Blob Blame History Raw
From 3f2ab4815d9ddf6a6d4a6d8904f528f05d1802cf Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 21 Nov 2019 14:02:03 +0100
Subject: [PATCH 185/187] session: convert sess_crypt_blob to use gnutls

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1)
---
 libcli/auth/proto.h                         |  4 +-
 libcli/auth/session.c                       | 42 ++++++++++++++++-----
 libcli/auth/tests/test_gnutls.c             |  7 +++-
 source3/rpc_server/netlogon/srv_netlog_nt.c |  7 +++-
 source3/rpc_server/samr/srv_samr_nt.c       | 27 +++++++++++--
 source3/rpcclient/cmd_samr.c                | 25 ++++++++++--
 source4/rpc_server/samr/samr_password.c     | 13 ++++++-
 source4/torture/rpc/samr.c                  | 16 ++++----
 8 files changed, 108 insertions(+), 33 deletions(-)

diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 4c6d7af6763..09ff3687fb7 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -90,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  */
 
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
-		     bool forward);
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
+		    enum samba_gnutls_direction encrypt);
 DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);
 char *sess_decrypt_string(TALLOC_CTX *mem_ctx, 
 			  DATA_BLOB *blob, const DATA_BLOB *session_key);
diff --git a/libcli/auth/session.c b/libcli/auth/session.c
index 10c728662db..4af70d361af 100644
--- a/libcli/auth/session.c
+++ b/libcli/auth/session.c
@@ -29,10 +29,10 @@
   before calling, the out blob must be initialised to be the same size
   as the in blob
 */
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
-		     bool forward)
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
+		    enum samba_gnutls_direction encrypt)
 {
-	int i, k;
+	int i, k, rc;
 
 	for (i=0,k=0;
 	     i<in->length;
@@ -47,10 +47,14 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi
 		}
 		memcpy(key, &session_key->data[k], 7);
 
-		des_crypt56(bout, bin, key, forward?1:0);
+		rc = des_crypt56_gnutls(bout, bin, key, encrypt);
+		if (rc != 0) {
+			return rc;
+		}
 
 		memcpy(&out->data[i], bout, MIN(8, in->length-i));
 	}
+	return 0;
 }
 
 
@@ -67,6 +71,7 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)
 	DATA_BLOB ret, src;
 	int slen = strlen(str);
 	int dlen = (slen+7) & ~7;
+	int rc;
 
 	src = data_blob(NULL, 8+dlen);
 	if (!src.data) {
@@ -84,9 +89,13 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)
 	memset(src.data+8, 0,   dlen);
 	memcpy(src.data+8, str, slen);
 
-	sess_crypt_blob(&ret, &src, session_key, true);
+	rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);
 	
 	data_blob_free(&src);
+	if (rc != 0) {
+		data_blob_free(&ret);
+		return data_blob(NULL, 0);
+	}
 
 	return ret;
 }
@@ -100,7 +109,7 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
 			  DATA_BLOB *blob, const DATA_BLOB *session_key)
 {
 	DATA_BLOB out;
-	int slen;
+	int rc, slen;
 	char *ret;
 
 	if (blob->length < 8) {
@@ -112,7 +121,11 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	sess_crypt_blob(&out, blob, session_key, false);
+	rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);
+	if (rc != 0) {
+		data_blob_free(&out);
+		return NULL;
+	}
 
 	if (IVAL(out.data, 4) != 1) {
 		DEBUG(0,("Unexpected revision number %d in session crypted string\n",
@@ -149,6 +162,7 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_
 {
 	DATA_BLOB ret, src;
 	int dlen = (blob_in->length+7) & ~7;
+	int rc;
 
 	src = data_blob_talloc(mem_ctx, NULL, 8+dlen);
 	if (!src.data) {
@@ -166,9 +180,13 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_
 	memset(src.data+8, 0, dlen);
 	memcpy(src.data+8, blob_in->data, blob_in->length);
 
-	sess_crypt_blob(&ret, &src, session_key, true);
+	rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);
 	
 	data_blob_free(&src);
+	if (rc != 0) {
+		data_blob_free(&ret);
+		return data_blob(NULL, 0);
+	}
 
 	return ret;
 }
@@ -180,7 +198,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT
 			   DATA_BLOB *ret)
 {
 	DATA_BLOB out;
-	int slen;
+	int rc, slen;
 
 	if (blob->length < 8) {
 		DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n",
@@ -193,7 +211,11 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	sess_crypt_blob(&out, blob, session_key, false);
+	rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);
+	if (rc != 0) {
+		data_blob_free(&out);
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+	}
 
 	if (IVAL(out.data, 4) != 1) {
 		DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n",
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index a6692b9a913..707a1bcecc3 100644
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -494,11 +494,14 @@ static void torture_gnutls_sess_crypt_blob(void **state)
 	};
 	DATA_BLOB crypt = data_blob(NULL, 24);
 	DATA_BLOB decrypt = data_blob(NULL, 24);
+	int rc;
 
