diff options
author | Simo Sorce <simo@redhat.com> | 2014-08-04 16:33:17 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2014-08-07 12:44:46 -0400 |
commit | e212afb93ad332ae773a387ff66052b2ebdaa6d8 (patch) | |
tree | 95e39e9080ea81f8ee4fc4874866702965f090df | |
parent | ea3853bc1146299617e334592c0bbd25ad33376c (diff) | |
download | gss-ntlmssp-e212afb93ad332ae773a387ff66052b2ebdaa6d8.tar.gz gss-ntlmssp-e212afb93ad332ae773a387ff66052b2ebdaa6d8.tar.xz gss-ntlmssp-e212afb93ad332ae773a387ff66052b2ebdaa6d8.zip |
Move sec_req flags in the context handler
-rw-r--r-- | src/gss_ntlmssp.h | 2 | ||||
-rw-r--r-- | src/gss_sec_ctx.c | 38 | ||||
-rw-r--r-- | src/gss_serialize.c | 12 |
3 files changed, 22 insertions, 30 deletions
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h index 7d45d41..08401b0 100644 --- a/src/gss_ntlmssp.h +++ b/src/gss_ntlmssp.h @@ -127,6 +127,8 @@ struct gssntlm_ctx { NTLMSSP_STAGE_DONE } stage; + uint8_t sec_req; + char *workstation; struct ntlm_ctx *ntlm; diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c index 265d24e..3fe0b36 100644 --- a/src/gss_sec_ctx.c +++ b/src/gss_sec_ctx.c @@ -67,7 +67,6 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, uint32_t tmpmin; uint32_t retmin = 0; uint32_t retmaj = 0; - uint8_t sec_req; bool key_exch; bool add_mic = false; bool protect; @@ -223,16 +222,16 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, ctx->neg_flags |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED; lm_compat_lvl = gssntlm_get_lm_compatibility_level(); - sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); - if (sec_req == 0xff) { + ctx->sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); + if (ctx->sec_req == 0xff) { retmaj = GSS_S_FAILURE; goto done; } - if (!(sec_req & SEC_LM_OK)) { + if (!(ctx->sec_req & SEC_LM_OK)) { ctx->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; ctx->neg_flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY; } - if (!(sec_req & SEC_EXT_SEC_OK)) { + if (!(ctx->sec_req & SEC_EXT_SEC_OK)) { ctx->neg_flags &= ~NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY; } @@ -334,15 +333,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, goto done; } - lm_compat_lvl = gssntlm_get_lm_compatibility_level(); - sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); - if (sec_req == 0xff) { - retmaj = GSS_S_FAILURE; - goto done; - } - /* mask unacceptable flags */ - if (!(sec_req & SEC_LM_OK)) { + if (!(ctx->sec_req & SEC_LM_OK)) { in_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; } if (!(ctx->neg_flags & NTLMSSP_NEGOTIATE_56)) { @@ -415,7 +407,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, lm_chal_resp.data[0] = 0; lm_chal_resp.length = 1; - } else if (sec_req & SEC_V2_ONLY) { + } else if (ctx->sec_req & SEC_V2_ONLY) { /* ### NTLMv2 ### */ uint8_t client_chal[8]; @@ -816,7 +808,6 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, uint32_t av_flags = 0; struct ntlm_buffer unhashed_cb = { 0 }; struct ntlm_buffer av_cb = { 0 }; - uint8_t sec_req; if (context_handle == NULL) return GSS_S_CALL_INACCESSIBLE_READ; if (output_token == GSS_C_NO_BUFFER) { @@ -863,8 +854,8 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, ctx->role = GSSNTLM_SERVER; lm_compat_lvl = gssntlm_get_lm_compatibility_level(); - sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); - if (sec_req == 0xff) { + ctx->sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); + if (ctx->sec_req == 0xff) { retmaj = GSS_S_FAILURE; goto done; } @@ -872,11 +863,11 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, ctx->neg_flags = NTLMSSP_DEFAULT_ALLOWED_SERVER_FLAGS; /* Fixme: How do we allow anonymous negotition ? */ - if ((sec_req & SEC_LM_OK) || (sec_req & SEC_DC_LM_OK)) { + if ((ctx->sec_req & SEC_LM_OK) || (ctx->sec_req & SEC_DC_LM_OK)) { ctx->neg_flags |= NTLMSSP_REQUEST_NON_NT_SESSION_KEY; ctx->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (sec_req & SEC_EXT_SEC_OK) { + if (ctx->sec_req & SEC_EXT_SEC_OK) { ctx->neg_flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY; } @@ -1114,13 +1105,6 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, goto done; } - lm_compat_lvl = gssntlm_get_lm_compatibility_level(); - sec_req = gssntlm_required_security(lm_compat_lvl, ctx->role); - if (sec_req == 0xff) { - retmaj = GSS_S_FAILURE; - goto done; - } - if (((usr_name == NULL) || (usr_name[0] == '\0')) && (nt_chal_resp.length == 0) && (((lm_chal_resp.length == 1) && (lm_chal_resp.data[0] == '\0')) || @@ -1132,7 +1116,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, goto done; } - if (sec_req & SEC_V2_ONLY) { + if (ctx->sec_req & SEC_V2_ONLY) { /* ### NTLMv2 ### */ char useratdom[1024]; diff --git a/src/gss_serialize.c b/src/gss_serialize.c index fb26b94..aa5da3c 100644 --- a/src/gss_serialize.c +++ b/src/gss_serialize.c @@ -44,10 +44,12 @@ struct export_keys { uint32_t seq_num; }; +#define EXPORT_CTX_VER 0x0002 struct export_ctx { - uint16_t version; /* 0x00 0x01 */ + uint16_t version; uint8_t role; uint8_t stage; + uint8_t sec_req; struct relmem workstation; @@ -277,7 +279,7 @@ uint32_t gssntlm_export_sec_context(uint32_t *minor_status, state.exp_len = state.exp_data; state.exp_ptr = 0; - ectx->version = htole16(1); + ectx->version = htole16(EXPORT_CTX_VER); switch(ctx->role) { case GSSNTLM_CLIENT: @@ -312,6 +314,8 @@ uint32_t gssntlm_export_sec_context(uint32_t *minor_status, break; } + ectx->sec_req = ctx->sec_req; + if (!ctx->workstation) { ectx->workstation.ptr = 0; ectx->workstation.len = 0; @@ -595,7 +599,7 @@ uint32_t gssntlm_import_sec_context(uint32_t *minor_status, state.exp_data = (char *)ectx->data - (char *)ectx; state.exp_ptr = 0; - if (ectx->version != le16toh(1)) { + if (ectx->version != le16toh(EXPORT_CTX_VER)) { maj = GSS_S_DEFECTIVE_TOKEN; goto done; } @@ -639,6 +643,8 @@ uint32_t gssntlm_import_sec_context(uint32_t *minor_status, goto done; } + ctx->sec_req = ectx->sec_req; + dest = NULL; if (ectx->workstation.len > 0) { maj = import_data_buffer(minor_status, &state, &dest, NULL, |