs/cifs/cifsglob.h > +++ b/fs/cifs/cifsglob.h > @@ -114,8 +114,6 @@ enum statusEnum { > > enum securityEnum { > Unspecified = 0, /* not specified */ > - LANMAN, /* Legacy LANMAN auth */ > - NTLM, /* Legacy NTLM012 auth with NTLM hash */ > NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ > RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */ > Kerberos, /* Kerberos via SPNEGO */ > @@ -634,7 +632,6 @@ struct TCP_Server_Info { > struct session_key session_key; > unsigned long lstrp; /* when we got last response from this server */ > struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */ > -#define CIFS_NEGFLAVOR_LANMAN 0 /* wct == 13, LANMAN */ > #define CIFS_NEGFLAVOR_UNENCAP 1 /* wct == 17, but no ext_sec */ > #define CIFS_NEGFLAVOR_EXTENDED 2 /* wct == 17, ext_sec bit set */ > char negflavor; /* NEGOTIATE response flavor */ > @@ -1734,16 +1731,8 @@ static inline bool is_retryable_error(int error) > > /* Security Flags: indicate type of session setup needed */ > #define CIFSSEC_MAY_SIGN 0x00001 > -#define CIFSSEC_MAY_NTLM 0x00002 > #define CIFSSEC_MAY_NTLMV2 0x00004 > #define CIFSSEC_MAY_KRB5 0x00008 > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -#define CIFSSEC_MAY_LANMAN 0x00010 > -#define CIFSSEC_MAY_PLNTXT 0x00020 > -#else > -#define CIFSSEC_MAY_LANMAN 0 > -#define CIFSSEC_MAY_PLNTXT 0 > -#endif /* weak passwords */ > #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ > #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ > > @@ -1751,32 +1740,19 @@ static inline bool is_retryable_error(int error) > /* note that only one of the following can be set so the > result of setting MUST flags more than once will be to > require use of the stronger protocol */ > -#define CIFSSEC_MUST_NTLM 0x02002 > #define CIFSSEC_MUST_NTLMV2 0x04004 > #define CIFSSEC_MUST_KRB5 0x08008 > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -#define CIFSSEC_MUST_LANMAN 0x10010 > -#define CIFSSEC_MUST_PLNTXT 0x20020 > -#ifdef CONFIG_CIFS_UPCALL > -#define CIFSSEC_MASK 0xBF0BF /* allows weak security but also krb5 */ > -#else > -#define CIFSSEC_MASK 0xB70B7 /* current flags supported if weak */ > -#endif /* UPCALL */ > -#else /* do not allow weak pw hash */ > -#define CIFSSEC_MUST_LANMAN 0 > -#define CIFSSEC_MUST_PLNTXT 0 > #ifdef CONFIG_CIFS_UPCALL > #define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ > #else > #define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ > #endif /* UPCALL */ > -#endif /* WEAK_PW_HASH */ > #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ > #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ > > #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP) > -#define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) > -#define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) > +#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2) > +#define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) > /* > ***************************************************************** > * All constants go here > @@ -1940,10 +1916,6 @@ static inline char *get_security_type_str(enum securityEnum sectype) > return "Kerberos"; > case NTLMv2: > return "NTLMv2"; > - case NTLM: > - return "NTLM"; > - case LANMAN: > - return "LANMAN"; > default: > return "Unknown"; > } > diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h > index f6e235001358..dc920e206336 100644 > --- a/fs/cifs/cifspdu.h > +++ b/fs/cifs/cifspdu.h > @@ -14,13 +14,7 @@ > #include > #include "smbfsctl.h" > > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -#define LANMAN_PROT 0 > -#define LANMAN2_PROT 1 > -#define CIFS_PROT 2 > -#else > #define CIFS_PROT 0 > -#endif > #define POSIX_PROT (CIFS_PROT+1) > #define BAD_PROT 0xFFFF > > @@ -505,30 +499,8 @@ typedef struct negotiate_req { > unsigned char DialectsArray[1]; > } __attribute__((packed)) NEGOTIATE_REQ; > > -/* Dialect index is 13 for LANMAN */ > - > #define MIN_TZ_ADJ (15 * 60) /* minimum grid for timezones in seconds */ > > -typedef struct lanman_neg_rsp { > - struct smb_hdr hdr; /* wct = 13 */ > - __le16 DialectIndex; > - __le16 SecurityMode; > - __le16 MaxBufSize; > - __le16 MaxMpxCount; > - __le16 MaxNumberVcs; > - __le16 RawMode; > - __le32 SessionKey; > - struct { > - __le16 Time; > - __le16 Date; > - } __attribute__((packed)) SrvTime; > - __le16 ServerTimeZone; > - __le16 EncryptionKeyLength; > - __le16 Reserved; > - __u16 ByteCount; > - unsigned char EncryptionKey[1]; > -} __attribute__((packed)) LANMAN_NEG_RSP; > - > #define READ_RAW_ENABLE 1 > #define WRITE_RAW_ENABLE 2 > #define RAW_ENABLE (READ_RAW_ENABLE | WRITE_RAW_ENABLE) > diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h > index e0def0f0714b..f9740c21ca3d 100644 > --- a/fs/cifs/cifsproto.h > +++ b/fs/cifs/cifsproto.h > @@ -498,19 +498,12 @@ extern int cifs_sign_smb(struct smb_hdr *, struct TCP_Server_Info *, __u32 *); > extern int cifs_verify_signature(struct smb_rqst *rqst, > struct TCP_Server_Info *server, > __u32 expected_sequence_number); > -extern int SMBNTencrypt(unsigned char *, unsigned char *, unsigned char *, > - const struct nls_table *); > -extern int setup_ntlm_response(struct cifs_ses *, const struct nls_table *); > extern int setup_ntlmv2_rsp(struct cifs_ses *, const struct nls_table *); > extern void cifs_crypto_secmech_release(struct TCP_Server_Info *server); > extern int calc_seckey(struct cifs_ses *); > extern int generate_smb30signingkey(struct cifs_ses *); > extern int generate_smb311signingkey(struct cifs_ses *); > > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -extern int calc_lanman_hash(const char *password, const char *cryptkey, > - bool encrypt, char *lnm_session_key); > -#endif /* CIFS_WEAK_PW_HASH */ > extern int CIFSSMBCopy(unsigned int xid, > struct cifs_tcon *source_tcon, > const char *fromName, > @@ -547,11 +540,8 @@ extern int check_mf_symlink(unsigned int xid, struct cifs_tcon *tcon, > struct cifs_sb_info *cifs_sb, > struct cifs_fattr *fattr, > const unsigned char *path); > -extern int mdfour(unsigned char *, unsigned char *, int); > extern int E_md4hash(const unsigned char *passwd, unsigned char *p16, > const struct nls_table *codepage); > -extern int SMBencrypt(unsigned char *passwd, const unsigned char *c8, > - unsigned char *p24); > > extern int > cifs_setup_volume_info(struct smb3_fs_context *ctx, const char *mntopts, const char *devname); > diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c > index 6ab6cf669438..40187d25140f 100644 > --- a/fs/cifs/cifssmb.c > +++ b/fs/cifs/cifssmb.c > @@ -42,10 +42,6 @@ static struct { > int index; > char *name; > } protocols[] = { > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - {LANMAN_PROT, "\2LM1.2X002"}, > - {LANMAN2_PROT, "\2LANMAN2.1"}, > -#endif /* weak password hashing for legacy clients */ > {CIFS_PROT, "\2NT LM 0.12"}, > {POSIX_PROT, "\2POSIX 2"}, > {BAD_PROT, "\2"} > @@ -55,10 +51,6 @@ static struct { > int index; > char *name; > } protocols[] = { > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - {LANMAN_PROT, "\2LM1.2X002"}, > - {LANMAN2_PROT, "\2LANMAN2.1"}, > -#endif /* weak password hashing for legacy clients */ > {CIFS_PROT, "\2NT LM 0.12"}, > {BAD_PROT, "\2"} > }; > @@ -66,17 +58,9 @@ static struct { > > /* define the number of elements in the cifs dialect array */ > #ifdef CONFIG_CIFS_POSIX > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -#define CIFS_NUM_PROT 4 > -#else > #define CIFS_NUM_PROT 2 > -#endif /* CIFS_WEAK_PW_HASH */ > #else /* not posix */ > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -#define CIFS_NUM_PROT 3 > -#else > #define CIFS_NUM_PROT 1 > -#endif /* CONFIG_CIFS_WEAK_PW_HASH */ > #endif /* CIFS_POSIX */ > > /* > @@ -475,89 +459,6 @@ cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required) > return 0; > } > > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -static int > -decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr) > -{ > - __s16 tmp; > - struct lanman_neg_rsp *rsp = (struct lanman_neg_rsp *)pSMBr; > - > - if (server->dialect != LANMAN_PROT && server->dialect != LANMAN2_PROT) > - return -EOPNOTSUPP; > - > - server->sec_mode = le16_to_cpu(rsp->SecurityMode); > - server->maxReq = min_t(unsigned int, > - le16_to_cpu(rsp->MaxMpxCount), > - cifs_max_pending); > - set_credits(server, server->maxReq); > - server->maxBuf = le16_to_cpu(rsp->MaxBufSize); > - /* set up max_read for readpages check */ > - server->max_read = server->maxBuf; > - /* even though we do not use raw we might as well set this > - accurately, in case we ever find a need for it */ > - if ((le16_to_cpu(rsp->RawMode) & RAW_ENABLE) == RAW_ENABLE) { > - server->max_rw = 0xFF00; > - server->capabilities = CAP_MPX_MODE | CAP_RAW_MODE; > - } else { > - server->max_rw = 0;/* do not need to use raw anyway */ > - server->capabilities = CAP_MPX_MODE; > - } > - tmp = (__s16)le16_to_cpu(rsp->ServerTimeZone); > - if (tmp == -1) { > - /* OS/2 often does not set timezone therefore > - * we must use server time to calc time zone. > - * Could deviate slightly from the right zone. > - * Smallest defined timezone difference is 15 minutes > - * (i.e. Nepal). Rounding up/down is done to match > - * this requirement. > - */ > - int val, seconds, remain, result; > - struct timespec64 ts; > - time64_t utc = ktime_get_real_seconds(); > - ts = cnvrtDosUnixTm(rsp->SrvTime.Date, > - rsp->SrvTime.Time, 0); > - cifs_dbg(FYI, "SrvTime %lld sec since 1970 (utc: %lld) diff: %lld\n", > - ts.tv_sec, utc, > - utc - ts.tv_sec); > - val = (int)(utc - ts.tv_sec); > - seconds = abs(val); > - result = (seconds / MIN_TZ_ADJ) * MIN_TZ_ADJ; > - remain = seconds % MIN_TZ_ADJ; > - if (remain >= (MIN_TZ_ADJ / 2)) > - result += MIN_TZ_ADJ; > - if (val < 0) > - result = -result; > - server->timeAdj = result; > - } else { > - server->timeAdj = (int)tmp; > - server->timeAdj *= 60; /* also in seconds */ > - } > - cifs_dbg(FYI, "server->timeAdj: %d seconds\n", server->timeAdj); > - > - > - /* BB get server time for time conversions and add > - code to use it and timezone since this is not UTC */ > - > - if (rsp->EncryptionKeyLength == > - cpu_to_le16(CIFS_CRYPTO_KEY_SIZE)) { > - memcpy(server->cryptkey, rsp->EncryptionKey, > - CIFS_CRYPTO_KEY_SIZE); > - } else if (server->sec_mode & SECMODE_PW_ENCRYPT) { > - return -EIO; /* need cryptkey unless plain text */ > - } > - > - cifs_dbg(FYI, "LANMAN negotiated\n"); > - return 0; > -} > -#else > -static inline int > -decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr) > -{ > - cifs_dbg(VFS, "mount failed, cifs module not built with CIFS_WEAK_PW_HASH support\n"); > - return -EOPNOTSUPP; > -} > -#endif > - > static bool > should_set_ext_sec_flag(enum securityEnum sectype) > { > @@ -626,16 +527,12 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses) > server->dialect = le16_to_cpu(pSMBr->DialectIndex); > cifs_dbg(FYI, "Dialect: %d\n", server->dialect); > /* Check wct = 1 error case */ > - if ((pSMBr->hdr.WordCount < 13) || (server->dialect == BAD_PROT)) { > + if ((pSMBr->hdr.WordCount <= 13) || (server->dialect == BAD_PROT)) { > /* core returns wct = 1, but we do not ask for core - otherwise > small wct just comes when dialect index is -1 indicating we > could not negotiate a common dialect */ > rc = -EOPNOTSUPP; > goto neg_err_exit; > - } else if (pSMBr->hdr.WordCount == 13) { > - server->negflavor = CIFS_NEGFLAVOR_LANMAN; > - rc = decode_lanman_negprot_rsp(server, pSMBr); > - goto signing_check; > } else if (pSMBr->hdr.WordCount != 17) { > /* unknown wct */ > rc = -EOPNOTSUPP; > @@ -677,7 +574,6 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses) > server->capabilities &= ~CAP_EXTENDED_SECURITY; > } > > -signing_check: > if (!rc) > rc = cifs_enable_signing(server, ses->sign); > neg_err_exit: > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index 3781eee9360a..0db344807ef1 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -3684,38 +3684,6 @@ CIFSTCon(const unsigned int xid, struct cifs_ses *ses, > *bcc_ptr = 0; /* password is null byte */ > bcc_ptr++; /* skip password */ > /* already aligned so no need to do it below */ > - } else { > - pSMB->PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE); > - /* BB FIXME add code to fail this if NTLMv2 or Kerberos > - specified as required (when that support is added to > - the vfs in the future) as only NTLM or the much > - weaker LANMAN (which we do not send by default) is accepted > - by Samba (not sure whether other servers allow > - NTLMv2 password here) */ > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - if ((global_secflags & CIFSSEC_MAY_LANMAN) && > - (ses->sectype == LANMAN)) > - calc_lanman_hash(tcon->password, ses->server->cryptkey, > - ses->server->sec_mode & > - SECMODE_PW_ENCRYPT ? true : false, > - bcc_ptr); > - else > -#endif /* CIFS_WEAK_PW_HASH */ > - rc = SMBNTencrypt(tcon->password, ses->server->cryptkey, > - bcc_ptr, nls_codepage); > - if (rc) { > - cifs_dbg(FYI, "%s Can't generate NTLM rsp. Error: %d\n", > - __func__, rc); > - cifs_buf_release(smb_buffer); > - return rc; > - } > - > - bcc_ptr += CIFS_AUTH_RESP_SIZE; > - if (ses->capabilities & CAP_UNICODE) { > - /* must align unicode strings */ > - *bcc_ptr = 0; /* null byte password */ > - bcc_ptr++; > - } > } > > if (ses->server->sign) > diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c > index eed59bc1d913..4515a0883262 100644 > --- a/fs/cifs/fs_context.c > +++ b/fs/cifs/fs_context.c > @@ -57,12 +57,9 @@ static const match_table_t cifs_secflavor_tokens = { > { Opt_sec_krb5p, "krb5p" }, > { Opt_sec_ntlmsspi, "ntlmsspi" }, > { Opt_sec_ntlmssp, "ntlmssp" }, > - { Opt_ntlm, "ntlm" }, > - { Opt_sec_ntlmi, "ntlmi" }, > { Opt_sec_ntlmv2, "nontlm" }, > { Opt_sec_ntlmv2, "ntlmv2" }, > { Opt_sec_ntlmv2i, "ntlmv2i" }, > - { Opt_sec_lanman, "lanman" }, > { Opt_sec_none, "none" }, > > { Opt_sec_err, NULL } > @@ -221,23 +218,12 @@ cifs_parse_security_flavors(struct fs_context *fc, char *value, struct smb3_fs_c > case Opt_sec_ntlmssp: > ctx->sectype = RawNTLMSSP; > break; > - case Opt_sec_ntlmi: > - ctx->sign = true; > - fallthrough; > - case Opt_ntlm: > - ctx->sectype = NTLM; > - break; > case Opt_sec_ntlmv2i: > ctx->sign = true; > fallthrough; > case Opt_sec_ntlmv2: > ctx->sectype = NTLMv2; > break; > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - case Opt_sec_lanman: > - ctx->sectype = LANMAN; > - break; > -#endif > case Opt_sec_none: > ctx->nullauth = 1; > break; > diff --git a/fs/cifs/fs_context.h b/fs/cifs/fs_context.h > index b6243972edf3..a42ba71d7a81 100644 > --- a/fs/cifs/fs_context.h > +++ b/fs/cifs/fs_context.h > @@ -47,11 +47,8 @@ enum cifs_sec_param { > Opt_sec_krb5p, > Opt_sec_ntlmsspi, > Opt_sec_ntlmssp, > - Opt_ntlm, > - Opt_sec_ntlmi, > Opt_sec_ntlmv2, > Opt_sec_ntlmv2i, > - Opt_sec_lanman, > Opt_sec_none, > > Opt_sec_err > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c > index c5785fd3f52e..bb4a838eef71 100644 > --- a/fs/cifs/sess.c > +++ b/fs/cifs/sess.c > @@ -799,30 +799,16 @@ cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) > } > case CIFS_NEGFLAVOR_UNENCAP: > switch (requested) { > - case NTLM: > case NTLMv2: > return requested; > case Unspecified: > if (global_secflags & CIFSSEC_MAY_NTLMV2) > return NTLMv2; > - if (global_secflags & CIFSSEC_MAY_NTLM) > - return NTLM; > break; > default: > break; > } > - fallthrough; /* to attempt LANMAN authentication next */ > - case CIFS_NEGFLAVOR_LANMAN: > - switch (requested) { > - case LANMAN: > - return requested; > - case Unspecified: > - if (global_secflags & CIFSSEC_MAY_LANMAN) > - return LANMAN; > - fallthrough; > - default: > - return Unspecified; > - } > + fallthrough; > default: > return Unspecified; > } > @@ -947,230 +933,6 @@ sess_sendreceive(struct sess_data *sess_data) > return rc; > } > > -/* > - * LANMAN and plaintext are less secure and off by default. > - * So we make this explicitly be turned on in kconfig (in the > - * build) and turned on at runtime (changed from the default) > - * in proc/fs/cifs or via mount parm. Unfortunately this is > - * needed for old Win (e.g. Win95), some obscure NAS and OS/2 > - */ > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > -static void > -sess_auth_lanman(struct sess_data *sess_data) > -{ > - int rc = 0; > - struct smb_hdr *smb_buf; > - SESSION_SETUP_ANDX *pSMB; > - char *bcc_ptr; > - struct cifs_ses *ses = sess_data->ses; > - char lnm_session_key[CIFS_AUTH_RESP_SIZE]; > - __u16 bytes_remaining; > - > - /* lanman 2 style sessionsetup */ > - /* wct = 10 */ > - rc = sess_alloc_buffer(sess_data, 10); > - if (rc) > - goto out; > - > - pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; > - bcc_ptr = sess_data->iov[2].iov_base; > - (void)cifs_ssetup_hdr(ses, pSMB); > - > - pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE; > - > - if (ses->user_name != NULL) { > - /* no capabilities flags in old lanman negotiation */ > - pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE); > - > - /* Calculate hash with password and copy into bcc_ptr. > - * Encryption Key (stored as in cryptkey) gets used if the > - * security mode bit in Negotiate Protocol response states > - * to use challenge/response method (i.e. Password bit is 1). > - */ > - rc = calc_lanman_hash(ses->password, ses->server->cryptkey, > - ses->server->sec_mode & SECMODE_PW_ENCRYPT ? > - true : false, lnm_session_key); > - if (rc) > - goto out; > - > - memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE); > - bcc_ptr += CIFS_AUTH_RESP_SIZE; > - } else { > - pSMB->old_req.PasswordLength = 0; > - } > - > - /* > - * can not sign if LANMAN negotiated so no need > - * to calculate signing key? but what if server > - * changed to do higher than lanman dialect and > - * we reconnected would we ever calc signing_key? > - */ > - > - cifs_dbg(FYI, "Negotiating LANMAN setting up strings\n"); > - /* Unicode not allowed for LANMAN dialects */ > - ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); > - > - sess_data->iov[2].iov_len = (long) bcc_ptr - > - (long) sess_data->iov[2].iov_base; > - > - rc = sess_sendreceive(sess_data); > - if (rc) > - goto out; > - > - pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; > - smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; > - > - /* lanman response has a word count of 3 */ > - if (smb_buf->WordCount != 3) { > - rc = -EIO; > - cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); > - goto out; > - } > - > - if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) > - cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ > - > - ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ > - cifs_dbg(FYI, "UID = %llu\n", ses->Suid); > - > - bytes_remaining = get_bcc(smb_buf); > - bcc_ptr = pByteArea(smb_buf); > - > - /* BB check if Unicode and decode strings */ > - if (bytes_remaining == 0) { > - /* no string area to decode, do nothing */ > - } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { > - /* unicode string area must be word-aligned */ > - if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { > - ++bcc_ptr; > - --bytes_remaining; > - } > - decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, > - sess_data->nls_cp); > - } else { > - decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, > - sess_data->nls_cp); > - } > - > - rc = sess_establish_session(sess_data); > -out: > - sess_data->result = rc; > - sess_data->func = NULL; > - sess_free_buffer(sess_data); > -} > - > -#endif > - > -static void > -sess_auth_ntlm(struct sess_data *sess_data) > -{ > - int rc = 0; > - struct smb_hdr *smb_buf; > - SESSION_SETUP_ANDX *pSMB; > - char *bcc_ptr; > - struct cifs_ses *ses = sess_data->ses; > - __u32 capabilities; > - __u16 bytes_remaining; > - > - /* old style NTLM sessionsetup */ > - /* wct = 13 */ > - rc = sess_alloc_buffer(sess_data, 13); > - if (rc) > - goto out; > - > - pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; > - bcc_ptr = sess_data->iov[2].iov_base; > - capabilities = cifs_ssetup_hdr(ses, pSMB); > - > - pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); > - if (ses->user_name != NULL) { > - pSMB->req_no_secext.CaseInsensitivePasswordLength = > - cpu_to_le16(CIFS_AUTH_RESP_SIZE); > - pSMB->req_no_secext.CaseSensitivePasswordLength = > - cpu_to_le16(CIFS_AUTH_RESP_SIZE); > - > - /* calculate ntlm response and session key */ > - rc = setup_ntlm_response(ses, sess_data->nls_cp); > - if (rc) { > - cifs_dbg(VFS, "Error %d during NTLM authentication\n", > - rc); > - goto out; > - } > - > - /* copy ntlm response */ > - memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, > - CIFS_AUTH_RESP_SIZE); > - bcc_ptr += CIFS_AUTH_RESP_SIZE; > - memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, > - CIFS_AUTH_RESP_SIZE); > - bcc_ptr += CIFS_AUTH_RESP_SIZE; > - } else { > - pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; > - pSMB->req_no_secext.CaseSensitivePasswordLength = 0; > - } > - > - if (ses->capabilities & CAP_UNICODE) { > - /* unicode strings must be word aligned */ > - if (sess_data->iov[0].iov_len % 2) { > - *bcc_ptr = 0; > - bcc_ptr++; > - } > - unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); > - } else { > - ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); > - } > - > - > - sess_data->iov[2].iov_len = (long) bcc_ptr - > - (long) sess_data->iov[2].iov_base; > - > - rc = sess_sendreceive(sess_data); > - if (rc) > - goto out; > - > - pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; > - smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; > - > - if (smb_buf->WordCount != 3) { > - rc = -EIO; > - cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); > - goto out; > - } > - > - if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) > - cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ > - > - ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ > - cifs_dbg(FYI, "UID = %llu\n", ses->Suid); > - > - bytes_remaining = get_bcc(smb_buf); > - bcc_ptr = pByteArea(smb_buf); > - > - /* BB check if Unicode and decode strings */ > - if (bytes_remaining == 0) { > - /* no string area to decode, do nothing */ > - } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { > - /* unicode string area must be word-aligned */ > - if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { > - ++bcc_ptr; > - --bytes_remaining; > - } > - decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, > - sess_data->nls_cp); > - } else { > - decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, > - sess_data->nls_cp); > - } > - > - rc = sess_establish_session(sess_data); > -out: > - sess_data->result = rc; > - sess_data->func = NULL; > - sess_free_buffer(sess_data); > - kfree(ses->auth_key.response); > - ses->auth_key.response = NULL; > -} > - > static void > sess_auth_ntlmv2(struct sess_data *sess_data) > { > @@ -1675,21 +1437,6 @@ static int select_sec(struct cifs_ses *ses, struct sess_data *sess_data) > } > > switch (type) { > - case LANMAN: > - /* LANMAN and plaintext are less secure and off by default. > - * So we make this explicitly be turned on in kconfig (in the > - * build) and turned on at runtime (changed from the default) > - * in proc/fs/cifs or via mount parm. Unfortunately this is > - * needed for old Win (e.g. Win95), some obscure NAS and OS/2 */ > -#ifdef CONFIG_CIFS_WEAK_PW_HASH > - sess_data->func = sess_auth_lanman; > - break; > -#else > - return -EOPNOTSUPP; > -#endif > - case NTLM: > - sess_data->func = sess_auth_ntlm; > - break; > case NTLMv2: > sess_data->func = sess_auth_ntlmv2; > break; > diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c > index 39a938443e3e..5da7eea3323f 100644 > --- a/fs/cifs/smbencrypt.c > +++ b/fs/cifs/smbencrypt.c > @@ -18,7 +18,6 @@ > #include > #include > #include > -#include > #include "cifs_fs_sb.h" > #include "cifs_unicode.h" > #include "cifspdu.h" > @@ -38,74 +37,8 @@ > #define SSVALX(buf,pos,val) (CVAL(buf,pos)=(val)&0xFF,CVAL(buf,pos+1)=(val)>>8) > #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((__u16)(val))) > > -static void > -str_to_key(unsigned char *str, unsigned char *key) > -{ > - int i; > - > - key[0] = str[0] >> 1; > - key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2); > - key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3); > - key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4); > - key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5); > - key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6); > - key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7); > - key[7] = str[6] & 0x7F; > - for (i = 0; i < 8; i++) > - key[i] = (key[i] << 1); > -} > - > -static int > -smbhash(unsigned char *out, const unsigned char *in, unsigned char *key) > -{ > - unsigned char key2[8]; > - struct des_ctx ctx; > - > - str_to_key(key, key2); > - > - if (fips_enabled) { > - cifs_dbg(VFS, "FIPS compliance enabled: DES not permitted\n"); > - return -ENOENT; > - } > - > - des_expand_key(&ctx, key2, DES_KEY_SIZE); > - des_encrypt(&ctx, out, in); > - memzero_explicit(&ctx, sizeof(ctx)); > - > - return 0; > -} > - > -static int > -E_P16(unsigned char *p14, unsigned char *p16) > -{ > - int rc; > - unsigned char sp8[8] = > - { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 }; > - > - rc = smbhash(p16, sp8, p14); > - if (rc) > - return rc; > - rc = smbhash(p16 + 8, sp8, p14 + 7); > - return rc; > -} > - > -static int > -E_P24(unsigned char *p21, const unsigned char *c8, unsigned char *p24) > -{ > - int rc; > - > - rc = smbhash(p24, c8, p21); > - if (rc) > - return rc; > - rc = smbhash(p24 + 8, c8, p21 + 7); > - if (rc) > - return rc; > - rc = smbhash(p24 + 16, c8, p21 + 14); > - return rc; > -} > - > /* produce a md4 message digest from data of length n bytes */ > -int > +static int > mdfour(unsigned char *md4_hash, unsigned char *link_str, int link_len) > { > int rc; > @@ -135,32 +68,6 @@ mdfour(unsigned char *md4_hash, unsigned char *link_str, int link_len) > return rc; > } > > -/* > - This implements the X/Open SMB password encryption > - It takes a password, a 8 byte "crypt key" and puts 24 bytes of > - encrypted password into p24 */ > -/* Note that password must be uppercased and null terminated */ > -int > -SMBencrypt(unsigned char *passwd, const unsigned char *c8, unsigned char *p24) > -{ > - int rc; > - unsigned char p14[14], p16[16], p21[21]; > - > - memset(p14, '\0', 14); > - memset(p16, '\0', 16); > - memset(p21, '\0', 21); > - > - memcpy(p14, passwd, 14); > - rc = E_P16(p14, p16); > - if (rc) > - return rc; > - > - memcpy(p21, p16, 16); > - rc = E_P24(p21, c8, p24); > - > - return rc; > -} > - > /* > * Creates the MD4 Hash of the users password in NT UNICODE. > */ > @@ -186,25 +93,3 @@ E_md4hash(const unsigned char *passwd, unsigned char *p16, > > return rc; > } > - > -/* Does the NT MD4 hash then des encryption. */ > -int > -SMBNTencrypt(unsigned char *passwd, unsigned char *c8, unsigned char *p24, > - const struct nls_table *codepage) > -{ > - int rc; > - unsigned char p16[16], p21[21]; > - > - memset(p16, '\0', 16); > - memset(p21, '\0', 21); > - > - rc = E_md4hash(passwd, p16, codepage); > - if (rc) { > - cifs_dbg(FYI, "%s Can't generate NT hash, error: %d\n", > - __func__, rc); > - return rc; > - } > - memcpy(p21, p16, 16); > - rc = E_P24(p21, c8, p24); > - return rc; > -} > -- > 2.30.2 > -- Thanks, Steve