mirror of
https://github.com/samba-team/samba.git
synced 2025-08-31 22:02:58 +03:00
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Günther Deschner
committed by
Stefan Metzmacher
Stefan Metzmacher
parent
71572632bd
commit
645289216e
@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
|
|||||||
uint32 logon_parameters,
|
uint32 logon_parameters,
|
||||||
const uchar chal[8],
|
const uchar chal[8],
|
||||||
const uchar lm_interactive_pwd[16],
|
const uchar lm_interactive_pwd[16],
|
||||||
const uchar nt_interactive_pwd[16],
|
const uchar nt_interactive_pwd[16])
|
||||||
const uchar *dc_sess_key)
|
|
||||||
{
|
{
|
||||||
struct samr_Password lm_pwd;
|
struct samr_Password lm_pwd;
|
||||||
struct samr_Password nt_pwd;
|
struct samr_Password nt_pwd;
|
||||||
unsigned char local_lm_response[24];
|
unsigned char local_lm_response[24];
|
||||||
unsigned char local_nt_response[24];
|
unsigned char local_nt_response[24];
|
||||||
unsigned char key[16];
|
|
||||||
|
|
||||||
memcpy(key, dc_sess_key, 16);
|
|
||||||
|
|
||||||
if (lm_interactive_pwd)
|
if (lm_interactive_pwd)
|
||||||
memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
|
memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
|
||||||
@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
|
|||||||
if (nt_interactive_pwd)
|
if (nt_interactive_pwd)
|
||||||
memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
|
memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
|
||||||
|
|
||||||
#ifdef DEBUG_PASSWORD
|
|
||||||
DEBUG(100,("key:"));
|
|
||||||
dump_data(100, key, sizeof(key));
|
|
||||||
|
|
||||||
DEBUG(100,("lm owf password:"));
|
|
||||||
dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
|
|
||||||
|
|
||||||
DEBUG(100,("nt owf password:"));
|
|
||||||
dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (lm_interactive_pwd)
|
|
||||||
arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
|
|
||||||
|
|
||||||
if (nt_interactive_pwd)
|
|
||||||
arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
|
|
||||||
|
|
||||||
#ifdef DEBUG_PASSWORD
|
|
||||||
DEBUG(100,("decrypt of lm owf password:"));
|
|
||||||
dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
|
|
||||||
|
|
||||||
DEBUG(100,("decrypt of nt owf password:"));
|
|
||||||
dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (lm_interactive_pwd)
|
if (lm_interactive_pwd)
|
||||||
SMBOWFencrypt(lm_pwd.hash, chal,
|
SMBOWFencrypt(lm_pwd.hash, chal,
|
||||||
local_lm_response);
|
local_lm_response);
|
||||||
@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
|
|||||||
SMBOWFencrypt(nt_pwd.hash, chal,
|
SMBOWFencrypt(nt_pwd.hash, chal,
|
||||||
local_nt_response);
|
local_nt_response);
|
||||||
|
|
||||||
/* Password info paranoia */
|
|
||||||
ZERO_STRUCT(key);
|
|
||||||
|
|
||||||
{
|
{
|
||||||
bool ret;
|
bool ret;
|
||||||
NTSTATUS nt_status;
|
NTSTATUS nt_status;
|
||||||
|
|||||||
@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
|
|||||||
uint32 logon_parameters,
|
uint32 logon_parameters,
|
||||||
const uchar chal[8],
|
const uchar chal[8],
|
||||||
const uchar lm_interactive_pwd[16],
|
const uchar lm_interactive_pwd[16],
|
||||||
const uchar nt_interactive_pwd[16],
|
const uchar nt_interactive_pwd[16]);
|
||||||
const uchar *dc_sess_key);
|
|
||||||
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
|
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
|
||||||
const char *smb_name,
|
const char *smb_name,
|
||||||
const char *client_domain,
|
const char *client_domain,
|
||||||
|
|||||||
@ -1596,6 +1596,39 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|||||||
{
|
{
|
||||||
uint8_t chal[8];
|
uint8_t chal[8];
|
||||||
|
|
||||||
|
#ifdef DEBUG_PASSWORD
|
||||||
|
DEBUG(100,("lm owf password:"));
|
||||||
|
dump_data(100, logon->password->lmpassword.hash, 16);
|
||||||
|
|
||||||
|
DEBUG(100,("nt owf password:"));
|
||||||
|
dump_data(100, logon->password->ntpassword.hash, 16);
|
||||||
|
#endif
|
||||||
|
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||||
|
netlogon_creds_aes_decrypt(creds,
|
||||||
|
logon->password->lmpassword.hash,
|
||||||
|
16);
|
||||||
|
netlogon_creds_aes_decrypt(creds,
|
||||||
|
logon->password->ntpassword.hash,
|
||||||
|
16);
|
||||||
|
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
|
||||||
|
netlogon_creds_arcfour_crypt(creds,
|
||||||
|
logon->password->lmpassword.hash,
|
||||||
|
16);
|
||||||
|
netlogon_creds_arcfour_crypt(creds,
|
||||||
|
logon->password->ntpassword.hash,
|
||||||
|
16);
|
||||||
|
} else {
|
||||||
|
netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
|
||||||
|
netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef DEBUG_PASSWORD
|
||||||
|
DEBUG(100,("decrypt of lm owf password:"));
|
||||||
|
dump_data(100, logon->password->lmpassword.hash, 16);
|
||||||
|
|
||||||
|
DEBUG(100,("decrypt of nt owf password:"));
|
||||||
|
dump_data(100, logon->password->ntpassword.hash, 16);
|
||||||
|
#endif
|
||||||
status = make_auth_context_subsystem(talloc_tos(),
|
status = make_auth_context_subsystem(talloc_tos(),
|
||||||
&auth_context);
|
&auth_context);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
@ -1611,8 +1644,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|||||||
logon->password->identity_info.parameter_control,
|
logon->password->identity_info.parameter_control,
|
||||||
chal,
|
chal,
|
||||||
logon->password->lmpassword.hash,
|
logon->password->lmpassword.hash,
|
||||||
logon->password->ntpassword.hash,
|
logon->password->ntpassword.hash)) {
|
||||||
creds->session_key)) {
|
|
||||||
status = NT_STATUS_NO_MEMORY;
|
status = NT_STATUS_NO_MEMORY;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|||||||
Reference in New Issue
Block a user