r10153: This patch adds a new parameter to gensec_sig_size(), the size of the

data to be signed/sealed.  We can use this to split the data from the
signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)

1 files changed, 4 insertions, 3 deletions

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c8feec11bd..a2ba709f56 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -394,8 +394,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 		return False;
 	}
 
-	/* pad to 8 byte multiple */
-	dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
+	/* pad to 16 byte multiple, match win2k3 */
+	dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16);
 	ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
 
 	payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
@@ -409,7 +409,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 	} else {
 		dce_conn->auth_state.auth_info->credentials
 			= data_blob_talloc(call, NULL, 
-					   gensec_sig_size(dce_conn->auth_state.gensec_security));
+					   gensec_sig_size(dce_conn->auth_state.gensec_security, 
+							   payload_length));
 	}
 
 	/* add the auth verifier */