r874: This patch is a pile of work on NTLMSSP:

Samba's NTLMSSP code is now fully talloc based, which should go a long
way to cleaning up the memory leaks in this code.  This also avoids a
lot of extra copies of data, as we now allocate the 'return' blobs on
a caller-supplied context.

I have also been doing a lot of work towards NTLM2 signing and
sealing.  I have this working for sealing, but not for the verifier
(MD5 integrity check on the stream) which is still incorrect.

(I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the
data arrives intact, but the signature check fails.  It does however
match the test values I have...).

The new torture test is cludged in - when we get a unit test suite
back, I'll happliy put it in the 'right' place....

Andrew Bartlett
(This used to be commit 399e2e2b1149b8d1c070aa7f0d5131c0b577d2b9)

5 files changed, 45 insertions, 34 deletions

diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 2e3049ac78..6d81a4cb6f 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -499,7 +499,15 @@
 
 
 	/* Function:    0x2d */
-	NTSTATUS UNK_GET_CONNUSER ();
+	NTSTATUS UNK_GET_CONNUSER (
+		[in]  unistr *system_name,
+		[in]  uint32 unknown1,
+		[in]  uint32 unknown2,
+		[in]  uint32 unknown3,
+		[out] unistr *username,
+		[out] unistr *domain_name
+		);
+
 	/* Function:          0x2e */
 	NTSTATUS QUERYINFO2 ();
 }
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 21340e4f63..e4c5174af3 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -183,6 +183,7 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
 	switch (p->auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = p->security_state->unseal_packet(p->security_state, 
+							  mem_ctx, 
 							  pkt->u.response.stub_and_verifier.data, 
 							  pkt->u.response.stub_and_verifier.length, 
 							  &auth.credentials);
@@ -190,6 +191,7 @@ static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
 		status = p->security_state->check_packet(p->security_state, 
+							 mem_ctx, 
 							 pkt->u.response.stub_and_verifier.data, 
 							 pkt->u.response.stub_and_verifier.length, 
 							 &auth.credentials);
@@ -250,6 +252,7 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
 	switch (p->auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = p->security_state->seal_packet(p->security_state, 
+							mem_ctx, 
 							ndr->data + DCERPC_REQUEST_LENGTH, 
 							ndr->offset - DCERPC_REQUEST_LENGTH,
 							&p->auth_info->credentials);
@@ -257,6 +260,7 @@ static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
 		status = p->security_state->sign_packet(p->security_state, 
+							mem_ctx, 
 							ndr->data + DCERPC_REQUEST_LENGTH, 
 							ndr->offset - DCERPC_REQUEST_LENGTH,
 							&p->auth_info->credentials);
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 5c7f01c658..25c2029f34 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -28,12 +28,16 @@ enum dcerpc_transport_t {NCACN_NP, NCACN_IP_TCP};
 struct dcerpc_security {
 	void *private;
 	NTSTATUS (*unseal_packet)(struct dcerpc_security *, 
+				  TALLOC_CTX *mem_ctx, 
 				  uchar *data, size_t length, DATA_BLOB *sig);
 	NTSTATUS (*check_packet)(struct dcerpc_security *, 
+				 TALLOC_CTX *mem_ctx, 
 				 const uchar *data, size_t length, const DATA_BLOB *sig);
 	NTSTATUS (*seal_packet)(struct dcerpc_security *, 
-				 uchar *data, size_t length, DATA_BLOB *sig);
+				TALLOC_CTX *mem_ctx, 
+				uchar *data, size_t length, DATA_BLOB *sig);
 	NTSTATUS (*sign_packet)(struct dcerpc_security *, 
+				TALLOC_CTX *mem_ctx, 
 				const uchar *data, size_t length, DATA_BLOB *sig);
 	NTSTATUS (*session_key)(struct dcerpc_security *, DATA_BLOB *session_key);
 	void (*security_end)(struct dcerpc_security *);
diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c
index fa4232c94a..1a216e9885 100644
--- a/source4/librpc/rpc/dcerpc_ntlm.c
+++ b/source4/librpc/rpc/dcerpc_ntlm.c
@@ -26,34 +26,38 @@
   wrappers for the ntlmssp_*() functions
 */
 static NTSTATUS ntlm_unseal_packet(struct dcerpc_security *dcerpc_security, 
-				  uchar *data, size_t length, DATA_BLOB *sig)
+				   TALLOC_CTX *mem_ctx, 
+				   uchar *data, size_t length, DATA_BLOB *sig)
 {
 	struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
-	return ntlmssp_unseal_packet(ntlmssp_state, data, length, sig);
+	return ntlmssp_unseal_packet(ntlmssp_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS ntlm_check_packet(struct dcerpc_security *dcerpc_security, 
+				  TALLOC_CTX *mem_ctx, 
 				  const uchar *data, size_t length, 
 				  const DATA_BLOB *sig)
 {
 	struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
-	return ntlmssp_check_packet(ntlmssp_state, data, length, sig);
+	return ntlmssp_check_packet(ntlmssp_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS ntlm_seal_packet(struct dcerpc_security *dcerpc_security, 
+				 TALLOC_CTX *mem_ctx, 
 				 uchar *data, size_t length, 
 				 DATA_BLOB *sig)
 {
 	struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
-	return ntlmssp_seal_packet(ntlmssp_state, data, length, sig);
+	return ntlmssp_seal_packet(ntlmssp_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS ntlm_sign_packet(struct dcerpc_security *dcerpc_security, 
+				 TALLOC_CTX *mem_ctx, 
 				 const uchar *data, size_t length, 
 				 DATA_BLOB *sig)
 {
 	struct ntlmssp_state *ntlmssp_state = dcerpc_security->private;
-	return ntlmssp_sign_packet(ntlmssp_state, data, length, sig);
+	return ntlmssp_sign_packet(ntlmssp_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS ntlm_session_key(struct dcerpc_security *dcerpc_security, 
@@ -137,35 +141,30 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
 	p->auth_info->credentials = data_blob(NULL, 0);
 	p->security_state = NULL;
 
