s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
authorGünther Deschner <gd@samba.org>
Thu, 6 Dec 2012 14:21:02 +0000 (15:21 +0100)
committerStefan Metzmacher <metze@samba.org>
Sun, 9 Dec 2012 18:39:08 +0000 (19:39 +0100)
All crypto is dealt with within the netlogon samlogon server now.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/auth/check_samsec.c
source3/auth/proto.h
source3/auth/server_info.c
source3/rpc_server/netlogon/srv_netlog_nt.c
source3/torture/pdbtest.c

index 2d3cb65..7ed8cc2 100644 (file)
@@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge,
                goto done;
        }
 
-       status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+       status = serverinfo_to_SamInfo3(server_info, info3);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
                           nt_errstr(status)));
index 6c99672..76661fc 100644 (file)
@@ -276,16 +276,10 @@ struct netr_SamInfo6;
 
 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo2 *sam2);
 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo3 *sam3);
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo6 *sam6);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
                          struct samu *samu,
index 02bf689..3f4f708 100644 (file)
@@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo2 *sam2)
 {
        struct netr_SamInfo3 *info3;
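Review bot: The header comment that ends at the top of this hunk (its start is outside the hunk) no longer matches the contract: with the `pipe_session_key` parameters gone, `serverinfo_to_SamInfo2` now copies `server_info->session_key` and `lm_session_key` into `sam2->base` in the clear, and nothing in this file encrypts them any more. That is an easy trap for a future caller that puts the structure on the wire, so the comment should say so explicitly, e.g. `Session keys in the returned structure are plaintext; the caller (the netlogon samlogon server) applies the negotiated wire encryption.` The same sentence belongs on `serverinfo_to_SamInfo3` and `serverinfo_to_SamInfo6` below, whose signatures change identically.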
@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
                       server_info->session_key.data,
                       MIN(sizeof(info3->base.key.key),
                           server_info->session_key.length));
-               if (pipe_session_key) {
-                       arcfour_crypt(info3->base.key.key,
-                                     pipe_session_key, 16);
-               }
        }
        if (server_info->lm_session_key.length) {
                memcpy(info3->base.LMSessKey.key,
                       server_info->lm_session_key.data,
                       MIN(sizeof(info3->base.LMSessKey.key),
                           server_info->lm_session_key.length));
-               if (pipe_session_key) {
-                       arcfour_crypt(info3->base.LMSessKey.key,
-                                     pipe_session_key, 8);
-               }
        }
 
        sam2->base = info3->base;
@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo3 *sam3)
 {
        struct netr_SamInfo3 *info3;
@@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
                       server_info->session_key.data,
                       MIN(sizeof(info3->base.key.key),
                           server_info->session_key.length));
-               if (pipe_session_key) {
-                       arcfour_crypt(info3->base.key.key,
-                                     pipe_session_key, 16);
-               }
        }
        if (server_info->lm_session_key.length) {
                memcpy(info3->base.LMSessKey.key,
                       server_info->lm_session_key.data,
                       MIN(sizeof(info3->base.LMSessKey.key),
                           server_info->lm_session_key.length));
-               if (pipe_session_key) {
-                       arcfour_crypt(info3->base.LMSessKey.key,
-                                     pipe_session_key, 8);
-               }
        }
 
        sam3->base = info3->base;
@@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
-                               uint8_t *pipe_session_key,
-                               size_t pipe_session_key_len,
                                struct netr_SamInfo6 *sam6)
 {
        struct pdb_domain_info *dominfo;
index 4be2355..9b50655 100644 (file)
@@ -1466,6 +1466,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
        struct auth_serversupplied_info *server_info = NULL;
        struct auth_context *auth_context = NULL;
        const char *fn;
+       struct netr_SamBaseInfo *base;
 
        switch (p->opnum) {
                case NDR_NETR_LOGONSAMLOGON:
@@ -1690,22 +1691,45 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 
        switch (r->in.validation_level) {
        case 2:
-               status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16,
+               status = serverinfo_to_SamInfo2(server_info,
                                                r->out.validation->sam2);
+               base = &r->out.validation->sam2->base;
                break;
        case 3:
-               status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16,
+               status = serverinfo_to_SamInfo3(server_info,
                                                r->out.validation->sam3);
+               base = &r->out.validation->sam3->base;
                break;
        case 6:
-               status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16,
+               status = serverinfo_to_SamInfo6(server_info,
                                                r->out.validation->sam6);
+               base = &r->out.validation->sam6->base;
                break;
        }
 
        TALLOC_FREE(server_info);
 
-       return status;
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       if (r->in.validation_level == 6) {
+               /* no further crypto to be applied - gd */
+               return NT_STATUS_OK;
+       }
+
+       if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+               netlogon_creds_aes_encrypt(creds, base->key.key, 16);
+               netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8);
+       } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
+               netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
+       } else {
+               /* key is unencrypted when neither AES nor RC4 bits are set */
+               netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey);
+       }
+
+       return NT_STATUS_OK;
 }
 
 /****************************************************************
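Review bot: `base` (declared without an initializer in the earlier hunk at the top of this function) is assigned only in the `case 2/3/6` arms and the switch has no `default`, so for any other `validation_level` with an OK `status` the code reaches `base->key.key` in the AES/RC4 branches through an uninitialized pointer — unless the level is rejected earlier in the function, which is outside this hunk. A `default: return NT_STATUS_INVALID_INFO_CLASS;` arm (or `struct netr_SamBaseInfo *base = NULL;` plus a NULL check before the crypto) closes that regardless of what happens above. The level-6 early return also leaves `base->key.key` and `base->LMSessKey` unencrypted on the wire; as far as I recall MS-NRPC applies the same session-key encryption to validation levels 2, 3 and 6, so the `/* no further crypto to be applied */` exception should either cite the reason or go — please confirm against the spec. Note too that the old call sites RC4-encrypted unconditionally with `creds->session_key`, whereas the new code sends `key.key` in the clear when neither AES nor RC4 was negotiated; that matches the spec as I understand it, but it is a behavior change worth a line in the commit message.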
index d0d529e..17da455 100644 (file)
@@ -316,7 +316,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
                return False;
        }
 
-       status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth);
+       status = serverinfo_to_SamInfo3(server_info, info3_auth);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
                          nt_errstr(status)));