diff options
author | Günther Deschner <gd@samba.org> | 2012-12-05 19:49:52 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-12-09 19:39:08 +0100 |
commit | 645289216eeb718eab1201dd3ad0a50fdf85753c (patch) | |
tree | a55f5da7017db41cfe42b9c48069b45aaf07cde3 | |
parent | 71572632bd33dcb5c03a701bbb72a707e5642237 (diff) | |
download | samba-645289216eeb718eab1201dd3ad0a50fdf85753c.tar.gz samba-645289216eeb718eab1201dd3ad0a50fdf85753c.tar.bz2 samba-645289216eeb718eab1201dd3ad0a50fdf85753c.zip |
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/auth/auth_util.c | 34 | ||||
-rw-r--r-- | source3/auth/proto.h | 3 | ||||
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 36 |
3 files changed, 36 insertions, 37 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 83c95a9d4d..b75a390f36 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key) + const uchar nt_interactive_pwd[16]) { struct samr_Password lm_pwd; struct samr_Password nt_pwd; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - unsigned char key[16]; - - memcpy(key, dc_sess_key, 16); if (lm_interactive_pwd) memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash)); @@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in if (nt_interactive_pwd) memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); -#ifdef DEBUG_PASSWORD - DEBUG(100,("key:")); - dump_data(100, key, sizeof(key)); - - DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash)); - - DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash)); -#endif - - if (lm_interactive_pwd) - arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash)); - - if (nt_interactive_pwd) - arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash)); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd)); - - DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd)); -#endif - if (lm_interactive_pwd) SMBOWFencrypt(lm_pwd.hash, chal, local_lm_response); @@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in SMBOWFencrypt(nt_pwd.hash, chal, local_nt_response); - /* Password info paranoia */ - ZERO_STRUCT(key); - { bool ret; NTSTATUS nt_status; diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 98b48df998..6c9967227e 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key); + const uchar nt_interactive_pwd[16]); bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 16542f8306..cb932b473a 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1596,6 +1596,39 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, { uint8_t chal[8]; +#ifdef DEBUG_PASSWORD + DEBUG(100,("lm owf password:")); + dump_data(100, logon->password->lmpassword.hash, 16); + + DEBUG(100,("nt owf password:")); + dump_data(100, logon->password->ntpassword.hash, 16); +#endif + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, + logon->password->lmpassword.hash, + 16); + netlogon_creds_aes_decrypt(creds, + logon->password->ntpassword.hash, + 16); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(creds, + logon->password->lmpassword.hash, + 16); + netlogon_creds_arcfour_crypt(creds, + logon->password->ntpassword.hash, + 16); + } else { + netlogon_creds_des_decrypt(creds, &logon->password->lmpassword); + netlogon_creds_des_decrypt(creds, &logon->password->ntpassword); + } + +#ifdef DEBUG_PASSWORD + DEBUG(100,("decrypt of lm owf password:")); + dump_data(100, logon->password->lmpassword.hash, 16); + + DEBUG(100,("decrypt of nt owf password:")); + dump_data(100, logon->password->ntpassword.hash, 16); +#endif status = make_auth_context_subsystem(talloc_tos(), &auth_context); if (!NT_STATUS_IS_OK(status)) { @@ -1611,8 +1644,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, logon->password->identity_info.parameter_control, chal, logon->password->lmpassword.hash, - logon->password->ntpassword.hash, - creds->session_key)) { + logon->password->ntpassword.hash)) { status = NT_STATUS_NO_MEMORY; } break; |