s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server
authorAndrew Bartlett <abartlet@samba.org>
Fri, 22 Jul 2011 02:10:30 +0000 (12:10 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:03 +0000 (18:48 +1000)
This is changed so that the callers ask for the additional flags
that they need, starting with no additional flags.

This helps to create a proper abstraction layer in
ntlmssp_wrap/auth_ntlmssp.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
source3/librpc/crypto/cli_spnego.c
source3/libsmb/ntlmssp.c
source3/rpc_server/dcesrv_ntlmssp.c
source3/smbd/seal.c
source3/smbd/sesssetup.c
source3/smbd/smb2_sesssetup.c
source3/utils/ntlm_auth.c

index 3e40d15569f90f710597d89a76883a0a065c9ae3..3222d0b7efa116cf28d0657e9cfd41659e10ab80 100644 (file)
@@ -21,6 +21,7 @@
 #include "../libcli/auth/spnego.h"
 #include "include/ntlmssp_wrap.h"
 #include "librpc/gen_ndr/ntlmssp.h"
+#include "libcli/auth/ntlmssp.h"
 #include "librpc/crypto/gse.h"
 #include "librpc/crypto/spnego.h"
 
index 87362c284070eb3d29457ed231bec14140a45218..9436ca1c3f8f0088edfaa7e0c3742c9567f734d7 100644 (file)
@@ -333,9 +333,7 @@ NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
                NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
                NTLMSSP_NEGOTIATE_NTLM |
                NTLMSSP_NEGOTIATE_NTLM2 |
-               NTLMSSP_NEGOTIATE_KEY_EXCH |
-               NTLMSSP_NEGOTIATE_SIGN |
-               NTLMSSP_NEGOTIATE_SEAL;
+               NTLMSSP_NEGOTIATE_KEY_EXCH;
 
        ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
        if (!ntlmssp_state->server.netbios_name) {
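Review bot: Dropping `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL` from the default `neg_flags` in ntlmssp_server_start makes signing and sealing opt-in, and nothing at this assignment tells the next caller that. A server-side caller that this commit does not update would silently stop offering message integrity and confidentiality, a downgrade that only shows up on the wire. I would add a comment above the flag list such as `/* SIGN and SEAL are not offered by default; callers must request them before the first update */`. It is also worth checking for any remaining callers of ntlmssp_server_start. The flag assignment and the function body both extend outside this hunk.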
index 87c8e0becea7ebdaf2d17f4eec066de6e16cd218..fd5b820143538a4b4ca1f0aee06c71e599dbae0a 100644 (file)
@@ -43,17 +43,12 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
                return status;
        }
 
-       /* Clear flags, then set them according to requested flags */
-       auth_ntlmssp_and_flags(a, ~(NTLMSSP_NEGOTIATE_SIGN |
-                                       NTLMSSP_NEGOTIATE_SEAL));
-
        if (do_sign) {
-               auth_ntlmssp_or_flags(a, NTLMSSP_NEGOTIATE_SIGN);
+               auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SIGN);
        }
        if (do_seal) {
                /* Always implies both sign and seal for ntlmssp */
-               auth_ntlmssp_or_flags(a, NTLMSSP_NEGOTIATE_SIGN |
-                                        NTLMSSP_NEGOTIATE_SEAL);
+               auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SEAL);
        }
 
        status = auth_ntlmssp_update(a, mem_ctx, *token_in, token_out);
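Review bot: In the `do_seal` branch the comment still says sealing "always implies both sign and seal", but the new call requests only `NTLMSSP_FEATURE_SEAL`, whereas the removed code OR-ed in `NTLMSSP_NEGOTIATE_SIGN` explicitly. Whether `auth_ntlmssp_want_feature` also sets the sign flag for the seal feature is not visible here; if it does not, a sealed connection would be negotiated without the sign flag. Either add `auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SIGN);` ahead of the seal request, or reword the comment to say the helper takes care of it. The same question applies to the `make_auth_ntlmssp` hunk in source3/smbd/seal.c, which now asks for `NTLMSSP_FEATURE_SEAL` alone where the old default offered both. ntlmssp_server_auth_start begins and ends outside this hunk.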
index 5481e52fe04015e09c87f26f866bf84917a03443..12672681fe0514f8dd453f5e4099a9b9f7c02f06 100644 (file)
@@ -92,6 +92,8 @@ static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
                return nt_status_squash(status);
        }
 
+       auth_ntlmssp_want_feature(ec->auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
+
        /*
         * We must remember to update the pointer copy for the common
         * functions after any auth_ntlmssp_start/auth_ntlmssp_end.
index b1fed41e8e5d4d17c929e2e5cc0408164a37c345..1eb4708994725c180e311d035c0dafffd0e6ca4d 100644 (file)
@@ -633,8 +633,10 @@ static void reply_spnego_negotiate(struct smb_request *req,
                return;
        }
 
+       auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
        status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
-                                    secblob, &chal);
+                                       secblob, &chal);
 
        data_blob_free(&secblob);
 
index 320a7077581f1ab5aef7062958edaa51ac24c273..40f98ce45fd7068037776a602ff6876d420c437b 100644 (file)
@@ -392,6 +392,8 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
                        goto out;
                }
 
+               auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
                status = auth_ntlmssp_update(session->auth_ntlmssp_state,
                                             talloc_tos(),
                                             secblob_in,
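Review bot: The new `auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY)` call has no comment saying why the SMB server asks for a session key and nothing else; the same is true of the matching call added to `reply_spnego_negotiate` in source3/smbd/sesssetup.c. Before this commit both paths inherited sign and seal from the server defaults, so a reader cannot tell whether dropping them here is deliberate. A short comment would settle it, for example `/* SMB signing needs the NTLMSSP session key; NTLMSSP-level sign/seal is not used on this transport */` (presumably the intent, to be confirmed by the author). The sesssetup.c hunk also re-indents the `secblob, &chal);` continuation line, which is unrelated whitespace churn better left out of this change. smbd_smb2_spnego_negotiate continues outside the hunk.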
index 3a99a8c1bfc63412bc3d688a21a64ac41e394f37..9cd47d0611e39fca9bd652279b58b332bc7cb9d3 100644 (file)
@@ -737,6 +737,10 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_st
                return status;
        }
 
+       (*ntlmssp_state)->neg_flags |=
+               (NTLMSSP_NEGOTIATE_SIGN |
+                NTLMSSP_NEGOTIATE_SEAL);
+
        /* Have we been given a local password, or should we ask winbind? */
        if (opt_password) {
                (*ntlmssp_state)->check_password = local_pw_check;
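Review bot: Writing `(*ntlmssp_state)->neg_flags |= ...` directly in ntlm_auth_start_ntlmssp_server bypasses the feature-request interface that the rest of this commit moves callers onto. It also has no comment explaining why this helper keeps offering sign and seal unconditionally. Since the state here is a plain `struct ntlmssp_state`, calling `ntlmssp_want_feature(*ntlmssp_state, NTLMSSP_FEATURE_SEAL)` (plus the sign feature if the helper does not imply it) would keep the flag bookkeeping in one place. If the direct assignment is kept, add a comment such as `/* keep the previous default: offer sign and seal to ntlm_auth clients */`. The function continues outside the hunk.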