Blob Blame History Raw
From cbabf1224f61900eb96ea15841950c26b8b88cb5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 18:03:00 +0200
Subject: [PATCH 027/187] libcli:auth: Use
 samba_gnutls_arcfour_confounded_md5() in encode_wkssvc_join_password_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 85e2a3c96ad9acc1a85db189f6418c9d880b4718)
---
 libcli/auth/smbencrypt.c | 69 ++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 46 deletions(-)

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 745f47999cd..823e16a3387 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -968,65 +968,42 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
 WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 					  const char *pwd,
 					  DATA_BLOB *session_key,
-					  struct wkssvc_PasswordBuffer **pwd_buf)
+					  struct wkssvc_PasswordBuffer **out_pwd_buf)
 {
-	uint8_t buffer[516];
-	gnutls_hash_hd_t hash_hnd = NULL;
-	struct wkssvc_PasswordBuffer *my_pwd_buf = NULL;
-	DATA_BLOB confounded_session_key;
-	int confounder_len = 8;
-	uint8_t confounder[8];
-	WERROR werr;
+	struct wkssvc_PasswordBuffer *pwd_buf = NULL;
+	uint8_t _confounder[8] = {0};
+	DATA_BLOB confounder = data_blob_const(_confounder, 8);
+	uint8_t pwbuf[516] = {0};
+	DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
 	int rc;
 
-	my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
-	if (!my_pwd_buf) {
+	pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
+	if (pwd_buf == NULL) {
 		return WERR_NOT_ENOUGH_MEMORY;
 	}
 
-	confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
-	encode_pw_buffer(buffer, pwd, STR_UNICODE);
+	encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
 
-	generate_random_buffer((uint8_t *)confounder, confounder_len);
-
-	rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
-	if (rc < 0) {
-		werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
-		goto out;
-	}
-
-	rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
-	if (rc < 0) {
-		gnutls_hash_deinit(hash_hnd, NULL);
-		werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	generate_random_buffer(_confounder, sizeof(_confounder));
 
-		goto out;
-	}
-	rc = gnutls_hash(hash_hnd, confounder, confounder_len);
+	rc = samba_gnutls_arcfour_confounded_md5(session_key,
+						 &confounder,
+						 &encrypt_pwbuf,
+						 SAMBA_GNUTLS_ENCRYPT);
 	if (rc < 0) {
-		gnutls_hash_deinit(hash_hnd, NULL);
-		werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
-		goto out;
+		ZERO_ARRAY(_confounder);
+		TALLOC_FREE(pwd_buf);
+		return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
 	}
-	gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
 
-	arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
-	memcpy(&my_pwd_buf->data[0], confounder, confounder_len);
-	ZERO_ARRAY(confounder);
-	memcpy(&my_pwd_buf->data[8], buffer, 516);
-	ZERO_ARRAY(buffer);
-
-	data_blob_clear_free(&confounded_session_key);
+	memcpy(&pwd_buf->data[0], confounder.data, confounder.length);
+	ZERO_ARRAY(_confounder);
+	memcpy(&pwd_buf->data[8], encrypt_pwbuf.data, encrypt_pwbuf.length);
+	ZERO_ARRAY(pwbuf);
 
-	*pwd_buf = my_pwd_buf;
+	*out_pwd_buf = pwd_buf;
 
-	werr = WERR_OK;
-out:
-	return werr;
+	return WERR_OK;
 }
 
 WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
-- 
2.23.0