From f2d9589b178c0e3374e1c1ad363639b9e2bdce5f Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 6 Dec 2012 15:21:02 +0100
Subject: [PATCH] s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

All crypto is dealt with within the netlogon samlogon server now.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/auth/check_samsec.c                 |  2 +-
 source3/auth/proto.h                        |  6 ------
 source3/auth/server_info.c                  | 22 --------------------
 source3/rpc_server/netlogon/srv_netlog_nt.c | 32 +++++++++++++++++++++++++----
 source3/torture/pdbtest.c                   |  2 +-
 5 files changed, 30 insertions(+), 34 deletions(-)

diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 2d3cb657859..7ed8cc2341d 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge,
 		goto done;
 	}
 
-	status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+	status = serverinfo_to_SamInfo3(server_info, info3);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
 			   nt_errstr(status)));
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 6c9967227e1..76661fc833a 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -276,16 +276,10 @@ struct netr_SamInfo6;
 
 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo2 *sam2);
 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo3 *sam3);
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo6 *sam6);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			  struct samu *samu,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 02bf689b2c2..3f4f7081b8c 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo2 *sam2)
 {
 	struct netr_SamInfo3 *info3;
@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
 		       server_info->session_key.data,
 		       MIN(sizeof(info3->base.key.key),
 			   server_info->session_key.length));
-		if (pipe_session_key) {
-			arcfour_crypt(info3->base.key.key,
-				      pipe_session_key, 16);
-		}
 	}
 	if (server_info->lm_session_key.length) {
 		memcpy(info3->base.LMSessKey.key,
 		       server_info->lm_session_key.data,
 		       MIN(sizeof(info3->base.LMSessKey.key),
 			   server_info->lm_session_key.length));
-		if (pipe_session_key) {
-			arcfour_crypt(info3->base.LMSessKey.key,
-				      pipe_session_key, 8);
-		}
 	}
 
 	sam2->base = info3->base;
@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo3 *sam3)
 {
 	struct netr_SamInfo3 *info3;
@@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
 		       server_info->session_key.data,
 		       MIN(sizeof(info3->base.key.key),
 			   server_info->session_key.length));
-		if (pipe_session_key) {
-			arcfour_crypt(info3->base.key.key,
-				      pipe_session_key, 16);
-		}
 	}
 	if (server_info->lm_session_key.length) {
 		memcpy(info3->base.LMSessKey.key,
 		       server_info->lm_session_key.data,
 		       MIN(sizeof(info3->base.LMSessKey.key),
 			   server_info->lm_session_key.length));
-		if (pipe_session_key) {
-			arcfour_crypt(info3->base.LMSessKey.key,
-				      pipe_session_key, 8);
-		}
 	}
 
 	sam3->base = info3->base;
@@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
 *****************************************************************************/
 
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
-				uint8_t *pipe_session_key,
-				size_t pipe_session_key_len,
 				struct netr_SamInfo6 *sam6)
 {
 	struct pdb_domain_info *dominfo;
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4be2355bb80..9b506552fbb 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1466,6 +1466,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	struct auth_serversupplied_info *server_info = NULL;
 	struct auth_context *auth_context = NULL;
 	const char *fn;
+	struct netr_SamBaseInfo *base;
 
 	switch (p->opnum) {
 		case NDR_NETR_LOGONSAMLOGON:
@@ -1690,22 +1691,45 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 
 	switch (r->in.validation_level) {
 	case 2:
-		status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16,
+		status = serverinfo_to_SamInfo2(server_info,
 						r->out.validation->sam2);
+		base = &r->out.validation->sam2->base;
 		break;
 	case 3:
-		status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16,
+		status = serverinfo_to_SamInfo3(server_info,
 						r->out.validation->sam3);
+		base = &r->out.validation->sam3->base;
 		break;
 	case 6:
-		status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16,
+		status = serverinfo_to_SamInfo6(server_info,
 						r->out.validation->sam6);
+		base = &r->out.validation->sam6->base;
 		break;
 	}
 
 	TALLOC_FREE(server_info);
 
-	return status;
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	if (r->in.validation_level == 6) {
+		/* no further crypto to be applied - gd */
+		return NT_STATUS_OK;
+	}
+
+	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		netlogon_creds_aes_encrypt(creds, base->key.key, 16);
+		netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8);
+	} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+		netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
+		netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
+	} else {
+		/* key is unencrypted when neither AES nor RC4 bits are set */
+		netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey);
+	}
+
+	return NT_STATUS_OK;
 }
 
 /****************************************************************
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index d0d529e9223..17da4552564 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -316,7 +316,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 		return False;
 	}
 
-	status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth);
+	status = serverinfo_to_SamInfo3(server_info, info3_auth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
 			  nt_errstr(status)));
-- 
2.11.4.GIT