rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import samba-4.12.3-4.el8.3

Browse Source
This commit is contained in:
CentOS Sources 2020-07-28 02:45:29 -04:00 committed by Stepan Oksanichenko
parent 6975dbb9a1
commit 921119bb40
216 changed files with 2065 additions and 25892 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
SOURCES/samba-4.11.2.tar.xz
SOURCES/samba-4.12.3.tar.xz

2
.samba.metadata
View File

@ -1,2 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
e920c3d96119b51c1d12a2428e8830000b331fe5 SOURCES/samba-4.11.2.tar.xz
5e1f1a069527fbb3eba6e484c60348cb84c8433f SOURCES/samba-4.12.3.tar.xz

61
SOURCES/0001-s3-profile-Use-SHA1-for-hashing-in-profiling-functio.patch
View File

@ -1,61 +0,0 @@
From 826e500242004b269219ad3deeacf0e01d136933 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Jul 2019 16:54:15 +0200
Subject: [PATCH 001/187] s3:profile: Use SHA1 for hashing in profiling
functions.
This can use SHA NI instructions if the CPU supports it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 6fe2193b17ac2d57c559d3b936b37238d06d6be8)
---
source3/profile/profile.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index df0ba5b0af3..90a30f01f58 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -124,7 +124,7 @@ static void reqprofile_message(struct messaging_context *msg_ctx,
******************************************************************/
bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
{
- unsigned char tmp[16] = {};
+ uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
gnutls_hash_hd_t hash_hnd = NULL;
char *db_name;
bool ok = false;
@@ -154,7 +154,7 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
reqprofile_message);
}
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
if (rc < 0) {
goto out;
}
@@ -210,15 +210,14 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
goto out;
}
- gnutls_hash_deinit(hash_hnd, tmp);
+ gnutls_hash_deinit(hash_hnd, digest);
profile_p = &smbprofile_state.stats.global;
- profile_p->magic = BVAL(tmp, 0);
+ profile_p->magic = BVAL(digest, 0);
if (profile_p->magic == 0) {
- profile_p->magic = BVAL(tmp, 8);
+ profile_p->magic = BVAL(digest, 8);
}
- ZERO_ARRAY(tmp);
ok = true;
out:
--
2.23.0

33
SOURCES/0002-lib-crypto-Fix-path-to-header-file-in-gnutls_helpers.patch
View File

@ -1,33 +0,0 @@
From bb29683ddc7cdacfe9129074652d97a11a9084af Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 16:28:27 +0200
Subject: [PATCH 002/187] lib:crypto: Fix path to header file in
gnutls_helpers.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a31a40b41a18ae09a4e2e76f41c95b011ed30bea)
---
lib/crypto/gnutls_helpers.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index b8288c25649..7c950c79525 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,8 +18,8 @@
#ifndef _GNUTLS_HELPERS_H
#define _GNUTLS_HELPERS_H
-#include "ntstatus.h"
-#include "werror.h"
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
--
2.23.0

65
SOURCES/0003-lib-crypto-Add-GNUTLS_FIPS140_SET_-LAX-STRICT-_MODE-.patch
View File

@ -1,65 +0,0 @@
From bd6da0ff651385f14f8414ecb440e228d5a8a7d1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:38:44 +0200
Subject: [PATCH 003/187] lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE
to helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 31a943fa0890438cffc67a566373f36c94c0a5a8)
---
lib/crypto/gnutls_helpers.h | 11 +++++++++++
source3/modules/hash_inode.c | 10 +---------
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 7c950c79525..8a2a49baf73 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,9 +18,20 @@
#ifndef _GNUTLS_HELPERS_H
#define _GNUTLS_HELPERS_H
+#include <gnutls/gnutls.h>
+
#include "libcli/util/ntstatus.h"
#include "libcli/util/werror.h"
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
+
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
const char *function,
diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
index 231538c72cb..a9144621901 100644
--- a/source3/modules/hash_inode.c
+++ b/source3/modules/hash_inode.c
@@ -22,15 +22,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-
-/* Those macros are only available in GnuTLS >= 3.6.4 */
-#ifndef GNUTLS_FIPS140_SET_LAX_MODE
-#define GNUTLS_FIPS140_SET_LAX_MODE()
-#endif
-
-#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
-#define GNUTLS_FIPS140_SET_STRICT_MODE()
-#endif
+#include "lib/crypto/gnutls_helpers.h"
SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
{
--
2.23.0

63
SOURCES/0004-s3-profile-Allow-profile-subsystem-to-use-SHA1-in-FI.patch
View File

@ -1,63 +0,0 @@
From 4728c82b9a9d857bac4cf04434856daa8d739995 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 08:41:12 +0200
Subject: [PATCH 004/187] s3:profile: Allow profile subsystem to use SHA1 in
FIPS mode
This is non-cryptographic use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 9 13:31:46 UTC 2019 on sn-devel-184
(cherry picked from commit ccf3e76625c42f5aceea0882971a232a9f56a971)
---
source3/profile/profile.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index 90a30f01f58..7e17d065d75 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -35,6 +35,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
struct profile_stats *profile_p;
struct smbprofile_global_state smbprofile_state;
@@ -154,6 +155,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
reqprofile_message);
}
+ GNUTLS_FIPS140_SET_LAX_MODE();
+
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
if (rc < 0) {
goto out;
@@ -212,6 +215,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
gnutls_hash_deinit(hash_hnd, digest);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
profile_p = &smbprofile_state.stats.global;
profile_p->magic = BVAL(digest, 0);
@@ -221,6 +226,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
ok = true;
out:
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
return ok;
}
--
2.23.0

114
SOURCES/0005-lib-util-Use-GnuTLS-random-number-generator-in-genra.patch
View File

@ -1,114 +0,0 @@
From 290c078652ffcacd69b0b00ea5e5413515c5de22 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Mar 2019 17:03:30 +0100
Subject: [PATCH 005/187] lib:util: Use GnuTLS random number generator in
genrand.c
FIPS requires that a random number generator from a certified crypto
library is used.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 18 01:30:20 UTC 2019 on sn-devel-184
(cherry picked from commit 664eed2e926f8f572b81e6d7c8e09b7ccbafb908)
---
lib/util/genrand.c | 31 +++++++------------------------
lib/util/genrand.h | 11 ++++-------
lib/util/wscript_build | 2 +-
3 files changed, 12 insertions(+), 32 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index a775535c49e..55997c3dd55 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -20,35 +20,17 @@
*/
#include "replace.h"
-#include "system/filesys.h"
#include "lib/util/genrand.h"
-#include "sys_rw_data.h"
-#include "lib/util/blocking.h"
-static int urand_fd = -1;
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
-static void open_urandom(void)
-{
- if (urand_fd != -1) {
- return;
- }
- urand_fd = open( "/dev/urandom", O_RDONLY,0);
- if (urand_fd == -1) {
- abort();
- }
- smb_set_close_on_exec(urand_fd);
-}
+/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
- ssize_t rw_ret;
-
- open_urandom();
-
- rw_ret = read_data(urand_fd, out, len);
- if (rw_ret != len) {
- abort();
- }
+ /* Thread and fork safe random number generator for temporary keys. */
+ gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
/*
@@ -57,5 +39,6 @@ _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
*/
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- generate_random_buffer(out, len);
+ /* Thread and fork safe random number generator for long term keys. */
+ gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index ef6bbc64157..899ce8badc0 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -20,14 +20,11 @@
*/
/**
- Interface to the (hopefully) good crypto random number generator.
- Will use our internal PRNG if more than 40 bytes of random generation
- has been requested, otherwise tries to read from /dev/random
-**/
+ * Thread and fork safe random number generator for temporary keys.
+ */
void generate_random_buffer(uint8_t *out, int len);
/**
- Interface to the (hopefully) good crypto random number generator.
- Will always use /dev/urandom if available.
-**/
+ * Thread and fork safe random number generator for long term keys.
+ */
void generate_secret_buffer(uint8_t *out, int len);
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index ff1c76e3686..5f005c41e49 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -104,7 +104,7 @@ else:
bld.SAMBA_LIBRARY('genrand',
source='genrand.c',
- deps='replace socket-blocking sys_rw',
+ deps='replace gnutls',
local_include=False,
private_library=True)
--
2.23.0

49
SOURCES/0006-lib-crypto-Document-gnutls_error_to_werror.patch
View File

@ -1,49 +0,0 @@
From 8391caf4f4aa8fed5167b5e5cf04197a29ba40e8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 18 Jul 2019 13:27:57 +0200
Subject: [PATCH 006/187] lib:crypto: Document gnutls_error_to_werror()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e43678b84a3434b977f44b265599f1d9207d3b78)
---
lib/crypto/gnutls_helpers.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 8a2a49baf73..debaa701554 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -40,6 +40,21 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
_gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \
__FUNCTION__, __location__)
+#ifdef DOXYGEN
+/**
+ * @brief Convert a gnutls error code to a corresponding WERROR.
+ *
+ * @param[in] gnutls_rc The GnuTLS return code.
+ *
+ * @param[in] blocked_werr The WERROR code which should be returned if e.g
+ * the cipher we want to used it not allowed to be
+ * used because of FIPS mode.
+ *
+ * @return A corresponding WERROR code.
+ */
+WERROR gnutls_error_to_werror(int gnutls_rc,
+ WERROR blocked_werr);
+#else
WERROR _gnutls_error_to_werror(int gnutls_rc,
WERROR blocked_werr,
const char *function,
@@ -47,6 +62,7 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
#define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
_gnutls_error_to_werror(gnutls_rc, blocked_werr, \
__FUNCTION__, __location__)
+#endif
enum samba_gnutls_direction {
SAMBA_GNUTLS_ENCRYPT,
--
2.23.0

45
SOURCES/0007-lib-crypto-Document-samba_gnutls_arcfour_confounded_.patch
View File

@ -1,45 +0,0 @@
From 47f922c797006a3158fa3e077a7086086917b5e4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 18 Jul 2019 13:33:54 +0200
Subject: [PATCH 007/187] lib:crypto: Document
samba_gnutls_arcfour_confounded_md5()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit baa96ef20945638fb5ee76b03543c7b611e9c7d7)
---
lib/crypto/gnutls_helpers.h | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index debaa701554..d6000c7b316 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -69,6 +69,24 @@ enum samba_gnutls_direction {
SAMBA_GNUTLS_DECRYPT
};
+/**
+ * @brief Encrypt or decrypt a data blob using RC4 with a key and salt.
+ *
+ * One of the key input should be a session key and the other a confounder
+ * (aka salt). Which one depends on the implementation details of the
+ * protocol.
+ *
+ * @param[in] key_input1 Either a session_key or a confounder.
+ *
+ * @param[in] key_input2 Either a session_key or a confounder.
+ *
+ * @param[in] data The data blob ot either encrypt or decrypt. The data
+ * will be encrypted or decrypted in place.
+ *
+ * @param[in] encrypt The encryption direction.
+ *
+ * @return A gnutls error code.
+ */
int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
const DATA_BLOB *key_input2,
DATA_BLOB *data,
--
2.23.0

150
SOURCES/0008-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
View File

@ -1,150 +0,0 @@
From bcbc9eca11583426d9b0e7ce4d4e51b16bda32f0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 16:22:11 +0200
Subject: [PATCH 008/187] s3:rpc_client: Return NTSTATUS for
init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4b9b1dbe9c8c988a39b1318a4f7aac031bc1ea8b)
---
source3/lib/netapi/user.c | 9 ++++++---
source3/libnet/libnet_join.c | 10 +++++++---
source3/rpc_client/init_samr.c | 14 ++++++++++----
source3/rpc_client/init_samr.h | 6 +++---
source3/rpcclient/cmd_samr.c | 5 ++++-
source3/utils/net_rpc.c | 9 ++++++---
6 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 4b66dab2f99..2136ef47ee6 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -326,9 +326,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info23.info = info21;
- init_samr_CryptPassword(uX->usriX_password,
- session_key,
- &user_info.info23.password);
+ status = init_samr_CryptPassword(uX->usriX_password,
+ session_key,
+ &user_info.info23.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
user_handle,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 9d4f656ffec..abf8672d050 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1570,9 +1570,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
/* retry with level 24 */
- init_samr_CryptPassword(r->in.machine_password,
- &session_key,
- &crypt_pwd);
+ status = init_samr_CryptPassword(r->in.machine_password,
+ &session_key,
+ &crypt_pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
user_info.info24.password = crypt_pwd;
user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
@@ -1584,6 +1587,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
&result);
}
+error:
old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index d116ece576f..8b41ec2f10f 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -81,12 +81,18 @@ out:
inits a samr_CryptPassword structure
*************************************************************************/
-void init_samr_CryptPassword(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPassword *pwd_buf)
+NTSTATUS init_samr_CryptPassword(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPassword *pwd_buf)
{
/* samr_CryptPassword */
+ bool ok;
- encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+ ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
arcfour_crypt_blob(pwd_buf->data, 516, session_key);
+
+ return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 223fa91e3d9..4214ab55a04 100644
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
@@ -25,8 +25,8 @@
void init_samr_CryptPasswordEx(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPasswordEx *pwd_buf);
-void init_samr_CryptPassword(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPassword *pwd_buf);
+NTSTATUS init_samr_CryptPassword(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPassword *pwd_buf);
#endif /* _RPC_CLIENT_INIT_SAMR_H_ */
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 8cbf8ab24bd..ccaec1ada40 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3063,7 +3063,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return status;
}
- init_samr_CryptPassword(param, &session_key, &pwd_buf);
+ status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
nt_lm_owf_gen(param, nt_hash, lm_hash);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index a56190f7be5..f6fb892a2d9 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6195,9 +6195,12 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
ZERO_STRUCT(info.info23);
- init_samr_CryptPassword(argv[1],
- &session_key,
- &crypt_pwd);
+ status = init_samr_CryptPassword(argv[1],
+ &session_key,
+ &crypt_pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
info.info23.info.fields_present = SAMR_FIELD_ACCT_FLAGS |
SAMR_FIELD_NT_PASSWORD_PRESENT;
--
2.23.0

199
SOURCES/0009-s3-rpc_client-Return-NTSTATUS-for-init_samr_CryptPas.patch
View File

@ -1,199 +0,0 @@
From 97f9ec9431ebf22ae06f61c97c183e04b59d6e7f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 17:16:26 +0200
Subject: [PATCH 009/187] s3:rpc_client: Return NTSTATUS for
init_samr_CryptPasswordEx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7915a48e53c8f72ba56da2f433427b961feeb16f)
---
source3/lib/netapi/user.c | 9 ++++---
source3/libnet/libnet_join.c | 9 ++++---
source3/rpc_client/init_samr.c | 27 +++++++++++++++------
source3/rpc_client/init_samr.h | 6 ++---
source3/rpc_server/netlogon/srv_netlog_nt.c | 9 ++++---
source3/rpcclient/cmd_samr.c | 5 +++-
6 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 2136ef47ee6..827b7902040 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -313,9 +313,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info25.info = info21;
- init_samr_CryptPasswordEx(uX->usriX_password,
- session_key,
- &user_info.info25.password);
+ status = init_samr_CryptPasswordEx(uX->usriX_password,
+ session_key,
+ &user_info.info25.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
user_handle,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index abf8672d050..eb8e0ea17f7 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1553,9 +1553,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
*/
old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
- init_samr_CryptPasswordEx(r->in.machine_password,
- &session_key,
- &crypt_pwd_ex);
+ status = init_samr_CryptPasswordEx(r->in.machine_password,
+ &session_key,
+ &crypt_pwd_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
user_info.info26.password = crypt_pwd_ex;
user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 8b41ec2f10f..5f6cbc5d3c7 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -22,6 +22,7 @@
#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_samr.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -29,9 +30,9 @@
inits a samr_CryptPasswordEx structure
*************************************************************************/
-void init_samr_CryptPasswordEx(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPasswordEx *pwd_buf)
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *pwd_buf)
{
/* samr_CryptPasswordEx */
@@ -39,42 +40,52 @@ void init_samr_CryptPasswordEx(const char *pwd,
gnutls_hash_hd_t hash_hnd = NULL;
uint8_t confounder[16];
DATA_BLOB confounded_session_key = data_blob(NULL, 16);
+ NTSTATUS status;
+ bool ok;
int rc;
- encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+ ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
generate_random_buffer((uint8_t *)confounder, 16);
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, confounder, 16);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
arcfour_crypt_blob(pwbuf, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
+ data_blob_clear_free(&confounded_session_key);
memcpy(&pwbuf[516], confounder, 16);
ZERO_ARRAY(confounder);
memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
ZERO_ARRAY(pwbuf);
+
+ status = NT_STATUS_OK;
out:
- return;
+ data_blob_clear_free(&confounded_session_key);
+ return status;
}
/*************************************************************************
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 4214ab55a04..3f0dc847dd2 100644
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
@@ -22,9 +22,9 @@
/* The following definitions come from rpc_client/init_samr.c */
-void init_samr_CryptPasswordEx(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPasswordEx *pwd_buf);
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *pwd_buf);
NTSTATUS init_samr_CryptPassword(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPassword *pwd_buf);
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c9aaa90cbb9..d5267bf7062 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1226,9 +1226,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
infolevel = UserInternal5InformationNew;
- init_samr_CryptPasswordEx(cr->creds.password,
- &session_key,
- &info26.password);
+ status = init_samr_CryptPasswordEx(cr->creds.password,
+ &session_key,
+ &info26.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
info->info26 = info26;
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index ccaec1ada40..b1b7c06515c 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3067,7 +3067,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+ status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
nt_lm_owf_gen(param, nt_hash, lm_hash);
switch (level) {
--
2.23.0

