[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Jun 27 14:12:02 UTC 2019
The branch, master has been updated
via 9920aefd4e1 s4:torture: Use GnuTLS RC4 in rpc forest_trust test
via 9767013b447 s4:tortue: Use GnuTLS RC4 in rpc lsa test
via 4f306a2fdd6 nsswitch: Use GnuTLS RC4 in wbclient test
via 6eb38daad4b s4:rpc_server: Use GnuTLS RC4 in lsa server
via cd1f4184731 s3:utils: Use GnuTLS RC4 in npc_rpc_trust
via acf605f5959 s4:rpc_server: Use GnuTLS RC4 in lsa endpoint
via 80b6ad51f9a s3:rpc_client: Use C99 inititializer in dcerpc_samr_chgpasswd_user()
via 0a8a1c9c78f auth:ntlmssp: Use GnuTLS RC4 in ntlmssp server
via ba96534eb3b auth:gensec: Return NTSTATUS for netsec_do_seal()
via 6148cd9c977 auth:gensec: Use GnuTLS RC4 in netsec_do_seal()
via d5ca7ff40f3 auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()
via 67e6a9af2c6 libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
via 99d250a3abb libcli:auth: Return NTSTATUS for netlogon_creds_crypt_samlogon_logon()
via cad3adb0b47 libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_logon()
via 31f110317f5 libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_logon()
via 8c9cf56fe98 libcli:auth: Return NTSTATUS for netlogon_creds_server_step_check()
via 2e6fe27bad6 libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_validation()
via 00dd1a8bf8b libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_validation()
via f825fa6d90f libcli:auth: Use GnuTLS RC4 for netlogon credentials
via ad4505624e0 lib/crypto: Use GnuTLS RC4 for samba_gnutls_arcfour_confounded_md5()
via d5856b993e8 liblic/drsupai: use samba_gnutls_arcfour_confounded_md5() wrapper
via 31bac316daa lib/crypto: Add GnuTLS helper function samba_gnutls_arcfour_confounded_md5()
via 52c87fa1651 libcli/drsuapi: Correct comment in drsuapi_decrypt_attribute_value()
via 850e9ffe8ae libcli/drsuapi: Add expected value unit tests for drsuapi_{en,de}crypt_attribute_value()
via 4aa217bb064 libcli/drsuapi: Add const to *in parameters to drsuapi_{en,de}crypt_attribute_value()
via 56fb3ce083a libcli/drsuapi: Make drsuapi_decrypt_attribute_value() static
via 46231a53ef5 libcli:drsuapi: Use gnutls_error_to_werror() in repl_decrypt
via d4494648dd2 libcli:auth: Use gnutls_error_to_werror() in smbencrypt
via d1641f3e6a7 libcli:util: Add gnutls_error_to_werror()
via 8f4c30f785c lib/crypto: move gnutls error wrapper to own subsystem
from 29ee235caee s3: torture: Ensure we can always get a POSIX ACL on a directory handle.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9920aefd4e12e66b5e43469202c05962fa44035f
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 21 11:06:23 2019 +0100
s4:torture: Use GnuTLS RC4 in rpc forest_trust test
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jun 27 14:11:39 UTC 2019 on sn-devel-184
commit 9767013b447174881d471f84bc93acd644f564cf
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 21 11:03:01 2019 +0100
s4:tortue: Use GnuTLS RC4 in rpc lsa test
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f306a2fdd658d8319216f2d06515a0da97cfb1f
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 9 10:20:42 2018 +0100
nsswitch: Use GnuTLS RC4 in wbclient test
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6eb38daad4b49f2e47037e3cb8a51cc65cd86524
Author: Andreas Schneider <asn at samba.org>
Date: Tue Feb 19 12:18:52 2019 +0100
s4:rpc_server: Use GnuTLS RC4 in lsa server
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cd1f41847311ff5aba3e21099a4531078f369850
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jan 17 14:10:52 2019 +0100
s3:utils: Use GnuTLS RC4 in npc_rpc_trust
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit acf605f5959b5d50abbbd2d150f8a1a490ba4e43
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jan 17 12:25:43 2019 +0100
s4:rpc_server: Use GnuTLS RC4 in lsa endpoint
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 80b6ad51f9a029e0b315dabc852ce548bc76a21f
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 21 13:16:56 2019 +0100
s3:rpc_client: Use C99 inititializer in dcerpc_samr_chgpasswd_user()
