If the gensec backend supports it, there's no reason not to sign the header.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
{"padcheck", DCERPC_DEBUG_PAD_CHECK},
{"bigendian", DCERPC_PUSH_BIGENDIAN},
{"smb2", DCERPC_SMB2},
- {"hdrsign", DCERPC_HEADER_SIGNING},
{"ndr64", DCERPC_NDR64},
{"localaddress", DCERPC_LOCALADDRESS}
};
/* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
#define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
-/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
#define DCERPC_HEADER_SIGNING (1<<20)
/* use NDR64 transport */
/* use aes schannel with hmac-sh256 session key */
#define DCERPC_SCHANNEL_AES (1<<24)
+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
+
/* The following definitions come from ../librpc/rpc/dcerpc_error.c */
const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
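Review bot: The comment on the new `DCERPC_PROPOSE_HEADER_SIGNING` define says what the flag triggers but not who sets it, and with the `hdrsign` binding option removed in the first hunk a reader of this header can no longer tell that neither flag is selectable from a binding string. Suggest `/* set internally when the gensec backend reports GENSEC_FEATURE_SIGN_PKT_HEADER; triggers DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN in the bind request */` on the new define, and on `DCERPC_HEADER_SIGNING` the reworded comment could add `set from the bind reply, not from the binding string`. Stating that the two flags occupy distinct bits on purpose (proposed vs. negotiated are separate states) would also help whoever next touches this table.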
pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
}
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
}
- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
(pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
conn->flags |= DCERPC_HEADER_SIGNING;
}
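Review bot: The new condition enables `DCERPC_HEADER_SIGNING` only when we proposed it and the reply carries `DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN`, but nothing documents that a reply without the flag silently leaves the connection without header signing rather than being treated as an error. A one-line comment above the `if`, `/* header signing is used only if we proposed it and the server acked it; an ack without the flag leaves the connection without header signing */`, makes that fallback explicit for anyone auditing the negotiation later. The enclosing function starts before and ends after this hunk.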
pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
}
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
/* construct the NDR form of the packet */
status = ncacn_push_auth(&blob, mem_ctx,
&pkt,
pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
}
- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
- }
-
pkt.u.alter.max_xmit_frag = 5840;
pkt.u.alter.max_recv_frag = 5840;
pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
if (!composite_is_ok(c)) return;
- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
- }
-
if (state->credentials.length == 0) {
composite_done(c);
return;
TALLOC_FREE(subreq);
if (!composite_is_ok(c)) return;
+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+ struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+ }
+
if (!state->more_processing) {
/* The first gensec_update has not requested a second run, so
* we're done here. */
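Review bot: `sec` is declared inside the new `if` body, while the removed lines at the earlier location used `sec` without declaring it; if both sites are in the same function the new declaration shadows the existing local (harmless but flagged by -Wshadow), and if they are different functions it is fine — worth a quick check. The block is also placed ahead of the `!state->more_processing` early exit, presumably so the feature is requested before a handshake that is already complete is finalised; a comment such as `/* request header signing before the handshake can complete */` would keep the next reader from moving it below the check. The enclosing function begins before and ends after this hunk.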
sec->auth_info->credentials = state->credentials;
+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
+ }
+
/* The first request always is a dcerpc_bind. The subsequent ones
* depend on gensec results */
subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
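Review bot: `gensec_have_feature(..., GENSEC_FEATURE_SIGN_PKT_HEADER)` is queried right after the first gensec_update and before the bind is sent; for a mechanism whose backend is only settled later in the handshake, the answer at this point may not be final, in which case header signing would never be proposed and nothing would say so. Worth confirming against the backends in use, and adding `/* only propose header signing if the backend can sign the header */` plus a DEBUG line on the else path so a missing proposal is visible in logs. The enclosing function continues outside this hunk.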