-rw-r--r-- | libcli/auth/credentials.c | 9 | ||||
-rw-r--r-- | libcli/auth/proto.h | 6 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 6 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 12 | ||||
-rw-r--r-- | source4/winbind/wb_sam_logon.c | 6 |
5 files changed, 25 insertions, 14 deletions
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 63407e7988..d5bf1a6387 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -485,9 +485,9 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState } } -void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, - uint16_t validation_level, - union netr_Validation *validation) +void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, + uint16_t validation_level, + union netr_Validation *validation) { static const char zeros[16]; @@ -521,6 +521,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred if (validation_level == 6) { /* they aren't encrypted! */ } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(base->key.key, zeros, sizeof(base->key.key)) != 0) { netlogon_creds_aes_decrypt(creds, @@ -535,6 +536,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred sizeof(base->LMSessKey.key)); } } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(base->key.key, zeros, sizeof(base->key.key)) != 0) { netlogon_creds_arcfour_crypt(creds, @@ -549,6 +551,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred sizeof(base->LMSessKey.key)); } } else { + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(base->LMSessKey.key, zeros, sizeof(base->LMSessKey.key)) != 0) { netlogon_creds_des_decrypt_LMKey(creds, diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index b9d91d04ea..15900d470b 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h 
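Review bot: In libcli/auth/credentials.c the comment added to the AES, ARCFOUR and DES branches (hunks at -521, -535 and -549) gives the rule but not the reason, and it is repeated three times. I would state it once above the `if`/`else` chain and hedge what cannot be confirmed from here, since an all-zero field presumably means no session key was returned: `/* An all-zero key means no key was returned; decrypting it would emit bytes derived from the NETLOGON session key, so leave it zeroed. */`. That matters because callers such as wb_sam_logon_recv_samlogon pass the decrypted keys on to the other end of the winbindd pipe. In the final `else` branch only `base->LMSessKey` is checked in the visible lines; whether `base->key` is handled there lies outside the hunk and is worth confirming. The function body starts and ends outside these hunks and it still returns `void`, so a header comment saying that level 6 and all-zero keys are left untouched would make the contract explicit for callers.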
@@ -57,9 +57,9 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator) ; -void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, - uint16_t validation_level, - union netr_Validation *validation) ; +void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, + uint16_t validation_level, + union netr_Validation *validation); /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */ diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index a0a94578be..66a50a8f2d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -467,7 +467,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, return result; } - netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation); + netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level, + &validation); result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3); if (!NT_STATUS_IS_OK(result)) { @@ -575,7 +576,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, return result; } - netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation); + netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level, + &validation); result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3); if (!NT_STATUS_IS_OK(result)) { diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 8d13a6350e..bd85c229ac 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c 
@@ -176,7 +176,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r->in.validation_level; - netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation); + netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, + validation_level, + r->out.validation); switch (validation_level) { case 2: @@ -208,7 +210,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_ex->in.validation_level; - netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation); + netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, + validation_level, + r_ex->out.validation); switch (validation_level) { case 2: @@ -248,7 +252,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_flags->in.validation_level; - netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation); + netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, + validation_level, + r_flags->out.validation); switch (validation_level) { case 2: diff --git a/source4/winbind/wb_sam_logon.c b/source4/winbind/wb_sam_logon.c index 32fddd2e0a..e940082791 100644 --- a/source4/winbind/wb_sam_logon.c +++ b/source4/winbind/wb_sam_logon.c @@ -208,9 +208,9 @@ static void wb_sam_logon_recv_samlogon(struct tevent_req *subreq) /* Decrypt the session keys before we reform the info3, so the * person on the other end of winbindd pipe doesn't have to. * They won't have the encryption key anyway */ - netlogon_creds_decrypt_samlogon(state->creds_state, - state->r.in.validation_level, - state->r.out.validation); + netlogon_creds_decrypt_samlogon_validation(state->creds_state, + state->r.in.validation_level, + state->r.out.validation); /* * we do not need the netlogon_creds lock anymore |