From a3d360ba0c46c077643559b4eee9df632080ef1a Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 7 Nov 2019 12:53:52 +0100
Subject: [PATCH 175/187] netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls
and return NTSTATUS
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38189f76d8b958fff8a6351f3fb21f6ed04b76da)
---
libcli/auth/credentials.c | 36 +++++++++++++++++++++++++++---------
libcli/auth/proto.h | 6 ++++--
2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index f1088a1d8e0..d9237f3875b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -253,25 +253,40 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds
return NT_STATUS_OK;
}
-
/*
DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
*/
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+ struct netr_LMSessionKey *key)
{
+ int rc;
struct netr_LMSessionKey tmp;
- des_crypt56(tmp.key, key->key, creds->session_key, 1);
+
+ rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*key = tmp;
+
+ return NT_STATUS_OK;
}
/*
DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
*/
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+ struct netr_LMSessionKey *key)
{
+ int rc;
struct netr_LMSessionKey tmp;
- des_crypt56(tmp.key, key->key, creds->session_key, 0);
+
+ rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*key = tmp;
+
+ return NT_STATUS_OK;
}
/*
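Review bot: The comments above netlogon_creds_des_encrypt_LMKey and netlogon_creds_des_decrypt_LMKey still describe only the DES operation and say nothing about the new return value or the state of `*key` on failure. When des_crypt56_gnutls returns rc < 0, both functions return before `*key = tmp;`, so the caller's buffer keeps its input, which in the encrypt case is the unencrypted LM session key. I would extend each comment with something like `Returns NT_STATUS_OK on success; on error *key is left unmodified and must not be used or sent`. The stack copy `tmp` also still holds key material when the function returns; adding `ZERO_STRUCT(tmp);` after the assignment would be cheap hygiene, although a compiler may elide a plain clear of a dead local.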
@@ -849,11 +864,14 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
if (!all_zero(base->LMSessKey.key,
sizeof(base->LMSessKey.key))) {
if (do_encrypt) {
- netlogon_creds_des_encrypt_LMKey(creds,
- &base->LMSessKey);
+ status = netlogon_creds_des_encrypt_LMKey(creds,
+ &base->LMSessKey);
} else {
- netlogon_creds_des_decrypt_LMKey(creds,
- &base->LMSessKey);
+ status = netlogon_creds_des_decrypt_LMKey(creds,
+ &base->LMSessKey);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
}
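Review bot: The new early `return status;` leaves the validation data in whatever state the earlier steps produced, because LMSessKey is transformed in place and the fields handled before this hunk presumably are too (those lines are not visible). A short comment at the check would make the contract explicit, for example `/* on failure the validation info is only partially processed; callers must discard it */`. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here whether its header comment already states this.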
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index e7c9923abf3..4a817e210b2 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -13,8 +13,10 @@
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+ struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+ struct netr_LMSessionKey *key);
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
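Review bot: Changing these two prototypes from void to NTSTATUS does not make the compiler flag callers that still discard the result, so a DES failure could go unnoticed at any call site this patch does not touch. The NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER fallback suggests one such failure is DES being disabled by crypto policy. Only the caller in netlogon_creds_crypt_samlogon_validation is updated here; whether other callers exist is not visible from the patch. Marking the declarations with a warn-unused-result attribute, e.g. `_WARN_UNUSED_RESULT_ NTSTATUS netlogon_creds_des_encrypt_LMKey(...)` if that macro is available in this tree, would turn a missed call site into a build warning.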
--
2.23.0