115
SOURCES/0010-libcli-auth-Return-NTSTATUS-for-encode_or_decode_arc.patch
View File

@ -1,115 +0,0 @@
From 6125794925d054da191cf6c21a76ceb904848710 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 14:57:52 +0200
Subject: [PATCH 010/187] libcli:auth: Return NTSTATUS for
encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 57dd415ba49b9621deddf604a5bf148c10ebc37e)
---
libcli/auth/proto.h | 3 ++-
libcli/auth/smbencrypt.c | 10 ++++++++--
source3/rpc_server/samr/srv_samr_nt.c | 10 ++++++++--
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index afd7f0d148d..651f1139cf5 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,7 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key);
+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index a74ccf09b02..ae97f3cc93e 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,27 +843,32 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key)
+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key)
{
gnutls_hash_hd_t hash_hnd = NULL;
unsigned char key_out[16];
+ NTSTATUS status;
int rc;
/* Confounder is last 16 bytes. */
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, &pw_buf[516], 16);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
gnutls_hash_deinit(hash_hnd, key_out);
@@ -873,8 +878,9 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
ZERO_ARRAY(key_out);
+ status = NT_STATUS_OK;
out:
- return;
+ return status;
}
/***********************************************************
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 124d6d38cd7..c2be8bfc19a 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,9 +5185,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- encode_or_decode_arc4_passwd_buffer(
+ status = encode_or_decode_arc4_passwd_buffer(
info->info25.password.data,
&session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info25.password.data, 532);
@@ -5201,9 +5204,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- encode_or_decode_arc4_passwd_buffer(
+ status = encode_or_decode_arc4_passwd_buffer(
info->info26.password.data,
&session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info26.password.data, 516);
--
2.23.0

234
SOURCES/0011-libcli-auth-Add-test-for-decoding-an-RC4-password-bu.patch
View File

@ -1,234 +0,0 @@
From f0d4f6ec31079506b01502f7b515245ace03227d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 09:39:02 +0200
Subject: [PATCH 011/187] libcli:auth: Add test for decoding an RC4 password
buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7ccc76f951a626a25d553ac85c5bf30eb29ffa2b)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 177 +++++++++++++++++++++
libcli/auth/wscript_build | 9 ++
selftest/tests.py | 2 +
3 files changed, 188 insertions(+)
create mode 100644 libcli/auth/tests/test_rc4_passwd_buffer.c
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
new file mode 100644
index 00000000000..f40ac3a5655
--- /dev/null
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -0,0 +1,177 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2018-2019 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "libcli/auth/libcli_auth.h"
+#include "rpc_client/init_samr.h"
+
+#define PASSWORD "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+static const uint8_t encrypted_test_blob[] = {
+ 0x37, 0x8e, 0x1d, 0xd5, 0xd3, 0x9f, 0xca, 0x8e,
+ 0x2f, 0x2d, 0xee, 0xc3, 0xb5, 0x50, 0xcd, 0x4e,
+ 0xc9, 0x08, 0x04, 0x68, 0x32, 0xc3, 0xac, 0x8e,
+ 0x53, 0x69, 0xd6, 0xb7, 0x56, 0xcc, 0xc0, 0xbe,
+ 0x4e, 0x96, 0xa7, 0x74, 0xe9, 0xaa, 0x10, 0x3d,
+ 0xd5, 0x8c, 0xaa, 0x12, 0x56, 0xb6, 0xf1, 0x85,
+ 0x21, 0xfa, 0xe9, 0xa1, 0x76, 0xe6, 0xa5, 0x33,
+ 0x33, 0x2f, 0x47, 0x29, 0xd6, 0xbd, 0xde, 0x64,
+ 0x4d, 0x15, 0x3e, 0x6a, 0x11, 0x9b, 0x52, 0xbf,
+ 0x7e, 0x3a, 0xeb, 0x1c, 0x55, 0xd1, 0xb2, 0xa4,
+ 0x35, 0x03, 0x6c, 0x39, 0x61, 0x28, 0x98, 0xc3,
+ 0x2d, 0xd4, 0x70, 0x69, 0x8b, 0x83, 0xe9, 0x62,
+ 0xbe, 0xd8, 0x72, 0x4e, 0xdf, 0xd4, 0xe9, 0xe3,
+ 0x46, 0x2a, 0xf9, 0x3c, 0x0f, 0x41, 0x62, 0xe1,
+ 0x43, 0xf0, 0x91, 0xbe, 0x72, 0xa0, 0xc9, 0x08,
+ 0x73, 0x20, 0x1f, 0x0d, 0x68, 0x2e, 0x32, 0xa1,
+ 0xb8, 0x9b, 0x08, 0xa1, 0xb4, 0x81, 0x6b, 0xf1,
+ 0xde, 0x0c, 0x28, 0x34, 0xe2, 0x65, 0x62, 0x54,
+ 0xeb, 0xc0, 0x71, 0x14, 0xad, 0x36, 0x43, 0x0e,
+ 0x92, 0x4d, 0x11, 0xe8, 0xdd, 0x2d, 0x5f, 0x05,
+ 0xff, 0x07, 0xda, 0x81, 0x4e, 0x27, 0x42, 0xa8,
+ 0xa9, 0x64, 0x4c, 0x74, 0xc8, 0x05, 0xbb, 0x83,
+ 0x5a, 0xd9, 0x90, 0x3e, 0x0d, 0x9d, 0xe5, 0x2f,
+ 0x08, 0xf9, 0x1b, 0xbd, 0x26, 0xc3, 0x0d, 0xac,
+ 0x43, 0xd5, 0x17, 0xf2, 0x61, 0xf5, 0x74, 0x9b,
+ 0xf3, 0x5b, 0x5f, 0xe1, 0x8a, 0xa6, 0xfd, 0xdf,
+ 0xff, 0xb5, 0x8b, 0xf1, 0x26, 0xf7, 0xe0, 0xa7,
+ 0x4f, 0x5b, 0xb8, 0x6d, 0xeb, 0xf6, 0x52, 0x68,
+ 0x8d, 0xa3, 0xd4, 0x7f, 0x56, 0x43, 0xaa, 0xec,
+ 0x58, 0x47, 0x03, 0xee, 0x9b, 0x59, 0xd9, 0x78,
+ 0x9a, 0xfb, 0x9e, 0xe9, 0xa6, 0x61, 0x4e, 0x6d,
+ 0x92, 0x35, 0xd3, 0x37, 0x6e, 0xf2, 0x34, 0x39,
+ 0xd4, 0xd2, 0xeb, 0xcf, 0x1c, 0x10, 0xb3, 0x2b,
+ 0x3e, 0x07, 0x42, 0x3e, 0x20, 0x90, 0x07, 0x3e,
+ 0xc7, 0xed, 0xd4, 0xdf, 0x50, 0xe5, 0xff, 0xaf,
+ 0x05, 0xce, 0x29, 0xbe, 0x01, 0xf8, 0xb0, 0x30,
+ 0x96, 0xae, 0x1b, 0x62, 0x23, 0x93, 0x91, 0x1a,
+ 0x52, 0x98, 0xd9, 0x59, 0xb8, 0x11, 0xec, 0xb8,
+ 0xcf, 0x20, 0x32, 0x90, 0x9e, 0xf2, 0x06, 0x43,
+ 0xb8, 0x36, 0xe3, 0x33, 0x4e, 0x6f, 0x75, 0xeb,
+ 0xf7, 0x6c, 0xac, 0x06, 0x5f, 0x24, 0x8e, 0x4a,
+ 0x03, 0xdf, 0x50, 0x31, 0xaa, 0x91, 0xd5, 0x85,
+ 0x95, 0x78, 0x5b, 0xf4, 0x7f, 0x3e, 0xbc, 0x41,
+ 0xfa, 0x10, 0xd3, 0x0f, 0x86, 0x8b, 0x23, 0xed,
+ 0xfc, 0xcc, 0x3e, 0x7d, 0x8c, 0xb4, 0x7c, 0xec,
+ 0x04, 0x7d, 0x12, 0x53, 0xa1, 0x30, 0xc5, 0xac,
+ 0xf3, 0x1e, 0x54, 0x1f, 0x97, 0x05, 0x86, 0x74,
+ 0x51, 0x13, 0x45, 0x98, 0xb8, 0x50, 0x62, 0x18,
+ 0x0f, 0x6d, 0x66, 0xa4, 0x88, 0x31, 0x76, 0xa3,
+ 0xb0, 0x75, 0x55, 0x44, 0x18, 0x7c, 0x67, 0xc7,
+ 0x09, 0x9c, 0xab, 0x53, 0x49, 0xc0, 0xc9, 0x27,
+ 0x53, 0xa6, 0x99, 0x01, 0x10, 0x49, 0x67, 0x8e,
+ 0x5b, 0x12, 0x96, 0x40, 0x16, 0x39, 0x11, 0x53,
+ 0x44, 0x8f, 0xa9, 0xbe, 0x84, 0xbe, 0xe0, 0x45,
+ 0xe3, 0xfd, 0x48, 0x46, 0x43, 0x53, 0x13, 0x5f,
+ 0xfa, 0xcf, 0x09, 0x67, 0x90, 0xa3, 0x94, 0xaa,
+ 0x0d, 0x1f, 0xc2, 0xc3, 0xd4, 0x7e, 0xc8, 0x14,
+ 0xbe, 0x84, 0xa5, 0x55, 0xee, 0x49, 0x8e, 0x03,
+ 0x1d, 0xaf, 0xad, 0x65, 0x2f, 0xf0, 0xd5, 0x90,
+ 0x5e, 0x8d, 0x29, 0x40, 0xba, 0x57, 0x26, 0xa8,
+ 0x6c, 0x4b, 0x59, 0x40, 0x4e, 0xc2, 0xc4, 0x88,
+ 0x0a, 0x06, 0x2b, 0x6c, 0x2a, 0xc7, 0x3f, 0xfe,
+ 0x37, 0x2c, 0x41, 0x58, 0xfe, 0x7e, 0xaf, 0xd1,
+ 0xd9, 0xd2, 0x9c, 0xd7, 0x8a, 0x01, 0x0e, 0x8c,
+ 0x9e, 0x8b, 0x5d, 0x72, 0x54, 0x00, 0xbe, 0xb2,
+ 0x9a, 0xc7, 0xfd, 0x83, 0x1e, 0x9c, 0x79, 0xdd,
+ 0x15, 0x13, 0xdc, 0x15,
+};
+
+static void torture_decode_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ memcpy(out_pwd_buf.data,
+ encrypted_test_blob,
+ sizeof(out_pwd_buf.data));
+
+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
+ &session_key);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+}
+
+static void torture_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ status = init_samr_CryptPasswordEx(PASSWORD,
+ &session_key,
+ &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
+ &session_key);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(torture_decode_rc4_passwd_buffer),
+ cmocka_unit_test(torture_rc4_passwd_buffer),
+ };
+
+ if (argc == 2) {
+ cmocka_set_test_filter(argv[1]);
+ }
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ rc = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rc;
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 04e2b09eadf..eabf3814ba1 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -62,3 +62,12 @@ bld.SAMBA_BINARY('test_schannel',
cmocka
''',
install=False)
+
+bld.SAMBA_BINARY('test_rc4_passwd_buffer',
+ source='tests/test_rc4_passwd_buffer.c',
+ deps='''
+ INIT_SAMR
+ LIBCLI_AUTH
+ cmocka
+ ''',
+ install=False)
diff --git a/selftest/tests.py b/selftest/tests.py
index bbb5709ee47..c91d9b445fe 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -392,6 +392,8 @@ plantestsuite("samba.unittests.ntlm_check", "none",
[os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
plantestsuite("samba.unittests.schannel", "none",
[os.path.join(bindir(), "default/libcli/auth/test_schannel")])
+plantestsuite("samba.unittests.rc4_passwd_buffer", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_rc4_passwd_buffer")])
plantestsuite("samba.unittests.test_registry_regfio", "none",
[os.path.join(bindir(), "default/source3/test_registry_regfio")])
plantestsuite("samba.unittests.test_oLschema2ldif", "none",
--
2.23.0

94
SOURCES/0012-s3-rpc_client-Use-samba_gnutls_arcfour_confounded_md.patch
View File

@ -1,94 +0,0 @@
From 6546e97d27e45db9cbfd2f7d8c4838b2fd8d6a6a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 Jul 2019 16:22:48 +0200
Subject: [PATCH 012/187] s3:rpc_client: Use
samba_gnutls_arcfour_confounded_md5 in init_samr_CryptPasswordEx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2075019ca90d7d474003c87b2f0202239891eba5)
---
source3/rpc_client/init_samr.c | 50 ++++++++++------------------------
1 file changed, 15 insertions(+), 35 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 5f6cbc5d3c7..3968dfea99f 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -36,56 +36,36 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
{
/* samr_CryptPasswordEx */
- uint8_t pwbuf[532];
- gnutls_hash_hd_t hash_hnd = NULL;
- uint8_t confounder[16];
- DATA_BLOB confounded_session_key = data_blob(NULL, 16);
- NTSTATUS status;
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 16);
+ uint8_t pwbuf[532] = {0};
+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
bool ok;
int rc;
ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
if (!ok) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto out;
+ return NT_STATUS_INTERNAL_ERROR;
}
- generate_random_buffer((uint8_t *)confounder, 16);
+ generate_random_buffer(_confounder, sizeof(_confounder));
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ session_key,
+ &encrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ ZERO_ARRAY(_confounder);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
}
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(pwbuf, 516, &confounded_session_key);
- data_blob_clear_free(&confounded_session_key);
-
- memcpy(&pwbuf[516], confounder, 16);
- ZERO_ARRAY(confounder);
+ memcpy(&pwbuf[516], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
ZERO_ARRAY(pwbuf);
- status = NT_STATUS_OK;
-out:
- data_blob_clear_free(&confounded_session_key);
- return status;
+ return NT_STATUS_OK;
}
/*************************************************************************
--
2.23.0

65
SOURCES/0013-s3-rpc_client-Use-GnuTLS-RC4-in-init_samr_CryptPassw.patch
View File

@ -1,65 +0,0 @@
From 9913d8e981dd39fd1f7e260644f35aa6718c9bd2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 13:15:08 +0100
Subject: [PATCH 013/187] s3:rpc_client: Use GnuTLS RC4 in
init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 95db9a81db093488e625b4ef385a184a5e517ede)
---
source3/rpc_client/init_samr.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 3968dfea99f..0eb50c54525 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -19,7 +19,6 @@
#include "includes.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_samr.h"
#include "lib/crypto/gnutls_helpers.h"
@@ -77,13 +76,33 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
struct samr_CryptPassword *pwd_buf)
{
/* samr_CryptPassword */
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t sess_key = {
+ .data = session_key->data,
+ .size = session_key->length,
+ };
bool ok;
+ int rc;
ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
if (!ok) {
return NT_STATUS_INTERNAL_ERROR;
}
- arcfour_crypt_blob(pwd_buf->data, 516, session_key);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &sess_key,
+ NULL);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ pwd_buf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
return NT_STATUS_OK;
}
--
2.23.0

