[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Sun Dec 9 13:25:02 MST 2012
The branch, master has been updated
via ade5bfd s4-torture: call the s4u2self tests with arcfour and aes.
via d0bad6c s4-torture: precalculate expected session keys from samlogon in schannel test.
via f6cb804 libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
via be296a2 libcli/auth: remove trailing whitespace.
via f2d9589 s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
via c1fb595 s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
via 7f435bd s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
via 6452892 s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
via 7157263 s4-rpc_server: support AES encryption in interactive and generic samlogon.
via a52115c s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
via 6aec126 s4-torture: validate owf password hash and negotiate AES in forest trust test.
via 83b00af s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
via 306a78d s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
via fd70870 s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
via 4afb7dc s4-torture: exit early when join fails in samba3rpc tests.
via 5089442 s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
via d94f012 s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
via 3dffd29 s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
via 7ea9da0 s4-torture: remove trailing whitespace in smbtorture remote_pac test.
via c6f4745 s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
via 01e6970 s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
via 3dc8c20 s4-torture: add AES support for netr_ServerPasswordSet2 tests.
via 0a09160 s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
via d1f481f s4-torture: remove trailing whitespace from netlogon test.
via 1362d54 s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
via 6434501 s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
via ec06c81 s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
via 429600c libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
from b6e2be8 wafsamba: replace try:except: case with explicit comment about FIPS mode
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ade5bfd304cc806758a58f04b35834cd730dd9ba
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:51:10 2012 +0100
s4-torture: call the s4u2self tests with arcfour and aes.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104
commit d0bad6c3350698b26ba009bb0c91d0265cc22f60
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:57:18 2012 +0100
s4-torture: precalculate expected session keys from samlogon in schannel test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:38:16 2012 +0100
libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit be296a21fc509cacaedb5aad0c3ca4ccd44b4a62
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 01:05:00 2012 +0100
libcli/auth: remove trailing whitespace.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f2d9589b178c0e3374e1c1ad363639b9e2bdce5f
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 15:21:02 2012 +0100
s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c1fb595081c2b0bf66bce06c09750f53e8031311
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 14:54:25 2012 +0100
s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7f435bd649f0b313804f40807a38de9478478b6c
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 14:31:32 2012 +0100
s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 645289216eeb718eab1201dd3ad0a50fdf85753c
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 19:49:52 2012 +0100
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 71572632bd33dcb5c03a701bbb72a707e5642237
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:24:24 2012 +0100
s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a52115ce67c2e5bd1e478d7601483fd2490aea31
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 19:52:54 2012 +0100
s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
Sumit, please check.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6aec126566d01dd9ddbbd5488f73b61729094a52
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 18:06:54 2012 +0100
s4-torture: validate owf password hash and negotiate AES in forest trust test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 83b00afe9f2116ef04378c251070143595450a3e
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 17:59:12 2012 +0100
s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 306a78d97f2fdfaa81c58bafdebcfab0fb8f1636
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:37:02 2012 +0100
s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fd7087020344f7d24737e3be2f3afbd0417b0026
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 18:38:01 2012 +0100
s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4afb7dcb43c6903568c0fe2c2c2044706e9bd613
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:21:59 2012 +0100
s4-torture: exit early when join fails in samba3rpc tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5089442bfdbeff7314e589387c3702f9c401e12a
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:20:14 2012 +0100
s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d94f012f3fb428027709a9c8becf8edb85072463
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:23:34 2012 +0100
s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3dffd29904b3de145941a7420d56b30611f9616f
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:11:19 2012 +0100
s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf
Author: Günther Deschner <gd at samba.org>
Date: Tue Dec 4 23:11:10 2012 +0100
s4-torture: remove trailing whitespace in smbtorture remote_pac test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c6f4745c5670e8da77078e19f2d6a3a485e7adc6
Author: Günther Deschner <gd at samba.org>
Date: Sat Dec 1 00:59:44 2012 +0100
s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 01e69703fb8c58ab1940bb560e34f6c3f10e0ae9
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:47:40 2012 +0100
s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3dc8c20b8a94063c6578b60750757c5a40d7db38
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:47:19 2012 +0100
s4-torture: add AES support for netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0a091604a45b4b143745a20fa842878ceb745c39
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:44:33 2012 +0100
s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d1f481ffe17ce84ffddbedf1bd7efb0654e2807e
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:24:37 2012 +0100
s4-torture: remove trailing whitespace from netlogon test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1362d542df715aa31e9b818ee8783b5ee35f8870
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:35:04 2012 +0100
s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 64345018cda744d16b123d6ef5c4a982340484dc
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:34:36 2012 +0100
s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ec06c81db313f2862544c972cbf582a07bb844c2
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:30:24 2012 +0100
s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 429600c5f3079c8433d5a542383908d6ff61fe60
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:23:30 2012 +0100
libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/credentials.c | 118 +++++++----
libcli/auth/proto.h | 2 +
source3/auth/auth_util.c | 34 +---
source3/auth/check_samsec.c | 2 +-
source3/auth/proto.h | 9 +-
source3/auth/server_info.c | 30 ---
source3/rpc_client/cli_netlogon.c | 7 +-
source3/rpc_client/init_netlogon.c | 12 +-
source3/rpc_client/init_netlogon.h | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 110 ++++++---
source3/torture/pdbtest.c | 2 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 35 +++-
source4/torture/rpc/forest_trust.c | 13 +-
source4/torture/rpc/netlogon.c | 296 +++++++++++++++----------
source4/torture/rpc/remote_pac.c | 226 +++++++++++++------
source4/torture/rpc/samba3rpc.c | 19 +-
source4/torture/rpc/samlogon.c | 4 +-
source4/torture/rpc/samr.c | 7 +-
source4/torture/rpc/samsync.c | 2 +-
source4/torture/rpc/schannel.c | 122 ++++++++++-
20 files changed, 677 insertions(+), 375 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index dfbfdb3..63407e7 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
code to manipulate domain credentials
Copyright (C) Andrew Tridgell 1997-2003
Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -85,7 +85,7 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr
memset(zero, 0, sizeof(zero));
- hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
+ hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
MD5Init(&md5);
MD5Update(&md5, zero, sizeof(zero));
MD5Update(&md5, client_challenge->data, 8);
@@ -142,7 +142,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
{
struct netr_Credential time_cred;
- DEBUG(5,("\tseed %08x:%08x\n",
+ DEBUG(5,("\tseed %08x:%08x\n",
IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
@@ -152,18 +152,18 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
netlogon_creds_step_crypt(creds, &time_cred, &creds->client);
- DEBUG(5,("\tCLIENT %08x:%08x\n",
+ DEBUG(5,("\tCLIENT %08x:%08x\n",
IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
- DEBUG(5,("\tseed+time+1 %08x:%08x\n",
+ DEBUG(5,("\tseed+time+1 %08x:%08x\n",
IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
netlogon_creds_step_crypt(creds, &time_cred, &creds->server);
- DEBUG(5,("\tSERVER %08x:%08x\n",
+ DEBUG(5,("\tSERVER %08x:%08x\n",
IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
creds->seed = time_cred;
@@ -222,6 +222,34 @@ void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
data_blob_free(&session_key);
}
+/*
+ AES encrypt a password buffer using the session key
+*/
+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+{
+ AES_KEY key;
+ uint8_t iv[AES_BLOCK_SIZE];
+
+ AES_set_encrypt_key(creds->session_key, 128, &key);
+ ZERO_STRUCT(iv);
+
+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
+}
+
+/*
+ AES decrypt a password buffer using the session key
+*/
+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+{
+ AES_KEY key;
+ uint8_t iv[AES_BLOCK_SIZE];
+
+ AES_set_encrypt_key(creds->session_key, 128, &key);
+ ZERO_STRUCT(iv);
+
+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
+}
+
/*****************************************************************
The above functions are common to the client and server interface
next comes the client specific functions
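Review bot: netlogon_creds_aes_decrypt calls AES_set_encrypt_key rather than AES_set_decrypt_key, which is correct for CFB8 (the forward cipher is used in both directions) but reads like a copy-paste slip; a short comment on the decrypt routine would stop someone "fixing" it later. The all-zero IV deserves the same treatment: say in the comment that it is what the netlogon AES scheme prescribes, so the fixed IV is understood as a protocol requirement rather than a local shortcut. The return value of AES_set_encrypt_key is dropped in both functions; with a 128-bit key taken from creds->session_key it cannot fail, but the two bodies differ only in AES_ENCRYPT versus AES_DECRYPT, so a single static helper taking the direction would remove the duplication and give one place to check it.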
@@ -231,10 +259,10 @@ next comes the client specific functions
initialise the credentials chain and return the first client
credentials
*/
-
-struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
+
+struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
const char *client_account,
- const char *client_computer_name,
+ const char *client_computer_name,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
const struct samr_Password *machine_password,
@@ -242,11 +270,11 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
uint32_t negotiate_flags)
{
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
+
if (!creds) {
return NULL;
}
-
+
creds->sequence = time(NULL);
creds->negotiate_flags = negotiate_flags;
@@ -289,7 +317,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
initialise the credentials structure with only a session key. The caller better know what they are doing!
*/
-struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
const uint8_t session_key[16])
{
struct netlogon_creds_CredentialState *creds;
@@ -298,7 +326,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
if (!creds) {
return NULL;
}
-
+
memcpy(creds->session_key, session_key, 16);
return creds;
@@ -308,12 +336,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
step the credentials to the next element in the chain, updating the
current client and server credentials and the seed
- produce the next authenticator in the sequence ready to send to
+ produce the next authenticator in the sequence ready to send to
the server
*/
void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *next)
-{
+{
creds->sequence += 2;
netlogon_creds_step(creds);
@@ -327,7 +355,7 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *
bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
const struct netr_Credential *received_credentials)
{
- if (!received_credentials ||
+ if (!received_credentials ||
memcmp(received_credentials->data, creds->server.data, 8) != 0) {
DEBUG(2,("credentials check failed\n"));
return false;
@@ -360,9 +388,9 @@ static bool netlogon_creds_server_check_internal(const struct netlogon_creds_Cre
initialise the credentials chain and return the first server
credentials
*/
-struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
const char *client_account,
- const char *client_computer_name,
+ const char *client_computer_name,
uint16_t secure_channel_type,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
@@ -371,13 +399,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
struct netr_Credential *credentials_out,
uint32_t negotiate_flags)
{
-
+
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
+
if (!creds) {
return NULL;
}
-
+
creds->negotiate_flags = negotiate_flags;
creds->secure_channel_type = secure_channel_type;
@@ -402,10 +430,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
server_challenge,
machine_password);
} else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
- netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
+ netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
machine_password);
} else {
- netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
+ netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
machine_password);
}
@@ -433,7 +461,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator)
+ struct netr_Authenticator *return_authenticator)
{
if (!received_authenticator || !return_authenticator) {
return NT_STATUS_INVALID_PARAMETER;
@@ -459,7 +487,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
uint16_t validation_level,
- union netr_Validation *validation)
+ union netr_Validation *validation)
{
static const char zeros[16];
@@ -492,28 +520,42 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
/* find and decyrpt the session keys, return in parameters above */
if (validation_level == 6) {
/* they aren't encrypted! */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ if (memcmp(base->key.key, zeros,
+ sizeof(base->key.key)) != 0) {
+ netlogon_creds_aes_decrypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
+
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+ netlogon_creds_aes_decrypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- if (memcmp(base->key.key, zeros,
+ if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
- netlogon_creds_arcfour_crypt(creds,
- base->key.key,
+ netlogon_creds_arcfour_crypt(creds,
+ base->key.key,
sizeof(base->key.key));
}
-
- if (memcmp(base->LMSessKey.key, zeros,
+
+ if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_arcfour_crypt(creds,
- base->LMSessKey.key,
+ netlogon_creds_arcfour_crypt(creds,
+ base->LMSessKey.key,
sizeof(base->LMSessKey.key));
}
} else {
- if (memcmp(base->LMSessKey.key, zeros,
+ if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_des_decrypt_LMKey(creds,
+ netlogon_creds_des_decrypt_LMKey(creds,
&base->LMSessKey);
}
}
-}
+}
/*
copy a netlogon_creds_CredentialState struct
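Review bot: the new NETLOGON_NEG_SUPPORTS_AES branch is a line-for-line copy of the NETLOGON_NEG_ARCFOUR branch below it with only the crypt routine swapped; choosing the routine first and keeping a single pair of key/LMSessKey blocks would avoid maintaining the same non-zero checks twice. Testing AES before ARCFOUR is the right precedence when both flags are negotiated, but nothing says so; a comment on the `else if` chain would make the ordering deliberate rather than accidental. Since the function is being touched anyway, the context comment `/* find and decyrpt the session keys, return in parameters above */` could lose its typo.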
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 37c87b4..b9d91d0 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -16,6 +16,8 @@ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *cre
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
/*****************************************************************
The above functions are common to the client and server interface
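Review bot: the two new prototypes, like netlogon_creds_arcfour_crypt beside them, give no hint that `data` is transformed in place and that any `len` is accepted because CFB8 needs no padding; a one-line comment in the header would spare callers a trip to credentials.c.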
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 83c95a9..b75a390 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
- const uchar nt_interactive_pwd[16],
- const uchar *dc_sess_key)
+ const uchar nt_interactive_pwd[16])
{
struct samr_Password lm_pwd;
struct samr_Password nt_pwd;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
- unsigned char key[16];
-
- memcpy(key, dc_sess_key, 16);
if (lm_interactive_pwd)
memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
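Review bot: dropping `dc_sess_key` changes the contract of make_user_info_netlogon_interactive: `lm_interactive_pwd` and `nt_interactive_pwd` must now arrive already decrypted by the caller, but neither the parameter names nor a comment says so. State that precondition on the function (and on the declaration in source3/auth/proto.h), since a caller that still passes the on-the-wire hashes would compile cleanly and then compute wrong responses.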
@@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
if (nt_interactive_pwd)
memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("key:"));
- dump_data(100, key, sizeof(key));
-
- DEBUG(100,("lm owf password:"));
- dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
-
- DEBUG(100,("nt owf password:"));
- dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
-#endif
-
- if (lm_interactive_pwd)
- arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
-
- if (nt_interactive_pwd)
- arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("decrypt of lm owf password:"));
- dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
-
- DEBUG(100,("decrypt of nt owf password:"));
- dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
-#endif
-
if (lm_interactive_pwd)
SMBOWFencrypt(lm_pwd.hash, chal,
local_lm_response);
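Review bot: removing the arcfour_crypt calls here also removes the DEBUG_PASSWORD level-100 dumps of the decrypted LM/NT OWFs; if that diagnostic is still wanted it now belongs where the decryption happens, in the samlogon server, rather than vanishing with this hunk.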
@@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
SMBOWFencrypt(nt_pwd.hash, chal,
local_nt_response);
- /* Password info paranoia */
- ZERO_STRUCT(key);
-
{
bool ret;
NTSTATUS nt_status;
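Review bot: with `ZERO_STRUCT(key)` gone, this function no longer scrubs anything before returning, yet `lm_pwd` and `nt_pwd` still hold plaintext OWF hashes on the stack; keep the "password info paranoia" by zeroing those two structs (and `local_lm_response`/`local_nt_response` once they have been consumed) before the function returns.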
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 2d3cb65..7ed8cc2 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge,
goto done;
}
- status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+ status = serverinfo_to_SamInfo3(server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
nt_errstr(status)));
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 98b48df..76661fc 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
- const uchar nt_interactive_pwd[16],
- const uchar *dc_sess_key);
+ const uchar nt_interactive_pwd[16]);
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
@@ -277,16 +276,10 @@ struct netr_SamInfo6;
struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2);
NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3);
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6);
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 216e5e3..3f4f708 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2)
{
struct netr_SamInfo3 *info3;
@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
server_info->session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.key.key,
- pipe_session_key, 16);
- }
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.LMSessKey.key,
- pipe_session_key, 8);
- }
}
sam2->base = info3->base;
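Review bot: serverinfo_to_SamInfo2 now copies session_key and lm_session_key into info3->base in the clear, which matches the commit message that all crypto lives in the netlogon samlogon server, but the doc block above the function does not say the keys are returned unencrypted and must be protected by the caller before they leave the process; add that sentence. The same copy block is repeated in serverinfo_to_SamInfo3 and serverinfo_to_SamInfo6, so one shared helper would keep the three in step.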
@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3)
{
struct netr_SamInfo3 *info3;
@@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
server_info->session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.key.key,
- pipe_session_key, 16);
- }
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.LMSessKey.key,
- pipe_session_key, 8);
- }
}
sam3->base = info3->base;
@@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6)
{
struct pdb_domain_info *dominfo;
@@ -176,20 +154,12 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
server_info->session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.key.key,
- pipe_session_key, 16);
- }
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.LMSessKey.key,
- pipe_session_key, 8);
- }
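Review bot: this hunk ends mid-function because the changeset is truncated at 500 lines; the source3/rpc_server and source4/rpc_server changes that now own the encryption (srv_netlog_nt.c and dcerpc_netlogon.c in the summary) are not in this mail, so the removal of encryption from serverinfo_to_SamInfo6 can only be verified against them in the repository.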
--
Samba Shared Repository