Allow ntlm_seal even withon NEGOTIATE_SEAL

So according to Issue #77 we have an interop issue if we prevent the use
of gss_wrap when sealing has not been negotiated. On the technical side,
whether we negotiate sealing or not we always create a seal handle with
RC4.

Change behavior to allow applications to still wrap/unwrap data if they
want, even though the negotiation marked sealing as not selected.
The worst thing that can happen is that the peer application does no
like sealed content and bails.

Applications that need to avoid seeling should already just use
gss_get_mic() anyway and they can check the returned GSS flags to see if
sealing was negotiated (returned as GSS_CONF_FLAG), so applications
still have all they need to make their choice and be compatible with
whatever peer they need to speak to.

Thanks to Filip Navara for finding this.

Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/ntlm_crypto.c

@@ -860,9 +860,8 @@ int ntlm_seal(uint32_t flags,
 
     h = &state->send;
 
-    if (!(flags & NTLMSSP_NEGOTIATE_SEAL) ||
-        (h->seal_handle == NULL)) {
-        return ENOTSUP;
+    if (h->seal_handle == NULL) {
+        return EINVAL;
     }
 
     ret = RC4_UPDATE(h->seal_handle, message, output);
@@ -902,9 +901,8 @@ int ntlm_unseal(uint32_t flags,
         h = &state->recv;
     }
 
-    if (!(flags & NTLMSSP_NEGOTIATE_SEAL) ||
-        (h->seal_handle == NULL)) {
-        return ENOTSUP;
+    if (h->seal_handle == NULL) {
+        return EINVAL;
     }
 
     ret = RC4_UPDATE(h->seal_handle, message, output);

tests/ntlmssptest.c

@@ -1730,100 +1730,80 @@ int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal, bool use_cs)
 
     gss_release_buffer(&retmin, &srv_token);
 
-    if (no_seal) {
-        retmaj = gssntlm_wrap(&retmin, cli_ctx, 1, 0, &message, NULL,
-                              &cli_token);
-        if ((retmaj != GSS_S_FAILURE) && (retmin != ENOTSUP)) {
-            fprintf(stderr, "WARN: gssntlm_wrap(cli) did not fail!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
-
-        retmaj = gssntlm_wrap(&retmin, srv_ctx, 1, 0, &message, NULL,
-                              &srv_token);
-        if ((retmaj != GSS_S_FAILURE) && (retmin != ENOTSUP)) {
-            fprintf(stderr, "WARN: gssntlm_wrap(srv) did not fail!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
-    } else {
-        retmaj = gssntlm_wrap(&retmin, cli_ctx, 1, 0, &message, &conf_state,
-                              &cli_token);
-        if (retmaj != GSS_S_COMPLETE) {
-            print_gss_error("gssntlm_wrap(cli) failed!",
-                            retmaj, retmin);
-            ret = EINVAL;
-            goto done;
-        }
-        if (conf_state == 0) {
-            fprintf(stderr, "WARN: gssntlm_wrap(cli) gave 0 conf_state!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
-
-        retmaj = gssntlm_unwrap(&retmin, srv_ctx,
-                                &cli_token, &srv_token, &conf_state, NULL);
-        if (retmaj != GSS_S_COMPLETE) {
-            print_gss_error("gssntlm_unwrap(srv) failed!",
-                            retmaj, retmin);
-            ret = EINVAL;
-            goto done;
-        }
-        if (conf_state == 0) {
-            fprintf(stderr, "WARN: gssntlm_wrap(srv) gave 0 conf_state!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
+    retmaj = gssntlm_wrap(&retmin, cli_ctx, 1, 0, &message, &conf_state,
+                          &cli_token);
+    if (retmaj != GSS_S_COMPLETE) {
+        print_gss_error("gssntlm_wrap(cli) failed!",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
+    }
+    if (conf_state == 0) {
+        fprintf(stderr, "WARN: gssntlm_wrap(cli) gave 0 conf_state!\n");
+        fflush(stderr);
+        ret = EINVAL;
+        goto done;
+    }
 