73
SOURCES/0014-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
View File

@ -1,73 +0,0 @@
From 15ca4ae322f88f797c571ad7801a9e44a6262d73 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:09:32 +0200
Subject: [PATCH 014/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() for rc4 passwd buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dea160820a393be51985a4e761a3f73da83972e7)
---
libcli/auth/smbencrypt.c | 39 +++++++++------------------------------
1 file changed, 9 insertions(+), 30 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index ae97f3cc93e..17c1e1f69ff 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -846,41 +846,20 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
const DATA_BLOB *psession_key)
{
- gnutls_hash_hd_t hash_hnd = NULL;
- unsigned char key_out[16];
- NTSTATUS status;
- int rc;
-
/* Confounder is last 16 bytes. */
+ DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
+ DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
+ int rc;
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ psession_key,
+ &pw_data,
+ SAMBA_GNUTLS_DECRYPT);
if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
}
- rc = gnutls_hash(hash_hnd, &pw_buf[516], 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, key_out);
-
- /* arc4 with key_out. */
- arcfour_crypt(pw_buf, key_out, 516);
-
- ZERO_ARRAY(key_out);
-
- status = NT_STATUS_OK;
-out:
- return status;
+ return NT_STATUS_OK;
}
/***********************************************************
--
2.23.0

97
SOURCES/0015-libcli-auth-Rename-encode_or_decode_arc4_passwd_buff.patch
View File

@ -1,97 +0,0 @@
From 228c16e06b82a3d7a33c2d4440aa258518c8c29f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:12:43 +0200
Subject: [PATCH 015/187] libcli:auth: Rename
encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 89f8b028e2d595348f9996854488d7aa552ae905)
---
libcli/auth/proto.h | 4 ++--
libcli/auth/smbencrypt.c | 4 ++--
libcli/auth/tests/test_rc4_passwd_buffer.c | 6 ++----
source3/rpc_server/samr/srv_samr_nt.c | 4 ++--
4 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 651f1139cf5..1bcbeddb228 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key);
+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 17c1e1f69ff..7e343f71577 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,8 +843,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key)
+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key)
{
/* Confounder is last 16 bytes. */
DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index f40ac3a5655..eb737703230 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -114,8 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
encrypted_test_blob,
sizeof(out_pwd_buf.data));
- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -144,8 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
&out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index c2be8bfc19a..4dc9132511f 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,7 +5185,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = encode_or_decode_arc4_passwd_buffer(
+ status = decode_rc4_passwd_buffer(
info->info25.password.data,
&session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -5204,7 +5204,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = encode_or_decode_arc4_passwd_buffer(
+ status = decode_rc4_passwd_buffer(
info->info26.password.data,
&session_key);
if (!NT_STATUS_IS_OK(status)) {
--
2.23.0

115
SOURCES/0016-libcli-auth-Pass-samr_CryptPasswordEx-to-decode_rc4_.patch
View File

@ -1,115 +0,0 @@
From 3eb3f3bdabd103c3858323e08a9180913c223e16 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 12:53:31 +0200
Subject: [PATCH 016/187] libcli:auth: Pass samr_CryptPasswordEx to
decode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 79ca72ec3d13fea5d2ad608415757ca9870035a3)
---
libcli/auth/proto.h | 4 ++--
libcli/auth/smbencrypt.c | 8 ++++----
libcli/auth/tests/test_rc4_passwd_buffer.c | 5 +++--
source3/rpc_server/samr/srv_samr_nt.c | 10 ++++------
4 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 1bcbeddb228..a67c89d8552 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key);
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 7e343f71577..b7b17130f07 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,12 +843,12 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key)
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd)
{
/* Confounder is last 16 bytes. */
- DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
- DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
+ DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16);
+ DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516);
int rc;
rc = samba_gnutls_arcfour_confounded_md5(&confounder,
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index eb737703230..3bf371c5dd5 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -114,7 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
encrypted_test_blob,
sizeof(out_pwd_buf.data));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -143,7 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
&out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -154,6 +154,7 @@ static void torture_rc4_passwd_buffer(void **state)
assert_true(ok);
assert_int_equal(password_decoded_len, strlen(PASSWORD));
assert_string_equal(password_decoded, PASSWORD);
+ talloc_free(password_decoded);
}
int main(int argc, char *argv[])
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 4dc9132511f..fd5c453e0eb 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,9 +5185,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = decode_rc4_passwd_buffer(
- info->info25.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info25.password);
if (!NT_STATUS_IS_OK(status)) {
break;
}
@@ -5204,9 +5203,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = decode_rc4_passwd_buffer(
- info->info26.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info26.password);
if (!NT_STATUS_IS_OK(status)) {
break;
}
--
2.23.0

89
SOURCES/0017-libcli-auth-Add-encode_rc4_passwd_buffer.patch
View File

@ -1,89 +0,0 @@
From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:01:10 +0200
Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf)
---
libcli/auth/proto.h | 7 +++++++
libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index a67c89d8552..67caaca8c41 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
size_t *new_pw_len,
charset_t string_charset);
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd);
+
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index b7b17130f07..793012553b2 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
return true;
}
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd)
+{
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 16);
+ DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);
+ bool ok;
+ int rc;
+
+ ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ generate_random_buffer(confounder.data, confounder.length);
+
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ session_key,
+ &pw_data,
+ SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ ZERO_ARRAY(_confounder);
+ data_blob_clear(&pw_data);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+
+ /*
+ * The packet format is the 516 byte RC4 encrypted
+ * pasword followed by the 16 byte counfounder
+ * The confounder is a salt to prevent pre-computed hash attacks on the
+ * database.
+ */
+ memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
+
+ return NT_STATUS_OK;
+}
+
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
--
2.23.0

65
SOURCES/0018-libcli-auth-Add-test-for-encode_rc4_passwd_buffer.patch
View File

@ -1,65 +0,0 @@
From fe1f6278c7a5c54d948f6ca031686745ad653a94 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:06:49 +0200
Subject: [PATCH 018/187] libcli:auth: Add test for encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fe00b3735a7e8ae16fb6443965769f1e947a6aa6)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 31 ++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index 3bf371c5dd5..db6ca3f3f4c 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -157,12 +157,43 @@ static void torture_rc4_passwd_buffer(void **state)
talloc_free(password_decoded);
}
+static void torture_endode_decode_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ status = encode_rc4_passwd_buffer(PASSWORD,
+ &session_key,
+ &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+ talloc_free(password_decoded);
+}
+
int main(int argc, char *argv[])
{
int rc;
const struct CMUnitTest tests[] = {
cmocka_unit_test(torture_decode_rc4_passwd_buffer),
cmocka_unit_test(torture_rc4_passwd_buffer),
+ cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer),
};
if (argc == 2) {
--
2.23.0

60
SOURCES/0019-s3-rpc_client-Use-encode_rc4_passwd_buffer-in-init_s.patch
View File

@ -1,60 +0,0 @@
From 26b7ab9339d9e6530244bf35e38a3658d7fc8aa9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 11:44:51 +0200
Subject: [PATCH 019/187] s3:rpc_client: Use encode_rc4_passwd_buffer() in
init_samr_CryptPasswordEx()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f0c0cf299eb99e7b78be2f04141b6d415bf525e2)
---
source3/rpc_client/init_samr.c | 33 +--------------------------------
1 file changed, 1 insertion(+), 32 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 0eb50c54525..a98d50e3f6a 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -33,38 +33,7 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPasswordEx *pwd_buf)
{
- /* samr_CryptPasswordEx */
-
- uint8_t _confounder[16] = {0};
- DATA_BLOB confounder = data_blob_const(_confounder, 16);
- uint8_t pwbuf[532] = {0};
- DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
- bool ok;
- int rc;
-
- ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
- if (!ok) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- generate_random_buffer(_confounder, sizeof(_confounder));
-
- rc = samba_gnutls_arcfour_confounded_md5(&confounder,
- session_key,
- &encrypt_pwbuf,
- SAMBA_GNUTLS_ENCRYPT);
- if (rc < 0) {
- ZERO_ARRAY(_confounder);
- return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
- }
-
- memcpy(&pwbuf[516], confounder.data, confounder.length);
- ZERO_ARRAY(_confounder);
-
- memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
- ZERO_ARRAY(pwbuf);
-
- return NT_STATUS_OK;
+ return encode_rc4_passwd_buffer(pwd, session_key, pwd_buf);
}
/*************************************************************************
--
2.23.0

108
SOURCES/0020-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch
View File

@ -1,108 +0,0 @@
From c82322be0012f8bf467d75681bd82322eba11145 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:01:49 +0200
Subject: [PATCH 020/187] s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_26()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5afa402bb7ba11a8eefc6e14047eeec1f3327681)
---
source4/libnet/libnet_passwd.c | 47 ++++++++--------------------------
1 file changed, 11 insertions(+), 36 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 97ce7f58ddf..0beea077bd0 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -23,6 +23,7 @@
#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "source4/librpc/rpc/dcerpc.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@@ -276,10 +277,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
if (r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -287,9 +284,8 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
/* prepare samr_SetUserInfo2 level 26 */
ZERO_STRUCT(u_info);
- encode_pw_buffer(u_info.info26.password.data, r->samr_handle.in.newpassword, STR_UNICODE);
u_info.info26.password_expired = 0;
-
+
status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
r->samr_handle.out.error_string = talloc_asprintf(mem_ctx,
@@ -297,38 +293,18 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
nt_errstr(status));
return status;
}
-
- generate_random_buffer((uint8_t *)confounder, 16);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword,
+ &session_key,
+ &u_info.info26.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string =
+ talloc_asprintf(mem_ctx,
+ "encode_rc4_passwd_buffer failed: %s",
+ nt_errstr(status));
+ return status;
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info26.password.data, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
-
- memcpy(&u_info.info26.password.data[516], confounder, 16);
- ZERO_ARRAY(confounder);
-
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
sui.in.level = 26;
@@ -346,7 +322,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
r->samr_handle.in.account_name, nt_errstr(status));
}
-out:
return status;
}
--
2.23.0

95
SOURCES/0021-s4-libnet-Use-encode_rc4_passwd_buffer-in-libnet_Set.patch
View File

@ -1,95 +0,0 @@
From c162d52b14947990fb6102180a7e2fd6a7d8d1d5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:11:54 +0200
Subject: [PATCH 021/187] s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_25()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e44ba0397c7558e1da6a46cc38237a3b0e5cef49)
---
source4/libnet/libnet_passwd.c | 43 +++++++---------------------------
1 file changed, 9 insertions(+), 34 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 0beea077bd0..b2105121523 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -331,10 +331,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
if (!r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -344,7 +340,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
ZERO_STRUCT(u_info);
u_info.info25.info = *r->samr_handle.in.info21;
u_info.info25.info.fields_present |= SAMR_FIELD_NT_PASSWORD_PRESENT;
- encode_pw_buffer(u_info.info25.password.data, r->samr_handle.in.newpassword, STR_UNICODE);
status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -354,36 +349,17 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
return status;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword,
+ &session_key,
+ &u_info.info25.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string =
+ talloc_asprintf(mem_ctx,
+ "encode_rc4_passwd_buffer failed: %s",
+ nt_errstr(status));
+ return status;
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info25.password.data, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
-
- memcpy(&u_info.info25.password.data[516], confounder, 16);
- ZERO_ARRAY(confounder);
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -401,7 +377,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
r->samr_handle.in.account_name, nt_errstr(status));
}
-out:
return status;
}
--
2.23.0

72
SOURCES/0022-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch
View File

@ -1,72 +0,0 @@
From 5b0f5925814742ca8b7e772f1a7f4558b770c45b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Feb 2019 13:38:21 +0100
Subject: [PATCH 022/187] s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_24()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 18937f9ceb5aca23899555c5a34fe359f6fcb126)
---
source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index b2105121523..064ef98879a 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -386,6 +386,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t enc_session_key;
+ int rc;
if (r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -404,7 +407,28 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
return status;
}
- arcfour_crypt_blob(u_info.info24.password.data, 516, &session_key);
+ enc_session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ u_info.info24.password.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -421,6 +445,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
"SetUserInfo2 level 24 for [%s] failed: %s",
r->samr_handle.in.account_name, nt_errstr(status));
}
+
+out:
+ data_blob_clear(&session_key);
return status;
}
--
2.23.0

72
SOURCES/0023-s4-libnet-Use-GnuTLS-RC4-in-libnet_SetPassword_samr_.patch
View File

@ -1,72 +0,0 @@
From e5e6605b40f80eee699f3fde275a620022979f05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Feb 2019 13:38:21 +0100
Subject: [PATCH 023/187] s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_23()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cdb4e12765266ae767021d932870fbfcd55ccbf6)
---
source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 064ef98879a..dce3813de38 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -457,6 +457,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t _session_key;
+ int rc;
if (!r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -477,7 +480,29 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
return status;
}
- arcfour_crypt_blob(u_info.info23.password.data, 516, &session_key);
+ _session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ u_info.info23.password.data,
+ 516);
+ data_blob_clear_free(&session_key);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -494,6 +519,8 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
"SetUserInfo2 level 23 for [%s] failed: %s",
r->samr_handle.in.account_name, nt_errstr(status));
}
+
+out:
return status;
}
--
2.23.0

174
SOURCES/0024-s4-libnet-Use-GnuTLS-RC4-in-libnet_ChangePassword_sa.patch
View File

@ -1,174 +0,0 @@
From 01c0b0ac77baae946d270d44d1c40dbdf17a8ee3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 25 Jul 2019 15:15:46 +1200
Subject: [PATCH 024/187] s4:libnet: Use GnuTLS RC4 in
libnet_ChangePassword_samr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9ea736590d9b22a7518f86b18e8c55b0d0e213d5)
---
source4/libnet/libnet_passwd.c | 110 +++++++++++++++++++++++++++++++--
1 file changed, 104 insertions(+), 6 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index dce3813de38..704a94a5864 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -20,7 +20,6 @@
#include "includes.h"
#include "libnet/libnet.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "source4/librpc/rpc/dcerpc.h"
@@ -57,6 +56,16 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
uint8_t old_lm_hash[16], new_lm_hash[16];
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t nt_session_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+ gnutls_datum_t lm_session_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
+ int rc;
ZERO_STRUCT(c);
@@ -87,11 +96,47 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
/* prepare samr_ChangePasswordUser3 */
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
pw3.in.server = &server;
@@ -125,11 +170,46 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
/* prepare samr_ChangePasswordUser2 */
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
pw2.in.server = &server;
@@ -161,7 +241,25 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
a_account.string = r->samr.in.account_name;
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
oe2.in.server = &a_server;
--
2.23.0

236
SOURCES/0025-libcli-auth-Return-WERROR-for-encode_wkssvc_join_pas.patch
View File

@ -1,236 +0,0 @@
From 2d6f95107af7357d1084a4ba272f865c8249510a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 15:50:45 +0200
Subject: [PATCH 025/187] libcli:auth: Return WERROR for
encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 576bcf61555fb641b2919ad84a6b26b242b57061)
---
libcli/auth/proto.h | 8 +++---
libcli/auth/smbencrypt.c | 20 ++++++++++-----
source3/lib/netapi/joindomain.c | 44 +++++++++++++++++++++------------
source4/torture/rpc/wkssvc.c | 20 ++++++++++++---
4 files changed, 62 insertions(+), 30 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 67caaca8c41..65ee06215dc 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -207,10 +207,10 @@ bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
uint8_t in_buffer[516], DATA_BLOB *new_pass);
struct wkssvc_PasswordBuffer;
-void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf);
+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
+ const char *pwd,
+ DATA_BLOB *session_key,
+ struct wkssvc_PasswordBuffer **pwd_buf);
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
struct wkssvc_PasswordBuffer *pwd_buf,
DATA_BLOB *session_key,
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 793012553b2..745f47999cd 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -965,10 +965,10 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
* buffer), calling MD5Update() first with session_key and then with confounder
* (vice versa in samr) - Guenther */
-void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf)
+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
+ const char *pwd,
+ DATA_BLOB *session_key,
+ struct wkssvc_PasswordBuffer **pwd_buf)
{
uint8_t buffer[516];
gnutls_hash_hd_t hash_hnd = NULL;
@@ -976,11 +976,12 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
DATA_BLOB confounded_session_key;
int confounder_len = 8;
uint8_t confounder[8];
+ WERROR werr;
int rc;
my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
if (!my_pwd_buf) {
- return;
+ return WERR_NOT_ENOUGH_MEMORY;
}
confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
@@ -991,17 +992,23 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
rc = gnutls_hash(hash_hnd, confounder, confounder_len);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
@@ -1017,8 +1024,9 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
*pwd_buf = my_pwd_buf;
+ werr = WERR_OK;
out:
- return;
+ return werr;
}
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index 8d0752f4531..f2d36fc00db 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -137,10 +137,13 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
old_timeout = rpccli_set_timeout(pipe_cli, 600000);
@@ -279,10 +282,13 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
old_timeout = rpccli_set_timeout(pipe_cli, 60000);
@@ -484,10 +490,13 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
status = dcerpc_wkssvc_NetrGetJoinableOus2(b, talloc_tos(),
@@ -537,10 +546,13 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
status = dcerpc_wkssvc_NetrRenameMachineInDomain2(b, talloc_tos(),
diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c
index c98ac92b39b..4bc1f9cd0c7 100644
--- a/source4/torture/rpc/wkssvc.c
+++ b/source4/torture/rpc/wkssvc.c
@@ -1199,6 +1199,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
+ WERROR werr;
DATA_BLOB session_key;
struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1240,8 +1241,13 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
return false;
}
- encode_wkssvc_join_password_buffer(tctx, domain_admin_password,
- &session_key, &pwd_buf);
+ werr = encode_wkssvc_join_password_buffer(tctx,
+ domain_admin_password,
+ &session_key,
+ &pwd_buf);
+ if (!W_ERROR_IS_OK(werr)) {
+ return false;
+ }
r.in.server_name = dcerpc_server_name(p);
r.in.domain_name = domain_name;
@@ -1284,6 +1290,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
+ WERROR werr;
DATA_BLOB session_key;
struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1322,8 +1329,13 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
return false;
}
- encode_wkssvc_join_password_buffer(tctx, domain_admin_password,
- &session_key, &pwd_buf);
+ werr = encode_wkssvc_join_password_buffer(tctx,
+ domain_admin_password,
+ &session_key,
+ &pwd_buf);
+ if (!W_ERROR_IS_OK(werr)) {
+ return false;
+ }
r.in.server_name = dcerpc_server_name(p);
r.in.account = domain_admin_account;
--
2.23.0

