From 41f45d98f22a7bae8d29fb3828452324c6b88eef Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Wed, 20 Nov 2019 15:41:02 +0100
Subject: [PATCH 183/187] smbdes: convert des_crypt112 to use gnutls
Signed-off-by: Isaac Boukris
Reviewed-by: Andrew Bartlett
(cherry picked from commit 254739137bdaebca31163f1683bfd7111dfefe67)
---
 libcli/auth/credentials.c | 8 +++++++-
 libcli/auth/proto.h | 3 ++-
 libcli/auth/smbdes.c | 25 ++++++++++++++++++-------
 libcli/auth/tests/test_gnutls.c | 7 +++++--
 4 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 1b94a06ebfb..5f65428a1d7 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -38,6 +38,8 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState
 struct netr_Credential *out)
 {
 NTSTATUS status;
+ int rc;
+
 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 memcpy(out->data, in->data, sizeof(out->data));
@@ -48,7 +50,11 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState
 return status;
 }
 } else {
- des_crypt112(out->data, in->data, creds->session_key, 1);
+ rc = des_crypt112(out->data, in->data, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
 }
 return NT_STATUS_OK;
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 5e88d7527fd..3994db20a36 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
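Review bot: The new error branch in the `else` (non-AES) path of netlogon_creds_step_crypt returns without saying what state `out->data` is in or why the fallback status is NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER. Since des_crypt112 can now fail, a short comment above the check would help, for example `/* DES can be refused by GnuTLS (crypto policy); out->data is not valid on error */`; the policy reading is inferred from the status name, so confirm it before committing the wording. Callers of this function are outside the hunk and must check the returned status before using `out`. The function body starts before the first hunk and ends after the second.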
@@ -227,7 +227,8 @@ int E_P16(const uint8_t *p14,uint8_t *p16);
 int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
 int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
 int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt);
 void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
 int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, enum samba_gnutls_direction encrypt);
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
index ec922da4727..8dc4fc4097c 100644
--- a/libcli/auth/smbdes.c
+++ b/libcli/auth/smbdes.c
@@ -418,16 +418,27 @@ int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
 }
 /* des encryption with a 112 bit (14 byte) key */
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt)
 {
 uint8_t buf[8];
- if (forw) {
- des_crypt56(buf, in, key, forw);
- des_crypt56(out, buf, key+7, forw);
- } else {
- des_crypt56(buf, in, key+7, forw);
- des_crypt56(out, buf, key, forw);
+ int ret;
+
+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+ ret = des_crypt56_gnutls(buf, in, key, SAMBA_GNUTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out, buf, key+7, SAMBA_GNUTLS_ENCRYPT);
 }
+
+ ret = des_crypt56_gnutls(buf, in, key+7, SAMBA_GNUTLS_DECRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out, buf, key, SAMBA_GNUTLS_DECRYPT);
 }
 /* des encryption of a 16 byte lump of data with a 112 bit key */
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index 087afee09db..68a27adc894 100644
--- a/libcli/auth/tests/test_gnutls.c
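Review bot: The switch of des_crypt112's last parameter from `int forw` to `enum samba_gnutls_direction encrypt` in proto.h is not enforced by the compiler: a caller that still passes `1` or `0` converts silently to the enum, and a caller that drops the new `int` result also compiles. The enum's numeric values are not visible on this page; if SAMBA_GNUTLS_ENCRYPT is not 1, any caller this patch missed would silently swap direction. It is worth checking every call site and considering a `warn_unused_result` attribute on the prototype so an ignored failure is flagged at build time. The neighbouring des_crypt112_16 prototype still takes `int forw`, so both conventions coexist in this header after the change.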
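Review bot: The comment above des_crypt112 in smbdes.c still reads only `des encryption with a 112 bit (14 byte) key`, although the function now returns a status and can fail between its two passes. If the second des_crypt56_gnutls call fails, `out` is left in whatever state that helper (defined outside the hunk) left it, and `buf` keeps the intermediate block on the stack. I would extend the comment to `/* des en/decryption with a 112 bit (14 byte) key; returns 0 or a gnutls error code, out is undefined on error */`; "gnutls error code" is inferred from the credentials.c caller passing the result to gnutls_error_to_ntstatus. Any `encrypt` value other than SAMBA_GNUTLS_ENCRYPT falls through to the decrypt path, which the comment could state as well.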
+++ b/libcli/auth/tests/test_gnutls.c
@@ -386,11 +386,14 @@ static void torture_gnutls_des_crypt112(void **state)
 uint8_t crypt[8];
 uint8_t decrypt[8];
+ int rc;
- des_crypt112(crypt, clear, key, 1);
+ rc = des_crypt112(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
 assert_memory_equal(crypt, crypt_expected, 8);
- des_crypt112(decrypt, crypt, key, 0);
+ rc = des_crypt112(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
 assert_memory_equal(decrypt, clear, 8);
 }
--
2.23.0