This also cleans up after using them.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0a8a1c9c78f4f4eda45514a267e080543b3c29ef
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 9 12:33:10 2018 +0100
auth:ntlmssp: Use GnuTLS RC4 in ntlmssp server
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ba96534eb3b895d1424e25b82dcb1f7f374f5959
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 22 09:17:37 2019 +0200
auth:gensec: Return NTSTATUS for netsec_do_seal()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6148cd9c977bd5e3c69e9b7e0e7bee9032b5aa45
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 22 09:08:09 2019 +0200
auth:gensec: Use GnuTLS RC4 in netsec_do_seal()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5ca7ff40f32845afaba4a1fc2a40e093132ea62
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 9 10:33:44 2018 +0100
auth:gensec: Use GnuTLS RC4 in netsec_do_seq_num()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 67e6a9af2c688ce89c87b0ed381274b3c12c37a9
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 14:46:17 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 99d250a3abb1761e509359532e72caee2af6ee81
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 16:51:01 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_crypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cad3adb0b478e3bb2b964d4eefba4e96f34d4270
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 16:49:29 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31f110317f52e90693e71c7035b360ac9bc21967
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 16:46:36 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_logon()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8c9cf56fe9865029bf033557b00e8987873a7096
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 14:39:34 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_server_step_check()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2e6fe27bad609cf6143b41c4062a1acf2d49930f
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 14:35:20 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_validation()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 00dd1a8bf8b081cb69a8b1c26af5c70e7ff58088
Author: Andreas Schneider <asn at samba.org>
Date: Wed May 29 14:25:57 2019 +0200
libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_validation()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f825fa6d90f165c26df46e2420dbeaf64144466d
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jan 31 11:28:02 2019 +0100
libcli:auth: Use GnuTLS RC4 for netlogon credentials
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad4505624e07f7a31c27a92c3867d343f2d9e9c3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 16:45:33 2019 +1200
lib/crypto: Use GnuTLS RC4 for samba_gnutls_arcfour_confounded_md5()
This allows Samba to use GnuTLS for drsuapi_{en,de}crypt_attribute_value()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d5856b993e8ddd83f36097a5aba0026aa8e9d2ca
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 16:05:32 2019 +1200
liblic/drsupai: use samba_gnutls_arcfour_confounded_md5() wrapper
This common code will reduce duplication, particularly when we move
arcfour_encrypt_buffer() calls to GnuTLS
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 31bac316daa1b5bbf70d62950cebee655b3c1d95
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 15:05:49 2019 +1200
lib/crypto: Add GnuTLS helper function samba_gnutls_arcfour_confounded_md5()
This will avoid duplicated code as we convert arcfour_crypt_blob() into
direct GnuTLS calls
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 52c87fa16512c040066dbfd8d1811a1d28851850
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 14:53:49 2019 +1200
libcli/drsuapi: Correct comment in drsuapi_decrypt_attribute_value()
This is not a copy, it is just a pointer assignment.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 850e9ffe8ae6dff5d888ee5b3ff789e831c2fe94
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 14:45:36 2019 +1200
libcli/drsuapi: Add expected value unit tests for drsuapi_{en,de}crypt_attribute_value()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4aa217bb064ff682566c228140b904d9dea92c06
