[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Mon Dec 10 03:57:04 MST 2012
The branch, v4-0-test has been updated
via 9eab38b WHATSNEW: Update changes since rc6.
via ad987df s4-torture: call the s4u2self tests with arcfour and aes.
via e057dea s4-torture: precalculate expected session keys from samlogon in schannel test.
via f84b881 libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
via db81ad1 libcli/auth: remove trailing whitespace.
via 9de38fc s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
via 751b152 s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
via 32f8265 s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
via 012937c s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
via 1dbf3ac s4-rpc_server: support AES encryption in interactive and generic samlogon.
via 119b15c s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
via 0996946 s4-torture: validate owf password hash and negotiate AES in forest trust test.
via 9a9d2f2 s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
via a63d67b s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
via 65f75fc s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
via 967705d s4-torture: exit early when join fails in samba3rpc tests.
via 12e3fed s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
via a517808 s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
via da08243 s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
via 2b1646e s4-torture: remove trailing whitespace in smbtorture remote_pac test.
via 7aa26fd s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
via 5217de0 s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
via 7d84230 s4-torture: add AES support for netr_ServerPasswordSet2 tests.
via 9c82385 s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
via 32bb7c0 s4-torture: remove trailing whitespace from netlogon test.
via 7a8205a s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
via aed9bf6 s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
via a4b1dda s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
via d4dedc7 libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
from 71df5a6 WHATSNEW: Add changes since rc6.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 9eab38be55e51315e545d07449c6f23d673848b1
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Dec 10 10:12:59 2012 +0100
WHATSNEW: Update changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-0-test): Mon Dec 10 11:56:00 CET 2012 on sn-devel-104
commit ad987df7134b0e001c5f1d5d47bb6da6f64f1397
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:51:10 2012 +0100
s4-torture: call the s4u2self tests with arcfour and aes.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104
(cherry picked from commit ade5bfd304cc806758a58f04b35834cd730dd9ba)
The last 28 patches address bug #9438 - netr_ServerPasswordSet2,
netr_LogonSamLogon with netlogon AES broken.
commit e057dea8eca28dd4d2536535649b0233be4147df
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:57:18 2012 +0100
s4-torture: precalculate expected session keys from samlogon in schannel test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d0bad6c3350698b26ba009bb0c91d0265cc22f60)
commit f84b881598c4107f51a14ee6d9469c84bf09a5ff
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 12:38:16 2012 +0100
libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5)
commit db81ad10a929c379862cd7f067a723ea728a4d4c
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 7 01:05:00 2012 +0100
libcli/auth: remove trailing whitespace.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit be296a21fc509cacaedb5aad0c3ca4ccd44b4a62)
commit 9de38fc3ad56ad63587f5d33edc8fd6749fe1d9e
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 15:21:02 2012 +0100
s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f2d9589b178c0e3374e1c1ad363639b9e2bdce5f)
commit 751b1520a1e6959e901c02dc3daaa7d727ae3d1f
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 14:54:25 2012 +0100
s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c1fb595081c2b0bf66bce06c09750f53e8031311)
commit 32f826527f32e6424b36a4d889ce0e7a11e19b06
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 6 14:31:32 2012 +0100
s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7f435bd649f0b313804f40807a38de9478478b6c)
commit 012937c1f64a0d9d5a5c6df0f3195180967fbde5
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 19:49:52 2012 +0100
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 645289216eeb718eab1201dd3ad0a50fdf85753c)
commit 1dbf3ac486d41e32808a6c4982d6b33d317b155f
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:24:24 2012 +0100
s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 71572632bd33dcb5c03a701bbb72a707e5642237)
commit 119b15c9891ea4188f58c5c9a07187f57c3bc8d6
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 19:52:54 2012 +0100
s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
Sumit, please check.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a52115ce67c2e5bd1e478d7601483fd2490aea31)
commit 09969469b8ca3d8127acff361f2c6731ba9024cf
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 18:06:54 2012 +0100
