-rw-r--r--source4/ldap_server/ldap_server.c12
-rw-r--r--source4/libcli/auth/gensec.c27
-rw-r--r--source4/libcli/auth/gensec.h7
-rw-r--r--source4/libcli/auth/gensec_ntlmssp.c31
-rw-r--r--source4/libcli/ldap/ldap_client.c2
-rw-r--r--source4/smb_server/sesssetup.c2
6 files changed, 49 insertions, 32 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 9f256b0b8b..ea1b8cb9b4 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -195,8 +195,8 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
size_t nread;
if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
+ !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
return read_into_buf(sock, &conn->in_buffer);
}
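Review bot: The guard on the first two changed lines takes the SASL-wrapped read path only when both GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL were negotiated, so a session on which the backend negotiated signing but not sealing (a combination gensec_ntlmssp_update in this commit now reports separately) falls through to `read_into_buf` and is parsed as unprotected LDAP, even though the second hunk of this file already branches on SEAL alone before unsealing. If the non-seal branch of that code verifies signatures with gensec_check_packet (it lies outside the hunk), the guard should be `!(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) || gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))`. The same guard appears in ldapsrv_write_buf in the third hunk of this file. ldapsrv_read_buf starts and ends outside the hunk.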
@@ -254,7 +254,7 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
tmp_blob.data = buf + (4 + creds.length);
tmp_blob.length = (4 + sasl_length) - (4 + creds.length);
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
+ if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
status = gensec_unseal_packet(conn->gensec, mem_ctx,
tmp_blob.data, tmp_blob.length,
tmp_blob.data, tmp_blob.length,
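Review bot: `tmp_blob.length = (4 + sasl_length) - (4 + creds.length);` on the context line just above the changed line is an unsigned subtraction, so if creds.length is larger than sasl_length the result wraps to a very large value that is then handed to gensec_unseal_packet as the input length. Unless that relation is validated earlier in ldapsrv_read_buf (outside this hunk), add a bound check such as `if (creds.length > sasl_length) { /* reject the frame */ }` before the subtraction, failing the read the way the function's other error paths do. The function starts and ends outside the hunk.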
@@ -320,8 +320,8 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
TALLOC_CTX *mem_ctx;
if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
+ !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
return write_from_buf(sock, &conn->out_buffer);
}
@@ -338,7 +338,7 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
goto nodata;
}
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
+ if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
status = gensec_seal_packet(conn->gensec, mem_ctx,
tmp_blob.data, tmp_blob.length,
tmp_blob.data, tmp_blob.length,
diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c
index 7243222b6d..147d1b12df 100644
--- a/source4/libcli/auth/gensec.c
+++ b/source4/libcli/auth/gensec.c
@@ -137,6 +137,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct gensec_security **gense
(*gensec_security)->subcontext = False;
(*gensec_security)->want_features = 0;
+ (*gensec_security)->have_features = 0;
return NT_STATUS_OK;
}
@@ -232,11 +233,11 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
return NT_STATUS_INVALID_PARAMETER;
}
if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
}
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
- gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
}
return gensec_start_mech(gensec_security);
@@ -310,8 +311,8 @@ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
if (!gensec_security->ops->unseal_packet) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return gensec_check_packet(gensec_security, mem_ctx,
data, length,
whole_pdu, pdu_length,
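Review bot: With the test now made against have_features, the fallback on the changed lines means a caller that asked for GENSEC_FEATURE_SEAL but whose peer negotiated only signing has its input "unsealed" by gensec_check_packet, i.e. confidentiality silently degrades to integrity; before the change the same fallback was reachable only when the caller itself had not asked for sealing, because it tested want_features. Keep the fallback for callers that never wanted sealing, but reject the wanted-but-not-negotiated case, e.g. `if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { return NT_STATUS_INVALID_PARAMETER; }` ahead of the gensec_check_packet call. The same fallback exists in gensec_seal_packet in the fourth hunk of this file, where it means plaintext is sent signed-only. gensec_unseal_packet continues outside the hunk.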
@@ -335,7 +336,7 @@ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
if (!gensec_security->ops->check_packet) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -351,8 +352,8 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
if (!gensec_security->ops->seal_packet) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return gensec_sign_packet(gensec_security, mem_ctx,
data, length,
whole_pdu, pdu_length,
@@ -373,7 +374,7 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
if (!gensec_security->ops->sign_packet) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -385,7 +386,7 @@ size_t gensec_sig_size(struct gensec_security *gensec_security)
if (!gensec_security->ops->sig_size) {
return 0;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return 0;
}
@@ -398,10 +399,6 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
if (!gensec_security->ops->session_key) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- if (!(gensec_security->want_features & GENSEC_WANT_SESSION_KEY)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
return gensec_security->ops->session_key(gensec_security, session_key);
}
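Review bot: The removed check is not replaced, so gensec_session_key now calls ops->session_key regardless of whether the backend reported GENSEC_FEATURE_SESSION_KEY, even though gensec_ntlmssp_update in this commit sets that flag exactly when a session key is present. Unless every backend is known to fail cleanly on a missing key, restore the gate on the negotiated state: `if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { return NT_STATUS_INVALID_PARAMETER; }`. If the removal is deliberate because callers query the key before the exchange completes, a one-line comment saying so here would stop the next reader from re-adding it.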
@@ -474,7 +471,7 @@ void gensec_want_feature(struct gensec_security *gensec_security,
BOOL gensec_have_feature(struct gensec_security *gensec_security,
uint32 feature)
{
- if (gensec_security->want_features & feature) {
+ if (gensec_security->have_features & feature) {
return True;
}
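Review bot: gensec_have_feature now answers a different question from the one its callers were written against — what the backend negotiated rather than what the caller requested — and nothing in this commit compares the two once the exchange completes, so a mechanism that fails to negotiate a wanted feature is only noticed if every caller re-checks after the final update(). A header comment on the function along the lines of `/* reports features the backend has actually negotiated (have_features), not those requested with gensec_want_feature(); only meaningful once update() has returned NT_STATUS_OK */` would make that contract explicit, and a single comparison of want_features against have_features at the point where update() completes would catch the gap centrally instead of per caller. The function's closing lines fall outside the hunk.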
diff --git a/source4/libcli/auth/gensec.h b/source4/libcli/auth/gensec.h
index f8b7e292e8..3d645bee82 100644
--- a/source4/libcli/auth/gensec.h
+++ b/source4/libcli/auth/gensec.h
@@ -41,9 +41,9 @@ struct gensec_target {
const char *service;
};
-#define GENSEC_WANT_SESSION_KEY 0x1
-#define GENSEC_WANT_SIGN 0x2
-#define GENSEC_WANT_SEAL 0x4
+#define GENSEC_FEATURE_SESSION_KEY 0x00000001
+#define GENSEC_FEATURE_SIGN 0x00000002
+#define GENSEC_FEATURE_SEAL 0x00000004
/* GENSEC mode */
enum gensec_role
@@ -99,6 +99,7 @@ struct gensec_security {
enum gensec_role gensec_role;
BOOL subcontext;
uint32 want_features;
+ uint32 have_features;
};
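Review bot: The new have_features member sits beside want_features with no comment telling a reader that the two differ in kind — one is set by callers through gensec_want_feature(), the other is filled in by the backend during update() — which is exactly the distinction the rest of this commit relies on. Suggest `uint32 want_features; /* requested by the caller via gensec_want_feature() */` and `uint32 have_features; /* negotiated by the backend; filled in during update() */`. The first hunk of this file could likewise note that the GENSEC_FEATURE_* values are the bit set used in both fields.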
/* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c
index 147e2359f4..07dacfb5e0 100644
--- a/source4/libcli/auth/gensec_ntlmssp.c
+++ b/source4/libcli/auth/gensec_ntlmssp.c
@@ -178,10 +178,10 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur
return nt_status;
}
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
- if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
@@ -219,7 +219,7 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
return status;
}
- if (gensec_security->want_features & GENSEC_WANT_SESSION_KEY) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
/*
* We need to set this to allow a later SetPassword
* via the SAMR pipe to succeed. Strange.... We could
@@ -231,10 +231,10 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
*/
gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
- if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
@@ -343,8 +343,27 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, T
const DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
+ NTSTATUS status;
+
+ status = ntlmssp_update(gensec_ntlmssp_state->ntlmssp_state, out_mem_ctx, in, out);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (gensec_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ gensec_security->have_features |= GENSEC_FEATURE_SIGN;
+ }
+
+ if (gensec_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ gensec_security->have_features |= GENSEC_FEATURE_SEAL;
+ }
- return ntlmssp_update(gensec_ntlmssp_state->ntlmssp_state, out_mem_ctx, in, out);
+ if (gensec_ntlmssp_state->ntlmssp_state->session_key.data) {
+ gensec_security->have_features |= GENSEC_FEATURE_SESSION_KEY;
+ }
+
+ return status;
}
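Review bot: have_features is updated on every call that returns NT_STATUS_MORE_PROCESSING_REQUIRED as well as on success, and each bit is only ever ORed in, so a flag present in neg_flags after an early round but dropped by the peer in a later message (NTLMSSP negotiation can narrow the flag set before the final message) stays reported as negotiated, and a caller that consults gensec_have_feature between rounds sees SIGN/SEAL as available before they are final. Derive the feature set once the exchange has completed and from the final flags rather than by accumulation, as below; the first line of the function's signature lies outside the hunk.
```c
	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* neg_flags are only final once the exchange has completed; report the
	 * negotiated features from that final state instead of accumulating them */
	if (NT_STATUS_IS_OK(status)) {
		uint32 neg_flags = gensec_ntlmssp_state->ntlmssp_state->neg_flags;
		uint32 negotiated = 0;

		if (neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
			negotiated |= GENSEC_FEATURE_SIGN;
		}
		if (neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
			negotiated |= GENSEC_FEATURE_SEAL;
		}
		if (gensec_ntlmssp_state->ntlmssp_state->session_key.data) {
			negotiated |= GENSEC_FEATURE_SESSION_KEY;
		}
		gensec_security->have_features = negotiated;
	}

	return status;
```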
/**
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 88c84d880b..a9b20b4ea8 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -382,7 +382,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha
return result;
}
- gensec_want_feature(conn->gensec, GENSEC_WANT_SIGN | GENSEC_WANT_SEAL);
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
status = gensec_set_domain(conn->gensec, domain);
if (!NT_STATUS_IS_OK(status)) {
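Review bot: The client requests both signing and sealing on the changed line, but nothing in this hunk or elsewhere in the commit checks that the bind actually negotiated them, and gensec_have_feature now reports only the negotiated set, so a server that grants neither leaves the client's subsequent traffic unprotected if its read/write path (outside this hunk) keys off gensec_have_feature the way ldap_server.c does. Once the bind outcome is known, require the requested protection before reporting success, e.g. `if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { /* fail the bind the way the earlier error return does */ }`. ldap_bind_sasl starts and ends outside the hunk.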
diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c
index 453f296c78..d8dde02c12 100644
--- a/source4/smb_server/sesssetup.c
+++ b/source4/smb_server/sesssetup.c
@@ -238,7 +238,7 @@ static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup
return status;
}
- gensec_want_feature(gensec_ctx, GENSEC_WANT_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {