-rw-r--r--librpc/rpc/rpc_common.h3
-rw-r--r--source4/librpc/rpc/dcerpc_schannel.c17
2 files changed, 18 insertions, 2 deletions
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index a28835fa63..e2b37550e1 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -110,6 +110,9 @@ struct dcerpc_binding {
/* handle upgrades or downgrades automatically */
#define DCERPC_SCHANNEL_AUTO (1<<23)
+/* use aes schannel with hmac-sh256 session key */
+#define DCERPC_SCHANNEL_AES (1<<24)
+
/* The following definitions come from ../librpc/rpc/dcerpc_error.c */
const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
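Review bot: The comment on the new DCERPC_SCHANNEL_AES define has a typo ("hmac-sh256") and does not say how the flag relates to the neighbouring DCERPC_SCHANNEL_AUTO bit; suggest `/* use AES schannel with an HMAC-SHA256 session key (explicit, no automatic downgrade; see DCERPC_SCHANNEL_AUTO) */`. The "no automatic downgrade" wording follows from the dcerpc_schannel.c hunk in this commit, where the AES branch does not set dcerpc_schannel_auto; if that is not the intended contract, drop that clause. The value (1<<24) continues the sequence after (1<<23), so no bit collision is visible here.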
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 3a3dec068b..f3e52585ae 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -243,7 +243,13 @@ static void continue_srv_auth2(struct tevent_req *subreq)
}
s->dcerpc_schannel_auto = false;
- if (lf & NETLOGON_NEG_STRONG_KEYS) {
+ if (lf & NETLOGON_NEG_SUPPORTS_AES) {
+ ln = "aes";
+ if (rf & NETLOGON_NEG_SUPPORTS_AES) {
+ composite_error(c, s->a.out.result);
+ return;
+ }
+ } else if (lf & NETLOGON_NEG_STRONG_KEYS) {
ln = "strong";
if (rf & NETLOGON_NEG_STRONG_KEYS) {
composite_error(c, s->a.out.result);
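Review bot: The new AES branch copies the "same level on both sides means the failure is not a negotiation mismatch" test from the strong-keys branch, so continue_srv_auth2 now carries two identical `composite_error(c, s->a.out.result); return;` blocks, and the remote-side classification is repeated again in the hunk at @@ -253,7 +259,9 @@. Computing `ln` and `rn` first and then checking once with `if (strcmp(ln, rn) == 0) { composite_error(c, s->a.out.result); return; }` would remove the duplication and keep the two ladders from drifting when the next level is added; this assumes a des/des failure should also be reported rather than retried, which the hunk does not show, so confirm against the code below. Since `rf` is the remote's negotiate flags, a one-line comment above the ladder such as `/* rf comes from the peer; only downgrade when it did not advertise the level we asked for */` would make the downgrade condition explicit to readers. The body of continue_srv_auth2 starts and ends outside the hunk.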
@@ -253,7 +259,9 @@ static void continue_srv_auth2(struct tevent_req *subreq)
ln = "des";
}
- if (rf & NETLOGON_NEG_STRONG_KEYS) {
+ if (rf & NETLOGON_NEG_SUPPORTS_AES) {
+ rn = "aes";
+ } else if (rf & NETLOGON_NEG_STRONG_KEYS) {
rn = "strong";
} else {
rn = "des";
@@ -324,8 +332,13 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
}
+ if (s->pipe->conn->flags & DCERPC_SCHANNEL_AES) {
+ s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
+ }
if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
s->dcerpc_schannel_auto = true;
}
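Review bot: The explicit DCERPC_SCHANNEL_AES block deliberately leaves s->dcerpc_schannel_auto unset while the DCERPC_SCHANNEL_AUTO block right below sets it, but nothing at the new lines records that this is the distinction between "require AES" and "try AES, fall back"; add `/* explicit AES: no fallback to strong/des if the peer lacks NETLOGON_NEG_SUPPORTS_AES */` above the block. The four flag blocks are independent `if`s assigning `=` in turn, so when a caller sets both DCERPC_SCHANNEL_AES and DCERPC_SCHANNEL_AUTO the AUTO block silently wins and fallback is re-enabled; if that is not intended, an `else if` chain or a comment stating the precedence would pin it down. dcerpc_schannel_key_send starts and ends outside the hunk, so any earlier assignment to s->local_negotiate_flags is not visible here.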