summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-09-11 11:19:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:38:04 -0500
commit5edbeca14108a9b2c3badafce0b0b3447a8280f6 (patch)
tree55129f66d1eff5ab537fea11c0be494be6f08230 /source4
parentcfdcc32f8480e538246ca1771e58e9a4835f22b6 (diff)
downloadsamba-5edbeca14108a9b2c3badafce0b0b3447a8280f6.tar.gz
samba-5edbeca14108a9b2c3badafce0b0b3447a8280f6.tar.bz2
samba-5edbeca14108a9b2c3badafce0b0b3447a8280f6.zip
r10153: This patch adds a new parameter to gensec_sig_size(), the size of the
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec.c4
-rw-r--r--source4/auth/gensec/gensec.h2
-rw-r--r--source4/auth/gensec/gensec_gssapi.c55
-rw-r--r--source4/auth/gensec/schannel.c2
-rw-r--r--source4/auth/gensec/spnego.c4
-rw-r--r--source4/auth/ntlmssp/ntlmssp_sign.c2
-rw-r--r--source4/heimdal/lib/gssapi/arcfour.c31
-rw-r--r--source4/heimdal/lib/gssapi/arcfour.h9
-rwxr-xr-xsource4/heimdal/lib/gssapi/cfx.c34
-rwxr-xr-xsource4/heimdal/lib/gssapi/cfx.h5
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h9
-rw-r--r--source4/heimdal/lib/gssapi/wrap.c95
-rw-r--r--source4/librpc/rpc/dcerpc.c13
-rw-r--r--source4/rpc_server/dcesrv_auth.c7
14 files changed, 224 insertions, 48 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 87c60da84f..f0256b9668 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -559,7 +559,7 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
-size_t gensec_sig_size(struct gensec_security *gensec_security)
+size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
if (!gensec_security->ops->sig_size) {
return 0;
@@ -568,7 +568,7 @@ size_t gensec_sig_size(struct gensec_security *gensec_security)
return 0;
}
- return gensec_security->ops->sig_size(gensec_security);
+ return gensec_security->ops->sig_size(gensec_security, data_size);
}
NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index f55e5354ad..4ff09d2066 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -73,7 +73,7 @@ struct gensec_security_ops {
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig);
- size_t (*sig_size)(struct gensec_security *gensec_security);
+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c3f7c52085..69f219fe07 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -480,10 +480,38 @@ static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
-static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security)
+static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
- /* not const but work for DCERPC packets and arcfour */
- return 45;
+ struct gensec_gssapi_state *gensec_gssapi_state = gensec_security->private_data;
+ OM_uint32 maj_stat, min_stat;
+ OM_uint32 output_size;
+ if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
+ || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
+ gensec_gssapi_state->gss_oid->length) != 0)) {
+ DEBUG(1, ("NO sig size available for this mech\n"));
+ return 0;
+ }
+
+ maj_stat = gsskrb5_wrap_size(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
+ GSS_C_QOP_DEFAULT,
+ data_size,
+ &output_size);
+ if (GSS_ERROR(maj_stat)) {
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ DEBUG(1, ("gensec_gssapi_seal_packet: determinaing signature size with gss_wrap_size_limit failed: %s\n",
+ gssapi_error_string(mem_ctx, maj_stat, min_stat)));
+ talloc_free(mem_ctx);
+ return 0;
+ }
+
+ if (output_size < data_size) {
+ return 0;
+ }
+
+ /* The difference between the max output and the max input must be the signature */
+ return output_size - data_size;
}
static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security,
@@ -496,7 +524,7 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
OM_uint32 maj_stat, min_stat;
gss_buffer_desc input_token, output_token;
int conf_state;
- ssize_t sig_length = 0;
+ ssize_t sig_length;
input_token.length = length;
input_token.value = data;
@@ -514,12 +542,15 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
return NT_STATUS_ACCESS_DENIED;
}
- if (output_token.length < length) {
+ sig_length = gensec_gssapi_sig_size(gensec_security, length);
+
+ /* Caller must pad to right boundary */
+ if (output_token.length != (length + sig_length)) {
+ DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%d] does not match caller length [%d] plus sig size [%d] = [%d]\n",
+ output_token.length, length, sig_length, length + sig_length));
return NT_STATUS_INTERNAL_ERROR;
}
- sig_length = 45;
