mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
smbdes: convert sam_rid_crypt() to use gnutls
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
bbcf568f31
commit
ecee199803
@ -230,7 +230,8 @@ void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
|
||||
void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
|
||||
void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
|
||||
void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
|
||||
void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw);
|
||||
int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
|
||||
enum samba_gnutls_direction encrypt);
|
||||
#undef _PRINTF_ATTRIBUTE
|
||||
#define _PRINTF_ATTRIBUTE(a1, a2)
|
||||
|
||||
|
@ -418,15 +418,20 @@ void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14
|
||||
/* Decode a sam password hash into a password. The password hash is the
|
||||
same method used to store passwords in the NT registry. The DES key
|
||||
used is based on the RID of the user. */
|
||||
void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw)
|
||||
int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
|
||||
enum samba_gnutls_direction encrypt)
|
||||
{
|
||||
uint8_t s[14];
|
||||
int ret;
|
||||
|
||||
s[0] = s[4] = s[8] = s[12] = (uint8_t)(rid & 0xFF);
|
||||
s[1] = s[5] = s[9] = s[13] = (uint8_t)((rid >> 8) & 0xFF);
|
||||
s[2] = s[6] = s[10] = (uint8_t)((rid >> 16) & 0xFF);
|
||||
s[3] = s[7] = s[11] = (uint8_t)((rid >> 24) & 0xFF);
|
||||
|
||||
des_crypt56(out, in, s, forw);
|
||||
des_crypt56(out+8, in+8, s+7, forw);
|
||||
ret = des_crypt56_gnutls(out, in, s, encrypt);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
return des_crypt56_gnutls(out+8, in+8, s+7, encrypt);
|
||||
}
|
||||
|
@ -422,11 +422,14 @@ static void torture_gnutls_sam_rid_crypt(void **state)
|
||||
uint8_t crypt[16];
|
||||
uint8_t decrypt[16];
|
||||
int rid = 500;
|
||||
int rc;
|
||||
|
||||
sam_rid_crypt(rid, clear, crypt, 1);
|
||||
rc = sam_rid_crypt(rid, clear, crypt, SAMBA_GNUTLS_ENCRYPT);
|
||||
assert_int_equal(rc, 0);
|
||||
assert_memory_equal(crypt, crypt_expected, 16);
|
||||
|
||||
sam_rid_crypt(rid, crypt, decrypt, 0);
|
||||
rc = sam_rid_crypt(rid, crypt, decrypt, SAMBA_GNUTLS_DECRYPT);
|
||||
assert_int_equal(rc, 0);
|
||||
assert_memory_equal(decrypt, clear, 16);
|
||||
}
|
||||
|
||||
|
@ -135,7 +135,13 @@ static WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
|
||||
num_hashes = plain_buffer.length / 16;
|
||||
for (i = 0; i < num_hashes; i++) {
|
||||
uint32_t offset = i * 16;
|
||||
sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
|
||||
rc = sam_rid_crypt(rid, checked_buffer.data + offset,
|
||||
plain_buffer.data + offset,
|
||||
SAMBA_GNUTLS_DECRYPT);
|
||||
if (rc != 0) {
|
||||
result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -255,7 +261,13 @@ static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx,
|
||||
num_hashes = rid_crypt_out.length / 16;
|
||||
for (i = 0; i < num_hashes; i++) {
|
||||
uint32_t offset = i * 16;
|
||||
sam_rid_crypt(rid, in->data + offset, rid_crypt_out.data + offset, 1);
|
||||
rc = sam_rid_crypt(rid, in->data + offset,
|
||||
rid_crypt_out.data + offset,
|
||||
SAMBA_GNUTLS_ENCRYPT);
|
||||
if (rc != 0) {
|
||||
result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
in = &rid_crypt_out;
|
||||
}
|
||||
|
@ -25,6 +25,7 @@
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../libcli/samsync/samsync.h"
|
||||
#include "librpc/gen_ndr/ndr_netlogon.h"
|
||||
#include "lib/crypto/gnutls_helpers.h"
|
||||
|
||||
/**
|
||||
* Decrypt and extract the user's passwords.
|
||||
@ -43,13 +44,19 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
|
||||
struct netr_DELTA_USER *user = delta->delta_union.user;
|
||||
struct samr_Password lm_hash;
|
||||
struct samr_Password nt_hash;
|
||||
int rc;
|
||||
|
||||
/* Note that win2000 may send us all zeros
|
||||
* for the hashes if it doesn't
|
||||
* think this channel is secure enough. */
|
||||
if (user->lm_password_present) {
|
||||
if (!all_zero(user->lmpassword.hash, 16)) {
|
||||
sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
|
||||
rc = sam_rid_crypt(rid, user->lmpassword.hash,
|
||||
lm_hash.hash, SAMBA_GNUTLS_DECRYPT);
|
||||
if (rc != 0) {
|
||||
return gnutls_error_to_ntstatus(rc,
|
||||
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
||||
}
|
||||
} else {
|
||||
memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
|
||||
}
|
||||
@ -58,7 +65,12 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
|
||||
|
||||
if (user->nt_password_present) {
|
||||
if (!all_zero(user->ntpassword.hash, 16)) {
|
||||
sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
|
||||
rc = sam_rid_crypt(rid, user->ntpassword.hash,
|
||||
nt_hash.hash, SAMBA_GNUTLS_DECRYPT);
|
||||
if (rc != 0) {
|
||||
return gnutls_error_to_ntstatus(rc,
|
||||
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
||||
}
|
||||
} else {
|
||||
memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
|
||||
}
|
||||
@ -97,9 +109,13 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
|
||||
if (keys.keys.keys2.lmpassword.length == 16) {
|
||||
if (!all_zero(keys.keys.keys2.lmpassword.pwd.hash,
|
||||
16)) {
|
||||
sam_rid_crypt(rid,
|
||||
rc = sam_rid_crypt(rid,
|
||||
keys.keys.keys2.lmpassword.pwd.hash,
|
||||
lm_hash.hash, 0);
|
||||
lm_hash.hash, SAMBA_GNUTLS_DECRYPT);
|
||||
if (rc != 0) {
|
||||
return gnutls_error_to_ntstatus(rc,
|
||||
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
||||
}
|
||||
} else {
|
||||
memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
|
||||
}
|
||||
@ -109,9 +125,13 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
|
||||
if (keys.keys.keys2.ntpassword.length == 16) {
|
||||
if (!all_zero(keys.keys.keys2.ntpassword.pwd.hash,
|
||||
16)) {
|
||||
sam_rid_crypt(rid,
|
||||
rc = sam_rid_crypt(rid,
|
||||
keys.keys.keys2.ntpassword.pwd.hash,
|
||||
nt_hash.hash, 0);
|
||||
nt_hash.hash, SAMBA_GNUTLS_DECRYPT);
|
||||
if (rc != 0) {
|
||||
return gnutls_error_to_ntstatus(rc,
|
||||
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
||||
}
|
||||
} else {
|
||||
memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user