From 7e36c7e6075814c0b4eb6e37ece6ed4fd4ed09e2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Aug 2005 06:14:14 +0000 Subject: r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplfies the code ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f) --- source4/auth/ntlmssp/ntlmssp.c | 49 +++++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 22 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp.c') diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 339c219f62..82d6dd0e8f 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -185,25 +185,6 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, return status; } - gensec_ntlmssp_state->have_features = 0; - - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SIGN; - } - - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SEAL; - } - - if (gensec_ntlmssp_state->session_key.data) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SESSION_KEY; - } - - /* only NTLMv2 can handle async replies */ - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_ASYNC_REPLIES; - } - return status; } @@ -317,10 +298,35 @@ static BOOL gensec_ntlmssp_have_feature(struct gensec_security *gensec_security, uint32_t feature) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - if (gensec_ntlmssp_state->have_features & feature) { + if (feature & GENSEC_FEATURE_SIGN) { + if (!gensec_ntlmssp_state->session_key.length) { + return False; + } + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { + return True; + } + } + if (feature & GENSEC_FEATURE_SEAL) { + if (!gensec_ntlmssp_state->session_key.length) { + return False; + } + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { + return True; + } + } + if (feature & GENSEC_FEATURE_SESSION_KEY) { + if (gensec_ntlmssp_state->session_key.length) { + return True; + } + } + if (feature & GENSEC_FEATURE_DCE_STYLE) { return True; } - + if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { + if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + return True; + } + } return False; } @@ -335,7 +341,6 @@ NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->auth_context = NULL; gensec_ntlmssp_state->server_info = NULL; - gensec_ntlmssp_state->have_features = 0; gensec_security->private_data = gensec_ntlmssp_state; return NT_STATUS_OK; -- cgit