-	sess_crypt_blob(&crypt, &clear, &key, true);
+	rc = sess_crypt_blob(&crypt, &clear, &key, SAMBA_GNUTLS_ENCRYPT);
+	assert_int_equal(rc, 0);
 	assert_memory_equal(crypt.data, crypt_expected, 24);
 
-	sess_crypt_blob(&decrypt, &crypt, &key, false);
+	rc = sess_crypt_blob(&decrypt, &crypt, &key, SAMBA_GNUTLS_DECRYPT);
+	assert_int_equal(rc, 0);
 	assert_memory_equal(decrypt.data, clear.data, 24);
 }
 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 124bae95064..cbbf9feedc7 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1220,7 +1220,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
 				status = NT_STATUS_NO_MEMORY;
 				goto out;
 			}
-			sess_crypt_blob(&out, &in, &session_key, true);
+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+			if (rc != 0) {
+				status = gnutls_error_to_ntstatus(rc,
+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+				goto out;
+			}
 			memcpy(info18.nt_pwd.hash, out.data, out.length);
 
 			info18.nt_pwd_active = true;
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 87214b2899e..91771e34502 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -4411,6 +4411,8 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
 				 DATA_BLOB *session_key,
 				 struct samu *pwd)
 {
+	int rc;
+
 	if (id18 == NULL) {
 		DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
 		return NT_STATUS_INVALID_PARAMETER;
@@ -4429,7 +4431,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
 		in = data_blob_const(id18->nt_pwd.hash, 16);
 		out = data_blob_talloc_zero(mem_ctx, 16);
 
-		sess_crypt_blob(&out, &in, session_key, false);
+		rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+		if (rc != 0) {
+			return gnutls_error_to_ntstatus(rc,
+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+		}
 
 		if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
 			return NT_STATUS_ACCESS_DENIED;
@@ -4445,7 +4451,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
 		in = data_blob_const(id18->lm_pwd.hash, 16);
 		out = data_blob_talloc_zero(mem_ctx, 16);
 
-		sess_crypt_blob(&out, &in, session_key, false);
+		rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+		if (rc != 0) {
+			return gnutls_error_to_ntstatus(rc,
+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+		}
 
 		if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
 			return NT_STATUS_ACCESS_DENIED;
@@ -4487,6 +4497,7 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
 				 struct samu *pwd)
 {
 	NTSTATUS status;
+	int rc;
 
 	if (id21 == NULL) {
 		DEBUG(5, ("set_user_info_21: NULL id21\n"));
@@ -4517,7 +4528,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
 			in = data_blob_const(id21->nt_owf_password.array, 16);
 			out = data_blob_talloc_zero(mem_ctx, 16);
 
-			sess_crypt_blob(&out, &in, session_key, false);
+			rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+			if (rc != 0) {
+				return gnutls_error_to_ntstatus(rc,
+								NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 
 			pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
 			pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
@@ -4540,7 +4555,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
 			in = data_blob_const(id21->lm_owf_password.array, 16);
 			out = data_blob_talloc_zero(mem_ctx, 16);
 
-			sess_crypt_blob(&out, &in, session_key, false);
+			rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+			if (rc != 0) {
+				return gnutls_error_to_ntstatus(rc,
+								NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 
 			pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
 			pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 0cd8b50058e..de95eb2160d 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3044,6 +3044,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 	uint8_t password_expired = 0;
 	struct dcerpc_binding_handle *b = cli->binding_handle;
 	TALLOC_CTX *frame = NULL;
+	int rc;
 
 	if (argc < 4) {
 		printf("Usage: %s username level password [password_expired]\n",
@@ -3086,7 +3087,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 				status = NT_STATUS_NO_MEMORY;
 				goto done;
 			}
-			sess_crypt_blob(&out, &in, &session_key, true);
+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+			if (rc != 0) {
+				status = gnutls_error_to_ntstatus(rc,
+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 			memcpy(nt_hash, out.data, out.length);
 		}
 		{
@@ -3097,7 +3102,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 				status = NT_STATUS_NO_MEMORY;
 				goto done;
 			}
-			sess_crypt_blob(&out, &in, &session_key, true);
+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+			if (rc != 0) {
+				status = gnutls_error_to_ntstatus(rc,
+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 			memcpy(lm_hash, out.data, out.length);
 		}
 