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 14:17:44 2019 +1200
libcli/drsuapi: Add const to *in parameters to drsuapi_{en,de}crypt_attribute_value()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 56fb3ce083a72297f6c972423b19efad51f3e5d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 11:29:29 2019 +1200
libcli/drsuapi: Make drsuapi_decrypt_attribute_value() static
The last external user was removed in 0980a3471ed8fcc3a37296857285dc0235e0e0d2 in 2010
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 46231a53ef53beb5f8cb37862acf36021a384ed1
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jun 24 13:20:58 2019 +0200
libcli:drsuapi: Use gnutls_error_to_werror() in repl_decrypt
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d4494648dd274328b57a99889bd23440c19f75fd
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jun 24 13:18:32 2019 +0200
libcli:auth: Use gnutls_error_to_werror() in smbencrypt
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d1641f3e6a7a760a669ff2d9aa45dc2f4c61071b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jun 24 13:14:12 2019 +0200
libcli:util: Add gnutls_error_to_werror()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f4c30f785cd012597883016e35f794e9a800404
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 26 16:41:05 2019 +1200
lib/crypto: move gnutls error wrapper to own subsystem
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 11 +-
auth/credentials/credentials_ntlm.c | 2 +-
auth/credentials/wscript_build | 2 +-
auth/gensec/schannel.c | 113 +++--
auth/gensec/wscript_build | 2 +-
auth/ntlmssp/ntlmssp_client.c | 2 +-
auth/ntlmssp/ntlmssp_server.c | 28 +-
auth/ntlmssp/ntlmssp_sign.c | 2 +-
auth/ntlmssp/wscript_build | 1 +
lib/crypto/gnutls_arcfour_confounded_md5.c | 93 ++++
{libcli/util => lib/crypto}/gnutls_error.c | 50 +-
.../gnutls_error.h => lib/crypto/gnutls_helpers.h | 25 +-
lib/crypto/wscript_build | 7 +
libcli/auth/credentials.c | 148 ++++--
libcli/auth/netlogon_creds_cli.c | 62 ++-
libcli/auth/proto.h | 28 +-
libcli/auth/smbencrypt.c | 7 +-
libcli/auth/wscript_build | 2 +-
libcli/drsuapi/drsuapi.h | 7 -
libcli/drsuapi/repl_decrypt.c | 114 ++---
libcli/drsuapi/tests/test_repl_decrypt.c | 522 +++++++++++++++++++++
libcli/drsuapi/wscript_build | 12 +
libcli/samsync/decrypt.c | 29 +-
libcli/smb/smb2_signing.c | 2 +-
libcli/smb/smbXcli_base.c | 2 +-
libcli/smb/smb_signing.c | 2 +-
libcli/smb/wscript | 2 +-
libcli/util/wscript_build | 4 +-
nsswitch/libwbclient/tests/wbclient.c | 31 +-
source3/rpc_client/cli_samr.c | 18 +-
source3/rpc_client/init_netlogon.c | 8 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 39 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 27 +-
source3/rpc_server/wscript_build | 2 +-
source3/smbd/smb2_server.c | 2 +-
source3/smbd/smb2_sesssetup.c | 2 +-
source3/utils/net_rpc_trust.c | 54 ++-
source3/wscript_build | 3 +-
source4/libcli/smb2/signing.c | 2 +-
source4/libcli/smb2/wscript_build | 2 +-
source4/libnet/libnet_passwd.c | 2 +-
source4/libnet/wscript_build | 2 +-
source4/ntp_signd/ntp_signd.c | 2 +-
source4/ntp_signd/wscript_build | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 36 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +-
source4/rpc_server/samr/samr_password.c | 2 +-
source4/rpc_server/wscript_build | 2 +-
source4/selftest/tests.py | 2 +
source4/torture/rpc/forest_trust.c | 21 +-
source4/torture/rpc/lsa.c | 21 +-
source4/torture/rpc/samlogon.c | 36 +-
52 files changed, 1343 insertions(+), 288 deletions(-)
create mode 100644 lib/crypto/gnutls_arcfour_confounded_md5.c
rename {libcli/util => lib/crypto}/gnutls_error.c (63%)
rename libcli/util/gnutls_error.h => lib/crypto/gnutls_helpers.h (61%)
create mode 100644 libcli/drsuapi/tests/test_repl_decrypt.c
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index befce2c2119..5ebec483705 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1317,6 +1317,8 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
struct netlogon_creds_CredentialState *state,
DATA_BLOB data)
{
+ NTSTATUS status;
+
