From fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 25 Aug 2004 02:25:20 +0000
Subject: r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.

The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection.

Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
---
 source4/libcli/auth/gensec.c | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
(limited to 'source4/libcli/auth/gensec.c')

diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c
index 24c2c18877..8188701558 100644
--- a/source4/libcli/auth/gensec.c
+++ b/source4/libcli/auth/gensec.c
@@ -145,6 +145,7 @@ static NTSTATUS gensec_start(struct gensec_security **gensec_security)
 	(*gensec_security)->default_user.realm = talloc_strdup(mem_ctx, lp_realm());
 	(*gensec_security)->subcontext = False;
+	(*gensec_security)->want_features = 0;
 	return NT_STATUS_OK;
 }
@@ -232,13 +233,20 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
  */
 NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
-				       uint8_t authtype) 
+				       uint8_t auth_type, uint8_t auth_level) 
 {
-	gensec_security->ops = gensec_security_by_authtype(authtype);
+	gensec_security->ops = gensec_security_by_authtype(auth_type);
 	if (!gensec_security->ops) {
-		DEBUG(3, ("Could not find GENSEC backend for authtype=%d\n", (int)authtype));
+		DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+		gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+	}
+	if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+		gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+		gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
+	}
 	return gensec_start_mech(gensec_security);
 }
@@ -308,6 +316,10 @@ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, 
 	if (!gensec_security->ops->check_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, sig);
 }
@@ -319,6 +331,10 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, 
 	if (!gensec_security->ops->seal_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, sig);
 }
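Review bot: The auth_level mapping in gensec_start_mech_by_authtype recognises only DCERPC_AUTH_LEVEL_INTEGRITY and DCERPC_AUTH_LEVEL_PRIVACY; any other value, including an out-of-range one, silently starts the mechanism with nothing wanted, and the caller only finds out later when gensec_sign_packet() or gensec_seal_packet() returns NT_STATUS_INVALID_PARAMETER. If this tree's auth-level enum also carries the per-PDU DCERPC_AUTH_LEVEL_PACKET level from the DCE/RPC spec, it needs signing too and falls into the same silent gap. A switch with explicit cases and a default that at least logs the unexpected level makes the contract visible and lets PRIVACY fall through to the SIGN case instead of repeating it. The doc comment for this function begins above the hunk and should gain a parameter line for auth_level describing which levels imply GENSEC_WANT_SIGN and GENSEC_WANT_SEAL.
```c
	/* … unchanged: ops lookup and its error path … */
	switch (auth_level) {
	case DCERPC_AUTH_LEVEL_PRIVACY:
		gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
		/* fall through: privacy implies integrity */
	case DCERPC_AUTH_LEVEL_INTEGRITY:
		gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
		break;
	default:
		DEBUG(3, ("gensec_start_mech_by_authtype: no features wanted for auth_level=%d\n",
			  (int)auth_level));
		break;
	}
	return gensec_start_mech(gensec_security);
```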
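Review bot: The new gate in gensec_seal_packet tests want_features, which records what this side asked for before gensec_start_mech(), not what the peer actually negotiated; the commit message describes the failure as the server being strict about the negotiated NTLMSSP flags, and this check cannot see a peer that dropped the seal flag from its reply. It remains a useful caller-contract check, but the comment should say exactly that so nobody reads it as proof that sealing is in effect, and the stronger guarantee needs a query of the mechanism's negotiated state. Suggested comment above the check: `/* The caller must have asked for sealing before the mechanism started; the backend must still refuse if the peer did not negotiate it. */`. The same wording applies to the identical gates in gensec_check_packet above and in gensec_sign_packet.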
@@ -330,6 +346,10 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, 
 	if (!gensec_security->ops->sign_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, sig);
 }
@@ -339,6 +359,10 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, 
 	if (!gensec_security->ops->session_key) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!(gensec_security->want_features & GENSEC_WANT_SESSION_KEY)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	return gensec_security->ops->session_key(gensec_security, session_key);
 }
@@ -392,6 +416,17 @@ void gensec_end(struct gensec_security **gensec_security)
 	gensec_security = NULL;
 }
+/**
+ * Set the requirement for a certain feature on the connection
+ *
+ */
+
+void gensec_want_feature(struct gensec_security *gensec_security,
+			 uint32 feature)
+{
+	gensec_security->want_features |= feature;
+}
+
 /**
  * Set a username on a GENSEC context - ensures it is talloc()ed
  *
-- cgit
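Review bot: gensec_session_key now returns NT_STATUS_INVALID_PARAMETER unless GENSEC_WANT_SESSION_KEY is in want_features, but nothing in this patch sets that bit: gensec_start_mech_by_authtype requests only GENSEC_WANT_SIGN and GENSEC_WANT_SEAL, so any caller that fetches the session key after an authtype-based start will presumably be refused unless it is updated to call gensec_want_feature(gensec_security, GENSEC_WANT_SESSION_KEY) first. If that is intended, those callers need to change in the same commit and the gate deserves a comment saying the key is withheld unless requested up front; if not, the integrity and privacy branches should also want it, e.g. `gensec_want_feature(gensec_security, GENSEC_WANT_SESSION_KEY);` next to GENSEC_WANT_SIGN. Returning NT_STATUS_INVALID_PARAMETER for "not requested" is also indistinguishable from a bad argument, which will make the resulting failures hard to diagnose.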
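Review bot: gensec_want_feature only ORs the bit into want_features and nothing prevents it being called after gensec_start_mech(); a bit added that late presumably cannot influence the mechanism's negotiation, which per the commit message is why the field exists, yet it still unlocks the gates in gensec_sign_packet and gensec_seal_packet. The doc comment should state the ordering requirement, e.g. `Must be called before gensec_start_mech(); features wanted later are not negotiated with the peer.`, and `uint32 feature` should be `uint32_t` to match the `uint8_t` parameters elsewhere in this file. The empty ` *` line and the blank line between the comment block and the definition also separate the doc from what it documents; dropping them keeps the comment attached to the function.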