From 780006db9de7a55030ba07fc5236c85bee7b4961 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 23 Dec 2011 15:20:26 +0100
Subject: [PATCH] s4:librpc/rpc: add DCERPC_SCHANNEL_AES support
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

metze

Signed-off-by: Günther Deschner <gd@samba.org>
---
 librpc/rpc/rpc_common.h              |  3 +++
 source4/librpc/rpc/dcerpc_schannel.c | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index a28835fa634..e2b37550e1f 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -110,6 +110,9 @@ struct dcerpc_binding {
 /* handle upgrades or downgrades automatically */
 #define DCERPC_SCHANNEL_AUTO           (1<<23)
 
+/* use aes schannel with hmac-sh256 session key */
+#define DCERPC_SCHANNEL_AES            (1<<24)
+
 /* The following definitions come from ../librpc/rpc/dcerpc_error.c  */
 
 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 3a3dec068b7..f3e52585ae1 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -243,7 +243,13 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 		}
 		s->dcerpc_schannel_auto = false;
 
-		if (lf & NETLOGON_NEG_STRONG_KEYS) {
+		if (lf & NETLOGON_NEG_SUPPORTS_AES)  {
+			ln = "aes";
+			if (rf & NETLOGON_NEG_SUPPORTS_AES) {
+				composite_error(c, s->a.out.result);
+				return;
+			}
+		} else if (lf & NETLOGON_NEG_STRONG_KEYS) {
 			ln = "strong";
 			if (rf & NETLOGON_NEG_STRONG_KEYS) {
 				composite_error(c, s->a.out.result);
@@ -253,7 +259,9 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 			ln = "des";
 		}
 
-		if (rf & NETLOGON_NEG_STRONG_KEYS) {
+		if (rf & NETLOGON_NEG_SUPPORTS_AES)  {
+			rn = "aes";
+		} else if (rf & NETLOGON_NEG_STRONG_KEYS) {
 			rn = "strong";
 		} else {
 			rn = "des";
@@ -324,8 +332,13 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 	if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 		s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	}
+	if (s->pipe->conn->flags & DCERPC_SCHANNEL_AES) {
+		s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+		s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
+	}
 	if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
 		s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+		s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
 		s->dcerpc_schannel_auto = true;
 	}
 
-- 
2.11.4.GIT