3 files changed, 72 insertions, 15 deletions

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index df9c1face4..3868bfdf45 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -135,11 +135,30 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
 		return status;
 	}
 
-	/* check the signature */
-	status = ntlmssp_check_packet(p->ntlmssp_state, 
-				      pkt->u.response.stub_and_verifier.data, 
-				      pkt->u.response.stub_and_verifier.length, 
-				      &auth.credentials);
+
+	/* check signature or unseal the packet */
+	switch (p->auth_info->auth_level) {
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		status = ntlmssp_unseal_packet(p->ntlmssp_state, 
+					       pkt->u.response.stub_and_verifier.data, 
+					       pkt->u.response.stub_and_verifier.length, 
+					       &auth.credentials);
+		break;
+
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		status = ntlmssp_check_packet(p->ntlmssp_state, 
+					      pkt->u.response.stub_and_verifier.data, 
+					      pkt->u.response.stub_and_verifier.length, 
+					      &auth.credentials);
+		break;
+
+	case DCERPC_AUTH_LEVEL_NONE:
+		break;
+
+	default:
+		status = NT_STATUS_INVALID_LEVEL;
+		break;
+	}
 
 	/* remove the indicated amount of paddiing */
 	if (pkt->u.response.stub_and_verifier.length < auth.auth_pad_length) {
@@ -221,11 +240,31 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
 	p->auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
 	ndr_push_zero(ndr, p->auth_info->auth_pad_length);
 
-	/* sign the packet */
-	status = ntlmssp_sign_packet(p->ntlmssp_state, 
-				     ndr->data + DCERPC_REQUEST_LENGTH, 
-				     ndr->offset - DCERPC_REQUEST_LENGTH,
-				     &p->auth_info->credentials);
+	/* sign or seal the packet */
+	switch (p->auth_info->auth_level) {
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		status = ntlmssp_seal_packet(p->ntlmssp_state, 
+					     ndr->data + DCERPC_REQUEST_LENGTH, 
+					     ndr->offset - DCERPC_REQUEST_LENGTH,
+					     &p->auth_info->credentials);
+		break;
+
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		status = ntlmssp_sign_packet(p->ntlmssp_state, 
+					     ndr->data + DCERPC_REQUEST_LENGTH, 
+					     ndr->offset - DCERPC_REQUEST_LENGTH,
+					     &p->auth_info->credentials);
+		break;
+
+	case DCERPC_AUTH_LEVEL_NONE:
+		p->auth_info->credentials = data_blob(NULL, 0);
+		break;
+
+	default:
+		status = NT_STATUS_INVALID_LEVEL;
+		break;
+	}
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}	
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index e41b998d90..906f613593 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -51,14 +51,17 @@ struct dcerpc_pipe {
 };
 
 /* dcerpc pipe flags */
-#define DCERPC_DEBUG_PRINT_IN  1
-#define DCERPC_DEBUG_PRINT_OUT 2
+#define DCERPC_DEBUG_PRINT_IN  (1<<0)
+#define DCERPC_DEBUG_PRINT_OUT (1<<1)
 #define DCERPC_DEBUG_PRINT_BOTH (DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT)
 
 #define DCERPC_DEBUG_VALIDATE_IN  4
 #define DCERPC_DEBUG_VALIDATE_OUT 8
 #define DCERPC_DEBUG_VALIDATE_BOTH (DCERPC_DEBUG_VALIDATE_IN | DCERPC_DEBUG_VALIDATE_OUT)
 
+#define DCERPC_SIGN            16
+#define DCERPC_SEAL            32
+
 /*
   this is used to find pointers to calls
 */
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 103a3c70d8..5850ec6979 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -68,7 +68,17 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
 	}
 
 	p->auth_info->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
-	p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+	
+	if (p->flags & DCERPC_SEAL) {
+		p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+		state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL;
+	} else if (p->flags & DCERPC_SIGN) {
+		state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+	} else {
+		state->neg_flags &= ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL);
+		p->auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
+	}
 	p->auth_info->auth_pad_length = 0;
 	p->auth_info->auth_reserved = 0;
 	p->auth_info->auth_context_id = random();
@@ -113,8 +123,13 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
 
 	p->ntlmssp_state = state;
 
-	/* setup for signing */
-	status = ntlmssp_sign_init(state);
+	switch (p->auth_info->auth_level) {
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		/* setup for signing */
+		status = ntlmssp_sign_init(state);
+		break;
+	}
 
 done:
 	talloc_destroy(mem_ctx);