The branch, master has been updated
       via  ade5bfd s4-torture: call the s4u2self tests with arcfour and aes.
       via  d0bad6c s4-torture: precalculate expected session keys from samlogon in schannel test.
       via  f6cb804 libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
       via  be296a2 libcli/auth: remove trailing whitespace.
       via  f2d9589 s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
       via  c1fb595 s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
       via  7f435bd s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
       via  6452892 s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
       via  7157263 s4-rpc_server: support AES encryption in interactive and generic samlogon.
       via  a52115c s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
       via  6aec126 s4-torture: validate owf password hash and negotiate AES in forest trust test.
       via  83b00af s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
       via  306a78d s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
       via  fd70870 s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
       via  4afb7dc s4-torture: exit early when join fails in samba3rpc tests.
       via  5089442 s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
       via  d94f012 s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
       via  3dffd29 s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
       via  7ea9da0 s4-torture: remove trailing whitespace in smbtorture remote_pac test.
       via  c6f4745 s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
       via  01e6970 s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
       via  3dc8c20 s4-torture: add AES support for netr_ServerPasswordSet2 tests.
       via  0a09160 s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
       via  d1f481f s4-torture: remove trailing whitespace from netlogon test.
       via  1362d54 s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
       via  6434501 s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
       via  ec06c81 s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
       via  429600c libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
      from  b6e2be8 wafsamba: replace try:except: case with explicit comment about FIPS mode
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ade5bfd304cc806758a58f04b35834cd730dd9ba
Author: Günther Deschner <g...@samba.org>
Date:   Fri Dec 7 12:51:10 2012 +0100

    s4-torture: call the s4u2self tests with arcfour and aes.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Sun Dec  9 21:24:44 CET 2012 on sn-devel-104

commit d0bad6c3350698b26ba009bb0c91d0265cc22f60
Author: Günther Deschner <g...@samba.org>
Date:   Fri Dec 7 12:57:18 2012 +0100

    s4-torture: precalculate expected session keys from samlogon in schannel test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5
Author: Günther Deschner <g...@samba.org>
Date:   Fri Dec 7 12:38:16 2012 +0100

    libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit be296a21fc509cacaedb5aad0c3ca4ccd44b4a62
Author: Günther Deschner <g...@samba.org>
Date:   Fri Dec 7 01:05:00 2012 +0100

    libcli/auth: remove trailing whitespace.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f2d9589b178c0e3374e1c1ad363639b9e2bdce5f
Author: Günther Deschner <g...@samba.org>
Date:   Thu Dec 6 15:21:02 2012 +0100

    s3-auth: remove crypto from serverinfo_to_SamInfoX calls.

    All crypto is dealt with within the netlogon samlogon server now.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c1fb595081c2b0bf66bce06c09750f53e8031311
Author: Günther Deschner <g...@samba.org>
Date:   Thu Dec 6 14:54:25 2012 +0100

    s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7f435bd649f0b313804f40807a38de9478478b6c
Author: Günther Deschner <g...@samba.org>
Date:   Thu Dec 6 14:31:32 2012 +0100

    s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 645289216eeb718eab1201dd3ad0a50fdf85753c
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 19:49:52 2012 +0100

    s3-rpc_server: support AES for interactive netlogon samlogon password decryption.

    Still need to fix AES support for the returned validation info.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 71572632bd33dcb5c03a701bbb72a707e5642237
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:24:24 2012 +0100

    s4-rpc_server: support AES encryption in interactive and generic samlogon.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a52115ce67c2e5bd1e478d7601483fd2490aea31
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 19:52:54 2012 +0100

    s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().

    Sumit, please check.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6aec126566d01dd9ddbbd5488f73b61729094a52
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 18:06:54 2012 +0100

    s4-torture: validate owf password hash and negotiate AES in forest trust test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 83b00afe9f2116ef04378c251070143595450a3e
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 17:59:12 2012 +0100

    s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 306a78d97f2fdfaa81c58bafdebcfab0fb8f1636
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:37:02 2012 +0100

    s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fd7087020344f7d24737e3be2f3afbd0417b0026
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 18:38:01 2012 +0100

    s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 4afb7dcb43c6903568c0fe2c2c2044706e9bd613
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:21:59 2012 +0100

    s4-torture: exit early when join fails in samba3rpc tests.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5089442bfdbeff7314e589387c3702f9c401e12a
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:20:14 2012 +0100

    s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d94f012f3fb428027709a9c8becf8edb85072463
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:23:34 2012 +0100

    s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3dffd29904b3de145941a7420d56b30611f9616f
Author: Günther Deschner <g...@samba.org>
Date:   Wed Dec 5 16:11:19 2012 +0100

    s4-torture: use names for r.in.logon_level of netlogon samlogon requests.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf
Author: Günther Deschner <g...@samba.org>
Date:   Tue Dec 4 23:11:10 2012 +0100

    s4-torture: remove trailing whitespace in smbtorture remote_pac test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c6f4745c5670e8da77078e19f2d6a3a485e7adc6
Author: Günther Deschner <g...@samba.org>
Date:   Sat Dec 1 00:59:44 2012 +0100

    s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 01e69703fb8c58ab1940bb560e34f6c3f10e0ae9
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 22:47:40 2012 +0100

    s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3dc8c20b8a94063c6578b60750757c5a40d7db38
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 22:47:19 2012 +0100

    s4-torture: add AES support for netr_ServerPasswordSet2 tests.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0a091604a45b4b143745a20fa842878ceb745c39
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 22:44:33 2012 +0100

    s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d1f481ffe17ce84ffddbedf1bd7efb0654e2807e
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 22:24:37 2012 +0100

    s4-torture: remove trailing whitespace from netlogon test.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1362d542df715aa31e9b818ee8783b5ee35f8870
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 21:35:04 2012 +0100

    s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 64345018cda744d16b123d6ef5c4a982340484dc
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 21:34:36 2012 +0100

    s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ec06c81db313f2862544c972cbf582a07bb844c2
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 21:30:24 2012 +0100

    s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 429600c5f3079c8433d5a542383908d6ff61fe60
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 29 21:23:30 2012 +0100

    libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/credentials.c                     | 118 +++++++----
 libcli/auth/proto.h                           |   2 +
 source3/auth/auth_util.c                      |  34 +---
 source3/auth/check_samsec.c                   |   2 +-
 source3/auth/proto.h                          |   9 +-
 source3/auth/server_info.c                    |  30 ---
 source3/rpc_client/cli_netlogon.c             |   7 +-
 source3/rpc_client/init_netlogon.c            |  12 +-
 source3/rpc_client/init_netlogon.h            |   2 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 110 ++++++---
 source3/torture/pdbtest.c                     |   2 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  35 +++-
 source4/torture/rpc/forest_trust.c            |  13 +-
 source4/torture/rpc/netlogon.c                | 296 +++++++++++++++----------
 source4/torture/rpc/remote_pac.c              | 226 +++++++++++++------
 source4/torture/rpc/samba3rpc.c               |  19 +-
 source4/torture/rpc/samlogon.c                |   4 +-
 source4/torture/rpc/samr.c                    |   7 +-
 source4/torture/rpc/samsync.c                 |   2 +-
 source4/torture/rpc/schannel.c                | 122 ++++++++++-
 20 files changed, 677 insertions(+), 375 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index dfbfdb3..63407e7 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. code to manipulate domain credentials Copyright (C) Andrew Tridgell 1997-2003 Copyright (C) Andrew Bartlett <abart...@samba.org> 2004 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -85,7 +85,7 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr memset(zero, 0, sizeof(zero)); - hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); + hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); MD5Init(&md5); MD5Update(&md5, zero, sizeof(zero)); MD5Update(&md5, client_challenge->data, 8); @@ -142,7 +142,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) { struct netr_Credential time_cred; - DEBUG(5,("\tseed %08x:%08x\n", + DEBUG(5,("\tseed %08x:%08x\n", IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4))); SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence); 
@@ -152,18 +152,18 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) netlogon_creds_step_crypt(creds, &time_cred, &creds->client); - DEBUG(5,("\tCLIENT %08x:%08x\n", + DEBUG(5,("\tCLIENT %08x:%08x\n", IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1); SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4)); - DEBUG(5,("\tseed+time+1 %08x:%08x\n", + DEBUG(5,("\tseed+time+1 %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); netlogon_creds_step_crypt(creds, &time_cred, &creds->server); - DEBUG(5,("\tSERVER %08x:%08x\n", + DEBUG(5,("\tSERVER %08x:%08x\n", IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); creds->seed = time_cred; @@ -222,6 +222,34 @@ void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, data_blob_free(&session_key); } +/* + AES encrypt a password buffer using the session key +*/ +void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) +{ + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + + AES_set_encrypt_key(creds->session_key, 128, &key); + ZERO_STRUCT(iv); + + aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT); +} + +/* + AES decrypt a password buffer using the session key +*/ +void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) +{ + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + + AES_set_encrypt_key(creds->session_key, 128, &key); + ZERO_STRUCT(iv); + + aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT); +} + /***************************************************************** The above functions are common to the client and server interface next comes the client specific functions 
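Review bot: the two routines added in the `@@ -222,6 +222,34 @@` hunk of libcli/auth/credentials.c, netlogon_creds_aes_encrypt() and netlogon_creds_aes_decrypt(), differ only in the final `AES_ENCRYPT`/`AES_DECRYPT` argument, and neither explains why the key schedule is built with `AES_set_encrypt_key` in both directions (correct for CFB8, where the block cipher only ever runs forward) or why the IV is fixed to all zeros by `ZERO_STRUCT(iv)`; a shared static helper taking the direction flag, plus a comment stating that AES-128-CFB8 with a zero IV is what the peer expects, would make both choices visibly deliberate and keep the two copies from drifting apart. Because key and IV are identical on every call, the same session key and plaintext always produce the same ciphertext, which is worth saying in that comment so nobody later mistakes this for a randomised mode. The header comment "AES encrypt a password buffer using the session key" is also narrower than the actual use: the decrypt routine is applied to `base->key.key` and `base->LMSessKey.key` in netlogon_creds_decrypt_samlogon() further down, so "encrypt/decrypt a buffer (password or session key) in place" is more accurate. The return value of `AES_set_encrypt_key` is ignored; harmless for a fixed 128-bit key, but cheap to check.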
@@ -231,10 +259,10 @@ next comes the client specific functions initialise the credentials chain and return the first client credentials */ - -struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, + +struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, const char *client_account, - const char *client_computer_name, + const char *client_computer_name, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, const struct samr_Password *machine_password, @@ -242,11 +270,11 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me uint32_t negotiate_flags) { struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); - + if (!creds) { return NULL; } - + creds->sequence = time(NULL); creds->negotiate_flags = negotiate_flags; @@ -289,7 +317,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me initialise the credentials structure with only a session key. The caller better know what they are doing! */ -struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, +struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, const uint8_t session_key[16]) { struct netlogon_creds_CredentialState *creds; @@ -298,7 +326,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA if (!creds) { return NULL; } - + memcpy(creds->session_key, session_key, 16); return creds; 
@@ -308,12 +336,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA step the credentials to the next element in the chain, updating the current client and server credentials and the seed - produce the next authenticator in the sequence ready to send to + produce the next authenticator in the sequence ready to send to the server */ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, struct netr_Authenticator *next) -{ +{ creds->sequence += 2; netlogon_creds_step(creds); @@ -327,7 +355,7 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState * bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds, const struct netr_Credential *received_credentials) { - if (!received_credentials || + if (!received_credentials || memcmp(received_credentials->data, creds->server.data, 8) != 0) { DEBUG(2,("credentials check failed\n")); return false; @@ -360,9 +388,9 @@ static bool netlogon_creds_server_check_internal(const struct netlogon_creds_Cre initialise the credentials chain and return the first server credentials */ -struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, +struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, const char *client_account, - const char *client_computer_name, + const char *client_computer_name, uint16_t secure_channel_type, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, @@ -371,13 +399,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me struct netr_Credential *credentials_out, uint32_t negotiate_flags) { - + struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); - + if (!creds) { return NULL; } - + creds->negotiate_flags = negotiate_flags; creds->secure_channel_type = secure_channel_type; 
@@ -402,10 +430,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me server_challenge, machine_password); } else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { - netlogon_creds_init_128bit(creds, client_challenge, server_challenge, + netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password); } else { - netlogon_creds_init_64bit(creds, client_challenge, server_challenge, + netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password); } @@ -433,7 +461,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds, struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator) + struct netr_Authenticator *return_authenticator) { if (!received_authenticator || !return_authenticator) { return NT_STATUS_INVALID_PARAMETER; @@ -459,7 +487,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation) + union netr_Validation *validation) { static const char zeros[16]; 
@@ -492,28 +520,42 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred /* find and decyrpt the session keys, return in parameters above */ if (validation_level == 6) { /* they aren't encrypted! */ + } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + if (memcmp(base->key.key, zeros, + sizeof(base->key.key)) != 0) { + netlogon_creds_aes_decrypt(creds, + base->key.key, + sizeof(base->key.key)); + } + + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + netlogon_creds_aes_decrypt(creds, + base->LMSessKey.key, + sizeof(base->LMSessKey.key)); + } } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - if (memcmp(base->key.key, zeros, + if (memcmp(base->key.key, zeros, sizeof(base->key.key)) != 0) { - netlogon_creds_arcfour_crypt(creds, - base->key.key, + netlogon_creds_arcfour_crypt(creds, + base->key.key, sizeof(base->key.key)); } - - if (memcmp(base->LMSessKey.key, zeros, + + if (memcmp(base->LMSessKey.key, zeros, sizeof(base->LMSessKey.key)) != 0) { - netlogon_creds_arcfour_crypt(creds, - base->LMSessKey.key, + netlogon_creds_arcfour_crypt(creds, + base->LMSessKey.key, sizeof(base->LMSessKey.key)); } } else { - if (memcmp(base->LMSessKey.key, zeros, + if (memcmp(base->LMSessKey.key, zeros, sizeof(base->LMSessKey.key)) != 0) { - netlogon_creds_des_decrypt_LMKey(creds, + netlogon_creds_des_decrypt_LMKey(creds, &base->LMSessKey); } } -} +} /* copy a netlogon_creds_CredentialState struct diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 37c87b4..b9d91d0 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h 
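Review bot: in the `@@ -492,28 +520,42 @@` hunk of netlogon_creds_decrypt_samlogon() the new `NETLOGON_NEG_SUPPORTS_AES` branch is tested before `NETLOGON_NEG_ARCFOUR`, so a peer that negotiated both flags has its session keys decrypted with AES; that precedence has to match exactly what the encrypting side chose, and nothing in the hunk records it, so a one-line comment ("AES takes precedence over RC4 when both were negotiated, as on the encrypting side") would stop a later reorder from silently yielding garbage keys. The AES block is otherwise a verbatim copy of the ARCFOUR block with the function name swapped, repeated for both `key.key` and `LMSessKey.key`; a small local helper that takes the cipher routine as a function pointer and does the all-zeros check once would remove the duplication across all three branches. While this function is being edited, the pre-existing typo "decyrpt" in the untouched comment just above the hunk could be fixed too.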
@@ -16,6 +16,8 @@ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *cre void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); +void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); +void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); /***************************************************************** The above functions are common to the client and server interface diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 83c95a9..b75a390 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key) + const uchar nt_interactive_pwd[16]) { struct samr_Password lm_pwd; struct samr_Password nt_pwd; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - unsigned char key[16]; - - memcpy(key, dc_sess_key, 16); if (lm_interactive_pwd) memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash)); 
@@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in if (nt_interactive_pwd) memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); -#ifdef DEBUG_PASSWORD - DEBUG(100,("key:")); - dump_data(100, key, sizeof(key)); - - DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash)); - - DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash)); -#endif - - if (lm_interactive_pwd) - arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash)); - - if (nt_interactive_pwd) - arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash)); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd)); - - DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd)); -#endif - if (lm_interactive_pwd) SMBOWFencrypt(lm_pwd.hash, chal, local_lm_response); @@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in SMBOWFencrypt(nt_pwd.hash, chal, local_nt_response); - /* Password info paranoia */ - ZERO_STRUCT(key); - { bool ret; NTSTATUS nt_status; diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c index 2d3cb65..7ed8cc2 100644 --- a/source3/auth/check_samsec.c +++ b/source3/auth/check_samsec.c @@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge, goto done; } - status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3); + status = serverinfo_to_SamInfo3(server_info, info3); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n", nt_errstr(status))); diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 98b48df..76661fc 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h 
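Review bot: with the `dc_sess_key` parameter and the `arcfour_crypt()` calls gone from make_user_info_netlogon_interactive() in the two source3/auth/auth_util.c hunks (`@@ -207,16 +207,12 @@` and `@@ -224,31 +220,6 @@`), the function now trusts its callers to hand it already-decrypted OWF hashes, and the only explicit wipe it had, `ZERO_STRUCT(key)` under "Password info paranoia", is removed with it; the local `lm_pwd` and `nt_pwd` copies of those hashes are still made by the `memcpy` calls that remain in the first hunk, and nothing visible clears them once `SMBOWFencrypt` has produced `local_lm_response`/`local_nt_response`, so a `ZERO_STRUCT(lm_pwd); ZERO_STRUCT(nt_pwd);` after the responses are computed would keep the previous hygiene. Dropping the `DEBUG(100, ...)` dumps that wrote the session key and the decrypted OWFs to the log is a welcome side effect, but it deserves a sentence in the commit message, and the function's header comment should now state that the interactive hashes must arrive decrypted, so that a new caller does not pass the still-encrypted on-wire buffers; the updated prototype in the source3/auth/proto.h hunk below is the only place the new contract is currently visible.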
@@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key); + const uchar nt_interactive_pwd[16]); bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, @@ -277,16 +276,10 @@ struct netr_SamInfo6; struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx); NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo2 *sam2); NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo3 *sam3); NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo6 *sam6); NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, struct samu *samu, diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 216e5e3..3f4f708 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c @@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo2 *sam2) { struct netr_SamInfo3 *info3; 
@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } } sam2->base = info3->base; @@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo3 *sam3) { struct netr_SamInfo3 *info3; @@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } } sam3->base = info3->base; @@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo6 *sam6) { struct pdb_domain_info *dominfo; 
@@ -176,20 +154,12 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } -- Samba Shared Repository
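Review bot: the three serverinfo_to_SamInfo{2,3,6}() hunks in source3/auth/server_info.c remove the `arcfour_crypt()` of `info3->base.key.key` and `info3->base.LMSessKey.key`, so these structures now leave the function with the session keys in the clear; the commit message relies on the netlogon samlogon server re-encrypting them, but the matching change to source3/rpc_server/netlogon/srv_netlog_nt.c lies beyond the 500-line truncation and cannot be checked here, and the new call shape `serverinfo_to_SamInfo3(server_info, info3)` in the source3/auth/check_samsec.c hunk gives no hint of where encryption now happens. A comment on each of the three functions stating that the returned keys are plaintext and must be encrypted (RC4 or AES according to the negotiated flags) before being put on the wire would document the new contract, and it is worth confirming that every remaining caller reaches the netlogon server path rather than serialising the structure directly. The removed `pipe_session_key_len` parameter was never used for bounds checking (the deleted calls hard-code 16 and 8), so nothing is lost by dropping it.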