Refine LM compatibility level logic

Fix a bug with level 4 not allowing NTLMv2
Rename the V2 flag to give the right meaning.

Fix LM Challenger Response geneation, I realized the artifical
NoLMResponseNTLMv1 boolean in MS-NLMP documents just refers to
compatibility level 2 where NTLMv1 is used but LM is not.

Add one call to check for v2 usage helper instead of doing raw checks
on ctx flags outside of gss_ntlmssp.c Contextually make flags private,
to gss_ntlmssp.c so helpers must be used.

Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/gss_auth.c

@@ -41,7 +41,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status,
             lm_chal_resp.data[0] = 0;
             lm_chal_resp.length = 1;
 
-        } else if (ctx->sec_req & SEC_V2_ONLY) {
+        } else if (gssntlm_sec_v2_ok(ctx)) {
 
             /* ### NTLMv2 ### */
             uint8_t client_chal[8];
@@ -159,7 +159,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status,
             uint8_t client_chal[8];
             struct ntlm_buffer cli_chal = { client_chal, 8 };
             struct ntlm_key session_base_key = { .length = 16 };
-            bool NoLMResponseNTLMv1 = true; /* FIXME: get from conf/env */
+            bool NoLMResponseNTLMv1 = !gssntlm_sec_lm_ok(ctx);
             bool ext_sec;
 
             nt_chal_resp.length = 24;

src/gss_ntlmssp.c

@@ -23,6 +23,17 @@
 #include "gssapi_ntlmssp.h"
 #include "gss_ntlmssp.h"
 
+#define SEC_LEVEL_MIN 0
+#define SEC_LEVEL_MAX 5
+
+#define SEC_LM_OK 0x01
+#define SEC_NTLM_OK 0x02
+#define SEC_EXT_SEC_OK 0x04
+#define SEC_V2_OK 0x08
+#define SEC_DC_LM_OK 0x10
+#define SEC_DC_NTLM_OK 0x20
+#define SEC_DC_V2_OK 0x40
+
 const gss_OID_desc gssntlm_oid = {
     .length = GSS_NTLMSSP_OID_LENGTH,
     .elements = discard_const(GSS_NTLMSSP_OID_STRING)
@@ -46,15 +57,15 @@ uint8_t gssntlm_required_security(int security_level, struct gssntlm_ctx *ctx)
         resp |= SEC_NTLM_OK | SEC_EXT_SEC_OK;
         break;
     case 3:
-        resp |= SEC_V2_ONLY | SEC_EXT_SEC_OK;
+        resp |= SEC_V2_OK | SEC_EXT_SEC_OK;
         break;
     case 4:
-        resp |= SEC_NTLM_OK | SEC_EXT_SEC_OK;
         if (ctx->role == GSSNTLM_DOMAIN_CONTROLLER) resp &= ~SEC_DC_LM_OK;
+        resp |= SEC_V2_OK | SEC_EXT_SEC_OK;
         break;
     case 5:
         if (ctx->role == GSSNTLM_DOMAIN_CONTROLLER) resp = SEC_DC_V2_OK;
-        resp |= SEC_V2_ONLY | SEC_EXT_SEC_OK;
+        resp |= SEC_V2_OK | SEC_EXT_SEC_OK;
         break;
     default:
         resp = 0xff;
@@ -135,6 +146,20 @@ bool gssntlm_sec_ntlm_ok(struct gssntlm_ctx *ctx)
     return false;
 }
 
+bool gssntlm_sec_v2_ok(struct gssntlm_ctx *ctx)
+{
+    switch (ctx->role) {
+    case GSSNTLM_CLIENT:
+    case GSSNTLM_SERVER:
+        return (ctx->sec_req & SEC_V2_OK);
+    case GSSNTLM_DOMAIN_SERVER:
+        return true; /* defer decision to DC */
+    case GSSNTLM_DOMAIN_CONTROLLER:
+        return (ctx->sec_req & SEC_DC_V2_OK);
+    }
+    return false;
+}
+
 bool gssntlm_ext_sec_ok(struct gssntlm_ctx *ctx)
 {
     return (ctx->sec_req & SEC_EXT_SEC_OK);

src/gss_ntlmssp.h

@@ -26,17 +26,6 @@
 #define DEF_NB_DOMAIN "WORKSTATION"
 #define MAX_CHALRESP_LIFETIME 36 * 60 * 60 /* 36 hours in seconds */
 
-#define SEC_LEVEL_MIN 0
-#define SEC_LEVEL_MAX 5
-
-#define SEC_LM_OK 0x01
-#define SEC_NTLM_OK 0x02
-#define SEC_EXT_SEC_OK 0x04
-#define SEC_V2_ONLY 0x08
-#define SEC_DC_LM_OK 0x10
-#define SEC_DC_NTLM_OK 0x20
-#define SEC_DC_V2_OK 0x40
-
 #define NTLMSSP_DEFAULT_CLIENT_FLAGS ( \
                 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | \
                 NTLMSSP_NEGOTIATE_128 | \
@@ -182,6 +171,7 @@ bool gssntlm_role_is_domain_member(struct gssntlm_ctx *ctx);
 
 bool gssntlm_sec_lm_ok(struct gssntlm_ctx *ctx);
 bool gssntlm_sec_ntlm_ok(struct gssntlm_ctx *ctx);
+bool gssntlm_sec_v2_ok(struct gssntlm_ctx *ctx);
 bool gssntlm_ext_sec_ok(struct gssntlm_ctx *ctx);
 
 uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx,