author | Stefan Metzmacher <metze@samba.org> | 2014-01-03 08:35:27 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-01-07 00:27:11 +0100 |
commit | 7db1dc13b0149441a2beebca65b75f6e11af13a3 (patch) | |
tree | 4f9a7e5ef5fa83a1689976a5a656ef1736c31fcc /source4/librpc | |
parent | e8eb47f6ee2b2dc128140e068ade0d22edc98518 (diff) | |
s4:librpc: always try to negotiate DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
If the gensec backend supports it, there's no reason not to sign the header.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/librpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 12 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 14 |
2 files changed, 12 insertions, 14 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 56b821ecce0..2f6c8dd122e 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 }
 
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
 pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
 }
 
@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
 conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
 }
 
- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
 (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
 conn->flags |= DCERPC_HEADER_SIGNING;
 }
@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 }
 
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
 /* construct the NDR form of the packet */
 status = ncacn_push_auth(&blob, mem_ctx,
 &pkt,
@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 }
 
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
 pkt.u.alter.max_xmit_frag = 5840;
 pkt.u.alter.max_recv_frag = 5840;
 pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index d5e56206b04..9a5d04dfb95 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
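Review bot: In dcerpc_bind_recv_handler (hunk at -1304) DCERPC_HEADER_SIGNING is set only when the bind_ack echoes DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN, and with the `p->binding->flags` test gone these hunks show no way for a caller to insist on header signing. As far as the visible code shows, the flag is exchanged in the bind/bind_ack header before the security context is complete, so a peer or intermediary that clears the bit leaves the connection without signed headers and nothing records that. I would document this at the test, `/* opportunistic: if the peer does not echo SUPPORT_HEADER_SIGN we continue without header signing */`, and consider failing the bind when the caller's binding explicitly requested header signing. The handler's body starts and ends outside the hunk, so a later check may exist that is not visible here.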
@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
 
 if (!composite_is_ok(c)) return;
 
- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
- }
-
 if (state->credentials.length == 0) {
 composite_done(c);
 return;
@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
 TALLOC_FREE(subreq);
 if (!composite_is_ok(c)) return;
 
+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+ struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+ }
+
 if (!state->more_processing) {
 /* The first gensec_update has not requested a second run, so
 * we're done here. */
@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 
 sec->auth_info->credentials = state->credentials;
 
+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
+ }
+
 /* The first request always is a dcerpc_bind. The subsequent ones
 * depend on gensec results */
 subreq = dcerpc_bind_send(state, p->conn->event_ctx, p, |
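Review bot: The `gensec_want_feature()` call added in bind_auth_recv_bindreply (hunk at -234) runs only after the bind reply has arrived, that is after the first gensec_update() (the one the comment just below refers to), and on the `!state->more_processing` path no further update follows. Whether every gensec backend still honours GENSEC_FEATURE_SIGN_PKT_HEADER when it is requested that late is not visible in this diff. A comment stating the assumption would help the next reader, for example `/* requested after the first gensec_update(): assumes backends consult this feature only when signing/sealing - confirm */`. The function continues outside the hunk.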
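Review bot: DCERPC_PROPOSE_HEADER_SIGNING is only ever OR-ed into `conn->flags` in dcerpc_bind_auth_send (hunk at -395), so when `gensec_have_feature()` returns false a bit left by an earlier authenticated bind on the same connection stays set and dcerpc_bind_send would still advertise SUPPORT_HEADER_SIGN. If a connection can see more than one bind_auth (not visible in this hunk), clear the bit in the other branch: `} else { state->pipe->conn->flags &= ~DCERPC_PROPOSE_HEADER_SIGNING; }`. The next statement uses `p->conn`, so `p->conn->flags` would also read more consistently than `state->pipe->conn->flags`, assuming `state->pipe` is `p`.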