|
|
1524bc |
From a156d18abb509a48c45525da2f4e4db9cfdd1f30 Mon Sep 17 00:00:00 2001
|
|
|
1524bc |
From: Andreas Schneider <asn@samba.org>
|
|
|
1524bc |
Date: Mon, 18 Mar 2019 16:24:54 +0100
|
|
|
1524bc |
Subject: [PATCH 101/187] auth:gensec: Use GnuTLS AES CFB8 in netsec_do_seal()
|
|
|
1524bc |
|
|
|
1524bc |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
1524bc |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
1524bc |
(cherry picked from commit 025f6a135f930264ddcf1cd1b9e1004464618194)
|
|
|
1524bc |
---
|
|
|
1524bc |
auth/gensec/schannel.c | 95 +++++++++++++++++++++++++++++++++++++++++-
|
|
|
1524bc |
1 file changed, 94 insertions(+), 1 deletion(-)
|
|
|
1524bc |
|
|
|
1524bc |
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
|
|
|
1524bc |
index 2a36d0cfa7d..20b0a74e37f 100644
|
|
|
1524bc |
--- a/auth/gensec/schannel.c
|
|
|
1524bc |
+++ b/auth/gensec/schannel.c
|
|
|
1524bc |
@@ -33,9 +33,12 @@
|
|
|
1524bc |
#include "librpc/gen_ndr/dcerpc.h"
|
|
|
1524bc |
#include "param/param.h"
|
|
|
1524bc |
#include "auth/gensec/gensec_toplevel_proto.h"
|
|
|
1524bc |
-#include "lib/crypto/aes.h"
|
|
|
1524bc |
#include "libds/common/roles.h"
|
|
|
1524bc |
|
|
|
1524bc |
+#ifndef HAVE_GNUTLS_AES_CFB8
|
|
|
1524bc |
+#include "lib/crypto/aes.h"
|
|
|
1524bc |
+#endif
|
|
|
1524bc |
+
|
|
|
1524bc |
#include "lib/crypto/gnutls_helpers.h"
|
|
|
1524bc |
#include <gnutls/gnutls.h>
|
|
|
1524bc |
#include <gnutls/crypto.h>
|
|
|
1524bc |
@@ -258,6 +261,95 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
|
|
|
1524bc |
bool forward)
|
|
|
1524bc |
{
|
|
|
1524bc |
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
|
1524bc |
+#ifdef HAVE_GNUTLS_AES_CFB8
|
|
|
1524bc |
+ gnutls_cipher_hd_t cipher_hnd = NULL;
|
|
|
1524bc |
+ uint8_t sess_kf0[16] = {0};
|
|
|
1524bc |
+ gnutls_datum_t key = {
|
|
|
1524bc |
+ .data = sess_kf0,
|
|
|
1524bc |
+ .size = sizeof(sess_kf0),
|
|
|
1524bc |
+ };
|
|
|
1524bc |
+ uint32_t iv_size =
|
|
|
1524bc |
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
|
|
|
1524bc |
+ uint8_t _iv[iv_size];
|
|
|
1524bc |
+ gnutls_datum_t iv = {
|
|
|
1524bc |
+ .data = _iv,
|
|
|
1524bc |
+ .size = iv_size,
|
|
|
1524bc |
+ };
|
|
|
1524bc |
+ uint32_t i;
|
|
|
1524bc |
+ int rc;
|
|
|
1524bc |
+
|
|
|
1524bc |
+ for (i = 0; i < key.size; i++) {
|
|
|
1524bc |
+ key.data[i] = state->creds->session_key[i] ^ 0xf0;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+
|
|
|
1524bc |
+ ZERO_ARRAY(_iv);
|
|
|
1524bc |
+
|
|
|
1524bc |
+ memcpy(iv.data + 0, seq_num, 8);
|
|
|
1524bc |
+ memcpy(iv.data + 8, seq_num, 8);
|
|
|
1524bc |
+
|
|
|
1524bc |
+ rc = gnutls_cipher_init(&cipher_hnd,
|
|
|
1524bc |
+ GNUTLS_CIPHER_AES_128_CFB8,
|
|
|
1524bc |
+ &key,
|
|
|
1524bc |
+ &iv;;
|
|
|
1524bc |
+ if (rc < 0) {
|
|
|
1524bc |
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(rc));
|
|
|
1524bc |
+ return NT_STATUS_NO_MEMORY;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+
|
|
|
1524bc |
+ if (forward) {
|
|
|
1524bc |
+ rc = gnutls_cipher_encrypt(cipher_hnd,
|
|
|
1524bc |
+ confounder,
|
|
|
1524bc |
+ 8);
|
|
|
1524bc |
+ if (rc < 0) {
|
|
|
1524bc |
+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(errno));
|
|
|
1524bc |
+ gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
+ return NT_STATUS_INTERNAL_ERROR;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * Looks like we have to reuse the initial IV which is
|
|
|
1524bc |
+ * cryptographically wrong!
|
|
|
1524bc |
+ */
|
|
|
1524bc |
+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);
|
|
|
1524bc |
+ rc = gnutls_cipher_encrypt(cipher_hnd,
|
|
|
1524bc |
+ data,
|
|
|
1524bc |
+ length);
|
|
|
1524bc |
+ if (rc < 0) {
|
|
|
1524bc |
+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(errno));
|
|
|
1524bc |
+ gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
+ return NT_STATUS_INTERNAL_ERROR;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ } else {
|
|
|
1524bc |
+ rc = gnutls_cipher_decrypt(cipher_hnd,
|
|
|
1524bc |
+ confounder,
|
|
|
1524bc |
+ 8);
|
|
|
1524bc |
+ if (rc < 0) {
|
|
|
1524bc |
+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(errno));
|
|
|
1524bc |
+ gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
+ return NT_STATUS_INTERNAL_ERROR;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * Looks like we have to reuse the initial IV which is
|
|
|
1524bc |
+ * cryptographically wrong!
|
|
|
1524bc |
+ */
|
|
|
1524bc |
+ gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);
|
|
|
1524bc |
+ rc = gnutls_cipher_decrypt(cipher_hnd,
|
|
|
1524bc |
+ data,
|
|
|
1524bc |
+ length);
|
|
|
1524bc |
+ if (rc < 0) {
|
|
|
1524bc |
+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(errno));
|
|
|
1524bc |
+ gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
+ return NT_STATUS_INTERNAL_ERROR;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
|
|
|
1524bc |
AES_KEY key;
|
|
|
1524bc |
uint8_t iv[AES_BLOCK_SIZE];
|
|
|
1524bc |
uint8_t sess_kf0[16];
|
|
|
1524bc |
@@ -279,6 +371,7 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
|
|
|
1524bc |
aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
|
|
|
1524bc |
aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
|
|
|
1524bc |
}
|
|
|
1524bc |
+#endif /* HAVE_GNUTLS_AES_CFB8 */
|
|
|
1524bc |
} else {
|
|
|
1524bc |
gnutls_cipher_hd_t cipher_hnd;
|
|
|
1524bc |
uint8_t _sealing_key[16];
|
|
|
1524bc |
--
|
|
|
1524bc |
2.23.0
|
|
|
1524bc |
|