172
SOURCES/0026-libcli-auth-Add-test-for-encode-decode-_wkssvc_join_.patch
View File

@ -1,172 +0,0 @@
From 32004f3011bb6bb45f21d39c6e2830a47ec43f3e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 17:36:58 +0200
Subject: [PATCH 026/187] libcli:auth: Add test for
(encode|decode)_wkssvc_join_password_buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f4a16bfba8d87de883d3d2e54cdc825fc5e01c2b)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 129 +++++++++++++++++++++
1 file changed, 129 insertions(+)
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index db6ca3f3f4c..6d97ac6e2f7 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -99,6 +99,76 @@ static const uint8_t encrypted_test_blob[] = {
0x15, 0x13, 0xdc, 0x15,
};
+
+static const uint8_t encrypted_wkssvc_test_blob[] = {
+ 0x13, 0x79, 0x1f, 0x1a, 0x02, 0x15, 0x72, 0x1c,
+ 0xa6, 0x26, 0x37, 0xeb, 0x1d, 0x41, 0x7f, 0x76,
+ 0x11, 0x3f, 0x49, 0x4c, 0xf9, 0x69, 0x17, 0xc8,
+ 0x90, 0x92, 0x53, 0xb9, 0x3f, 0xcd, 0x06, 0xfe,
+ 0x5c, 0x17, 0x82, 0xbd, 0x86, 0xab, 0x49, 0xee,
+ 0x61, 0x76, 0x55, 0xc0, 0x10, 0x51, 0xcd, 0xd9,
+ 0x6f, 0x12, 0x86, 0xc6, 0x19, 0x59, 0x9a, 0x2f,
+ 0x27, 0x1d, 0x99, 0x30, 0x60, 0x0d, 0x65, 0xc6,
+ 0x43, 0xd6, 0xda, 0x6b, 0x66, 0x95, 0xd4, 0xca,
+ 0xf5, 0x04, 0xf7, 0x01, 0x5a, 0x55, 0xb0, 0x5e,
+ 0x72, 0x8a, 0x75, 0xe5, 0x33, 0x4c, 0xd8, 0xc4,
+ 0x0e, 0xf4, 0x6d, 0x23, 0xdd, 0x05, 0x90, 0xff,
+ 0xe0, 0x91, 0x7b, 0x62, 0x86, 0xee, 0x78, 0x31,
+ 0x07, 0xad, 0x8b, 0xf9, 0xdf, 0x6f, 0x8b, 0xbd,
+ 0x15, 0xde, 0x1b, 0xae, 0x84, 0x68, 0xe5, 0x41,
+ 0x7a, 0xe3, 0x47, 0x99, 0xba, 0x61, 0xe5, 0x51,
+ 0x64, 0x9a, 0xa0, 0x41, 0x44, 0xa1, 0x3a, 0x52,
+ 0x59, 0x7d, 0x6c, 0xcf, 0xcc, 0xf0, 0x11, 0xbc,
+ 0xb7, 0x51, 0xa9, 0xd8, 0xfd, 0xbf, 0x58, 0x77,
+ 0x28, 0x86, 0xa1, 0x27, 0x94, 0xe5, 0xf6, 0x1a,
+ 0x6b, 0x76, 0xf7, 0x72, 0x6e, 0x17, 0x09, 0xd8,
+ 0x3c, 0x6f, 0x39, 0x91, 0xea, 0x48, 0x98, 0xdc,
+ 0x1d, 0x50, 0x2e, 0x02, 0x6e, 0x7f, 0x80, 0x5d,
+ 0x6e, 0x96, 0xe1, 0xcf, 0x8b, 0x6b, 0xb6, 0xed,
+ 0xb4, 0x6a, 0x08, 0xd2, 0x45, 0x09, 0x88, 0x86,
+ 0x32, 0x58, 0xd8, 0x5e, 0x33, 0x8c, 0x29, 0x1a,
+ 0x8f, 0xc5, 0x54, 0x9b, 0xa8, 0x32, 0xb2, 0xc1,
+ 0x72, 0x14, 0x6c, 0x5d, 0x9d, 0xd3, 0xf2, 0x6c,
+ 0x6e, 0xa4, 0x84, 0x52, 0x26, 0x73, 0x7a, 0x30,
+ 0x56, 0x75, 0xef, 0xd1, 0x9d, 0xcd, 0xb7, 0x87,
+ 0xa9, 0x5c, 0xaf, 0xe6, 0xda, 0x1d, 0x3c, 0x9c,
+ 0xa3, 0xb1, 0x03, 0xb0, 0x8e, 0xf6, 0xc8, 0x8f,
+ 0x57, 0x1c, 0xce, 0x05, 0x54, 0x99, 0xf1, 0xf9,
+ 0x35, 0xe6, 0xf7, 0x67, 0x94, 0xb2, 0x67, 0x5b,
+ 0xe7, 0xa0, 0xa2, 0x1e, 0xa2, 0x74, 0xd3, 0x99,
+ 0x9c, 0xd5, 0xd9, 0x90, 0x86, 0x24, 0x0e, 0x1a,
+ 0x0d, 0xc8, 0x9e, 0x68, 0x4c, 0x43, 0x2f, 0x42,
+ 0xb1, 0x7c, 0xce, 0x1e, 0xb6, 0xac, 0x56, 0xb0,
+ 0x8d, 0x93, 0xf1, 0x53, 0x7d, 0x0e, 0x00, 0x46,
+ 0xba, 0x2e, 0x14, 0x7a, 0x0b, 0xaa, 0xcb, 0x07,
+ 0x9b, 0x09, 0x05, 0xa0, 0xd3, 0xa1, 0x80, 0xc2,
+ 0xd3, 0x59, 0x92, 0x27, 0x66, 0x1f, 0xdd, 0x76,
+ 0x36, 0xb3, 0x3c, 0xeb, 0xd7, 0x61, 0x94, 0xb1,
+ 0xf8, 0x3a, 0xe0, 0xba, 0x91, 0x0f, 0xef, 0x72,
+ 0x2b, 0x26, 0xc6, 0xb8, 0x6d, 0x0b, 0xdb, 0x60,
+ 0xf8, 0xb4, 0x98, 0xd7, 0x8b, 0x8d, 0xfb, 0xa7,
+ 0x4e, 0x27, 0xeb, 0x00, 0xe8, 0xf7, 0x5a, 0xec,
+ 0xf5, 0x60, 0x28, 0x37, 0xb2, 0xc4, 0x13, 0x48,
+ 0x2a, 0xe1, 0x34, 0xb2, 0x53, 0xcb, 0x44, 0x34,
+ 0x08, 0x7e, 0x56, 0x5c, 0x2b, 0x9b, 0xe2, 0xca,
+ 0x90, 0xb0, 0x57, 0xee, 0x10, 0x88, 0x39, 0x84,
+ 0xc6, 0x66, 0x07, 0x50, 0x63, 0xcc, 0x2a, 0x7c,
+ 0x99, 0x8c, 0x05, 0xf9, 0xf0, 0xb8, 0x62, 0xf0,
+ 0x92, 0xf7, 0x2a, 0x4a, 0x17, 0x14, 0x78, 0xa1,
+ 0x71, 0xb6, 0x42, 0xf0, 0x87, 0xa8, 0xa4, 0x48,
+ 0xeb, 0xdb, 0xed, 0x8a, 0x15, 0x19, 0x1a, 0xd9,
+ 0xfe, 0x6f, 0x07, 0x93, 0x5d, 0x39, 0xe8, 0x0e,
+ 0x47, 0xe6, 0x7a, 0x7d, 0x52, 0x2e, 0x40, 0x6f,
+ 0x31, 0x1b, 0xf6, 0x0c, 0xc2, 0x83, 0xae, 0xc1,
+ 0xf0, 0xf5, 0x71, 0xcd, 0xe2, 0xf5, 0x19, 0xb6,
+ 0xd8, 0xb0, 0x4d, 0xa9, 0x51, 0x1c, 0xb4, 0xaf,
+ 0x69, 0x9a, 0x89, 0xb6, 0x5b, 0x4d, 0xfa, 0x1b,
+ 0xca, 0xc8, 0x61, 0x92, 0x3a, 0xd6, 0x76, 0xad,
+ 0x5d, 0xa6, 0x17, 0x60, 0x3e, 0xea, 0x94, 0xcf,
+ 0x6d, 0x1b, 0x98, 0x5c, 0x19, 0x9e, 0x4e, 0xd3,
+ 0x21, 0x55, 0xda, 0xe3,
+};
+
static void torture_decode_rc4_passwd_buffer(void **state)
{
char *password_decoded = NULL;
@@ -187,6 +257,63 @@ static void torture_endode_decode_rc4_passwd_buffer(void **state)
talloc_free(password_decoded);
}
+static void torture_decode_wkssvc_join_password_buffer(void **state)
+{
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct wkssvc_PasswordBuffer pwd_buf = {
+ .data = {0},
+ };
+ char *password_decoded = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ WERROR werr;
+
+ mem_ctx = talloc_new(NULL);
+ assert_non_null(mem_ctx);
+
+ memcpy(pwd_buf.data,
+ encrypted_wkssvc_test_blob,
+ sizeof(pwd_buf.data));
+
+ werr = decode_wkssvc_join_password_buffer(mem_ctx,
+ &pwd_buf,
+ &session_key,
+ &password_decoded);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(password_decoded);
+ assert_string_equal(password_decoded, PASSWORD);
+
+ TALLOC_FREE(mem_ctx);
+}
+
+static void torture_wkssvc_join_password_buffer(void **state)
+{
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct wkssvc_PasswordBuffer *pwd_buf = NULL;
+ char *password_decoded = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ WERROR werr;
+
+ mem_ctx = talloc_new(NULL);
+ assert_non_null(mem_ctx);
+
+ werr = encode_wkssvc_join_password_buffer(mem_ctx,
+ PASSWORD,
+ &session_key,
+ &pwd_buf);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(pwd_buf);
+
+ werr = decode_wkssvc_join_password_buffer(mem_ctx,
+ pwd_buf,
+ &session_key,
+ &password_decoded);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(password_decoded);
+ assert_string_equal(password_decoded, PASSWORD);
+
+ TALLOC_FREE(mem_ctx);
+}
+
int main(int argc, char *argv[])
{
int rc;
@@ -194,6 +321,8 @@ int main(int argc, char *argv[])
cmocka_unit_test(torture_decode_rc4_passwd_buffer),
cmocka_unit_test(torture_rc4_passwd_buffer),
cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer),
+ cmocka_unit_test(torture_decode_wkssvc_join_password_buffer),
+ cmocka_unit_test(torture_wkssvc_join_password_buffer),
};
if (argc == 2) {
--
2.23.0

111
SOURCES/0027-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
View File

@ -1,111 +0,0 @@
From cbabf1224f61900eb96ea15841950c26b8b88cb5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 18:03:00 +0200
Subject: [PATCH 027/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() in encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 85e2a3c96ad9acc1a85db189f6418c9d880b4718)
---
libcli/auth/smbencrypt.c | 69 ++++++++++++++--------------------------
1 file changed, 23 insertions(+), 46 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 745f47999cd..823e16a3387 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -968,65 +968,42 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
const char *pwd,
DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf)
+ struct wkssvc_PasswordBuffer **out_pwd_buf)
{
- uint8_t buffer[516];
- gnutls_hash_hd_t hash_hnd = NULL;
- struct wkssvc_PasswordBuffer *my_pwd_buf = NULL;
- DATA_BLOB confounded_session_key;
- int confounder_len = 8;
- uint8_t confounder[8];
- WERROR werr;
+ struct wkssvc_PasswordBuffer *pwd_buf = NULL;
+ uint8_t _confounder[8] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 8);
+ uint8_t pwbuf[516] = {0};
+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
int rc;
- my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
- if (!my_pwd_buf) {
+ pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
+ if (pwd_buf == NULL) {
return WERR_NOT_ENOUGH_MEMORY;
}
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
- encode_pw_buffer(buffer, pwd, STR_UNICODE);
+ encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
- generate_random_buffer((uint8_t *)confounder, confounder_len);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+ generate_random_buffer(_confounder, sizeof(_confounder));
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, confounder_len);
+ rc = samba_gnutls_arcfour_confounded_md5(session_key,
+ &confounder,
+ &encrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
- goto out;
+ ZERO_ARRAY(_confounder);
+ TALLOC_FREE(pwd_buf);
+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
- arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
- memcpy(&my_pwd_buf->data[0], confounder, confounder_len);
- ZERO_ARRAY(confounder);
- memcpy(&my_pwd_buf->data[8], buffer, 516);
- ZERO_ARRAY(buffer);
-
- data_blob_clear_free(&confounded_session_key);
+ memcpy(&pwd_buf->data[0], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
+ memcpy(&pwd_buf->data[8], encrypt_pwbuf.data, encrypt_pwbuf.length);
+ ZERO_ARRAY(pwbuf);
- *pwd_buf = my_pwd_buf;
+ *out_pwd_buf = pwd_buf;
- werr = WERR_OK;
-out:
- return werr;
+ return WERR_OK;
}
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
--
2.23.0

117
SOURCES/0028-libcli-auth-Use-samba_gnutls_arcfour_confounded_md5-.patch
View File

@ -1,117 +0,0 @@
From 0d2898429e7eb2ca144885d5a1f9485cca620464 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 18:21:18 +0200
Subject: [PATCH 028/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() in decode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bcf7808d3aa8a5932a40955e4b764f55061e07d7)
---
libcli/auth/smbencrypt.c | 71 ++++++++++++++--------------------------
1 file changed, 24 insertions(+), 47 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 823e16a3387..cc5e1fbb899 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -1011,70 +1011,47 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
char **pwd)
{
- gnutls_hash_hd_t hash_hnd = NULL;
- uint8_t buffer[516];
- size_t pwd_len;
- WERROR result;
+ uint8_t _confounder[8];
+ DATA_BLOB confounder = data_blob_const(_confounder, 8);
+ uint8_t pwbuf[516] = {0};
+ DATA_BLOB decrypt_pwbuf = data_blob_const(pwbuf, 516);
bool ok;
int rc;
- DATA_BLOB confounded_session_key;
-
- int confounder_len = 8;
- uint8_t confounder[8];
-
- *pwd = NULL;
-
- if (!pwd_buf) {
+ if (pwd_buf == NULL) {
return WERR_INVALID_PASSWORD;
}
+ *pwd = NULL;
+
if (session_key->length != 16) {
DEBUG(10,("invalid session key\n"));
return WERR_INVALID_PASSWORD;
}
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+ confounder = data_blob_const(&pwd_buf->data[0], 8);
+ memcpy(&pwbuf, &pwd_buf->data[8], 516);
- memcpy(&confounder, &pwd_buf->data[0], confounder_len);
- memcpy(&buffer, &pwd_buf->data[8], 516);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, confounder_len);
+ rc = samba_gnutls_arcfour_confounded_md5(session_key,
+ &confounder,
+ &decrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
+ ZERO_ARRAY(_confounder);
+ TALLOC_FREE(pwd_buf);
+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
- arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
- ok = decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, CH_UTF16);
-
- ZERO_ARRAY(confounder);
- ZERO_ARRAY(buffer);
-
- data_blob_clear_free(&confounded_session_key);
+ ok = decode_pw_buffer(mem_ctx,
+ decrypt_pwbuf.data,
+ pwd,
+ &decrypt_pwbuf.length,
+ CH_UTF16);
+ ZERO_ARRAY(pwbuf);
if (!ok) {
- result = WERR_INVALID_PASSWORD;
- goto out;
+ return WERR_INVALID_PASSWORD;
}
- result = WERR_OK;
-out:
- return result;
+ return WERR_OK;
}
-
--
2.23.0

