git.samba.org / kai / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
[kai/samba.git] / source3 / rpc_server / netlogon / srv_netlog_nt.c
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index f6f6d874a46da4c8d25c6938f3f06cfe33ad4d61..aef97e4f9a64e4d8655eb917db1295970d12c9fd 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -909,6 +909,10 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
        }
 
+       if (in_neg_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
+       }
+
        if (lp_server_schannel() != false) {
                srv_flgs |= NETLOGON_NEG_SCHANNEL;
        }
@@ -1138,9 +1142,17 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
        struct samr_UserInfo18 info18;
        DATA_BLOB in,out;
        int rc;
+       DATA_BLOB session_key;
 
        ZERO_STRUCT(user_handle);
 
+       status = session_extract_session_key(session_info,
+                                            &session_key,
+                                            KEY_USE_16BYTES);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+
        rc = tsocket_address_inet_from_strings(mem_ctx,
                                               "ip",
                                               "127.0.0.1",
@@ -1206,7 +1218,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
 
        in = data_blob_const(nt_hash->hash, 16);
        out = data_blob_talloc_zero(mem_ctx, 16);
-       sess_crypt_blob(&out, &in, &session_info->session_key, true);
+       sess_crypt_blob(&out, &in, &session_key, true);
        memcpy(info18.nt_pwd.hash, out.data, out.length);
 
        info18.nt_pwd_active = true;
@@ -1320,7 +1332,12 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
 
        memcpy(password_buf.data, r->in.new_password->data, 512);
        SIVAL(password_buf.data, 512, r->in.new_password->length);
-       netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+
+       if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+       } else {
+               netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+       }
 
        if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
                TALLOC_FREE(creds);
@@ -2381,7 +2398,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
 
 static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
                                            const DATA_BLOB *trustAuth_blob,
-                                           const DATA_BLOB *session_key,
+                                           struct netlogon_creds_CredentialState *creds,
                                            struct samr_Password *current_pw_enc,
                                            struct samr_Password *previous_pw_enc)
 {
@@ -2404,8 +2421,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       arcfour_crypt_blob(current_pw_enc->hash, sizeof(current_pw_enc->hash),
-                          session_key);
+       netlogon_creds_arcfour_crypt(creds, current_pw_enc->hash, sizeof(current_pw_enc->hash));
 
        if (trustAuth.previous.count != 0 &&
            trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
@@ -2415,8 +2431,8 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
        } else {
                mdfour(previous_pw_enc->hash, NULL, 0);
        }
-       arcfour_crypt_blob(previous_pw_enc->hash, sizeof(previous_pw_enc->hash),
-                          session_key);
+
+       netlogon_creds_arcfour_crypt(creds, previous_pw_enc->hash, sizeof(previous_pw_enc->hash));
 
        return NT_STATUS_OK;
 }
@@ -2438,7 +2454,6 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
        DATA_BLOB trustAuth_blob;
        struct samr_Password *new_owf_enc;
        struct samr_Password *old_owf_enc;
-       DATA_BLOB session_key;
        struct loadparm_context *lp_ctx;
 
        lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
@@ -2526,10 +2541,8 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
                        trustAuth_blob = td->trust_auth_outgoing;
                }
 
-               session_key.data = creds->session_key;
-               session_key.length = sizeof(creds->session_key);
                status = get_password_from_trustAuth(p->mem_ctx, &trustAuth_blob,
-                                                    &session_key,
+                                                    creds,
                                                     new_owf_enc, old_owf_enc);
 
                if (!NT_STATUS_IS_OK(status)) {
Kai's WIP code