r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back

into Samba3.

The NTLMSSP sign/seal code now assumes that GENSEC has already checked
to see if SIGN or SEAL should be permitted.  This simplfies the code
ensures that no matter what the mech, the correct code paths have been
set in place.

Also remove duplication caused by the NTLMv2 code's history, and
document why some of the things a bit funny.

In SPNEGO, create a new routine to handle the negTokenInit creation.
We no longer send an OID for a mech we can't start (like kerberos on
the server without a valid trust account).

Andrew Bartlett
(This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)

1 files changed, 26 insertions, 81 deletions

diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 960841ecf2..75c6cf845b 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -49,7 +49,7 @@ static void calc_ntlmv2_key(TALLOC_CTX *mem_ctx,
 	*subkey = data_blob_talloc(mem_ctx, NULL, 16);
 	MD5Init(&ctx3);
 	MD5Update(&ctx3, session_key.data, session_key.length);
-	MD5Update(&ctx3, constant, strlen(constant)+1);
+	MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1);
 	MD5Final(subkey->data, &ctx3);
 }
 
@@ -131,21 +131,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 {
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 
-	if (!gensec_ntlmssp_state->session_key.length) {
-		DEBUG(3, ("NO session key, cannot check sign packet\n"));
-		return NT_STATUS_NO_USER_SESSION_KEY;
-	}
-	
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) {
-		DEBUG(3, ("GENSEC Signing not requested - cannot sign packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
-		DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	
 	return ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 
 					     data, length, 
 					     whole_pdu, pdu_length, 
@@ -173,11 +158,6 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & (GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN))) {
-		DEBUG(3, ("GENSEC Signing/Sealing not requested - cannot check packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	if (sig->length < 8) {
 		DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", 
 			  (unsigned long)sig->length));
@@ -244,17 +224,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
-		DEBUG(3, ("GENSEC Sealing not requested - cannot seal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
-		DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-
 	DEBUG(10,("ntlmssp_seal_data: seal\n"));
 	dump_data_pw("ntlmssp clear data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
@@ -317,43 +286,14 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
-		DEBUG(3, ("GENSEC Sealing not requested - cannot unseal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	dump_data_pw("ntlmssp sealed data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length);
-
-		nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 
-							  data, length, 
-							  whole_pdu, pdu_length, 
-							  NTLMSSP_RECEIVE, &local_sig, True);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-
-		if (local_sig.length != sig->length ||
-		    memcmp(local_sig.data, 
-			   sig->data, sig->length) != 0) {
-			DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
-			dump_data(5, local_sig.data, local_sig.length);
-			
-			DEBUG(5, ("BAD SIG: got signature of\n"));
-			dump_data(5, sig->data, sig->length);
-			
-			DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
-			return NT_STATUS_ACCESS_DENIED;
-		}
-
-		dump_data_pw("ntlmssp clear data\n", data, length);
-		return NT_STATUS_OK;
 	} else {
 		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
-		dump_data_pw("ntlmssp clear data\n", data, length);
-		return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
 	}
+	dump_data_pw("ntlmssp clear data\n", data, length);
+	return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
 
 /**
@@ -406,11 +346,18 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state);
 
 		/**
-		   Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
+		   Weaken NTLMSSP keys to cope with down-level
+		   clients, servers and export restrictions.
 		   
-		   We probably should have some parameters to control this, once we get NTLM2 working.
+		   We probably should have some parameters to control
+		   this, once we get NTLM2 working.
 		*/
 
+		/* Key weakening was not performed on the master key
+		 * for NTLM2 (in ntlmssp_weaken_keys()), but must be
+		 * done on the encryption subkeys only.  That is why
+		 * we don't have this code for the ntlmv1 case.
+		 */
 
 		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
 			
@@ -500,35 +447,34 @@ NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
 	DATA_BLOB sig;
 	NTSTATUS nt_status;
 
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 
 		*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
-
+		
 	        nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx, 
 						       out->data + NTLMSSP_SIG_SIZE, 
 						       out->length - NTLMSSP_SIG_SIZE, 
 						       out->data + NTLMSSP_SIG_SIZE, 
 						       out->length - NTLMSSP_SIG_SIZE, 
 						       &sig);
-
+		
 		if (NT_STATUS_IS_OK(nt_status)) {
 			memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
 		}
 		return nt_status;
 
-	} else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) 
-		   || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 
 		*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
 
 	        nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx, 
-						out->data + NTLMSSP_SIG_SIZE, 
-						out->length - NTLMSSP_SIG_SIZE, 
-						out->data + NTLMSSP_SIG_SIZE, 
-						out->length - NTLMSSP_SIG_SIZE, 
-						&sig);
+						       out->data + NTLMSSP_SIG_SIZE, 
+						       out->length - NTLMSSP_SIG_SIZE, 
+						       out->data + NTLMSSP_SIG_SIZE, 
+						       out->length - NTLMSSP_SIG_SIZE, 
+						       &sig);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
@@ -550,7 +496,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 	DATA_BLOB sig;
 
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		if (in->length < NTLMSSP_SIG_SIZE) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -564,8 +510,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 						    out->data, out->length, 
 						    &sig);
 						  
-	} else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) 
-		   || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		if (in->length < NTLMSSP_SIG_SIZE) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -575,9 +520,9 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 		*out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
 		
 	        return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, 
-					    out->data, out->length, 
-					    out->data, out->length, 
-					    &sig);
+						   out->data, out->length, 
+						   out->data, out->length, 
+						   &sig);
 	} else {
 		*out = *in;
 		return NT_STATUS_OK;