[PATCH] add and use netlogon_creds_encrypt_samlogon_validation
Guenther Deschner
gd at samba.org
Fri Dec 14 06:37:35 MST 2012
Hi *,
this merges all our netlogon samlogon validation encryption code into one shared helper, in the same
manner we already did for the decryption path in our netlogon client code.
If someone could add his reviewed-by...
Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
From 8e14914d8cf6aebf958b58cfd1709435fa1d3ba6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Fri, 14 Dec 2012 14:17:22 +0100
Subject: [PATCH 1/4] libcli/auth: rename netlogon_creds_decrypt_samlogon() to
netlogon_creds_decrypt_samlogon_validation().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
---
libcli/auth/credentials.c | 9 ++++++---
libcli/auth/proto.h | 6 +++---
source3/rpc_client/cli_netlogon.c | 6 ++++--
source4/torture/rpc/samlogon.c | 12 +++++++++---
source4/winbind/wb_sam_logon.c | 6 +++---
5 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 63407e7..d5bf1a6 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -485,9 +485,9 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
}
}
-void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation)
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
{
static const char zeros[16];
@@ -521,6 +521,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
if (validation_level == 6) {
/* they aren't encrypted! */
} else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
netlogon_creds_aes_decrypt(creds,
@@ -535,6 +536,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
sizeof(base->LMSessKey.key));
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
netlogon_creds_arcfour_crypt(creds,
@@ -549,6 +551,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
sizeof(base->LMSessKey.key));
}
} else {
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
netlogon_creds_des_decrypt_LMKey(creds,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index b9d91d0..15900d4 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -57,9 +57,9 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
struct netr_Authenticator *received_authenticator,
struct netr_Authenticator *return_authenticator) ;
-void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation) ;
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation);
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a0a9457..66a50a8 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -467,7 +467,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
return result;
}
- netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
+ netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+ &validation);
result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
if (!NT_STATUS_IS_OK(result)) {
@@ -575,7 +576,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
return result;
}
- netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
+ netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+ &validation);
result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
if (!NT_STATUS_IS_OK(result)) {
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 8d13a63..bd85c22 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -176,7 +176,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r->out.validation);
switch (validation_level) {
case 2:
@@ -208,7 +210,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_ex->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r_ex->out.validation);
switch (validation_level) {
case 2:
@@ -248,7 +252,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_flags->in.validation_level;
- netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation);
+ netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
+ validation_level,
+ r_flags->out.validation);
switch (validation_level) {
case 2:
diff --git a/source4/winbind/wb_sam_logon.c b/source4/winbind/wb_sam_logon.c
index 32fddd2..e940082 100644
--- a/source4/winbind/wb_sam_logon.c
+++ b/source4/winbind/wb_sam_logon.c
@@ -208,9 +208,9 @@ static void wb_sam_logon_recv_samlogon(struct tevent_req *subreq)
/* Decrypt the session keys before we reform the info3, so the
* person on the other end of winbindd pipe doesn't have to.
* They won't have the encryption key anyway */
- netlogon_creds_decrypt_samlogon(state->creds_state,
- state->r.in.validation_level,
- state->r.out.validation);
+ netlogon_creds_decrypt_samlogon_validation(state->creds_state,
+ state->r.in.validation_level,
+ state->r.out.validation);
/*
* we do not need the netlogon_creds lock anymore
--
1.7.11.7
From f7555671208f2f3d100e59ba2becf7a510a5b5b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Fri, 14 Dec 2012 14:18:40 +0100
Subject: [PATCH 2/4] libcli/auth: add
netlogon_creds_encrypt_samlogon_validation().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
---
libcli/auth/credentials.c | 47 +++++++++++++++++++++++++++++++++++++++++------
libcli/auth/proto.h | 3 +++
2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index d5bf1a6..9d3df9f 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -485,9 +485,10 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
}
}
-void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
- uint16_t validation_level,
- union netr_Validation *validation)
+static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ bool encrypt)
{
static const char zeros[16];
@@ -524,16 +525,29 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->key.key, zeros,
sizeof(base->key.key)) != 0) {
- netlogon_creds_aes_decrypt(creds,
+ if (encrypt) {
+ netlogon_creds_aes_encrypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ } else {
+ netlogon_creds_aes_decrypt(creds,
base->key.key,
sizeof(base->key.key));
+ }
}
if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_aes_decrypt(creds,
+ if (encrypt) {
+ netlogon_creds_aes_encrypt(creds,
base->LMSessKey.key,
sizeof(base->LMSessKey.key));
+
+ } else {
+ netlogon_creds_aes_decrypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
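Review bot: Both AES branches repeat the same `if (encrypt) { ...aes_encrypt... } else { ...aes_decrypt... }` fork around identical argument lists, and the LMSessKey branch picked up a stray blank line after the `netlogon_creds_aes_encrypt(...)` call. If the two AES routines share a prototype (they are called with the same `creds, key, sizeof(key)` arguments here), selecting the routine once at the top of the branch, e.g. `aes_fn = encrypt ? netlogon_creds_aes_encrypt : netlogon_creds_aes_decrypt;`, and calling it for both keys would halve the branch and keep the all-zero guard the visible part of the code. The enclosing static helper begins in the previous hunk.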
@@ -554,12 +568,33 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (memcmp(base->LMSessKey.key, zeros,
sizeof(base->LMSessKey.key)) != 0) {
- netlogon_creds_des_decrypt_LMKey(creds,
+ if (encrypt) {
+ netlogon_creds_des_encrypt_LMKey(creds,
&base->LMSessKey);
+ } else {
+ netlogon_creds_des_decrypt_LMKey(creds,
+ &base->LMSessKey);
+ }
}
}
}
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+ validation, false);
+}
+
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+ validation, true);
+}
+
/*
copy a netlogon_creds_CredentialState struct
*/
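Review bot: The two new wrappers at the end of the hunk use `return` with a void expression (`return netlogon_creds_crypt_samlogon_validation(...)`), which ISO C does not permit in a function returning void (C11 6.8.6.4) and which GCC reports under -Wpedantic; drop the `return` and simply call `netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, false);` (and `true` in the encrypt wrapper). Also worth a comment on the static helper: the all-zero skip inspects the plaintext key on the encrypt side but the wire bytes on the decrypt side, so the two ends only stay consistent because an encrypted non-zero key is vanishingly unlikely to come out all-zero — `/* skip is applied to plaintext when encrypting and to ciphertext when decrypting; both sides must keep it */` would record that. The DES branch above the wrappers touches only LMSessKey, so `key.key` is left in the clear when neither AES nor ARCFOUR is negotiated, matching the s4 server code this series later removes.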
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 15900d4..89a732e 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -60,6 +60,9 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
uint16_t validation_level,
union netr_Validation *validation);
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation);
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
--
1.7.11.7
From 0ef4bff5144c33b67e38d4637118886e7916b60d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Tue, 11 Dec 2012 23:52:59 +0100
Subject: [PATCH 3/4] s3-rpc_server: use netlogon_creds_encrypt_samlogon_validation().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++--------------------
1 file changed, 3 insertions(+), 20 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index ec2269d..96e1c87 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1466,7 +1466,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
struct auth_serversupplied_info *server_info = NULL;
struct auth_context *auth_context = NULL;
const char *fn;
- struct netr_SamBaseInfo *base;
switch (p->opnum) {
case NDR_NETR_LOGONSAMLOGON:
@@ -1693,17 +1692,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
case 2:
status = serverinfo_to_SamInfo2(server_info,
r->out.validation->sam2);
- base = &r->out.validation->sam2->base;
break;
case 3:
status = serverinfo_to_SamInfo3(server_info,
r->out.validation->sam3);
- base = &r->out.validation->sam3->base;
break;
case 6:
status = serverinfo_to_SamInfo6(server_info,
r->out.validation->sam6);
- base = &r->out.validation->sam6->base;
break;
}
@@ -1713,22 +1709,9 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
return status;
}
- if (r->in.validation_level == 6) {
- /* no further crypto to be applied - gd */
- return NT_STATUS_OK;
- }
-
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, base->key.key, 16);
- netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8);
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
- netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
- } else {
- /* key is unencrypted when neither AES nor RC4 bits are set */
- netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey);
- }
-
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
return NT_STATUS_OK;
}
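Review bot: Replacing the unconditional encrypt calls with `netlogon_creds_encrypt_samlogon_validation()` changes the s3 server's wire behaviour for an all-zero `key.key` or `LMSessKey.key`: the shared helper skips those (its "Don't crypt an all-zero key" guards), whereas the removed code always encrypted them, which for ARCFOUR exposes RC4 keystream keyed from the session key. That is the right direction and brings s3 in line with the s4 server, but it is a visible change the commit message does not mention; one sentence there, plus a comment at the call such as `/* level 6 and all-zero keys are deliberately left in the clear, see netlogon_creds_crypt_samlogon_validation() */`, would preserve the reasoning the deleted `/* no further crypto to be applied */` and `/* key is unencrypted when neither AES nor RC4 bits are set */` comments carried. `_netr_LogonSamLogon_base` starts outside the hunk.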
--
1.7.11.7
From f9821e30c5299e46228884d43b4506227b825d3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Tue, 11 Dec 2012 23:53:22 +0100
Subject: [PATCH 4/4] s4-rpc_server: use netlogon_creds_encrypt_samlogon_validation().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++------------------------
1 file changed, 3 insertions(+), 33 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 3eaf0d4..3d90d0d 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -817,39 +817,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
return NT_STATUS_INVALID_INFO_CLASS;
}
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
- /* This key is sent unencrypted without the ARCFOUR or AES flag set */
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds,
- sam->key.key,
- sizeof(sam->key.key));
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->key.key,
- sizeof(sam->key.key));
- }
- }
-
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds,
- sam->LMSessKey.key,
- sizeof(sam->LMSessKey.key));
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->LMSessKey.key,
- sizeof(sam->LMSessKey.key));
- } else {
- netlogon_creds_des_encrypt_LMKey(creds,
- &sam->LMSessKey);
- }
- }
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
/* TODO: Describe and deal with these flags */
*r->out.flags = 0;
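Review bot: After this hunk the `zeros` array that the removed memcmp() calls compared against appears to have no remaining use, and `sam` is presumably still assigned in the switch that ends just above the hunk but is no longer read; if so, both declarations (outside the hunk) should be dropped as patch 3 dropped `base` in the s3 server, otherwise the build gains unused / set-but-unused variable warnings. The removed comment `This key is sent unencrypted without the ARCFOUR or AES flag set` was the only place recording that `key.key` stays in the clear in the DES-only case; the shared helper's final branch touches only LMSessKey so behaviour is preserved, but a short note at the call, e.g. `/* helper skips level 6 and all-zero keys; key.key is only encrypted under AES or ARCFOUR */`, would keep that knowledge local. `dcesrv_netr_LogonSamLogon_base` starts outside the hunk.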
--
1.7.11.7