diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-05-25 14:06:28 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:56:14 -0500 |
| commit | 5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3 (patch) | |
| tree | 78f843cb6a9ff745f9ac5ef35de53bccbf1ccbd8 /source4/rpc_server/dcesrv_auth.c | |
| parent | 579c13da43d5b40ac6d6c1436399fbc1d8dfd054 (diff) | |
| download | samba-5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3.tar.gz samba-5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3.tar.bz2 samba-5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3.zip | |
r874: This patch is a pile of work on NTLMSSP:
Samba's NTLMSSP code is now fully talloc based, which should go a long
way to cleaning up the memory leaks in this code. This also avoids a
lot of extra copies of data, as we now allocate the 'return' blobs on
a caller-supplied context.
I have also been doing a lot of work towards NTLM2 signing and
sealing. I have this working for sealing, but not for the verifier
(MD5 integrity check on the stream) which is still incorrect.
(I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the
data arrives intact, but the signature check fails. It does however
match the test values I have...).
The new torture test is cludged in - when we get a unit test suite
back, I'll happliy put it in the 'right' place....
Andrew Bartlett
(This used to be commit 399e2e2b1149b8d1c070aa7f0d5131c0b577d2b9)
Diffstat (limited to 'source4/rpc_server/dcesrv_auth.c')
| -rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a117f08445..48792180c6 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -66,6 +66,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("Failed to start NTLMSSP subsystem!\n")); return False; } @@ -85,10 +86,12 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status))); return False; } @@ -131,20 +134,14 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { + DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status))); return False; } - switch (dce_conn->auth_state.auth_info->auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* setup for signing */ - status = ntlmssp_sign_init(dce_conn->auth_state.ntlmssp_state->ntlmssp_state); - break; - } - return True; } @@ -197,6 +194,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -204,6 +202,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -262,6 +261,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); @@ -269,6 +269,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); |