111 lines
3.3 KiB
Diff
111 lines
3.3 KiB
Diff
|
From ef374b9b3b98b498545d40f0aa2e537bdf81ae59 Mon Sep 17 00:00:00 2001
|
||
|
From: Andreas Schneider <asn@samba.org>
|
||
|
Date: Thu, 17 Jan 2019 12:40:21 +0100
|
||
|
Subject: [PATCH 035/187] s3:utils: Use GnuTLS RC4 in ntlm_auth
|
||
|
|
||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
|
||
|
|
||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||
|
(cherry picked from commit 359ae5be0d21e7ab235035aab65710c9459e9593)
|
||
|
---
|
||
|
source3/utils/ntlm_auth.c | 45 ++++++++++++++++++++++++++++++++++++---
|
||
|
1 file changed, 42 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
|
||
|
index 87f6554ae4f..8a6218ac9ec 100644
|
||
|
--- a/source3/utils/ntlm_auth.c
|
||
|
+++ b/source3/utils/ntlm_auth.c
|
||
|
@@ -37,7 +37,6 @@
|
||
|
#include "librpc/crypto/gse.h"
|
||
|
#include "smb_krb5.h"
|
||
|
#include "lib/util/tiniparser.h"
|
||
|
-#include "../lib/crypto/arcfour.h"
|
||
|
#include "nsswitch/winbind_client.h"
|
||
|
#include "librpc/gen_ndr/krb5pac.h"
|
||
|
#include "../lib/util/asn1.h"
|
||
|
@@ -49,6 +48,9 @@
|
||
|
#include "lib/util/base64.h"
|
||
|
#include "cmdline_contexts.h"
|
||
|
|
||
|
+#include <gnutls/gnutls.h>
|
||
|
+#include <gnutls/crypto.h>
|
||
|
+
|
||
|
#ifdef HAVE_KRB5
|
||
|
#include "auth/kerberos/pac_utils.h"
|
||
|
#endif
|
||
|
@@ -1937,6 +1939,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
||
|
uchar new_nt_hash[16];
|
||
|
uchar new_lm_hash[16];
|
||
|
|
||
|
+ gnutls_cipher_hd_t cipher_hnd = NULL;
|
||
|
+ gnutls_datum_t old_nt_key = {
|
||
|
+ .data = old_nt_hash,
|
||
|
+ .size = sizeof(old_nt_hash),
|
||
|
+ };
|
||
|
+ int rc;
|
||
|
+
|
||
|
new_nt_pswd = data_blob(NULL, 516);
|
||
|
old_nt_hash_enc = data_blob(NULL, 16);
|
||
|
|
||
|
@@ -1956,6 +1965,19 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
||
|
Likewise, obey the admin's restriction
|
||
|
*/
|
||
|
|
||
|
+ rc = gnutls_cipher_init(&cipher_hnd,
|
||
|
+ GNUTLS_CIPHER_ARCFOUR_128,
|
||
|
+ &old_nt_key,
|
||
|
+ NULL);
|
||
|
+ if (rc < 0) {
|
||
|
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
|
||
|
+ gnutls_strerror(rc));
|
||
|
+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
|
||
|
+ DBG_ERR("Running in FIPS mode, NTLM blocked\n");
|
||
|
+ }
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
if (lp_client_lanman_auth() &&
|
||
|
E_deshash(newpswd, new_lm_hash) &&
|
||
|
E_deshash(oldpswd, old_lm_hash)) {
|
||
|
@@ -1964,7 +1986,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
||
|
encode_pw_buffer(new_lm_pswd.data, newpswd,
|
||
|
STR_UNICODE);
|
||
|
|
||
|
- arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516);
|
||
|
+ rc = gnutls_cipher_encrypt(cipher_hnd,
|
||
|
+ new_lm_pswd.data,
|
||
|
+ 516);
|
||
|
+ if (rc < 0) {
|
||
|
+ gnutls_cipher_deinit(cipher_hnd);
|
||
|
+ return;
|
||
|
+ }
|
||
|
E_old_pw_hash(new_nt_hash, old_lm_hash,
|
||
|
old_lm_hash_enc.data);
|
||
|
} else {
|
||
|
@@ -1977,9 +2005,20 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
||
|
encode_pw_buffer(new_nt_pswd.data, newpswd,
|
||
|
STR_UNICODE);
|
||
|
|
||
|
- arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516);
|
||
|
+ rc = gnutls_cipher_encrypt(cipher_hnd,
|
||
|
+ new_nt_pswd.data,
|
||
|
+ 516);
|
||
|
+ gnutls_cipher_deinit(cipher_hnd);
|
||
|
+ if (rc < 0) {
|
||
|
+ return;
|
||
|
+ }
|
||
|
E_old_pw_hash(new_nt_hash, old_nt_hash,
|
||
|
old_nt_hash_enc.data);
|
||
|
+
|
||
|
+ ZERO_ARRAY(old_nt_hash);
|
||
|
+ ZERO_ARRAY(old_lm_hash);
|
||
|
+ ZERO_ARRAY(new_nt_hash);
|
||
|
+ ZERO_ARRAY(new_lm_hash);
|
||
|
}
|
||
|
|
||
|
if (!full_username && !username) {
|
||
|
--
|
||
|
2.23.0
|
||
|
|