r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back

into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplfies the code ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
author: Andrew Bartlett <abartlet@samba.org> 2005-08-20 06:14:14 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:33:36 -0500
commit: 7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2 (patch)
tree: 987e6d15bb3cde5f568ff2b4d2430f67542677be /source4
parent: 40f56f63bec5a609229033dc4c0854bb4fb16f06 (diff)
download: samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.tar.gz
samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.tar.bz2
samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.zip
6 files changed, 160 insertions, 170 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index b500a09fdc..87c60da84f 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -210,6 +210,44 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
 
 
 /**
+ * Return OIDS from the security subsystems listed
+ */
+
+const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, 
+						   const struct gensec_security_ops_wrapper *wops)
+{
+	int i;
+	int j = 0;
+	int k;
+	const char **oid_list;
+	if (!wops) {
+		return NULL;
+	}
+	oid_list = talloc_array(mem_ctx, const char *, 1);
+	if (!oid_list) {
+		return NULL;
+	}
+	
+	for (i=0; wops[i].op; i++) {
+		if (!wops[i].op->oid) {
+			continue;
+		}
+		
+		for (k = 0; wops[i].op->oid[k]; k++) {
+			oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2);
+			if (!oid_list) {
+				return NULL;
+			}
+			oid_list[j] = wops[i].op->oid[k];
+			j++;
+		}
+	}
+	oid_list[j] = NULL;
+	return oid_list;
+}
+
+
+/**
  * Return all the security subsystems currently enabled in GENSEC 
  */
 
@@ -366,6 +404,7 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
+	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
 		gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
 	} else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
@@ -463,15 +502,9 @@ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-		if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			return gensec_check_packet(gensec_security, mem_ctx, 
-						   data, length, 
-						   whole_pdu, pdu_length, 
-						   sig);
-		}
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-
+	
 	return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, 
 						   data, length, 
 						   whole_pdu, pdu_length, 
@@ -504,15 +537,9 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-		if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			return gensec_sign_packet(gensec_security, mem_ctx, 
-						  data, length, 
-						  whole_pdu, pdu_length, 
-						  sig);
-		}
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-
+	
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
 
@@ -572,6 +599,10 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->session_key) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
+		return NT_STATUS_NO_USER_SESSION_KEY;
+	}
+	
 	return gensec_security->ops->session_key(gensec_security, session_key);
 }
 
@@ -633,7 +664,12 @@ BOOL gensec_have_feature(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->have_feature) {
 		return False;
 	}
-	return gensec_security->ops->have_feature(gensec_security, feature);
+	
+	/* Can only 'have' a feature if you already 'want'ed it */
+	if (gensec_security->want_features & feature) {
+		return gensec_security->ops->have_feature(gensec_security, feature);
+	}
+	return False;
 }
 
 /** 
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index ed3e2caa2a..fc961d8eaa 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -236,6 +236,12 @@ static BOOL schannel_have_feature(struct gensec_security *gensec_security,
 		       GENSEC_FEATURE_SEAL)) {
 		return True;
 	}
+	if (feature & GENSEC_FEATURE_DCE_STYLE) {
+		return True;
+	}
+	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
+		return True;
+	}
 	return False;
 }
 
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 2d1d779e43..1a7cb1f0ed 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -394,60 +394,74 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 	return NT_STATUS_INVALID_PARAMETER;
 }
 
-/** create a client negTokenInit 
+/** create a negTokenInit 
  *
- * This is the case, where the client is the first one who sends data
+ * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
 */
-
-static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security, 
+static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security, 
 						  struct spnego_state *spnego_state,
 						  TALLOC_CTX *out_mem_ctx, 
 						  const DATA_BLOB in, DATA_BLOB *out) 
 {
-	DATA_BLOB null_data_blob = data_blob(NULL, 0);
-	NTSTATUS nt_status;
+	int i;
+	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
+	DATA_BLOB null_data_blob = data_blob(NULL,0);
 	const char **mechTypes = NULL;
 	DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 
 	mechTypes = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO);
 
-	if (!mechTypes) {
-		DEBUG(1, ("no GENSEC OID backends available\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	nt_status = gensec_subcontext_start(spnego_state, 
-					    gensec_security, 
-					    &spnego_state->sub_sec_security);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-	/* select our preferred mech */
-	nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
-					     mechTypes[0]);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(spnego_state->sub_sec_security);
-		spnego_state->sub_sec_security = NULL;
-		return nt_status;
-	}
-	nt_status = gensec_update(spnego_state->sub_sec_security,
-				  out_mem_ctx, in, &unwrapped_out);
-	if (NT_STATUS_IS_OK(nt_status) || NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+	const struct gensec_security_ops_wrapper *all_sec
+		= gensec_security_by_oid_list(out_mem_ctx, 
+					      mechTypes,
+					      GENSEC_OID_SPNEGO);
+	for (i=0; all_sec && all_sec[i].op; i++) {
 		struct spnego_data spnego_out;
+		nt_status = gensec_subcontext_start(spnego_state,
+						    gensec_security,
+						    &spnego_state->sub_sec_security);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
+		/* select the sub context */
+		nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+						     all_sec[i].op);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(spnego_state->sub_sec_security);
+			spnego_state->sub_sec_security = NULL;
+			continue;
+		}
+
+		nt_status = gensec_update(spnego_state->sub_sec_security,
+					  out_mem_ctx, 
+					  null_data_blob,
+					  &unwrapped_out);
+
+		if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
+		    && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) 
+		    && !NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(3, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n", 
+				  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+			talloc_free(spnego_state->sub_sec_security);
+			spnego_state->sub_sec_security = NULL;
+			/* Pretend we never started it (lets the first run find some incompatible demand) */
+
+			continue;
+		}
 		spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
-		spnego_out.negTokenInit.mechTypes = mechTypes;
+		spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx, 
+											  &all_sec[i]);
 		spnego_out.negTokenInit.reqFlags = 0;
 		spnego_out.negTokenInit.mechListMIC = null_data_blob;
 		spnego_out.negTokenInit.mechToken = unwrapped_out;
 		
