The branch, master has been updated via a11ecbbff0c08f14fa1ce41e41578ff0ff85003a (commit) via c185e7a29c9d973a3916928903acc078c43b0d4f (commit) via 6c9caed48187a0d18becf59ab636af44cbe521b0 (commit) via 53765c81f726a8c056cc4e57004592dd489975c9 (commit) via 8a5d94e329e8ee2e7d4e03b9719188cb50bc4978 (commit) via ddcc355f2b5379884755827c20a1d1bfd1fd4d51 (commit) via 02ecdd8f292812b886ea3ae3d69d0e221346f9e7 (commit) via 7a54cd041e04f901af5e73b9e57b9cff4e182955 (commit) via 8ee7b4ce29b678ceb34680f556ab1a28a8bea9c5 (commit) via 0c771bfc70fecf25fbb4aa090bfdd14811b1f3bb (commit) via 34193cffc0900d8563822a9524f87b76d93ee80e (commit) via b57c8ff4400e5f2bd0776247496b34dab68bde97 (commit) via fa37dbf96024482e3b1a0269a940b6e722d550e4 (commit) via 0879cbaf2b88f44b66ae7cbc5eb042ab534142f3 (commit) via dbcd80ed0109072e0eda6ef3f7d52972403eadd9 (commit) via 4678d1c6f4de1af9144de37d6d4b35c6c39e254d (commit) via 86b50a0e6eacc14e157602811f30f11dccc471a8 (commit) via 0b4e9ce45aa6b9e90d4765c9caaaeed45dcd0de2 (commit) via 32062013c3dca1ae50d6e8f7a0ad3e3591b61d61 (commit) via d78cdc5fe2e45b5f447a3ed90d33a10f7cda831a (commit) via 1cee31f5889d7b7f8a365a83426b29e804684f9f (commit) via 53afa1adacb239fd942b3b58707c8e4c55639175 (commit) via baf7274fed2f1ae7a9e3a57160bf5471566e636c (commit) via 5095d7b1c84e7e37f553867d699a1983f74d4314 (commit) via eed0c4f6c9aac5a260f65c05cc809bf5f72cf210 (commit) via f23eea294a64fac3cc85609468703fc15f7e3187 (commit) via df8e1908ef9969ce95a5102959c27491fa7bfa03 (commit) via 27815a71a99f43a531f27427eeb32ab34b0aa642 (commit) via fe0f0e5670e878b8f8ddcb9f36681de69edd2025 (commit) via 7cff049e7eab769ed69296da41e74fa66be42698 (commit) via 6c8f7e400540421320e3cbd80f7e1a9551dfed14 (commit) via a19966375aeab5627308379219361de7053189fd (commit) via f28f113d8e76824b080359c90efd9c92de533740 (commit) via fd3be5c4e5e185115eec59752a22f7f354f860ca (commit) via 8e73b652f92795dcb35cd3826c88926e8072ea31 (commit) via 9feea7fa4c36e124a2d6f8711ee849b039a22f34 (commit) via 872cb0257c64f8c8682968565c3dfa608167a95d (commit) via 927a8b330435b4c959ad851e32b83d97a6e3001b (commit) from f493755aafacb128cb7b9148898f5ce1d02f6d69 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a11ecbbff0c08f14fa1ce41e41578ff0ff85003a Merge: c185e7a29c9d973a3916928903acc078c43b0d4f f493755aafacb128cb7b9148898f5ce1d02f6d69 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 17:19:45 2009 +0200 Merge branch 'master' of ssh://git.samba.org/data/git/samba into libcli-auth-merge-without-netlogond commit c185e7a29c9d973a3916928903acc078c43b0d4f Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 17:04:33 2009 +0200 Fix to use modified cli_rpc_pipe_open_schannel_with_key API commit 6c9caed48187a0d18becf59ab636af44cbe521b0 Merge: 53765c81f726a8c056cc4e57004592dd489975c9 31120c9eacafd93e0f2c6b0f906af21adadd318a Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 16:53:02 2009 +0200 Merge commit 'origin/master' into libcli-auth-merge-without-netlogond commit 53765c81f726a8c056cc4e57004592dd489975c9 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 16:50:49 2009 +0200 Remove use of talloc_reference in cli_rpc_pipe_open_schannel_with_key() commit 8a5d94e329e8ee2e7d4e03b9719188cb50bc4978 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 13:55:04 2009 +0200 libcli/auth Ensure we cancel the transaction when schannel not detected (found by jra on code review) Andrew Bartlett commit ddcc355f2b5379884755827c20a1d1bfd1fd4d51 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 11:55:49 2009 +0200 s3:ntlmssp Remove use of talloc(NULL) in NTLMSSP code commit 02ecdd8f292812b886ea3ae3d69d0e221346f9e7 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 10:54:57 2009 +0200 libcli/auth: Don't pass back lm_sess_key as the same pointer as user_sess_key This ensures that a talloc_free() of both pointers won't double-free (sharing pointers like this is evil anyway). Andrew Bartlett commit 7a54cd041e04f901af5e73b9e57b9cff4e182955 Author: Andrew Bartlett <abart...@samba.org> Date: Sun Apr 19 21:50:46 2009 +0200 Remove unused headers commit 8ee7b4ce29b678ceb34680f556ab1a28a8bea9c5 Author: Andrew Bartlett <abart...@samba.org> Date: Sun Apr 19 21:50:13 2009 +0200 s3:auth Fix segfault: Always initialise returned session keys commit 0c771bfc70fecf25fbb4aa090bfdd14811b1f3bb Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 20 05:19:48 2009 +1000 s3:ntlmssp Fix segfault: msrpc_gen now uses talloc() commit 34193cffc0900d8563822a9524f87b76d93ee80e Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 16 14:08:00 2009 +1000 Fix crash bug in NTLMSSP caused by msrpc_parse() moving to talloc commit b57c8ff4400e5f2bd0776247496b34dab68bde97 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 16 12:06:35 2009 +1000 Use an absolute path to ensure that we can always regenerate tables.c I had trouble building Samba3 in a merged build, perhaps because I was also building Samba4 in that tree. Andrew Bartlett commit fa37dbf96024482e3b1a0269a940b6e722d550e4 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 16 10:17:57 2009 +1000 Fix building the now common msrpc_parse code commit 0879cbaf2b88f44b66ae7cbc5eb042ab534142f3 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 16 10:17:34 2009 +1000 Fix building the common libcli/samsync code commit dbcd80ed0109072e0eda6ef3f7d52972403eadd9 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 16 10:17:17 2009 +1000 Fix Samba4 build errors with common libcli/samsync commit 4678d1c6f4de1af9144de37d6d4b35c6c39e254d Merge: 86b50a0e6eacc14e157602811f30f11dccc471a8 92d321006d1748ac47cf9b52330212f4ae03f502 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Apr 15 14:36:13 2009 +1000 Merge branch 'master' of ssh://git.samba.org/data/git/samba into libcli-auth-merge-without-netlogond commit 86b50a0e6eacc14e157602811f30f11dccc471a8 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Apr 15 14:23:33 2009 +1000 Add missing header, remove generated header (This isn't a rename, honest :-) commit 0b4e9ce45aa6b9e90d4765c9caaaeed45dcd0de2 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Apr 15 14:00:24 2009 +1000 common:libcli/auth Add missing samsync config.mk commit 32062013c3dca1ae50d6e8f7a0ad3e3591b61d61 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Apr 14 19:33:04 2009 +1000 s3: Fix ntlm_auth and winbindd to use new common libcli/auth APIs commit d78cdc5fe2e45b5f447a3ed90d33a10f7cda831a Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 9 14:26:04 2009 +1000 Rework to use new API for common netlogon credential chaining commit 1cee31f5889d7b7f8a365a83426b29e804684f9f Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 9 14:25:50 2009 +1000 Link in the common samsync decryption code commit 53afa1adacb239fd942b3b58707c8e4c55639175 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 9 14:22:04 2009 +1000 libcli/auth Push schannel check into common libcli/auth This means we have a single choke point to ensure the remote client is using schannel. Andrew Bartlett commit baf7274fed2f1ae7a9e3a57160bf5471566e636c Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 6 22:56:13 2009 +1000 Make Samba3 use the new common libcli/auth code This is particuarly in the netlogon client (but not server at this stage) commit 5095d7b1c84e7e37f553867d699a1983f74d4314 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 6 22:54:44 2009 +1000 Rework Samba4 to use the new common libcli/auth code In particular, this is the rename from creds_ to netlogon_creds_, as well as other links to use the new common crypto. Andrew Bartlett commit eed0c4f6c9aac5a260f65c05cc809bf5f72cf210 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 6 22:53:01 2009 +1000 Rework netlogon credentials for the top level This makes constructor functions that return the allocated structure, rather than having the caller pass them in, and makes the server init function also check the first credential. The rename of creds_ to netlogon_creds should make it more clear what this code works with. Andrew Bartlett commit f23eea294a64fac3cc85609468703fc15f7e3187 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Apr 6 22:51:32 2009 +1000 Push schannel_state.c into the top level. This is the server side state for netlogon credential chaining Andrew Bartlett commit df8e1908ef9969ce95a5102959c27491fa7bfa03 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Mar 27 12:16:17 2009 +1100 Use common samsync delta decryption functions in libnet_samsync.c Andrew Bartlett commit 27815a71a99f43a531f27427eeb32ab34b0aa642 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Mar 17 20:08:31 2009 +1100 More work to adapt to merged libcli/auth function prototypes commit fe0f0e5670e878b8f8ddcb9f36681de69edd2025 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Mar 17 20:06:46 2009 +1100 Adapt to common crypto functions: sam_pwd_hash() -> sam_rid_crypt() commit 7cff049e7eab769ed69296da41e74fa66be42698 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Mar 17 20:03:32 2009 +1100 libcli/auth Don't compile against un-needed Samba4 headers commit 6c8f7e400540421320e3cbd80f7e1a9551dfed14 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Mar 17 14:03:02 2009 +1100 Port Samba4 to the new combined libcli/auth functions For example, some of the new shared functionality was previously in the wkssvc torture test. Andrew Bartlett commit a19966375aeab5627308379219361de7053189fd Author: Andrew Bartlett <abart...@samba.org> Date: Tue Mar 17 10:02:45 2009 +1100 Move ntlm_check.h into the common libcli/auth commit f28f113d8e76824b080359c90efd9c92de533740 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 21:27:58 2009 +1100 Rework Samba3 to use new libcli/auth code (partial) This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett commit fd3be5c4e5e185115eec59752a22f7f354f860ca Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 21:19:10 2009 +1100 Merge smbencrypt.c between Samba3 and Samba4 commit 8e73b652f92795dcb35cd3826c88926e8072ea31 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 21:17:29 2009 +1100 Rework trivial msrpc parser to use convert_string_talloc() Also avoid still string conversions when trying to match NTLMSSP in the header of the NTLMSSP packet. This also changes a few things to avoid const warnings. Andrew Bartlett commit 9feea7fa4c36e124a2d6f8711ee849b039a22f34 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 18:08:15 2009 +1100 Move MSRPC-PARSE into the common libcli/auth This is a depenceny of smbencrypt.c commit 872cb0257c64f8c8682968565c3dfa608167a95d Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 15:20:28 2009 +1100 Move DRSUAPI per-attribute decryption into a common file This file (contining metze's decryption routines) is now also be used by Samba3's DRSUAPI implementation Andrew Bartlett commit 927a8b330435b4c959ad851e32b83d97a6e3001b Author: Andrew Bartlett <abart...@samba.org> Date: Mon Mar 16 13:26:38 2009 +1100 Move libcli/auth to the top level ----------------------------------------------------------------------- Summary of changes: libcli/auth/config.mk | 31 + libcli/auth/credentials.c | 446 +++++++++++ libcli/auth/credentials.h | 84 +++ libcli/auth/libcli_auth.h | 32 + libcli/auth/msrpc_parse.c | 368 ++++++++++ libcli/auth/ntlm_check.c | 596 +++++++++++++++ {source4/auth/ntlm => libcli/auth}/ntlm_check.h | 0 libcli/auth/schannel_state.c | 321 ++++++++ libcli/auth/schannel_state.h | 24 + {source4/libcli => libcli}/auth/session.c | 0 {source4/libcli => libcli}/auth/smbdes.c | 0 libcli/auth/smbencrypt.c | 782 ++++++++++++++++++++ libcli/drsuapi/config.mk | 8 + libcli/drsuapi/drsuapi.h | 33 + libcli/drsuapi/repl_decrypt.c | 188 +++++ libcli/samsync/config.mk | 10 + libcli/samsync/decrypt.c | 174 +++++ nsswitch/wbinfo.c | 7 +- source3/Makefile.in | 17 +- source3/auth/auth_domain.c | 1 + source3/auth/auth_netlogond.c | 7 +- source3/auth/auth_sam.c | 53 ++- source3/auth/auth_util.c | 5 +- source3/include/client.h | 4 +- source3/include/ntlmssp.h | 5 - source3/include/proto.h | 152 +---- source3/include/rpc_dce.h | 45 -- source3/lib/charcnv.c | 38 + source3/lib/netapi/joindomain.c | 1 + source3/libnet/libnet_dssync.c | 76 +-- source3/libnet/libnet_join.c | 3 +- source3/libnet/libnet_samsync.c | 162 +---- source3/libsmb/cliconnect.c | 9 +- source3/libsmb/clirap.c | 3 +- source3/libsmb/credentials.c | 86 +-- source3/libsmb/ntlm_check.c | 470 ------------ source3/libsmb/ntlmssp.c | 110 +-- source3/libsmb/ntlmssp_parse.c | 384 ---------- source3/libsmb/ntlmssp_sign.c | 5 +- source3/libsmb/smbdes.c | 421 ----------- source3/libsmb/smbencrypt.c | 898 ----------------------- source3/libsmb/trusts_util.c | 1 + source3/passdb/passdb.c | 1 + source3/passdb/pdb_get_set.c | 1 + source3/passdb/pdb_ldap.c | 1 + source3/passdb/secrets.c | 2 +- source3/rpc_client/cli_netlogon.c | 156 ++--- source3/rpc_client/cli_pipe.c | 17 +- source3/rpc_client/cli_samr.c | 9 +- source3/rpc_client/init_netlogon.c | 7 +- source3/rpc_client/init_samr.c | 5 +- source3/rpc_parse/parse_prs.c | 12 +- source3/rpc_server/srv_netlog_nt.c | 1 + source3/rpc_server/srv_samr_nt.c | 19 +- source3/rpc_server/srv_wkssvc_nt.c | 1 + source3/rpcclient/cmd_lsarpc.c | 22 +- source3/rpcclient/cmd_netlogon.c | 9 +- source3/rpcclient/cmd_samr.c | 1 + source3/rpcclient/rpcclient.c | 1 + source3/smbd/chgpasswd.c | 7 +- source3/smbd/trans2.c | 1 + source3/utils/net_rpc.c | 9 +- source3/utils/net_rpc_join.c | 5 +- source3/utils/ntlm_auth.c | 13 +- source3/utils/ntlm_auth_diagnostics.c | 11 +- source3/winbindd/winbindd_cache.c | 1 + source3/winbindd/winbindd_cm.c | 21 +- source3/winbindd/winbindd_cred_cache.c | 1 + source3/winbindd/winbindd_creds.c | 1 + source3/winbindd/winbindd_pam.c | 7 +- source4/auth/credentials/credentials.c | 4 +- source4/auth/credentials/credentials.h | 6 +- source4/auth/gensec/config.mk | 2 +- source4/auth/gensec/gensec.h | 4 +- source4/auth/gensec/schannel.c | 31 +- source4/auth/gensec/schannel.h | 7 +- source4/auth/gensec/schannel_sign.c | 6 +- source4/auth/gensec/schannel_state.c | 283 ------- source4/auth/ntlm/auth_sam.c | 2 +- source4/auth/ntlm/config.mk | 5 - source4/auth/ntlm/ntlm_check.c | 603 --------------- source4/auth/ntlmssp/config.mk | 6 - source4/auth/ntlmssp/ntlmssp.c | 4 +- source4/auth/ntlmssp/ntlmssp.h | 5 - source4/auth/ntlmssp/ntlmssp_client.c | 3 +- source4/auth/ntlmssp/ntlmssp_parse.c | 368 ---------- source4/auth/ntlmssp/ntlmssp_server.c | 4 +- source4/auth/ntlmssp/ntlmssp_sign.c | 4 +- source4/dsdb/config.mk | 3 +- source4/dsdb/repl/replicated_objects.c | 160 +---- source4/libcli/auth/config.mk | 17 - source4/libcli/auth/credentials.c | 375 ---------- source4/libcli/auth/credentials.h | 46 -- source4/libcli/auth/libcli_auth.h | 24 - source4/libcli/auth/smbencrypt.c | 595 --------------- source4/libcli/config.mk | 1 - source4/libnet/config.mk | 2 +- source4/libnet/libnet_samdump.c | 1 - source4/libnet/libnet_samdump_keytab.c | 1 - source4/libnet/libnet_samsync.c | 150 +---- source4/libnet/libnet_samsync.h | 1 - source4/libnet/libnet_samsync_ldb.c | 1 - source4/librpc/idl-deps.pl | 2 + source4/librpc/rpc/dcerpc_schannel.c | 18 +- source4/main.mk | 3 + source4/rpc_server/netlogon/dcerpc_netlogon.c | 212 +++--- source4/torture/config.mk | 2 +- source4/torture/rpc/dssync.c | 125 +--- source4/torture/rpc/netlogon.c | 173 +++--- source4/torture/rpc/netlogon.h | 2 +- source4/torture/rpc/remote_pac.c | 27 +- source4/torture/rpc/samba3rpc.c | 51 +- source4/torture/rpc/samlogon.c | 34 +- source4/torture/rpc/samr.c | 8 +- source4/torture/rpc/samsync.c | 30 +- source4/torture/rpc/schannel.c | 12 +- source4/torture/rpc/wkssvc.c | 45 +- source4/utils/ntlm_auth.c | 1 - source4/winbind/wb_sam_logon.c | 14 +- 119 files changed, 3818 insertions(+), 6067 deletions(-) create mode 100644 libcli/auth/config.mk create mode 100644 libcli/auth/credentials.c create mode 100644 libcli/auth/credentials.h create mode 100644 libcli/auth/libcli_auth.h create mode 100644 libcli/auth/msrpc_parse.c create mode 100644 libcli/auth/ntlm_check.c rename {source4/auth/ntlm => libcli/auth}/ntlm_check.h (100%) create mode 100644 libcli/auth/schannel_state.c create mode 100644 libcli/auth/schannel_state.h rename {source4/libcli => libcli}/auth/session.c (100%) rename {source4/libcli => libcli}/auth/smbdes.c (100%) create mode 100644 libcli/auth/smbencrypt.c create mode 100644 libcli/drsuapi/config.mk create mode 100644 libcli/drsuapi/drsuapi.h create mode 100644 libcli/drsuapi/repl_decrypt.c create mode 100644 libcli/samsync/config.mk create mode 100644 libcli/samsync/decrypt.c delete mode 100644 source3/libsmb/ntlm_check.c delete mode 100644 source3/libsmb/ntlmssp_parse.c delete mode 100644 source3/libsmb/smbdes.c delete mode 100644 source3/libsmb/smbencrypt.c delete mode 100644 source4/auth/ntlm/ntlm_check.c delete mode 100644 source4/auth/ntlmssp/ntlmssp_parse.c delete mode 100644 source4/libcli/auth/config.mk delete mode 100644 source4/libcli/auth/credentials.c delete mode 100644 source4/libcli/auth/credentials.h delete mode 100644 source4/libcli/auth/libcli_auth.h delete mode 100644 source4/libcli/auth/smbencrypt.c Changeset truncated at 500 lines: diff --git a/libcli/auth/config.mk b/libcli/auth/config.mk new file mode 100644 index 0000000..1034020 --- /dev/null +++ b/libcli/auth/config.mk @@ -0,0 +1,31 @@ +[SUBSYSTEM::ntlm_check] +PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL + +ntlm_check_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, ntlm_check.o) + +[SUBSYSTEM::MSRPC_PARSE] + +MSRPC_PARSE_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, msrpc_parse.o) + +$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/msrpc_parse.h,$(MSRPC_PARSE_OBJ_FILES:.o=.c))) + +[SUBSYSTEM::LIBCLI_AUTH] +PUBLIC_DEPENDENCIES = \ + MSRPC_PARSE \ + LIBSAMBA-HOSTCONFIG + +LIBCLI_AUTH_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, \ + credentials.o \ + session.o \ + smbencrypt.o \ + smbdes.o) + +PUBLIC_HEADERS += ../libcli/auth/credentials.h +$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/proto.h,$(LIBCLI_AUTH_OBJ_FILES:.o=.c))) + +[SUBSYSTEM::COMMON_SCHANNELDB] +PRIVATE_DEPENDENCIES = LDB_WRAP + +COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state.o) +$(eval $(call proto_header_template,$(libclicommonsrcdir)/auth/schannel_state_proto.h,$(COMMON_SCHANNELDB_OBJ_FILES:.o=.c))) + diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c new file mode 100644 index 0000000..dc84ffb --- /dev/null +++ b/libcli/auth/credentials.c @@ -0,0 +1,446 @@ +/* + Unix SMB/CIFS implementation. + + code to manipulate domain credentials + + Copyright (C) Andrew Tridgell 1997-2003 + Copyright (C) Andrew Bartlett <abart...