diff options
-rw-r--r-- | source3/include/ntlmssp.h | 1 | ||||
-rw-r--r-- | source3/libsmb/ntlmssp.c | 20 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 18 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 23 |
4 files changed, 57 insertions, 5 deletions
diff --git a/source3/include/ntlmssp.h b/source3/include/ntlmssp.h index 30a37e06c3..a2dac7dc0b 100644 --- a/source3/include/ntlmssp.h +++ b/source3/include/ntlmssp.h @@ -60,6 +60,7 @@ enum NTLM_MESSAGE_TYPE #define NTLMSSP_CHAL_NON_NT_SESSION_KEY 0x00040000 #define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 #define NTLMSSP_CHAL_TARGET_INFO 0x00800000 +#define NTLMSSP_UNKNOWN_02000000 0x02000000 #define NTLMSSP_NEGOTIATE_128 0x20000000 /* 128-bit encryption */ #define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000 #define NTLMSSP_NEGOTIATE_56 0x80000000 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index e1ef69aed9..986fa8cce9 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c @@ -363,9 +363,6 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) { ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128; - if (neg_flags & NTLMSSP_NEGOTIATE_56) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; - } } if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) { @@ -376,10 +373,23 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH; } + if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + } + + if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + + /* Woop Woop - unknown flag for Windows compatibility... + What does this really do ? JRA. */ + if (!(neg_flags & NTLMSSP_UNKNOWN_02000000)) { + ntlmssp_state->neg_flags &= ~NTLMSSP_UNKNOWN_02000000; + } + if ((neg_flags & NTLMSSP_REQUEST_TARGET)) { ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; } - } /** @@ -840,6 +850,8 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state) (*ntlmssp_state)->neg_flags = NTLMSSP_NEGOTIATE_128 | + NTLMSSP_NEGOTIATE_56 | + NTLMSSP_UNKNOWN_02000000 | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2 | NTLMSSP_NEGOTIATE_KEY_EXCH | diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 37b1b2a671..11eb21df44 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2141,6 +2141,24 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli, return NT_STATUS_INVALID_INFO_CLASS; } + /* For NTLMSSP ensure the server gave us the auth_level we wanted. */ + if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { + if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) { + if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n")); + prs_mem_free(&rbuf); + return NT_STATUS_INVALID_PARAMETER; + } + } + if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) { + if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n")); + prs_mem_free(&rbuf); + return NT_STATUS_INVALID_PARAMETER; + } + } + } + /* Pipe is bound - set up auth_type and auth_level data. */ cli->auth.auth_type = auth_type; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 9b6fcb2f15..72298520e3 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -606,7 +606,7 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) NTSTATUS status; AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; - DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n")); + DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name)); ZERO_STRUCT(reply); @@ -629,6 +629,27 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) return False; } + /* Finally - if the pipe negotiated integrity (sign) or privacy (seal) + ensure the underlying NTLMSSP flags are also set. If not we should + refuse the bind. */ + + if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) { + if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested " + "but client declined signing.\n", + p->name )); + return False; + } + } + if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) { + if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested " + "but client declined sealing.\n", + p->name )); + return False; + } + } + fstrcpy(p->user_name, a->ntlmssp_state->user); fstrcpy(p->pipe_user_name, a->server_info->unix_name); fstrcpy(p->domain, a->ntlmssp_state->domain); |