 		if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-			DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
+			DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
 				return NT_STATUS_INVALID_PARAMETER;
 		}
 		
 		/* set next state */
 		spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
-		spnego_state->state_position = SPNEGO_CLIENT_TARG;
 		
 		if (NT_STATUS_IS_OK(nt_status)) {
 			spnego_state->no_response_expected = True;
@@ -535,8 +549,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 				     out_mem_ctx, in, out);
 	case SPNEGO_SERVER_START:
 	{
+		NTSTATUS nt_status;
 		if (in.length) {
-			NTSTATUS nt_status;
 
 			len = spnego_read_data(in, &spnego);
 			if (len == -1) {
@@ -571,25 +585,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			
 			return nt_status;
 		} else {
-			const char **mechlist = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO);
-
-			spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
-			spnego_out.negTokenInit.mechTypes = mechlist;
-			spnego_out.negTokenInit.reqFlags = 0;
-			spnego_out.negTokenInit.mechListMIC
-				= data_blob_string_const(talloc_asprintf(out_mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()));
-			spnego_out.negTokenInit.mechToken = data_blob(NULL, 0);
-			
-			if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-				DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
-				return NT_STATUS_INVALID_PARAMETER;
-			}
-			
-			/* set next state */
-			spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 			spnego_state->state_position = SPNEGO_SERVER_TARG;
-			
-			return NT_STATUS_MORE_PROCESSING_REQUIRED;
+			return gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
+								 out_mem_ctx, in, out);
 		}
 	}
 	
@@ -602,7 +600,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
 		if (!in.length) {
 			/* client to produce negTokenInit */
-			return gensec_spnego_client_negTokenInit(gensec_security, spnego_state, 
+			spnego_state->state_position = SPNEGO_CLIENT_TARG;
+			return gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
 								 out_mem_ctx, in, out);
 		}
 		
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 339c219f62..82d6dd0e8f 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -185,25 +185,6 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 		return status;
 	}
 	
-	gensec_ntlmssp_state->have_features = 0;
-
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
-		gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SIGN;
-	}
-
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
-		gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SEAL;
-	}
-
-	if (gensec_ntlmssp_state->session_key.data) {
-		gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SESSION_KEY;
-	}
-
-	/* only NTLMv2 can handle async replies */
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-		gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_ASYNC_REPLIES;
-	}
-
 	return status;
 }
 
@@ -317,10 +298,35 @@ static BOOL gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
 					uint32_t feature)
 {
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
-	if (gensec_ntlmssp_state->have_features & feature) {
+	if (feature & GENSEC_FEATURE_SIGN) {
+		if (!gensec_ntlmssp_state->session_key.length) {
+			return False;
+		}
+		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+			return True;
+		}
+	}
+	if (feature & GENSEC_FEATURE_SEAL) {
+		if (!gensec_ntlmssp_state->session_key.length) {
+			return False;
+		}
+		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+			return True;
+		}
+	}
+	if (feature & GENSEC_FEATURE_SESSION_KEY) {
+		if (gensec_ntlmssp_state->session_key.length) {
+			return True;
+		}
+	}
+	if (feature & GENSEC_FEATURE_DCE_STYLE) {
 		return True;
 	}
-
+	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
+		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+			return True;
+		}
+	}
 	return False;
 }
 
@@ -335,7 +341,6 @@ NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security)
 
 	gensec_ntlmssp_state->auth_context = NULL;
 	gensec_ntlmssp_state->server_info = NULL;
-	gensec_ntlmssp_state->have_features = 0;
 
 	gensec_security->private_data = gensec_ntlmssp_state;
 	return NT_STATUS_OK;
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index 36d12a9820..2ee069bada 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -180,7 +180,6 @@ struct gensec_ntlmssp_state
 
 	struct auth_context *auth_context;
 	struct auth_serversupplied_info *server_info;
-	uint32_t have_features;
 };
 
 
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 960841ecf2..75c6cf845b 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -49,7 +49,7 @@ static void calc_ntlmv2_key(TALLOC_CTX *mem_ctx,
 	*subkey = data_blob_talloc(mem_ctx, NULL, 16);
 	MD5Init(&ctx3);
 	MD5Update(&ctx3, session_key.data, session_key.length);
-	MD5Update(&ctx3, constant, strlen(constant)+1);
+	MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1);
 	MD5Final(subkey->data, &ctx3);
 }
 
