s4:librpc: always try to negotiate DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
authorStefan Metzmacher <metze@samba.org>
Fri, 3 Jan 2014 07:35:27 +0000 (08:35 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 6 Jan 2014 23:27:11 +0000 (00:27 +0100)
If the gensec backend supports it there's no reason not to sign the header.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/rpc/binding.c
librpc/rpc/rpc_common.h
source4/librpc/rpc/dcerpc.c
source4/librpc/rpc/dcerpc_auth.c

index 49651e8796b692f22907f92314ef622684dd3e4f..52122cfdae66e38f199aba5aa8631506965f8ca3 100644 (file)
@@ -88,7 +88,6 @@ static const struct {
        {"padcheck", DCERPC_DEBUG_PAD_CHECK},
        {"bigendian", DCERPC_PUSH_BIGENDIAN},
        {"smb2", DCERPC_SMB2},
-       {"hdrsign", DCERPC_HEADER_SIGNING},
        {"ndr64", DCERPC_NDR64},
        {"localaddress", DCERPC_LOCALADDRESS}
 };
index 978229ef24a0feec88bf2953daf4924b40a2f5b0..93d3bb493d12776d20d212d5407a35008922a7f7 100644 (file)
@@ -98,7 +98,7 @@ struct dcerpc_binding {
 /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
 #define DCERPC_CONCURRENT_MULTIPLEX     (1<<19)
 
-/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
 #define DCERPC_HEADER_SIGNING          (1<<20)
 
 /* use NDR64 transport */
@@ -113,6 +113,9 @@ struct dcerpc_binding {
 /* use aes schannel with hmac-sh256 session key */
 #define DCERPC_SCHANNEL_AES            (1<<24)
 
+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+#define DCERPC_PROPOSE_HEADER_SIGNING          (1<<25)
+
 /* The following definitions come from ../librpc/rpc/dcerpc_error.c  */
 
 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
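Review bot: The comment carried over to DCERPC_PROPOSE_HEADER_SIGNING still describes it as something that "triggers" the bind flag, which reads like the other binding-string options around it, but on this page the flag is only ever set on conn->flags from gensec_have_feature() in dcerpc_bind_auth_send and read from conn->flags in dcerpc_bind_send, and the `hdrsign` binding-string entry that used to drive it is removed by the binding.c hunk, so it is no longer something a caller can request through the binding. Suggest documenting that origin, e.g. `/* set internally on conn->flags when the gensec backend has GENSEC_FEATURE_SIGN_PKT_HEADER; makes dcerpc_bind_send propose DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN (not settable from the binding string) */`. The flag block this hunk sits in starts before the hunk.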
index 56b821ecce09c23dc0bbae330ffa8ed424221e48..2f6c8dd122efa494d9db2a59f183609078765403 100644 (file)
@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
                pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
        }
 
-       if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+       if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
                pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
        }
 
@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
                conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
        }
 
-       if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
+       if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
            (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
                conn->flags |= DCERPC_HEADER_SIGNING;
        }
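Review bot: DCERPC_HEADER_SIGNING is OR'd into conn->flags when the server echoes SUPPORT_HEADER_SIGN, but nothing in this hunk clears a DCERPC_HEADER_SIGNING bit left from an earlier negotiation on the same conn, and nothing lets the caller fail the bind when header signing was proposed and not granted. As far as these lines show the bind_ack is processed before authentication completes, so the pfc_flags it carries do not appear to be integrity-protected, and with the `hdrsign` binding option gone there is no remaining knob to insist on header signing rather than silently accept stub-only signing. If a conn can be re-bound (I cannot tell from here), consider `conn->flags &= ~DCERPC_HEADER_SIGNING;` ahead of the check so a stale bit cannot survive a renegotiation, and a short comment stating that the result is best-effort and may be downgraded by the peer. dcerpc_bind_recv_handler starts and ends outside the hunk.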
@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
                pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
        }
 
-       if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-               pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-       }
-
        /* construct the NDR form of the packet */
        status = ncacn_push_auth(&blob, mem_ctx,
                                 &pkt,
@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
                pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
        }
 
-       if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-               pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-       }
-
        pkt.u.alter.max_xmit_frag = 5840;
        pkt.u.alter.max_recv_frag = 5840;
        pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
index d5e56206b0416d01818a5f8c215d241a0cf401f2..9a5d04dfb95d28ddd127c68a7b8d4873d2490f7f 100644 (file)
@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
 
        if (!composite_is_ok(c)) return;
 
-       if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
-               gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
-       }
-
        if (state->credentials.length == 0) {
                composite_done(c);
                return;
@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
        TALLOC_FREE(subreq);
        if (!composite_is_ok(c)) return;
 
+       if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+               struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+               gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+       }
+
        if (!state->more_processing) {
                /* The first gensec_update has not requested a second run, so
                 * we're done here. */
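Review bot: gensec_want_feature(GENSEC_FEATURE_SIGN_PKT_HEADER) is now requested only after the bind reply, i.e. after the first gensec_update has already produced the token carried in the bind (state->credentials is assigned to sec->auth_info->credentials before dcerpc_bind_send in the last hunk of this file). That is presumably fine if the feature only changes how later PDUs are signed/sealed, but if any backend bakes its signing intent into the first token the request arrives too late to influence the exchange — worth confirming against the gensec backends. A comment at the new block would make the intended ordering explicit: `/* Server agreed to header signing: tell gensec now, before any further tokens or signed PDUs are produced. */`. bind_auth_recv_bindreply starts before the hunk.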
@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 
        sec->auth_info->credentials = state->credentials;
 
+       if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
+               state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
+       }
+
        /* The first request always is a dcerpc_bind. The subsequent ones
         * depend on gensec results */
        subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
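Review bot: The new DCERPC_PROPOSE_HEADER_SIGNING bit is only ever OR'd into conn->flags and never cleared, so if dcerpc_bind_auth_send is run again on the same connection with a gensec context that lacks GENSEC_FEATURE_SIGN_PKT_HEADER, the stale bit still makes dcerpc_bind_send propose header signing, and bind_auth_recv_bindreply would then call gensec_want_feature on a backend that cannot honour it. If a conn can be re-bound (not visible from this hunk), reset it before the check: `state->pipe->conn->flags &= ~DCERPC_PROPOSE_HEADER_SIGNING;`. dcerpc_bind_auth_send starts before the hunk and continues after it.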