The branch, master has been updated via 6ab9164 s3:rpc_client: send a dcerpc_sec_verification_trailer if needed via f0532fe s3:rpc_client: fill alloc_hint with the remaining data not the total data. via c0dc2fb dcerpc.idl: add dcerpc_sec_verification_trailer via 66c3942 dcerpc.idl: add documentation references via b62308e librpc/ndr: add LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES via 523d616 s3:rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN via 61bdbc2 s3:rpc_client: implement DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN via f7bf7e70 s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as any other gensec backend via 4d3376e s3:rpc_client: add some const to rpc_api_pipe_req_send() via 946e29d s3:rpc_client: make rpc_api_pipe_req_send/recv static via 5b39a35 s3:rpc_client: talloc_zero pipe_auth_data via 03006d0 auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c via 616cd00 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c via 54b5b30 s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing via 14f6c41 s4:auth/gensec_gssapi: handle GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature() via 64fc015 auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is always supported via 661fe3c s4:rpc_server: support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default via 7db1dc1 s4:librpc: always try to negotiate DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN from e8eb47f docs: Add num-children to smbcontrol manpage
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6ab9164c74e0ad57bdde8abb568953026b644e27 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 08:12:45 2014 +0100 s3:rpc_client: send a dcerpc_sec_verification_trailer if needed Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104 commit f0532fe0cd69aeb161088ca990d376f119102e61 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 07:57:51 2014 +0100 s3:rpc_client: fill alloc_hint with the remaining data not the total data. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jan 2 11:18:38 2014 +0100 dcerpc.idl: add dcerpc_sec_verification_trailer See [MS-RPCE] 2.2.2.13 Verification Trailer for details. Pair-Programmed-With: Gregor Beck <gb...@sernet.de> Signed-off-by: Gregor Beck <gb...@sernet.de> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 66c39420e29e7c257d9cdc5d04c061472bbefd19 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 15:06:23 2014 +0100 dcerpc.idl: add documentation references To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE]. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b62308ed994e9734dfd934d230531010d9e7cefa Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 09:25:23 2014 +0100 librpc/ndr: add LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES This lets ndr_pull_subcontext_end() make sure that all subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 523d616268af5f94e11c863f9acdebabace80608 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 22:56:03 2014 +0100 s3:rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN If the backend supports it there's no reason to avoid it. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 22:41:33 2014 +0100 s3:rpc_client: implement DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f7bf7e705e704d2f1702e42a8e400baff9521066 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 08:26:15 2014 +0100 s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as any other gensec backend Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4d3376e919b5c33f272b3a584d8172729a7468e0 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 07:56:20 2014 +0100 s3:rpc_client: add some const to rpc_api_pipe_req_send() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 06:31:44 2014 +0100 s3:rpc_client: make rpc_api_pipe_req_send/recv static Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9 Author: Stefan Metzmacher <me...@samba.org> Date: Sun Jan 5 06:16:03 2014 +0100 s3:rpc_client: talloc_zero pipe_auth_data Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 03006d0e4471465f071517097145806fbe46fdba Author: Stefan Metzmacher <me...@samba.org> Date: Tue Dec 31 10:11:18 2013 +0100 auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER in schannel.c Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 616cd009955b1722e6749019e2c1cac8bbb94e52 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Dec 31 09:42:36 2013 +0100 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 15:30:46 2014 +0100 s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing If header signing is requested we should error out instead of silently ignoring it, our peer would hopefully reject it, but we should also do that. TODO: we should implement header signing using gss_wrap_iov(). Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 14f6c41754960d73f46aca1bade2266b7e934d03 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Dec 31 09:54:54 2013 +0100 s4:auth/gensec_gssapi: handle GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 64fc015a85f9b5ed74f3dabe05dbdff185093278 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Dec 31 09:53:55 2013 +0100 auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is always supported Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 661fe3cf890b91f8750872b0f5a09da536f76ae2 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 08:39:12 2014 +0100 s4:rpc_server: support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default If the gensec backend supports it there's no reason to disable it. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7db1dc13b0149441a2beebca65b75f6e11af13a3 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 3 08:35:27 2014 +0100 s4:librpc: always try to negotiate DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN If the gensec backend supports it there's no reason not sign the header. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/gensec/schannel.c | 428 ++++++++++++++++++++++++++++++++++- auth/ntlmssp/gensec_ntlmssp.c | 4 + libcli/auth/schannel_proto.h | 14 -- libcli/auth/schannel_sign.c | 404 --------------------------------- libcli/auth/wscript_build | 2 +- librpc/idl/dcerpc.idl | 80 +++++++- librpc/idl/idl_types.h | 2 + librpc/ndr/libndr.h | 6 + librpc/ndr/ndr.c | 20 ++ librpc/ndr/ndr_dcerpc.c | 66 ++++++ librpc/rpc/binding.c | 1 - librpc/rpc/rpc_common.h | 5 +- librpc/wscript_build | 2 +- source3/librpc/rpc/dcerpc.h | 5 +- source3/rpc_client/cli_pipe.c | 264 +++++++++++++++++++-- source3/rpc_client/cli_pipe.h | 10 - source3/rpc_client/rpc_client.h | 1 + source3/rpc_server/srv_pipe.c | 25 ++- source4/auth/gensec/gensec_gssapi.c | 24 ++ source4/librpc/rpc/dcerpc.c | 12 +- source4/librpc/rpc/dcerpc_auth.c | 14 +- source4/rpc_server/dcerpc_server.c | 6 - source4/rpc_server/dcesrv_auth.c | 37 +++- 23 files changed, 938 insertions(+), 494 deletions(-) delete mode 100644 libcli/auth/schannel_sign.c create mode 100644 librpc/ndr/ndr_dcerpc.c Changeset truncated at 500 lines: diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c index eb2e100..3d30e83 100644 --- a/auth/gensec/schannel.c +++ b/auth/gensec/schannel.c @@ -31,6 +31,413 @@ #include "librpc/gen_ndr/dcerpc.h" #include "param/param.h" #include "auth/gensec/gensec_toplevel_proto.h" +#include "lib/crypto/crypto.h" + +struct schannel_state { + struct gensec_security *gensec; + uint64_t seq_num; + bool initiator; + struct netlogon_creds_CredentialState *creds; +}; + +#define SETUP_SEQNUM(state, buf, initiator) do { \ + uint8_t *_buf = buf; \ + uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \ + uint32_t _seq_num_high = (state)->seq_num >> 32; \ + if (initiator) { \ + _seq_num_high |= 0x80000000; \ + } \ + RSIVAL(_buf, 0, _seq_num_low); \ + RSIVAL(_buf, 4, _seq_num_high); \ +} while(0) + +static struct schannel_state *netsec_create_state( + struct gensec_security *gensec, + struct netlogon_creds_CredentialState *creds, + bool initiator) +{ + struct schannel_state *state; + + state = talloc(gensec, struct schannel_state); + if (state == NULL) { + return NULL; + } + + state->gensec = gensec; + state->initiator = initiator; + state->seq_num = 0; + state->creds = netlogon_creds_copy(state, creds); + if (state->creds == NULL) { + talloc_free(state); + return NULL; + } + + gensec->private_data = state; + + return state; +} + +static void netsec_offset_and_sizes(struct schannel_state *state, + bool do_seal, + uint32_t *_min_sig_size, + uint32_t *_used_sig_size, + uint32_t *_checksum_length, + uint32_t *_confounder_ofs) +{ + uint32_t min_sig_size; + uint32_t used_sig_size; + uint32_t checksum_length; + uint32_t confounder_ofs; + + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + min_sig_size = 48; + used_sig_size = 56; + /* + * Note: windows has a bug here and uses the old values... + * + * checksum_length = 32; + * confounder_ofs = 48; + */ + checksum_length = 8; + confounder_ofs = 24; + } else { + min_sig_size = 24; + used_sig_size = 32; + checksum_length = 8; + confounder_ofs = 24; + } + + if (do_seal) { + min_sig_size += 8; + } + + if (_min_sig_size) { + *_min_sig_size = min_sig_size; + } + + if (_used_sig_size) { + *_used_sig_size = used_sig_size; + } + + if (_checksum_length) { + *_checksum_length = checksum_length; + } + + if (_confounder_ofs) { + *_confounder_ofs = confounder_ofs; + } +} + +/******************************************************************* + Encode