From 3f2ab4815d9ddf6a6d4a6d8904f528f05d1802cf Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 21 Nov 2019 14:02:03 +0100 Subject: [PATCH 185/187] session: convert sess_crypt_blob to use gnutls Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1) --- libcli/auth/proto.h | 4 +- libcli/auth/session.c | 42 ++++++++++++++++----- libcli/auth/tests/test_gnutls.c | 7 +++- source3/rpc_server/netlogon/srv_netlog_nt.c | 7 +++- source3/rpc_server/samr/srv_samr_nt.c | 27 +++++++++++-- source3/rpcclient/cmd_samr.c | 25 ++++++++++-- source4/rpc_server/samr/samr_password.c | 13 ++++++- source4/torture/rpc/samr.c | 16 ++++---- 8 files changed, 108 insertions(+), 33 deletions(-) diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 4c6d7af6763..09ff3687fb7 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h @@ -90,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx, /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */ -void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, - bool forward); +int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, + enum samba_gnutls_direction encrypt); DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key); char *sess_decrypt_string(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, const DATA_BLOB *session_key); diff --git a/libcli/auth/session.c b/libcli/auth/session.c index 10c728662db..4af70d361af 100644 --- a/libcli/auth/session.c +++ b/libcli/auth/session.c @@ -29,10 +29,10 @@ before calling, the out blob must be initialised to be the same size as the in blob */ -void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, - bool forward) +int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, + enum samba_gnutls_direction encrypt) { - int i, k; + int i, k, rc; for (i=0,k=0; ilength; @@ -47,10 +47,14 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi } memcpy(key, &session_key->data[k], 7); - des_crypt56(bout, bin, key, forward?1:0); + rc = des_crypt56_gnutls(bout, bin, key, encrypt); + if (rc != 0) { + return rc; + } memcpy(&out->data[i], bout, MIN(8, in->length-i)); } + return 0; } @@ -67,6 +71,7 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key) DATA_BLOB ret, src; int slen = strlen(str); int dlen = (slen+7) & ~7; + int rc; src = data_blob(NULL, 8+dlen); if (!src.data) { @@ -84,9 +89,13 @@ DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key) memset(src.data+8, 0, dlen); memcpy(src.data+8, str, slen); - sess_crypt_blob(&ret, &src, session_key, true); + rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT); data_blob_free(&src); + if (rc != 0) { + data_blob_free(&ret); + return data_blob(NULL, 0); + } return ret; } @@ -100,7 +109,7 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, const DATA_BLOB *session_key) { DATA_BLOB out; - int slen; + int rc, slen; char *ret; if (blob->length < 8) { @@ -112,7 +121,11 @@ char *sess_decrypt_string(TALLOC_CTX *mem_ctx, return NULL; } - sess_crypt_blob(&out, blob, session_key, false); + rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + data_blob_free(&out); + return NULL; + } if (IVAL(out.data, 4) != 1) { DEBUG(0,("Unexpected revision number %d in session crypted string\n", @@ -149,6 +162,7 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_ { DATA_BLOB ret, src; int dlen = (blob_in->length+7) & ~7; + int rc; src = data_blob_talloc(mem_ctx, NULL, 8+dlen); if (!src.data) { @@ -166,9 +180,13 @@ DATA_BLOB sess_encrypt_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob_in, const DATA_ memset(src.data+8, 0, dlen); memcpy(src.data+8, blob_in->data, blob_in->length); - sess_crypt_blob(&ret, &src, session_key, true); + rc = sess_crypt_blob(&ret, &src, session_key, SAMBA_GNUTLS_ENCRYPT); data_blob_free(&src); + if (rc != 0) { + data_blob_free(&ret); + return data_blob(NULL, 0); + } return ret; } @@ -180,7 +198,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT DATA_BLOB *ret) { DATA_BLOB out; - int slen; + int rc, slen; if (blob->length < 8) { DEBUG(0, ("Unexpected length %d in session crypted secret (BLOB)\n", @@ -193,7 +211,11 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT return NT_STATUS_NO_MEMORY; } - sess_crypt_blob(&out, blob, session_key, false); + rc = sess_crypt_blob(&out, blob, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + data_blob_free(&out); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } if (IVAL(out.data, 4) != 1) { DEBUG(2,("Unexpected revision number %d in session crypted secret (BLOB)\n", diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c index a6692b9a913..707a1bcecc3 100644 --- a/libcli/auth/tests/test_gnutls.c +++ b/libcli/auth/tests/test_gnutls.c @@ -494,11 +494,14 @@ static void torture_gnutls_sess_crypt_blob(void **state) }; DATA_BLOB crypt = data_blob(NULL, 24); DATA_BLOB decrypt = data_blob(NULL, 24); + int rc; - sess_crypt_blob(&crypt, &clear, &key, true); + rc = sess_crypt_blob(&crypt, &clear, &key, SAMBA_GNUTLS_ENCRYPT); + assert_int_equal(rc, 0); assert_memory_equal(crypt.data, crypt_expected, 24); - sess_crypt_blob(&decrypt, &crypt, &key, false); + rc = sess_crypt_blob(&decrypt, &crypt, &key, SAMBA_GNUTLS_DECRYPT); + assert_int_equal(rc, 0); assert_memory_equal(decrypt.data, clear.data, 24); } diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 124bae95064..cbbf9feedc7 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1220,7 +1220,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, status = NT_STATUS_NO_MEMORY; goto out; } - sess_crypt_blob(&out, &in, &session_key, true); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + status = gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + goto out; + } memcpy(info18.nt_pwd.hash, out.data, out.length); info18.nt_pwd_active = true; diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 87214b2899e..91771e34502 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -4411,6 +4411,8 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, DATA_BLOB *session_key, struct samu *pwd) { + int rc; + if (id18 == NULL) { DEBUG(2, ("set_user_info_18: id18 is NULL\n")); return NT_STATUS_INVALID_PARAMETER; @@ -4429,7 +4431,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, in = data_blob_const(id18->nt_pwd.hash, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, session_key, false); + rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) { return