sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-07 20:23:50 +03:00
Code Activity

r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal.

Browse Source 
With this change (and setting lanman auth = no in smb.conf)
we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth.
Jeremy
This commit is contained in:
Jeremy Allison
2006-04-18 18:00:57 +00:00
committed by Gerald (Jerry) Carter
parent 22b6875897
commit 93ca3eee55
4 changed files with 57 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
source/include/ntlmssp.h
View File

@@ -60,6 +60,7 @@ enum NTLM_MESSAGE_TYPE
#define NTLMSSP_CHAL_NON_NT_SESSION_KEY 0x00040000 #define NTLMSSP_CHAL_NON_NT_SESSION_KEY 0x00040000
#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 #define NTLMSSP_NEGOTIATE_NTLM2 0x00080000
#define NTLMSSP_CHAL_TARGET_INFO 0x00800000 #define NTLMSSP_CHAL_TARGET_INFO 0x00800000
#define NTLMSSP_UNKNOWN_02000000 0x02000000
#define NTLMSSP_NEGOTIATE_128 0x20000000 /* 128-bit encryption */ #define NTLMSSP_NEGOTIATE_128 0x20000000 /* 128-bit encryption */
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000 #define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000
#define NTLMSSP_NEGOTIATE_56 0x80000000 #define NTLMSSP_NEGOTIATE_56 0x80000000

20
source/libsmb/ntlmssp.c
View File

@@ -363,9 +363,6 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) { if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128; ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
if (neg_flags & NTLMSSP_NEGOTIATE_56) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
}
} }
if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) { if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
@@ -376,10 +373,23 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH; ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
} }
if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
}
if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
}
/* Woop Woop - unknown flag for Windows compatibility...
What does this really do ? JRA. */
if (!(neg_flags & NTLMSSP_UNKNOWN_02000000)) {
ntlmssp_state->neg_flags &= ~NTLMSSP_UNKNOWN_02000000;
}
if ((neg_flags & NTLMSSP_REQUEST_TARGET)) { if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET; ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
} }
} }
/** /**
@@ -840,6 +850,8 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
(*ntlmssp_state)->neg_flags = (*ntlmssp_state)->neg_flags =
NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_56 |
NTLMSSP_UNKNOWN_02000000 |
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_NEGOTIATE_NTLM2 | NTLMSSP_NEGOTIATE_NTLM2 |
NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_KEY_EXCH |

18
source/rpc_client/cli_pipe.c
View File

@@ -2141,6 +2141,24 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
return NT_STATUS_INVALID_INFO_CLASS; return NT_STATUS_INVALID_INFO_CLASS;
} }
/* For NTLMSSP ensure the server gave us the auth_level we wanted. */
if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
prs_mem_free(&rbuf);
return NT_STATUS_INVALID_PARAMETER;
}
}
if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
prs_mem_free(&rbuf);
return NT_STATUS_INVALID_PARAMETER;
}
}
}
/* Pipe is bound - set up auth_type and auth_level data. */ /* Pipe is bound - set up auth_type and auth_level data. */
cli->auth.auth_type = auth_type; cli->auth.auth_type = auth_type;

23
source/rpc_server/srv_pipe.c
View File

@@ -606,7 +606,7 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
NTSTATUS status; NTSTATUS status;
AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state; AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n")); DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
ZERO_STRUCT(reply); ZERO_STRUCT(reply);
@@ -629,6 +629,27 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
return False; return False;
} }
/* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
ensure the underlying NTLMSSP flags are also set. If not we should
refuse the bind. */
if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
"but client declined signing.\n",
p->name ));
return False;
}
}
if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
"but client declined sealing.\n",
p->name ));
return False;
}
}
fstrcpy(p->user_name, a->ntlmssp_state->user); fstrcpy(p->user_name, a->ntlmssp_state->user);
fstrcpy(p->pipe_user_name, a->server_info->unix_name); fstrcpy(p->pipe_user_name, a->server_info->unix_name);
fstrcpy(p->domain, a->ntlmssp_state->domain); fstrcpy(p->domain, a->ntlmssp_state->domain);