summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2012-12-05 16:24:24 +0100
committerStefan Metzmacher <metze@samba.org>2012-12-09 19:39:08 +0100
commit71572632bd33dcb5c03a701bbb72a707e5642237 (patch)
treee6632336195ec549d58df4149ef9863f6feda798
parenta52115ce67c2e5bd1e478d7601483fd2490aea31 (diff)
downloadsamba-71572632bd33dcb5c03a701bbb72a707e5642237.tar.gz
s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c28
1 files changed, 23 insertions, 5 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5db4fd12012..3eaf0d4e1df 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -635,7 +635,14 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case NetlogonServiceInformation:
case NetlogonInteractiveTransitiveInformation:
case NetlogonServiceTransitiveInformation:
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_decrypt(creds,
+ r->in.logon->password->lmpassword.hash,
+ sizeof(r->in.logon->password->lmpassword.hash));
+ netlogon_creds_aes_decrypt(creds,
+ r->in.logon->password->ntpassword.hash,
+ sizeof(r->in.logon->password->ntpassword.hash));
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds,
r->in.logon->password->lmpassword.hash,
sizeof(r->in.logon->password->lmpassword.hash));
@@ -698,7 +705,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case NetlogonGenericInformation:
{
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_decrypt(creds,
+ r->in.logon->generic->data, r->in.logon->generic->length);
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds,
r->in.logon->generic->data, r->in.logon->generic->length);
} else {
@@ -811,8 +821,12 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
/* It appears that level 6 is not individually encrypted */
if ((r->in.validation_level != 6) &&
memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
- /* This key is sent unencrypted without the ARCFOUR flag set */
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ /* This key is sent unencrypted without the ARCFOUR or AES flag set */
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_encrypt(creds,
+ sam->key.key,
+ sizeof(sam->key.key));
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds,
sam->key.key,
sizeof(sam->key.key));
@@ -823,7 +837,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
/* It appears that level 6 is not individually encrypted */
if ((r->in.validation_level != 6) &&
memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_encrypt(creds,
+ sam->LMSessKey.key,
+ sizeof(sam->LMSessKey.key));
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds,
sam->LMSessKey.key,
sizeof(sam->LMSessKey.key));