-rw-r--r-- | source4/ldap_server/ldap_server.c | 12 | ||||
-rw-r--r-- | source4/libcli/auth/gensec.c | 27 | ||||
-rw-r--r-- | source4/libcli/auth/gensec.h | 7 | ||||
-rw-r--r-- | source4/libcli/auth/gensec_ntlmssp.c | 31 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_client.c | 2 | ||||
-rw-r--r-- | source4/smb_server/sesssetup.c | 2 |
6 files changed, 49 insertions, 32 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 9f256b0b8b..ea1b8cb9b4 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -195,8 +195,8 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
 size_t nread;
 if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
+ !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
 return read_into_buf(sock, &conn->in_buffer);
 }
@@ -254,7 +254,7 @@ static BOOL ldapsrv_read_buf(struct ldapsrv_connection *conn)
 tmp_blob.data = buf + (4 + creds.length);
 tmp_blob.length = (4 + sasl_length) - (4 + creds.length);
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
+ if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
 status = gensec_unseal_packet(conn->gensec, mem_ctx,
 tmp_blob.data, tmp_blob.length,
 tmp_blob.data, tmp_blob.length,
@@ -320,8 +320,8 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
 TALLOC_CTX *mem_ctx;
 if (!conn->gensec || !conn->session_info ||
- !(gensec_have_feature(conn->gensec, GENSEC_WANT_SIGN) &&
- gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL))) {
+ !(gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
+ gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL))) {
 return write_from_buf(sock, &conn->out_buffer);
 }
@@ -338,7 +338,7 @@ static BOOL ldapsrv_write_buf(struct ldapsrv_connection *conn)
 goto nodata;
 }
- if (gensec_have_feature(conn->gensec, GENSEC_WANT_SEAL)) {
+ if (gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
 status = gensec_seal_packet(conn->gensec, mem_ctx,
 tmp_blob.data, tmp_blob.length,
 tmp_blob.data, tmp_blob.length,
diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c
index 7243222b6d..147d1b12df 100644
--- a/source4/libcli/auth/gensec.c
+++ b/source4/libcli/auth/gensec.c
@@ -137,6 +137,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct gensec_security **gense
 (*gensec_security)->subcontext = False;
 (*gensec_security)->want_features = 0;
+ (*gensec_security)->have_features = 0;
 return NT_STATUS_OK;
 }
@@ -232,11 +233,11 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
 return NT_STATUS_INVALID_PARAMETER;
 }
 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
 }
 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
- gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 }
 return gensec_start_mech(gensec_security);
@@ -310,8 +311,8 @@ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 if (!gensec_security->ops->unseal_packet) {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 return gensec_check_packet(gensec_security, mem_ctx,
 data, length,
 whole_pdu, pdu_length,
@@ -335,7 +336,7 @@ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
 if (!gensec_security->ops->check_packet) {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 return NT_STATUS_INVALID_PARAMETER;
 }
@@ -351,8 +352,8 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 if (!gensec_security->ops->seal_packet) {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 return gensec_sign_packet(gensec_security, mem_ctx,
 data, length,
 whole_pdu, pdu_length,
@@ -373,7 +374,7 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
 if (!gensec_security->ops->sign_packet) {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 return NT_STATUS_INVALID_PARAMETER;
 }
@@ -385,7 +386,7 @@ size_t gensec_sig_size(struct gensec_security *gensec_security)
 if (!gensec_security->ops->sig_size) {
 return 0;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 return 0;
 }
@@ -398,10 +399,6 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 if (!gensec_security->ops->session_key) {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
- if (!(gensec_security->want_features & GENSEC_WANT_SESSION_KEY)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
 return gensec_security->ops->session_key(gensec_security, session_key);
 }
@@ -474,7 +471,7 @@ void gensec_want_feature(struct gensec_security *gensec_security,
 BOOL gensec_have_feature(struct gensec_security *gensec_security,
 uint32 feature)
 {
- if (gensec_security->want_features & feature) {
+ if (gensec_security->have_features & feature) {
 return True;
 }
diff --git a/source4/libcli/auth/gensec.h b/source4/libcli/auth/gensec.h
index f8b7e292e8..3d645bee82 100644
--- a/source4/libcli/auth/gensec.h
+++ b/source4/libcli/auth/gensec.h
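Review bot: gensec_session_key() is the one place in this file where the old want_features guard is deleted outright instead of being converted to gensec_have_feature() the way gensec_unseal_packet, gensec_check_packet, gensec_seal_packet, gensec_sign_packet and gensec_sig_size are, so a backend's session_key op is now invoked with no check that a key was ever negotiated. If the conversion was intended, replacing the removed lines with `if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {` / `return NT_STATUS_INVALID_PARAMETER;` / `}` keeps the family consistent; the NTLMSSP backend in this same commit already sets GENSEC_FEATURE_SESSION_KEY when session_key.data is present. If the guard was dropped on purpose because other backends do not yet populate have_features, a one-line comment at that point saying so would stop the next reader from re-adding it. The function's signature lies outside the hunk.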
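Review bot: gensec_have_feature() now answers from have_features alone, and on this page the only writer of that field is gensec_ntlmssp_update(), so nothing ever reconciles what a caller asked for through gensec_want_feature() with what was actually negotiated. Because ldap_server.c and the seal/unseal paths in this file branch on that answer, a context that wanted SEAL but did not obtain it — or any backend that simply never sets have_features — proceeds on the unsigned/unsealed path instead of failing, which is the wrong default for a downgrade. Consider checking, at the point where the negotiation completes (gensec_update(), not in this diff), `if (gensec_security->want_features & ~gensec_security->have_features) { return NT_STATUS_INVALID_PARAMETER; }`, or at least documenting which backends are expected to populate have_features; whether the non-NTLMSSP backends do so cannot be seen from this diff. The same want-vs-have switch is made in the gensec_unseal_packet, gensec_check_packet, gensec_seal_packet, gensec_sign_packet and gensec_sig_size hunks above.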
@@ -41,9 +41,9 @@ struct gensec_target {
 const char *service;
 };
-#define GENSEC_WANT_SESSION_KEY 0x1
-#define GENSEC_WANT_SIGN 0x2
-#define GENSEC_WANT_SEAL 0x4
+#define GENSEC_FEATURE_SESSION_KEY 0x00000001
+#define GENSEC_FEATURE_SIGN 0x00000002
+#define GENSEC_FEATURE_SEAL 0x00000004
 /* GENSEC mode */
 enum gensec_role
@@ -99,6 +99,7 @@ struct gensec_security {
 enum gensec_role gensec_role;
 BOOL subcontext;
 uint32 want_features;
+ uint32 have_features;
 };
 /* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c
index 147e2359f4..07dacfb5e0 100644
--- a/source4/libcli/auth/gensec_ntlmssp.c
+++ b/source4/libcli/auth/gensec_ntlmssp.c
@@ -178,10 +178,10 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur
 return nt_status;
 }
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
- if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
@@ -219,7 +219,7 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
 return status;
 }
- if (gensec_security->want_features & GENSEC_WANT_SESSION_KEY) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 /*
 * We need to set this to allow a later SetPassword
 * via the SAMR pipe to succeed. Strange.... We could
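Review bot: `uint32 have_features;` is added to struct gensec_security directly under want_features with no comment, yet the difference between the two fields is exactly what the rest of this commit depends on: want_features is what the caller requested via gensec_want_feature(), have_features is what the backend reports from the negotiation and is what gensec_have_feature() now reads. Suggest `/* features the caller asked for via gensec_want_feature() */` on want_features and `/* features actually negotiated; written by the backend's update() and read by gensec_have_feature() */` on the new line, plus a short note above the GENSEC_FEATURE_* defines that the same bits are used in both fields. Without this, a backend author has no cue that they must populate have_features for signing and sealing to be honoured.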
@@ -231,10 +231,10 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
 */
 gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
- if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 }
- if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
@@ -343,8 +343,27 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, T
 const DATA_BLOB in, DATA_BLOB *out)
 {
 struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
+ NTSTATUS status;
+
+ status = ntlmssp_update(gensec_ntlmssp_state->ntlmssp_state, out_mem_ctx, in, out);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (gensec_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ gensec_security->have_features |= GENSEC_FEATURE_SIGN;
+ }
+
+ if (gensec_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ gensec_security->have_features |= GENSEC_FEATURE_SEAL;
+ }
- return ntlmssp_update(gensec_ntlmssp_state->ntlmssp_state, out_mem_ctx, in, out);
+ if (gensec_ntlmssp_state->ntlmssp_state->session_key.data) {
+ gensec_security->have_features |= GENSEC_FEATURE_SESSION_KEY;
+ }
+
+ return status;
 }
 /**
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 88c84d880b..a9b20b4ea8 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
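Review bot: The three have_features assignments in gensec_ntlmssp_update() run on every round in which ntlmssp_update() returns NT_STATUS_MORE_PROCESSING_REQUIRED, and the bits are only ever OR'd in, so a SIGN or SEAL bit copied from neg_flags during an intermediate leg stays set even if the exchange ends without it, and gensec_have_feature() would then advertise a protection the connection does not have. Restrict the reporting to the completed negotiation by wrapping the three `if` blocks in `if (NT_STATUS_IS_OK(status)) { … }`, or assign the field from the current neg_flags rather than OR-ing into it so it always mirrors the latest state. Whether neg_flags can actually lose bits between rounds depends on ntlmssp_update(), which is not on this page, so treat this as a question to confirm rather than a certain defect. The function's signature begins before the hunk.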
@@ -382,7 +382,7 @@ int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const cha
 return result;
 }
- gensec_want_feature(conn->gensec, GENSEC_WANT_SIGN | GENSEC_WANT_SEAL);
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 status = gensec_set_domain(conn->gensec, domain);
 if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c
index 453f296c78..d8dde02c12 100644
--- a/source4/smb_server/sesssetup.c
+++ b/source4/smb_server/sesssetup.c
@@ -238,7 +238,7 @@ static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup
 return status;
 }
- gensec_want_feature(gensec_ctx, GENSEC_WANT_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
 status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
 if (!NT_STATUS_IS_OK(status)) {
|