dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
- if (negotiate_flags & NETLOGON_NEG_128BIT) {
+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
} else {
netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
struct netr_Credential *credentials_out,
uint32_t negotiate_flags)
{
-
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
+ bool ok = false;
+ bool try_strong = true;
+ bool try_weak = true;
+ bool fallback = false;
+
if (!creds) {
return NULL;
}
return NULL;
}
- if (negotiate_flags & NETLOGON_NEG_128BIT) {
+ if (!ok && try_strong) {
+ if (fallback) {
+ DEBUG(2,("credentials check fallback to strong key\n"));
+ }
+ creds->negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
machine_password);
- } else {
+ netlogon_creds_first_step(creds, client_challenge, server_challenge);
+ ok = netlogon_creds_server_check_internal(creds, credentials_in);
+ if (!ok) {
+ creds->negotiate_flags &= ~NETLOGON_NEG_STRONG_KEYS;
+ fallback = true;
+ }
+ }
+
+ if (!ok && try_weak) {
+ if (fallback) {
+ DEBUG(2,("credentials check fallback to weak key\n"));
+ }
+ creds->negotiate_flags &= ~NETLOGON_NEG_STRONG_KEYS;
netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
machine_password);
+ netlogon_creds_first_step(creds, client_challenge, server_challenge);
+ ok = netlogon_creds_server_check_internal(creds, credentials_in);
}
- netlogon_creds_first_step(creds, client_challenge, server_challenge);
-
/* And before we leak information about the machine account
* password, check that they got the first go right */
- if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
+ if (!ok) {
talloc_free(creds);
return NULL;
}
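Review bot: The weak-key block at `if (!ok && try_weak)` runs whenever the strong check fails, and in the lines shown `try_strong` and `try_weak` are both initialised to `true` and never narrowed, so a caller that passed NETLOGON_NEG_STRONG_KEYS in `negotiate_flags` can still be authenticated with the 64-bit key derivation. If that leniency is intended for interoperability, it should be bounded by policy rather than unconditional, for example by letting the caller state whether weak keys are permitted, or at minimum by documenting it above the block: `/* Weak key accepted regardless of negotiate_flags; callers must inspect creds->negotiate_flags before trusting the session key strength. */`. The fallback is reported only through `DEBUG(2, ...)`, which a low default log level is unlikely to capture, so a successful weak-key authentication after a failed strong attempt deserves a message at a level operators will see. The function begins in the previous hunk and continues past the last line shown here, so the flags may be adjusted in code outside this view.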