From 5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 May 2004 14:06:28 +0000 Subject: r874: This patch is a pile of work on NTLMSSP: Samba's NTLMSSP code is now fully talloc based, which should go a long way to cleaning up the memory leaks in this code. This also avoids a lot of extra copies of data, as we now allocate the 'return' blobs on a caller-supplied context. I have also been doing a lot of work towards NTLM2 signing and sealing. I have this working for sealing, but not for the verifier (MD5 integrity check on the stream) which is still incorrect. (I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the data arrives intact, but the signature check fails. It does however match the test values I have...). The new torture test is cludged in - when we get a unit test suite back, I'll happliy put it in the 'right' place.... Andrew Bartlett (This used to be commit 399e2e2b1149b8d1c070aa7f0d5131c0b577d2b9) --- source4/rpc_server/dcesrv_auth.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a117f08445..48792180c6 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -66,6 +66,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("Failed to start NTLMSSP subsystem!\n")); return False; } @@ -85,10 +86,12 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status))); return False; } @@ -131,20 +134,14 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { + DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status))); return False; } - switch (dce_conn->auth_state.auth_info->auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* setup for signing */ - status = ntlmssp_sign_init(dce_conn->auth_state.ntlmssp_state->ntlmssp_state); - break; - } - return True; } @@ -197,6 +194,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -204,6 +202,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -262,6 +261,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); @@ -269,6 +269,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); -- cgit