From 661fe3cf890b91f8750872b0f5a09da536f76ae2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 3 Jan 2014 08:39:12 +0100 Subject: s4:rpc_server: support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default If the gensec backend supports it there's no reason to disable it. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- source4/rpc_server/dcerpc_server.c | 6 ------ source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++----- 2 files changed, 32 insertions(+), 11 deletions(-) (limited to 'source4/rpc_server')
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 10e711b37d3..5ce73397bea 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
 }
 
- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
 /* handle any authentication that is being requested */
 if (!dcesrv_auth_bind(call)) {
 talloc_free(call->context);
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c891cc62b7a..152715bd517 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 return false;
 }
 
- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
- }
-
 return true;
 }
 
@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 {
 struct dcesrv_connection *dce_conn = call->conn;
 NTSTATUS status;
+ bool want_header_signing = false;
 
 if (!call->conn->auth_state.gensec_security) {
 return NT_STATUS_OK;
 }
 
+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
+ want_header_signing = true;
+ }
+
+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
+ want_header_signing = false;
+ }
+
 status = gensec_update(dce_conn->auth_state.gensec_security,
 call, call->event_ctx,
 dce_conn->auth_state.auth_info->credentials,
@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 return status;
 }
 
- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER))
+ {
+ want_header_signing = false;
+ }
+
+ if (want_header_signing) {
 gensec_want_feature(dce_conn->auth_state.gensec_security,
 GENSEC_FEATURE_SIGN_PKT_HEADER);
+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
 }
 
 /* Now that we are authenticated, go back to the generic session key... */
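Review bot: The `lpcfg_parm_bool(..., "dcesrv","header signing", true)` lookup added in the @@ -107 hunk flips the default of an undocumented parametric option from off to on, and nothing next to it says that it is now purely an opt-out. Anyone auditing why the server acknowledges DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN has to reconstruct that from three separate `want_header_signing` assignments spread over the function. A comment above the lookup would settle it, for example `/* "dcesrv:header signing" defaults to on; it can only veto, the gensec backend check after gensec_update() makes the final decision */`. The function continues past the end of this hunk.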
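Review bot: The block that checks `gensec_have_feature()`, calls `gensec_want_feature()` and sets both `DCESRV_CALL_STATE_FLAG_HEADER_SIGNING` and `DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN` in the @@ -126 hunk is repeated almost line for line in the NT_STATUS_MORE_PROCESSING_REQUIRED branch of the @@ -137 hunk. Because these lines decide whether packet headers are integrity protected, two copies invite a later fix landing in only one branch. Moving them into one static helper called from both branches keeps the negotiation logic in a single place; the helper name below is only a suggestion. The surrounding function body starts and ends outside this hunk.

```c
/* Turn on header signing only if the client asked for it, the config
 * did not veto it, and the gensec backend can sign the packet header. */
static void dcesrv_auth_apply_header_signing(struct dcesrv_call_state *call,
					     struct ncacn_packet *pkt,
					     bool want_header_signing)
{
	struct gensec_security *gensec = call->conn->auth_state.gensec_security;

	if (!want_header_signing) {
		return;
	}
	if (!gensec_have_feature(gensec, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
		return;
	}

	gensec_want_feature(gensec, GENSEC_FEATURE_SIGN_PKT_HEADER);
	call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
	pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}

/* ... unchanged: gensec_update() call and error handling ... */
	dcesrv_auth_apply_header_signing(call, pkt, want_header_signing);
/* ... unchanged: session key handling, MORE_PROCESSING_REQUIRED setup ... */
	dcesrv_auth_apply_header_signing(call, pkt, want_header_signing);
```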
@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 dce_conn->auth_state.auth_info->auth_reserved = 0;
+
+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER))
+ {
+ want_header_signing = false;
+ }
+
+ if (want_header_signing) {
+ gensec_want_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER);
+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
 return NT_STATUS_OK;
 } else {
 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
-- cgit
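Review bot: In the NT_STATUS_MORE_PROCESSING_REQUIRED branch the connection is marked with `DCESRV_CALL_STATE_FLAG_HEADER_SIGNING` and the flag is acknowledged to the client while the authentication exchange is still unfinished. That relies on `gensec_have_feature()` giving a final answer mid-handshake, and the hunk does not show whether every backend can do so before its last leg. If the answer can change, client and server could disagree on whether headers are covered by the signature, so the assumption deserves a comment such as `/* assumes the backend's SIGN_PKT_HEADER answer is already final at this leg */` or a re-check once authentication completes. The enclosing function starts and ends outside this hunk.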