s4-torture: validate owf password hash and negotiate AES in forest trust test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 6aec126566d01dd9ddbbd5488f73b61729094a52)
commit 9a9d2f2cd1f3d7e9e750e7d61e3eb18023322e7d
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 17:59:12 2012 +0100
s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 83b00afe9f2116ef04378c251070143595450a3e)
commit a63d67b843906e73875471f1943cc6574463167e
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:37:02 2012 +0100
s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 306a78d97f2fdfaa81c58bafdebcfab0fb8f1636)
commit 65f75fc568bb2ee22d7532741fe0460787629670
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 18:38:01 2012 +0100
s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit fd7087020344f7d24737e3be2f3afbd0417b0026)
commit 967705d611a1a0b2c6bf94af0774d034df545cf6
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:21:59 2012 +0100
s4-torture: exit early when join fails in samba3rpc tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 4afb7dcb43c6903568c0fe2c2c2044706e9bd613)
commit 12e3fed97ea2872093fd57fa95115401be472cad
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:20:14 2012 +0100
s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5089442bfdbeff7314e589387c3702f9c401e12a)
commit a5178080727d051f31de5bfe0480bc5a5967151b
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:23:34 2012 +0100
s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d94f012f3fb428027709a9c8becf8edb85072463)
commit da0824341678762a1989af339c2bcec4ba1f6840
Author: Günther Deschner <gd at samba.org>
Date: Wed Dec 5 16:11:19 2012 +0100
s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 3dffd29904b3de145941a7420d56b30611f9616f)
commit 2b1646ecb9b497a16fb46ab83a93e334838e8dce
Author: Günther Deschner <gd at samba.org>
Date: Tue Dec 4 23:11:10 2012 +0100
s4-torture: remove trailing whitespace in smbtorture remote_pac test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf)
commit 7aa26fdc2b2f20e71e25d50cc9b325c51de1341e
Author: Günther Deschner <gd at samba.org>
Date: Sat Dec 1 00:59:44 2012 +0100
s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c6f4745c5670e8da77078e19f2d6a3a485e7adc6)
commit 5217de05d2b9b93521fa5a5fb615b7645d4406cb
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:47:40 2012 +0100
s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 01e69703fb8c58ab1940bb560e34f6c3f10e0ae9)
commit 7d8423021042455a0d2f7f6d185be624cd8e5a42
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:47:19 2012 +0100
s4-torture: add AES support for netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 3dc8c20b8a94063c6578b60750757c5a40d7db38)
commit 9c82385c9f0495c008d4b81c218b762a09ad284e
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:44:33 2012 +0100
s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 0a091604a45b4b143745a20fa842878ceb745c39)
commit 32bb7c0fb6a8204f5b5b5dfb6d28f1055fe0d9d8
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 22:24:37 2012 +0100
s4-torture: remove trailing whitespace from netlogon test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d1f481ffe17ce84ffddbedf1bd7efb0654e2807e)
commit 7a8205a8342b89b0a6368b3eb5318aa2c9f486a2
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:35:04 2012 +0100
s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 1362d542df715aa31e9b818ee8783b5ee35f8870)
commit aed9bf6cbd85d5a2f8e1121d111b3d9e58fcfab7
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:34:36 2012 +0100
s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 64345018cda744d16b123d6ef5c4a982340484dc)
commit a4b1dda1428171459a054620d6cacf204419f58a
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:30:24 2012 +0100
s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ec06c81db313f2862544c972cbf582a07bb844c2)
commit d4dedc7513d2e3637baf6a746ec8a3c0075a3dbd
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 29 21:23:30 2012 +0100
libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 429600c5f3079c8433d5a542383908d6ff61fe60)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 5 +
libcli/auth/credentials.c | 118 +++++++----
libcli/auth/proto.h | 2 +
source3/auth/auth_util.c | 34 +---
source3/auth/check_samsec.c | 2 +-
source3/auth/proto.h | 9 +-
source3/auth/server_info.c | 30 ---
source3/rpc_client/cli_netlogon.c | 7 +-
source3/rpc_client/init_netlogon.c | 12 +-
source3/rpc_client/init_netlogon.h | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 110 ++++++---
source3/torture/pdbtest.c | 2 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 35 +++-
source4/torture/rpc/forest_trust.c | 13 +-
source4/torture/rpc/netlogon.c | 296 +++++++++++++++----------
source4/torture/rpc/remote_pac.c | 226 +++++++++++++------
source4/torture/rpc/samba3rpc.c | 19 +-
source4/torture/rpc/samlogon.c | 4 +-
source4/torture/rpc/samr.c | 7 +-
source4/torture/rpc/samsync.c | 2 +-
source4/torture/rpc/schannel.c | 122 ++++++++++-
21 files changed, 682 insertions(+), 375 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 004c252..bcf90de 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -201,6 +201,11 @@ o Alexander Bokovoy <ab at samba.org>
* BUG 9479: Support FIPS mode when building Samba.
+o Günther Deschner <gd at samba.org>
+ * BUG 9438: Fix netr_ServerPasswordSet2, netr_LogonSamLogon with netlogon
+ AES.
+
+
o Tsukasa Hamano <hamano at osstech.co.jp>
* BUG 9471: Fix SEGV when using second vfs module.
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index dfbfdb3..63407e7 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
code to manipulate domain credentials
Copyright (C) Andrew Tridgell 1997-2003
Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -85,7 +85,7 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr
memset(zero, 0, sizeof(zero));
- hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
+ hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
MD5Init(&md5);
MD5Update(&md5, zero, sizeof(zero));
MD5Update(&md5, client_challenge->data, 8);
@@ -142,7 +142,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
{
struct netr_Credential time_cred;
- DEBUG(5,("\tseed %08x:%08x\n",
+ DEBUG(5,("\tseed %08x:%08x\n",
IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
@@ -152,18 +152,18 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
netlogon_creds_step_crypt(creds, &time_cred, &creds->client);
- DEBUG(5,("\tCLIENT %08x:%08x\n",
+ DEBUG(5,("\tCLIENT %08x:%08x\n",
IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
- DEBUG(5,("\tseed+time+1 %08x:%08x\n",
+ DEBUG(5,("\tseed+time+1 %08x:%08x\n",
IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
netlogon_creds_step_crypt(creds, &time_cred, &creds->server);
- DEBUG(5,("\tSERVER %08x:%08x\n",
+ DEBUG(5,("\tSERVER %08x:%08x\n",
IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
creds->seed = time_cred;
@@ -222,6 +222,34 @@ void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
data_blob_free(&session_key);
}
+/*
+ AES encrypt a password buffer using the session key
+*/
+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+{
+ AES_KEY key;
+ uint8_t iv[AES_BLOCK_SIZE];
+
+ AES_set_encrypt_key(creds->session_key, 128, &key);
+ ZERO_STRUCT(iv);
+
+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
+}
+
+/*
+ AES decrypt a password buffer using the session key
+*/
+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+{
+ AES_KEY key;
+ uint8_t iv[AES_BLOCK_SIZE];
+
+ AES_set_encrypt_key(creds->session_key, 128, &key);
+ ZERO_STRUCT(iv);
+
+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
+}
+
/*****************************************************************
The above functions are common to the client and server interface
next comes the client specific functions
@@ -231,10 +259,10 @@ next comes the client specific functions
initialise the credentials chain and return the first client
credentials
*/
-
-struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
+
+struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
const char *client_account,
- const char *client_computer_name,
+ const char *client_computer_name,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
const struct samr_Password *machine_password,
@@ -242,11 +270,11 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
uint32_t negotiate_flags)
{
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
+
if (!creds) {
return NULL;
}
-
+
creds->sequence = time(NULL);
creds->negotiate_flags = negotiate_flags;
@@ -289,7 +317,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
initialise the credentials structure with only a session key. The caller better know what they are doing!
*/
-struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
const uint8_t session_key[16])
{
struct netlogon_creds_CredentialState *creds;
@@ -298,7 +326,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
if (!creds) {
return NULL;
}
-
+
memcpy(creds->session_key, session_key, 16);
return creds;
@@ -308,12 +336,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
step the credentials to the next element in the chain, updating the
current client and server credentials and the seed
- produce the next authenticator in the sequence ready to send to
+ produce the next authenticator in the sequence ready to send to
the server
*/
void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *next)
-{
+{
creds->sequence += 2;
netlogon_creds_step(creds);
@@ -327,7 +355,7 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *
bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
const struct netr_Credential *received_credentials)
{
- if (!received_credentials ||
+ if (!received_credentials ||
memcmp(received_credentials->data, creds->server.data, 8) != 0) {
DEBUG(2,("credentials check failed\n"));
return false;
@@ -360,9 +388,9 @@ static bool netlogon_creds_server_check_internal(const struct netlogon_creds_Cre
initialise the credentials chain and return the first server
credentials
*/
-struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
const char *client_account,
- const char *client_computer_name,
+ const char *client_computer_name,
uint16_t secure_channel_type,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
@@ -371,13 +399,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
struct netr_Credential *credentials_out,
uint32_t negotiate_flags)
{
-
+
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
+
if (!creds) {
return NULL;
}
-
+
creds->negotiate_flags = negotiate_flags;
creds->secure_channel_type = secure_channel_type;
@@ -402,10 +430,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
server_challenge,
machine_password);
} else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
- netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
+ netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
machine_password);
} else {
- netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
+ netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
machine_password);
}
@@ -433,7 +461,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator)
+ struct netr_Authenticator *return_authenticator)
{
if (!received_authenticator || !return_authenticator) {
return NT_STATUS_INVALID_PARAMETER;
@@ -459,7 +487,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
uint16_t validation_level,
- union netr_Validation *validation)
+ union netr_Validation *validation)
{
static const char zeros[16];
@@ -492,28 +520,42 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
/* find and decyrpt the session keys, return in parameters above */
if (validation_level == 6) {
/* they aren't encrypted! */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ if (memcmp(base->key.key, zeros,
+ sizeof(base->key.key)) != 0) {
+ netlogon_creds_aes_decrypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
+
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+ netlogon_creds_aes_decrypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- if (memcmp(base->key.key, zeros,
+ if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
- netlogon_creds_arcfour_crypt(creds,
- base->key.key,
+ netlogon_creds_arcfour_crypt(creds,
+ base->key.key,
sizeof(base->key.key));
}
-
- if (memcmp(base->LMSessKey.key, zeros,
+
+ if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_arcfour_crypt(creds,
- base->LMSessKey.key,
+ netlogon_creds_arcfour_crypt(creds,
+ base->LMSessKey.key,
sizeof(base->LMSessKey.key));
}
} else {
- if (memcmp(base->LMSessKey.key, zeros,
+ if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_des_decrypt_LMKey(creds,
+ netlogon_creds_des_decrypt_LMKey(creds,
&base->LMSessKey);
}
}
-}
+}
/*
copy a netlogon_creds_CredentialState struct
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 37c87b4..b9d91d0 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -16,6 +16,8 @@ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *cre
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
/*****************************************************************
The above functions are common to the client and server interface
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 83c95a9..b75a390 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
- const uchar nt_interactive_pwd[16],
- const uchar *dc_sess_key)
+ const uchar nt_interactive_pwd[16])
{
struct samr_Password lm_pwd;
struct samr_Password nt_pwd;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
- unsigned char key[16];
-
- memcpy(key, dc_sess_key, 16);
if (lm_interactive_pwd)
memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
@@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
if (nt_interactive_pwd)
memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("key:"));
- dump_data(100, key, sizeof(key));
-
- DEBUG(100,("lm owf password:"));
- dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
-
- DEBUG(100,("nt owf password:"));
- dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
-#endif
-
- if (lm_interactive_pwd)
- arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
-
- if (nt_interactive_pwd)
- arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("decrypt of lm owf password:"));
- dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
-
- DEBUG(100,("decrypt of nt owf password:"));
- dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
-#endif
-
if (lm_interactive_pwd)
SMBOWFencrypt(lm_pwd.hash, chal,
local_lm_response);
@@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
SMBOWFencrypt(nt_pwd.hash, chal,
local_nt_response);
- /* Password info paranoia */
- ZERO_STRUCT(key);
-
{
bool ret;
NTSTATUS nt_status;
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 2d3cb65..7ed8cc2 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge,
goto done;
}
- status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+ status = serverinfo_to_SamInfo3(server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
nt_errstr(status)));
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 98b48df..76661fc 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
- const uchar nt_interactive_pwd[16],
- const uchar *dc_sess_key);
+ const uchar nt_interactive_pwd[16]);
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
@@ -277,16 +276,10 @@ struct netr_SamInfo6;
struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2);
NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3);
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6);
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 216e5e3..3f4f708 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2)
{
struct netr_SamInfo3 *info3;
@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
server_info->session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.key.key,
- pipe_session_key, 16);
- }
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.LMSessKey.key,
- pipe_session_key, 8);
- }
}
sam2->base = info3->base;
@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3)
{
struct netr_SamInfo3 *info3;
@@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
server_info->session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.key.key,
- pipe_session_key, 16);
- }
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
- if (pipe_session_key) {
- arcfour_crypt(info3->base.LMSessKey.key,
- pipe_session_key, 8);
- }
}
sam3->base = info3->base;
@@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6)
{
struct pdb_domain_info *dominfo;
@@ -176,20 +154,12 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
server_info->session_key.data,
--
Samba Shared Repository
More information about the samba-cvs
mailing list