r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.

The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags.  If we don't negotiate sealing, we can't use it.

We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.

Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)

1 files changed, 7 insertions, 20 deletions

diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 43b2212d60..6ae6a80596 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -44,7 +44,7 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
 	return status;
 }
 
-NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
 			  const char *uuid, uint_t version)
 {
 	NTSTATUS status;
@@ -63,7 +63,7 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
 			return status;
 		}
 
-		status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+		status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type, auth_level);
 
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
@@ -77,19 +77,12 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
 	}
 
 	p->security_state.auth_info->auth_type = auth_type;
+	p->security_state.auth_info->auth_level = auth_level;
 	p->security_state.auth_info->auth_pad_length = 0;
 	p->security_state.auth_info->auth_reserved = 0;
 	p->security_state.auth_info->auth_context_id = random();
 	p->security_state.auth_info->credentials = null_data_blob;
 
-	if (p->flags & DCERPC_SEAL) {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-	} else if (p->flags & DCERPC_SIGN) {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-	} else {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
-	}
-
 	status = gensec_update(p->security_state.generic_state, mem_ctx,
 			       null_data_blob,
 			       &credentials);
@@ -126,7 +119,7 @@ done:
 	return status;
 }
 
-NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
 			  const char *uuid, uint_t version)
 {
 	NTSTATUS status;
@@ -145,7 +138,8 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
 			return status;
 		}
 
-		status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+		status = gensec_start_mech_by_authtype(p->security_state.generic_state, 
+						       auth_type, auth_level);
 
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
@@ -159,19 +153,12 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
 	}
 
 	p->security_state.auth_info->auth_type = auth_type;
+	p->security_state.auth_info->auth_level = auth_level;
 	p->security_state.auth_info->auth_pad_length = 0;
 	p->security_state.auth_info->auth_reserved = 0;
 	p->security_state.auth_info->auth_context_id = random();
 	p->security_state.auth_info->credentials = null_data_blob;
 
-	if (p->flags & DCERPC_SEAL) {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-	} else if (p->flags & DCERPC_SIGN) {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-	} else {
-		p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
-	}
-
 	status = gensec_update(p->security_state.generic_state, mem_ctx,
 			       null_data_blob,
 			       &credentials);