diff options
| -rw-r--r-- | source4/auth/gensec/gensec.c | 4 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec.h | 2 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 55 | ||||
| -rw-r--r-- | source4/auth/gensec/schannel.c | 2 | ||||
| -rw-r--r-- | source4/auth/gensec/spnego.c | 4 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp_sign.c | 2 | ||||
| -rw-r--r-- | source4/heimdal/lib/gssapi/arcfour.c | 31 | ||||
| -rw-r--r-- | source4/heimdal/lib/gssapi/arcfour.h | 9 | ||||
| -rwxr-xr-x | source4/heimdal/lib/gssapi/cfx.c | 34 | ||||
| -rwxr-xr-x | source4/heimdal/lib/gssapi/cfx.h | 5 | ||||
| -rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 9 | ||||
| -rw-r--r-- | source4/heimdal/lib/gssapi/wrap.c | 95 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc.c | 13 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 7 |
14 files changed, 224 insertions, 48 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 87c60da84f..f0256b9668 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -559,7 +559,7 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); } -size_t gensec_sig_size(struct gensec_security *gensec_security) +size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size) { if (!gensec_security->ops->sig_size) { return 0; @@ -568,7 +568,7 @@ size_t gensec_sig_size(struct gensec_security *gensec_security) return 0; } - return gensec_security->ops->sig_size(gensec_security); + return gensec_security->ops->sig_size(gensec_security, data_size); } NTSTATUS gensec_wrap(struct gensec_security *gensec_security, diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index f55e5354ad..4ff09d2066 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -73,7 +73,7 @@ struct gensec_security_ops { const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig); - size_t (*sig_size)(struct gensec_security *gensec_security); + size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index c3f7c52085..69f219fe07 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -480,10 +480,38 @@ static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, return NT_STATUS_OK; } -static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security) +static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size) { - /* not const but work for DCERPC packets and arcfour */ - return 45; + struct gensec_gssapi_state *gensec_gssapi_state = gensec_security->private_data; + OM_uint32 maj_stat, min_stat; + OM_uint32 output_size; + if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length) + || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, + gensec_gssapi_state->gss_oid->length) != 0)) { + DEBUG(1, ("NO sig size available for this mech\n")); + return 0; + } + + maj_stat = gsskrb5_wrap_size(&min_stat, + gensec_gssapi_state->gssapi_context, + gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), + GSS_C_QOP_DEFAULT, + data_size, + &output_size); + if (GSS_ERROR(maj_stat)) { + TALLOC_CTX *mem_ctx = talloc_new(NULL); + DEBUG(1, ("gensec_gssapi_seal_packet: determinaing signature size with gss_wrap_size_limit failed: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat))); + talloc_free(mem_ctx); + return 0; + } + + if (output_size < data_size) { + return 0; + } + + /* The difference between the max output and the max input must be the signature */ + return output_size - data_size; } static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security, @@ -496,7 +524,7 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit OM_uint32 maj_stat, min_stat; gss_buffer_desc input_token, output_token; int conf_state; - ssize_t sig_length = 0; + ssize_t sig_length; input_token.length = length; input_token.value = data; @@ -514,12 +542,15 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit return NT_STATUS_ACCESS_DENIED; } - if (output_token.length < length) { + sig_length = gensec_gssapi_sig_size(gensec_security, length); + + /* Caller must pad to right boundary */ + if (output_token.length != (length + sig_length)) { + DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%d] does not match caller length [%d] plus sig size [%d] = [%d]\n", + output_token.length, length, sig_length, length + sig_length)); return NT_STATUS_INTERNAL_ERROR; } - sig_length = 45; - memcpy(data, ((uint8_t *)output_token.value) + sig_length, length); *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length); @@ -618,9 +649,15 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit return NT_STATUS_INTERNAL_ERROR; } - sig_length = 45; + sig_length = gensec_gssapi_sig_size(gensec_security, length); + + /* Caller must pad to right boundary */ + if (output_token.length != (length + sig_length)) { + DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%d] does not match caller length [%d] plus sig size [%d] = [%d]\n", + output_token.length, length, sig_length, length + sig_length)); + return NT_STATUS_INTERNAL_ERROR; + } - /*memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);*/ *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length); dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index fc961d8eaa..a4561ee996 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -26,7 +26,7 @@ #include "auth/auth.h" #include "auth/gensec/schannel.h" -static size_t schannel_sig_size(struct gensec_security *gensec_security) +static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size) { return 32; } diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 3efbf65a3d..133530833b 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -198,7 +198,7 @@ static NTSTATUS gensec_spnego_unwrap(struct gensec_security *gensec_security, mem_ctx, in, out); } -static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security) +static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security, size_t data_size) { struct spnego_state *spnego_state = gensec_security->private_data; @@ -207,7 +207,7 @@ static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security) return 0; } - return gensec_sig_size(spnego_state->sub_sec_security); + return gensec_sig_size(spnego_state->sub_sec_security, data_size); } static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security, diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index 8f6c94463c..41075cd25b 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c +++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -431,7 +431,7 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) return NT_STATUS_OK; } -size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security) +size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) { return NTLMSSP_SIG_SIZE; } diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c index 5edcee08ec..52bb2ecf1b 100644 --- a/source4/heimdal/lib/gssapi/arcfour.c +++ b/source4/heimdal/lib/gssapi/arcfour.c @@ -326,6 +326,37 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, } OM_uint32 +_gssapi_wrap_size_arcfour(OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_input_size, + OM_uint32 * output_size, + OM_uint32 * padlen, + krb5_keyblock *key) +{ + size_t len, total_len, datalen; + *padlen = 0; + datalen = req_input_size; + len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; + /* if GSS_C_DCE_STYLE is in use: + * - we only need to encapsulate the WRAP token + * - we should not add padding + */ + if (!(context_handle->flags & GSS_C_DCE_STYLE)) { + datalen += 1 /* padding */; + len += datalen; + } + _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); + if (context_handle->flags & GSS_C_DCE_STYLE) { + total_len += datalen; + } + + *output_size = total_len; + return GSS_S_COMPLETE; +} + +OM_uint32 _gssapi_wrap_arcfour(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, diff --git a/source4/heimdal/lib/gssapi/arcfour.h b/source4/heimdal/lib/gssapi/arcfour.h index 5acfcad29d..0406b64b09 100644 --- a/source4/heimdal/lib/gssapi/arcfour.h +++ b/source4/heimdal/lib/gssapi/arcfour.h @@ -70,5 +70,14 @@ OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status, gss_qop_t *qop_state, krb5_keyblock *key, char *type); +OM_uint32 +_gssapi_wrap_size_arcfour(OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_input_size, + OM_uint32 * output_size, + OM_uint32 * padlen, + krb5_keyblock *key); #endif /* GSSAPI_ARCFOUR_H_ */ diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/cfx.c index 75b6a8bcfa..1cc510d6fc 100755 --- a/source4/heimdal/lib/gssapi/cfx.c +++ b/source4/heimdal/lib/gssapi/cfx.c @@ -48,7 +48,8 @@ wrap_length_cfx(krb5_crypto crypto, size_t input_length, size_t *output_length, size_t *cksumsize, - u_int16_t *padlength) + u_int16_t *padlength, + size_t *padsize) { krb5_error_code ret; krb5_cksumtype type; @@ -68,18 +69,17 @@ wrap_length_cfx(krb5_crypto crypto, } if (conf_req_flag) { - size_t padsize; /* Header is concatenated with data before encryption */ input_length += sizeof(gss_cfx_wrap_token_desc); - ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, &padsize); + ret = krb5_crypto_getpadsize(gssapi_krb5_context, crypto, padsize); if (ret) { return ret; } if (padsize > 1) { /* XXX check this */ - *padlength = padsize - (input_length % padsize); + *padlength = *padsize - (input_length % *padsize); } /* We add the pad ourselves (noted here for completeness only) */ @@ -90,6 +90,7 @@ wrap_length_cfx(krb5_crypto crypto, } else { /* Checksum is concatenated with data */ *output_length += input_length + *cksumsize; + *padsize = 0; } assert(*output_length > input_length); @@ -101,13 +102,15 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, + OM_uint32 req_input_size, + OM_uint32 *output_len, + OM_uint32 *padsize, krb5_keyblock *key) { krb5_error_code ret; krb5_crypto crypto; - u_int16_t padlength; + u_int16_t pad_length; + size_t pad_size; size_t output_length, cksumsize; ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); @@ -118,8 +121,8 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, } ret = wrap_length_cfx(crypto, conf_req_flag, - req_output_size, - &output_length, &cksumsize, &padlength); + req_input_size, + &output_length, &cksumsize, &pad_length, &pad_size); if (ret != 0) { gssapi_krb5_set_error_string(); *minor_status = ret; @@ -127,13 +130,8 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, return GSS_S_FAILURE; } - if (output_length < req_output_size) { - *max_input_size = (req_output_size - output_length); - *max_input_size -= padlength; - } else { - /* Should this return an error? */ - *max_input_size = 0; - } + *output_len = output_length; + *padsize = pad_size; krb5_crypto_destroy(gssapi_krb5_context, crypto); @@ -201,7 +199,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, krb5_data cipher; size_t wrapped_len, cksumsize; u_int16_t padlength, rrc = 0; - OM_uint32 seq_number; + OM_uint32 seq_number, padsize; u_char *p; ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); @@ -213,7 +211,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, ret = wrap_length_cfx(crypto, conf_req_flag, input_message_buffer->length, - &wrapped_len, &cksumsize, &padlength); + &wrapped_len, &cksumsize, &padlength, &padsize); if (ret != 0) { gssapi_krb5_set_error_string(); *minor_status = ret; diff --git a/source4/heimdal/lib/gssapi/cfx.h b/source4/heimdal/lib/gssapi/cfx.h index a587cb9d97..d9bdd9da19 100755 --- a/source4/heimdal/lib/gssapi/cfx.h +++ b/source4/heimdal/lib/gssapi/cfx.h @@ -66,8 +66,9 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, const gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size, + OM_uint32 req_input_size, + OM_uint32 *output_len, + OM_uint32 *padlen, krb5_keyblock *key); OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 4ee988b020..4bf6780daa 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -628,6 +628,15 @@ OM_uint32 gss_inquire_context ( int * /*open_context*/ ); +OM_uint32 gsskrb5_wrap_size ( + OM_uint32 * /*minor_status*/, + const gss_ctx_id_t /*context_handle*/, + int /*conf_req_flag*/, + gss_qop_t /*qop_req*/, + OM_uint32 /*req_input_size*/, + OM_uint32 * /*output_size*/ + ); + OM_uint32 gss_wrap_size_limit ( OM_uint32 * /*minor_status*/, const gss_ctx_id_t /*context_handle*/, diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c index bdb09e633b..50249d2d7f 100644 --- a/source4/heimdal/lib/gssapi/wrap.c +++ b/source4/heimdal/lib/gssapi/wrap.c @@ -120,7 +120,7 @@ gss_krb5_get_subkey(const gss_ctx_id_t context_handle, } static OM_uint32 -sub_wrap_size ( +sub_wrap_size_limit ( OM_uint32 req_output_size, OM_uint32 * max_input_size, int blocksize, @@ -156,6 +156,8 @@ gss_wrap_size_limit ( krb5_keyblock *key; OM_uint32 ret; krb5_keytype keytype; + OM_uint32 output_size; + OM_uint32 blocksize; ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { @@ -167,17 +169,102 @@ gss_wrap_size_limit ( switch (keytype) { case KEYTYPE_DES : + ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 22); + break; + case KEYTYPE_DES3 : + ret = sub_wrap_size_limit(req_output_size, max_input_size, 8, 34); + break; case KEYTYPE_ARCFOUR: case KEYTYPE_ARCFOUR_56: - ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); + ret = _gssapi_wrap_size_arcfour(minor_status, context_handle, + conf_req_flag, qop_req, + req_output_size, &output_size, + &blocksize, key); + + if (output_size > req_output_size) { + *max_input_size = req_output_size - (output_size - req_output_size); + (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); + } else { + *max_input_size = 0; + } + break; + default : + ret = _gssapi_wrap_size_cfx(minor_status, context_handle, + conf_req_flag, qop_req, + req_output_size, &output_size, + &blocksize, key); + if (output_size > req_output_size) { + *max_input_size = req_output_size - (output_size - req_output_size); + (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); + } else { + *max_input_size = 0; + } + break; + } + krb5_free_keyblock (gssapi_krb5_context, key); + *minor_status = 0; + return ret; +} + +static OM_uint32 +sub_wrap_size ( + OM_uint32 req_input_size, + OM_uint32 * output_size, + int blocksize, + int extrasize + ) +{ + size_t len, total_len, padlength, datalen; + + padlength = blocksize - (req_input_size % blocksize); + datalen = req_input_size + padlength + 8; + len = datalen + extrasize; + gssapi_krb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM); + + *output_size = total_len; + + return GSS_S_COMPLETE; +} + +OM_uint32 +gsskrb5_wrap_size ( + OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_input_size, + OM_uint32 * output_size + ) +{ + krb5_keyblock *key; + OM_uint32 ret, padlen; + krb5_keytype keytype; + + ret = gss_krb5_get_subkey(context_handle, &key); + if (ret) { + gssapi_krb5_set_error_string (); + *minor_status = ret; + return GSS_S_FAILURE; + } + krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); + + switch (keytype) { + case KEYTYPE_DES : + ret = sub_wrap_size(req_input_size, output_size, 8, 22); break; case KEYTYPE_DES3 : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); + ret = sub_wrap_size(req_input_size, output_size, 8, 34); + break; + case KEYTYPE_ARCFOUR: + case KEYTYPE_ARCFOUR_56: + ret = _gssapi_wrap_size_arcfour(minor_status, context_handle, + conf_req_flag, qop_req, + req_input_size, output_size, &padlen, key); break; default : ret = _gssapi_wrap_size_cfx(minor_status, context_handle, conf_req_flag, qop_req, - req_output_size, max_input_size, key); + req_input_size, output_size, &padlen, key); break; } krb5_free_keyblock (gssapi_krb5_context, key); diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 3d0176845b..352972b0b7 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -369,6 +369,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c, NTSTATUS status; struct ndr_push *ndr; DATA_BLOB creds2; + size_t payload_length; /* non-signed packets are simpler */ if (!c->security_state.auth_info || @@ -400,12 +401,16 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c, (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15; ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length); + payload_length = pkt->u.request.stub_and_verifier.length + + c->security_state.auth_info->auth_pad_length; + /* sign or seal the packet */ switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: c->security_state.auth_info->credentials - = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state)); + = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state, + payload_length)); data_blob_clear(&c->security_state.auth_info->credentials); break; @@ -447,8 +452,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c, status = gensec_seal_packet(c->security_state.generic_state, mem_ctx, blob->data + DCERPC_REQUEST_LENGTH, - pkt->u.request.stub_and_verifier.length + - c->security_state.auth_info->auth_pad_length, + payload_length, blob->data, blob->length - c->security_state.auth_info->credentials.length, @@ -463,8 +467,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c, status = gensec_sign_packet(c->security_state.generic_state, mem_ctx, blob->data + DCERPC_REQUEST_LENGTH, - pkt->u.request.stub_and_verifier.length + - c->security_state.auth_info->auth_pad_length, + payload_length, blob->data, blob->length - c->security_state.auth_info->credentials.length, diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index c8feec11bd..a2ba709f56 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -394,8 +394,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } - /* pad to 8 byte multiple */ - dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); + /* pad to 16 byte multiple, match win2k3 */ + dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16); ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; @@ -409,7 +409,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, } else { dce_conn->auth_state.auth_info->credentials = data_blob_talloc(call, NULL, - gensec_sig_size(dce_conn->auth_state.gensec_security)); + gensec_sig_size(dce_conn->auth_state.gensec_security, + payload_length)); } /* add the auth verifier */ |