[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha7-1153-ga11ecbb
Andrew Bartlett
abartlet at samba.org
Mon Apr 20 15:20:30 GMT 2009
The branch, master has been updated
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a11ecbbff0c08f14fa1ce41e41578ff0ff85003a
Merge: c185e7a29c9d973a3916928903acc078c43b0d4f f493755aafacb128cb7b9148898f5ce1d02f6d69
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 17:19:45 2009 +0200
Merge branch 'master' of ssh://git.samba.org/data/git/samba into libcli-auth-merge-without-netlogond
commit c185e7a29c9d973a3916928903acc078c43b0d4f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 17:04:33 2009 +0200
Fix to use modified cli_rpc_pipe_open_schannel_with_key API
commit 6c9caed48187a0d18becf59ab636af44cbe521b0
Merge: 53765c81f726a8c056cc4e57004592dd489975c9 31120c9eacafd93e0f2c6b0f906af21adadd318a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 16:53:02 2009 +0200
Merge commit 'origin/master' into libcli-auth-merge-without-netlogond
commit 53765c81f726a8c056cc4e57004592dd489975c9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 16:50:49 2009 +0200
Remove use of talloc_reference in cli_rpc_pipe_open_schannel_with_key()
commit 8a5d94e329e8ee2e7d4e03b9719188cb50bc4978
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 13:55:04 2009 +0200
libcli/auth Ensure we cancel the transaction when schannel not detected
(found by jra on code review)
Andrew Bartlett
commit ddcc355f2b5379884755827c20a1d1bfd1fd4d51
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 11:55:49 2009 +0200
s3:ntlmssp Remove use of talloc(NULL) in NTLMSSP code
commit 02ecdd8f292812b886ea3ae3d69d0e221346f9e7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 10:54:57 2009 +0200
libcli/auth: Don't pass back lm_sess_key as the same pointer as user_sess_key
This ensures that a talloc_free() of both pointers won't double-free
(sharing pointers like this is evil anyway).
Andrew Bartlett
commit 7a54cd041e04f901af5e73b9e57b9cff4e182955
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Apr 19 21:50:46 2009 +0200
Remove unused headers
commit 8ee7b4ce29b678ceb34680f556ab1a28a8bea9c5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Apr 19 21:50:13 2009 +0200
s3:auth Fix segfault: Always initialise returned session keys
commit 0c771bfc70fecf25fbb4aa090bfdd14811b1f3bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 20 05:19:48 2009 +1000
s3:ntlmssp Fix segfault: msrpc_gen now uses talloc()
commit 34193cffc0900d8563822a9524f87b76d93ee80e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 16 14:08:00 2009 +1000
Fix crash bug in NTLMSSP caused by msrpc_parse() moving to talloc
commit b57c8ff4400e5f2bd0776247496b34dab68bde97
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 16 12:06:35 2009 +1000
Use an absolute path to ensure that we can always regenerate tables.c
I had trouble building Samba3 in a merged build, perhaps because I was
also building Samba4 in that tree.
Andrew Bartlett
commit fa37dbf96024482e3b1a0269a940b6e722d550e4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 16 10:17:57 2009 +1000
Fix building the now common msrpc_parse code
commit 0879cbaf2b88f44b66ae7cbc5eb042ab534142f3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 16 10:17:34 2009 +1000
Fix building the common libcli/samsync code
commit dbcd80ed0109072e0eda6ef3f7d52972403eadd9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 16 10:17:17 2009 +1000
Fix Samba4 build errors with common libcli/samsync
commit 4678d1c6f4de1af9144de37d6d4b35c6c39e254d
Merge: 86b50a0e6eacc14e157602811f30f11dccc471a8 92d321006d1748ac47cf9b52330212f4ae03f502
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 15 14:36:13 2009 +1000
Merge branch 'master' of ssh://git.samba.org/data/git/samba into libcli-auth-merge-without-netlogond
commit 86b50a0e6eacc14e157602811f30f11dccc471a8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 15 14:23:33 2009 +1000
Add missing header, remove generated header
(This isn't a rename, honest :-)
commit 0b4e9ce45aa6b9e90d4765c9caaaeed45dcd0de2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 15 14:00:24 2009 +1000
common:libcli/auth Add missing samsync config.mk
commit 32062013c3dca1ae50d6e8f7a0ad3e3591b61d61
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 14 19:33:04 2009 +1000
s3: Fix ntlm_auth and winbindd to use new common libcli/auth APIs
commit d78cdc5fe2e45b5f447a3ed90d33a10f7cda831a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 9 14:26:04 2009 +1000
Rework to use new API for common netlogon credential chaining
commit 1cee31f5889d7b7f8a365a83426b29e804684f9f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 9 14:25:50 2009 +1000
Link in the common samsync decryption code
commit 53afa1adacb239fd942b3b58707c8e4c55639175
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Apr 9 14:22:04 2009 +1000
libcli/auth Push schannel check into common libcli/auth
This means we have a single choke point to ensure the remote client is
using schannel.
Andrew Bartlett
commit baf7274fed2f1ae7a9e3a57160bf5471566e636c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 6 22:56:13 2009 +1000
Make Samba3 use the new common libcli/auth code
This is particularly in the netlogon client (but not server at this
stage)
commit 5095d7b1c84e7e37f553867d699a1983f74d4314
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 6 22:54:44 2009 +1000
Rework Samba4 to use the new common libcli/auth code
In particular, this is the rename from creds_ to netlogon_creds_, as
well as other links to use the new common crypto.
Andrew Bartlett
commit eed0c4f6c9aac5a260f65c05cc809bf5f72cf210
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 6 22:53:01 2009 +1000
Rework netlogon credentials for the top level
This makes constructor functions that return the allocated structure,
rather than having the caller pass them in, and makes the server init
function also check the first credential.
The rename of creds_ to netlogon_creds should make it more clear what
this code works with.
Andrew Bartlett
commit f23eea294a64fac3cc85609468703fc15f7e3187
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 6 22:51:32 2009 +1000
Push schannel_state.c into the top level.
This is the server side state for netlogon credential chaining
Andrew Bartlett
commit df8e1908ef9969ce95a5102959c27491fa7bfa03
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 27 12:16:17 2009 +1100
Use common samsync delta decryption functions in libnet_samsync.c
Andrew Bartlett
commit 27815a71a99f43a531f27427eeb32ab34b0aa642
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 20:08:31 2009 +1100
More work to adapt to merged libcli/auth function prototypes
commit fe0f0e5670e878b8f8ddcb9f36681de69edd2025
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 20:06:46 2009 +1100
Adapt to common crypto functions: sam_pwd_hash() -> sam_rid_crypt()
commit 7cff049e7eab769ed69296da41e74fa66be42698
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 20:03:32 2009 +1100
libcli/auth Don't compile against un-needed Samba4 headers
commit 6c8f7e400540421320e3cbd80f7e1a9551dfed14
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 14:03:02 2009 +1100
Port Samba4 to the new combined libcli/auth functions
For example, some of the new shared functionality was previously in the wkssvc
torture test.
Andrew Bartlett
commit a19966375aeab5627308379219361de7053189fd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 17 10:02:45 2009 +1100
Move ntlm_check.h into the common libcli/auth
commit f28f113d8e76824b080359c90efd9c92de533740
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 21:27:58 2009 +1100
Rework Samba3 to use new libcli/auth code (partial)
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
commit fd3be5c4e5e185115eec59752a22f7f354f860ca
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 21:19:10 2009 +1100
Merge smbencrypt.c between Samba3 and Samba4
commit 8e73b652f92795dcb35cd3826c88926e8072ea31
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 21:17:29 2009 +1100
Rework trivial msrpc parser to use convert_string_talloc()
Also avoid still string conversions when trying to match NTLMSSP in
the header of the NTLMSSP packet.
This also changes a few things to avoid const warnings.
Andrew Bartlett
commit 9feea7fa4c36e124a2d6f8711ee849b039a22f34
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 18:08:15 2009 +1100
Move MSRPC-PARSE into the common libcli/auth
This is a dependency of smbencrypt.c
commit 872cb0257c64f8c8682968565c3dfa608167a95d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 15:20:28 2009 +1100
Move DRSUAPI per-attribute decryption into a common file
This file (containing metze's decryption routines) is now also used by
Samba3's DRSUAPI implementation
Andrew Bartlett
commit 927a8b330435b4c959ad851e32b83d97a6e3001b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 16 13:26:38 2009 +1100
Move libcli/auth to the top level
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/config.mk | 31 +
libcli/auth/credentials.c | 446 +++++++++++
libcli/auth/credentials.h | 84 +++
libcli/auth/libcli_auth.h | 32 +
libcli/auth/msrpc_parse.c | 368 ++++++++++
libcli/auth/ntlm_check.c | 596 +++++++++++++++
{source4/auth/ntlm => libcli/auth}/ntlm_check.h | 0
libcli/auth/schannel_state.c | 321 ++++++++
libcli/auth/schannel_state.h | 24 +
{source4/libcli => libcli}/auth/session.c | 0
{source4/libcli => libcli}/auth/smbdes.c | 0
libcli/auth/smbencrypt.c | 782 ++++++++++++++++++++
libcli/drsuapi/config.mk | 8 +
libcli/drsuapi/drsuapi.h | 33 +
libcli/drsuapi/repl_decrypt.c | 188 +++++
libcli/samsync/config.mk | 10 +
libcli/samsync/decrypt.c | 174 +++++
nsswitch/wbinfo.c | 7 +-
source3/Makefile.in | 17 +-
source3/auth/auth_domain.c | 1 +
source3/auth/auth_netlogond.c | 7 +-
source3/auth/auth_sam.c | 53 ++-
source3/auth/auth_util.c | 5 +-
source3/include/client.h | 4 +-
source3/include/ntlmssp.h | 5 -
source3/include/proto.h | 152 +----
source3/include/rpc_dce.h | 45 --
source3/lib/charcnv.c | 38 +
source3/lib/netapi/joindomain.c | 1 +
source3/libnet/libnet_dssync.c | 76 +--
source3/libnet/libnet_join.c | 3 +-
source3/libnet/libnet_samsync.c | 162 +----
source3/libsmb/cliconnect.c | 9 +-
source3/libsmb/clirap.c | 3 +-
source3/libsmb/credentials.c | 86 +--
source3/libsmb/ntlm_check.c | 470 ------------
source3/libsmb/ntlmssp.c | 110 +--
source3/libsmb/ntlmssp_parse.c | 384 ----------
source3/libsmb/ntlmssp_sign.c | 5 +-
source3/libsmb/smbdes.c | 421 -----------
source3/libsmb/smbencrypt.c | 898 -----------------------
source3/libsmb/trusts_util.c | 1 +
source3/passdb/passdb.c | 1 +
source3/passdb/pdb_get_set.c | 1 +
source3/passdb/pdb_ldap.c | 1 +
source3/passdb/secrets.c | 2 +-
source3/rpc_client/cli_netlogon.c | 156 ++---
source3/rpc_client/cli_pipe.c | 17 +-
source3/rpc_client/cli_samr.c | 9 +-
source3/rpc_client/init_netlogon.c | 7 +-
source3/rpc_client/init_samr.c | 5 +-
source3/rpc_parse/parse_prs.c | 12 +-
source3/rpc_server/srv_netlog_nt.c | 1 +
source3/rpc_server/srv_samr_nt.c | 19 +-
source3/rpc_server/srv_wkssvc_nt.c | 1 +
source3/rpcclient/cmd_lsarpc.c | 22 +-
source3/rpcclient/cmd_netlogon.c | 9 +-
source3/rpcclient/cmd_samr.c | 1 +
source3/rpcclient/rpcclient.c | 1 +
source3/smbd/chgpasswd.c | 7 +-
source3/smbd/trans2.c | 1 +
source3/utils/net_rpc.c | 9 +-
source3/utils/net_rpc_join.c | 5 +-
source3/utils/ntlm_auth.c | 13 +-
source3/utils/ntlm_auth_diagnostics.c | 11 +-
source3/winbindd/winbindd_cache.c | 1 +
source3/winbindd/winbindd_cm.c | 21 +-
source3/winbindd/winbindd_cred_cache.c | 1 +
source3/winbindd/winbindd_creds.c | 1 +
source3/winbindd/winbindd_pam.c | 7 +-
source4/auth/credentials/credentials.c | 4 +-
source4/auth/credentials/credentials.h | 6 +-
source4/auth/gensec/config.mk | 2 +-
source4/auth/gensec/gensec.h | 4 +-
source4/auth/gensec/schannel.c | 31 +-
source4/auth/gensec/schannel.h | 7 +-
source4/auth/gensec/schannel_sign.c | 6 +-
source4/auth/gensec/schannel_state.c | 283 -------
source4/auth/ntlm/auth_sam.c | 2 +-
source4/auth/ntlm/config.mk | 5 -
source4/auth/ntlm/ntlm_check.c | 603 ---------------
source4/auth/ntlmssp/config.mk | 6 -
source4/auth/ntlmssp/ntlmssp.c | 4 +-
source4/auth/ntlmssp/ntlmssp.h | 5 -
source4/auth/ntlmssp/ntlmssp_client.c | 3 +-
source4/auth/ntlmssp/ntlmssp_parse.c | 368 ----------
source4/auth/ntlmssp/ntlmssp_server.c | 4 +-
source4/auth/ntlmssp/ntlmssp_sign.c | 4 +-
source4/dsdb/config.mk | 3 +-
source4/dsdb/repl/replicated_objects.c | 160 +----
source4/libcli/auth/config.mk | 17 -
source4/libcli/auth/credentials.c | 375 ----------
source4/libcli/auth/credentials.h | 46 --
source4/libcli/auth/libcli_auth.h | 24 -
source4/libcli/auth/smbencrypt.c | 595 ---------------
source4/libcli/config.mk | 1 -
source4/libnet/config.mk | 2 +-
source4/libnet/libnet_samdump.c | 1 -
source4/libnet/libnet_samdump_keytab.c | 1 -
source4/libnet/libnet_samsync.c | 150 +----
source4/libnet/libnet_samsync.h | 1 -
source4/libnet/libnet_samsync_ldb.c | 1 -
source4/librpc/idl-deps.pl | 2 +
source4/librpc/rpc/dcerpc_schannel.c | 18 +-
source4/main.mk | 3 +
source4/rpc_server/netlogon/dcerpc_netlogon.c | 212 +++---
source4/torture/config.mk | 2 +-
source4/torture/rpc/dssync.c | 125 +---
source4/torture/rpc/netlogon.c | 173 +++---
source4/torture/rpc/netlogon.h | 2 +-
source4/torture/rpc/remote_pac.c | 27 +-
source4/torture/rpc/samba3rpc.c | 51 +-
source4/torture/rpc/samlogon.c | 34 +-
source4/torture/rpc/samr.c | 8 +-
source4/torture/rpc/samsync.c | 30 +-
source4/torture/rpc/schannel.c | 12 +-
source4/torture/rpc/wkssvc.c | 45 +-
source4/utils/ntlm_auth.c | 1 -
source4/winbind/wb_sam_logon.c | 14 +-
119 files changed, 3818 insertions(+), 6067 deletions(-)
create mode 100644 libcli/auth/config.mk
create mode 100644 libcli/auth/credentials.c
create mode 100644 libcli/auth/credentials.h
create mode 100644 libcli/auth/libcli_auth.h
create mode 100644 libcli/auth/msrpc_parse.c
create mode 100644 libcli/auth/ntlm_check.c
rename {source4/auth/ntlm => libcli/auth}/ntlm_check.h (100%)
create mode 100644 libcli/auth/schannel_state.c
create mode 100644 libcli/auth/schannel_state.h
rename {source4/libcli => libcli}/auth/session.c (100%)
rename {source4/libcli => libcli}/auth/smbdes.c (100%)
create mode 100644 libcli/auth/smbencrypt.c
create mode 100644 libcli/drsuapi/config.mk
create mode 100644 libcli/drsuapi/drsuapi.h
create mode 100644 libcli/drsuapi/repl_decrypt.c
create mode 100644 libcli/samsync/config.mk
create mode 100644 libcli/samsync/decrypt.c
delete mode 100644 source3/libsmb/ntlm_check.c
delete mode 100644 source3/libsmb/ntlmssp_parse.c
delete mode 100644 source3/libsmb/smbdes.c
delete mode 100644 source3/libsmb/smbencrypt.c
delete mode 100644 source4/auth/ntlm/ntlm_check.c
delete mode 100644 source4/auth/ntlmssp/ntlmssp_parse.c
delete mode 100644 source4/libcli/auth/config.mk
delete mode 100644 source4/libcli/auth/credentials.c
delete mode 100644 source4/libcli/auth/credentials.h
delete mode 100644 source4/libcli/auth/libcli_auth.h
delete mode 100644 source4/libcli/auth/smbencrypt.c
Changeset truncated at 500 lines:
diff --git a/libcli/auth/config.mk b/libcli/auth/config.mk
new file mode 100644
index 0000000..1034020
--- /dev/null
+++ b/libcli/auth/config.mk
@@ -0,0 +1,31 @@
+[SUBSYSTEM::ntlm_check]
+PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL
+
+ntlm_check_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, ntlm_check.o)
+
+[SUBSYSTEM::MSRPC_PARSE]
+
+MSRPC_PARSE_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, msrpc_parse.o)
+
+$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/msrpc_parse.h,$(MSRPC_PARSE_OBJ_FILES:.o=.c)))
+
+[SUBSYSTEM::LIBCLI_AUTH]
+PUBLIC_DEPENDENCIES = \
+ MSRPC_PARSE \
+ LIBSAMBA-HOSTCONFIG
+
+LIBCLI_AUTH_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, \
+ credentials.o \
+ session.o \
+ smbencrypt.o \
+ smbdes.o)
+
+PUBLIC_HEADERS += ../libcli/auth/credentials.h
+$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/proto.h,$(LIBCLI_AUTH_OBJ_FILES:.o=.c)))
+
+[SUBSYSTEM::COMMON_SCHANNELDB]
+PRIVATE_DEPENDENCIES = LDB_WRAP
+
+COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state.o)
+$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/schannel_state_proto.h,$(COMMON_SCHANNELDB_OBJ_FILES:.o=.c)))
+
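Review bot: PUBLIC_HEADERS in the LIBCLI_AUTH section uses the relative path ../libcli/auth/credentials.h, while every object file and proto header in this file is located through $(libclicommonsrcdir); use the variable here as well so the header resolves the same way regardless of which tree the build is run from. [SUBSYSTEM::ntlm_check] and ntlm_check_OBJ_FILES are also the only lower-case subsystem names in the file, next to MSRPC_PARSE, LIBCLI_AUTH and COMMON_SCHANNELDB; a consistent upper-case name would be easier to search for, if the existing dependants allow the rename.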
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
new file mode 100644
index 0000000..dc84ffb
--- /dev/null
+++ b/libcli/auth/credentials.c
@@ -0,0 +1,446 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ code to manipulate domain credentials
+
+ Copyright (C) Andrew Tridgell 1997-2003
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/time.h"
+#include "../lib/crypto/crypto.h"
+#include "libcli/auth/libcli_auth.h"
+
+/*
+ initialise the credentials state for old-style 64 bit session keys
+
+ this call is made after the netr_ServerReqChallenge call
+*/
+static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds,
+ const struct netr_Credential *client_challenge,
+ const struct netr_Credential *server_challenge,
+ const struct samr_Password *machine_password)
+{
+ uint32_t sum[2];
+ uint8_t sum2[8];
+
+ sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
+ sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
+
+ SIVAL(sum2,0,sum[0]);
+ SIVAL(sum2,4,sum[1]);
+
+ ZERO_STRUCT(creds->session_key);
+
+ des_crypt128(creds->session_key, sum2, machine_password->hash);
+
+ des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
+ des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
+
+ creds->seed = creds->client;
+}
+
+/*
+ initialise the credentials state for ADS-style 128 bit session keys
+
+ this call is made after the netr_ServerReqChallenge call
+*/
+static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *creds,
+ const struct netr_Credential *client_challenge,
+ const struct netr_Credential *server_challenge,
+ const struct samr_Password *machine_password)
+{
+ unsigned char zero[4], tmp[16];
+ HMACMD5Context ctx;
+ struct MD5Context md5;
+
+ ZERO_STRUCT(creds->session_key);
+
+ memset(zero, 0, sizeof(zero));
+
+ hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
+ MD5Init(&md5);
+ MD5Update(&md5, zero, sizeof(zero));
+ MD5Update(&md5, client_challenge->data, 8);
+ MD5Update(&md5, server_challenge->data, 8);
+ MD5Final(tmp, &md5);
+ hmac_md5_update(tmp, sizeof(tmp), &ctx);
+ hmac_md5_final(creds->session_key, &ctx);
+
+ creds->client = *client_challenge;
+ creds->server = *server_challenge;
+
+ des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
+ des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
+
+ creds->seed = creds->client;
+}
+
+
+/*
+ step the credentials to the next element in the chain, updating the
+ current client and server credentials and the seed
+*/
+static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
+{
+ struct netr_Credential time_cred;
+
+ DEBUG(5,("\tseed %08x:%08x\n",
+ IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
+
+ SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
+ SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
+
+ DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
+
+ des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1);
+
+ DEBUG(5,("\tCLIENT %08x:%08x\n",
+ IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
+
+ SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
+ SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
+
+ DEBUG(5,("\tseed+time+1 %08x:%08x\n",
+ IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
+
+ des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1);
+
+ DEBUG(5,("\tSERVER %08x:%08x\n",
+ IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
+
+ creds->seed = time_cred;
+}
+
+
+/*
+ DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
+*/
+void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+{
+ struct netr_LMSessionKey tmp;
+ des_crypt56(tmp.key, key->key, creds->session_key, 1);
+ *key = tmp;
+}
+
+/*
+ DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
+*/
+void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+{
+ struct netr_LMSessionKey tmp;
+ des_crypt56(tmp.key, key->key, creds->session_key, 0);
+ *key = tmp;
+}
+
+/*
+ DES encrypt a 16 byte password buffer using the session key
+*/
+void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+{
+ struct samr_Password tmp;
+ des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
+ *pass = tmp;
+}
+
+/*
+ DES decrypt a 16 byte password buffer using the session key
+*/
+void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+{
+ struct samr_Password tmp;
+ des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
+ *pass = tmp;
+}
+
+/*
+ ARCFOUR encrypt/decrypt a password buffer using the session key
+*/
+void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+{
+ DATA_BLOB session_key = data_blob(creds->session_key, 16);
+
+ arcfour_crypt_blob(data, len, &session_key);
+
+ data_blob_free(&session_key);
+}
+
+/*****************************************************************
+The above functions are common to the client and server interface
+next comes the client specific functions
+******************************************************************/
+
+/*
+ initialise the credentials chain and return the first client
+ credentials
+*/
+
+struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
+ const char *client_account,
+ const char *client_computer_name,
+ const struct netr_Credential *client_challenge,
+ const struct netr_Credential *server_challenge,
+ const struct samr_Password *machine_password,
+ struct netr_Credential *initial_credential,
+ uint32_t negotiate_flags)
+{
+ struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
+
+ if (!creds) {
+ return NULL;
+ }
+
+ creds->sequence = time(NULL);
+ creds->negotiate_flags = negotiate_flags;
+
+ creds->computer_name = talloc_strdup(creds, client_computer_name);
+ if (!creds->computer_name) {
+ talloc_free(creds);
+ return NULL;
+ }
+ creds->account_name = talloc_strdup(creds, client_account);
+ if (!creds->account_name) {
+ talloc_free(creds);
+ return NULL;
+ }
+
+ dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
+ dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
+ dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
+
+ if (negotiate_flags & NETLOGON_NEG_128BIT) {
+ netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
+ } else {
+ netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
+ }
+
+ dump_data_pw("Session key", creds->session_key, 16);
+ dump_data_pw("Credential ", creds->client.data, 8);
+
+ *initial_credential = creds->client;
+ return creds;
+}
+
+/*
+ initialise the credentials structure with only a session key. The caller better know what they are doing!
+ */
+
+struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
+ const uint8_t session_key[16])
+{
+ struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
+
+ if (!creds) {
+ return NULL;
+ }
+
+ memcpy(creds->session_key, session_key, 16);
+
+ return creds;
+}
+
+/*
+ step the credentials to the next element in the chain, updating the
+ current client and server credentials and the seed
+
+ produce the next authenticator in the sequence ready to send to
+ the server
+*/
+void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
+ struct netr_Authenticator *next)
+{
+ creds->sequence += 2;
+ netlogon_creds_step(creds);
+
+ next->cred = creds->client;
+ next->timestamp = creds->sequence;
+}
+
+/*
+ check that a credentials reply from a server is correct
+*/
+bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
+ const struct netr_Credential *received_credentials)
+{
+ if (!received_credentials ||
+ memcmp(received_credentials->data, creds->server.data, 8) != 0) {
+ DEBUG(2,("credentials check failed\n"));
+ return false;
+ }
+ return true;
+}
+
+
+/*****************************************************************
+The above functions are common to the client and server interface
+next comes the server specific functions
+******************************************************************/
+
+/*
+ check that a credentials reply from a server is correct
+*/
+static bool netlogon_creds_server_check_internal(const struct netlogon_creds_CredentialState *creds,
+ const struct netr_Credential *received_credentials)
+{
+ if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
+ DEBUG(2,("credentials check failed\n"));
+ dump_data_pw("client creds", creds->client.data, 8);
+ dump_data_pw("calc creds", received_credentials->data, 8);
+ return false;
+ }
+ return true;
+}
+
+/*
+ initialise the credentials chain and return the first server
+ credentials
+*/
+struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
+ const char *client_account,
+ const char *client_computer_name,
+ uint16_t secure_channel_type,
+ const struct netr_Credential *client_challenge,
+ const struct netr_Credential *server_challenge,
+ const struct samr_Password *machine_password,
+ struct netr_Credential *credentials_in,
+ struct netr_Credential *credentials_out,
+ uint32_t negotiate_flags)
+{
+
+ struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+
+ if (!creds) {
+ return NULL;
+ }
+
+ creds->negotiate_flags = negotiate_flags;
+
+ creds->computer_name = talloc_strdup(creds, client_computer_name);
+ if (!creds->computer_name) {
+ talloc_free(creds);
+ return NULL;
+ }
+ creds->account_name = talloc_strdup(creds, client_account);
+ if (!creds->account_name) {
+ talloc_free(creds);
+ return NULL;
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_128BIT) {
+ netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
+ machine_password);
+ } else {
+ netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
+ machine_password);
+ }
+
+ /* And before we leak information about the machine account
+ * password, check that they got the first go right */
+ if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
+ talloc_free(creds);
+ return NULL;
+ }
+
+ *credentials_out = creds->server;
+
+ return creds;
+}
+
+NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
+ struct netr_Authenticator *received_authenticator,
+ struct netr_Authenticator *return_authenticator)
+{
+ if (!received_authenticator || !return_authenticator) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!creds) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* TODO: this may allow the a replay attack on a non-signed
+ connection. Should we check that this is increasing? */
+ creds->sequence = received_authenticator->timestamp;
+ netlogon_creds_step(creds);
+ if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
+ return_authenticator->cred = creds->server;
+ return_authenticator->timestamp = creds->sequence;
+ return NT_STATUS_OK;
+ } else {
+ ZERO_STRUCTP(return_authenticator);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+}
+
+void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ static const char zeros[16];
+
+ struct netr_SamBaseInfo *base = NULL;
+ switch (validation_level) {
+ case 2:
+ if (validation->sam2) {
+ base = &validation->sam2->base;
+ }
+ break;
+ case 3:
+ if (validation->sam3) {
+ base = &validation->sam3->base;
+ }
+ break;
+ case 6:
+ if (validation->sam6) {
+ base = &validation->sam6->base;
+ }
+ break;
+ default:
+ /* If we can't find it, we can't very well decrypt it */
+ return;
+ }
+
+ if (!base) {
+ return;
+ }
+
+ /* find and decyrpt the session keys, return in parameters above */
+ if (validation_level == 6) {
+ /* they aren't encrypted! */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ if (memcmp(base->key.key, zeros,
+ sizeof(base->key.key)) != 0) {
+ netlogon_creds_arcfour_crypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
+
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+ netlogon_creds_arcfour_crypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
+ } else {
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+ netlogon_creds_des_decrypt_LMKey(creds,
+ &base->LMSessKey);
+ }
+ }
+}
+
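Review bot: netlogon_creds_client_init_session_key() allocates the state with talloc() and fills in only session_key, so negotiate_flags, sequence and the name pointers are left uninitialised, and netlogon_creds_decrypt_samlogon() later branches on creds->negotiate_flags & NETLOGON_NEG_ARCFOUR for whatever state it is handed. Use talloc_zero() there and in netlogon_creds_client_init(), as netlogon_creds_server_init() already does, or take the negotiate flags as an argument. Two smaller points in the server half: the secure_channel_type argument of netlogon_creds_server_init() is never stored or used in the visible body, and netlogon_creds_server_step_check() copies received_authenticator->timestamp straight into creds->sequence, so the replay TODO there should be resolved, either by rejecting a timestamp that has not advanced or by a comment explaining why that check is not possible.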
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h
new file mode 100644
index 0000000..b84b902
--- /dev/null
+++ b/libcli/auth/credentials.h
@@ -0,0 +1,84 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ code to manipulate domain credentials
+
--
Samba Shared Repository