-
memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
@@ -618,9 +649,15 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit
return NT_STATUS_INTERNAL_ERROR;
}
- sig_length = 45;
+ sig_length = gensec_gssapi_sig_size(gensec_security, length);
+
+ /* Caller must pad to right boundary */
+ if (output_token.length != (length + sig_length)) {
+ DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%d] does not match caller length [%d] plus sig size [%d] = [%d]\n",
+ output_token.length, length, sig_length, length + sig_length));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
- /*memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);*/
*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index fc961d8eaa..a4561ee996 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -26,7 +26,7 @@
#include "auth/auth.h"
#include "auth/gensec/schannel.h"
-static size_t schannel_sig_size(struct gensec_security *gensec_security)
+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
return 32;
}
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 3efbf65a3d..133530833b 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -198,7 +198,7 @@ static NTSTATUS gensec_spnego_unwrap(struct gensec_security *gensec_security,
mem_ctx, in, out);
}
-static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security)
+static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
struct spnego_state *spnego_state = gensec_security->private_data;
@@ -207,7 +207,7 @@ static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security)
return 0;
}
- return gensec_sig_size(spnego_state->sub_sec_security);
+ return gensec_sig_size(spnego_state->sub_sec_security, data_size);
}
static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security,
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 8f6c94463c..41075cd25b 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -431,7 +431,7 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
return NT_STATUS_OK;
}
-size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security)
+size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
return NTLMSSP_SIG_SIZE;
}
diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c
index 5edcee08ec..52bb2ecf1b 100644
--- a/source4/heimdal/lib/gssapi/arcfour.c
+++ b/source4/heimdal/lib/gssapi/arcfour.c
@@ -326,6 +326,37 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
}
OM_uint32
+_gssapi_wrap_size_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_input_size,
+ OM_uint32 * output_size,
+ OM_uint32 * padlen,
+ krb5_keyblock *key)
+{
+ size_t len, total_len, datalen;
+ *padlen = 0;
+ datalen = req_input_size;
+ len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+ /* if GSS_C_DCE_STYLE is in use:
+ * - we only need to encapsulate the WRAP token
+ * - we should not add padding
+ */
+ if (!(context_handle->flags & GSS_C_DCE_STYLE)) {
+ datalen += 1 /* padding */;
+ len += datalen;
+ }
+ _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+ if (context_handle->flags & GSS_C_DCE_STYLE) {
+ total_len += datalen;
+ }
+
+ *output_size = total_len;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
diff --git a/source4/heimdal/lib/gssapi/arcfour.h b/source4/heimdal/lib/gssapi/arcfour.h
index 5acfcad29d..0406b64b09 100644
--- a/source4/heimdal/lib/gssapi/arcfour.h
+++ b/source4/heimdal/lib/gssapi/arcfour.h
@@ -70,5 +70,14 @@ OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
gss_qop_t *qop_state,
krb5_keyblock *key,
char *type);
+OM_uint32
+_gssapi_wrap_size_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_input_size,
+ OM_uint32 * output_size,
+ OM_uint32 * padlen,
+ krb5_keyblock *key);
#endif /* GSSAPI_ARCFOUR_H_ */
diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/cfx.c
index 75b6a8bcfa..1cc510d6fc 100755
--- a/source4/heimdal/lib/gssapi/cfx.c
+++ b/source4/heimdal/lib/gssapi/cfx.c
@@ -48,7 +48,8 @@ wrap_length_cfx(krb5_crypto crypto,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
- u_int16_t *padlength)
+ u_int16_t *padlength,
+ size_t *padsize)
{
krb5_error_code ret;
krb5_cksumtype type;
@@ -68,18 +69,17 @@ wrap_length_cfx(krb5_crypto crypto,
}
if (conf_req_flag) {
- size_t padsize;
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
- ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, &padsize);
+ ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, padsize);
if (ret) {
return ret;
}
if (padsize > 1) {
/* XXX check this */
- *padlength = padsize - (input_length % padsize);
+ *padlength = *padsize - (input_length % *padsize);
}
/* We add the pad ourselves (noted here for completeness only) */
@@ -90,6 +90,7 @@ wrap_length_cfx(krb5_crypto crypto,
} else {
/* Checksum is concatenated with data */
*output_length += input_length + *cksumsize;
+ *padsize = 0;
}
assert(*output_length > input_length);
@@ -101,13 +102,15 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
- OM_uint32 req_output_size,
- OM_uint32 *max_input_size,
+ OM_uint32 req_input_size,
+ OM_uint32 *output_len,
+ OM_uint32 *padsize,
krb5_keyblock *key)
{
krb5_error_code ret;
krb5_crypto crypto;
- u_int16_t padlength;
+ u_int16_t pad_length;
+ size_t pad_size;
size_t output_length, cksumsize;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
@@ -118,8 +121,8 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
}
ret = wrap_length_cfx(crypto, conf_req_flag,
- req_output_size,
- &output_length, &cksumsize, &padlength);
+ req_input_size,
+ &output_length, &cksumsize, &pad_length, &pad_size);
if (ret != 0) {
gssapi_krb5_set_error_string();
*minor_status = ret;
@@ -127,13 +130,8 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- if (output_length < req_output_size) {
- *max_input_size = (req_output_size - output_length);
- *max_input_size -= padlength;
- } else {
- /* Should this return an error? */
- *max_input_size = 0;
- }
+ *output_len = output_length;
+ *padsize = pad_size;
krb5_crypto_destroy(gssapi_krb5_context, crypto);
@@ -201,7 +199,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
krb5_data cipher;
size_t wrapped_len, cksumsize;
u_int16_t padlength, rrc = 0;
- OM_uint32 seq_number;
+ OM_uint32 seq_number, padsize;
u_char *p;
ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
@@ -213,7 +211,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = wrap_length_cfx(crypto, conf_req_flag,
input_message_buffer->length,
- &wrapped_len, &cksumsize, &padlength);
+ &wrapped_len, &cksumsize, &padlength, &padsize);
if (ret != 0) {
gssapi_krb5_set_error_string();
*minor_status = ret;
diff --git a/source4/heimdal/lib/gssapi/cfx.h b/source4/heimdal/lib/gssapi/cfx.h
index a587cb9d97..d9bdd9da19 100755
--- a/source4/heimdal/lib/gssapi/cfx.h
+++ b/source4/heimdal/lib/gssapi/cfx.h
@@ -66,8 +66,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
- OM_uint32 req_output_size,
- OM_uint32 *max_input_size,
+ OM_uint32 req_input_size,
+ OM_uint32 *output_len,
+ OM_uint32 *padlen,
krb5_keyblock *key);
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index 4ee988b020..4bf6780daa 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -628,6 +628,15 @@ OM_uint32 gss_inquire_context (
int * /*open_context*/
);
+OM_uint32 gsskrb5_wrap_size (
+ OM_uint32 * /*minor_status*/,
+ const gss_ctx_id_t /*context_handle*/,
+ int /*conf_req_flag*/,
+ gss_qop_t /*qop_req*/,
+ OM_uint32 /*req_input_size*/,
+ OM_uint32 * /*output_size*/
+ );
+
OM_uint32 gss_wrap_size_limit (
OM_uint32 * /*minor_status*/,
const gss_ctx_id_t /*context_handle*/,
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c
index bdb09e633b..50249d2d7f 100644
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -120,7 +120,7 @@ gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
}
static OM_uint32
-sub_wrap_size (
+sub_wrap_size_limit (
OM_uint32 req_output_size,
OM_uint32 * max_input_size,
int blocksize,
@@ -156,6 +156,8 @@ gss_wrap_size_limit (
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
+ OM_uint32 output_size;
+ OM_uint32 blocksize;
ret = gss_krb5_get_subkey(context_handle, &key);
if (ret) {
@@ -167,17 +169,102 @@ gss_wrap_size_limit (
switch (keytype) {
case KEYTYPE_DES :
+ ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 22);
+ break;
+ case KEYTYPE_DES3 :
+ ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 34);
+ break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
- ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+ ret = _gssapi_wrap_size_arcfour(minor_status, context_handle,
+ conf_req_flag, qop_req,
+ req_output_size, &output_size,
+ &blocksize, key);
+
+ if (output_size > req_output_size) {
+ *max_input_size = req_output_size - (output_size - req_output_size);
+ (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
+ } else {
+ *max_input_size = 0;
+ }
+ break;
+ default :
+ ret = _gssapi_wrap_size_cfx(minor_status, context_handle,
