diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 5f65428a1d7..c541eeff470 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -302,21 +302,37 @@ NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState /* DES encrypt a 16 byte password buffer using the session key */ -void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass) { struct samr_Password tmp; - des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1); + int rc; + + rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *pass = tmp; + + return NT_STATUS_OK; } /* DES decrypt a 16 byte password buffer using the session key */ -void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass) { struct samr_Password tmp; - des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0); + int rc; + + rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_DECRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *pass = tmp; + + return NT_STATUS_OK; } /* @@ -993,17 +1009,23 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden p = &logon->password->lmpassword; if (!all_zero(p->hash, 16)) { if (do_encrypt) { - netlogon_creds_des_encrypt(creds, p); + status = netlogon_creds_des_encrypt(creds, p); } else { - netlogon_creds_des_decrypt(creds, p); + status = netlogon_creds_des_decrypt(creds, p); + } + if (!NT_STATUS_IS_OK(status)) { + return status; } } p = &logon->password->ntpassword; if (!all_zero(p->hash, 16)) { if (do_encrypt) { - netlogon_creds_des_encrypt(creds, p); + status = netlogon_creds_des_encrypt(creds, p); } else { - netlogon_creds_des_decrypt(creds, p); + status = netlogon_creds_des_decrypt(creds, p); + } + if (!NT_STATUS_IS_OK(status)) { + return status; } } } diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 6f043d774cd..407cb471cbc 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -2032,8 +2032,12 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre return; } } else { - netlogon_creds_des_encrypt(&state->tmp_creds, - &state->samr_password); + status = netlogon_creds_des_encrypt(&state->tmp_creds, + &state->samr_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerPasswordSet_cleanup(req, status); + return; + } subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev, state->binding_handle, @@ -3187,14 +3191,22 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq cmp = memcmp(state->new_owf_password.hash, zero.hash, sizeof(zero.hash)); if (cmp != 0) { - netlogon_creds_des_decrypt(&state->tmp_creds, - &state->new_owf_password); + status = netlogon_creds_des_decrypt(&state->tmp_creds, + &state->new_owf_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); + return; + } } cmp = memcmp(state->old_owf_password.hash, zero.hash, sizeof(zero.hash)); if (cmp != 0) { - netlogon_creds_des_decrypt(&state->tmp_creds, - &state->old_owf_password); + status = netlogon_creds_des_decrypt(&state->tmp_creds, + &state->old_owf_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); + return; + } } *state->creds = state->tmp_creds; diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 3994db20a36..4c6d7af6763 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h @@ -17,8 +17,10 @@ NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState struct netr_LMSessionKey *key); NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); +NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass); +NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass); NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); @@ -229,7 +231,8 @@ int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], enum samba_gnutls_direction encrypt); -void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); +int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], + enum samba_gnutls_direction encrypt); int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, enum samba_gnutls_direction encrypt); #undef _PRINTF_ATTRIBUTE diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c index 8dc4fc4097c..8fc79dc5c71 100644 --- a/libcli/auth/smbdes.c +++ b/libcli/auth/smbdes.c @@ -442,10 +442,17 @@ int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], } /* des encryption of a 16 byte lump of data with a 112 bit key */ -void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw) +int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], + enum samba_gnutls_direction encrypt) { - des_crypt56(out, in, key, forw); - des_crypt56(out + 8, in + 8, key+7, forw); + int ret; + + ret = des_crypt56_gnutls(out, in, key, encrypt); + if (ret != 0) { + return ret; + } + + return des_crypt56_gnutls(out + 8, in + 8, key+7, encrypt); } /* Decode a sam password hash into a password. The password hash is the diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c index 68a27adc894..a6692b9a913 100644 --- a/libcli/auth/tests/test_gnutls.c +++ b/libcli/auth/tests/test_gnutls.c @@ -414,11 +414,14 @@ static void torture_gnutls_des_crypt112_16(void **state) uint8_t crypt[16]; uint8_t decrypt[16]; + int rc; - des_crypt112_16(crypt, clear, key, 1); + rc = des_crypt112_16(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT); + assert_int_equal(rc, 0); assert_memory_equal(crypt, crypt_expected, 16); - des_crypt112_16(decrypt, crypt, key, 0); + rc = des_crypt112_16(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT); + assert_int_equal(rc, 0); assert_memory_equal(decrypt, clear, 16); } diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 671300676ff..124bae95064 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1311,7 +1311,10 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n", r->in.computer_name, creds->computer_name)); - netlogon_creds_des_decrypt(creds, r->in.new_password); + status = netlogon_creds_des_decrypt(creds, r->in.new_password); + if (!NT_STATUS_IS_OK(status)) { + return status; + } DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n")); for(i = 0; i < sizeof(r->in.new_password->hash); i++) @@ -2560,6 +2563,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, { enum ndr_err_code ndr_err; struct trustAuthInOutBlob trustAuth; + NTSTATUS status; ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth, (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob); @@ -2572,7 +2576,10 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, mdfour(current_pw_enc->hash, trustAuth.current.array[0].AuthInfo.clear.password, trustAuth.current.array[0].AuthInfo.clear.size); - netlogon_creds_des_encrypt(creds, current_pw_enc); + status = netlogon_creds_des_encrypt(creds, current_pw_enc); + if (!NT_STATUS_IS_OK(status)) { + return status; + } } else { return NT_STATUS_UNSUCCESSFUL; } @@ -2583,7 +2590,10 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, mdfour(previous_pw_enc->hash, trustAuth.previous.array[0].AuthInfo.clear.password, trustAuth.previous.array[0].AuthInfo.clear.size); - netlogon_creds_des_encrypt(creds, previous_pw_enc); + status = netlogon_creds_des_encrypt(creds, previous_pw_enc); + if (!NT_STATUS_IS_OK(status)) { + return status; + } } else { ZERO_STRUCTP(previous_pw_enc); } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1a36cc6ddca..0ab55afeab0 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -680,7 +680,8 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call return NT_STATUS_INVALID_SYSTEM_SERVICE; } - netlogon_creds_des_decrypt(creds, r->in.new_password); + nt_status = netlogon_creds_des_decrypt(creds, r->in.new_password); + NT_STATUS_NOT_OK_RETURN(nt_status); /* fetch the old password hashes (the NT hash has to exist) */ @@ -4206,11 +4207,17 @@ static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_cal if (curNtHash != NULL) { *r->out.new_owf_password = *curNtHash; - netlogon_creds_des_encrypt(creds, r->out.new_owf_password); + nt_status = netlogon_creds_des_encrypt(creds, r->out.new_owf_password); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } } if (prevNtHash != NULL) { *r->out.old_owf_password = *prevNtHash; - netlogon_creds_des_encrypt(creds, r->out.old_owf_password); + nt_status = netlogon_creds_des_encrypt(creds, r->out.old_owf_password); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } } if (trust_info != NULL) {