4.1.10.5.11 EncryptValuesIfNecessary

  • 项目 
 procedure EncryptValuesIfNecessary(
   hDrs: DRS_HANDLE,
   var attr: ATTR) : ULONG

Informative summary of behavior: The EncryptValuesIfNecessary procedure encrypts the values of attributes that contain secret data. It performs the encryption by using an MD5 digest (as specified in [RFC1321]), a CRC32 checksum (as specified in [ISO/IEC 13239]), and an RC4 stream cipher (as specified in [SCHNEIER] section 17.1). This encryption is in addition to the encryption that is provided by RPC privacy.

  
 sessionKey: sequence of BYTE
 i: integer
 salt: sequence of BYTE
 md5Context: MD5_CTX
 crc: ULONG
 pPayload: ADDRESS OF ENCRYPTED_PAYLOAD
  
  
 if not IsSecretAttribute(attr.attrTyp) then
   /* No additional encryption necessary. */
   return 0
 endif
  
 if not DRS_EXT_STRONG_ENCRYPTION in ClientExtensions(hDrs).dwFlags then
   return SEC_E_ALGORITHM_MISMATCH
 endif
  
  
  
 /* Get session key associated with the RPC connection. */
 sessionKey := session key associated with security context of hDrs,
   as specified by [MS-RPCE] section 3.3.1.5.2, "Building and Using a
   Security Context", and [MS-KILE] section 3.1.1.2, "Cryptographic
   Material"
  
  
 /* Encrypt each value of this attribute. */
 for i := 0 to attr.AttrVal.valCount - 1
   salt := randomly generated 128-bit number
  
  
   /* Calculate checksum of the clear value. */
   crc := CRC32 [ISO/IEC 13239] of the attr.AttrVal.pAVal[i].valLen
       bytes starting at attr.AttrVal.pAVal[i].pVal
  
  
   /* Compute encryption key. */
   MD5Init(md5Context)
   MD5Update(md5context, sessionKey, sessionKey.length)
   MD5Update(md5context, salt, 16)
   MD5Final(md5Context)
  
  
   /* Construct payload, encrypting its contents with the exception of
    * the Salt field. */
   pPayload := New ENCRYPTED_PAYLOAD, sized to hold
       attr.AttrVal.pAVal[i].valLen bytes in the EncryptedData field
   pPayload^.Salt := salt
   pPayload^.Checksum := crc
   Copy attr.AttrVal.pAVal[i].valLen bytes from
       attr.AttrVal.pAVal[i].pVal to pPayload^.EncryptedData
   Encrypt attr.AttrVal.pAVal[i].valLen + 4 bytes starting at the
       address of pPayload^.Checksum using the RC4 stream cipher
       algorithm with encryption key md5Context.digest
  
  
   /* Replace the clear value with the encrypted value. */
   attr.AttrVal.pAVal[i].pVal := pPayload
   attr.AttrVal.pAVal[i].valLen := attr.AttrVal.pAVal[i].valLen + 20
 endfor
  
 return 0