if (data.data == NULL || data.length == 0) {
DBG_ERR("Nothing to encrypt "
"data.data == NULL or data.length == 0");
@@ -1335,9 +1337,12 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
data.data,
data.length);
} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(state,
- data.data,
- data.length);
+ status = netlogon_creds_arcfour_crypt(state,
+ data.data,
+ data.length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
} else {
DBG_ERR("Unsupported encryption option negotiated");
return NT_STATUS_NOT_SUPPORTED;
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index f437ee50879..bf55ab97b04 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -28,7 +28,7 @@
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"
-#include "libcli/util/gnutls_error.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index 637b6ccf268..f5aba1de248 100644
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -22,7 +22,7 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS',
bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
source='credentials_ntlm.c',
- deps='samba-credentials')
+ deps='samba-credentials GNUTLS_HELPERS')
pytalloc_util = bld.pyembed_libname('pytalloc-util')
pyparam_util = bld.pyembed_libname('pyparam_util')
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index d0febc7dc9c..8ba1eafc76d 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -33,10 +33,10 @@
#include "librpc/gen_ndr/dcerpc.h"
#include "param/param.h"
#include "auth/gensec/gensec_toplevel_proto.h"
-#include "lib/crypto/crypto.h"
+#include "lib/crypto/aes.h"
#include "libds/common/roles.h"
-#include "libcli/util/gnutls_error.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -158,7 +158,12 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
} else {
static const uint8_t zeros[4];
- uint8_t sequence_key[16];
+ uint8_t _sequence_key[16];
+ gnutls_cipher_hd_t cipher_hnd;
+ gnutls_datum_t sequence_key = {
+ .data = _sequence_key,
+ .size = sizeof(_sequence_key),
+ };
uint8_t digest1[16];
int rc;
@@ -177,16 +182,30 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
sizeof(digest1),
checksum,
checksum_length,
- sequence_key);
+ _sequence_key);
if (rc < 0) {
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
ZERO_ARRAY(digest1);
- arcfour_crypt(seq_num, sequence_key, 8);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &sequence_key,
+ NULL);
+ if (rc < 0) {
+ ZERO_ARRAY(_sequence_key);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+ }
- ZERO_ARRAY(sequence_key);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ seq_num,
+ 8);
+ gnutls_cipher_deinit(cipher_hnd);
+ ZERO_ARRAY(_sequence_key);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+ }
}
state->seq_num++;
@@ -194,11 +213,11 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
return NT_STATUS_OK;
}
-static void netsec_do_seal(struct schannel_state *state,
- const uint8_t seq_num[8],
- uint8_t confounder[8],
- uint8_t *data, uint32_t length,
- bool forward)
+static NTSTATUS netsec_do_seal(struct schannel_state *state,
+ const uint8_t seq_num[8],
+ uint8_t confounder[8],
+ uint8_t *data, uint32_t length,
+ bool forward)
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
AES_KEY key;
@@ -223,7 +242,12 @@ static void netsec_do_seal(struct schannel_state *state,
aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
}
} else {
- uint8_t sealing_key[16];
+ gnutls_cipher_hd_t cipher_hnd;
+ uint8_t _sealing_key[16];
+ gnutls_datum_t sealing_key = {
+ .data = _sealing_key,
+ .size = sizeof(_sealing_key),
+ };
static const uint8_t zeros[4];
uint8_t digest2[16];
uint8_t sess_kf0[16];
@@ -242,7 +266,7 @@ static void netsec_do_seal(struct schannel_state *state,
digest2);
if (rc < 0) {
ZERO_ARRAY(digest2);
- return;
+ return NT_STATUS_INTERNAL_ERROR;
}
rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
@@ -250,17 +274,39 @@ static void netsec_do_seal(struct schannel_state *state,
sizeof(digest2),
seq_num,
8,
- sealing_key);
+ _sealing_key);
+
ZERO_ARRAY(digest2);
if (rc < 0) {
- return;
+ return NT_STATUS_INTERNAL_ERROR;
}
- arcfour_crypt(confounder, sealing_key, 8);
- arcfour_crypt(data, sealing_key, length);