66
SOURCES/0029-auth-ntlmssp-Use-GnuTLS-RC4-in-ntlmssp-client.patch
View File

@ -1,66 +0,0 @@
From ba125c495c950570017d84b1cb2a223679250961 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 9 Nov 2018 12:29:55 +0100
Subject: [PATCH 029/187] auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cb4025a50232f24139f21d87e50b6e6ea69238ba)
---
auth/ntlmssp/ntlmssp_client.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index df891f8d933..b8d1190466b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -690,17 +690,43 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
/* Make up a new session key */
uint8_t client_session_key[16];
+ gnutls_cipher_hd_t cipher_hnd;
+ gnutls_datum_t enc_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
generate_secret_buffer(client_session_key, sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
client_session_key, sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
- arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ encrypted_session_key.data,
+ encrypted_session_key.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */
session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
+ ZERO_ARRAY(client_session_key);
}
/* this generates the actual auth packet */
--
2.23.0

411
SOURCES/0030-auth-ntlmssp-Use-GnuTLS-RC4-for-ntlmssp-signing.patch
View File

@ -1,411 +0,0 @@
From 73f0d5f5a62edbcfeb8f79fffa422416b83edf3e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 6 Dec 2018 18:11:14 +0100
Subject: [PATCH 030/187] auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7bd502dcdb44c7d0f8a56b2ba489ae8cf2b886bd)
---
auth/ntlmssp/ntlmssp_private.h | 5 +-
auth/ntlmssp/ntlmssp_sign.c | 212 ++++++++++++++++++++++++++-------
2 files changed, 174 insertions(+), 43 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 95ec6374f51..4d84e3347b6 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -20,14 +20,15 @@
/* For structures internal to the NTLMSSP implementation that should not be exposed */
-#include "../lib/crypto/arcfour.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
struct auth_session_info;
struct ntlmssp_crypt_direction {
uint32_t seq_num;
uint8_t sign_key[16];
- struct arcfour_state seal_state;
+ gnutls_cipher_hd_t seal_state;
};
union ntlmssp_crypt_state {
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 8ba2e246b34..89f1aa04f7a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -47,9 +47,9 @@
*/
static void dump_arc4_state(const char *description,
- struct arcfour_state *state)
+ gnutls_cipher_hd_t *state)
{
- dump_data_pw(description, state->sbox, sizeof(state->sbox));
+ DBG_DEBUG("%s\n", description);
}
static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
@@ -90,13 +90,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
enum ntlmssp_direction direction,
DATA_BLOB *sig, bool encrypt_sig)
{
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ int rc;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t digest[16];
uint8_t seq_num[4];
- int rc;
*sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
if (!sig->data) {
@@ -158,14 +158,24 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
switch (direction) {
case NTLMSSP_SEND:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ digest,
+ 8);
break;
case NTLMSSP_RECEIVE:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ digest,
+ 8);
break;
}
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
+ "%s packet signature failed: %s\n",
+ direction == NTLMSSP_SEND ?
+ "send" : "receive",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
@@ -194,8 +204,15 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
dump_arc4_state("ntlmssp hash: \n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
+ "signature failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
return NT_STATUS_OK;
@@ -317,6 +334,8 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ int rc;
+
if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -353,11 +372,25 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
return nt_status;
}
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- sig->data+4, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ sig->data + 4,
+ 8);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
+ "the EXCH signature data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
} else {
NTSTATUS status;
@@ -381,17 +414,30 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
* is not constant, but is is rather updated with
* each iteration
*/
-
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
ntlmssp_state->crypt->ntlm.seq_num++;
}
@@ -412,6 +458,8 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB *sig)
{
NTSTATUS status;
+ int rc;
+
if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -422,14 +470,29 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
/* First unseal the data. */
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv2 clear data\n", data, length);
} else {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv1 clear data\n", data, length);
}
+
status = ntlmssp_check_packet(ntlmssp_state,
data, length,
whole_pdu, pdu_length,
@@ -555,6 +618,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums)
{
+ int rc;
+
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
@@ -584,12 +649,16 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
const char *send_seal_const;
const char *recv_sign_const;
const char *recv_seal_const;
- uint8_t send_seal_key[16];
- DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
- sizeof(send_seal_key));
- uint8_t recv_seal_key[16];
- DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
- sizeof(recv_seal_key));
+ uint8_t send_seal_key[16] = {0};
+ gnutls_datum_t send_seal_blob = {
+ .data = send_seal_key,
+ .size = sizeof(send_seal_key),
+ };
+ uint8_t recv_seal_key[16] = {0};
+ gnutls_datum_t recv_seal_blob = {
+ .data = recv_seal_key,
+ .size = sizeof(recv_seal_key),
+ };
NTSTATUS status;
switch (ntlmssp_state->role) {
@@ -648,10 +717,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
+ dump_data_pw("NTLMSSP send seal key:\n",
+ send_seal_key,
+ sizeof(send_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- &send_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &send_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP send seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.sending.seal_state);
@@ -677,10 +758,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
+ dump_data_pw("NTLMSSP recv seal key:\n",
+ recv_seal_key,
+ sizeof(recv_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- &recv_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &recv_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.receiving.seal_state);
@@ -690,8 +783,10 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
}
} else {
- uint8_t weak_session_key[8];
- DATA_BLOB seal_session_key = ntlmssp_state->session_key;
+ gnutls_datum_t seal_session_key = {
+ .data = ntlmssp_state->session_key.data,
+ .size = ntlmssp_state->session_key.length,
+ };
bool do_weak = false;
DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
@@ -709,14 +804,19 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
* Nothing to weaken.
* We certainly don't want to 'extend' the length...
*/
- if (seal_session_key.length < 16) {
+ if (ntlmssp_state->session_key.length < 16) {
/* TODO: is this really correct? */
do_weak = false;
}
if (do_weak) {
+ uint8_t weak_session_key[8];
+
memcpy(weak_session_key, seal_session_key.data, 8);
- seal_session_key = data_blob_const(weak_session_key, 8);
+ seal_session_key = (gnutls_datum_t) {
+ .data = weak_session_key,
+ .size = sizeof(weak_session_key),
+ };
/*
* LM key doesn't support 128 bit crypto, so this is
@@ -732,8 +832,18 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
}
}
- arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
- &seal_session_key);
+ if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &seal_session_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
@@ -746,6 +856,24 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
return NT_STATUS_OK;
}
+static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
+{
+ if (c->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
+ c->ntlm2.sending.seal_state = NULL;
+ }
+ if (c->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
+ c->ntlm2.receiving.seal_state = NULL;
+ }
+ if (c->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm.seal_state);
+ c->ntlm.seal_state = NULL;
+ }
+
+ return 0;
+}
+
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
{
if (ntlmssp_state->session_key.length < 8) {
@@ -758,6 +886,8 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ talloc_set_destructor(ntlmssp_state->crypt,
+ ntlmssp_crypt_free_gnutls_cipher_state);
return ntlmssp_sign_reset(ntlmssp_state, true);
}
--
2.23.0

76
SOURCES/0031-s3-libsmb-Use-GnuTLS-RC4-in-clirap.patch
View File

@ -1,76 +0,0 @@
From c7e79b33a10a8e393df78fd7adf60a5a3dbebcc6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Jan 2019 18:14:17 +0100
Subject: [PATCH 031/187] s3:libsmb: Use GnuTLS RC4 in clirap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0947d8388def40b01b322d0deee4dba386983410)
---
source3/libsmb/clirap.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index b4b40ebdab4..c0b9dcdff39 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -22,7 +22,6 @@
#include "includes.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/rap.h"
-#include "../lib/crypto/arcfour.h"
#include "../lib/util/tevent_ntstatus.h"
#include "async_smb.h"
#include "libsmb/libsmb.h"
@@ -31,6 +30,9 @@
#include "../libcli/smb/smbXcli_base.h"
#include "cli_smb2_fnum.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#define PIPE_LANMAN "\\PIPE\\LANMAN"
/****************************************************************************
@@ -508,6 +510,12 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
char *rparam = NULL;
char *rdata = NULL;
unsigned int rprcnt, rdrcnt;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_pw_key = {
+ .data = old_pw_hash,
+ .size = sizeof(old_pw_hash),
+ };
+ int rc;
if (strlen(user) >= sizeof(fstring)-1) {
DEBUG(0,("cli_oem_change_password: user name %s is too long.\n", user));
@@ -539,7 +547,22 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
DEBUG(100,("make_oem_passwd_hash\n"));
dump_data(100, data, 516);
#endif
- arcfour_crypt( (unsigned char *)data, (unsigned char *)old_pw_hash, 516);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_pw_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return false;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return false;
+ }
/*
* Now place the old password hash in the data.
--
2.23.0

160
SOURCES/0032-s3-rpc_client-Use-init_samr_CryptPassword-in-cli_sam.patch
View File

@ -1,160 +0,0 @@
From 36dfd6496dc9b954b2243bbb5293af8ce332cf4f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 12:41:32 +0100
Subject: [PATCH 032/187] s3:rpc_client: Use init_samr_CryptPassword in
cli_samr rpc_client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a95647e12ac75ffda42d95b41144596a078aebd6)
---
source3/rpc_client/cli_samr.c | 59 ++++++++++++++++++++++++++++-------
source3/wscript_build | 2 +-
2 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c
index 7764e1a8540..452e9593f6a 100644
--- a/source3/rpc_client/cli_samr.c
+++ b/source3/rpc_client/cli_samr.c
@@ -26,8 +26,8 @@
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "rpc_client/cli_samr.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_lsa.h"
+#include "rpc_client/init_samr.h"
/* User change password */
@@ -128,6 +128,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
uint8_t new_lanman_hash[16];
struct lsa_String server, account;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+
DEBUG(10,("rpccli_samr_chgpasswd_user2\n"));
init_lsa_String(&server, srv_name_slash);
@@ -144,19 +146,25 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_lm_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_nt_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser2(h,
@@ -170,6 +178,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
&old_lanman_hash_enc,
presult);
+ ZERO_STRUCT(new_nt_password);
+ ZERO_STRUCT(new_lm_password);
+ ZERO_STRUCT(old_nt_hash_enc);
+ ZERO_STRUCT(old_lanman_hash_enc);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lanman_hash);
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lanman_hash);
+
return status;
}
@@ -308,6 +325,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
struct lsa_String server, account;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+
DEBUG(10,("rpccli_samr_chgpasswd_user3\n"));
init_lsa_String(&server, srv_name_slash);
@@ -324,19 +343,26 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_lm_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_nt_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser3(h,
@@ -353,6 +379,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
reject,
presult);
+ ZERO_STRUCT(new_nt_password);
+ ZERO_STRUCT(new_lm_password);
+ ZERO_STRUCT(old_nt_hash_enc);
+ ZERO_STRUCT(old_lanman_hash_enc);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lanman_hash);
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lanman_hash);
+
return status;
}
diff --git a/source3/wscript_build b/source3/wscript_build
index aa3c7175202..b73f6dc0664 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1009,7 +1009,7 @@ bld.SAMBA3_SUBSYSTEM('errors3',
bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR',
source='rpc_client/cli_samr.c',
- deps='RPC_NDR_SAMR')
+ deps='RPC_NDR_SAMR INIT_SAMR')
bld.SAMBA3_LIBRARY('libcli_lsa3',
source='rpc_client/cli_lsarpc.c',
--
2.23.0

77
SOURCES/0033-s3-rpc_server-Use-GnuTLS-RC4-in-samr-password-check.patch
View File

@ -1,77 +0,0 @@
From 07925f22341c508792b3ce8feeae2abc939a61f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 17:40:13 +0100
Subject: [PATCH 033/187] s3:rpc_server: Use GnuTLS RC4 in samr password check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d31f6a6803c86b8de0a97927731091f5a7bee4f1)
---
source3/rpc_server/samr/srv_samr_chgpasswd.c | 30 ++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index 3749edbb044..fc509494ebc 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -50,12 +50,15 @@
#include "system/passwd.h"
#include "system/filesys.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_server/samr/srv_samr_util.h"
#include "passdb.h"
#include "auth.h"
#include "lib/util/sys_rw.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#ifndef ALLOW_CHANGE_PASSWORD
#if (defined(HAVE_TERMIOS_H) && defined(HAVE_DUP2) && defined(HAVE_SETSID))
#define ALLOW_CHANGE_PASSWORD 1
@@ -685,6 +688,10 @@ static NTSTATUS check_oem_password(const char *user,
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t enc_key;
+ int rc;
+
/* this call should be disabled without NTLM auth */
if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
DBG_WARNING("NTLM password changes not"
@@ -752,7 +759,26 @@ static NTSTATUS check_oem_password(const char *user,
/*
* Decrypt the password with the key
*/
- arcfour_crypt( password_encrypted, encryption_key, 516);
+ enc_key = (gnutls_datum_t) {
+ .data = discard_const_p(unsigned char, encryption_key),
+ .size = 16,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_key,
+ NULL);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ password_encrypted,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
if (!decode_pw_buffer(talloc_tos(),
password_encrypted,
--
2.23.0

119
SOURCES/0034-s3-rpc_server-Use-GnuTLS-RC4-to-decrypt-samr-passwor.patch
View File

@ -1,119 +0,0 @@
From 6eb8a45387ae6400d4b48d838ec89510afe2b37a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 14:04:31 +0200
Subject: [PATCH 034/187] s3:rpc_server: Use GnuTLS RC4 to decrypt samr
password buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f)
---
source3/rpc_server/samr/srv_samr_nt.c | 58 ++++++++++++++++++++++++---
1 file changed, 52 insertions(+), 6 deletions(-)
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index fd5c453e0eb..ad1d1853bda 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -37,7 +37,6 @@
#include "ntdomain.h"
#include "../librpc/gen_ndr/srv_samr.h"
#include "rpc_server/samr/srv_samr_util.h"
-#include "../lib/crypto/arcfour.h"
#include "secrets.h"
#include "rpc_client/init_lsa.h"
#include "../libcli/security/security.h"
@@ -47,6 +46,10 @@
#include "../lib/tsocket/tsocket.h"
#include "lib/util/base64.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -4946,6 +4949,41 @@ static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
return acc_required;
}
+static NTSTATUS arc4_decrypt_data(DATA_BLOB session_key,
+ uint8_t *data,
+ size_t data_size)
+{
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t my_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+ int rc;
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &my_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ data,
+ data_size);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ status = NT_STATUS_OK;
+out:
+ return status;
+}
+
/*******************************************************************
samr_SetUserInfo
********************************************************************/
@@ -5153,8 +5191,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- arcfour_crypt_blob(info->info23.password.data, 516,
- &session_key);
+ status = arc4_decrypt_data(session_key,
+ info->info23.password.data,
+ 516);
+ if(!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info23.password.data, 516);
@@ -5165,13 +5207,17 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 24:
+
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
- arcfour_crypt_blob(info->info24.password.data,
- 516,
- &session_key);
+ status = arc4_decrypt_data(session_key,
+ info->info24.password.data,
+ 516);
+ if(!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info24.password.data, 516);
--
2.23.0

