author | Stefan Metzmacher <metze@samba.org> | 2014-01-03 08:39:12 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-01-07 00:27:11 +0100 |
commit | 661fe3cf890b91f8750872b0f5a09da536f76ae2 (patch) | |
tree | ddc4cea35499e6f8718800e3912cd54893fb66e5 /source4/rpc_server | |
parent | 7db1dc13b0149441a2beebca65b75f6e11af13a3 (diff) | |
s4:rpc_server: support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
If the gensec backend supports it there's no reason to disable it.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/dcerpc_server.c | 6 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 37 |
2 files changed, 32 insertions, 11 deletions
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 10e711b37d3..5ce73397bea 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
 }
- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
 /* handle any authentication that is being requested */
 if (!dcesrv_auth_bind(call)) {
 talloc_free(call->context);
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c891cc62b7a..152715bd517 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 return false;
 }
- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
- }
-
 return true;
 }
@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 {
 struct dcesrv_connection *dce_conn = call->conn;
 NTSTATUS status;
+ bool want_header_signing = false;
 if (!call->conn->auth_state.gensec_security) {
 return NT_STATUS_OK;
 }
+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
+ want_header_signing = true;
+ }
+
+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
+ want_header_signing = false;
+ }
+
 status = gensec_update(dce_conn->auth_state.gensec_security, call, call->event_ctx, dce_conn->auth_state.auth_info->credentials,
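Review bot: The `lpcfg_parm_bool(..., "dcesrv","header signing", true)` call in the -107,11 +103,20 hunk flips the default of a parametric option from off to on with no comment at the call site, and it is evaluated even when the client never set the flag. I would fold the two tests into `want_header_signing = (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) && lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv", "header signing", true);` and put `/* "dcesrv:header signing" defaults to yes; set it to no to keep header signing off */` above it. The request is read from the bind PDU's pfc_flags before authentication has finished, so a bind that arrives without the flag silently ends up without header signing; a DEBUG line for the not-negotiated case would make that visible to operators. The body of dcesrv_auth_bind_ack continues outside this hunk.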
@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 return status;
 }
- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER))
+ {
+ want_header_signing = false;
+ }
+
+ if (want_header_signing) {
 gensec_want_feature(dce_conn->auth_state.gensec_security,
 GENSEC_FEATURE_SIGN_PKT_HEADER);
+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
 }
 /* Now that we are authenticated, go back to the generic session key... */
@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 dce_conn->auth_state.auth_info->auth_reserved = 0;
+
+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER))
+ {
+ want_header_signing = false;
+ }
+
+ if (want_header_signing) {
+ gensec_want_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER);
+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
 return NT_STATUS_OK;
 } else {
 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n", |
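Review bot: The have-feature / want-feature / set-flags sequence that the -126,9 +131,17 hunk builds in what appears to be the success branch is repeated line for line in the NT_STATUS_MORE_PROCESSING_REQUIRED branch of the next hunk (-137,6 +150,20). A later fix applied to one copy can miss the other and leave the two paths negotiating header signing differently. Moving the sequence into one static helper called from both branches keeps the decision in a single place; the helper name below is only a suggestion. Both branches sit inside dcesrv_auth_bind_ack, whose body starts and ends outside this hunk.

```c
/* proposed helper: turn on header signing only when the client asked
 * for it and the gensec backend reports support */
static void dcesrv_auth_negotiate_header_signing(struct dcesrv_call_state *call,
						 struct ncacn_packet *pkt,
						 bool want_header_signing)
{
	struct gensec_security *gensec = call->conn->auth_state.gensec_security;

	if (!want_header_signing ||
	    !gensec_have_feature(gensec, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
		return;
	}

	gensec_want_feature(gensec, GENSEC_FEATURE_SIGN_PKT_HEADER);
	call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
	pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}

/* ... unchanged: gensec_update() call and its error return ... */
	dcesrv_auth_negotiate_header_signing(call, pkt, want_header_signing);
```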
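Review bot: In the NT_STATUS_MORE_PROCESSING_REQUIRED branch of the -137,6 +150,20 hunk, the connection is marked DCESRV_CALL_STATE_FLAG_HEADER_SIGNING and the bind_ack advertises DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN while the gensec exchange is still incomplete. Whether gensec_have_feature() can already give a final answer for every mechanism at that point is not visible from this hunk, and nothing shown here re-checks it once the last leg completes (that code is outside the hunk). I would record the assumption above the added block with `/* decided before auth completes: relies on the backend reporting GENSEC_FEATURE_SIGN_PKT_HEADER mid-exchange */` and confirm that the path finishing the exchange does not need to revisit the flag.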