sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code

lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()

Browse Source 
This is for [MS-SAMR] 3.2.2.4 AES Cipher Usage

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andreas Schneider 2021-08-02 16:21:19 +02:00 committed by Andreas Schneider
parent 8b22b448e8
commit dc7f0f15ce
3 changed files with 288 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

240
lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c Normal file
View File

@ -0,0 +1,240 @@
/*
* Copyright (c) 2021-2022 Andreas Schneider <asn@samba.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "lib/util/data_blob.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include "gnutls_helpers.h"
#define SAMR_AES_VERSION_BYTE 0x01
#define SAMR_AES_VERSION_BYTE_LEN 1
static NTSTATUS calculate_enc_key(const DATA_BLOB *cek,
const DATA_BLOB *key_salt,
uint8_t enc_key[32])
{
gnutls_mac_algorithm_t hash_algo = GNUTLS_MAC_SHA512;
size_t hmac_size = gnutls_hmac_get_len(hash_algo);
uint8_t enc_key_data[hmac_size];
int rc;
rc = gnutls_hmac_fast(hash_algo,
cek->data,
cek->length,
key_salt->data,
key_salt->length,
enc_key_data);
if (rc < 0) {
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
/* The key gets truncated to 32 byte */
memcpy(enc_key, enc_key_data, 32);
BURN_DATA(enc_key_data);
return NT_STATUS_OK;
}
static NTSTATUS calculate_mac_key(const DATA_BLOB *cek,
const DATA_BLOB *mac_salt,
uint8_t mac_key[64])
{
int rc;
rc = gnutls_hmac_fast(GNUTLS_MAC_SHA512,
cek->data,
cek->length,
mac_salt->data,
mac_salt->length,
mac_key);
if (rc < 0) {
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
return NT_STATUS_OK;
}
/* This is an implementation of [MS-SAMR] 3.2.2.4 AES Cipher Usage */
NTSTATUS
samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx,
const DATA_BLOB *plaintext,
const DATA_BLOB *cek,
const DATA_BLOB *key_salt,
const DATA_BLOB *mac_salt,
const DATA_BLOB *iv,
DATA_BLOB *pciphertext,
uint8_t pauth_tag[64])
{
gnutls_hmac_hd_t hmac_hnd = NULL;
gnutls_mac_algorithm_t hmac_algo = GNUTLS_MAC_SHA512;
size_t hmac_size = gnutls_hmac_get_len(hmac_algo);
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_cipher_algorithm_t cipher_algo = GNUTLS_CIPHER_AES_256_CBC;
uint32_t aes_block_size = gnutls_cipher_get_block_size(cipher_algo);
gnutls_datum_t iv_datum = {
.data = iv->data,
.size = iv->length,
};
uint8_t enc_key_data[32] = {0};
gnutls_datum_t enc_key = {
.data = enc_key_data,
.size = sizeof(enc_key_data),
};
uint8_t *cipher_text = NULL;
size_t cipher_text_len = 0;
uint8_t mac_key_data[64] = {0};
gnutls_datum_t mac_key = {
.data = mac_key_data,
.size = sizeof(mac_key_data),
};
uint8_t version_byte = SAMR_AES_VERSION_BYTE;
uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN;
uint8_t auth_data[hmac_size];
DATA_BLOB padded_plaintext;
size_t padding;
NTSTATUS status;
int rc;
if (plaintext->length == 0 || cek->length == 0 ||
key_salt->length == 0 || mac_salt->length == 0 || iv->length == 0) {
return NT_STATUS_INVALID_PARAMETER;
}
/*
* PKCS#7 padding
*
* TODO: Use gnutls_cipher_encrypt3()
*/
if (plaintext->length + aes_block_size < plaintext->length) {
return NT_STATUS_INVALID_BUFFER_SIZE;
}
padded_plaintext.length =
aes_block_size * (plaintext->length / aes_block_size) +
aes_block_size;
padding = padded_plaintext.length - plaintext->length;
padded_plaintext =
data_blob_talloc(mem_ctx, NULL, padded_plaintext.length);
if (padded_plaintext.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
/* Allocate buffer for cipher text */
cipher_text_len = padded_plaintext.length;
cipher_text = talloc_size(mem_ctx, cipher_text_len);
if (cipher_text == NULL) {
data_blob_free(&padded_plaintext);
return NT_STATUS_NO_MEMORY;
}
memcpy(padded_plaintext.data, plaintext->data, plaintext->length);
memset(padded_plaintext.data + plaintext->length, padding, padding);
status = calculate_enc_key(cek, key_salt, enc_key_data);
if (!NT_STATUS_IS_OK(status)) {
data_blob_clear_free(&padded_plaintext);
return status;
}
/* Encrypt plaintext */
rc = gnutls_cipher_init(&cipher_hnd, cipher_algo, &enc_key, &iv_datum);
if (rc < 0) {
data_blob_clear_free(&padded_plaintext);
BURN_DATA(enc_key_data);
TALLOC_FREE(cipher_text);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
rc = gnutls_cipher_encrypt2(cipher_hnd,
padded_plaintext.data,
padded_plaintext.length,
cipher_text,
cipher_text_len);
gnutls_cipher_deinit(cipher_hnd);
data_blob_clear_free(&padded_plaintext);
BURN_DATA(enc_key_data);
if (rc < 0) {
TALLOC_FREE(cipher_text);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
/* Calculate mac key */
status = calculate_mac_key(cek, mac_salt, mac_key_data);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(cipher_text);
return status;
}
/* Generate auth tag */
rc = gnutls_hmac_init(&hmac_hnd, hmac_algo, mac_key.data, mac_key.size);
BURN_DATA(mac_key_data);
if (rc < 0) {
TALLOC_FREE(cipher_text);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
rc = gnutls_hmac(hmac_hnd, &version_byte, sizeof(uint8_t));
if (rc < 0) {
TALLOC_FREE(cipher_text);
gnutls_hmac_deinit(hmac_hnd, NULL);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
rc = gnutls_hmac(hmac_hnd, iv->data, iv->length);
if (rc < 0) {
TALLOC_FREE(cipher_text);
gnutls_hmac_deinit(hmac_hnd, NULL);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
rc = gnutls_hmac(hmac_hnd, cipher_text, cipher_text_len);
if (rc < 0) {
TALLOC_FREE(cipher_text);
gnutls_hmac_deinit(hmac_hnd, NULL);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
rc = gnutls_hmac(hmac_hnd, &version_byte_len, sizeof(uint8_t));
if (rc < 0) {
TALLOC_FREE(cipher_text);
gnutls_hmac_deinit(hmac_hnd, NULL);
return gnutls_error_to_ntstatus(rc,
NT_STATUS_ENCRYPTION_FAILED);
}
gnutls_hmac_deinit(hmac_hnd, auth_data);
if (pciphertext != NULL) {
pciphertext->length = cipher_text_len;
pciphertext->data = cipher_text;
}
(void)memcpy(pauth_tag, auth_data, hmac_size);
return NT_STATUS_OK;
}