@samba.org> 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/time.h" +#include "../lib/crypto/crypto.h" +#include "libcli/auth/libcli_auth.h" + +/* + initialise the credentials state for old-style 64 bit session keys + + this call is made after the netr_ServerReqChallenge call +*/ +static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const struct samr_Password *machine_password) +{ + uint32_t sum[2]; + uint8_t sum2[8]; + + sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0); + sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4); + + SIVAL(sum2,0,sum[0]); + SIVAL(sum2,4,sum[1]); + + ZERO_STRUCT(creds->session_key); + + des_crypt128(creds->session_key, sum2, machine_password->hash); + + des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1); + des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1); + + creds->seed = creds->client; +} + +/* + initialise the credentials state for ADS-style 128 bit session keys + + this call is made after the netr_ServerReqChallenge call +*/ +static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *creds, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const struct samr_Password *machine_password) +{ + unsigned char zero[4], tmp[16]; + HMACMD5Context ctx; + struct MD5Context md5; + + ZERO_STRUCT(creds->session_key); + + memset(zero, 0, sizeof(zero)); + + hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); + MD5Init(&md5); + MD5Update(&md5, zero, sizeof(zero)); + MD5Update(&md5, client_challenge->data, 8); + MD5Update(&md5, server_challenge->data, 8); + MD5Final(tmp, &md5); + hmac_md5_update(tmp, sizeof(tmp), &ctx); + hmac_md5_final(creds->session_key, &ctx); + + creds->client = *client_challenge; + creds->server = *server_challenge; + + des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1); + des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1); + + creds->seed = creds->client; +} + + +/* + step the credentials to the next element in the chain, updating the + current client and server credentials and the seed +*/ +static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) +{ + struct netr_Credential time_cred; + + DEBUG(5,("\tseed %08x:%08x\n", + IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4))); + + SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence); + SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4)); + + DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); + + des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1); + + DEBUG(5,("\tCLIENT %08x:%08x\n", + IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); + + SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1); + SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4)); + + DEBUG(5,("\tseed+time+1 %08x:%08x\n", + IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); + + des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1); + + DEBUG(5,("\tSERVER %08x:%08x\n", + IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); + + creds->seed = time_cred; +} + + +/* + DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key +*/ +void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) +{ + struct netr_LMSessionKey tmp; + des_crypt56(tmp.key, key->key, creds->session_key, 1); + *key = tmp; +} + +/* + DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key +*/ +void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) +{ + struct netr_LMSessionKey tmp; + des_crypt56(tmp.key, key->key, creds->session_key, 0); + *key = tmp; +} + +/* + DES encrypt a 16 byte password buffer using the session key +*/ +void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +{ + struct samr_Password tmp; + des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1); + *pass = tmp; +} + +/* + DES decrypt a 16 byte password buffer using the session key +*/ +void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +{ + struct samr_Password tmp; + des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0); + *pass = tmp; +} + +/* + ARCFOUR encrypt/decrypt a password buffer using the session key +*/ +void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) +{ + DATA_BLOB session_key = data_blob(creds->session_key, 16); + + arcfour_crypt_blob(data, len, &session_key); + + data_blob_free(&session_key); +} + +/***************************************************************** +The above functions are common to the client and server interface +next comes the client specific functions +******************************************************************/ + +/* + initialise the credentials chain and return the first client + credentials +*/ + +struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, + const char *client_account, + const char *client_computer_name, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const struct samr_Password *machine_password, + struct netr_Credential *initial_credential, + uint32_t negotiate_flags) +{ + struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState); + + if (!creds) { + return NULL; + } + + creds->sequence = time(NULL); + creds->negotiate_flags = negotiate_flags; + + creds->computer_name = talloc_strdup(creds, client_computer_name); + if (!creds->computer_name) { + talloc_free(creds); + return NULL; + } + creds->account_name = talloc_strdup(creds, client_account); + if (!creds->account_name) { + talloc_free(creds); + return NULL; + } + + dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data)); + dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); + dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); + + if (negotiate_flags & NETLOGON_NEG_128BIT) { + netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password); + } else { + netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password); + } + + dump_data_pw("Session key", creds->session_key, 16); + dump_data_pw("Credential ", creds->client.data, 8); + + *initial_credential = creds->client; + return creds; +} + +/* + initialise the credentials structure with only a session key. The caller better know what they are doing! + */ + +struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, + const uint8_t session_key[16]) +{ + struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState); + + if (!creds) { + return NULL; + } + + memcpy(creds->session_key, session_key, 16); + + return creds; +} + +/* + step the credentials to the next element in the chain, updating the + current client and server credentials and the seed + + produce the next authenticator in the sequence ready to send to + the server +*/ +void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, + struct netr_Authenticator *next) +{ + creds->sequence += 2; + netlogon_creds_step(creds); + + next->cred = creds->client; + next->timestamp = creds->sequence; +} + +/* + check that a credentials reply from a server is correct +*/ +bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds, + const struct netr_Credential *received_credentials) +{ + if (!received_credentials || + memcmp(received_credentials->data, creds->server.data, 8) != 0) { + DEBUG(2,("credentials check failed\n")); + return false; + } + return true; +} + + +/***************************************************************** +The above functions are common to the client and server interface +next comes the server specific functions +******************************************************************/ + +/* + check that a credentials reply from a server is correct +*/ +static bool netlogon_creds_server_check_internal(const struct netlogon_creds_CredentialState *creds, + const struct netr_Credential *received_credentials) +{ + if (memcmp(received_credentials->data, creds->client.data, 8) != 0) { + DEBUG(2,("credentials check failed\n")); + dump_data_pw("client