110
SOURCES/0035-s3-utils-Use-GnuTLS-RC4-in-ntlm_auth.patch
View File

@ -1,110 +0,0 @@
From ef374b9b3b98b498545d40f0aa2e537bdf81ae59 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 12:40:21 +0100
Subject: [PATCH 035/187] s3:utils: Use GnuTLS RC4 in ntlm_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 359ae5be0d21e7ab235035aab65710c9459e9593)
---
source3/utils/ntlm_auth.c | 45 ++++++++++++++++++++++++++++++++++++---
1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 87f6554ae4f..8a6218ac9ec 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -37,7 +37,6 @@
#include "librpc/crypto/gse.h"
#include "smb_krb5.h"
#include "lib/util/tiniparser.h"
-#include "../lib/crypto/arcfour.h"
#include "nsswitch/winbind_client.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "../lib/util/asn1.h"
@@ -49,6 +48,9 @@
#include "lib/util/base64.h"
#include "cmdline_contexts.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#ifdef HAVE_KRB5
#include "auth/kerberos/pac_utils.h"
#endif
@@ -1937,6 +1939,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
uchar new_nt_hash[16];
uchar new_lm_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+ int rc;
+
new_nt_pswd = data_blob(NULL, 516);
old_nt_hash_enc = data_blob(NULL, 16);
@@ -1956,6 +1965,19 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
Likewise, obey the admin's restriction
*/
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_nt_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+ DBG_ERR("Running in FIPS mode, NTLM blocked\n");
+ }
+ return;
+ }
+
if (lp_client_lanman_auth() &&
E_deshash(newpswd, new_lm_hash) &&
E_deshash(oldpswd, old_lm_hash)) {
@@ -1964,7 +1986,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
encode_pw_buffer(new_lm_pswd.data, newpswd,
STR_UNICODE);
- arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ new_lm_pswd.data,
+ 516);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return;
+ }
E_old_pw_hash(new_nt_hash, old_lm_hash,
old_lm_hash_enc.data);
} else {
@@ -1977,9 +2005,20 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
encode_pw_buffer(new_nt_pswd.data, newpswd,
STR_UNICODE);
- arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ new_nt_pswd.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return;
+ }
E_old_pw_hash(new_nt_hash, old_nt_hash,
old_nt_hash_enc.data);
+
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lm_hash);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lm_hash);
}
if (!full_username && !username) {
--
2.23.0

76
SOURCES/0036-s4-rpc_server-Use-samba_gnutls_arcfour_confounded_md.patch
View File

@ -1,76 +0,0 @@
From e81c7a540896c9a3fed8d6a8b080f76c83d70369 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 12:50:57 +1200
Subject: [PATCH 036/187] s4:rpc_server: Use
samba_gnutls_arcfour_confounded_md5() in samr_set_password_ex()
This allows the use of GnuTLS for the underlying RC4 crypto operations.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9363abfb5fcfeff30295ce0cf94c18941a6c4e9f)
---
source4/rpc_server/samr/samr_password.c | 34 ++++++-------------------
1 file changed, 8 insertions(+), 26 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 7c441f38ce2..fde0de2c3cc 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -586,9 +586,11 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
{
NTSTATUS nt_status;
DATA_BLOB new_password;
- DATA_BLOB co_session_key;
+
+ /* The confounder is in the last 16 bytes of the buffer */
+ DATA_BLOB confounder = data_blob_const(&pwbuf->data[516], 16);
+ DATA_BLOB pw_data = data_blob_const(pwbuf->data, 516);
DATA_BLOB session_key = data_blob(NULL, 0);
- gnutls_hash_hd_t hash_hnd = NULL;
int rc;
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
@@ -599,35 +601,15 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
return NT_STATUS_WRONG_PASSWORD;
}
- co_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- if (!co_session_key.data) {
- return NT_STATUS_NO_MEMORY;
- }
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ &session_key,
+ &pw_data,
+ SAMBA_GNUTLS_DECRYPT);
if (rc < 0) {
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
- rc = gnutls_hash(hash_hnd, &pwbuf->data[516], 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, co_session_key.data);
-
- arcfour_crypt_blob(pwbuf->data, 516, &co_session_key);
- ZERO_ARRAY_LEN(co_session_key.data,
- co_session_key.length);
-
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
nt_status = NT_STATUS_WRONG_PASSWORD;
--
2.23.0

195
SOURCES/0037-s4-rpc_server-Use-GnuTLS-RC4-for-samr-password.patch
View File

@ -1,195 +0,0 @@
From 23f422c0df67c0f9e701e0deb5f1708a930a98bd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 19 Feb 2019 17:40:29 +0100
Subject: [PATCH 037/187] s4:rpc_server: Use GnuTLS RC4 for samr password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4326e7de6ba0ce02ab23af7297d2f7242988daa4)
---
source4/rpc_server/samr/samr_password.c | 105 ++++++++++++++++++++----
1 file changed, 89 insertions(+), 16 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index fde0de2c3cc..b04e37f06f3 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -24,7 +24,7 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/samr/dcesrv_samr.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
+#include "lib/crypto/md4.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/auth/libcli_auth.h"
@@ -119,13 +119,15 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
"samAccountName",
NULL };
struct samr_Password *lm_pwd;
- DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
struct samr_Password lm_verifier;
size_t unicode_pw_len;
size_t converted_size = 0;
const char *user_samAccountName = NULL;
struct dom_sid *user_objectSid = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t lm_session_key;
+ int rc;
if (pwbuf == NULL) {
return NT_STATUS_INVALID_PARAMETER;
@@ -179,9 +181,28 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
}
/* decrypt the password we have been given */
- lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash));
- arcfour_crypt_blob(pwbuf->data, 516, &lm_pwd_blob);
- data_blob_free(&lm_pwd_blob);
+ lm_session_key = (gnutls_datum_t) {
+ .data = lm_pwd->hash,
+ .size = sizeof(lm_pwd->hash),
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ pwbuf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -315,7 +336,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
"badPwdCount", "badPasswordTime",
"objectSid", NULL };
struct samr_Password *nt_pwd, *lm_pwd;
- DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR;
@@ -325,6 +345,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct dom_sid *user_objectSid = NULL;
enum ntlm_auth_level ntlm_auth_level
= lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t nt_session_key;
+ int rc;
*r->out.dominfo = NULL;
*r->out.reject = NULL;
@@ -381,9 +404,28 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
}
/* decrypt the password we have been given */
- nt_pwd_blob = data_blob(nt_pwd->hash, sizeof(nt_pwd->hash));
- arcfour_crypt_blob(r->in.nt_password->data, 516, &nt_pwd_blob);
- data_blob_free(&nt_pwd_blob);
+ nt_session_key = (gnutls_datum_t) {
+ .data = nt_pwd->hash,
+ .size = sizeof(nt_pwd->hash),
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ r->in.nt_password->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
if (!extract_pw_from_buffer(mem_ctx, r->in.nt_password->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -547,6 +589,9 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
NTSTATUS nt_status;
DATA_BLOB new_password;
DATA_BLOB session_key = data_blob(NULL, 0);
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t _session_key;
+ int rc;
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -556,7 +601,28 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
return NT_STATUS_WRONG_PASSWORD;
}
- arcfour_crypt_blob(pwbuf->data, 516, &session_key);
+ _session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &_session_key,
+ NULL);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ pwbuf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -565,12 +631,19 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
/* set the password - samdb needs to know both the domain and user DNs,
so the domain password policy can be used */
- return samdb_set_password(sam_ctx, mem_ctx,
- account_dn, domain_dn,
- &new_password,
- NULL, NULL,
- NULL, NULL, /* This is a password set, not change */
- NULL, NULL);
+ nt_status = samdb_set_password(sam_ctx,
+ mem_ctx,
+ account_dn,
+ domain_dn,
+ &new_password,
+ NULL,
+ NULL,
+ NULL,
+ NULL, /* This is a password set, not change */
+ NULL,
+ NULL);
+out:
+ return nt_status;
}
--
2.23.0

64
SOURCES/0038-s4-torture-Use-GnuTLS-RC4-for-RAP-SAM-test.patch
View File

@ -1,64 +0,0 @@
From 7839408010ba413f766e950192dd5a0632234ce7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 20 Feb 2019 15:52:49 +0100
Subject: [PATCH 038/187] s4:torture: Use GnuTLS RC4 for RAP SAM test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 811c412da5c24d7274f9aa4c7d653bbb1191e6a6)
---
source4/torture/rap/sam.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rap/sam.c b/source4/torture/rap/sam.c
index 4ca7b793dec..3c13849b398 100644
--- a/source4/torture/rap/sam.c
+++ b/source4/torture/rap/sam.c
@@ -26,10 +26,12 @@
#include "torture/util.h"
#include "libcli/rap/rap.h"
#include "torture/rap/proto.h"
-#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
#include "torture/rpc/torture_rpc.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#define TEST_RAP_USER "torture_rap_user"
static char *samr_rand_pass(TALLOC_CTX *mem_ctx, int min_len)
@@ -137,6 +139,11 @@ static bool test_oemchangepassword_args(struct torture_context *tctx,
char *newpass = samr_rand_pass(tctx, 9);
uint8_t old_pw_hash[16];
uint8_t new_pw_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t pw_key = {
+ .data = old_pw_hash,
+ .size = sizeof(old_pw_hash),
+ };
r.in.UserName = username;
@@ -144,7 +151,15 @@ static bool test_oemchangepassword_args(struct torture_context *tctx,
E_deshash(newpass, new_pw_hash);
encode_pw_buffer(r.in.crypt_password, newpass, STR_ASCII);
- arcfour_crypt(r.in.crypt_password, old_pw_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &pw_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ r.in.crypt_password,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_pw_hash, old_pw_hash, r.in.password_hash);
torture_comment(tctx, "Testing rap_NetOEMChangePassword(%s)\n", r.in.UserName);
--
2.23.0

121
SOURCES/0039-s4-torture-Use-init_samr_CryptPassword-Ex-in-samba3r.patch
View File

@ -1,121 +0,0 @@
From d68771ee1f47bc238a2967ac43ccded3717d4bb5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 21 Feb 2019 10:21:39 +0100
Subject: [PATCH 039/187] s4:torture: Use init_samr_CryptPassword(Ex) in
samba3rpc test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 80f5beb4804c694ee6e5f5b450e751f538677593)
---
source4/torture/rpc/samba3rpc.c | 43 ++++++++++++++-------------------
1 file changed, 18 insertions(+), 25 deletions(-)
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index bf1de04a5b5..d55d6c47b57 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -36,7 +36,6 @@
#include "libcli/libcli.h"
#include "libcli/smb_composite/smb_composite.h"
#include "libcli/auth/libcli_auth.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/security/security.h"
#include "param/param.h"
#include "lib/registry/registry.h"
@@ -47,9 +46,7 @@
#include "librpc/rpc/dcerpc.h"
#include "librpc/rpc/dcerpc_proto.h"
#include "libcli/smb/smbXcli_base.h"
-
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
+#include "source3/rpc_client/init_samr.h"
/*
* open pipe and bind, given an IPC$ context
@@ -666,7 +663,6 @@ static bool create_user(struct torture_context *tctx,
union samr_UserInfo *info;
DATA_BLOB session_key;
-
ZERO_STRUCT(u_info);
encode_pw_buffer(u_info.info23.password.data, password,
STR_UNICODE);
@@ -676,8 +672,15 @@ static bool create_user(struct torture_context *tctx,
torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
goto done;
}
- arcfour_crypt_blob(u_info.info23.password.data, 516,
- &session_key);
+
+ status = init_samr_CryptPassword(password,
+ &session_key,
+ &u_info.info23.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_comment(tctx, "init_samr_CryptPassword failed\n");
+ goto done;
+ }
+
u_info.info23.info.password_expired = 0;
u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT |
SAMR_FIELD_LM_PASSWORD_PRESENT |
@@ -872,10 +875,6 @@ static bool join3(struct torture_context *tctx,
union samr_UserInfo u_info;
struct samr_UserInfo21 *i21 = &u_info.info25.info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(
- mem_ctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
ZERO_STRUCT(u_info);
@@ -890,25 +889,16 @@ static bool join3(struct torture_context *tctx,
i21->password_expired = 1;
*/
- encode_pw_buffer(u_info.info25.password.data,
- cli_credentials_get_password(wks_creds),
- STR_UNICODE);
status = dcerpc_fetch_session_key(samr_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_comment(tctx, "dcerpc_fetch_session_key failed: %s\n",
nt_errstr(status));
goto done;
}
- generate_random_buffer((uint8_t *)confounder, 16);
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info25.password.data, 516,
- &confounded_session_key);
- memcpy(&u_info.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(cli_credentials_get_password(wks_creds),
+ &session_key,
+ &u_info.info25.password);
sui2.in.user_handle = wks_handle;
sui2.in.level = 25;
@@ -942,8 +932,11 @@ static bool join3(struct torture_context *tctx,
torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
goto done;
}
- arcfour_crypt_blob(u_info.info24.password.data, 516,
- &session_key);
+
+ status = init_samr_CryptPassword(cli_credentials_get_password(wks_creds),
+ &session_key,
+ &u_info.info24.password);
+
sui2.in.user_handle = wks_handle;
sui2.in.info = &u_info;
sui2.in.level = 24;
--
2.23.0

60
SOURCES/0040-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
View File

@ -1,60 +0,0 @@
From 92a1bd505e5bb9c793f05b386d4e9ee2b2b74027 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:56:08 +0200
Subject: [PATCH 040/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70e05d7eb78a0c363dbd72cbbf4f3a264636c840)
---
source4/torture/rpc/samr.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index eb1bb14a555..f281be654cc 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -31,7 +31,7 @@
#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
-#include "../lib/crypto/crypto.h"
+#include "lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "torture/rpc/torture_rpc.h"
@@ -40,6 +40,8 @@
#include "auth/gensec/gensec_proto.h"
#include "../libcli/auth/schannel.h"
#include "torture/util.h"
+#include "source4/librpc/rpc/dcerpc.h"
+#include "source3/rpc_client/init_samr.h"
#define TEST_ACCOUNT_NAME "samrtorturetest"
#define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
@@ -637,7 +639,6 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
s.in.info = &u;
s.in.level = 24;
- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE);
u.info24.password_expired = 0;
status = dcerpc_fetch_session_key(p, &session_key);
@@ -647,7 +648,12 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
return false;
}
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
torture_comment(tctx, "Testing SetUserInfo level 24 (set password)\n");
--
2.23.0

72
SOURCES/0041-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
View File

@ -1,72 +0,0 @@
From 2f7cd9ededefa6499f4fad15758fec27a15a5de3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:57:25 +0200
Subject: [PATCH 041/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_23
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0b9cabc4de64497140d33d0fdaf2927f2915987)
---
source4/torture/rpc/samr.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index f281be654cc..543ef64e9ac 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -706,8 +706,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
u.info23.info.fields_present = fields_present;
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -715,7 +713,12 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
return false;
}
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
torture_comment(tctx, "Testing SetUserInfo level 23 (set password)\n");
@@ -732,8 +735,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
*password = newpass;
}
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -742,8 +743,17 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
}
/* This should break the key nicely */
- session_key.length--;
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ session_key.data[0]++;
+
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
+ /* Reset the session key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 23 (set password) with wrong password\n");
--
2.23.0

87
SOURCES/0042-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
View File

@ -1,87 +0,0 @@
From d56d8f629ea89a9a3cc7aecc17331ac5c57a61fa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:58:06 +0200
Subject: [PATCH 042/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPassEx
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e398ecbd8e32bb428073f3635d9178abfae28255)
---
source4/torture/rpc/samr.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 543ef64e9ac..0e9989449be 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -781,14 +781,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
- gnutls_hash_hd_t hash_hnd;
struct samr_GetUserPwInfo pwp;
struct samr_PwInfo info;
int policy_min_pw_len = 0;
+
pwp.in.user_handle = handle;
pwp.out.info = &info;
@@ -807,7 +805,6 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
s.in.info = &u;
s.in.level = 26;
- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
u.info26.password_expired = 0;
status = dcerpc_fetch_session_key(p, &session_key);
@@ -817,15 +814,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex)\n");
@@ -843,10 +837,17 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
}
/* This should break the key nicely */
- confounded_session_key.data[0]++;
+ session_key.data[0]++;
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
+
+ /* Reset the key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex) with wrong session key\n");
--
2.23.0

88
SOURCES/0043-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
View File

@ -1,88 +0,0 @@
From 9f2f94aff0be089658eabd0c62896775332e1acb Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:58:38 +0200
Subject: [PATCH 043/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_25
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3b9496d905408b75c21919b35b2105e2b0b0325f)
---
source4/torture/rpc/samr.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0e9989449be..2f67bcf6be7 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -876,14 +876,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
struct samr_GetUserPwInfo pwp;
struct samr_PwInfo info;
int policy_min_pw_len = 0;
+
pwp.in.user_handle = handle;
pwp.out.info = &info;
@@ -902,8 +900,6 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
u.info25.info.fields_present = fields_present;
- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -911,15 +907,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex)\n");
@@ -937,10 +930,17 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
}
/* This should break the key nicely */
- confounded_session_key.data[0]++;
+ session_key.data[0]++;
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
+
+ /* Reset the key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with wrong session key\n");
--
2.23.0

