-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.h | 2 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 6 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_sign.c | 2 | ||||
-rw-r--r-- | source4/torture/auth/ntlmssp.c | 14 |
4 files changed, 14 insertions, 10 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h index 9d6b827fbc..36d12a9820 100644 --- a/source4/auth/ntlmssp/ntlmssp.h +++ b/source4/auth/ntlmssp/ntlmssp.h @@ -87,8 +87,6 @@ struct gensec_ntlmssp_state BOOL allow_lm_key; /* The LM_KEY code is not functional at this point, and it's not very secure anyway */ - BOOL server_use_session_keys; /* Set to 'False' for authentication only, - that will never return a session key */ BOOL server_multiple_authentications; /* Set to 'True' to allow squid 2.5 style 'challenge caching' */ diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index db169684d6..bbe9b213f9 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -560,11 +560,12 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security, /* Finally, actually ask if the password is OK */ if (!NT_STATUS_IS_OK(nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state, - &user_session_key, &lm_session_key))) { + &user_session_key, &lm_session_key))) { return nt_status; } - if (gensec_ntlmssp_state->server_use_session_keys) { + if (gensec_security->want_features + & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY)) { return ntlmssp_server_postauth(gensec_security, &user_session_key, &lm_session_key); } else { gensec_ntlmssp_state->session_key = data_blob(NULL, 0); @@ -715,7 +716,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth() && lp_parm_bool(-1, "ntlmssp_server", "allow_lm_key", False)); - gensec_ntlmssp_state->server_use_session_keys = True; gensec_ntlmssp_state->server_multiple_authentications = False; gensec_ntlmssp_state->neg_flags = diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index d8a5a0f909..960841ecf2 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c 
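Review bot: In ntlmssp_server_auth the session key is now derived only when the caller's `want_features` carries SIGN, SEAL or SESSION_KEY, which flips the default: the removed `server_use_session_keys` was set to True in gensec_ntlmssp_server_start (see the @@ -715 hunk), so every server previously got a key. A caller that reads the session key after authentication without having requested `GENSEC_FEATURE_SESSION_KEY` first will presumably now get the zero-length blob from the else branch, so callers outside this diff that sign or seal with that key should be checked. I would document the contract at the branch, e.g. `/* authentication only: no SIGN/SEAL/SESSION_KEY requested, so no session key is derived */`, and consider a `DEBUG(3, ...)` line there so the condition shows up in logs. The function body continues outside the hunk.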
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -137,7 +137,7 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, } if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) { - DEBUG(3, ("GENSEC Signing not requested - cannot seal packet!\n")); + DEBUG(3, ("GENSEC Signing not requested - cannot sign packet!\n")); return NT_STATUS_INVALID_PARAMETER; } diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c index 644d502d99..48deb4e73a 100644 --- a/source4/torture/auth/ntlmssp.c +++ b/source4/torture/auth/ntlmssp.c @@ -39,9 +39,13 @@ BOOL torture_ntlmssp_self_check(void) gensec_set_credentials(gensec_security, cmdline_credentials); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); + status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { + printf("Failed to start GENSEC for NTLMSSP\n"); return False; } @@ -52,8 +56,7 @@ BOOL torture_ntlmssp_self_check(void) gensec_ntlmssp_state->session_key.data, gensec_ntlmssp_state->session_key.length); - gensec_ntlmssp_state->server_use_session_keys = True; - gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_NTLM2; + gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_NTLM2; if (!NT_STATUS_IS_OK(status = ntlmssp_sign_init(gensec_ntlmssp_state))) { printf("Failed to sign_init: %s\n", nt_errstr(status)); 
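Review bot: The new `printf("Failed to start GENSEC for NTLMSSP\n")` in the @@ -39 hunk drops the NTSTATUS, unlike the `Failed to sign_init: %s` message later in the same function. The identical text is reused in the @@ -83 hunk for a different call (gensec_client_start rather than gensec_start_mech_by_oid), so the output cannot tell the two failures apart. Suggest `printf("Failed to start GENSEC mech NTLMSSP: %s\n", nt_errstr(status));` here and `printf("Failed to start GENSEC client: %s\n", nt_errstr(status));` there. torture_ntlmssp_self_check starts and ends outside the hunk.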
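Review bot: The hand-assigned `neg_flags` in the @@ -52 hunk presumably replaces whatever the mechanism start computed, so the `gensec_want_feature()` calls added in the @@ -39 hunk matter mainly because gensec_ntlmssp_sign_packet returns NT_STATUS_INVALID_PARAMETER when `want_features` lacks GENSEC_FEATURE_SIGN (visible in the ntlmssp_sign.c hunk). That coupling deserves a comment above the assignment, e.g. `/* flags forced for the self-check; want_features must still carry SIGN or sign_packet refuses */`. The mask gains NTLMSSP_NEGOTIATE_SIGN but no seal flag although GENSEC_FEATURE_SEAL is requested, which looks inconsistent if sealing is meant to be exercised. The same applies to the @@ -101 hunk.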
@@ -83,11 +86,15 @@ BOOL torture_ntlmssp_self_check(void) status = gensec_client_start(NULL, &gensec_security); if (!NT_STATUS_IS_OK(status)) { + printf("Failed to start GENSEC for NTLMSSP\n"); return False; } gensec_set_credentials(gensec_security, cmdline_credentials); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); + status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { @@ -101,8 +108,7 @@ BOOL torture_ntlmssp_self_check(void) gensec_ntlmssp_state->session_key.data, gensec_ntlmssp_state->session_key.length); - gensec_ntlmssp_state->server_use_session_keys = True; - gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_KEY_EXCH; + gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_KEY_EXCH; if (!NT_STATUS_IS_OK(status = ntlmssp_sign_init(gensec_ntlmssp_state))) { printf("Failed to sign_init: %s\n", nt_errstr(status)); |