-        gss_release_buffer(&retmin, &cli_token);
-        gss_release_buffer(&retmin, &srv_token);
+    retmaj = gssntlm_unwrap(&retmin, srv_ctx,
+                            &cli_token, &srv_token, &conf_state, NULL);
+    if (retmaj != GSS_S_COMPLETE) {
+        print_gss_error("gssntlm_unwrap(srv) failed!",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
+    }
+    if (!no_seal && conf_state == 0) {
+        fprintf(stderr, "WARN: gssntlm_wrap(srv) gave 0 conf_state!\n");
+        fflush(stderr);
+        ret = EINVAL;
+        goto done;
+    }
 
-        retmaj = gssntlm_wrap(&retmin, srv_ctx, 1, 0, &message, &conf_state,
-                              &srv_token);
-        if (retmaj != GSS_S_COMPLETE) {
-            print_gss_error("gssntlm_wrap(srv) failed!",
-                            retmaj, retmin);
-            ret = EINVAL;
-            goto done;
-        }
-        if (conf_state == 0) {
-            fprintf(stderr, "WARN: gssntlm_wrap(srv) gave 0 conf_state!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
+    gss_release_buffer(&retmin, &cli_token);
+    gss_release_buffer(&retmin, &srv_token);
 
-        retmaj = gssntlm_unwrap(&retmin, cli_ctx,
-                                &srv_token, &cli_token, &conf_state, NULL);
-        if (retmaj != GSS_S_COMPLETE) {
-            print_gss_error("gssntlm_unwrap(cli) failed!",
-                            retmaj, retmin);
-            ret = EINVAL;
-            goto done;
-        }
-        if (conf_state == 0) {
-            fprintf(stderr, "WARN: gssntlm_wrap(cli) gave 0 conf_state!\n");
-            fflush(stderr);
-            ret = EINVAL;
-            goto done;
-        }
+    retmaj = gssntlm_wrap(&retmin, srv_ctx, 1, 0, &message, &conf_state,
+                          &srv_token);
+    if (retmaj != GSS_S_COMPLETE) {
+        print_gss_error("gssntlm_wrap(srv) failed!",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
+    }
+    if (conf_state == 0) {
+        fprintf(stderr, "WARN: gssntlm_wrap(srv) gave 0 conf_state!\n");
+        fflush(stderr);
+        ret = EINVAL;
+        goto done;
+    }
 
-        if (memcmp(message.value, cli_token.value, cli_token.length) != 0) {
-            print_gss_error("sealing and unsealing failed to return the "
-                            "same result",
-                            retmaj, retmin);
-            ret = EINVAL;
-            goto done;
-        }
+    retmaj = gssntlm_unwrap(&retmin, cli_ctx,
+                            &srv_token, &cli_token, &conf_state, NULL);
+    if (retmaj != GSS_S_COMPLETE) {
+        print_gss_error("gssntlm_unwrap(cli) failed!",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
+    }
+    if (!no_seal && conf_state == 0) {
+        fprintf(stderr, "WARN: gssntlm_wrap(cli) gave 0 conf_state!\n");
+        fflush(stderr);
+        ret = EINVAL;
+        goto done;
+    }
 
-        gss_release_buffer(&retmin, &cli_token);
-        gss_release_buffer(&retmin, &srv_token);
+    if (memcmp(message.value, cli_token.value, cli_token.length) != 0) {
+        print_gss_error("sealing and unsealing failed to return the "
+                        "same result",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
     }
 
+    gss_release_buffer(&retmin, &cli_token);
+    gss_release_buffer(&retmin, &srv_token);
+
     gssntlm_release_name(&retmin, &gss_username);
     gssntlm_release_name(&retmin, &gss_srvname);