-	status = ntlmssp_update(state, 
+	status = ntlmssp_update(state, mem_ctx,
 				p->auth_info->credentials,
 				&credentials);
+
 	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		goto done;
 	}
 
-	p->auth_info->credentials = data_blob_talloc(mem_ctx, 
-						     credentials.data, 
-						     credentials.length);
-	data_blob_free(&credentials);
+	p->auth_info->credentials = credentials;
 
 	status = dcerpc_bind_byuuid(p, mem_ctx, uuid, version);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-
-	status = ntlmssp_update(state, 
+	status = ntlmssp_update(state, mem_ctx,
 				p->auth_info->credentials, 
 				&credentials);
+
 	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		goto done;
 	}
 
-	p->auth_info->credentials = data_blob_talloc(mem_ctx, 
-						     credentials.data, 
-						     credentials.length);
-	data_blob_free(&credentials);
+	p->auth_info->credentials = credentials;
 
 	status = dcerpc_auth3(p, mem_ctx);
 
@@ -187,14 +186,6 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
 	p->security_state->session_key = ntlm_session_key;
 	p->security_state->security_end = ntlm_security_end;
 
-	switch (p->auth_info->auth_level) {
-	case DCERPC_AUTH_LEVEL_PRIVACY:
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
-		/* setup for signing */
-		status = ntlmssp_sign_init(state);
-		break;
-	}
-
 done:
 	talloc_destroy(mem_ctx);
 
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index a88d3c1b3e..f368ce30b3 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -26,34 +26,38 @@
   wrappers for the schannel_*() functions
 */
 static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security, 
-				  uchar *data, size_t length, DATA_BLOB *sig)
+				    TALLOC_CTX *mem_ctx, 
+				    uchar *data, size_t length, DATA_BLOB *sig)
 {
 	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_unseal_packet(schannel_state, data, length, sig);
+	return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security, 
-				  const uchar *data, size_t length, 
-				  const DATA_BLOB *sig)
+				   TALLOC_CTX *mem_ctx, 
+				   const uchar *data, size_t length, 
+				   const DATA_BLOB *sig)
 {
 	struct schannel_state *schannel_state = dcerpc_security->private;
 	return schannel_check_packet(schannel_state, data, length, sig);
 }
 
 static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security, 
-				 uchar *data, size_t length, 
-				 DATA_BLOB *sig)
+				  TALLOC_CTX *mem_ctx, 
+				  uchar *data, size_t length, 
+				  DATA_BLOB *sig)
 {
 	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_seal_packet(schannel_state, data, length, sig);
+	return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security, 
+				 TALLOC_CTX *mem_ctx, 
 				 const uchar *data, size_t length, 
 				 DATA_BLOB *sig)
 {
 	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_sign_packet(schannel_state, data, length, sig);
+	return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
 }
 
 static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,