@@ -3134,7 +3143,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 				status = NT_STATUS_NO_MEMORY;
 				goto done;
 			}
-			sess_crypt_blob(&out, &in, &session_key, true);
+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+			if (rc != 0) {
+				status = gnutls_error_to_ntstatus(rc,
+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 			info.info21.nt_owf_password.array =
 				(uint16_t *)talloc_memdup(frame, out.data, 16);
 		}
@@ -3142,7 +3155,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 			DATA_BLOB in,out;
 			in = data_blob_const(lm_hash, 16);
 			out = data_blob_talloc_zero(frame, 16);
-			sess_crypt_blob(&out, &in, &session_key, true);
+			rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+			if (rc != 0) {
+				status = gnutls_error_to_ntstatus(rc,
+								  NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+			}
 			info.info21.lm_owf_password.array =
 				(uint16_t *)talloc_memdup(frame, out.data, 16);
 			if (out.data == NULL) {
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 4fa00bf6360..fba236ebdd7 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -737,6 +737,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
 	DATA_BLOB session_key = data_blob(NULL, 0);
 	DATA_BLOB in, out;
 	NTSTATUS nt_status = NT_STATUS_OK;
+	int rc;
 
 	nt_status = dcesrv_transport_session_key(dce_call, &session_key);
 	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
@@ -761,7 +762,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
 		in = data_blob_const(lm_pwd_hash, 16);
 		out = data_blob_talloc_zero(mem_ctx, 16);
 
-		sess_crypt_blob(&out, &in, &session_key, false);
+		rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);
+		if (rc != 0) {
+			return gnutls_error_to_ntstatus(rc,
+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+		}
 
 		d_lm_pwd_hash = (struct samr_Password *) out.data;
 	}
@@ -769,7 +774,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
 		in = data_blob_const(nt_pwd_hash, 16);
 		out = data_blob_talloc_zero(mem_ctx, 16);
 
-		sess_crypt_blob(&out, &in, &session_key, false);
+		rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);
+		if (rc != 0) {
+			return gnutls_error_to_ntstatus(rc,
+							NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+		}
 
 		d_nt_pwd_hash = (struct samr_Password *) out.data;
 	}
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 4b3ad093bf6..1961c05b5f6 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -1007,14 +1007,14 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
 		DATA_BLOB in,out;
 		in = data_blob_const(nt_hash, 16);
 		out = data_blob_talloc_zero(tctx, 16);
-		sess_crypt_blob(&out, &in, &session_key, true);
+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 		memcpy(u.info18.nt_pwd.hash, out.data, out.length);
 	}
 	{
 		DATA_BLOB in,out;
 		in = data_blob_const(lm_hash, 16);
 		out = data_blob_talloc_zero(tctx, 16);
-		sess_crypt_blob(&out, &in, &session_key, true);
+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 		memcpy(u.info18.lm_pwd.hash, out.data, out.length);
 	}
 
@@ -1096,7 +1096,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
 		in = data_blob_const(u.info21.lm_owf_password.array,
 				     u.info21.lm_owf_password.length);
 		out = data_blob_talloc_zero(tctx, 16);
-		sess_crypt_blob(&out, &in, &session_key, true);
+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 		u.info21.lm_owf_password.array = (uint16_t *)out.data;
 	}
 
@@ -1105,7 +1105,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
 		in = data_blob_const(u.info21.nt_owf_password.array,
 				     u.info21.nt_owf_password.length);
 		out = data_blob_talloc_zero(tctx, 16);
-		sess_crypt_blob(&out, &in, &session_key, true);
+		sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 		u.info21.nt_owf_password.array = (uint16_t *)out.data;
 	}
 
@@ -1272,14 +1272,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
 			DATA_BLOB in,out;
 			in = data_blob_const(u.info18.nt_pwd.hash, 16);
 			out = data_blob_talloc_zero(tctx, 16);
-			sess_crypt_blob(&out, &in, &session_key, true);
+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 			memcpy(u.info18.nt_pwd.hash, out.data, out.length);
 		}
 		{
 			DATA_BLOB in,out;
 			in = data_blob_const(u.info18.lm_pwd.hash, 16);
 			out = data_blob_talloc_zero(tctx, 16);
-			sess_crypt_blob(&out, &in, &session_key, true);
+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 			memcpy(u.info18.lm_pwd.hash, out.data, out.length);
 		}
 
@@ -1290,7 +1290,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
 			in = data_blob_const(u.info21.lm_owf_password.array,
 					     u.info21.lm_owf_password.length);
 			out = data_blob_talloc_zero(tctx, 16);
-			sess_crypt_blob(&out, &in, &session_key, true);
+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 			u.info21.lm_owf_password.array = (uint16_t *)out.data;
 		}
 		if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
@@ -1298,7 +1298,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
 			in = data_blob_const(u.info21.nt_owf_password.array,
 					     u.info21.nt_owf_password.length);
 			out = data_blob_talloc_zero(tctx, 16);
-			sess_crypt_blob(&out, &in, &session_key, true);
+			sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
 			u.info21.nt_owf_password.array = (uint16_t *)out.data;
 		}
 		break;
-- 
2.23.0