s4-rpc_server: support AES encryption in interactive and generic samlogon.
authorGünther Deschner <gd@samba.org>
Wed, 5 Dec 2012 15:24:24 +0000 (16:24 +0100)
committerStefan Metzmacher <metze@samba.org>
Sun, 9 Dec 2012 18:39:08 +0000 (19:39 +0100)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 5db4fd120121a479893a808372d24524547a0b1d..3eaf0d4e1df2279df2169789b7d56e2cb54bc7f4 100644 (file)
@@ -635,7 +635,14 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
        case NetlogonServiceInformation:
        case NetlogonInteractiveTransitiveInformation:
        case NetlogonServiceTransitiveInformation:
-               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+                       netlogon_creds_aes_decrypt(creds,
+                                                  r->in.logon->password->lmpassword.hash,
+                                                  sizeof(r->in.logon->password->lmpassword.hash));
+                       netlogon_creds_aes_decrypt(creds,
+                                                  r->in.logon->password->ntpassword.hash,
+                                                  sizeof(r->in.logon->password->ntpassword.hash));
+               } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                        netlogon_creds_arcfour_crypt(creds,
                                            r->in.logon->password->lmpassword.hash,
                                            sizeof(r->in.logon->password->lmpassword.hash));
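Review bot: The new AES branch dereferences `r->in.logon->password` to decrypt the LM and NT hashes in place, and nothing in this hunk shows that pointer being checked. The same holds for `r->in.logon->generic` and its request-supplied `length` in the NetlogonGenericInformation hunk. Both values come from the request, and the body of dcesrv_netr_LogonSamLogon_base starts and ends outside the hunk, so an earlier check may exist; if it does not, a request that omits the pointer would fault the server before any cipher runs. A guard ahead of the flag test, for example `if (r->in.logon->password == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, would cover the AES, ARCFOUR and fallback paths at once.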
@@ -698,7 +705,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 
        case NetlogonGenericInformation:
        {
-               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+                       netlogon_creds_aes_decrypt(creds,
+                                           r->in.logon->generic->data, r->in.logon->generic->length);
+               } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                        netlogon_creds_arcfour_crypt(creds,
                                            r->in.logon->generic->data, r->in.logon->generic->length);
                } else {
@@ -811,8 +821,12 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
        /* It appears that level 6 is not individually encrypted */
        if ((r->in.validation_level != 6) &&
            memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
-               /* This key is sent unencrypted without the ARCFOUR flag set */
-               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               /* This key is sent unencrypted without the ARCFOUR or AES flag set */
+               if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+                       netlogon_creds_aes_encrypt(creds,
+                                           sam->key.key,
+                                           sizeof(sam->key.key));
+               } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                        netlogon_creds_arcfour_crypt(creds,
                                            sam->key.key,
                                            sizeof(sam->key.key));
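Review bot: The updated comment records that the user session key leaves the server unencrypted when the session negotiated neither AES nor ARCFOUR, and the added branch keeps that fall-through reachable. The else side of this test is outside the hunk, so this reading rests on the comment rather than on visible code. The comment would be more useful to a maintainer if it stated the consequence and where it is controlled, for example `/* Neither AES nor ARCFOUR negotiated: key is returned in the clear. TODO: confirm such sessions are rejected or logged at negotiation time. */`.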
@@ -823,7 +837,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
        /* It appears that level 6 is not individually encrypted */
        if ((r->in.validation_level != 6) &&
            memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
-               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+                       netlogon_creds_aes_encrypt(creds,
+                                           sam->LMSessKey.key,
+                                           sizeof(sam->LMSessKey.key));
+               } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                        netlogon_creds_arcfour_crypt(creds,
                                            sam->LMSessKey.key,
                                            sizeof(sam->LMSessKey.key));
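Review bot: This is the fourth copy of the same AES-then-ARCFOUR selection on `creds->negotiate_flags` in dcesrv_netr_LogonSamLogon_base, after the two decrypt sites and the `sam->key.key` encrypt site in the earlier hunks. Keeping the cipher preference order in four places makes it easy for a later policy change, such as refusing ARCFOUR, to miss one site and leave a weaker path in place. Consider moving the selection into one static helper per direction (decrypt and encrypt). Until then, a comment at each site such as `/* Cipher order: AES, then ARCFOUR; keep in sync with the other samlogon sites in this function */` would document the coupling. The fallback branch of this test is outside the hunk.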