svn commit: samba r15130 - in trunk/source: include libsmb rpc_client rpc_server

jra at samba.org jra at samba.org
Tue Apr 18 18:01:04 GMT 2006


Author: jra
Date: 2006-04-18 18:01:00 +0000 (Tue, 18 Apr 2006)
New Revision: 15130

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15130

Log:
Separate out mechanism and policy for NTLMSSP auth/sign/seal.
With this change (and setting lanman auth = no in smb.conf)
we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth.
Jeremy

Modified:
   trunk/source/include/ntlmssp.h
   trunk/source/libsmb/ntlmssp.c
   trunk/source/rpc_client/cli_pipe.c
   trunk/source/rpc_server/srv_pipe.c


Changeset:
Modified: trunk/source/include/ntlmssp.h
===================================================================
--- trunk/source/include/ntlmssp.h	2006-04-18 18:00:57 UTC (rev 15129)
+++ trunk/source/include/ntlmssp.h	2006-04-18 18:01:00 UTC (rev 15130)
@@ -60,6 +60,7 @@
 #define NTLMSSP_CHAL_NON_NT_SESSION_KEY    0x00040000
 #define NTLMSSP_NEGOTIATE_NTLM2            0x00080000
 #define NTLMSSP_CHAL_TARGET_INFO           0x00800000
+#define NTLMSSP_UNKNOWN_02000000	   0x02000000
 #define NTLMSSP_NEGOTIATE_128              0x20000000 /* 128-bit encryption */
 #define NTLMSSP_NEGOTIATE_KEY_EXCH         0x40000000
 #define NTLMSSP_NEGOTIATE_56               0x80000000
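Review bot: The new `NTLMSSP_UNKNOWN_02000000` define has no comment, although it is advertised by default and masked during negotiation elsewhere in this commit. Microsoft's later MS-NLMP documentation names bit 0x02000000 NTLMSSP_NEGOTIATE_VERSION, meaning a Version field is present in the message. A comment such as `/* 0x02000000: MS-NLMP NEGOTIATE_VERSION; set by W2K3 in SPNEGO auth */` would let a later reader audit whether setting it without sending a version structure is safe.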

Modified: trunk/source/libsmb/ntlmssp.c
===================================================================
--- trunk/source/libsmb/ntlmssp.c	2006-04-18 18:00:57 UTC (rev 15129)
+++ trunk/source/libsmb/ntlmssp.c	2006-04-18 18:01:00 UTC (rev 15130)
@@ -363,9 +363,6 @@
 
 	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
-		if (neg_flags & NTLMSSP_NEGOTIATE_56) {
-			ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
-		}
 	}
 
 	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
@@ -376,10 +373,23 @@
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
 	}
 
+	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+	}
+
+	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+	}
+
+	/* Woop Woop - unknown flag for Windows compatibility...
+	   What does this really do ? JRA. */
+	if (!(neg_flags & NTLMSSP_UNKNOWN_02000000)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_UNKNOWN_02000000;
+	}
+
 	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
 	}
-	
 }
 
 /**
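Review bot: Clearing `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL` whenever the peer omits them makes this function accept a downgrade silently, so every caller that needs signing or sealing must now inspect `neg_flags` itself after authentication. This commit adds such checks only for RPC pipes; other users of this state machine are not visible here and may still assume the flags they requested are in force. A comment above the new blocks, e.g. `/* Mechanism only: callers that require sign/seal MUST verify neg_flags after auth completes. */`, would make that contract explicit. The function body starts outside the hunk.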
@@ -840,6 +850,8 @@
 
 	(*ntlmssp_state)->neg_flags = 
 		NTLMSSP_NEGOTIATE_128 |
+		NTLMSSP_NEGOTIATE_56 |
+		NTLMSSP_UNKNOWN_02000000 |
 		NTLMSSP_NEGOTIATE_NTLM |
 		NTLMSSP_NEGOTIATE_NTLM2 |
 		NTLMSSP_NEGOTIATE_KEY_EXCH |
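Review bot: Adding `NTLMSSP_NEGOTIATE_56` to the default flag set means the 56-bit option stays negotiated whenever the peer's flags carry it but not `NTLMSSP_NEGOTIATE_128`, and nothing in this hunk enforces a minimum key strength. The peer's flags are taken from a message received before authentication completes, so the weaker option is selected by input that cannot yet be trusted. If this is deliberate for W2K3 parity, a comment saying so, plus a note that callers wanting strong sealing should check for `NTLMSSP_NEGOTIATE_128` in the final `neg_flags`, would help. The assignment continues past the end of the hunk.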

Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c	2006-04-18 18:00:57 UTC (rev 15129)
+++ trunk/source/rpc_client/cli_pipe.c	2006-04-18 18:01:00 UTC (rev 15130)
@@ -2141,6 +2141,24 @@
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
+	/* For NTLMSSP ensure the server gave us the auth_level we wanted. */
+	if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+		if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+			if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+				DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
+				prs_mem_free(&rbuf);
+				return NT_STATUS_INVALID_PARAMETER;
+			}
+		}
+		if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+			if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+				DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
+				prs_mem_free(&rbuf);
+				return NT_STATUS_INVALID_PARAMETER;
+			}
+		}
+	}
+
 	/* Pipe is bound - set up auth_type and auth_level data. */
 
 	cli->auth.auth_type = auth_type;
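Review bot: The sealing check tests `auth_level == PIPE_AUTH_LEVEL_INTEGRITY` a second time, where the matching server-side check in srv_pipe.c uses `PIPE_AUTH_LEVEL_PRIVACY`. As written, a client that asked for privacy never verifies `NTLMSSP_NEGOTIATE_SEAL` (or SIGN) and will complete the bind with a server that declined sealing, while a client that asked only for integrity is rejected unless sealing was also negotiated. The second condition should read `if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {`. The two debug strings also spell the protocol "NTLMSSSP", which makes them harder to grep for in logs. The enclosing function starts and ends outside the hunk.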

Modified: trunk/source/rpc_server/srv_pipe.c
===================================================================
--- trunk/source/rpc_server/srv_pipe.c	2006-04-18 18:00:57 UTC (rev 15129)
+++ trunk/source/rpc_server/srv_pipe.c	2006-04-18 18:01:00 UTC (rev 15130)
@@ -606,7 +606,7 @@
 	NTSTATUS status;
 	AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
 
-	DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n"));
+	DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
 
 	ZERO_STRUCT(reply);
 
@@ -629,6 +629,27 @@
 		return False;
 	}
 
+	/* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
+	   ensure the underlying NTLMSSP flags are also set. If not we should
+	   refuse the bind. */
+
+	if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+		if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+			DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
+				"but client declined signing.\n",
+					p->name ));
+			return False;
+		}
+	}
+	if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
+		if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+			DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
+				"but client declined sealing.\n",
+					p->name ));
+			return False;
+		}
+	}
+	
 	fstrcpy(p->user_name, a->ntlmssp_state->user);
 	fstrcpy(p->pipe_user_name, a->server_info->unix_name);
 	fstrcpy(p->domain, a->ntlmssp_state->domain);
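Review bot: The `PIPE_AUTH_LEVEL_PRIVACY` branch verifies only `NTLMSSP_NEGOTIATE_SEAL`, so a privacy-level bind is accepted even when `NTLMSSP_NEGOTIATE_SIGN` was dropped during negotiation. If the sealing code path in this tree relies on the sign flag for the per-packet checksum (not visible here), the condition should require both, e.g. `if ((a->ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) != (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL))`. Both refusals are also logged at `DEBUG(0,...)` although the remote client controls the condition, so a lower log level or rate limit is worth considering. The function begins outside the hunk.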


