authorSimo Sorce <simo@redhat.com>2014-08-07 18:52:34 -0400
committerSimo Sorce <simo@redhat.com>2014-08-08 10:11:05 -0400
commit500b252270f2e99ccd9a0888556fe64567edd2d9 (patch)
treeb9eb215f09a734135460be2d8f7d3f99ce8a069d
parent1d17f438be02c564d932d3a1767fc8aa1fa2483e (diff)
Add helper to check for allowed ntlm versions
Also lower the default lm compat level to 3 for broader compatibility. This allows NTLMv1 with no LM auth.
-rw-r--r--src/gss_auth.c6
-rw-r--r--src/gss_ntlmssp.c37
-rw-r--r--src/gss_ntlmssp.h3
-rw-r--r--src/gss_sec_ctx.c10
4 files changed, 46 insertions, 10 deletions
diff --git a/src/gss_auth.c b/src/gss_auth.c
index e48b1dd..91a231d 100644
--- a/src/gss_auth.c
+++ b/src/gss_auth.c
@@ -338,7 +338,7 @@ uint32_t gssntlm_srv_auth(uint32_t *minor,
ntlm_v1 = is_ntlm_v1(nt_chal_resp);
- if (ntlm_v1 && !(ctx->sec_req & (SEC_DC_LM_OK | SEC_DC_NTLM_OK))) {
+ if (ntlm_v1 && !gssntlm_sec_lm_ok(ctx) && !gssntlm_sec_ntlm_ok(ctx)) {
*minor = EPERM;
return GSS_S_FAILURE;
}
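Review bot: The rewritten NTLMv1 gate at the top of the hunk can never fire for the GSSNTLM_DOMAIN_SERVER role, because both gssntlm_sec_lm_ok() and gssntlm_sec_ntlm_ok() answer true for that role and defer the decision to the DC; whether gssntlm_srv_auth() is reached in that role is not visible here, but the reliance on downstream enforcement deserves a comment at the call site, e.g. `/* for DOMAIN_SERVER both helpers return true: the v1 policy is enforced by the DC, not here */`. The same helper substitution appears in the two following hunks of this file. gssntlm_srv_auth() begins and ends outside the hunk.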
@@ -359,7 +359,7 @@ uint32_t gssntlm_srv_auth(uint32_t *minor,
&cred->cred.user.nt_hash,
ext_sec, ctx->server_chal,
client_chal);
- if (retmin && ctx->sec_req & SEC_DC_LM_OK) {
+ if (retmin && gssntlm_sec_lm_ok(ctx)) {
retmin = ntlm_verify_lm_response(lm_chal_resp,
&cred->cred.user.lm_hash,
ext_sec, ctx->server_chal,
@@ -387,7 +387,7 @@ uint32_t gssntlm_srv_auth(uint32_t *minor,
retmin = ntlmv2_verify_nt_response(nt_chal_resp,
&ntlmv2_key,
ctx->server_chal);
- if (retmin && ctx->sec_req & SEC_DC_LM_OK) {
+ if (retmin && gssntlm_sec_lm_ok(ctx)) {
/* LMv2 Response */
retmin = ntlmv2_verify_lm_response(lm_chal_resp,
&ntlmv2_key,
diff --git a/src/gss_ntlmssp.c b/src/gss_ntlmssp.c
index ba0f027..e4a6336 100644
--- a/src/gss_ntlmssp.c
+++ b/src/gss_ntlmssp.c
@@ -65,6 +65,39 @@ uint8_t gssntlm_required_security(int security_level,
return resp;
}
+bool gssntlm_sec_lm_ok(struct gssntlm_ctx *ctx)
+{
+ switch (ctx->role) {
+ case GSSNTLM_CLIENT:
+ case GSSNTLM_SERVER:
+ return (ctx->sec_req & SEC_LM_OK);
+ case GSSNTLM_DOMAIN_SERVER:
+ return true; /* defer decision to DC */
+ case GSSNTLM_DOMAIN_CONTROLLER:
+ return (ctx->sec_req & SEC_DC_LM_OK);
+ }
+ return false;
+}
+
+bool gssntlm_sec_ntlm_ok(struct gssntlm_ctx *ctx)
+{
+ switch (ctx->role) {
+ case GSSNTLM_CLIENT:
+ case GSSNTLM_SERVER:
+ return (ctx->sec_req & SEC_NTLM_OK);
+ case GSSNTLM_DOMAIN_SERVER:
+ return true; /* defer decision to DC */
+ case GSSNTLM_DOMAIN_CONTROLLER:
+ return (ctx->sec_req & SEC_DC_NTLM_OK);
+ }
+ return false;
+}
+
+bool gssntlm_ext_sec_ok(struct gssntlm_ctx *ctx)
+{
+ return (ctx->sec_req & SEC_EXT_SEC_OK);
+}
+
uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx, time_t *time_now)
{
time_t now;
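Review bot: The three new helpers only read `ctx`, so the parameter should be `const struct gssntlm_ctx *ctx` here and in the matching prototypes added to src/gss_ntlmssp.h. They also lack a header comment, and the one behaviour a caller must know is that gssntlm_sec_lm_ok() and gssntlm_sec_ntlm_ok() return true for GSSNTLM_DOMAIN_SERVER regardless of `sec_req`, so every `if (gssntlm_sec_lm_ok(ctx))` in the accept path enables LM on a domain member and relies on the DC to refuse it; a short comment above gssntlm_sec_lm_ok() stating that, and noting that the trailing `return false` is the fail-closed answer for a role value outside the enum, would make the contract explicit. gssntlm_ext_sec_ok() is not role-aware unlike its two siblings; if that asymmetry is intended, its comment should say so. Leaving the switch without a `default:` is the right call here, since `-Wswitch` will then report any role added to the enum later.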
@@ -90,6 +123,6 @@ int gssntlm_get_lm_compatibility_level(void)
return atoi(envvar);
}
- /* use the most secure setting by default */
- return SEC_LEVEL_MAX;
+ /* use 3 by default for better compatibility */
+ return 3;
}
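Review bot: The new default at the bottom of the hunk is a bare `3`, and nothing in the code records what that level permits or why SEC_LEVEL_MAX was abandoned; give it a name next to SEC_LEVEL_MAX (for instance `#define SEC_LEVEL_DEFAULT 3`, a constructed name) and return that, with a comment such as `/* default to 3: NTLMv1 accepted, LM refused; SEC_LEVEL_MAX broke too many peers */`. The environment override above it is still parsed with `atoi()` and returned unchecked, so a negative value or one above SEC_LEVEL_MAX presumably flows into gssntlm_required_security(); that line predates this commit, but a bounds check against SEC_LEVEL_MAX would be cheap to add while the default is being revisited. gssntlm_get_lm_compatibility_level() starts outside the hunk.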
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
index 8c594aa..b382e47 100644
--- a/src/gss_ntlmssp.h
+++ b/src/gss_ntlmssp.h
@@ -158,6 +158,9 @@ struct gssntlm_ctx {
uint8_t gssntlm_required_security(int security_level,
enum gssntlm_role role);
+bool gssntlm_sec_lm_ok(struct gssntlm_ctx *ctx);
+bool gssntlm_sec_ntlm_ok(struct gssntlm_ctx *ctx);
+bool gssntlm_ext_sec_ok(struct gssntlm_ctx *ctx);
uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx,
time_t *time_now);
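Review bot: The three new prototypes introduce `bool` into this header; unless `<stdbool.h>` is already included above the hunk (not visible here), translation units that include gss_ntlmssp.h without it will fail to compile, so the include belongs in the header itself. A one-line comment on each prototype noting that the answer depends on `ctx->role`, and that the DOMAIN_SERVER role always answers true for the LM and NTLM variants, would spare readers a trip to the definitions.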
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index fefbf6d..098d6eb 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -212,11 +212,11 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
retmaj = GSS_S_FAILURE;
goto done;
}
- if (!(ctx->sec_req & SEC_LM_OK)) {
+ if (!gssntlm_sec_lm_ok(ctx)) {
ctx->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
ctx->neg_flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
}
- if (!(ctx->sec_req & SEC_EXT_SEC_OK)) {
+ if (!gssntlm_ext_sec_ok(ctx)) {
ctx->neg_flags &= ~NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
}
@@ -322,7 +322,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
}
/* mask unacceptable flags */
- if (!(ctx->sec_req & SEC_LM_OK)) {
+ if (!gssntlm_sec_lm_ok(ctx)) {
in_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(ctx->neg_flags & NTLMSSP_NEGOTIATE_56)) {
@@ -606,11 +606,11 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
ctx->neg_flags = NTLMSSP_DEFAULT_ALLOWED_SERVER_FLAGS;
/* Fixme: How do we allow anonymous negotition ? */
- if ((ctx->sec_req & SEC_LM_OK) || (ctx->sec_req & SEC_DC_LM_OK)) {
+ if (gssntlm_sec_lm_ok(ctx)) {
ctx->neg_flags |= NTLMSSP_REQUEST_NON_NT_SESSION_KEY;
ctx->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
- if (ctx->sec_req & SEC_EXT_SEC_OK) {
+ if (gssntlm_ext_sec_ok(ctx)) {
ctx->neg_flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
}
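Review bot: The condition at `if (gssntlm_sec_lm_ok(ctx))` changes what a domain member advertises: the old `SEC_LM_OK || SEC_DC_LM_OK` test could still be false, whereas the helper returns true unconditionally for GSSNTLM_DOMAIN_SERVER, so such a server now always sets NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_REQUEST_NON_NT_SESSION_KEY in its challenge and leaves refusal of LM to the DC. That matches the helper's own comment but is a policy shift worth stating where it bites, e.g. `/* domain members always offer LM here; the DC enforces the LM/NTLMv1 policy */`. For the plain GSSNTLM_SERVER role the new test drops the SEC_DC_LM_OK half of the old condition, which looks like the intended tightening but should be confirmed. gssntlm_accept_sec_context() begins before the hunk and continues after it.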