-rw-r--r-- | source4/auth/gensec/gensec.c | 66 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.c | 6 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 101 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.c | 49 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.h | 1 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_sign.c | 107 |
6 files changed, 160 insertions, 170 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index b500a09fdc..87c60da84f 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -210,6 +210,44 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, /** + * Return OIDS from the security subsystems listed + */ + +const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx, + const struct gensec_security_ops_wrapper *wops) +{ + int i; + int j = 0; + int k; + const char **oid_list; + if (!wops) { + return NULL; + } + oid_list = talloc_array(mem_ctx, const char *, 1); + if (!oid_list) { + return NULL; + } + + for (i=0; wops[i].op; i++) { + if (!wops[i].op->oid) { + continue; + } + + for (k = 0; wops[i].op->oid[k]; k++) { + oid_list = talloc_realloc(mem_ctx, oid_list, const char *, j + 2); + if (!oid_list) { + return NULL; + } + oid_list[j] = wops[i].op->oid[k]; + j++; + } + } + oid_list[j] = NULL; + return oid_list; +} + + +/** * Return all the security subsystems currently enabled in GENSEC */ @@ -366,6 +404,7 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE); + gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES); if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { @@ -463,15 +502,9 @@ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, return NT_STATUS_NOT_IMPLEMENTED; } if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return gensec_check_packet(gensec_security, mem_ctx, - data, length, - whole_pdu, pdu_length, - sig); - } return NT_STATUS_INVALID_PARAMETER; } - + return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, 
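Review bot: gensec_security_oids_from_ops_wrapped grows oid_list with a talloc_realloc per OID inside the inner `for (k = 0; wops[i].op->oid[k]; k++)` loop and indexes with plain `int`; counting the OIDs first allows a single allocation and size_t indices. When talloc_realloc fails the function returns NULL, but the previously allocated array presumably stays attached to mem_ctx until that context is freed, which is acceptable for a talloc hierarchy but worth a one-line comment. A two-pass shape is sketched below; the copy loop is the original inner loop minus the realloc.
```c
const char **gensec_security_oids_from_ops_wrapped(TALLOC_CTX *mem_ctx,
						   const struct gensec_security_ops_wrapper *wops)
{
	size_t i, k, count = 0;
	const char **oid_list;

	if (!wops) {
		return NULL;
	}
	/* first pass: count the OIDs so one allocation is enough */
	for (i = 0; wops[i].op; i++) {
		if (!wops[i].op->oid) {
			continue;
		}
		for (k = 0; wops[i].op->oid[k]; k++) {
			count++;
		}
	}
	oid_list = talloc_array(mem_ctx, const char *, count + 1);
	if (!oid_list) {
		return NULL;
	}
	/* … unchanged: second pass copies wops[i].op->oid[k] into oid_list[j++], without the talloc_realloc … */
	oid_list[count] = NULL;
	return oid_list;
}
```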
@@ -504,15 +537,9 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, return NT_STATUS_NOT_IMPLEMENTED; } if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - return gensec_sign_packet(gensec_security, mem_ctx, - data, length, - whole_pdu, pdu_length, - sig); - } return NT_STATUS_INVALID_PARAMETER; } - + return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); } @@ -572,6 +599,10 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, if (!gensec_security->ops->session_key) { return NT_STATUS_NOT_IMPLEMENTED; } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + return gensec_security->ops->session_key(gensec_security, session_key); } @@ -633,7 +664,12 @@ BOOL gensec_have_feature(struct gensec_security *gensec_security, if (!gensec_security->ops->have_feature) { return False; } - return gensec_security->ops->have_feature(gensec_security, feature); + + /* Can only 'have' a feature if you already 'want'ed it */ + if (gensec_security->want_features & feature) { + return gensec_security->ops->have_feature(gensec_security, feature); + } + return False; } /** diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index ed3e2caa2a..fc961d8eaa 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -236,6 +236,12 @@ static BOOL schannel_have_feature(struct gensec_security *gensec_security, GENSEC_FEATURE_SEAL)) { return True; } + if (feature & GENSEC_FEATURE_DCE_STYLE) { + return True; + } + if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { + return True; + } return False; } diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 2d1d779e43..1a7cb1f0ed 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c 
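Review bot: Callers of gensec_session_key that never called gensec_want_feature(GENSEC_FEATURE_SESSION_KEY) will now get NT_STATUS_NO_USER_SESSION_KEY, because the new check goes through gensec_have_feature, which in the later hunk on this line only consults the backend when `want_features & feature` is set. Nothing in this diff adds that want (the gensec_start_mech_by_authtype hunk adds only GENSEC_FEATURE_ASYNC_REPLIES), so the callers should be audited before this lands. A comment above the new check would make the contract explicit: `/* gensec_have_feature() only reports features requested via gensec_want_feature(), so SESSION_KEY must have been wanted before this call */`.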
@@ -394,60 +394,74 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ return NT_STATUS_INVALID_PARAMETER; } -/** create a client negTokenInit +/** create a negTokenInit * - * This is the case, where the client is the first one who sends data + * This is the same packet, no matter if the client or server sends it first, but it is always the first packet */ - -static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security, +static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security, struct spnego_state *spnego_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { - DATA_BLOB null_data_blob = data_blob(NULL, 0); - NTSTATUS nt_status; + int i; + NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER; + DATA_BLOB null_data_blob = data_blob(NULL,0); const char **mechTypes = NULL; DATA_BLOB unwrapped_out = data_blob(NULL, 0); mechTypes = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO); - if (!mechTypes) { - DEBUG(1, ("no GENSEC OID backends available\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - nt_status = gensec_subcontext_start(spnego_state, - gensec_security, - &spnego_state->sub_sec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - /* select our preferred mech */ - nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security, - mechTypes[0]); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(spnego_state->sub_sec_security); - spnego_state->sub_sec_security = NULL; - return nt_status; - } - nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, in, &unwrapped_out); - if (NT_STATUS_IS_OK(nt_status) || NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + const struct gensec_security_ops_wrapper *all_sec + = gensec_security_by_oid_list(out_mem_ctx, + mechTypes, + GENSEC_OID_SPNEGO); + for (i=0; all_sec && all_sec[i].op; i++) { struct spnego_data spnego_out; + nt_status = 
gensec_subcontext_start(spnego_state, + gensec_security, + &spnego_state->sub_sec_security); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + /* select the sub context */ + nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security, + all_sec[i].op); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(spnego_state->sub_sec_security); + spnego_state->sub_sec_security = NULL; + continue; + } + + nt_status = gensec_update(spnego_state->sub_sec_security, + out_mem_ctx, + null_data_blob, + &unwrapped_out); + + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) + && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) + && !NT_STATUS_IS_OK(nt_status)) { + DEBUG(3, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n", + spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); + talloc_free(spnego_state->sub_sec_security); + spnego_state->sub_sec_security = NULL; + /* Pretend we never started it (lets the first run find some incompatible demand) */ + + continue; + } spnego_out.type = SPNEGO_NEG_TOKEN_INIT; - spnego_out.negTokenInit.mechTypes = mechTypes; + spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx, + &all_sec[i]); spnego_out.negTokenInit.reqFlags = 0; spnego_out.negTokenInit.mechListMIC = null_data_blob; spnego_out.negTokenInit.mechToken = unwrapped_out; if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n")); + DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n")); return NT_STATUS_INVALID_PARAMETER; } /* set next state */ spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; - spnego_state->state_position = SPNEGO_CLIENT_TARG; if (NT_STATUS_IS_OK(nt_status)) { spnego_state->no_response_expected = True; 
@@ -535,8 +549,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA out_mem_ctx, in, out); case SPNEGO_SERVER_START: { + NTSTATUS nt_status; if (in.length) { - NTSTATUS nt_status; len = spnego_read_data(in, &spnego); if (len == -1) { @@ -571,25 +585,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA return nt_status; } else { - const char **mechlist = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO); - - spnego_out.type = SPNEGO_NEG_TOKEN_INIT; - spnego_out.negTokenInit.mechTypes = mechlist; - spnego_out.negTokenInit.reqFlags = 0; - spnego_out.negTokenInit.mechListMIC - = data_blob_string_const(talloc_asprintf(out_mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm())); - spnego_out.negTokenInit.mechToken = data_blob(NULL, 0); - - if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* set next state */ - spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; spnego_state->state_position = SPNEGO_SERVER_TARG; - - return NT_STATUS_MORE_PROCESSING_REQUIRED; + return gensec_spnego_create_negTokenInit(gensec_security, spnego_state, + out_mem_ctx, in, out); } } @@ -602,7 +600,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (!in.length) { /* client to produce negTokenInit */ - return gensec_spnego_client_negTokenInit(gensec_security, spnego_state, + spnego_state->state_position = SPNEGO_CLIENT_TARG; + return gensec_spnego_create_negTokenInit(gensec_security, spnego_state, out_mem_ctx, in, out); } diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 339c219f62..82d6dd0e8f 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c 
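Review bot: In the SPNEGO_SERVER_START else-branch the server-initiated negTokenInit loses its principal hint: the removed code placed `NetBIOS$@realm` in mechListMIC, whereas gensec_spnego_create_negTokenInit (earlier hunk) sets `mechListMIC = null_data_blob` and additionally carries a mechToken from the first usable mechanism. The return value also changes from an unconditional NT_STATUS_MORE_PROCESSING_REQUIRED to whatever the helper returns, which can be NT_STATUS_OK if a sub-mechanism completes on an empty input, so the server path should be checked for that outcome. `spnego_state->state_position = SPNEGO_SERVER_TARG` is now set before the helper runs, so a failed creation leaves the state advanced; the client path in the next hunk does the same. If dropping the hint is intended, a one-line comment at the call site saying so would save the next reader the archaeology.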
@@ -185,25 +185,6 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, return status; } - gensec_ntlmssp_state->have_features = 0; - - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SIGN; - } - - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SEAL; - } - - if (gensec_ntlmssp_state->session_key.data) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SESSION_KEY; - } - - /* only NTLMv2 can handle async replies */ - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_ASYNC_REPLIES; - } - return status; } @@ -317,10 +298,35 @@ static BOOL gensec_ntlmssp_have_feature(struct gensec_security *gensec_security, uint32_t feature) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - if (gensec_ntlmssp_state->have_features & feature) { + if (feature & GENSEC_FEATURE_SIGN) { + if (!gensec_ntlmssp_state->session_key.length) { + return False; + } + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + return True; + } + } + if (feature & GENSEC_FEATURE_SEAL) { + if (!gensec_ntlmssp_state->session_key.length) { + return False; + } + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + return True; + } + } + if (feature & GENSEC_FEATURE_SESSION_KEY) { + if (gensec_ntlmssp_state->session_key.length) { + return True; + } + } + if (feature & GENSEC_FEATURE_DCE_STYLE) { return True; } - + if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + return True; + } + } return False; } 
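Review bot: gensec_ntlmssp_have_feature treats `feature` inconsistently when more than one bit is set: the SIGN and SEAL blocks `return False` as soon as there is no session key, while the later blocks fall through, so `GENSEC_FEATURE_SIGN|GENSEC_FEATURE_DCE_STYLE` answers False before the DCE_STYLE test is reached, whereas `GENSEC_FEATURE_DCE_STYLE|GENSEC_FEATURE_ASYNC_REPLIES` answers True regardless. The code removed from ntlmssp_sign.c did pass OR-ed masks (`GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN`), so if any caller still does, the answer depends on bit order. Either document single-bit use, `/* feature must be a single GENSEC_FEATURE_* bit; OR-ed masks are not supported */`, or make each block a pure fall-through test, e.g. `if ((feature & GENSEC_FEATURE_SIGN) && gensec_ntlmssp_state->session_key.length && (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { return True; }`.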
@@ -335,7 +341,6 @@ NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->auth_context = NULL; gensec_ntlmssp_state->server_info = NULL; - gensec_ntlmssp_state->have_features = 0; gensec_security->private_data = gensec_ntlmssp_state; return NT_STATUS_OK; diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h index 36d12a9820..2ee069bada 100644 --- a/source4/auth/ntlmssp/ntlmssp.h +++ b/source4/auth/ntlmssp/ntlmssp.h @@ -180,7 +180,6 @@ struct gensec_ntlmssp_state struct auth_context *auth_context; struct auth_serversupplied_info *server_info; - uint32_t have_features; }; diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index 960841ecf2..75c6cf845b 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c +++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -49,7 +49,7 @@ static void calc_ntlmv2_key(TALLOC_CTX *mem_ctx, *subkey = data_blob_talloc(mem_ctx, NULL, 16); MD5Init(&ctx3); MD5Update(&ctx3, session_key.data, session_key.length); - MD5Update(&ctx3, constant, strlen(constant)+1); + MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1); MD5Final(subkey->data, &ctx3); } @@ -131,21 +131,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, { struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - if (!gensec_ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot check sign packet\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) { - DEBUG(3, ("GENSEC Signing not requested - cannot sign packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { - DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - return ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, 
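Review bot: gensec_ntlmssp_sign_packet is now the only one of the four sign/seal entry points without a session-key guard: the check_packet, seal_packet and unseal_packet hunks below still return NT_STATUS_NO_USER_SESSION_KEY, but here the `session_key.length` test was removed together with the want/neg checks, so ntlmssp_make_packet_signature can be reached with an empty key if this exported function is ever called other than through gensec_sign_packet. Centralising the want_features and neg_flags checks in gensec_have_feature is reasonable, but the key guard is cheap defence in depth and keeps the four functions consistent: `if (!gensec_ntlmssp_state->session_key.length) { DEBUG(3, ("NO session key, cannot check sign packet\n")); return NT_STATUS_NO_USER_SESSION_KEY; }`. The same centralisation applies to the seal and unseal hunks below, where only the key guard was kept.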
@@ -173,11 +158,6 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, return NT_STATUS_NO_USER_SESSION_KEY; } - if (!(gensec_security->want_features & (GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN))) { - DEBUG(3, ("GENSEC Signing/Sealing not requested - cannot check packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - if (sig->length < 8) { DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", (unsigned long)sig->length)); @@ -244,17 +224,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security, return NT_STATUS_NO_USER_SESSION_KEY; } - if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) { - DEBUG(3, ("GENSEC Sealing not requested - cannot seal packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { - DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - DEBUG(10,("ntlmssp_seal_data: seal\n")); dump_data_pw("ntlmssp clear data\n", data, length); if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 
@@ -317,43 +286,14 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, return NT_STATUS_NO_USER_SESSION_KEY; } - if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) { - DEBUG(3, ("GENSEC Sealing not requested - cannot unseal packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - dump_data_pw("ntlmssp sealed data\n", data, length); if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length); - - nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, - data, length, - whole_pdu, pdu_length, - NTLMSSP_RECEIVE, &local_sig, True); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - if (local_sig.length != sig->length || - memcmp(local_sig.data, - sig->data, sig->length) != 0) { - DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n")); - dump_data(5, local_sig.data, local_sig.length); - - DEBUG(5, ("BAD SIG: got signature of\n")); - dump_data(5, sig->data, sig->length); - - DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n")); - return NT_STATUS_ACCESS_DENIED; - } - - dump_data_pw("ntlmssp clear data\n", data, length); - return NT_STATUS_OK; } else { arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length); - dump_data_pw("ntlmssp clear data\n", data, length); - return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); } + dump_data_pw("ntlmssp clear data\n", data, length); + return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); } /** 
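Review bot: Both decrypt paths in gensec_ntlmssp_unseal_packet now end in gensec_ntlmssp_check_packet, but the removed NTLM2 branch verified through ntlmssp_make_packet_signature with a final argument of `True` (presumably an encrypted-signature flag); unless check_packet already handles the NTLM2 receive case the same way, sealed NTLM2 packets will fail verification, so this should be confirmed against check_packet. The function starts outside the hunk, and if `nt_status` and `local_sig` were declared at its top for the removed code they are now unused. A short comment at the shared tail, `/* check_packet handles both the NTLM2 (encrypted) and NTLM signature forms */`, would record the assumption once verified.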
@@ -406,11 +346,18 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); /** - Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions. + Weaken NTLMSSP keys to cope with down-level + clients, servers and export restrictions. - We probably should have some parameters to control this, once we get NTLM2 working. + We probably should have some parameters to control + this, once we get NTLM2 working. */ + /* Key weakening was not performed on the master key + * for NTLM2 (in ntlmssp_weaken_keys()), but must be + * done on the encryption subkeys only. That is why + * we don't have this code for the ntlmv1 case. + */ if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { 
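Review bot: The added comment is hard to follow: "must be done on the encryption subkeys only. That is why we don't have this code for the ntlmv1 case" reads as if the weakening below were the NTLMv1 path, while the `NTLMSSP_NEGOTIATE_128` block it introduces appears to be the NTLM2 subkey setup. If that is the intent, suggest: `/* For NTLM2 the master key is not weakened in ntlmssp_weaken_keys(); the export-strength reduction is applied here to the seal subkeys only. NTLMv1 keys are presumably already weakened there, so no equivalent code exists for that case. */`. Since the strength chosen follows peer-negotiated flags, the "should have some parameters to control this" remark above is worth keeping until such a control exists.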
@@ -500,35 +447,34 @@ NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security, DATA_BLOB sig; NTSTATUS nt_status; - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); - + nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx, out->data + NTLMSSP_SIG_SIZE, out->length - NTLMSSP_SIG_SIZE, out->data + NTLMSSP_SIG_SIZE, out->length - NTLMSSP_SIG_SIZE, &sig); - + if (NT_STATUS_IS_OK(nt_status)) { memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); } return nt_status; - } else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) - || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { + } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx, - out->data + NTLMSSP_SIG_SIZE, - out->length - NTLMSSP_SIG_SIZE, - out->data + NTLMSSP_SIG_SIZE, - out->length - NTLMSSP_SIG_SIZE, - &sig); + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + out->data + NTLMSSP_SIG_SIZE, + out->length - NTLMSSP_SIG_SIZE, + &sig); if (NT_STATUS_IS_OK(nt_status)) { memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); @@ -550,7 +496,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; DATA_BLOB sig; - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { if (in->length < NTLMSSP_SIG_SIZE) { return NT_STATUS_INVALID_PARAMETER; } 
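Review bot: A sealed or signed packet arriving on a context where the peer negotiated SEAL/SIGN but the local side never wanted it is now passed through unverified by gensec_ntlmssp_unwrap: the branch selection goes through gensec_have_feature, which after the gensec.c change is true only for wanted features, and the `*out = *in; return NT_STATUS_OK;` tail in the last hunk on the next line accepts whatever falls through. The sign branch (`} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN))`) also drops the former NTLMSSP_NEGOTIATE_ALWAYS_SIGN alternative, since the new have_feature checks only NTLMSSP_NEGOTIATE_SIGN; if an ALWAYS_SIGN-only negotiation is reachable it now takes the same pass-through. If the pass-through is meant only for unprotected contexts, make that explicit before the final else: `} else if (gensec_ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_SIGN)) { return NT_STATUS_INVALID_PARAMETER; } else {`. The same consideration applies to gensec_ntlmssp_wrap earlier on this line, whose hunk runs past what is shown.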
@@ -564,8 +510,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, out->data, out->length, &sig); - } else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) - || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { + } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { if (in->length < NTLMSSP_SIG_SIZE) { return NT_STATUS_INVALID_PARAMETER; } @@ -575,9 +520,9 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, - out->data, out->length, - out->data, out->length, - &sig); + out->data, out->length, + out->data, out->length, + &sig); } else { *out = *in; return NT_STATUS_OK; |