@@ -131,21 +131,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 {
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 
-	if (!gensec_ntlmssp_state->session_key.length) {
-		DEBUG(3, ("NO session key, cannot check sign packet\n"));
-		return NT_STATUS_NO_USER_SESSION_KEY;
-	}
-	
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) {
-		DEBUG(3, ("GENSEC Signing not requested - cannot sign packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
-		DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	
 	return ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 
 					     data, length, 
 					     whole_pdu, pdu_length, 
@@ -173,11 +158,6 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & (GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN))) {
-		DEBUG(3, ("GENSEC Signing/Sealing not requested - cannot check packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	if (sig->length < 8) {
 		DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", 
 			  (unsigned long)sig->length));
@@ -244,17 +224,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
-		DEBUG(3, ("GENSEC Sealing not requested - cannot seal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
-		DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-
 	DEBUG(10,("ntlmssp_seal_data: seal\n"));
 	dump_data_pw("ntlmssp clear data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
@@ -317,43 +286,14 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
-	if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
-		DEBUG(3, ("GENSEC Sealing not requested - cannot unseal packet!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	dump_data_pw("ntlmssp sealed data\n", data, length);
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length);
-
-		nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 
-							  data, length, 
-							  whole_pdu, pdu_length, 
-							  NTLMSSP_RECEIVE, &local_sig, True);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-
-		if (local_sig.length != sig->length ||
-		    memcmp(local_sig.data, 
-			   sig->data, sig->length) != 0) {
-			DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
-			dump_data(5, local_sig.data, local_sig.length);
-			
-			DEBUG(5, ("BAD SIG: got signature of\n"));
-			dump_data(5, sig->data, sig->length);
-			
-			DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
-			return NT_STATUS_ACCESS_DENIED;
-		}
-
-		dump_data_pw("ntlmssp clear data\n", data, length);
-		return NT_STATUS_OK;
 	} else {
 		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
-		dump_data_pw("ntlmssp clear data\n", data, length);
-		return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
 	}
+	dump_data_pw("ntlmssp clear data\n", data, length);
+	return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
 
 /**
@@ -406,11 +346,18 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 		NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state);
 
 		/**
-		   Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
+		   Weaken NTLMSSP keys to cope with down-level
+		   clients, servers and export restrictions.
 		   
-		   We probably should have some parameters to control this, once we get NTLM2 working.
+		   We probably should have some parameters to control
+		   this, once we get NTLM2 working.
 		*/
 
+		/* Key weakening was not performed on the master key
+		 * for NTLM2 (in ntlmssp_weaken_keys()), but must be
+		 * done on the encryption subkeys only.  That is why
+		 * we don't have this code for the ntlmv1 case.
+		 */
 
 		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
 			
@@ -500,35 +447,34 @@ NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
 	DATA_BLOB sig;
 	NTSTATUS nt_status;
 
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 
 		*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
-
+		
 	        nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx, 
 						       out->data + NTLMSSP_SIG_SIZE, 
 						       out->length - NTLMSSP_SIG_SIZE, 
 						       out->data + NTLMSSP_SIG_SIZE, 
 						       out->length - NTLMSSP_SIG_SIZE, 
 						       &sig);
-
+		
 		if (NT_STATUS_IS_OK(nt_status)) {
 			memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
 		}
 		return nt_status;
 
-	} else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) 
-		   || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 
 		*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
 
 	        nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx, 
-						out->data + NTLMSSP_SIG_SIZE, 
-						out->length - NTLMSSP_SIG_SIZE, 
-						out->data + NTLMSSP_SIG_SIZE, 
-						out->length - NTLMSSP_SIG_SIZE, 
-						&sig);
+						       out->data + NTLMSSP_SIG_SIZE, 
+						       out->length - NTLMSSP_SIG_SIZE, 
+						       out->data + NTLMSSP_SIG_SIZE, 
+						       out->length - NTLMSSP_SIG_SIZE, 
+						       &sig);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
@@ -550,7 +496,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
 	DATA_BLOB sig;
 
-	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		if (in->length < NTLMSSP_SIG_SIZE) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -564,8 +510,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 						    out->data, out->length, 
 						    &sig);
 						  
-	} else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) 
-		   || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		if (in->length < NTLMSSP_SIG_SIZE) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -575,9 +520,9 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 		*out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
 		
 	        return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, 
-					    out->data, out->length, 
-					    out->data, out->length, 
-					    &sig);
+						   out->data, out->length, 
+						   out->data, out->length, 
+						   &sig);
 	} else {
 		*out = *in;
 		return NT_STATUS_OK;
author	Andrew Bartlett <abartlet@samba.org>	2005-08-20 06:14:14 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:33:36 -0500
commit	7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2 (patch)
tree	987e6d15bb3cde5f568ff2b4d2430f67542677be /source4
parent	40f56f63bec5a609229033dc4c0854bb4fb16f06 (diff)
download	samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.tar.gz samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.tar.bz2 samba-7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2.zip