From 3f2ab4815d9ddf6a6d4a6d8904f528f05d1802cf Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Thu, 21 Nov 2019 14:02:03 +0100

Subject: [PATCH 185/187] session: convert sess_crypt_blob to use gnutls

Signed-off-by: Isaac Boukris <iboukris@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1)

---

 libcli/auth/proto.h                         |  4 +-

 libcli/auth/session.c                       | 42 ++++++++++++++++-----

 libcli/auth/tests/test_gnutls.c             |  7 +++-

 source3/rpc_server/netlogon/srv_netlog_nt.c |  7 +++-

 source3/rpc_server/samr/srv_samr_nt.c       | 27 +++++++++++--

 source3/rpcclient/cmd_samr.c                | 25 ++++++++++--

 source4/rpc_server/samr/samr_password.c     | 13 ++++++-

 source4/torture/rpc/samr.c                  | 16 ++++----

 8 files changed, 108 insertions(+), 33 deletions(-)

diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h

index 4c6d7af6763..09ff3687fb7 100644

--- a/libcli/auth/proto.h

+++ b/libcli/auth/proto.h

@@ -90,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,

 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  */

-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,

-		     bool forward);

+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,

+		    enum samba_gnutls_direction encrypt);

 DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);

 char *sess_decrypt_string(TALLOC_CTX *mem_ctx, 

 			  DATA_BLOB *blob, const DATA_BLOB *session_key);

diff --git a/libcli/auth/session.c b/libcli/auth/session.c

index 10c728662db..4af70d361af 100644

--- a/libcli/auth/session.c

+++ b/libcli/auth/session.c

@@ -29,10 +29,10 @@

   before calling, the out blob must be initialised to be the same size

   as the in blob

 */

-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,

-		     bool forward)

+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,

+		    enum samba_gnutls_direction encrypt)

 {

-	int i, k;

+	int i, k, rc;

 	for (i=0,k=0;

 	     i<in->length;

@@ -47,10 +47,14 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi

 		}

 		memcpy(key, &session_key->data[k], 7);

-		des_crypt56(bout, bin, key, forward?1:0);

+		rc = des_crypt56_gnutls(bout, bin, key, encrypt);

+		if (rc != 0) {

+			return rc;

+		}

 		memcpy(&out->data[i], bout, MIN(8, in->length-i));

 	}

+	return 0;

 }

@@ -67,6 +71,7 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)

 	DATA_BLOB ret, src;

 	int slen = strlen(str);

 	int dlen = (slen+7) & ~7;

+	int rc;

 	src = data_blob(NULL, 8+dlen);

 	if (!src.data) {

@@ -84,9 +89,13 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)

 	memset(src.data+8, 0,   dlen);

 	memcpy(src.data+8, str, slen);

-	sess_crypt_blob(&ret, &src, session_key, true);

+	rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);

 	data_blob_free(&src;;

+	if (rc != 0) {

+		data_blob_free(&ret;;

+		return data_blob(NULL, 0);

+	}

 	return ret;

 }

@@ -100,7 +109,7 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,

 			  DATA_BLOB *blob, const DATA_BLOB *session_key)

 {

 	DATA_BLOB out;

-	int slen;

+	int rc, slen;

 	char *ret;

 	if (blob->length < 8) {

@@ -112,7 +121,11 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,

 		return NULL;

 	}

-	sess_crypt_blob(&out, blob, session_key, false);

+	rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);

+	if (rc != 0) {

+		data_blob_free(&out;;

+		return NULL;

+	}

 	if (IVAL(out.data, 4) != 1) {

 		DEBUG(0,("Unexpected revision number %d in session crypted string\n",

@@ -149,6 +162,7 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_

 {

 	DATA_BLOB ret, src;

 	int dlen = (blob_in->length+7) & ~7;

+	int rc;

 	src = data_blob_talloc(mem_ctx, NULL, 8+dlen);

 	if (!src.data) {

@@ -166,9 +180,13 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_

 	memset(src.data+8, 0, dlen);

 	memcpy(src.data+8, blob_in->data, blob_in->length);

-	sess_crypt_blob(&ret, &src, session_key, true);

+	rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);

 	data_blob_free(&src;;

+	if (rc != 0) {

+		data_blob_free(&ret;;

+		return data_blob(NULL, 0);

+	}

 	return ret;

 }

@@ -180,7 +198,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT

 			   DATA_BLOB *ret)

 {

 	DATA_BLOB out;

-	int slen;

+	int rc, slen;

 	if (blob->length < 8) {

 		DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n",

@@ -193,7 +211,11 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT

 		return NT_STATUS_NO_MEMORY;

 	}

-	sess_crypt_blob(&out, blob, session_key, false);

+	rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);

+	if (rc != 0) {

+		data_blob_free(&out;;

+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+	}

 	if (IVAL(out.data, 4) != 1) {

 		DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n",

diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c

index a6692b9a913..707a1bcecc3 100644

--- a/libcli/auth/tests/test_gnutls.c

+++ b/libcli/auth/tests/test_gnutls.c

@@ -494,11 +494,14 @@ static void torture_gnutls_sess_crypt_blob(void **state)

 	};

 	DATA_BLOB crypt = data_blob(NULL, 24);

 	DATA_BLOB decrypt = data_blob(NULL, 24);

+	int rc;

-	sess_crypt_blob(&crypt, &clear, &key, true);

+	rc = sess_crypt_blob(&crypt, &clear, &key, SAMBA_GNUTLS_ENCRYPT);

+	assert_int_equal(rc, 0);

 	assert_memory_equal(crypt.data, crypt_expected, 24);

-	sess_crypt_blob(&decrypt, &crypt, &key, false);

+	rc = sess_crypt_blob(&decrypt, &crypt, &key, SAMBA_GNUTLS_DECRYPT);

+	assert_int_equal(rc, 0);

 	assert_memory_equal(decrypt.data, clear.data, 24);

 }

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c

index 124bae95064..cbbf9feedc7 100644

--- a/source3/rpc_server/netlogon/srv_netlog_nt.c

+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c

@@ -1220,7 +1220,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,

 				status = NT_STATUS_NO_MEMORY;

 				goto out;

 			}

-			sess_crypt_blob(&out, &in, &session_key, true);

+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

+			if (rc != 0) {

+				status = gnutls_error_to_ntstatus(rc,

+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+				goto out;

+			}

 			memcpy(info18.nt_pwd.hash, out.data, out.length);

 			info18.nt_pwd_active = true;

diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c

index 87214b2899e..91771e34502 100644

--- a/source3/rpc_server/samr/srv_samr_nt.c

+++ b/source3/rpc_server/samr/srv_samr_nt.c

@@ -4411,6 +4411,8 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,

 				 DATA_BLOB *session_key,

 				 struct samu *pwd)

 {

+	int rc;

+

 	if (id18 == NULL) {

 		DEBUG(2, ("set_user_info_18: id18 is NULL\n"));

 		return NT_STATUS_INVALID_PARAMETER;

@@ -4429,7 +4431,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,

 		in = data_blob_const(id18->nt_pwd.hash, 16);

 		out = data_blob_talloc_zero(mem_ctx, 16);

-		sess_crypt_blob(&out, &in, session_key, false);

+		rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);

+		if (rc != 0) {

+			return gnutls_error_to_ntstatus(rc,

+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+		}

 		if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {

 			return NT_STATUS_ACCESS_DENIED;

@@ -4445,7 +4451,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,

 		in = data_blob_const(id18->lm_pwd.hash, 16);

 		out = data_blob_talloc_zero(mem_ctx, 16);

-		sess_crypt_blob(&out, &in, session_key, false);

+		rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);

+		if (rc != 0) {

+			return gnutls_error_to_ntstatus(rc,

+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+		}

 		if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {

 			return NT_STATUS_ACCESS_DENIED;

@@ -4487,6 +4497,7 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,

 				 struct samu *pwd)

 {

 	NTSTATUS status;

+	int rc;

 	if (id21 == NULL) {

 		DEBUG(5, ("set_user_info_21: NULL id21\n"));

@@ -4517,7 +4528,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,

 			in = data_blob_const(id21->nt_owf_password.array, 16);

 			out = data_blob_talloc_zero(mem_ctx, 16);

-			sess_crypt_blob(&out, &in, session_key, false);

+			rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);

+			if (rc != 0) {

+				return gnutls_error_to_ntstatus(rc,

+								NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);

 			pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);

@@ -4540,7 +4555,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,

 			in = data_blob_const(id21->lm_owf_password.array, 16);

 			out = data_blob_talloc_zero(mem_ctx, 16);

-			sess_crypt_blob(&out, &in, session_key, false);

+			rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);

+			if (rc != 0) {

+				return gnutls_error_to_ntstatus(rc,

+								NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);

 			pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);

diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c

index 0cd8b50058e..de95eb2160d 100644

--- a/source3/rpcclient/cmd_samr.c

+++ b/source3/rpcclient/cmd_samr.c

@@ -3044,6 +3044,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,

 	uint8_t password_expired = 0;

 	struct dcerpc_binding_handle *b = cli->binding_handle;

 	TALLOC_CTX *frame = NULL;

+	int rc;

 	if (argc < 4) {

 		printf("Usage: %s username level password [password_expired]\n",

@@ -3086,7 +3087,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,

 				status = NT_STATUS_NO_MEMORY;

 				goto done;

 			}

-			sess_crypt_blob(&out, &in, &session_key, true);

+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

+			if (rc != 0) {

+				status = gnutls_error_to_ntstatus(rc,

+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			memcpy(nt_hash, out.data, out.length);

 		}

 		{

@@ -3097,7 +3102,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,

 				status = NT_STATUS_NO_MEMORY;

 				goto done;

 			}

-			sess_crypt_blob(&out, &in, &session_key, true);

+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

+			if (rc != 0) {

+				status = gnutls_error_to_ntstatus(rc,

+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			memcpy(lm_hash, out.data, out.length);

 		}

@@ -3134,7 +3143,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,

 				status = NT_STATUS_NO_MEMORY;

 				goto done;

 			}

-			sess_crypt_blob(&out, &in, &session_key, true);

+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

+			if (rc != 0) {

+				status = gnutls_error_to_ntstatus(rc,

+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			info.info21.nt_owf_password.array =

 				(uint16_t *)talloc_memdup(frame, out.data, 16);

 		}

@@ -3142,7 +3155,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,

 			DATA_BLOB in,out;

 			in = data_blob_const(lm_hash, 16);

 			out = data_blob_talloc_zero(frame, 16);

-			sess_crypt_blob(&out, &in, &session_key, true);

+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

+			if (rc != 0) {

+				status = gnutls_error_to_ntstatus(rc,

+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+			}

 			info.info21.lm_owf_password.array =

 				(uint16_t *)talloc_memdup(frame, out.data, 16);

 			if (out.data == NULL) {

diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c

index 4fa00bf6360..fba236ebdd7 100644

--- a/source4/rpc_server/samr/samr_password.c

+++ b/source4/rpc_server/samr/samr_password.c

@@ -737,6 +737,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,

 	DATA_BLOB session_key = data_blob(NULL, 0);

 	DATA_BLOB in, out;

 	NTSTATUS nt_status = NT_STATUS_OK;

+	int rc;

 	nt_status = dcesrv_transport_session_key(dce_call, &session_key);

 	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {

@@ -761,7 +762,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,

 		in = data_blob_const(lm_pwd_hash, 16);

 		out = data_blob_talloc_zero(mem_ctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, false);

+		rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);

+		if (rc != 0) {

+			return gnutls_error_to_ntstatus(rc,

+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+		}

 		d_lm_pwd_hash = (struct samr_Password *) out.data;

 	}

@@ -769,7 +774,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,

 		in = data_blob_const(nt_pwd_hash, 16);

 		out = data_blob_talloc_zero(mem_ctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, false);

+		rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);

+		if (rc != 0) {

+			return gnutls_error_to_ntstatus(rc,

+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+		}

 		d_nt_pwd_hash = (struct samr_Password *) out.data;

 	}

diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c

index 4b3ad093bf6..1961c05b5f6 100644

--- a/source4/torture/rpc/samr.c

+++ b/source4/torture/rpc/samr.c

@@ -1007,14 +1007,14 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t

 		DATA_BLOB in,out;

 		in = data_blob_const(nt_hash, 16);

 		out = data_blob_talloc_zero(tctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, true);

+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 		memcpy(u.info18.nt_pwd.hash, out.data, out.length);

 	}

 	{

 		DATA_BLOB in,out;

 		in = data_blob_const(lm_hash, 16);

 		out = data_blob_talloc_zero(tctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, true);

+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 		memcpy(u.info18.lm_pwd.hash, out.data, out.length);

 	}

@@ -1096,7 +1096,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t

 		in = data_blob_const(u.info21.lm_owf_password.array,

 				     u.info21.lm_owf_password.length);

 		out = data_blob_talloc_zero(tctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, true);

+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 		u.info21.lm_owf_password.array = (uint16_t *)out.data;

 	}

@@ -1105,7 +1105,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t

 		in = data_blob_const(u.info21.nt_owf_password.array,

 				     u.info21.nt_owf_password.length);

 		out = data_blob_talloc_zero(tctx, 16);

-		sess_crypt_blob(&out, &in, &session_key, true);

+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 		u.info21.nt_owf_password.array = (uint16_t *)out.data;

 	}

@@ -1272,14 +1272,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,

 			DATA_BLOB in,out;

 			in = data_blob_const(u.info18.nt_pwd.hash, 16);

 			out = data_blob_talloc_zero(tctx, 16);

-			sess_crypt_blob(&out, &in, &session_key, true);

+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 			memcpy(u.info18.nt_pwd.hash, out.data, out.length);

 		}

 		{

 			DATA_BLOB in,out;

 			in = data_blob_const(u.info18.lm_pwd.hash, 16);

 			out = data_blob_talloc_zero(tctx, 16);

-			sess_crypt_blob(&out, &in, &session_key, true);

+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 			memcpy(u.info18.lm_pwd.hash, out.data, out.length);

 		}

@@ -1290,7 +1290,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,

 			in = data_blob_const(u.info21.lm_owf_password.array,

 					     u.info21.lm_owf_password.length);

 			out = data_blob_talloc_zero(tctx, 16);

-			sess_crypt_blob(&out, &in, &session_key, true);

+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 			u.info21.lm_owf_password.array = (uint16_t *)out.data;

 		}

 		if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {

@@ -1298,7 +1298,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,

 			in = data_blob_const(u.info21.nt_owf_password.array,

 					     u.info21.nt_owf_password.length);

 			out = data_blob_talloc_zero(tctx, 16);

-			sess_crypt_blob(&out, &in, &session_key, true);

+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);

 			u.info21.nt_owf_password.array = (uint16_t *)out.data;

 		}

 		break;

-- 

2.23.0