+ conf_req_flag, qop_req,
+ req_output_size, &output_size,
+ &blocksize, key);
+ if (output_size > req_output_size) {
+ *max_input_size = req_output_size - (output_size - req_output_size);
+ (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
+ } else {
+ *max_input_size = 0;
+ }
+ break;
+ }
+ krb5_free_keyblock (gssapi_krb5_context, key);
+ *minor_status = 0;
+ return ret;
+}
+
+static OM_uint32
+sub_wrap_size (
+ OM_uint32 req_input_size,
+ OM_uint32 * output_size,
+ int blocksize,
+ int extrasize
+ )
+{
+ size_t len, total_len, padlength, datalen;
+
+ padlength = blocksize - (req_input_size % blocksize);
+ datalen = req_input_size + padlength + 8;
+ len = datalen + extrasize;
+ gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+ *output_size = total_len;
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gsskrb5_wrap_size (
+ OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ OM_uint32 req_input_size,
+ OM_uint32 * output_size
+ )
+{
+ krb5_keyblock *key;
+ OM_uint32 ret, padlen;
+ krb5_keytype keytype;
+
+ ret = gss_krb5_get_subkey(context_handle, &key);
+ if (ret) {
+ gssapi_krb5_set_error_string ();
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+ krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+ switch (keytype) {
+ case KEYTYPE_DES :
+ ret = sub_wrap_size(req_input_size, output_size, 8, 22);
break;
case KEYTYPE_DES3 :
- ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
+ ret = sub_wrap_size(req_input_size, output_size, 8, 34);
+ break;
+ case KEYTYPE_ARCFOUR:
+ case KEYTYPE_ARCFOUR_56:
+ ret = _gssapi_wrap_size_arcfour(minor_status, context_handle,
+ conf_req_flag, qop_req,
+ req_input_size, output_size, &padlen, key);
break;
default :
ret = _gssapi_wrap_size_cfx(minor_status, context_handle,
conf_req_flag, qop_req,
- req_output_size, max_input_size, key);
+ req_input_size, output_size, &padlen, key);
break;
}
krb5_free_keyblock (gssapi_krb5_context, key);
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 3d0176845b..352972b0b7 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -369,6 +369,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
NTSTATUS status;
struct ndr_push *ndr;
DATA_BLOB creds2;
+ size_t payload_length;
/* non-signed packets are simpler */
if (!c->security_state.auth_info ||
@@ -400,12 +401,16 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
(16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length);
+ payload_length = pkt->u.request.stub_and_verifier.length +
+ c->security_state.auth_info->auth_pad_length;
+
/* sign or seal the packet */
switch (c->security_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
c->security_state.auth_info->credentials
- = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state));
+ = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state,
+ payload_length));
data_blob_clear(&c->security_state.auth_info->credentials);
break;
@@ -447,8 +452,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
status = gensec_seal_packet(c->security_state.generic_state,
mem_ctx,
blob->data + DCERPC_REQUEST_LENGTH,
- pkt->u.request.stub_and_verifier.length +
- c->security_state.auth_info->auth_pad_length,
+ payload_length,
blob->data,
blob->length -
c->security_state.auth_info->credentials.length,
@@ -463,8 +467,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
status = gensec_sign_packet(c->security_state.generic_state,
mem_ctx,
blob->data + DCERPC_REQUEST_LENGTH,
- pkt->u.request.stub_and_verifier.length +
- c->security_state.auth_info->auth_pad_length,
+ payload_length,
blob->data,
blob->length -
c->security_state.auth_info->credentials.length,
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c8feec11bd..a2ba709f56 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -394,8 +394,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
return False;
}
- /* pad to 8 byte multiple */
- dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
+ /* pad to 16 byte multiple, match win2k3 */
+ dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16);
ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
@@ -409,7 +409,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
} else {
dce_conn->auth_state.auth_info->credentials
= data_blob_talloc(call, NULL,
- gensec_sig_size(dce_conn->auth_state.gensec_security));
+ gensec_sig_size(dce_conn->auth_state.gensec_security,
+ payload_length));
}
/* add the auth verifier */