2025-03-05 20:58:40 +03:00 · 2019-10-19 23:48:19 +03:00 · 2019-10-19 23:48:19 +03:00 · 0f855f1ab9
commit 0f855f1ab9
parent 2c470c8035
6 changed files with 74 additions and 3 deletions
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@ -4,6 +4,8 @@
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)

+#include "lib/crypto/gnutls_helpers.h"
+
 /* this file contains prototypes for functions that are private 
 * to this subsystem or library. These functions should not be 
 * used outside this particular subsystem! */
@ -217,6 +219,8 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c  */

 void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw);
+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
+		       enum samba_gnutls_direction encrypt);
 void E_P16(const uint8_t *p14,uint8_t *p16);
 void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
 void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out);
--- a/libcli/auth/smbdes.c
+++ b/libcli/auth/smbdes.c
@ -23,6 +23,9 @@
 #include "includes.h"
 #include "libcli/auth/libcli_auth.h"

+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 /* NOTES: 

   This code makes no attempt to be fast! In fact, it is a very
@ -273,6 +276,60 @@ static void str_to_key(const uint8_t *str,uint8_t *key)
 	}
 }

+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8],
+		       const uint8_t key_in[7],
+		       enum samba_gnutls_direction encrypt)
+{
+	/*
+	 * A single block DES-CBC op, with an all-zero IV is the same as DES
+	 * because the IV is combined with the data using XOR.
+	 * This allows us to use GNUTLS_CIPHER_DES_CBC from GnuTLS and not
+	 * implement single-DES in Samba.
+	 *
+	 * In turn this is used to build DES-ECB, which is used
+	 * for example in the NTLM challenge/response calculation.
+	 */
+	static const uint8_t iv8[8];
+	gnutls_datum_t iv = { discard_const(iv8), 8 };
+	gnutls_datum_t key;
+	gnutls_cipher_hd_t ctx;
+	uint8_t key2[8];
+	uint8_t outb[8];
+	int ret;
+
+	memset(out, 0, 8);
+
+	str_to_key(key_in, key2);
+
+	key.data = key2;
+	key.size = 8;
+
+	ret = gnutls_global_init();
+	if (ret != 0) {
+		return ret;
+	}
+
+	ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv);
+	if (ret != 0) {
+		return ret;
+	}
+
+	memcpy(outb, in, 8);
+	if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+		ret = gnutls_cipher_encrypt(ctx, outb, 8);
+	} else {
+		ret = gnutls_cipher_decrypt(ctx, outb, 8);
+	}
+
+	if (ret == 0) {
+		memcpy(out, outb, 8);
+	}
+
+	gnutls_cipher_deinit(ctx);
+
+	return ret;
+}
+
 /*
  basic des crypt using a 56 bit (7 byte) key
 */
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@ -242,12 +242,21 @@ static void torture_gnutls_des_crypt56(void **state)

 	uint8_t crypt[8];
 	uint8_t decrypt[8];
+	int rc;

 	des_crypt56(crypt, clear, key, 1);
 	assert_memory_equal(crypt, crypt_expected, 8);

 	des_crypt56(decrypt, crypt, key, 0);
 	assert_memory_equal(decrypt, clear, 8);
+
+	rc = des_crypt56_gnutls(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+	assert_int_equal(rc, 0);
+	assert_memory_equal(crypt, crypt_expected, 8);
+
+	rc = des_crypt56_gnutls(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+	assert_int_equal(rc, 0);
+	assert_memory_equal(decrypt, clear, 8);
 }

 static void torture_gnutls_E_P16(void **state)
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@ -13,7 +13,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',

 bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
                    source='ntlm_check.c',
-                    deps = 'talloc'
+                    deps = 'talloc LIBCLI_AUTH'
                    )

 bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
--- a/source3/passdb/wscript_build
+++ b/source3/passdb/wscript_build
@ -10,7 +10,7 @@ bld.SAMBA3_MODULE('pdb_tdbsam',

 bld.SAMBA3_MODULE('pdb_ldapsam',
                 subsystem='pdb',
-                 deps='smbldap smbldaphelper',
+                 deps='smbldap smbldaphelper LIBCLI_AUTH',
                 source='pdb_ldap.c pdb_nds.c',
                 init_function='',
                 internal_module=bld.SAMBA3_IS_STATIC_MODULE('pdb_ldapsam'),
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@ -86,7 +86,8 @@ bld.SAMBA3_SUBSYSTEM('RPC_NETDFS',

 bld.SAMBA3_SUBSYSTEM('RPC_NETLOGON',
                     source='''netlogon/srv_netlog_nt.c
-                     ../../librpc/gen_ndr/srv_netlogon.c''')
+                     ../../librpc/gen_ndr/srv_netlogon.c''',
+                    deps='LIBCLI_AUTH')

 bld.SAMBA3_SUBSYSTEM('RPC_NTSVCS',
                    source='''ntsvcs/srv_ntsvcs_nt.c