/*
 * Copyright (c) 2019      Andreas Schneider <asn@samba.org>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
# ifndef _GNUTLS_HELPERS_H
# define _GNUTLS_HELPERS_H
# include <gnutls/gnutls.h>
# include "libcli/util/ntstatus.h"
# include "libcli/util/werror.h"
/*
 * GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE() are only
 * available in GnuTLS >= 3.6.4. When the included GnuTLS header does not
 * define them, fall back to empty macros so that callers still compile.
 *
 * NOTE(review): with the fallback both macros expand to nothing, so code that
 * brackets a call with them performs no FIPS mode switch on such builds.
 */
#if !defined(GNUTLS_FIPS140_SET_LAX_MODE)
#define GNUTLS_FIPS140_SET_LAX_MODE()
#endif
#if !defined(GNUTLS_FIPS140_SET_STRICT_MODE)
#define GNUTLS_FIPS140_SET_STRICT_MODE()
#endif
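#ifdef DOXYGEN
/**
 * @brief Convert a GnuTLS error code to a corresponding NTSTATUS.
 *
 * @param[in]  gnutls_rc       The GnuTLS return code.
 *
 * @param[in]  blocked_status  The NTSTATUS code to return when the operation
 *                             was blocked, e.g. because the cipher is not
 *                             permitted in FIPS mode.
 *
 * @return A corresponding NTSTATUS code.
 */
NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc, NTSTATUS blocked_status);
#else
/*
 * Implementation entry point. Call it through the gnutls_error_to_ntstatus()
 * macro below, which passes the caller's __FUNCTION__ and __location__ as the
 * last two arguments.
 * NOTE(review): presumably those two are used for diagnostics -- confirm in
 * the implementation.
 */
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
				   NTSTATUS blocked_status,
				   const char *function,
				   const char *location);
#define gnutls_error_to_ntstatus(gnutls_rc, blocked_status) \
	_gnutls_error_to_ntstatus(gnutls_rc, \
				  blocked_status, \
				  __FUNCTION__, \
				  __location__)
#endif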
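#ifdef DOXYGEN
/**
 * @brief Convert a GnuTLS error code to a corresponding WERROR.
 *
 * @param[in]  gnutls_rc     The GnuTLS return code.
 *
 * @param[in]  blocked_werr  The WERROR code to return when the operation was
 *                           blocked, e.g. because the cipher we want to use
 *                           is not allowed in FIPS mode.
 *
 * @return A corresponding WERROR code.
 */
WERROR gnutls_error_to_werror(int gnutls_rc, WERROR blocked_werr);
#else
/*
 * Implementation entry point. Call it through the gnutls_error_to_werror()
 * macro below, which passes the caller's __FUNCTION__ and __location__ as the
 * last two arguments.
 * NOTE(review): presumably those two are used for diagnostics -- confirm in
 * the implementation.
 */
WERROR _gnutls_error_to_werror(int gnutls_rc,
			       WERROR blocked_werr,
			       const char *function,
			       const char *location);
#define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
	_gnutls_error_to_werror(gnutls_rc, \
				blocked_werr, \
				__FUNCTION__, \
				__location__)
#endif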
/*
 * Direction selector taken by helpers that can both encrypt and decrypt,
 * such as samba_gnutls_arcfour_confounded_md5().
 */
enum samba_gnutls_direction {
	SAMBA_GNUTLS_ENCRYPT,
	SAMBA_GNUTLS_DECRYPT
};
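/**
 * @brief Encrypt or decrypt a data blob using RC4 with a key and salt.
 *
 * One of the key inputs should be a session key and the other a confounder
 * (aka salt). Which one is which depends on the implementation details of
 * the protocol.
 *
 * NOTE(review): RC4 and MD5 are weak algorithms. Whether this call is
 * refused under FIPS mode or a weak-crypto policy is not visible in this
 * header; see samba_gnutls_weak_crypto_allowed() and confirm in the
 * implementation.
 *
 * @param[in]      key_input1  Either a session_key or a confounder.
 *
 * @param[in]      key_input2  Either a session_key or a confounder.
 *
 * @param[in,out]  data        The data blob to either encrypt or decrypt.
 *                             The data will be encrypted or decrypted in
 *                             place.
 *
 * @param[in]      encrypt     The encryption direction
 *                             (SAMBA_GNUTLS_ENCRYPT or SAMBA_GNUTLS_DECRYPT).
 *
 * @return A gnutls error code. This is not an NTSTATUS; it can be mapped
 *         with gnutls_error_to_ntstatus().
 */
int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
					const DATA_BLOB *key_input2,
					DATA_BLOB *data,
					enum samba_gnutls_direction encrypt);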
/**
 * @brief Encrypt a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 and
 *        the session key.
 *
 * This encrypts a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 with a
 * key (can be the session key or PBKDF2 password). This is used in SAMR and
 * LSA.
 *
 * NOTE(review): CBC needs an IV that is unpredictable and not reused with
 * the same key. This header does not show where the IV comes from, so
 * confirm that at the call sites.
 *
 * @param[in]  mem_ctx      The memory context to allocate the cipher text
 *                          pointer.
 *
 * @param[in]  plaintext    The secret to encrypt.
 *
 * @param[in]  cek          The content encryption key to encrypt the secret.
 *
 * @param[in]  key_salt     The salt used to calculate the encryption key.
 *
 * @param[in]  mac_salt     The salt used to calculate the mac key.
 *
 * @param[in]  iv           The initialization vector used for the
 *                          encryption.
 *
 * @param[out] pciphertext  A pointer to store the cipher text.
 *
 * @param[out] pauth_tag    An array of 64 bytes to store the auth tag.
 *
 * @return NT_STATUS_OK on success, an nt status error code otherwise.
 */
NTSTATUS samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(
	TALLOC_CTX *mem_ctx,
	const DATA_BLOB *plaintext,
	const DATA_BLOB *cek,
	const DATA_BLOB *key_salt,
	const DATA_BLOB *mac_salt,
	const DATA_BLOB *iv,
	DATA_BLOB *pciphertext,
	uint8_t pauth_tag[64]);
/**
 * @brief Decrypt cipher text using AEAD_AES_256_CBC_HMAC_SHA512 and the
 *        session key.
 *
 * This decrypts the cipher text using AEAD_AES_256_CBC_HMAC_SHA512 with the
 * given content decryption key. The plaintext will be zeroed as soon as the
 * data blob is freed.
 *
 * NOTE(review): this header does not say what *pplaintext holds when the
 * call fails (for example when auth_tag does not verify). Treat it as
 * unusable unless NT_STATUS_OK is returned.
 *
 * @param[in]  mem_ctx     The memory context to allocate the plaintext on.
 *
 * @param[in]  ciphertext  The cipher text to decrypt.
 *
 * @param[in]  cdk         The content decryption key.
 *
 * @param[in]  key_salt    The salt used to calculate the encryption key.
 *
 * @param[in]  mac_salt    The salt used to calculate the mac key.
 *
 * @param[in]  iv          The initialization vector used for the encryption.
 *
 * @param[in]  auth_tag    The 64 byte authentication blob to be verified.
 *
 * @param[out] pplaintext  A pointer to a DATA_BLOB to store the plaintext.
 *
 * @return NT_STATUS_OK on success, an nt status error code otherwise.
 */
NTSTATUS samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(
	TALLOC_CTX *mem_ctx,
	const DATA_BLOB *ciphertext,
	const DATA_BLOB *cdk,
	const DATA_BLOB *key_salt,
	const DATA_BLOB *mac_salt,
	const DATA_BLOB *iv,
	const uint8_t auth_tag[64],
	DATA_BLOB *pplaintext);
/**
 * @brief Check if weak crypto is allowed.
 *
 * NOTE(review): what decides the answer (configuration, FIPS mode, ...) is
 * not visible in this header; confirm in the implementation before relying
 * on it as a policy gate.
 *
 * @return true if weak crypto is allowed, false otherwise.
 */
bool samba_gnutls_weak_crypto_allowed(void);
# endif /* _GNUTLS_HELPERS_H */