authorAlexander Bokovoy <ab@samba.org>2012-03-02 16:18:16 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-03-13 12:23:44 +0100
commit7d4ed899831a853ec2eef8dcd82d74fdbf568f0e (patch)
tree4ff03d559933f3b11ae4c96a3ad357ff4abcda89 /source3/auth
parente25f830f1df323607999179e00a5a39197bf02ea (diff)
s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.
On LSA and SAMR pipes the session_key is truncated to 16 bytes when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As a result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing the "session_extract_session_key()" function, which lets the caller specify the intended use of the key. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c28
-rw-r--r--source3/auth/proto.h1
2 files changed, 29 insertions, 0 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 21a8642751..4f6ebfa4a4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1618,3 +1618,31 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
return status;
}
+
+/*
+ Extract session key from a session info and return it in a blob
+ if intent is KEY_USE_16BYTES, truncate it to 16 bytes
+
+ See sections 3.2.4.15 and 3.3.4.2 of MS-SMB
+ Also see https://lists.samba.org/archive/cifs-protocol/2012-January/002265.html for details
+
+ Note that returned session_key is referencing the original key, it is supposed to be
+ short-lived. If original session_info->session_key is gone, the reference will be broken.
+*/
+NTSTATUS session_extract_session_key(const struct auth_session_info *session_info, DATA_BLOB *session_key, enum session_key_use_intent intent)
+{
+
+ if (session_key == NULL || session_info == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (session_info->session_key.length == 0) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ *session_key = session_info->session_key;
+ if (intent == KEY_USE_16BYTES) {
+ session_key->length = MIN(session_info->session_key.length, 16);
+ }
+ return NT_STATUS_OK;
+}
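Review bot: On both early-return paths of session_extract_session_key() the out-parameter `*session_key` is never written, so a caller that does not check the returned NTSTATUS would go on to encrypt or decrypt with whatever its DATA_BLOB happened to contain. I would split the first check so that `if (session_key == NULL) return NT_STATUS_INVALID_PARAMETER;` comes first, followed by `*session_key = data_blob_null;`, and only then test `session_info`. The struct copy also hands out a writable `data` pointer into a `const` session_info, so the header comment should state that callers must not free, clear or modify the returned blob, since doing so would change or invalidate the session's own key. As a point of style, the literal `16` in the `MIN()` call would be easier to audit as a named constant that refers to the MS-SMB sections cited in the comment.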
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 01e2934dc7..44ae9097a5 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -248,6 +248,7 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info **server_info);
void free_user_info(struct auth_usersupplied_info **user_info);
bool is_trusted_domain(const char* dom_name);
+NTSTATUS session_extract_session_key(const struct auth_session_info *session_info, DATA_BLOB *session_key, enum session_key_use_intent intent);
/* The following definitions come from auth/user_info.c */