116
SOURCES/0044-s4-torture-Use-init_samr_CryptPassword-in-test_SetUs.patch
View File

@ -1,116 +0,0 @@
From 905ffa85002a4100172835c550547bab024ef30f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:59:19 +0200
Subject: [PATCH 044/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_level_ex
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f45ba47afb11c1f7bbb8c5c84670395500e1afc1)
---
source4/torture/rpc/samr.c | 48 +++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 2f67bcf6be7..530c457bbd9 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -1166,9 +1166,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
struct samr_GetUserPwInfo pwp;
@@ -1244,28 +1241,20 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
u.info23.info.password_expired = password_expired;
u.info23.info.comment.string = comment;
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
break;
case 24:
u.info24.password_expired = password_expired;
- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE);
-
break;
case 25:
u.info25.info.fields_present = fields_present;
u.info25.info.password_expired = password_expired;
u.info25.info.comment.string = comment;
- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
-
break;
case 26:
u.info26.password_expired = password_expired;
- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
-
break;
}
@@ -1276,13 +1265,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
switch (level) {
case 18:
{
@@ -1320,18 +1302,36 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
}
break;
case 23:
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
break;
case 24:
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
break;
case 25:
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
break;
case 26:
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
break;
}
--
2.23.0

91
SOURCES/0045-s4-torture-Use-GnuTLS-RC4-in-test_OemChangePasswordU.patch
View File

@ -1,91 +0,0 @@
From 752f6efc6ac65cba6b8ebf125b19a6685a0d40c2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:49:53 +0200
Subject: [PATCH 045/187] s4:torture: Use GnuTLS RC4 in
test_OemChangePasswordUser2
This uses STR_ASCII for password encoding!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b512b5974494fe41010800f60df0f248b8ea850e)
---
source4/torture/rpc/samr.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 530c457bbd9..eb032905dc8 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2032,6 +2032,11 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_lm_hash[16], new_lm_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t session_key = {
+ .data = old_lm_hash,
+ .size = 16
+ };
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
@@ -2065,7 +2070,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
r.in.server = &server;
@@ -2092,7 +2103,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
/* Break the old password */
old_lm_hash[0]++;
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
/* unbreak it for the next operation */
old_lm_hash[0]--;
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
@@ -2116,7 +2132,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
}
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
r.in.server = &server;
r.in.account = &account;
@@ -2192,7 +2213,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
r.in.server = &server;
--
2.23.0

53
SOURCES/0046-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
View File

@ -1,53 +0,0 @@
From 88d136aae60d4aa8b6fe622e0e92a8bddbba1b1e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 16:46:06 +1200
Subject: [PATCH 046/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dfda49472e0b4a81653963e80d8d65788f80a591)
---
source4/torture/rpc/samr.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index eb032905dc8..6cc508a2d44 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2259,11 +2259,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
uint8_t old_lm_hash[16], new_lm_hash[16];
-
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
struct lsa_String domain_name;
+ NTSTATUS status;
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
@@ -2299,8 +2301,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
arcfour_crypt(lm_pass.data, old_lm_hash, 516);
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

54
SOURCES/0047-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
View File

@ -1,54 +0,0 @@
From 90bdf8b2063c05576450975df0983953d6febd95 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 16:52:41 +1200
Subject: [PATCH 047/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2_ntstatus
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b1c302a7db23bf4377b8fa742ebf7ae913e3511)
---
source4/torture/rpc/samr.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 6cc508a2d44..5bf758e2fb2 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2349,11 +2349,15 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
uint8_t old_lm_hash[16], new_lm_hash[16];
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
struct lsa_String domain_name;
+ NTSTATUS crypt_status;
+
char *newpass;
int policy_min_pw_len = 0;
@@ -2386,8 +2390,13 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
arcfour_crypt(lm_pass.data, old_lm_hash, 516);
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ crypt_status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ crypt_status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

57
SOURCES/0048-s4_torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
View File

@ -1,57 +0,0 @@
From b21a4ac4a6d92d720e1e04b9eadf50cc59a4ebe5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:24:18 +0200
Subject: [PATCH 048/187] s4_torture: Use GnuTLS RC4 in
test_ChangePasswordUser2
This uses STR_ASCII as string encodings.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9cbdf7b2e5f734e9b5e0e447d54d720d18977950)
---
source4/torture/rpc/samr.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 5bf758e2fb2..7f1da86d19a 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2267,6 +2267,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
struct lsa_String domain_name;
NTSTATUS status;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_lm_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
dom_pw_info.out.info = &info;
@@ -2298,7 +2308,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_lm_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
status = init_samr_CryptPassword(newpass,
--
2.23.0

61
SOURCES/0049-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordUser.patch
View File

@ -1,61 +0,0 @@
From b7700aa619a69f652b350b89a5a67a989658a474 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:00:32 +0200
Subject: [PATCH 049/187] s4:torture: Use GnuTLS RC4 in
test_ChangePasswordUser2_ntstatus
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a476a2e3322a550e2857cb5a66096fa3e46416d3)
---
source4/torture/rpc/samr.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 7f1da86d19a..307b0b03594 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2272,10 +2272,6 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
.data = old_lm_hash,
.size = sizeof(old_lm_hash),
};
- gnutls_datum_t old_nt_key = {
- .data = old_nt_hash,
- .size = sizeof(old_nt_hash),
- };
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
@@ -2370,6 +2366,11 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
uint8_t old_lm_hash[16], new_lm_hash[16];
DATA_BLOB old_nt_hash_blob
= data_blob_const(old_nt_hash, sizeof(old_nt_hash));
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_lm_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
@@ -2406,7 +2407,16 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_lm_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
crypt_status = init_samr_CryptPassword(newpass,
--
2.23.0

119
SOURCES/0050-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
View File

@ -1,119 +0,0 @@
From e3c6cd617dc324d86212a50555adbeffb966555c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:01:02 +0200
Subject: [PATCH 050/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b7c21fca576bf6e44233d69b47273058b9197c8)
---
source4/torture/rpc/samr.c | 64 +++++++++++++++++++++++++++++---------
1 file changed, 49 insertions(+), 15 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 307b0b03594..55059a26b43 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2472,6 +2472,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+ NTSTATUS status;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
@@ -2500,12 +2502,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
/* Break the verification */
@@ -2534,16 +2546,28 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
ret = false;
}
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- /* Break the NT hash */
- old_nt_hash[0]++;
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ /* Break the session key */
+ session_key.data[0]++;
+
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
/* Unbreak it again */
- old_nt_hash[0]--;
+ session_key.data[0]--;
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
@@ -2590,12 +2614,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

130
SOURCES/0051-s4-torture-clarify-comments-and-variable-names-in-Ch.patch
View File

@ -1,130 +0,0 @@
From f0d05dc2dce30f851f9e1eb6a1952730dfe907f6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 17:18:50 +1200
Subject: [PATCH 051/187] s4:torture: clarify comments and variable names in
"ChangePasswordUser3 tests
There is no session key here, the buffers are directly encrypted
with the long-term passwords.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8380668be7963b74cbbd31bfab3d01d1f3089034)
---
source4/torture/rpc/samr.c | 43 +++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 10 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 55059a26b43..20afa9392e2 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2472,7 +2472,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
- DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+ DATA_BLOB old_nt_hash_blob = data_blob_const(old_nt_hash, 16);
NTSTATUS status;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
@@ -2502,22 +2502,45 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
+ /*
+ * The new plaintext password is encrypted using RC4 with the
+ * old NT password hash (directly, with no confounder). The
+ * password is at the end of the random padded buffer,
+ * offering a little protection.
+ *
+ * This is almost certainly wrong, it should be the old LM
+ * hash, it was switched in an unrelated commit
+ * 579c13da43d5b40ac6d6c1436399fbc1d8dfd054 in 2004.
+ */
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
+ /*
+ * Now we prepare a DES cross-hash of the old LM and new NT
+ * passwords to link the two buffers
+ */
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
+ /*
+ * The new plaintext password is also encrypted using RC4 with
+ * the old NT password hash (directly, with no confounder).
+ * The password is at the end of the random padded buffer,
+ * offering a little protection.
+ */
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
+ /*
+ * Another DES based cross-hash
+ */
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
/* Break the verification */
@@ -2547,7 +2570,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
}
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
@@ -2555,18 +2578,18 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- /* Break the session key */
- session_key.data[0]++;
+ /* Break the NT Hash */
+ old_nt_hash[0]++;
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
/* Unbreak it again */
- session_key.data[0]--;
+ old_nt_hash[0]--;
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
@@ -2615,7 +2638,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(newpass, new_lm_hash);
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
@@ -2624,7 +2647,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
--
2.23.0

48
SOURCES/0052-s4-torture-Use-init_samr_CryptPassword-in-test_Chang.patch
View File

@ -1,48 +0,0 @@
From 7ce6d4730f7ff8c5008ad91d665a172fec8e5ba8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 17:43:23 +1200
Subject: [PATCH 052/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordRandomBytes
This allows the use of GnuTLS for the underlying RC4 crypto
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 19d9c2c01a54957bc3852e2565d92c1cdd89498b)
---
source4/torture/rpc/samr.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 20afa9392e2..10377850314 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2790,6 +2790,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
char *oldpass;
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash,
+ sizeof(old_nt_hash));
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
@@ -2893,8 +2896,13 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
E_md4hash(newpass, new_nt_hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

51
SOURCES/0053-s4-torture-Use-GnuTLS-RC4-in-test_ChangePasswordRand.patch
View File

@ -1,51 +0,0 @@
From 74f61d6ecf74311a12e8454f2ce12a4b63bbfe90 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:01:31 +0200
Subject: [PATCH 053/187] s4:torture: Use GnuTLS RC4 in
test_ChangePasswordRandomBytes
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 82a6480611f791a3c26fcf70975e6f8b3b1757ad)
---
source4/torture/rpc/samr.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 10377850314..10bdd52fd47 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2796,6 +2796,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
new_random_pass = samr_very_rand_pass(tctx, 128);
@@ -2855,7 +2860,16 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
mdfour(new_nt_hash, new_random_pass.data, new_random_pass.length);
set_pw_in_buffer(nt_pass.data, &new_random_pass);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_nt_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

84
SOURCES/0054-s4-torture-Use-samba_gnutls_arcfour_confounded_md5-i.patch
View File

@ -1,84 +0,0 @@
From 0f56ee5720764eec28ce23bc82a01c16411df5fb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 13:07:48 +1200
Subject: [PATCH 054/187] s4:torture: Use samba_gnutls_arcfour_confounded_md5()
in test_ChangePasswordRandomBytes
This ensures GnuTLS is used as the underlying RC4 crypto engine
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5740e9516f3587e3a9f72cf52cfe1eedd940b2a9)
---
source4/torture/rpc/samr.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 10bdd52fd47..4b3ad093bf6 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -42,6 +42,7 @@
#include "torture/util.h"
#include "source4/librpc/rpc/dcerpc.h"
#include "source3/rpc_client/init_samr.h"
+#include "lib/crypto/gnutls_helpers.h"
#define TEST_ACCOUNT_NAME "samrtorturetest"
#define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
@@ -2777,9 +2778,6 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
struct samr_SetUserInfo s;
union samr_UserInfo u;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd;
bool ret = true;
struct lsa_String server, account;
@@ -2797,6 +2795,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
gnutls_cipher_hd_t cipher_hnd = NULL;
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder
+ = data_blob_const(_confounder,
+ sizeof(_confounder));
+ DATA_BLOB pw_data;
gnutls_datum_t old_nt_key = {
.data = old_nt_hash,
.size = sizeof(old_nt_hash),
@@ -2821,6 +2824,8 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
set_pw_in_buffer(u.info25.password.data, &new_random_pass);
+ pw_data = data_blob_const(u.info25.password.data, 516);
+
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -2828,15 +2833,15 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
+ generate_random_buffer(_confounder,
+ sizeof(_confounder));
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+ samba_gnutls_arcfour_confounded_md5(&confounder,
+ &session_key,
+ &pw_data,
+ SAMBA_GNUTLS_ENCRYPT);
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ memcpy(&u.info25.password.data[516], _confounder, sizeof(_confounder));
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with a password made up of only random bytes\n");
--
2.23.0

68
SOURCES/0055-s4-torture-Use-init_samr_CryptPassword-in-testjoin-R.patch
View File

@ -1,68 +0,0 @@
From e1fd1c24002f30d31367d1caa59ccb057e8c9794 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 13:06:34 +0100
Subject: [PATCH 055/187] s4:torture: Use init_samr_CryptPassword in testjoin
RPC test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 301544ab2b0c85752d5307f2daab59652c08e1e0)
---
source4/torture/rpc/testjoin.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c
index c4e287d579b..11394b1c277 100644
--- a/source4/torture/rpc/testjoin.c
+++ b/source4/torture/rpc/testjoin.c
@@ -26,7 +26,6 @@
#include "includes.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
#include "libnet/libnet.h"
#include "lib/cmdline/popt_common.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
@@ -36,6 +35,7 @@
#include "torture/rpc/torture_rpc.h"
#include "libcli/security/security.h"
#include "param/param.h"
+#include "source3/rpc_client/init_samr.h"
struct test_join {
struct dcerpc_pipe *p;
@@ -145,7 +145,6 @@ struct test_join *torture_create_testuser_max_pwlen(struct torture_context *tctx
char *random_pw;
const char *dc_binding = torture_setting_string(tctx, "dc_binding", NULL);
struct dcerpc_binding_handle *b = NULL;
-
join = talloc(NULL, struct test_join);
if (join == NULL) {
return NULL;
@@ -330,7 +329,6 @@ again:
s.in.info = &u;
s.in.level = 24;
- encode_pw_buffer(u.info24.password.data, random_pw, STR_UNICODE);
u.info24.password_expired = 0;
status = dcerpc_fetch_session_key(join->p, &session_key);
@@ -341,7 +339,12 @@ again:
goto failed;
}
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(random_pw,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
status = dcerpc_samr_SetUserInfo_r(b, join, &s);
if (!NT_STATUS_IS_OK(status)) {
--
2.23.0

91
SOURCES/0056-lib-crypto-Use-GnuTLS-RC4-in-py_crypto.patch
View File

@ -1,91 +0,0 @@
From f20d681243aed9c4e2c1a669cb04964b380413f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 12:59:13 +0100
Subject: [PATCH 056/187] lib:crypto: Use GnuTLS RC4 in py_crypto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc4ae06001fbb0045318a8cec7af6af81241c60e)
---
lib/crypto/py_crypto.c | 34 +++++++++++++++++++++++++++++-----
lib/crypto/wscript_build | 7 +++----
2 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index 13e2569945d..c85cd2c13d2 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -21,13 +21,18 @@
#include <Python.h>
#include "includes.h"
#include "python/py3compat.h"
-#include "lib/crypto/arcfour.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
{
- DATA_BLOB data, key;
+ DATA_BLOB data;
PyObject *py_data, *py_key, *result;
TALLOC_CTX *ctx;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key;
+ int rc;
if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
return NULL;
@@ -51,10 +56,29 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
return PyErr_NoMemory();
}
- key.data = (uint8_t *)PyBytes_AsString(py_key);
- key.length = PyBytes_Size(py_key);
+ key = (gnutls_datum_t) {
+ .data = (uint8_t *)PyBytes_AsString(py_key),
+ .size = PyBytes_Size(py_key),
+ };
- arcfour_crypt_blob(data.data, data.length, &key);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &key,
+ NULL);
+ if (rc < 0) {
+ talloc_free(ctx);
+ PyErr_Format(PyExc_OSError, "encryption failed");
+ return NULL;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data.data,
+ data.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ talloc_free(ctx);
+ PyErr_Format(PyExc_OSError, "encryption failed");
+ return NULL;
+ }
result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
talloc_free(ctx);
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 2ad8dfe2cd0..46b0e084328 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -28,7 +28,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
)
bld.SAMBA_PYTHON('python_crypto',
- source='py_crypto.c',
- deps='LIBCRYPTO',
- realname='samba/crypto.so'
- )
+ source='py_crypto.c',
+ deps='gnutls talloc',
+ realname='samba/crypto.so')
--
2.23.0

29
SOURCES/0057-lib-crypto-Remove-arcfour.h-from-crypto.h.patch
View File

@ -1,29 +0,0 @@
From d40afca3d8b1881ecebc171fede2aa36aa0240d0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:18:36 +0100
Subject: [PATCH 057/187] lib:crypto: Remove arcfour.h from crypto.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 14c4a075875860e709a9e2e52aad83aa4c58a5ad)
---
lib/crypto/crypto.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index 12aebaecefd..d7409f9a46d 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -21,7 +21,6 @@
#define _SAMBA_CRYPTO_H_
#include "../lib/crypto/md4.h"
-#include "../lib/crypto/arcfour.h"
#include "../lib/crypto/aes.h"
#include "../lib/crypto/aes_cmac_128.h"
#include "../lib/crypto/aes_ccm_128.h"
--
2.23.0

