authorAndrew Bartlett <abartlet@samba.org>2005-08-20 06:14:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:33:36 -0500
commit7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2 (patch)
tree987e6d15bb3cde5f568ff2b4d2430f67542677be /source4/auth/gensec/gensec.c
parent40f56f63bec5a609229033dc4c0854bb4fb16f06 (diff)
r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back
into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplifies the code and ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things are a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
Diffstat (limited to 'source4/auth/gensec/gensec.c')
-rw-r--r--source4/auth/gensec/gensec.c66
1 files changed, 51 insertions, 15 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index b500a09fdc..87c60da84f 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -210,6 +210,44 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
/**
+ * Return OIDS from the security subsystems listed
+ */
+
+const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
+ const struct gensec_security_ops_wrapper *wops)
+{
+ int i;
+ int j = 0;
+ int k;
+ const char **oid_list;
+ if (!wops) {
+ return NULL;
+ }
+ oid_list = talloc_array(mem_ctx, const char *, 1);
+ if (!oid_list) {
+ return NULL;
+ }
+
+ for (i=0; wops[i].op; i++) {
+ if (!wops[i].op->oid) {
+ continue;
+ }
+
+ for (k = 0; wops[i].op->oid[k]; k++) {
+ oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
+ if (!oid_list) {
+ return NULL;
+ }
+ oid_list[j] = wops[i].op->oid[k];
+ j++;
+ }
+ }
+ oid_list[j] = NULL;
+ return oid_list;
+}
+
+
+/**
* Return all the security subsystems currently enabled in GENSEC
*/
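Review bot: The header comment on gensec_security_oids_from_ops_wrapped does not state the ownership contract: the array is allocated on mem_ctx, but the strings it holds are borrowed pointers copied straight from the ops tables (`oid_list[j] = wops[i].op->oid[k];`), so the array must not outlive those tables; and NULL is returned both for a NULL wops and for an allocation failure, while input with no OIDs at all yields a one-element array holding only the terminator. Suggest extending the comment to `Return OIDS from the security subsystems listed. Allocated on mem_ctx; the OID strings are not copied. Returns NULL for a NULL wops or on allocation failure, an empty NULL-terminated array when no mech provides OIDs.` A counting pass followed by one talloc_array would also avoid the talloc_realloc on every OID, but that is optional.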
@@ -366,6 +404,7 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
return NT_STATUS_INVALID_PARAMETER;
}
gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
} else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
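Review bot: The added `gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);` is unconditional for every DCE-RPC auth level and is not mentioned in the commit message, so the reason is not recoverable from the code. A one-line comment above it naming why the DCE-RPC path always wants asynchronous replies would save the next reader a search, e.g. `/* DCE-RPC always wants GENSEC_FEATURE_ASYNC_REPLIES: <reason> */` with the reason filled in. gensec_start_mech_by_authtype starts and ends outside the hunk.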
@@ -463,15 +502,9 @@ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
return NT_STATUS_NOT_IMPLEMENTED;
}
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- return gensec_check_packet(gensec_security, mem_ctx,
- data, length,
- whole_pdu, pdu_length,
- sig);
- }
return NT_STATUS_INVALID_PARAMETER;
}
-
+
return gensec_security->ops->unseal_packet(gensec_security, mem_ctx,
data, length,
whole_pdu, pdu_length,
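Review bot: Removing the SEAL-to-SIGN fallback means a caller that negotiated only GENSEC_FEATURE_SIGN and still calls gensec_unseal_packet() now gets NT_STATUS_INVALID_PARAMETER instead of a packet that was silently verified but never decrypted; failing closed here is the right direction, but nothing at the check records that the downgrade was removed on purpose, and since gensec_have_feature() in a later hunk also requires the feature to have been wanted, the check now fails for any caller that never asked for SEAL. Suggest `/* No silent downgrade to sign-only: the caller must have wanted and negotiated SEAL */` above the return. The same applies to the gensec_seal_packet hunk that follows. Both functions start and end outside their hunks.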
@@ -504,15 +537,9 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
return NT_STATUS_NOT_IMPLEMENTED;
}
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- return gensec_sign_packet(gensec_security, mem_ctx,
- data, length,
- whole_pdu, pdu_length,
- sig);
- }
return NT_STATUS_INVALID_PARAMETER;
}
-
+
return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
@@ -572,6 +599,10 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
if (!gensec_security->ops->session_key) {
return NT_STATUS_NOT_IMPLEMENTED;
}
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
return gensec_security->ops->session_key(gensec_security, session_key);
}
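Review bot: With the change to gensec_have_feature() later in this file, the new `gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)` check is False unless the caller earlier called gensec_want_feature() for GENSEC_FEATURE_SESSION_KEY, so an existing caller that fetched the session key without asking for the feature first now receives NT_STATUS_NO_USER_SESSION_KEY even when the mech has one; whether every such caller was updated cannot be seen from this diff. Suggest making the precondition explicit above the check: `/* Requires an earlier gensec_want_feature(GENSEC_FEATURE_SESSION_KEY); have_feature() is False otherwise */`. gensec_session_key starts outside the hunk.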
@@ -633,7 +664,12 @@ BOOL gensec_have_feature(struct gensec_security *gensec_security,
if (!gensec_security->ops->have_feature) {
return False;
}
- return gensec_security->ops->have_feature(gensec_security, feature);
+
+ /* Can only 'have' a feature if you already 'want'ed it */
+ if (gensec_security->want_features & feature) {
+ return gensec_security->ops->have_feature(gensec_security, feature);
+ }
+ return False;
}
/**
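Review bot: `if (gensec_security->want_features & feature)` accepts a partial match when `feature` carries more than one bit, so a query for a combined mask would reach ops->have_feature() even if only one of its bits was wanted; if every GENSEC_FEATURE_* value is a single bit this is equivalent, but `if ((gensec_security->want_features & feature) == feature) {` states the intent and is safe either way. The comment could also say that this gate is what the seal/unseal/session_key checks rely on, since they now call this function without checking want_features themselves. gensec_have_feature's signature is outside the hunk.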