From 41f45d98f22a7bae8d29fb3828452324c6b88eef Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 20 Nov 2019 15:41:02 +0100
Subject: [PATCH 183/187] smbdes: convert des_crypt112 to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 254739137bdaebca31163f1683bfd7111dfefe67)
---
libcli/auth/credentials.c | 8 +++++++-
libcli/auth/proto.h | 3 ++-
libcli/auth/smbdes.c | 25 ++++++++++++++++++-------
libcli/auth/tests/test_gnutls.c | 7 +++++--
4 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 1b94a06ebfb..5f65428a1d7 100644
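--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -38,6 +38,8 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState
 struct netr_Credential *out)
 {
 NTSTATUS status;
+ int rc;
+
 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 memcpy(out->data, in->data, sizeof(out->data));
 
@@ -48,7 +50,11 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState
 return status;
 }
 } else {
- des_crypt112(out->data, in->data, creds->session_key, 1);
+ rc = des_crypt112(out->data, in->data, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
 }
 
 return NT_STATUS_OK;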
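Review bot: The new error return in the `else` branch of netlogon_creds_step_crypt carries no comment saying when the DES step can fail or why that default status was chosen. This branch is the one taken when NETLOGON_NEG_SUPPORTS_AES is not set, so it is the legacy DES step; presumably a failure means the crypto backend declined the cipher, which NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER hints at but does not state. I would add above the call: `/* Legacy DES step (AES not negotiated): fails if GnuTLS rejects the cipher; out->data must not be used on error. */`. The function body starts and ends outside the two hunks.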
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 5e88d7527fd..3994db20a36 100644
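--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -227,7 +227,8 @@ int E_P16(const uint8_t *p14,uint8_t *p16);
 int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
 int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
 int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt);
 void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
 int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
 enum samba_gnutls_direction encrypt);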
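Review bot: Changing des_crypt112 from `void` to `int` does not make the compiler flag a caller that still discards the result, and a caller that still passes a literal `1` or `0` as the last argument also compiles, because C converts an int to the enum silently. Only the call sites in credentials.c and the test are updated in this patch; any others are not visible here. I would annotate the prototype so ignored results warn, e.g. `__attribute__((warn_unused_result))` or the project's own macro for it if one exists, and confirm that no remaining call passes a bare integer direction. The neighbouring des_crypt112_16 keeps `void` and `int forw`, so the two siblings now take the direction in different types.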
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
index ec922da4727..8dc4fc4097c 100644
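--- a/libcli/auth/smbdes.c
+++ b/libcli/auth/smbdes.c
@@ -418,16 +418,27 @@ int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
 }
 
 /* des encryption with a 112 bit (14 byte) key */
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt)
 {
 uint8_t buf[8];
- if (forw) {
- des_crypt56(buf, in, key, forw);
- des_crypt56(out, buf, key+7, forw);
- } else {
- des_crypt56(buf, in, key+7, forw);
- des_crypt56(out, buf, key, forw);
+ int ret;
+
+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+ ret = des_crypt56_gnutls(buf, in, key, SAMBA_GNUTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out, buf, key+7, SAMBA_GNUTLS_ENCRYPT);
 }
+
+ ret = des_crypt56_gnutls(buf, in, key+7, SAMBA_GNUTLS_DECRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out, buf, key, SAMBA_GNUTLS_DECRYPT);
 }
 
 /* des encryption of a 16 byte lump of data with a 112 bit key */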
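Review bot: The comment above des_crypt112 still reads only "des encryption with a 112 bit (14 byte) key" and says nothing about the new return value or the state of `out` on failure. In the hunk the first stage writes only to `buf`, so a failure there returns with `out` untouched; I would state the contract: `/* Two-stage DES with a 14 byte key; returns 0 on success or the des_crypt56_gnutls() error, in which case out must not be used. */`. The intermediate `buf` is also left on the stack on every return path. In credentials.c it is derived from netlogon credential data, so clearing it before returning, with a call the compiler cannot elide, would be a cheap hardening step.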
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index 087afee09db..68a27adc894 100644
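--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -386,11 +386,14 @@ static void torture_gnutls_des_crypt112(void **state)
 
 uint8_t crypt[8];
 uint8_t decrypt[8];
+ int rc;
 
- des_crypt112(crypt, clear, key, 1);
+ rc = des_crypt112(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
 assert_memory_equal(crypt, crypt_expected, 8);
 
- des_crypt112(decrypt, crypt, key, 0);
+ rc = des_crypt112(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
 assert_memory_equal(decrypt, clear, 8);
 }
 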
--
2.23.0