-
- ZERO_ARRAY(sealing_key);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &sealing_key,
+ NULL);
+ if (rc < 0) {
+ ZERO_ARRAY(_sealing_key);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ confounder,
+ 8);
+ if (rc < 0) {
+ ZERO_ARRAY(_sealing_key);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data,
+ length);
+ gnutls_cipher_deinit(cipher_hnd);
+ ZERO_ARRAY(_sealing_key);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
}
+
+ return NT_STATUS_OK;
}
/*******************************************************************
@@ -427,10 +473,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
SETUP_SEQNUM(state, seq_num, !state->initiator);
if (do_unseal) {
- netsec_do_seal(state, seq_num,
- confounder,
- data, length,
- false);
+ status = netsec_do_seal(state,
+ seq_num,
+ confounder,
+ data,
+ length,
+ false);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_seal failed: %s\n", nt_errstr(status));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
@@ -548,10 +600,17 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
}
if (do_seal) {
- netsec_do_seal(state, seq_num,
- confounder,
- data, length,
- true);
+ status = netsec_do_seal(state,
+ seq_num,
+ confounder,
+ data,
+ length,
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_seal failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
}
status = netsec_do_seq_num(state, checksum, checksum_length, seq_num);
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index 8f6dedc1909..1d8071d7c0f 100644
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -19,7 +19,7 @@ bld.SAMBA_MODULE('gensec_schannel',
source='schannel.c',
subsystem='gensec',
init_function='gensec_schannel_init',
- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session GNUTLS_HELPERS'
)
bld.SAMBA_MODULE('gensec_ncalrpc',
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 8940522d39c..df891f8d933 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -35,7 +35,7 @@ struct auth_session_info;
#include "../auth/ntlmssp/ntlmssp_ndr.h"
#include "../nsswitch/libwbclient/wbclient.h"
-#include "libcli/util/gnutls_error.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 6d090b023f8..5a56a4db99f 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -36,7 +36,7 @@
#include "param/loadparm.h"
#include "libcli/security/session.h"
-#include "libcli/util/gnutls_error.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -1033,12 +1033,32 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
ntlmssp_state->session_key = session_key;
talloc_steal(ntlmssp_state, session_key.data);
} else {
+ gnutls_cipher_hd_t cipher_hnd;
+ gnutls_datum_t enc_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+ int rc;
+
dump_data_pw("KEY_EXCH session key (enc):\n",
state->encrypted_session_key.data,
state->encrypted_session_key.length);
- arcfour_crypt(state->encrypted_session_key.data,
- session_key.data,
- state->encrypted_session_key.length);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ state->encrypted_session_key.data,
+ state->encrypted_session_key.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
+
ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state,
state->encrypted_session_key.data,
state->encrypted_session_key.length);
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 1c4b11174cb..8ba2e246b34 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -24,7 +24,7 @@
#include "zlib.h"
#include "../auth/ntlmssp/ntlmssp_private.h"
-#include "libcli/util/gnutls_error.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
diff --git a/auth/ntlmssp/wscript_build b/auth/ntlmssp/wscript_build
index 0802330ec6a..20836efad0a 100644
--- a/auth/ntlmssp/wscript_build
+++ b/auth/ntlmssp/wscript_build
@@ -15,6 +15,7 @@ bld.SAMBA_SUBSYSTEM('NTLMSSP_COMMON',
samba-credentials
wbclient
z
+ GNUTLS_HELPERS
''')
bld.SAMBA_MODULE('gensec_ntlmssp',
diff --git a/lib/crypto/gnutls_arcfour_confounded_md5.c b/lib/crypto/gnutls_arcfour_confounded_md5.c
new file mode 100644
index 00000000000..b99e611df75
--- /dev/null
+++ b/lib/crypto/gnutls_arcfour_confounded_md5.c
@@ -0,0 +1,93 @@
+/*
+ Unix SMB/CIFS implementation.
