[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue Jul 17 08:18:01 MDT 2012


The branch, master has been updated
       via  2d1334e s3-autoconf: Fix the build.
       via  98b9ef5 Enable AES in winbind.
       via  33206b1 s3-rpc_client: Fix updating netlogon credentials.
       via  572b549 s3-rpc_client: Add capabilities check for AES encrypted connections.
       via  18692b0 s4-auth: Make sure we use the correct credential state.
       via  197781a s4-librpc: Add capabilities check for AES encrypted connections.
       via  a3e8356 s4-torture: Improve samlogon test.
       via  2c3dc04 s4-torture: Add DCERPC_SCHANNEL_AES tests.
       via  5e25fc6 s3:rpc_server: add support for AES bases netlogon schannel
       via  04d770a s4:rpc_server/netlogon: add support for AES based netlogon schannel
       via  780006d s4:librpc/rpc: add DCERPC_SCHANNEL_AES support
       via  a7208de libcli/auth: add support for AES/HMAC-SHA256 to the netlogon schannel sign/seal
       via  99e5241 libcli/auth: add support for AES/HMAC-SHA256 schannel session key support
       via  9923118 s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for it
       via  e48aabc s4:rpc_server/netlogon: implement netr_LogonGetCapabilities
       via  342a2e6 s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc
       via  e7c7a91 s4:librpc/rpc/dcerpc_schannel: rework downgrade logic
      from  db33ef7 VERSION: Move on to beta5!

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2d1334e9924a0d37afa01fc302e76dad6564c197
Author: Günther Deschner <gd at samba.org>
Date:   Wed Jun 27 18:17:34 2012 +0200

    s3-autoconf: Fix the build.
    
    Guenther
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Jul 17 16:17:06 CEST 2012 on sn-devel-104

commit 98b9ef54f26e95c6c5502027cd6ab7855bf1e6ee
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 10 16:45:13 2012 +0100

    Enable AES in winbind.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 33206b1e240e55acedad606aed4f1952f7496b35
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 10 16:38:16 2012 +0100

    s3-rpc_client: Fix updating netlogon credentials.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 572b54906305edb4756f139c61a4d4db2f24eff1
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 2 18:54:47 2012 +0100

    s3-rpc_client: Add capabilities check for AES encrypted connections.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 18692b060f098015bf2eee0835611eb7d95fd923
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 17 10:50:48 2012 +0200

    s4-auth: Make sure we use the correct credential state.
    
    If we create a copy of the credential state we miss updates to the
    credentials.
    
    To establish a netlogon schannel connection we create client credentials
    and authenticate with them using
    
    dcerpc_netr_ServerAuthenticate2()
    
    For this we call netlogon_creds_client_authenticator() which increases
    the sequence number and steps the credentials. Let's assume the sequence
    number is 1002.
    
    After a successful authentication we get the server credentials and we
    send a bind auth request with the received creds. This sets up gensec
    and the gensec schannel module creates a copy of the client creds and
    stores it in the schannel auth state. So the creds stored in gensec have
    the sequence number 1002.
    
    After that we continue and need the client credentials to call
    
    dcerpc_netr_LogonGetCapabilities()
    
    to verify the connection. So we need to increase the sequence number of
    the credentials to 1004 and step the credentials to the next state. The
    server always does the same and everything is just fine here.
    
    The connection is established and we want to do another netlogon call.
    So we get the creds from gensec and want to do a netlogon call e.g.
    
    dcerpc_netr_SamLogonWithFlags.
    
    We get the needed creds from gensec. The sequence number is 1002 and
    we talk to the server. The server is already ahead cause we are already
    at sequence number 1004 and the server expects it to be 1006. So the
    server gives us ACCESS_DENIED cause we use a copy in gensec.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 197781a651d5be0b491a0aa51cc3756049a1e1d5
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 2 18:22:25 2012 +0100

    s4-librpc: Add capabilities check for AES encrypted connections.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit a3e835635cbdfdb6ec8ef6125f2ce53cfa5eba69
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 17 10:55:58 2012 +0200

    s4-torture: Improve samlogon test.

commit 2c3dc04be26b5129e26aeae7aef3b8f5de7cb8c1
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 2 16:27:45 2012 +0100

    s4-torture: Add DCERPC_SCHANNEL_AES tests.
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 5e25fc66861a0961ae41b246645d49e57ba8997c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 29 09:29:00 2009 +0200

    s3:rpc_server: add support for AES bases netlogon schannel
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 04d770adac531479ce1ea8a7b295a6382d718a92
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 29 09:47:51 2009 +0200

    s4:rpc_server/netlogon: add support for AES based netlogon schannel
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 780006db9de7a55030ba07fc5236c85bee7b4961
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 23 15:20:26 2011 +0100

    s4:librpc/rpc: add DCERPC_SCHANNEL_AES support
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit a7208de06a6b47ef0b6947d50b46efc79d1198ce
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 16 03:09:30 2009 +0200

    libcli/auth: add support for AES/HMAC-SHA256 to the netlogon schannel sign/seal
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 99e5241d36bf5beda675b347b9223a38ff2b5d26
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 27 17:28:35 2009 +0200

    libcli/auth: add support for AES/HMAC-SHA256 schannel session key support
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 99231181e319db797f33dc10d1a0886631b5cc64
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 29 09:47:51 2009 +0200

    s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for it
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit e48aabc0063c957fb5590c4165997253f6021383
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 18 20:24:16 2009 +0200

    s4:rpc_server/netlogon: implement netr_LogonGetCapabilities
    
    This is also needed to support AES.
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 342a2e6181a07737e2f9cb7476fa86c39b0731ec
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 23 15:26:07 2011 +0100

    s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc
    
    The RODC stuff doesn't depend on the schannel algorithm.
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit e7c7a911302fa6c3df70303a529e0ba362f9e838
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 23 15:22:06 2011 +0100

    s4:librpc/rpc/dcerpc_schannel: rework downgrade logic
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/credentials.c                     |   66 ++++++++-
 libcli/auth/credentials.h                     |    2 -
 libcli/auth/schannel_sign.c                   |  188 ++++++++++++++++++-------
 librpc/rpc/rpc_common.h                       |    3 +
 source3/Makefile.in                           |   14 +--
 source3/rpc_client/cli_pipe.c                 |  164 +++++++++++++++++++++-
 source3/rpc_server/netlogon/srv_netlog_nt.c   |    4 +
 source3/winbindd/winbindd_cm.c                |    2 +-
 source4/auth/gensec/schannel.c                |    7 +-
 source4/librpc/rpc/dcerpc_schannel.c          |  176 ++++++++++++++++++++++--
 source4/rpc_server/netlogon/dcerpc_netlogon.c |   83 +++++++----
 source4/torture/rpc/samlogon.c                |    8 +
 source4/torture/rpc/schannel.c                |    6 +-
 13 files changed, 611 insertions(+), 112 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 8130476..dfbfdb3 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -30,7 +30,17 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre
 				      const struct netr_Credential *in,
 				      struct netr_Credential *out)
 {
-	des_crypt112(out->data, in->data, creds->session_key, 1);
+	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		AES_KEY key;
+		uint8_t iv[AES_BLOCK_SIZE];
+
+		AES_set_encrypt_key(creds->session_key, 128, &key);
+		ZERO_STRUCT(iv);
+
+		aes_cfb8_encrypt(in->data, out->data, 8, &key, iv, AES_ENCRYPT);
+	} else {
+		des_crypt112(out->data, in->data, creds->session_key, 1);
+	}
 }
 
 /*
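Review bot: in the new AES branch of netlogon_creds_step_crypt() the IV is fixed at all zeros (ZERO_STRUCT(iv)) and the key is the session key itself, so every call encrypts under the same key and IV; if that is what the protocol requires, say so in a comment, because as written it looks like an oversight. The return value of AES_set_encrypt_key() is also ignored, and the expanded key is left on the stack on return, unlike netlogon_creds_init_hmac_sha256() further down, which clears digest and ctx; a ZERO_STRUCT(key) at the end of the branch would match that.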
@@ -85,6 +95,34 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr
 	hmac_md5_final(creds->session_key, &ctx);
 }
 
+/*
+  initialise the credentials state for AES/HMAC-SHA256-style 128 bit session keys
+
+  this call is made after the netr_ServerReqChallenge call
+*/
+static void netlogon_creds_init_hmac_sha256(struct netlogon_creds_CredentialState *creds,
+					    const struct netr_Credential *client_challenge,
+					    const struct netr_Credential *server_challenge,
+					    const struct samr_Password *machine_password)
+{
+	struct HMACSHA256Context ctx;
+	uint8_t digest[SHA256_DIGEST_LENGTH];
+
+	ZERO_STRUCT(creds->session_key);
+
+	hmac_sha256_init(machine_password->hash,
+			 sizeof(machine_password->hash),
+			 &ctx);
+	hmac_sha256_update(client_challenge->data, 8, &ctx);
+	hmac_sha256_update(server_challenge->data, 8, &ctx);
+	hmac_sha256_final(digest, &ctx);
+
+	memcpy(creds->session_key, digest, sizeof(creds->session_key));
+
+	ZERO_STRUCT(digest);
+	ZERO_STRUCT(ctx);
+}
+
 static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds,
 				      const struct netr_Credential *client_challenge,
 				      const struct netr_Credential *server_challenge)
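Review bot: the memcpy() at the end of netlogon_creds_init_hmac_sha256() silently truncates the SHA256_DIGEST_LENGTH-byte digest to sizeof(creds->session_key); the header comment says "128 bit session keys" but nothing in the code ties the two sizes together. A comment that the key is the leading bytes of the HMAC output, plus a compile-time check that sizeof(creds->session_key) <= SHA256_DIGEST_LENGTH, would make that explicit. The two hmac_sha256_update() calls hard-code 8 where sizeof(client_challenge->data) would be safer. Clearing digest and ctx afterwards is good.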
@@ -227,7 +265,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
 	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
 	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
 
-	if (negotiate_flags & NETLOGON_NEG_128BIT) {
+	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		netlogon_creds_init_hmac_sha256(creds,
+						client_challenge,
+						server_challenge,
+						machine_password);
+	} else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
 		netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
 	} else {
 		netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
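Review bot: the else-if now tests NETLOGON_NEG_STRONG_KEYS where the removed line tested NETLOGON_NEG_128BIT, and nothing in this hunk says whether the two names are the same bit. If they are aliases, a one-line note in the commit message would settle it; if they are not, this changes which peers end up in netlogon_creds_init_128bit() and belongs in its own commit.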
@@ -338,6 +381,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 	creds->negotiate_flags = negotiate_flags;
 	creds->secure_channel_type = secure_channel_type;
 
+	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
+	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
+	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
+
 	creds->computer_name = talloc_strdup(creds, client_computer_name);
 	if (!creds->computer_name) {
 		talloc_free(creds);
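Review bot: the added dump_data_pw("Machine Pass", ...) in netlogon_creds_server_init() writes the machine account password hash to the debug output on the server for every incoming request, before anything about the caller has been checked. Please confirm that dump_data_pw() is compiled out or gated behind a level that is never enabled in production, or drop that line and keep only the two challenge dumps.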
@@ -349,7 +396,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 		return NULL;
 	}
 
-	if (negotiate_flags & NETLOGON_NEG_128BIT) {
+	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		netlogon_creds_init_hmac_sha256(creds,
+						client_challenge,
+						server_challenge,
+						machine_password);
+	} else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
 		netlogon_creds_init_128bit(creds, client_challenge, server_challenge, 
 					   machine_password);
 	} else {
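Review bot: this three-way selection (SUPPORTS_AES, then STRONG_KEYS, then 64 bit) is now duplicated verbatim in netlogon_creds_client_init() and netlogon_creds_server_init(). A small static helper taking negotiate_flags would keep client and server from drifting apart, which here would show up as mismatched session keys rather than a build error.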
@@ -359,6 +411,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 
 	netlogon_creds_first_step(creds, client_challenge, server_challenge);
 
+	dump_data_pw("Session key", creds->session_key, 16);
+	dump_data_pw("Client Credential ", creds->client.data, 8);
+	dump_data_pw("Server Credential ", creds->server.data, 8);
+
+	dump_data_pw("Credentials in", credentials_in->data, sizeof(credentials_in->data));
+
 	/* And before we leak information about the machine account
 	 * password, check that they got the first go right */
 	if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
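Review bot: the new dumps of "Session key" and both credentials sit above the existing comment "before we leak information about the machine account password, check that they got the first go right", so they run before netlogon_creds_server_check_internal() has accepted the caller. Move them below the check or remove them; the session key is derived from the machine password hash, so dumping it for a request that then fails the check is exactly what that comment warns about.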
@@ -368,6 +426,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 
 	*credentials_out = creds->server;
 
+	dump_data_pw("Credentials out", credentials_out->data, sizeof(credentials_out->data));
+
 	return creds;
 }
 
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h
index 47582ef..7b8fac6 100644
--- a/libcli/auth/credentials.h
+++ b/libcli/auth/credentials.h
@@ -68,5 +68,3 @@
 
 #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
-#define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH)
-
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 29a97b9..ebd8f1c 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -31,10 +31,28 @@ static void netsec_offset_and_sizes(struct schannel_state *state,
 				    uint32_t *_checksum_length,
 				    uint32_t *_confounder_ofs)
 {
-	uint32_t min_sig_size = 24;
-	uint32_t used_sig_size = 32;
-	uint32_t checksum_length = 8;
-	uint32_t confounder_ofs = 24;
+	uint32_t min_sig_size;
+	uint32_t used_sig_size;
+	uint32_t checksum_length;
+	uint32_t confounder_ofs;
+
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		min_sig_size = 48;
+		used_sig_size = 56;
+		/*
+		 * Note: windows has a bug here and uses the old values...
+		 *
+		 * checksum_length = 32;
+		 * confounder_ofs = 48;
+		 */
+		checksum_length = 8;
+		confounder_ofs = 24;
+	} else {
+		min_sig_size = 24;
+		used_sig_size = 32;
+		checksum_length = 8;
+		confounder_ofs = 24;
+	}
 
 	if (do_seal) {
 		min_sig_size += 8;
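Review bot: the comment in the AES branch of netsec_offset_and_sizes() is hard to read: it says Windows "uses the old values" and then shows 32/48 commented out while assigning 8/24, so it is unclear which pair is "old" and which one was expected. Reword it to say that 8 and 24 are kept for interoperability and that 32 and 48 are the values one would otherwise use. Since checksum_length and confounder_ofs are then identical in both branches, they could be set once outside the if.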
@@ -65,13 +83,25 @@ static void netsec_do_seq_num(struct schannel_state *state,
 			      uint32_t checksum_length,
 			      uint8_t seq_num[8])
 {
-	static const uint8_t zeros[4];
-	uint8_t sequence_key[16];
-	uint8_t digest1[16];
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		AES_KEY key;
+		uint8_t iv[AES_BLOCK_SIZE];
 
-	hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
-	hmac_md5(digest1, checksum, checksum_length, sequence_key);
-	arcfour_crypt(seq_num, sequence_key, 8);
+		AES_set_encrypt_key(state->creds->session_key, 128, &key);
+		ZERO_STRUCT(iv);
+		memcpy(iv+0, checksum, 8);
+		memcpy(iv+8, checksum, 8);
+
+		aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
+	} else {
+		static const uint8_t zeros[4];
+		uint8_t sequence_key[16];
+		uint8_t digest1[16];
+
+		hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
+		hmac_md5(digest1, checksum, checksum_length, sequence_key);
+		arcfour_crypt(seq_num, sequence_key, 8);
+	}
 
 	state->seq_num++;
 }
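Review bot: the AES branch of netsec_do_seq_num() ignores the checksum_length parameter and always copies 8 bytes of checksum into each half of iv. That matches the checksum_length = 8 set in netsec_offset_and_sizes(), but an assert or a comment would stop the two from drifting if that value is ever changed to 32. ZERO_STRUCT(iv) is redundant if AES_BLOCK_SIZE is 16, because the two memcpy() calls then overwrite the whole buffer, and key is not cleared before return.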
@@ -79,23 +109,48 @@ static void netsec_do_seq_num(struct schannel_state *state,
 static void netsec_do_seal(struct schannel_state *state,
 			   const uint8_t seq_num[8],
 			   uint8_t confounder[8],
-			   uint8_t *data, uint32_t length)
+			   uint8_t *data, uint32_t length,
+			   bool forward)
 {
-	uint8_t sealing_key[16];
-	static const uint8_t zeros[4];
-	uint8_t digest2[16];
-	uint8_t sess_kf0[16];
-	int i;
-
-	for (i = 0; i < 16; i++) {
-		sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-	}
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		AES_KEY key;
+		uint8_t iv[AES_BLOCK_SIZE];
+		uint8_t sess_kf0[16];
+		int i;
+
+		for (i = 0; i < 16; i++) {
+			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+		}
+
+		AES_set_encrypt_key(sess_kf0, 128, &key);
+		ZERO_STRUCT(iv);
+		memcpy(iv+0, seq_num, 8);
+		memcpy(iv+8, seq_num, 8);
+
+		if (forward) {
+			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
+			aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
+		} else {
+			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
+			aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
+		}
+	} else {
+		uint8_t sealing_key[16];
+		static const uint8_t zeros[4];
+		uint8_t digest2[16];
+		uint8_t sess_kf0[16];
+		int i;
+
+		for (i = 0; i < 16; i++) {
+			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+		}
 
-	hmac_md5(sess_kf0, zeros, 4, digest2);
-	hmac_md5(digest2, seq_num, 8, sealing_key);
+		hmac_md5(sess_kf0, zeros, 4, digest2);
+		hmac_md5(digest2, seq_num, 8, sealing_key);
 
-	arcfour_crypt(confounder, sealing_key, 8);
-	arcfour_crypt(data, sealing_key, length);
+		arcfour_crypt(confounder, sealing_key, 8);
+		arcfour_crypt(data, sealing_key, length);
+	}
 }
 
 /*******************************************************************
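Review bot: in the AES branch of netsec_do_seal() the same iv buffer is passed to two consecutive aes_cfb8_encrypt() calls, so whether data is encrypted as a continuation of the confounder stream or restarted from the seq_num-based IV depends on whether aes_cfb8_encrypt() updates iv in place; please state the intended behaviour in a comment. The sess_kf0 loop is now duplicated in both branches and could be hoisted above the if, the RC4 branch silently ignores forward, and sess_kf0 and key stay on the stack after return.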
@@ -104,38 +159,67 @@ static void netsec_do_seal(struct schannel_state *state,
  ********************************************************************/
 static void netsec_do_sign(struct schannel_state *state,
 			   const uint8_t *confounder,
-			   const uint8_t *data, size_t data_len,
+			   const uint8_t *data, size_t length,
 			   uint8_t header[8],
 			   uint8_t *checksum)
 {
-	uint8_t packet_digest[16];
-	static const uint8_t zeros[4];
-	struct MD5Context ctx;
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		struct HMACSHA256Context ctx;
 
-	MD5Init(&ctx);
-	MD5Update(&ctx, zeros, 4);
-	if (confounder) {
-		SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-		SSVAL(header, 2, NL_SEAL_RC4);
-		SSVAL(header, 4, 0xFFFF);
-		SSVAL(header, 6, 0x0000);
+		hmac_sha256_init(state->creds->session_key,
+				 sizeof(state->creds->session_key),
+				 &ctx);
 
-		MD5Update(&ctx, header, 8);
-		MD5Update(&ctx, confounder, 8);
-	} else {
-		SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-		SSVAL(header, 2, NL_SEAL_NONE);
-		SSVAL(header, 4, 0xFFFF);
-		SSVAL(header, 6, 0x0000);
+		if (confounder) {
+			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+			SSVAL(header, 2, NL_SEAL_AES128);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
 
-		MD5Update(&ctx, header, 8);
-	}
-	MD5Update(&ctx, data, data_len);
-	MD5Final(packet_digest, &ctx);
+			hmac_sha256_update(header, 8, &ctx);
+			hmac_sha256_update(confounder, 8, &ctx);
+		} else {
+			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+			SSVAL(header, 2, NL_SEAL_NONE);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
 
-	hmac_md5(state->creds->session_key,
-		 packet_digest, sizeof(packet_digest),
-		 checksum);
+			hmac_sha256_update(header, 8, &ctx);
+		}
+
+		hmac_sha256_update(data, length, &ctx);
+
+		hmac_sha256_final(checksum, &ctx);
+	} else {
+		uint8_t packet_digest[16];
+		static const uint8_t zeros[4];
+		struct MD5Context ctx;
+
+		MD5Init(&ctx);
+		MD5Update(&ctx, zeros, 4);
+		if (confounder) {
+			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+			SSVAL(header, 2, NL_SEAL_RC4);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			MD5Update(&ctx, header, 8);
+			MD5Update(&ctx, confounder, 8);
+		} else {
+			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+			SSVAL(header, 2, NL_SEAL_NONE);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			MD5Update(&ctx, header, 8);
+		}
+		MD5Update(&ctx, data, length);
+		MD5Final(packet_digest, &ctx);
+
+		hmac_md5(state->creds->session_key,
+			 packet_digest, sizeof(packet_digest),
+			 checksum);
+	}
 }
 
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
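Review bot: hmac_sha256_final(checksum, &ctx) in the AES branch of netsec_do_sign() writes a full SHA-256 digest into the caller's checksum buffer, whereas the old hmac_md5() path wrote 16 bytes and netsec_offset_and_sizes() still reports checksum_length = 8. Unless every caller's buffer is at least SHA256_DIGEST_LENGTH bytes this overruns it; finalising into a local uint8_t digest[SHA256_DIGEST_LENGTH] and copying out only the bytes that are used would be safer. The data_len to length rename is unrelated noise in this hunk.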
@@ -177,7 +261,8 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 	if (do_unseal) {
 		netsec_do_seal(state, seq_num,
 			       confounder,
-			       data, length);
+			       data, length,
+			       false);
 	}
 
 	netsec_do_sign(state, confounder,
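Review bot: the bare false passed as the new last argument of netsec_do_seal() is not self-explanatory at the call site (the matching call in netsec_outgoing_packet() passes true). A short /* forward */ comment next to the literal, or a two-value enum instead of bool, would make the direction obvious.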
@@ -257,7 +342,8 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
 	if (do_seal) {
 		netsec_do_seal(state, seq_num,
 			       confounder,
-			       data, length);
+			       data, length,
+			       true);
 	}
 
 	netsec_do_seq_num(state, checksum, checksum_length, seq_num);
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index a28835f..e2b3755 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -110,6 +110,9 @@ struct dcerpc_binding {
 /* handle upgrades or downgrades automatically */
 #define DCERPC_SCHANNEL_AUTO           (1<<23)
 
+/* use aes schannel with hmac-sh256 session key */
+#define DCERPC_SCHANNEL_AES            (1<<24)
+
 /* The following definitions come from ../librpc/rpc/dcerpc_error.c  */
 
 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
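Review bot: typo in the new comment above DCERPC_SCHANNEL_AES: "hmac-sh256" should read "hmac-sha256".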
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 39efd99..672f2ac 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -383,7 +383,8 @@ LIBCLI_SAMR_OBJ = autoconf/librpc/gen_ndr/ndr_samr_c.o \
 
 LIBCLI_NETLOGON_OBJ = autoconf/librpc/gen_ndr/ndr_netlogon_c.o \
 		      rpc_client/cli_netlogon.o \
-		      rpc_client/util_netlogon.o
+		      rpc_client/util_netlogon.o \
+		      rpc_client/init_netlogon.o
 
 LIBCLI_EPMAPPER_OBJ = autoconf/librpc/gen_ndr/ndr_epmapper_c.o
 
@@ -649,6 +650,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
 
 LIBMSRPC_OBJ = $(SCHANNEL_OBJ) \
 	       rpc_client/cli_pipe.o \
+	       $(LIBCLI_NETLOGON_OBJ) \
 	       librpc/crypto/gse_krb5.o \
 	       librpc/crypto/gse.o \
 	       ../auth/kerberos/gssapi_pac.o \
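Review bot: adding $(LIBCLI_NETLOGON_OBJ) to LIBMSRPC_OBJ here is what the removals in the following hunks (RPC_SERVER_OBJ, RPCCLIENT_OBJ, NET_OBJ1, WINBINDD_OBJ, LIBNETAPI_OBJ) rely on, but none of those hunks shows that the target still pulls in LIBMSRPC_OBJ. Please confirm each one does, otherwise the netlogon client objects drop out of that link.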
@@ -802,12 +804,10 @@ RPC_SERVER_OBJ = $(RPC_LSARPC_OBJ) $(RPC_WINREG_OBJ) $(RPC_INITSHUTDOWN_OBJ) \
 		 $(LIBCLI_SRVSVC_OBJ) \
 		 $(LIBCLI_LSA_OBJ) \
 		 $(LIBCLI_SAMR_OBJ) \
-		 $(LIBCLI_NETLOGON_OBJ) \
 		 $(RPC_SERVER_REGISTER_OBJ) \
 		 $(RPC_CLIENT_SCHANNEL_OBJ) \
 		 rpc_server/rpc_sock_helper.o \
 		 rpc_server/rpc_service_setup.o \
-		 rpc_client/init_netlogon.o \
 		 rpc_client/init_samr.o
 
 RPC_CLIENT_SCHANNEL_OBJ = rpc_client/cli_pipe_schannel.o
@@ -1131,10 +1131,8 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
 	     $(LIBCLI_LSA_OBJ) \
 	     $(LIBCLI_SAMR_OBJ) \
 	     $(LIBCLI_WINREG_OBJ) \
-	     $(LIBCLI_NETLOGON_OBJ) \
 	     $(LIBCLI_FSRVP_OBJ) \
 	     $(RPC_CLIENT_SCHANNEL_OBJ) \
-	     rpc_client/init_netlogon.o \
 	     rpc_client/init_samr.o
 
 PAM_WINBIND_OBJ = ../nsswitch/pam_winbind.o $(WBCOMMON_OBJ) \
@@ -1243,9 +1241,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_help.o \
 	   $(LIBCLI_SRVSVC_OBJ) \
 	   $(LIBCLI_LSA_OBJ) \
 	   $(LIBCLI_SAMR_OBJ) \
-	   $(LIBCLI_NETLOGON_OBJ) \
 	   $(RPC_CLIENT_SCHANNEL_OBJ) \
-	   rpc_client/init_netlogon.o \
 	   rpc_client/init_samr.o \
 	   registry/reg_parse.o registry/reg_format.o \
 	   registry/reg_import.o \
@@ -1522,8 +1518,6 @@ WINBINDD_OBJ = \
 		$(LIBCLI_DSSETUP_OBJ) \
 		$(LIBCLI_LSA_OBJ) \
 		$(LIBCLI_SAMR_OBJ) \
-		$(LIBCLI_NETLOGON_OBJ) \
-		rpc_client/init_netlogon.o \
 		rpc_client/init_samr.o \
 		$(PAM_ERRORS_OBJ)
 
@@ -2327,9 +2321,7 @@ LIBNETAPI_OBJ  = $(LIBNETAPI_OBJ0) $(LIBNET_OBJ) \
 		 $(LIBCLI_SRVSVC_OBJ) \
 		 $(LIBCLI_LSA_OBJ) \
 		 $(LIBCLI_SAMR_OBJ) \
-		 $(LIBCLI_NETLOGON_OBJ) \
 		 $(RPC_CLIENT_SCHANNEL_OBJ) \
-		 rpc_client/init_netlogon.o \
 		 rpc_client/init_samr.o
 
 LIBNETAPI_SHARED_TARGET=@LIBNETAPI_SHARED_TARGET@
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 6b052f9..8b9e513 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -29,6 +29,7 @@
 #include "../auth/ntlmssp/ntlmssp.h"
 #include "auth_generic.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
 #include "librpc/rpc/dcerpc.h"
 #include "rpc_dce.h"
 #include "cli_pipe.h"
@@ -1544,9 +1545,15 @@ struct rpc_pipe_bind_state {
 	DATA_BLOB rpc_out;
 	bool auth3;
 	uint32_t rpc_call_id;
+	struct netr_Authenticator auth;
+	struct netr_Authenticator return_auth;
+	struct netlogon_creds_CredentialState *creds;
+	union netr_Capabilities capabilities;
+	struct netr_LogonGetCapabilities r;
 };
 
 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
+static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
 				   struct rpc_pipe_bind_state *state,
 				   DATA_BLOB *credentials);
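Review bot: rpc_pipe_bind_state gains a struct netlogon_creds_CredentialState *creds pointer, but the hunk does not say who owns it or whether it points at the live credential state or at a copy. Commit 18692b0 in this same push describes ACCESS_DENIED caused by stepping a copy, so a comment on the field stating which state it must reference, and its talloc parent, would help.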
@@ -1649,11 +1656,14 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 
 	case DCERPC_AUTH_TYPE_NONE:
 	case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-	case DCERPC_AUTH_TYPE_SCHANNEL:
 		/* Bind complete. */
 		tevent_req_done(req);
 		return;
 
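Review bot: the replacement handling for DCERPC_AUTH_TYPE_SCHANNEL is not visible here, because the changeset is truncated right after this case is taken out of the "Bind complete" group. When checking the full commit, make sure a schannel bind cannot reach tevent_req_done() without going through rpc_pipe_bind_step_two_trigger(), and that a failed capabilities check fails the bind.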


-- 
Samba Shared Repository

