From 89693b474a37c393ceb47afd668e8a96282a98b0 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Mon, 18 Nov 2019 10:28:59 +0100

Subject: [PATCH 158/187] s3:winbind: Replace E_md5hash() with GnuTLS calls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit 4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6)

---

 source3/winbindd/winbindd_pam.c | 23 ++++++++++++++++++++++-

 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index c5b7c09b5c1..8946dd70f99 100644

--- a/source3/winbindd/winbindd_pam.c

+++ b/source3/winbindd/winbindd_pam.c

@@ -48,6 +48,9 @@

 #include "param/param.h"

 #include "messaging/messaging.h"

+#include "lib/crypto/gnutls_helpers.h"

+#include <gnutls/crypto.h>

+

 #undef DBGC_CLASS

 #define DBGC_CLASS DBGC_WINBIND

@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,

 		/* In this case we didn't store the nt_hash itself,

 		   but the MD5 combination of salt + nt_hash. */

 		uchar salted_hash[NT_HASH_LEN];

-		E_md5hash(cached_salt, new_nt_pass, salted_hash);

+		gnutls_hash_hd_t hash_hnd = NULL;

+		int rc;

+

+		rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);

+		if (rc < 0) {

+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);

+		}

+

+		rc = gnutls_hash(hash_hnd, cached_salt, 16);

+		if (rc < 0) {

+			gnutls_hash_deinit(hash_hnd, NULL);

+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);

+		}

+		rc = gnutls_hash(hash_hnd, new_nt_pass, 16);

+		if (rc < 0) {

+			gnutls_hash_deinit(hash_hnd, NULL);

+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);

+		}

+		gnutls_hash_deinit(hash_hnd, salted_hash);

 		password_good = (memcmp(cached_nt_pass, salted_hash,

 					NT_HASH_LEN) == 0);

-- 

2.23.0