+ Wrapper for gnutls hash and encryption functions
+
+ Copyright (C) Stefan Metzmacher <metze at samba.org> 2007
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2009-2019
+ Copyright (c) Andreas Schneider <asn at samba.org> 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+/*
+ * This (arcfour over data with a key combined from two imputs, one
+ * the key another the confounder), is a common pattern in pre-AES
+ * windows cryptography
+ *
+ * Some protocols put the confounder first, others second so both
+ * parameters are named key_input here.
+ *
+ */
+
+#include "includes.h"
+#include "lib/util/data_blob.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include "gnutls_helpers.h"
+#include "lib/util/memory.h"
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+ const DATA_BLOB *key_input2,
+ DATA_BLOB *data,
+ enum samba_gnutls_direction encrypt)
+{
+ int rc;
+ gnutls_hash_hd_t hash_hnd = NULL;
+ uint8_t confounded_key[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t confounded_key_datum = {
+ .data = confounded_key,
+ .size = sizeof(confounded_key),
+ };
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input1->data, key_input1->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input2->data, key_input2->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+
+ gnutls_hash_deinit(hash_hnd, confounded_key);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &confounded_key_datum,
+ NULL);
+ if (rc < 0) {
+ return rc;
+ }
+
+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data->data,
+ data->length);
+ } else {
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ data->data,
+ data->length);
+ }
+ gnutls_cipher_deinit(cipher_hnd);
+ ZERO_ARRAY(confounded_key);
+
+ return rc;
+}
diff --git a/libcli/util/gnutls_error.c b/lib/crypto/gnutls_error.c
similarity index 63%
rename from libcli/util/gnutls_error.c
rename to lib/crypto/gnutls_error.c
index 306977cd771..764e2175328 100644
--- a/libcli/util/gnutls_error.c
+++ b/lib/crypto/gnutls_error.c
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-#include "gnutls_error.h"
+#include "gnutls_helpers.h"
#include <gnutls/gnutls.h>
@@ -67,3 +67,51 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
return status;
}
+
+WERROR _gnutls_error_to_werror(int gnutls_rc,
+ WERROR blocked_werr,
+ const char *function,
+ const char *location)
+{
+ WERROR werr;
+
+ if (gnutls_rc == GNUTLS_E_SUCCESS) {
+ return WERR_OK;
+ }
+
+ switch (gnutls_rc) {
+ case GNUTLS_E_UNWANTED_ALGORITHM:
+ werr = blocked_werr;
+ break;
+ case GNUTLS_E_MEMORY_ERROR:
+ werr = WERR_NOT_ENOUGH_MEMORY;
+ break;
+ case GNUTLS_E_INVALID_REQUEST:
+ werr = WERR_INVALID_VARIANT;
+ break;
+ case GNUTLS_E_DECRYPTION_FAILED:
+ werr = WERR_DECRYPTION_FAILED;
+ break;
+ case GNUTLS_E_ENCRYPTION_FAILED:
+ werr = WERR_ENCRYPTION_FAILED;
+ break;
+ case GNUTLS_E_SHORT_MEMORY_BUFFER:
+ werr = WERR_INVALID_PARAMETER;
+ break;
+ case GNUTLS_E_BASE64_DECODING_ERROR:
--
Samba Shared Repository
More information about the samba-cvs
mailing list