Add option to set the default NEGOTIATE flags

simo5 · simo5 · commit fe9ff7916348 · 2022-06-23T07:24:47.000-04:00
This requires to explicitly acquire credentials before calling into
the ISC or ASC functions. Then setting the new default flags on the
credntial. It is not elegant to mix credentials and context flags,
but it is the only way to do it in GSSAPI currently, and there is
precedent in other mechanisms like KRB5.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/gss_creds.c b/src/gss_creds.c
@@ -717,11 +717,57 @@ uint32_t gssntlm_inquire_cred_by_mech(uint32_t *minor_status,
     return GSSERRS(0, GSS_S_COMPLETE);
 }
 
+gss_OID_desc gssntlm_neg_flags_oid = {
+    GSS_NTLMSSP_NEG_FLAGS_OID_LENGTH,
+    discard_const(GSS_NTLMSSP_NEG_FLAGS_OID_STRING)
+};
+
+static uint32_t gssntlm_set_cred_neg_flags(uint32_t *minor_status,
+                                           struct gssntlm_cred *cred,
+                                           const gss_buffer_t value)
+{
+
+    if (cred == NULL || value == NULL) {
+        *minor_status = EINVAL;
+        return GSS_S_CALL_INACCESSIBLE_READ;
+    }
+    if (value->length == 0) {
+        /* special to reset to library defaults */
+        if (cred->type == GSSNTLM_CRED_SERVER) {
+            cred->neg_flags = NTLMSSP_DEFAULT_SERVER_FLAGS;
+        } else {
+            cred->neg_flags = NTLMSSP_DEFAULT_CLIENT_FLAGS;
+        }
+    } else if (value->length == sizeof(uint32_t)) {
+        cred->neg_flags = *(uint32_t *)value->value;
+    } else {
+        *minor_status = EINVAL;
+        return GSS_S_FAILURE;
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
 uint32_t gssntlm_set_cred_option(uint32_t *minor_status,
                                  gss_cred_id_t *cred_handle,
                                  const gss_OID desired_object,
                                  const gss_buffer_t value)
 {
+    struct gssntlm_cred *cred;
+
+    if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE;
+    *minor_status = 0;
+
+    if (cred_handle == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE;
+    cred = (struct gssntlm_cred *)*cred_handle;
+
+    if (desired_object == GSS_C_NO_OID) return GSS_S_CALL_INACCESSIBLE_READ;
+
+    if (gss_oid_equal(desired_object, &gssntlm_neg_flags_oid)) {
+        return gssntlm_set_cred_neg_flags(minor_status, cred, value);
+    }
+
     *minor_status = EINVAL;
     return GSS_S_UNAVAILABLE;
 }
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
@@ -95,6 +95,12 @@ struct gssntlm_cred {
             bool creds_in_cache;
         } external;
     } cred;
+
+    /* set cred options provided default flags
+     * this is currently intentionally not imported/exported
+     * as it is considered an ephemeral local status
+     */
+    uint32_t neg_flags;
 };
 
 struct gssntlm_ctx {
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
@@ -116,6 +116,10 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
         ctx->gss_flags = req_flags;
 
         ctx->neg_flags = NTLMSSP_DEFAULT_CLIENT_FLAGS;
+        /* override neg_flags default if requested */
+        if (cred->neg_flags) {
+            ctx->neg_flags = cred->neg_flags;
+        }
 
         /*
          * we ignore unsupported flags for now
@@ -635,6 +639,11 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
         ctx->neg_flags = NTLMSSP_DEFAULT_SERVER_FLAGS;
         /* Fixme: How do we allow anonymous negotition ? */
 
+        /* override neg_flags default if requested */
+        if (cred->neg_flags) {
+            ctx->neg_flags = cred->neg_flags;
+        }
+
         if (gssntlm_sec_lm_ok(ctx)) {
             ctx->neg_flags |= NTLMSSP_REQUEST_NON_NT_SESSION_KEY;
             ctx->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
diff --git a/src/gssapi_ntlmssp.h b/src/gssapi_ntlmssp.h
@@ -59,6 +59,12 @@ extern "C" {
 #define GSS_NTLMSSP_DEBUG_OID_STRING GSS_NTLMSSP_BASE_OID_STRING "\x04"
 #define GSS_NTLMSSP_DEBUG_OID_LENGTH GSS_NTLMSSP_BASE_OID_LENGTH + 1
 
+/* Set Default Neg Flags Cred Option OID
+ * Use this with gss_set_cred_option to provide a set of NEGOTIATE flags
+ * to override the default selection on context initialization.
+ */
+#define GSS_NTLMSSP_NEG_FLAGS_OID_STRING GSS_NTLMSSP_BASE_OID_STRING "\x05"
+#define GSS_NTLMSSP_NEG_FLAGS_OID_LENGTH GSS_NTLMSSP_BASE_OID_LENGTH + 1
 
 
 #define GSS_NTLMSSP_CS_DOMAIN "ntlmssp_domain"