or Decode the sequence number (which is symmetric) + ********************************************************************/ +static void netsec_do_seq_num(struct schannel_state *state, + const uint8_t *checksum, + uint32_t checksum_length, + uint8_t seq_num[8]) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + + AES_set_encrypt_key(state->creds->session_key, 128, &key); + ZERO_STRUCT(iv); + memcpy(iv+0, checksum, 8); + memcpy(iv+8, checksum, 8); + + aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT); + } else { + static const uint8_t zeros[4]; + uint8_t sequence_key[16]; + uint8_t digest1[16]; + + hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1); + hmac_md5(digest1, checksum, checksum_length, sequence_key); + arcfour_crypt(seq_num, sequence_key, 8); + } + + state->seq_num++; +} + +static void netsec_do_seal(struct schannel_state *state, + const uint8_t seq_num[8], + uint8_t confounder[8], + uint8_t *data, uint32_t length, + bool forward) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + uint8_t sess_kf0[16]; + int i; + + for (i = 0; i < 16; i++) { + sess_kf0[i] = state->creds->session_key[i] ^ 0xf0; + } + + AES_set_encrypt_key(sess_kf0, 128, &key); + ZERO_STRUCT(iv); + memcpy(iv+0, seq_num, 8); + memcpy(iv+8, seq_num, 8); + + if (forward) { + aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT); + aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT); + } else { + aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT); + aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT); + } + } else { + uint8_t sealing_key[16]; + static const uint8_t zeros[4]; + uint8_t digest2[16]; + uint8_t sess_kf0[16]; + int i; + + for (i = 0; i < 16; i++) { + sess_kf0[i] = state->creds->session_key[i] ^ 0xf0; + } + + hmac_md5(sess_kf0, zeros, 4, digest2); + hmac_md5(digest2, seq_num, 8, sealing_key); + + arcfour_crypt(confounder, sealing_key, 8); + arcfour_crypt(data, sealing_key, length); + } +} + +/******************************************************************* + Create a digest over the entire packet (including the data), and + MD5 it with the session key. + ********************************************************************/ +static void netsec_do_sign(struct schannel_state *state, + const uint8_t *confounder, + const uint8_t *data, size_t length, + uint8_t header[8], + uint8_t *checksum) +{ + if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + struct HMACSHA256Context ctx; + + hmac_sha256_init(state->creds->session_key, + sizeof(state->creds->session_key), + &ctx); + + if (confounder) { + SSVAL(header, 0, NL_SIGN_HMAC_SHA256); + SSVAL(header, 2, NL_SEAL_AES128); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + hmac_sha256_update(header, 8, &ctx); + hmac_sha256_update(confounder, 8, &ctx); + } else { + SSVAL(header, 0, NL_SIGN_HMAC_SHA256); + SSVAL(header, 2, NL_SEAL_NONE); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + hmac_sha256_update(header, 8, &ctx); + } + + hmac_sha256_update(data, length, &ctx); + + hmac_sha256_final(checksum, &ctx); + } else { + uint8_t packet_digest[16]; + static const uint8_t zeros[4]; + MD5_CTX ctx; + + MD5Init(&ctx); + MD5Update(&ctx, zeros, 4); + if (confounder) { + SSVAL(header, 0, NL_SIGN_HMAC_MD5); + SSVAL(header, 2, NL_SEAL_RC4); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + MD5Update(&ctx, header, 8); + MD5Update(&ctx, confounder, 8); + } else { + SSVAL(header, 0, NL_SIGN_HMAC_MD5); + SSVAL(header, 2, NL_SEAL_NONE); + SSVAL(header, 4, 0xFFFF); + SSVAL(header, 6, 0x0000); + + MD5Update(&ctx, header, 8); + } + MD5Update(&ctx, data, length); + MD5Final(packet_digest, &ctx); + + hmac_md5(state->creds->session_key, + packet_digest, sizeof(packet_digest), + checksum); + } +} + +static NTSTATUS netsec_incoming_packet(struct schannel_state *state, + bool do_unseal, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + uint32_t min_sig_size = 0; + uint8_t header[8]; + uint8_t checksum[32]; + uint32_t checksum_length = sizeof(checksum_length); + uint8_t _confounder[8]; + uint8_t *confounder = NULL; + uint32_t confounder_ofs = 0; + uint8_t seq_num[8]; + int ret; + const uint8_t *sign_data = NULL; + size_t sign_length = 0; + + netsec_offset_and_sizes(state, + do_unseal, + &min_sig_size, + NULL, + &checksum_length, + &confounder_ofs); + + if (sig->length < min_sig_size) { + return NT_STATUS_ACCESS_DENIED; + } + + if (do_unseal) { + confounder = _confounder; + memcpy(confounder, sig->data+confounder_ofs, 8); + } else { + confounder = NULL; + } + + SETUP_SEQNUM(state, seq_num, !state->initiator); + + if (do_unseal) { + netsec_do_seal(state, seq_num, + confounder, + data, length, + false); + } + + if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + sign_data = whole_pdu; + sign_length = pdu_length; + } else { + sign_data = data; + sign_length = length; + } + + netsec_do_sign(state, confounder, + sign_data, sign_length, + header, checksum); + + ret = memcmp(checksum, sig->data+16, checksum_length); + if (ret != 0) { + dump_data_pw("calc digest:", checksum, checksum_length); + dump_data_pw("wire digest:", sig->data+16, checksum_length); + return NT_STATUS_ACCESS_DENIED; + } + + netsec_do_seq_num(state, checksum, checksum_length, seq_num); + + ret = memcmp(seq_num, sig->data+8, 8); + if (ret != 0) { + dump_data_pw("calc seq num:", seq_num, 8); + dump_data_pw("wire seq num:", sig->data+8, 8); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} + +static uint32_t netsec_outgoing_sig_size(struct schannel_state *state) +{ + uint32_t sig_size = 0; + + netsec_offset_and_sizes(state, + true, + NULL, + &sig_size, + NULL, + NULL); + + return sig_size; +} + +static NTSTATUS netsec_outgoing_packet(struct schannel_state *state, + TALLOC_CTX *mem_ctx, + bool do_seal, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + uint32_t min_sig_size = 0; + uint32_t used_sig_size = 0; + uint8_t header[8]; + uint8_t checksum[32]; + uint32_t checksum_length = sizeof(checksum_length); + uint8_t _confounder[8]; + uint8_t *confounder = NULL; + uint32_t confounder_ofs = 0; + uint8_t seq_num[8]; + const uint8_t *sign_data = NULL; + size_t sign_length = 0; + + netsec_offset_and_sizes(state, + do_seal, + &min_sig_size, + &used_sig_size, + &checksum_length, + &confounder_ofs); + + SETUP_SEQNUM(state, seq_num, state->initiator); + + if (do_seal) { + confounder = _confounder; + generate_random_buffer(confounder, 8); + } else { + confounder = NULL; + } + + if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + sign_data = whole_pdu; + sign_length = pdu_length; + } else { + sign_data = data; + sign_length = length; + } + + netsec_do_sign(state, confounder, + sign_data, sign_length, + header, checksum); + + if (do_seal) { + netsec_do_seal(state, seq_num, + confounder, + data, length, + true); + } + + netsec_do_seq_num(state, checksum, checksum_length, seq_num); + + (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size); + + memcpy(sig->data, header, 8); + memcpy(sig->data+8, seq_num, 8); + memcpy(sig->data+16, checksum, checksum_length); + + if (confounder) { + memcpy(sig->data+confounder_ofs, confounder, 8); + } + + dump_data_pw("signature:", sig->data+ 0, 8); + dump_data_pw("seq_num :", sig->data+ 8, 8); + dump_data_pw("digest :", sig->data+16, checksum_length); + dump_data_pw("confound :", sig->data+confounder_ofs, 8); + + return NT_STATUS_OK; +} _PUBLIC_ NTSTATUS gensec_schannel_init(void); @@ -77,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ if (state == NULL) { return NT_STATUS_NO_MEMORY; } - gensec_security->private_data = state; bind_schannel.MessageType = NL_NEGOTIATE_REQUEST; #if 0 @@ -173,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ if (state == NULL) { return NT_STATUS_NO_MEMORY; } - gensec_security->private_data = state; bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE; bind_schannel_ack.Flags = 0; @@ -228,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security, if (feature & GENSEC_FEATURE_DCE_STYLE) { return true; } + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + return true; + } return false; } @@ -245,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, return netsec_incoming_packet(state, true, discard_const_p(uint8_t, data), - length, sig); + length, + whole_pdu, pdu_length, + sig); } /* @@ -262,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security, return netsec_incoming_packet(state, false, discard_const_p(uint8_t, data), - length, sig); + length, + whole_pdu, pdu_length, + sig); } /* seal a packet @@ -278,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security, struct schannel_state); return netsec_outgoing_packet(state, mem_ctx, true, - data, length, sig); + data, length, + whole_pdu, pdu_length, + sig); } /* @@ -296,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security, return netsec_outgoing_packet(state, mem_ctx, false, discard_const_p(uint8_t, data), - length, sig); + length, + whole_pdu, pdu_length, + sig); } static const struct gensec_security_ops gensec_schannel_security_ops = { diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c index 654c0e3..5672589 100644 --- a/auth/ntlmssp/gensec_ntlmssp.c +++ b/auth/ntlmssp/gensec_ntlmssp.c @@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security, return true; } } + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + return true; + } + -- Samba Shared Repository