From 645289216eeb718eab1201dd3ad0a50fdf85753c Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 5 Dec 2012 19:49:52 +0100
Subject: [PATCH] s3-rpc_server: support AES for interactive netlogon samlogon
 password decryption.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Still need to fix AES support for the returned validation info.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/auth/auth_util.c                    | 34 +--------------------------
 source3/auth/proto.h                        |  3 +--
 source3/rpc_server/netlogon/srv_netlog_nt.c | 36 +++++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 37 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 83c95a9d4d8..b75a390f361 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
 					 uint32 logon_parameters,
 					 const uchar chal[8], 
 					 const uchar lm_interactive_pwd[16], 
-					 const uchar nt_interactive_pwd[16], 
-					 const uchar *dc_sess_key)
+					 const uchar nt_interactive_pwd[16])
 {
 	struct samr_Password lm_pwd;
 	struct samr_Password nt_pwd;
 	unsigned char local_lm_response[24];
 	unsigned char local_nt_response[24];
-	unsigned char key[16];
-
-	memcpy(key, dc_sess_key, 16);
 
 	if (lm_interactive_pwd)
 		memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
@@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
 	if (nt_interactive_pwd)
 		memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
 
-#ifdef DEBUG_PASSWORD
-	DEBUG(100,("key:"));
-	dump_data(100, key, sizeof(key));
-
-	DEBUG(100,("lm owf password:"));
-	dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
-
-	DEBUG(100,("nt owf password:"));
-	dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
-#endif
-
-	if (lm_interactive_pwd)
-		arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
-
-	if (nt_interactive_pwd)
-		arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100,("decrypt of lm owf password:"));
-	dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
-
-	DEBUG(100,("decrypt of nt owf password:"));
-	dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
-#endif
-
 	if (lm_interactive_pwd)
 		SMBOWFencrypt(lm_pwd.hash, chal,
 			      local_lm_response);
@@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
 		SMBOWFencrypt(nt_pwd.hash, chal,
 			      local_nt_response);
 
-	/* Password info paranoia */
-	ZERO_STRUCT(key);
-
 	{
 		bool ret;
 		NTSTATUS nt_status;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 98b48df9983..6c9967227e1 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
 					 uint32 logon_parameters,
 					 const uchar chal[8],
 					 const uchar lm_interactive_pwd[16],
-					 const uchar nt_interactive_pwd[16],
-					 const uchar *dc_sess_key);
+					 const uchar nt_interactive_pwd[16]);
 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
 			      const char *smb_name,
 			      const char *client_domain,
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 16542f8306b..cb932b473ab 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1596,6 +1596,39 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	{
 		uint8_t chal[8];
 
+#ifdef DEBUG_PASSWORD
+		DEBUG(100,("lm owf password:"));
+		dump_data(100, logon->password->lmpassword.hash, 16);
+
+		DEBUG(100,("nt owf password:"));
+		dump_data(100, logon->password->ntpassword.hash, 16);
+#endif
+		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			netlogon_creds_aes_decrypt(creds,
+						   logon->password->lmpassword.hash,
+						   16);
+			netlogon_creds_aes_decrypt(creds,
+						   logon->password->ntpassword.hash,
+						   16);
+		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+			netlogon_creds_arcfour_crypt(creds,
+						     logon->password->lmpassword.hash,
+						     16);
+			netlogon_creds_arcfour_crypt(creds,
+						     logon->password->ntpassword.hash,
+						     16);
+		} else {
+			netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
+			netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
+		}
+
+#ifdef DEBUG_PASSWORD
+		DEBUG(100,("decrypt of lm owf password:"));
+		dump_data(100, logon->password->lmpassword.hash, 16);
+
+		DEBUG(100,("decrypt of nt owf password:"));
+		dump_data(100, logon->password->ntpassword.hash, 16);
+#endif
 		status = make_auth_context_subsystem(talloc_tos(),
 						     &auth_context);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -1611,8 +1644,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 							 logon->password->identity_info.parameter_control,
 							 chal,
 							 logon->password->lmpassword.hash,
-							 logon->password->ntpassword.hash,
-							 creds->session_key)) {
+							 logon->password->ntpassword.hash)) {
 			status = NT_STATUS_NO_MEMORY;
 		}
 		break;
-- 
2.11.4.GIT