creds", creds->client.data, 8); + dump_data_pw("calc creds", received_credentials->data, 8); + return false; + } + return true; +} + +/* + initialise the credentials chain and return the first server + credentials +*/ +struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, + const char *client_account, + const char *client_computer_name, + uint16_t secure_channel_type, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const struct samr_Password *machine_password, + struct netr_Credential *credentials_in, + struct netr_Credential *credentials_out, + uint32_t negotiate_flags) +{ + + struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); + + if (!creds) { + return NULL; + } + + creds->negotiate_flags = negotiate_flags; + + creds->computer_name = talloc_strdup(creds, client_computer_name); + if (!creds->computer_name) { + talloc_free(creds); + return NULL; + } + creds->account_name = talloc_strdup(creds, client_account); + if (!creds->account_name) { + talloc_free(creds); + return NULL; + } + + if (negotiate_flags & NETLOGON_NEG_128BIT) { + netlogon_creds_init_128bit(creds, client_challenge, server_challenge, + machine_password); + } else { + netlogon_creds_init_64bit(creds, client_challenge, server_challenge, + machine_password); + } + + /* And before we leak information about the machine account + * password, check that they got the first go right */ + if (!netlogon_creds_server_check_internal(creds, credentials_in)) { + talloc_free(creds); + return NULL; + } + + *credentials_out = creds->server; + + return creds; +} + +NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator) +{ + if (!received_authenticator || !return_authenticator) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!creds) { + return NT_STATUS_ACCESS_DENIED; + } + + /* TODO: this may allow the a replay attack on a non-signed + connection. Should we check that this is increasing? */ + creds->sequence = received_authenticator->timestamp; + netlogon_creds_step(creds); + if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) { + return_authenticator->cred = creds->server; + return_authenticator->timestamp = creds->sequence; + return NT_STATUS_OK; + } else { + ZERO_STRUCTP(return_authenticator); + return NT_STATUS_ACCESS_DENIED; + } +} + +void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, + uint16_t validation_level, + union netr_Validation *validation) +{ + static const char zeros[16]; + + struct netr_SamBaseInfo *base = NULL; + switch (validation_level) { + case 2: + if (validation->sam2) { + base = &validation->sam2->base; + } + break; + case 3: + if (validation->sam3) { + base = &validation->sam3->base; + } + break; + case 6: + if (validation->sam6) { + base = &validation->sam6->base; + } + break; + default: + /* If we can't find it, we can't very well decrypt it */ + return; + } + + if (!base) { + return; + } + + /* find and decyrpt the session keys, return in parameters above */ + if (validation_level == 6) { + /* they aren't encrypted! */ + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (memcmp(base->key.key, zeros, + sizeof(base->key.key)) != 0) { + netlogon_creds_arcfour_crypt(creds, + base->key.key, + sizeof(base->key.key)); + } + + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + netlogon_creds_arcfour_crypt(creds, + base->LMSessKey.key, + sizeof(base->LMSessKey.key)); + } + } else { + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + netlogon_creds_des_decrypt_LMKey(creds, + &base->LMSessKey); + } + } +} + diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h new file mode 100644 index 0000000..b84b902 --- /dev/null +++ b/libcli/auth/credentials.h @@ -0,0 +1,84 @@ +/* + Unix SMB/CIFS implementation. + + code to manipulate domain credentials + -- Samba Shared Repository