From ba5c00d4fc0acff3592d32729d6948f129b14ce9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 15 Dec 2011 17:50:33 +0100 Subject: [PATCH 1/3] samba: check for AES encryption type defines. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Autobuild-User: Günther Deschner Autobuild-Date: Tue Jan 10 15:05:38 CET 2012 on sn-devel-104 --- source3/configure.in | 21 +++++++++++++++++++++ source3/wscript | 2 ++ 2 files changed, 23 insertions(+) diff --git a/source3/configure.in b/source3/configure.in index 014d844..2018a6e 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -4156,6 +4156,27 @@ if test x"$with_ads_support" != x"no"; then found_arcfour_hmac=yes fi + AC_CACHE_CHECK([for ENCTYPE_AES128_CTS_HMAC_SHA1_96], + samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,[ + AC_TRY_COMPILE([#include ], + [krb5_enctype enctype; enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;], + samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=yes, + samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=no)]) + if test x"$samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96" = x"yes"; then + AC_DEFINE(HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,1, + [Whether the ENCTYPE_AES128_CTS_HMAC_SHA1_96 key type definition is available]) + fi + AC_CACHE_CHECK([for ENCTYPE_AES256_CTS_HMAC_SHA1_96], + samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,[ + AC_TRY_COMPILE([#include ], + [krb5_enctype enctype; enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;], + samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=yes, + samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=no)]) + if test x"$samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96" = x"yes"; then + AC_DEFINE(HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,1, + [Whether the ENCTYPE_AES256_CTS_HMAC_SHA1_96 key type definition is available]) + fi + AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY], samba_cv_HAVE_AP_OPTS_USE_SUBKEY,[ AC_TRY_COMPILE([#include ], diff --git a/source3/wscript b/source3/wscript index 1ea3559..b40848d 100644 
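Review bot: A `no` result from either new AC_CACHE_CHECK in the configure.in hunk leaves the matching HAVE_ENCTYPE_AES*_CTS_HMAC_SHA1_96 define unset, and the only trace is the `checking for … no` line in the configure output. Later code in this series compiles the AES entries out under `#ifdef`, so a build against older krb5 headers would quietly handle only RC4 and DES tickets. An else branch on each `if test`, such as `AC_MSG_WARN([krb5 headers lack AES enctype definitions, AES Kerberos tickets will not be decrypted])`, would make that visible to whoever packages the build. The two stanzas differ only in the key size, so a small shell loop or a local macro would also keep them from drifting apart.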
--- a/source3/wscript +++ b/source3/wscript @@ -661,6 +661,8 @@ krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''', conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h') conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h') conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h') + conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h') + conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h') conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key', headers='krb5.h', define='HAVE_KRB5_KEYTAB_ENTRY_KEY') conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'keyblock', headers='krb5.h', -- 1.7.11.7 From 045870519562c3734eec3c925a0c7c83abe82a5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 13 Nov 2012 15:11:08 +0100 Subject: [PATCH 2/3] s3-libsmb: make sure we copy at most 16 bytes in cli_set_session_key(). Guenther --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f03219b..8653ba7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -94,7 +94,9 @@ static NTSTATUS smb_bytes_talloc_string(struct cli_state *cli, static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) { - cli->user_session_key = data_blob(session_key.data, session_key.length); + cli->user_session_key = data_blob(NULL, 16); + data_blob_clear(&cli->user_session_key); + memcpy(cli->user_session_key.data, session_key.data, MIN(session_key.length, 16)); } /**************************************************************************** -- 1.7.11.7 From cfd614014b6ca7c5c7cd99cb4f872ea7d46950e4 Mon Sep 17 00:00:00 2001 
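Review bot: In cli_set_session_key the result of `data_blob(NULL, 16)` is not checked before the `memcpy`, so a failed allocation would become a write through a NULL `data` pointer. Adding `if (cli->user_session_key.data == NULL) { return; }` after the allocation avoids that; the function returns void, so the caller cannot be told, which deserves a comment. The literal 16 appears twice, silently truncating longer keys and zero-padding shorter ones, so a named constant and a one-line comment that the stored key is always exactly 16 bytes would show this is intended. The assignment also overwrites any blob already held in `cli->user_session_key` without wiping or freeing it, as the removed line did. If this function can run more than once per connection, calling `data_blob_clear_free(&cli->user_session_key);` first would avoid leaving old key bytes on the heap.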
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 13 Nov 2012 16:23:52 +0100 Subject: [PATCH 3/3] s3-kerberos: also try with AES keys, when decrypting tickets. Guenther --- source3/libads/kerberos_verify.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index d4c68cd..df1503d 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -345,6 +345,12 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context, krb5_data passwords[2]; krb5_enctype enctypes[] = { ENCTYPE_ARCFOUR_HMAC, +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + ENCTYPE_AES256_CTS_HMAC_SHA1_96, +#endif +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +#endif ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL -- 1.7.11.7
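Review bot: The AES entries are inserted after `ENCTYPE_ARCFOUR_HMAC`, so RC4 is still listed ahead of AES and the array is not ordered strongest-first. Moving the two `#ifdef` blocks ahead of `ENCTYPE_ARCFOUR_HMAC` would make the preference explicit. How much the order matters depends on the loop over `enctypes[]`, which is outside this hunk, as are the start and end of ads_secrets_verify_ticket. A comment above the array, such as `/* AES entries exist only when the build found the enctype definitions in the krb5 headers */`, would tell a reader why a given binary may accept only RC4 and DES tickets.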