sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-26 01:49:31 +03:00
Code Activity

auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE

Browse Source 
We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.

This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f3dbe19e14)
This commit is contained in:
Stefan Metzmacher
2015-12-09 14:48:14 +01:00
parent 6d08a2ae7a
commit 294ef7306d
4 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
auth/ntlmssp/gensec_ntlmssp_server.c
View File

@ -152,6 +152,15 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;

2
auth/ntlmssp/ntlmssp.h
View File

@ -94,6 +94,8 @@ struct ntlmssp_state
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
bool force_wrap_seal;
union ntlmssp_crypt_state *crypt;
};

9
auth/ntlmssp/ntlmssp_client.c
View File

@ -639,6 +639,15 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;

16
auth/ntlmssp/ntlmssp_sign.c
View File

@ -558,6 +558,22 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
return NT_STATUS_NO_MEMORY;
}
if (ntlmssp_state->force_wrap_seal &&
(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
{
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*
* The negotiation of flags (and authentication)
* is completed when ntlmssp_sign_init() is called
* so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
* was negotiated.
*/
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
DATA_BLOB weak_session_key = ntlmssp_state->session_key;
const char *send_sign_const;