[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Sat Dec 15 17:35:02 MST 2012
The branch, master has been updated
via d846199 s4-rpc_server: use netlogon_creds_encrypt_samlogon().
via be43456 s3-rpc_server: use netlogon_creds_encrypt_samlogon().
via 301f69b libcli/auth: add netlogon_creds_encrypt_samlogon_validation().
via 563cc67 libcli/auth: rename netlogon_creds_decrypt_samlogon() to netlogon_creds_decrypt_samlogon_validation().
from 6127ba8 s3fs: make the log warning go away
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d8461992dbc6005f02240cf1eae8a56ba4c55148
Author: Günther Deschner <gd at samba.org>
Date: Tue Dec 11 23:53:22 2012 +0100
s4-rpc_server: use netlogon_creds_encrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Sun Dec 16 01:34:01 CET 2012 on sn-devel-104
commit be43456c94d0ed3786020223aac31e1908028caf
Author: Günther Deschner <gd at samba.org>
Date: Tue Dec 11 23:52:59 2012 +0100
s3-rpc_server: use netlogon_creds_encrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 301f69b0ca72e55556ac2c7b5fbf940821b41766
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 14 14:18:40 2012 +0100
libcli/auth: add netlogon_creds_encrypt_samlogon_validation().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 563cc67ac65c2061971c4b02ac7037e00f1f9ae8
Author: Günther Deschner <gd at samba.org>
Date: Fri Dec 14 14:17:22 2012 +0100
libcli/auth: rename netlogon_creds_decrypt_samlogon() to netlogon_creds_decrypt_samlogon_validation().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/credentials.c | 50 ++++++++++++++++++++++---
libcli/auth/proto.h | 9 +++-
source3/rpc_client/cli_netlogon.c | 6 ++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +----------
source4/rpc_server/netlogon/dcerpc_netlogon.c | 37 +-----------------
source4/torture/rpc/samlogon.c | 12 ++++-
source4/winbind/wb_sam_logon.c | 6 +-
7 files changed, 72 insertions(+), 71 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 63407e7..9d3df9f 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -485,9 +485,10 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
}
}
-void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation)
+static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ bool encrypt)
{
static const char zeros[16];
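Review bot: The new `bool encrypt` parameter shares its name with the POSIX `encrypt()` function declared in `<unistd.h>`, which can trip `-Wshadow` on some compilers when that header is in scope; `bool do_encrypt` avoids the clash. This static helper is now the one place where the SamLogon session keys are encrypted or decrypted, yet it has no header comment. One stating that it rewrites `validation` in place and that the flag selects the direction would help callers. The function body continues outside this hunk.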
@@ -521,20 +522,35 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
if (validation_level == 6) {
/* they aren't encrypted! */
} else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
- netlogon_creds_aes_decrypt(creds,
+ if (encrypt) {
+ netlogon_creds_aes_encrypt(creds,
base->key.key,
sizeof(base->key.key));
+ } else {
+ netlogon_creds_aes_decrypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
}
if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_aes_decrypt(creds,
+ if (encrypt) {
+ netlogon_creds_aes_encrypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+
+ } else {
+ netlogon_creds_aes_decrypt(creds,
base->LMSessKey.key,
sizeof(base->LMSessKey.key));
+ }
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
netlogon_creds_arcfour_crypt(creds,
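Review bot: The ARCFOUR branch never consults `encrypt`, while the AES branch above it and the DES branch in the next hunk both do, so a reader may take it for an oversight. If it is intentional because `netlogon_creds_arcfour_crypt()` applies the same RC4 keystream in both directions, say so with a comment such as `/* RC4 is symmetric: the same call encrypts and decrypts */`. The empty added line after the `LMSessKey` encrypt call in the AES branch can also be dropped. The ARCFOUR branch continues past the end of this hunk.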
@@ -549,14 +565,36 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
sizeof(base->LMSessKey.key));
}
} else {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_des_decrypt_LMKey(creds,
+ if (encrypt) {
+ netlogon_creds_des_encrypt_LMKey(creds,
+ &base->LMSessKey);
+ } else {
+ netlogon_creds_des_decrypt_LMKey(creds,
&base->LMSessKey);
+ }
}
}
}
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+ validation, false);
+}
+
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+ validation, true);
+}
+
/*
copy a netlogon_creds_CredentialState struct
*/
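Review bot: Both new wrappers use `return netlogon_creds_crypt_samlogon_validation(...);` inside a `void` function, which ISO C does not permit (a `return` with an expression in a function returning void) and which compilers flag under `-pedantic`. Call the helper as a plain statement instead, e.g. `netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, false);`. Separately, the final `else` branch of the helper processes only `LMSessKey`, so `base->key.key` is left as it is when neither AES nor ARCFOUR was negotiated. That appears intended, but it deserves a comment there such as `/* key.key is not crypted without the AES or ARCFOUR flag */`.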
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index b9d91d0..89a732e 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -57,9 +57,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *received_authenticator,
struct netr_Authenticator *return_authenticator) ;
-void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation) ;
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation);
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation);
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a0a9457..66a50a8 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -467,7 +467,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
return result;
}
- netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
+ netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+ &validation);
result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
if (!NT_STATUS_IS_OK(result)) {
@@ -575,7 +576,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
return result;
}
- netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
+ netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+ &validation);
result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 9b50655..cfd91c2 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1466,7 +1466,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
struct auth_serversupplied_info *server_info = NULL;
struct auth_context *auth_context = NULL;
const char *fn;
- struct netr_SamBaseInfo *base;
switch (p->opnum) {
case NDR_NETR_LOGONSAMLOGON:
@@ -1693,17 +1692,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
case 2:
status = serverinfo_to_SamInfo2(server_info,
r->out.validation->sam2);
- base = &r->out.validation->sam2->base;
break;
case 3:
status = serverinfo_to_SamInfo3(server_info,
r->out.validation->sam3);
- base = &r->out.validation->sam3->base;
break;
case 6:
status = serverinfo_to_SamInfo6(server_info,
r->out.validation->sam6);
- base = &r->out.validation->sam6->base;
break;
}
@@ -1713,22 +1709,9 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
return status;
}
- if (r->in.validation_level == 6) {
- /* no further crypto to be applied - gd */
- return NT_STATUS_OK;
- }
-
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, base->key.key, 16);
- netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8);
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
- netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
- } else {
- /* key is unencrypted when neither AES nor RC4 bits are set */
- netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey);
- }
-
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
return NT_STATUS_OK;
}
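Review bot: The helper call is not a drop-in for the removed block: the old code encrypted `base->key.key` and `base->LMSessKey.key` unconditionally, while the shared helper in libcli/auth/credentials.c skips any key that is all zeros. Going by the helper's own comment that is the safer behaviour, but it changes what this server puts on the wire and the commit message does not mention it. A short comment at the call, e.g. `/* all-zero keys and validation level 6 are left unencrypted */`, would keep that visible here now that the old explanatory comments are gone. `_netr_LogonSamLogon_base` starts outside this hunk.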
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 3eaf0d4..d463e85 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -619,7 +619,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
struct auth_usersupplied_info *user_info;
struct auth_user_info_dc *user_info_dc;
NTSTATUS nt_status;
- static const char zeros[16];
struct netr_SamBaseInfo *sam;
struct netr_SamInfo2 *sam2;
struct netr_SamInfo3 *sam3;
@@ -817,39 +816,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
return NT_STATUS_INVALID_INFO_CLASS;
}
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
- /* This key is sent unencrypted without the ARCFOUR or AES flag set */
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds,
- sam->key.key,
- sizeof(sam->key.key));
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->key.key,
- sizeof(sam->key.key));
- }
- }
-
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds,
- sam->LMSessKey.key,
- sizeof(sam->LMSessKey.key));
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->LMSessKey.key,
- sizeof(sam->LMSessKey.key));
- } else {
- netlogon_creds_des_encrypt_LMKey(creds,
- &sam->LMSessKey);
- }
- }
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
/* TODO: Describe and deal with these flags */
*r->out.flags = 0;
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 8d13a63..bd85c22 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -176,7 +176,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r->out.validation);
switch (validation_level) {
case 2:
@@ -208,7 +210,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_ex->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r_ex->out.validation);
switch (validation_level) {
case 2:
@@ -248,7 +252,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_flags->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r_flags->out.validation);
switch (validation_level) {
case 2:
diff --git a/source4/winbind/wb_sam_logon.c b/source4/winbind/wb_sam_logon.c
index 32fddd2..e940082 100644
--- a/source4/winbind/wb_sam_logon.c
+++ b/source4/winbind/wb_sam_logon.c
@@ -208,9 +208,9 @@ static void wb_sam_logon_recv_samlogon(struct tevent_req *subreq)
/* Decrypt the session keys before we reform the info3, so the
* person on the other end of winbindd pipe doesn't have to.
* They won't have the encryption key anyway */
- netlogon_creds_decrypt_samlogon(state->creds_state,
- state->r.in.validation_level,
- state->r.out.validation);
+ netlogon_creds_decrypt_samlogon_validation(state->creds_state,
+ state->r.in.validation_level,
+ state->r.out.validation);
/*
* we do not need the netlogon_creds lock anymore
--
Samba Shared Repository