NT_STATUS_ACCESS_DENIED; @@ -4445,7 +4451,11 @@ static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18, in = data_blob_const(id18->lm_pwd.hash, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, session_key, false); + rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) { return NT_STATUS_ACCESS_DENIED; @@ -4487,6 +4497,7 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, struct samu *pwd) { NTSTATUS status; + int rc; if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); @@ -4517,7 +4528,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, in = data_blob_const(id21->nt_owf_password.array, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, session_key, false); + rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED); pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); @@ -4540,7 +4555,11 @@ static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21, in = data_blob_const(id21->lm_owf_password.array, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, session_key, false); + rc = sess_crypt_blob(&out, &in, session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED); pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED); diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 0cd8b50058e..de95eb2160d 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -3044,6 +3044,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, uint8_t password_expired = 0; struct dcerpc_binding_handle *b = cli->binding_handle; TALLOC_CTX *frame = NULL; + int rc; if (argc < 4) { printf("Usage: %s username level password [password_expired]\n", @@ -3086,7 +3087,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, status = NT_STATUS_NO_MEMORY; goto done; } - sess_crypt_blob(&out, &in, &session_key, true); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + status = gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } memcpy(nt_hash, out.data, out.length); } { @@ -3097,7 +3102,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, status = NT_STATUS_NO_MEMORY; goto done; } - sess_crypt_blob(&out, &in, &session_key, true); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + status = gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } memcpy(lm_hash, out.data, out.length); } @@ -3134,7 +3143,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, status = NT_STATUS_NO_MEMORY; goto done; } - sess_crypt_blob(&out, &in, &session_key, true); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + status = gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } info.info21.nt_owf_password.array = (uint16_t *)talloc_memdup(frame, out.data, 16); } @@ -3142,7 +3155,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, DATA_BLOB in,out; in = data_blob_const(lm_hash, 16); out = data_blob_talloc_zero(frame, 16); - sess_crypt_blob(&out, &in, &session_key, true); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + status = gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } info.info21.lm_owf_password.array = (uint16_t *)talloc_memdup(frame, out.data, 16); if (out.data == NULL) { diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 4fa00bf6360..fba236ebdd7 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -737,6 +737,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, DATA_BLOB session_key = data_blob(NULL, 0); DATA_BLOB in, out; NTSTATUS nt_status = NT_STATUS_OK; + int rc; nt_status = dcesrv_transport_session_key(dce_call, &session_key); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) { @@ -761,7 +762,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, in = data_blob_const(lm_pwd_hash, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, &session_key, false); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } d_lm_pwd_hash = (struct samr_Password *) out.data; } @@ -769,7 +774,11 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, in = data_blob_const(nt_pwd_hash, 16); out = data_blob_talloc_zero(mem_ctx, 16); - sess_crypt_blob(&out, &in, &session_key, false); + rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } d_nt_pwd_hash = (struct samr_Password *) out.data; } diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 4b3ad093bf6..1961c05b5f6 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -1007,14 +1007,14 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t DATA_BLOB in,out; in = data_blob_const(nt_hash, 16); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); memcpy(u.info18.nt_pwd.hash, out.data, out.length); } { DATA_BLOB in,out; in = data_blob_const(lm_hash, 16); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); memcpy(u.info18.lm_pwd.hash, out.data, out.length); } @@ -1096,7 +1096,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t in = data_blob_const(u.info21.lm_owf_password.array, u.info21.lm_owf_password.length); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); u.info21.lm_owf_password.array = (uint16_t *)out.data; } @@ -1105,7 +1105,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t in = data_blob_const(u.info21.nt_owf_password.array, u.info21.nt_owf_password.length); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); u.info21.nt_owf_password.array = (uint16_t *)out.data; } @@ -1272,14 +1272,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, DATA_BLOB in,out; in = data_blob_const(u.info18.nt_pwd.hash, 16); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); memcpy(u.info18.nt_pwd.hash, out.data, out.length); } { DATA_BLOB in,out; in = data_blob_const(u.info18.lm_pwd.hash, 16); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); memcpy(u.info18.lm_pwd.hash, out.data, out.length); } @@ -1290,7 +1290,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, in = data_blob_const(u.info21.lm_owf_password.array, u.info21.lm_owf_password.length); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); u.info21.lm_owf_password.array = (uint16_t *)out.data; } if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) { @@ -1298,7 +1298,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, in = data_blob_const(u.info21.nt_owf_password.array, u.info21.nt_owf_password.length); out = data_blob_talloc_zero(tctx, 16); - sess_crypt_blob(&out, &in, &session_key, true); + sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT); u.info21.nt_owf_password.array = (uint16_t *)out.data; } break; -- 2.23.0