59
lib/crypto/gnutls_helpers.h
View File

@ -44,16 +44,17 @@
*
* @return A corresponding NTSTATUS code.
*/
NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status);
NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc, NTSTATUS blocked_status);
#else
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
const char *function,
const char *location);
#define gnutls_error_to_ntstatus(gnutls_rc, blocked_status) \
_gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \
__FUNCTION__, __location__)
_gnutls_error_to_ntstatus(gnutls_rc, \
blocked_status, \
__FUNCTION__, \
__location__)
#endif
#ifdef DOXYGEN
@ -68,22 +69,20 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
*
* @return A corresponding WERROR code.
*/
WERROR gnutls_error_to_werror(int gnutls_rc,
WERROR blocked_werr);
WERROR gnutls_error_to_werror(int gnutls_rc, WERROR blocked_werr);
#else
WERROR _gnutls_error_to_werror(int gnutls_rc,
WERROR blocked_werr,
const char *function,
const char *location);
#define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
_gnutls_error_to_werror(gnutls_rc, blocked_werr, \
__FUNCTION__, __location__)
_gnutls_error_to_werror(gnutls_rc, \
blocked_werr, \
__FUNCTION__, \
__location__)
#endif
enum samba_gnutls_direction {
SAMBA_GNUTLS_ENCRYPT,
SAMBA_GNUTLS_DECRYPT
};
enum samba_gnutls_direction { SAMBA_GNUTLS_ENCRYPT, SAMBA_GNUTLS_DECRYPT };
/**
* @brief Encrypt or decrypt a data blob using RC4 with a key and salt.
@ -108,6 +107,42 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
DATA_BLOB *data,
enum samba_gnutls_direction encrypt);
/**
* @brief Encrypted a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 and
* the session key.
*
* This encrypts a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 with a
* key (can be the session key or PBKDF2 password). This is used in SAMR and
* LSA.
*
* @param mem_ctx The memory context to allocate the cipher text pointer.
*
* @param plaintext The secret to encrypt
*
* @param cek The content encryption key to encrypt the secret.
*
* @param key_salt The salt used to calculate the encryption key.
*
* @param key_salt The salt used to calculate the mac key.
* @param iv The initialization vector used for the encryption.
*
* @param pciphertext A pointer to store the cipher text.
*
* @param pauth_tag[64] An array to store the auth tag.
*
* @return NT_STATUS_OK on success, an nt status error code otherwise.
*/
NTSTATUS
samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx,
const DATA_BLOB *plaintext,
const DATA_BLOB *cek,
const DATA_BLOB *key_salt,
const DATA_BLOB *mac_salt,
const DATA_BLOB *iv,
DATA_BLOB *pciphertext,
uint8_t pauth_tag[64]);
/**
* @brief Check if weak crypto is allowed.
*

1
lib/crypto/wscript
View File

@ -39,6 +39,7 @@ def build(bld):
bld.SAMBA_SUBSYSTEM("GNUTLS_HELPERS",
source='''
gnutls_error.c
gnutls_aead_aes_256_cbc_hmac_sha512.c
gnutls_arcfour_confounded_md5.c
gnutls_weak_crypto.c
''',