s3:auth add hooks to indicate if signing or sealing is desired with NTLMSSP
authorAndrew Bartlett <abartlet@samba.org>
Wed, 2 Jun 2010 12:52:56 +0000 (22:52 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 3 Jun 2010 11:57:50 +0000 (21:57 +1000)
This allows the right hooks to be called in GENSEC when s3compat
implements the auth_ntlmssp interface.  Otherwise, we can't do the
signing or sealing as we have not negotiated its use.

Andrew Bartlett

source3/auth/auth_ntlmssp.c
source3/include/proto.h
source3/rpc_server/srv_pipe.c

index 938ddb798c5f347ede941cebeef2f3952c711fef..ab8fdf47b05d2bf1be6ff2ad28641841147c551a 100644 (file)
@@ -74,6 +74,16 @@ bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
        return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
 }
 
+void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
+{
+
+}
+
+void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
+{
+
+}
+
 NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
                                  struct auth_ntlmssp_state *auth_ntlmssp_state, 
                                  struct auth_serversupplied_info **_server_info)
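Review bot: Both new hooks, `auth_ntlmssp_want_sign()` and `auth_ntlmssp_want_seal()`, have empty bodies and no comment, so a reader of auth_ntlmssp.c cannot tell whether doing nothing is intended or unfinished. If it is intended, as the commit message suggests, each should say so, for example `/* No-op in this implementation; a hook for auth_ntlmssp implementations that must be told before negotiation that signing is wanted. */`. The comment should also state that the hook only records a request, and that `auth_ntlmssp_negotiated_sign()` and `auth_ntlmssp_negotiated_seal()` remain the way to learn what was actually agreed. Because the hooks return void, a caller cannot learn that a requested protection is unavailable, which is worth noting in the same comment.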
index 6dda7742d8ccfd4c7563dd0d74b00aa04ed8b01d..1f27170e7f406e6f75caa02f8d212c31598e9264 100644 (file)
@@ -64,6 +64,8 @@ const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_stat
 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state);
 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state);
 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state);
+void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state);
+void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state);
 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
index ba96ed0d20e5f730eb8173c4f3970d7f500d1c09..5f522ee0419bad2d189783315cb83fe8c9ff6a0c 100644 (file)
@@ -1272,7 +1272,17 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_
                if (!NT_STATUS_IS_OK(status)) {
                        goto err;
                }
-
+               
+               switch (auth_info.auth_level) {
+                       case DCERPC_AUTH_LEVEL_INTEGRITY:
+                               auth_ntlmssp_want_sign(a);
+                               break;
+                       case DCERPC_AUTH_LEVEL_PRIVACY:
+                               auth_ntlmssp_want_seal(a);
+                               break;
+                       default:
+                               break;
+               }
                /*
                 * Pass the first security blob of data to it.
                 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
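Review bot: Nothing in this switch can fail the bind, because the hooks return void and `default:` ignores every other level, so the level in `auth_info.auth_level` still has to be compared with `auth_ntlmssp_negotiated_sign()` / `auth_ntlmssp_negotiated_seal()` once the exchange completes; that check is not visible in this hunk. The `DCERPC_AUTH_LEVEL_PRIVACY` case calls only `auth_ntlmssp_want_seal(a)`, so whether sealing is meant to imply signing should be stated in the hook's contract, or the case should call `auth_ntlmssp_want_sign(a)` as well. The same switch is repeated in `pipe_ntlmssp_auth_bind` (the next hunk) with different `case` indentation; a small static helper taking `a` and the auth level would keep the two in step. The blank line this hunk replaces now carries trailing whitespace. The body of `pipe_spnego_auth_bind_negotiate` starts and ends outside the hunk.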
@@ -1608,6 +1618,17 @@ static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
                goto err;
        }
 
+       switch (pauth_info->auth_level) {
+       case DCERPC_AUTH_LEVEL_INTEGRITY:
+               auth_ntlmssp_want_sign(a);
+               break;
+       case DCERPC_AUTH_LEVEL_PRIVACY:
+               auth_ntlmssp_want_seal(a);
+               break;
+       default:
+               break;
+       }
+
        status = auth_ntlmssp_update(a, blob, &response);
        if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",