s3:auth add hooks to indicate if signing or sealing is desired with NTLMSSP
authorAndrew Bartlett <abartlet@samba.org>
Wed, 2 Jun 2010 12:52:56 +0000 (22:52 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 7 Jun 2010 13:34:29 +0000 (23:34 +1000)
This allows the right hooks to be called in GENSEC when s3compat
implements the auth_ntlmssp interface.  Otherwise, we can't do the
signing or sealing as we have not negotiated its use.

Andrew Bartlett

source3/auth/auth_ntlmssp.c
source3/include/proto.h
source3/rpc_server/srv_pipe.c

index 1b48ba022db57dac1e2a0b42cba24b2cd1ddc38d..7184fa6b95a1e3ea001071c2585f1751f49d32ae 100644 (file)
@@ -74,6 +74,16 @@ bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
        return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
 }
 
+void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
+{
+
+}
+
+void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
+{
+
+}
+
 NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
                                  struct auth_ntlmssp_state *auth_ntlmssp_state,
                                  struct auth_serversupplied_info **_server_info)
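Review bot: `auth_ntlmssp_want_sign()` and `auth_ntlmssp_want_seal()` are added with empty bodies and no comment, so a reader of the call sites could assume the call turns on or enforces signing or sealing when, in this implementation, it does nothing. Going by the commit message, they are placeholders for a GENSEC-backed implementation; a comment above each would record that, e.g. `/* Intentionally a no-op here: hook for implementations that must request signing before the exchange starts. */`. Because both return void, a caller cannot tell whether the request was honoured, so the bind path should keep treating `auth_ntlmssp_negotiated_sign()` and `auth_ntlmssp_negotiated_seal()` as the source of truth for what protection is actually in place. The `auth_ntlmssp_server_info()` definition at the end of the hunk continues outside it.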
index 268e2b50aacde9908bfb7ef281aabf089d45898f..9582884c2fe465c7351d764fbd28389e377b5d1b 100644 (file)
@@ -63,6 +63,8 @@ const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_stat
 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state);
 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state);
 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state);
+void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state);
+void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state);
 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
index 0f60cdff1c6ab93f50302b4ca7eafde669a6a129..4678aeb6986507af16ca5e26bd12cb59e1b5f41a 100644 (file)
@@ -1189,6 +1189,16 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_
                        goto err;
                }
 
+               switch (auth_info.auth_level) {
+                       case DCERPC_AUTH_LEVEL_INTEGRITY:
+                               auth_ntlmssp_want_sign(a);
+                               break;
+                       case DCERPC_AUTH_LEVEL_PRIVACY:
+                               auth_ntlmssp_want_seal(a);
+                               break;
+                       default:
+                               break;
+               }
                /*
                 * Pass the first security blob of data to it.
                 * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
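Review bot: The `default:` branch of the new switch on `auth_info.auth_level` requests neither feature and carries no comment, so every other level, including a value that is not a defined DCERPC auth level, falls through silently to the NTLMSSP exchange. The identical switch added to pipe_ntlmssp_auth_bind in the next hunk has the same gap. If the level is validated earlier in the function, which is outside this hunk, a comment such as `/* other levels were checked above; no per-PDU protection to request */` would make that explicit; if it is not, an unknown level should be rejected here. The `want_*` calls only express a request, so the flags negotiated at the end of the exchange still need to be checked against the requested level before INTEGRITY or PRIVACY traffic is accepted. The two switches also differ only in the expression tested and in case-label indentation, so a small static helper taking `a` and the auth level would keep them in sync.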
@@ -1524,6 +1534,17 @@ static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
                goto err;
        }
 
+       switch (pauth_info->auth_level) {
+       case DCERPC_AUTH_LEVEL_INTEGRITY:
+               auth_ntlmssp_want_sign(a);
+               break;
+       case DCERPC_AUTH_LEVEL_PRIVACY:
+               auth_ntlmssp_want_seal(a);
+               break;
+       default:
+               break;
+       }
+
        status = auth_ntlmssp_update(a, blob, &response);
        if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",