From 3f2ab4815d9ddf6a6d4a6d8904f528f05d1802cf Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 21 Nov 2019 14:02:03 +0100
Subject: [PATCH 185/187] session: convert sess_crypt_blob to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1)
---
libcli/auth/proto.h | 4 +-
libcli/auth/session.c | 42 ++++++++++++++++-----
libcli/auth/tests/test_gnutls.c | 7 +++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 7 +++-
source3/rpc_server/samr/srv_samr_nt.c | 27 +++++++++++--
source3/rpcclient/cmd_samr.c | 25 ++++++++++--
source4/rpc_server/samr/samr_password.c | 13 ++++++-
source4/torture/rpc/samr.c | 16 ++++----
8 files changed, 108 insertions(+), 33 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 4c6d7af6763..09ff3687fb7 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -90,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
- bool forward);
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
+ enum samba_gnutls_direction encrypt);
DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);
char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
DATA_BLOB *blob, const DATA_BLOB *session_key);
diff --git a/libcli/auth/session.c b/libcli/auth/session.c
index 10c728662db..4af70d361af 100644
--- a/libcli/auth/session.c
+++ b/libcli/auth/session.c
@@ -29,10 +29,10 @@
before calling, the out blob must be initialised to be the same size
as the in blob
*/
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
- bool forward)
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key,
+ enum samba_gnutls_direction encrypt)
{
- int i, k;
+ int i, k, rc;
for (i=0,k=0;
i<in->length;
@@ -47,10 +47,14 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi
}
memcpy(key, &session_key->data[k], 7);
- des_crypt56(bout, bin, key, forward?1:0);
+ rc = des_crypt56_gnutls(bout, bin, key, encrypt);
+ if (rc != 0) {
+ return rc;
+ }
memcpy(&out->data[i], bout, MIN(8, in->length-i));
}
+ return 0;
}
@@ -67,6 +71,7 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)
DATA_BLOB ret, src;
int slen = strlen(str);
int dlen = (slen+7) & ~7;
+ int rc;
src = data_blob(NULL, 8+dlen);
if (!src.data) {
@@ -84,9 +89,13 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key)
memset(src.data+8, 0, dlen);
memcpy(src.data+8, str, slen);
- sess_crypt_blob(&ret, &src, session_key, true);
+ rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);
data_blob_free(&src);
+ if (rc != 0) {
+ data_blob_free(&ret);
+ return data_blob(NULL, 0);
+ }
return ret;
}
@@ -100,7 +109,7 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
DATA_BLOB *blob, const DATA_BLOB *session_key)
{
DATA_BLOB out;
- int slen;
+ int rc, slen;
char *ret;
if (blob->length < 8) {
@@ -112,7 +121,11 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx,
return NULL;
}
- sess_crypt_blob(&out, blob, session_key, false);
+ rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ data_blob_free(&out);
+ return NULL;
+ }
if (IVAL(out.data, 4) != 1) {
DEBUG(0,("Unexpected revision number %d in session crypted string\n",
@@ -149,6 +162,7 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_
{
DATA_BLOB ret, src;
int dlen = (blob_in->length+7) & ~7;
+ int rc;
src = data_blob_talloc(mem_ctx, NULL, 8+dlen);
if (!src.data) {
@@ -166,9 +180,13 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_
memset(src.data+8, 0, dlen);
memcpy(src.data+8, blob_in->data, blob_in->length);
- sess_crypt_blob(&ret, &src, session_key, true);
+ rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT);
data_blob_free(&src);
+ if (rc != 0) {
+ data_blob_free(&ret);
+ return data_blob(NULL, 0);
+ }
return ret;
}
@@ -180,7 +198,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT
DATA_BLOB *ret)
{
DATA_BLOB out;
- int slen;
+ int rc, slen;
if (blob->length < 8) {
DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n",
@@ -193,7 +211,11 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT
return NT_STATUS_NO_MEMORY;
}
- sess_crypt_blob(&out, blob, session_key, false);
+ rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ data_blob_free(&out);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
if (IVAL(out.data, 4) != 1) {
DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n",
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index a6692b9a913..707a1bcecc3 100644
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -494,11 +494,14 @@ static void torture_gnutls_sess_crypt_blob(void **state)
};
DATA_BLOB crypt = data_blob(NULL, 24);
DATA_BLOB decrypt = data_blob(NULL, 24);
+ int rc;
- sess_crypt_blob(&crypt, &clear, &key, true);
+ rc = sess_crypt_blob(&crypt, &clear, &key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt.data, crypt_expected, 24);
- sess_crypt_blob(&decrypt, &crypt, &key, false);
+ rc = sess_crypt_blob(&decrypt, &crypt, &key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(decrypt.data, clear.data, 24);
}
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 124bae95064..cbbf9feedc7 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1220,7 +1220,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
status = NT_STATUS_NO_MEMORY;
goto out;
}
- sess_crypt_blob(&out, &in, &session_key, true);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto out;
+ }
memcpy(info18.nt_pwd.hash, out.data, out.length);
info18.nt_pwd_active = true;
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 87214b2899e..91771e34502 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -4411,6 +4411,8 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
DATA_BLOB *session_key,
struct samu *pwd)
{
+ int rc;
+
if (id18 == NULL) {
DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -4429,7 +4431,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
in = data_blob_const(id18->nt_pwd.hash, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, session_key, false);
+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
return NT_STATUS_ACCESS_DENIED;
@@ -4445,7 +4451,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
in = data_blob_const(id18->lm_pwd.hash, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, session_key, false);
+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
return NT_STATUS_ACCESS_DENIED;
@@ -4487,6 +4497,7 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
struct samu *pwd)
{
NTSTATUS status;
+ int rc;
if (id21 == NULL) {
DEBUG(5, ("set_user_info_21: NULL id21\n"));
@@ -4517,7 +4528,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
in = data_blob_const(id21->nt_owf_password.array, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, session_key, false);
+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
@@ -4540,7 +4555,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
in = data_blob_const(id21->lm_owf_password.array, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, session_key, false);
+ rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 0cd8b50058e..de95eb2160d 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3044,6 +3044,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
uint8_t password_expired = 0;
struct dcerpc_binding_handle *b = cli->binding_handle;
TALLOC_CTX *frame = NULL;
+ int rc;
if (argc < 4) {
printf("Usage: %s username level password [password_expired]\n",
@@ -3086,7 +3087,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
status = NT_STATUS_NO_MEMORY;
goto done;
}
- sess_crypt_blob(&out, &in, &session_key, true);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
memcpy(nt_hash, out.data, out.length);
}
{
@@ -3097,7 +3102,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
status = NT_STATUS_NO_MEMORY;
goto done;
}
- sess_crypt_blob(&out, &in, &session_key, true);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
memcpy(lm_hash, out.data, out.length);
}
@@ -3134,7 +3143,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
status = NT_STATUS_NO_MEMORY;
goto done;
}
- sess_crypt_blob(&out, &in, &session_key, true);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
info.info21.nt_owf_password.array =
(uint16_t *)talloc_memdup(frame, out.data, 16);
}
@@ -3142,7 +3155,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
out = data_blob_talloc_zero(frame, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
info.info21.lm_owf_password.array =
(uint16_t *)talloc_memdup(frame, out.data, 16);
if (out.data == NULL) {
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 4fa00bf6360..fba236ebdd7 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -737,6 +737,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB in, out;
NTSTATUS nt_status = NT_STATUS_OK;
+ int rc;
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
@@ -761,7 +762,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
in = data_blob_const(lm_pwd_hash, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, &session_key, false);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
d_lm_pwd_hash = (struct samr_Password *) out.data;
}
@@ -769,7 +774,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
in = data_blob_const(nt_pwd_hash, 16);
out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, &session_key, false);
+ rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
d_nt_pwd_hash = (struct samr_Password *) out.data;
}
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 4b3ad093bf6..1961c05b5f6 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -1007,14 +1007,14 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
DATA_BLOB in,out;
in = data_blob_const(nt_hash, 16);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
memcpy(u.info18.nt_pwd.hash, out.data, out.length);
}
{
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
memcpy(u.info18.lm_pwd.hash, out.data, out.length);
}
@@ -1096,7 +1096,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
in = data_blob_const(u.info21.lm_owf_password.array,
u.info21.lm_owf_password.length);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
u.info21.lm_owf_password.array = (uint16_t *)out.data;
}
@@ -1105,7 +1105,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
in = data_blob_const(u.info21.nt_owf_password.array,
u.info21.nt_owf_password.length);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
u.info21.nt_owf_password.array = (uint16_t *)out.data;
}
@@ -1272,14 +1272,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
DATA_BLOB in,out;
in = data_blob_const(u.info18.nt_pwd.hash, 16);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
memcpy(u.info18.nt_pwd.hash, out.data, out.length);
}
{
DATA_BLOB in,out;
in = data_blob_const(u.info18.lm_pwd.hash, 16);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
memcpy(u.info18.lm_pwd.hash, out.data, out.length);
}
@@ -1290,7 +1290,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
in = data_blob_const(u.info21.lm_owf_password.array,
u.info21.lm_owf_password.length);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
u.info21.lm_owf_password.array = (uint16_t *)out.data;
}
if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
@@ -1298,7 +1298,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
in = data_blob_const(u.info21.nt_owf_password.array,
u.info21.nt_owf_password.length);
out = data_blob_talloc_zero(tctx, 16);
- sess_crypt_blob(&out, &in, &session_key, true);
+ sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
u.info21.nt_owf_password.array = (uint16_t *)out.data;
}
break;
--
2.23.0