From c7319fce604d5f89a89094b6b18ef459a347aef8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 25 Apr 2013 17:01:00 +0200 Subject: [PATCH] libcli/auth: add netlogon_creds_[de|en]crypt_samlogon_logon() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++ libcli/auth/proto.h | 6 ++ 2 files changed, 124 insertions(+) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 2e9c87e8f62..78a8d7ad6c8 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential validation, true); } +static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, + enum netr_LogonInfoClass level, + union netr_LogonLevel *logon, + bool encrypt) +{ + static const char zeros[16]; + + if (logon == NULL) { + return; + } + + switch (level) { + case NetlogonInteractiveInformation: + case NetlogonInteractiveTransitiveInformation: + case NetlogonServiceInformation: + case NetlogonServiceTransitiveInformation: + if (logon->password == NULL) { + return; + } + + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + uint8_t *h; + + h = logon->password->lmpassword.hash; + if (memcmp(h, zeros, 16) != 0) { + if (encrypt) { + netlogon_creds_aes_encrypt(creds, h, 16); + } else { + netlogon_creds_aes_decrypt(creds, h, 16); + } + } + + h = logon->password->ntpassword.hash; + if (memcmp(h, zeros, 16) != 0) { + if (encrypt) { + netlogon_creds_aes_encrypt(creds, h, 16); + } else { + netlogon_creds_aes_decrypt(creds, h, 16); + } + } + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + uint8_t *h; + + h = logon->password->lmpassword.hash; + if (memcmp(h, zeros, 16) != 0) { + netlogon_creds_arcfour_crypt(creds, h, 16); + } + + h = logon->password->ntpassword.hash; + if (memcmp(h, zeros, 16) != 0) { + netlogon_creds_arcfour_crypt(creds, h, 16); + } + } else { + struct samr_Password *p; + + p = &logon->password->lmpassword; + if (memcmp(p->hash, zeros, 16) != 0) { + if (encrypt) { + netlogon_creds_des_encrypt(creds, p); + } else { + netlogon_creds_des_decrypt(creds, p); + } + } + p = &logon->password->ntpassword; + if (memcmp(p->hash, zeros, 16) != 0) { + if (encrypt) { + netlogon_creds_des_encrypt(creds, p); + } else { + netlogon_creds_des_decrypt(creds, p); + } + } + } + break; + + case NetlogonNetworkInformation: + case NetlogonNetworkTransitiveInformation: + break; + + case NetlogonGenericInformation: + if (logon->generic == NULL) { + return; + } + + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + if (encrypt) { + netlogon_creds_aes_encrypt(creds, + logon->generic->data, + logon->generic->length); + } else { + netlogon_creds_aes_decrypt(creds, + logon->generic->data, + logon->generic->length); + } + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(creds, + logon->generic->data, + logon->generic->length); + } else { + /* Using DES to verify kerberos tickets makes no sense */ + } + break; + } +} + +void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, + enum netr_LogonInfoClass level, + union netr_LogonLevel *logon) +{ + netlogon_creds_crypt_samlogon_logon(creds, level, logon, false); +} + +void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, + enum netr_LogonInfoClass level, + union netr_LogonLevel *logon) +{ + netlogon_creds_crypt_samlogon_logon(creds, level, logon, true); +} + /* copy a netlogon_creds_CredentialState struct */ diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 6bc18d78205..110e039eaec 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h @@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, union netr_Validation *validation); +void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, + enum netr_LogonInfoClass level, + union netr_LogonLevel *logon); +void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, + enum netr_LogonInfoClass level, + union netr_LogonLevel *logon); /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */