libcli/auth: add netlogon_creds_encrypt_samlogon_validation().
authorGünther Deschner <gd@samba.org>
Fri, 14 Dec 2012 13:18:40 +0000 (14:18 +0100)
committerGünther Deschner <gd@samba.org>
Sat, 15 Dec 2012 20:50:36 +0000 (21:50 +0100)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/credentials.c
libcli/auth/proto.h

index d5bf1a63873c1a5085943a1b9780926549a09cd1..9d3df9f523e99534505b4968e63669a8521325a0 100644 (file)
@@ -485,9 +485,10 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
        }
 }
 
-void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
-                                               uint16_t validation_level,
-                                               union netr_Validation *validation)
+static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+                                                    uint16_t validation_level,
+                                                    union netr_Validation *validation,
+                                                    bool encrypt)
 {
        static const char zeros[16];
 
@@ -524,16 +525,29 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
                /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
                if (memcmp(base->key.key, zeros,
                           sizeof(base->key.key)) != 0) {
-                       netlogon_creds_aes_decrypt(creds,
+                       if (encrypt) {
+                               netlogon_creds_aes_encrypt(creds,
+                                           base->key.key,
+                                           sizeof(base->key.key));
+                       } else {
+                               netlogon_creds_aes_decrypt(creds,
                                            base->key.key,
                                            sizeof(base->key.key));
+                       }
                }
 
                if (memcmp(base->LMSessKey.key, zeros,
                           sizeof(base->LMSessKey.key)) != 0) {
-                       netlogon_creds_aes_decrypt(creds,
+                       if (encrypt) {
+                               netlogon_creds_aes_encrypt(creds,
                                            base->LMSessKey.key,
                                            sizeof(base->LMSessKey.key));
+
+                       } else {
+                               netlogon_creds_aes_decrypt(creds,
+                                           base->LMSessKey.key,
+                                           sizeof(base->LMSessKey.key));
+                       }
                }
        } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
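Review bot: The `if (encrypt) … else …` branch is repeated for each key in this block, and the copies have already drifted. The LMSessKey encrypt arm has a stray blank line before `} else {`, and the continuation arguments under the re-indented `netlogon_creds_aes_decrypt(creds,` call for `base->key.key` keep their old alignment. Choosing the direction once near the top of the function, for example a local function pointer set from `encrypt`, would leave a single call inside each zero-key guard and keep the guard and the call visibly paired. The function starts before and ends after this hunk, so the same pattern may apply to branches not shown here.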
@@ -554,12 +568,33 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
                /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
                if (memcmp(base->LMSessKey.key, zeros,
                           sizeof(base->LMSessKey.key)) != 0) {
-                       netlogon_creds_des_decrypt_LMKey(creds,
+                       if (encrypt) {
+                               netlogon_creds_des_encrypt_LMKey(creds,
                                                &base->LMSessKey);
+                       } else {
+                               netlogon_creds_des_decrypt_LMKey(creds,
+                                               &base->LMSessKey);
+                       }
                }
        }
 }
 
+void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+                                               uint16_t validation_level,
+                                               union netr_Validation *validation)
+{
+       return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+                                                       validation, false);
+}
+
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+                                               uint16_t validation_level,
+                                               union netr_Validation *validation)
+{
+       return netlogon_creds_crypt_samlogon_validation(creds, validation_level,
+                                                       validation, true);
+}
+
 /*
   copy a netlogon_creds_CredentialState struct
 */
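Review bot: Both new wrappers use `return netlogon_creds_crypt_samlogon_validation(...)` inside functions declared `void`. ISO C does not allow a return statement with an expression in a void function; GCC accepts it as an extension but reports it under `-pedantic`, and stricter compilers may reject it. Calling the helper as a plain statement, `netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, true);` (and `false` in the decrypt wrapper), keeps the behaviour unchanged. Since the encrypt entry point is new public API, a short comment above it saying that the keys are crypted in place and that all-zero keys are deliberately left untouched would help callers on the sending side.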
index 15900d470b6270bd13f7cd2f7f79fd127418643d..89a732e0525c1fe658882b6891fcf4c344f83cef 100644 (file)
@@ -60,6 +60,9 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                uint16_t validation_level,
                                                union netr_Validation *validation);
+void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+                                               uint16_t validation_level,
+                                               union netr_Validation *validation);
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  */