From 778bf87d8dbae333bfeea3b0d904fd2b17782745 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Jul 2011 12:10:30 +1000 Subject: s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server This is changed so that the callers ask for the additional flags that they need, starting with no additional flags. This helps to create a proper abstraction layer in ntlmssp_wrap/auth_ntlmssp. Andrew Bartlett Signed-off-by: Andrew Tridgell --- source3/librpc/crypto/cli_spnego.c | 1 + source3/libsmb/ntlmssp.c | 4 +--- source3/rpc_server/dcesrv_ntlmssp.c | 9 ++------- source3/smbd/seal.c | 2 ++ source3/smbd/sesssetup.c | 4 +++- source3/smbd/smb2_sesssetup.c | 2 ++ source3/utils/ntlm_auth.c | 4 ++++ 7 files changed, 15 insertions(+), 11 deletions(-) (limited to 'source3') diff --git a/source3/librpc/crypto/cli_spnego.c b/source3/librpc/crypto/cli_spnego.c index 3e40d15569..3222d0b7ef 100644 --- a/source3/librpc/crypto/cli_spnego.c +++ b/source3/librpc/crypto/cli_spnego.c @@ -21,6 +21,7 @@ #include "../libcli/auth/spnego.h" #include "include/ntlmssp_wrap.h" #include "librpc/gen_ndr/ntlmssp.h" +#include "libcli/auth/ntlmssp.h" #include "librpc/crypto/gse.h" #include "librpc/crypto/spnego.h" diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index 87362c2840..9436ca1c3f 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c @@ -333,9 +333,7 @@ NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx, NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2 | - NTLMSSP_NEGOTIATE_KEY_EXCH | - NTLMSSP_NEGOTIATE_SIGN | - NTLMSSP_NEGOTIATE_SEAL; + NTLMSSP_NEGOTIATE_KEY_EXCH; ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name); if (!ntlmssp_state->server.netbios_name) { diff --git a/source3/rpc_server/dcesrv_ntlmssp.c b/source3/rpc_server/dcesrv_ntlmssp.c index 87c8e0bece..fd5b820143 100644 --- a/source3/rpc_server/dcesrv_ntlmssp.c +++ b/source3/rpc_server/dcesrv_ntlmssp.c 
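Review bot: In source3/libsmb/ntlmssp.c, the new default `neg_flags` in ntlmssp_server_start no longer carries NTLMSSP_NEGOTIATE_SIGN or NTLMSSP_NEGOTIATE_SEAL, and nothing at the assignment tells a future caller that it must now ask for them. A server-side caller that is not converted would negotiate without signing or sealing and raise no error, so the contract deserves a comment above the assignment, for example `/* SIGN and SEAL are not offered by default; callers must request them before the first update */`. This diff converts dcesrv_ntlmssp.c, seal.c, sesssetup.c, smb2_sesssetup.c and ntlm_auth.c; whether those are all the callers cannot be confirmed from here. The body of ntlmssp_server_start continues outside the hunk.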
@@ -43,17 +43,12 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx, return status; } - /* Clear flags, then set them according to requested flags */ - auth_ntlmssp_and_flags(a, ~(NTLMSSP_NEGOTIATE_SIGN | - NTLMSSP_NEGOTIATE_SEAL)); - if (do_sign) { - auth_ntlmssp_or_flags(a, NTLMSSP_NEGOTIATE_SIGN); + auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SIGN); } if (do_seal) { /* Always implies both sign and seal for ntlmssp */ - auth_ntlmssp_or_flags(a, NTLMSSP_NEGOTIATE_SIGN | - NTLMSSP_NEGOTIATE_SEAL); + auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SEAL); } status = auth_ntlmssp_update(a, mem_ctx, *token_in, token_out); diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c index 5481e52fe0..12672681fe 100644 --- a/source3/smbd/seal.c +++ b/source3/smbd/seal.c @@ -92,6 +92,8 @@ static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address, return nt_status_squash(status); } + auth_ntlmssp_want_feature(ec->auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL); + /* * We must remember to update the pointer copy for the common * functions after any auth_ntlmssp_start/auth_ntlmssp_end. diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index b1fed41e8e..1eb4708994 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -633,8 +633,10 @@ static void reply_spnego_negotiate(struct smb_request *req, return; } + auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); + status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(), - secblob, &chal); + secblob, &chal); data_blob_free(&secblob); diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 320a707758..40f98ce45f 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c 
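Review bot: In source3/rpc_server/dcesrv_ntlmssp.c, the `do_seal` branch of ntlmssp_server_auth_start keeps the comment "Always implies both sign and seal for ntlmssp" but now requests only NTLMSSP_FEATURE_SEAL, where the removed code set NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL explicitly. Whether auth_ntlmssp_want_feature turns a SEAL request into SIGN as well is not visible in this diff; if it does not, a connection with do_seal set and do_sign clear would negotiate sealing without signing. Either make the request explicit by adding `auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SIGN);` ahead of the SEAL call in that branch, or reword the comment to state that the helper supplies SIGN. The seal.c hunk also requests only NTLMSSP_FEATURE_SEAL and depends on the same behaviour; the function here starts and ends outside the hunk.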
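Review bot: In source3/smbd/sesssetup.c, the added `auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);` in reply_spnego_negotiate has no comment saying why the session setup path needs it now; something like `/* the server default no longer offers SIGN/SEAL, so ask for a session key here */` would record the dependency on the ntlmssp_server_start change. Only this one call site is converted in the file, so any other place in sesssetup.c that starts an NTLMSSP server context (none is visible in the hunk) should be checked for the same request. The same comment applies to the identical call added in smbd_smb2_spnego_negotiate in smb2_sesssetup.c. The re-indentation of `secblob, &chal);` is unrelated whitespace churn and would be better left out of this commit.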
@@ -392,6 +392,8 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, goto out; } + auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); + status = auth_ntlmssp_update(session->auth_ntlmssp_state, talloc_tos(), secblob_in, diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 3a99a8c1bf..9cd47d0611 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -737,6 +737,10 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_st return status; } + (*ntlmssp_state)->neg_flags |= + (NTLMSSP_NEGOTIATE_SIGN | + NTLMSSP_NEGOTIATE_SEAL); + /* Have we been given a local password, or should we ask winbind? */ if (opt_password) { (*ntlmssp_state)->check_password = local_pw_check; -- cgit
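Review bot: In source3/utils/ntlm_auth.c, ntlm_auth_start_ntlmssp_server ORs NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL straight into `(*ntlmssp_state)->neg_flags`, which bypasses the feature-request abstraction the rest of the commit moves callers to. If the intent is only to keep the previous defaults for this helper, say so in a comment such as `/* keep the pre-change server defaults for ntlm_auth */`, and prefer the feature call, `ntlmssp_want_feature(*ntlmssp_state, NTLMSSP_FEATURE_SIGN | NTLMSSP_FEATURE_SEAL);`, provided it sets the same two flags. The function body continues outside the hunk.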