59
SOURCES/0058-lib-crypto-Don-t-build-RC4-if-we-have-GnuTLS-3.4.7.patch
View File

@ -1,59 +0,0 @@
From 32aea65d8f1c896a78f93d1183fb9bdf88eee7df Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 13:28:01 +0100
Subject: [PATCH 058/187] lib:crypto: Don't build RC4 if we have GnuTLS >=
3.4.7
We have a GnuTLS DCEPRC backupkey implementation for the server and the
test. However this is only working with GnuTLS >= 3.4.7. So we need to
keep this around till we can require at least GnuTLS in a newer version.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9ede63fbada7842cd9ae120936bc6bd4b6ad16ac)
---
lib/crypto/wscript_build | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 46b0e084328..a26c10b627b 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -12,12 +12,27 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
''',
deps='gnutls samba-errors');
+# We have a GnuTLS DCEPRC backupkey implementation for the server and the test.
+# However this is only working with GnuTLS >= 3.4.7. So we need to keep this
+# around till we can require at least GnuTLS in a newer version.
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4',
+ source='arcfour.c',
+ deps='talloc',
+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7'))
+
bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
- source='''md4.c arcfour.c
- aes.c rijndael-alg-fst.c aes_cmac_128.c aes_ccm_128.c aes_gcm_128.c
- ''',
- deps='talloc' + extra_deps
- )
+ source='''
+ md4.c
+ aes.c
+ rijndael-alg-fst.c
+ aes_cmac_128.c
+ aes_ccm_128.c
+ aes_gcm_128.c
+ ''',
+ deps='''
+ talloc
+ LIBCRYPTO_RC4
+ ''' + extra_deps)
bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
source='''md4test.c
--
2.23.0

56
SOURCES/0059-s3-lib-Use-the-passed-mem_ctx-instead-of-talloc_tos.patch
View File

@ -1,56 +0,0 @@
From 0fb7a341e75794027de988894da7547a5258d705 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:20:23 +0200
Subject: [PATCH 059/187] s3:lib: Use the passed mem_ctx instead of
talloc_tos()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa09e811ca6fb08a66940380b310ce9794397071)
---
source3/lib/netapi/user.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 827b7902040..fc236e55d1f 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -290,7 +290,7 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level,
/****************************************************************
****************************************************************/
-static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
+static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *pipe_cli,
DATA_BLOB *session_key,
struct policy_handle *user_handle,
@@ -320,7 +320,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
return status;
}
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
user_handle,
25,
&user_info,
@@ -336,7 +336,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
return status;
}
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
user_handle,
23,
&user_info,
@@ -353,7 +353,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info21 = info21;
- status = dcerpc_samr_SetUserInfo(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo(b, mem_ctx,
user_handle,
21,
&user_info,
--
2.23.0

188
SOURCES/0060-s3-rpcclient-Use-a-stackframe-for-temporary-memory.patch
View File

@ -1,188 +0,0 @@
From a2b0dcbb525b7aa3a6f79ca8f8cca4ef7fc2f8f7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:45:51 +0200
Subject: [PATCH 060/187] s3:rpcclient: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9158a6ba8693070f3b2b71dd15089488869ab6cd)
---
source3/rpcclient/cmd_samr.c | 56 +++++++++++++++++++++++++-----------
1 file changed, 39 insertions(+), 17 deletions(-)
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index b1b7c06515c..0cd8b50058e 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3043,6 +3043,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
DATA_BLOB session_key;
uint8_t password_expired = 0;
struct dcerpc_binding_handle *b = cli->binding_handle;
+ TALLOC_CTX *frame = NULL;
if (argc < 4) {
printf("Usage: %s username level password [password_expired]\n",
@@ -3050,6 +3051,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return NT_STATUS_INVALID_PARAMETER;
}
+ frame = talloc_stackframe();
+
user = argv[1];
level = atoi(argv[2]);
param = argv[3];
@@ -3058,18 +3061,18 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
password_expired = atoi(argv[4]);
}
- status = cli_get_session_key(mem_ctx, cli, &session_key);
+ status = cli_get_session_key(frame, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
nt_lm_owf_gen(param, nt_hash, lm_hash);
@@ -3078,14 +3081,22 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
{
DATA_BLOB in,out;
in = data_blob_const(nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(nt_hash, out.data, out.length);
}
{
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 15);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(lm_hash, out.data, out.length);
}
@@ -3118,18 +3129,26 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
{
DATA_BLOB in,out;
in = data_blob_const(nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
info.info21.nt_owf_password.array =
- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16);
+ (uint16_t *)talloc_memdup(frame, out.data, 16);
}
{
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
sess_crypt_blob(&out, &in, &session_key, true);
info.info21.lm_owf_password.array =
- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16);
+ (uint16_t *)talloc_memdup(frame, out.data, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
}
break;
@@ -3175,7 +3194,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
/* Get sam policy handle */
- status = rpccli_try_samr_connects(cli, mem_ctx,
+ status = rpccli_try_samr_connects(cli, frame,
MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(status)) {
@@ -3184,7 +3203,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
/* Get domain policy handle */
- status = dcerpc_samr_OpenDomain(b, mem_ctx,
+ status = dcerpc_samr_OpenDomain(b, frame,
&connect_pol,
access_mask,
&domain_sid,
@@ -3200,7 +3219,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
user_rid = strtol(user, NULL, 0);
if (user_rid) {
- status = dcerpc_samr_OpenUser(b, mem_ctx,
+ status = dcerpc_samr_OpenUser(b, frame,
&domain_pol,
access_mask,
user_rid,
@@ -3222,7 +3241,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
init_lsa_String(&lsa_acct_name, user);
- status = dcerpc_samr_LookupNames(b, mem_ctx,
+ status = dcerpc_samr_LookupNames(b, frame,
&domain_pol,
1,
&lsa_acct_name,
@@ -3242,7 +3261,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
- status = dcerpc_samr_OpenUser(b, mem_ctx,
+ status = dcerpc_samr_OpenUser(b, frame,
&domain_pol,
access_mask,
rids.ids[0],
@@ -3258,14 +3277,14 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
switch (opcode) {
case NDR_SAMR_SETUSERINFO:
- status = dcerpc_samr_SetUserInfo(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo(b, frame,
&user_pol,
level,
&info,
&result);
break;
case NDR_SAMR_SETUSERINFO2:
- status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo2(b, frame,
&user_pol,
level,
&info,
@@ -3283,7 +3302,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
DEBUG(0,("result: %s\n", nt_errstr(status)));
goto done;
}
+
+ status = NT_STATUS_OK;
done:
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

104
SOURCES/0061-s3-utils-Use-a-stackframe-for-temporary-memory.patch
View File

@ -1,104 +0,0 @@
From 5a4fb7d50cfa71a57ce62fdd0e090b70da56b33c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:49:43 +0200
Subject: [PATCH 061/187] s3:utils: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 52b3f921ad2d04cb30232a6aadf261c9fc9aafb2)
---
source3/utils/net_rpc.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index f6fb892a2d9..03462d89e1b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6095,6 +6095,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
unsigned int orig_timeout;
struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
DATA_BLOB session_key = data_blob_null;
+ TALLOC_CTX *frame = NULL;
if (argc != 2) {
d_printf("%s\n%s",
@@ -6104,22 +6105,24 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
return NT_STATUS_INVALID_PARAMETER;
}
+ frame = talloc_stackframe();
+
/*
* Make valid trusting domain account (ie. uppercased and with '$' appended)
*/
if (asprintf(&acct_name, "%s$", argv[0]) < 0) {
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
}
if (!strupper_m(acct_name)) {
- SAFE_FREE(acct_name);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
}
init_lsa_String(&lsa_acct_name, acct_name);
- status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key);
+ status = cli_get_session_key(frame, pipe_hnd, &session_key);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Error getting session_key of SAM pipe. Error was %s\n",
nt_errstr(status)));
@@ -6127,7 +6130,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
/* Get samr policy handle */
- status = dcerpc_samr_Connect2(b, mem_ctx,
+ status = dcerpc_samr_Connect2(b, frame,
pipe_hnd->desthost,
MAXIMUM_ALLOWED_ACCESS,
&connect_pol,
@@ -6141,7 +6144,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
/* Get domain policy handle */
- status = dcerpc_samr_OpenDomain(b, mem_ctx,
+ status = dcerpc_samr_OpenDomain(b, frame,
&connect_pol,
MAXIMUM_ALLOWED_ACCESS,
discard_const_p(struct dom_sid2, domain_sid),
@@ -6168,7 +6171,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
SAMR_USER_ACCESS_GET_ATTRIBUTES |
SAMR_USER_ACCESS_SET_ATTRIBUTES;
- status = dcerpc_samr_CreateUser2(b, mem_ctx,
+ status = dcerpc_samr_CreateUser2(b, frame,
&domain_pol,
&lsa_acct_name,
acb_info,
@@ -6207,7 +6210,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
info.info23.info.acct_flags = ACB_DOMTRUST;
info.info23.password = crypt_pwd;
- status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo2(b, frame,
&user_pol,
23,
&info,
@@ -6224,9 +6227,11 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
}
+ status = NT_STATUS_OK;
done:
SAFE_FREE(acct_name);
data_blob_clear_free(&session_key);
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

96
SOURCES/0062-s3-rpc_server-Use-a-stackframe-for-temporary-memory.patch
View File

@ -1,96 +0,0 @@
From cb51fd8abb0f0d3fa672452cd15d49af193de6ee Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 16:02:12 +0200
Subject: [PATCH 062/187] s3:rpc_server: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1c84bda361678cb6c4685cff17a2d5a5026f2bce)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index d5267bf7062..791aa7acaff 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1134,6 +1134,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
int rc;
DATA_BLOB session_key;
enum samr_UserInfoLevel infolevel;
+ TALLOC_CTX *frame = talloc_stackframe();
ZERO_STRUCT(user_handle);
@@ -1144,7 +1145,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
goto out;
}
- rc = tsocket_address_inet_from_strings(mem_ctx,
+ rc = tsocket_address_inet_from_strings(frame,
"ip",
"127.0.0.1",
0,
@@ -1154,7 +1155,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
goto out;
}
- status = rpcint_binding_handle(mem_ctx,
+ status = rpcint_binding_handle(frame,
&ndr_table_samr,
local,
NULL,
@@ -1166,7 +1167,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
}
become_root();
- status = samr_find_machine_account(mem_ctx,
+ status = samr_find_machine_account(frame,
h,
account_name,
SEC_FLAG_MAXIMUM_ALLOWED,
@@ -1179,7 +1180,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
}
status = dcerpc_samr_QueryUserInfo2(h,
- mem_ctx,
+ frame,
&user_handle,
UserControlInformation,
&info,
@@ -1213,7 +1214,11 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
infolevel = UserInternal1Information;
in = data_blob_const(cr->creds.nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(info18.nt_pwd.hash, out.data, out.length);
@@ -1244,7 +1249,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
become_root();
status = dcerpc_samr_SetUserInfo2(h,
- mem_ctx,
+ frame,
&user_handle,
infolevel,
info,
@@ -1260,8 +1265,9 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
out:
if (h && is_valid_policy_hnd(&user_handle)) {
- dcerpc_samr_Close(h, mem_ctx, &user_handle, &result);
+ dcerpc_samr_Close(h, frame, &user_handle, &result);
}
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

32
SOURCES/0063-netlogon-Fix-potential-use-of-uninitialized-variable.patch
View File

@ -1,32 +0,0 @@
From b26c0a881c5a71ee310a942ffd65960974eabea8 Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@samba.org>
Date: Fri, 12 Jul 2019 17:29:23 +0200
Subject: [PATCH 063/187] netlogon: Fix potential use of uninitialized variable
The _netr_NetrEnumerateTrustedDomains()->dcerpc_lsa_open_policy2() error
path checks the policy handle and closes it if non-empty. The policy
handle may be uninitialized in this code-path - fix this.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 93d424528f1c3d0d50ebd8a784f4624b2721d416)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 791aa7acaff..08bce367bf0 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -419,6 +419,7 @@ NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
int i;
uint32_t max_size = (uint32_t)-1;
+ ZERO_STRUCT(pol);
DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
status = rpcint_binding_handle(p->mem_ctx,
--
2.23.0

64
SOURCES/0064-s3-rpc_server-Only-dump-passwords-in-developer-build.patch
View File

@ -1,64 +0,0 @@
From 8746734f6874d62825209a49b29b06f28183559d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 16:13:17 +0200
Subject: [PATCH 064/187] s3:rpc_server: Only dump passwords in developer
builds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 26 03:05:01 UTC 2019 on sn-devel-184
(cherry picked from commit 1f923e067dbe358c17cbccfe179baa811aa3b8b3)
---
source3/rpc_server/samr/srv_samr_nt.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index ad1d1853bda..87214b2899e 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5198,7 +5198,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info23.password.data, 516);
+#endif
status = set_user_info_23(p->mem_ctx,
&info->info23,
@@ -5219,7 +5221,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info24.password.data, 516);
+#endif
status = set_user_info_24(p->mem_ctx,
rhost,
@@ -5237,7 +5241,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info25.password.data, 532);
+#endif
status = set_user_info_25(p->mem_ctx,
rhost,
@@ -5255,7 +5261,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info26.password.data, 516);
+#endif
status = set_user_info_26(p->mem_ctx,
rhost,
--
2.23.0

38
SOURCES/0065-libcli-smb-Add-forward-declaration-for-gnutls_hmac_h.patch
View File

@ -1,38 +0,0 @@
From 595df06b59c80cbb7a484a893e1ebaf917ddddb6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 8 Aug 2019 11:57:02 +0200
Subject: [PATCH 065/187] libcli:smb: Add forward declaration for
gnutls_hmac_hd_t
This file is basically included everywhere. So use a forward declaration
for gnutls_hmac_hd_t. This way we don't have to link everthing against
gnutls to get access to the header path.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6bf6cb1643ae5e8fff66a7cbec50f58ede632666)
---
libcli/smb/smb2_signing.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
index 6e1682955c9..96a002f4a0c 100644
--- a/libcli/smb/smb2_signing.h
+++ b/libcli/smb/smb2_signing.h
@@ -21,10 +21,10 @@
#ifndef _LIBCLI_SMB_SMB2_SIGNING_H_
#define _LIBCLI_SMB_SMB2_SIGNING_H_
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
-
struct iovec;
+ /* Forward declaration of GnuTLS typedefs */
+struct hmac_hd_st;
+typedef struct hmac_hd_st* gnutls_hmac_hd_t;
struct smb2_signing_key {
gnutls_hmac_hd_t hmac_hnd;
--
2.23.0

29
SOURCES/0066-s3-modules-Link-vfs_acl_common-against-gnutls.patch
View File

@ -1,29 +0,0 @@
From 5132a12a30ccc008644be11fa6af4a3d253a8a27 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 8 Aug 2019 13:14:45 +0200
Subject: [PATCH 066/187] s3:modules: Link vfs_acl_common against gnutls
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b81cb04d03d57b8175d862ba48ac476fedf23636)
---
source3/modules/wscript_build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 80b0ce9ff90..b8b965c8edd 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -10,7 +10,8 @@ bld.SAMBA3_BINARY('test_nfs4_acls',
install=False)
bld.SAMBA3_SUBSYSTEM('vfs_acl_common',
- source='vfs_acl_common.c')
+ source='vfs_acl_common.c',
+ deps='gnutls')
bld.SAMBA3_SUBSYSTEM('POSIXACL_XATTR',
source='posixacl_xattr.c',
--
2.23.0

62
SOURCES/0067-lib-util-Add-generate_nonce_buffer.patch
View File

@ -1,62 +0,0 @@
From 45c34e04c2018d839be71371bee594bc4794de2d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:16:37 +0200
Subject: [PATCH 067/187] lib:util: Add generate_nonce_buffer()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70ff216935acc099b762b527033b6191ba3307d0)
---
lib/util/genrand.c | 12 ++++++++++--
lib/util/genrand.h | 11 +++++++++++
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 55997c3dd55..76c2cb81962 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -25,8 +25,6 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */
-
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
/* Thread and fork safe random number generator for temporary keys. */
@@ -42,3 +40,13 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
/* Thread and fork safe random number generator for long term keys. */
gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
+
+_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
+{
+ /*
+ * The nonce generator will reseed after outputting a fixed amount of
+ * bytes (typically few megabytes), or after few hours of operation
+ * without reaching the limit has passed.
+ */
+ gnutls_rnd(GNUTLS_RND_NONCE, out, len);
+}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 899ce8badc0..5af23100596 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -28,3 +28,14 @@ void generate_random_buffer(uint8_t *out, int len);
* Thread and fork safe random number generator for long term keys.
*/
void generate_secret_buffer(uint8_t *out, int len);
+
+/**
+ * @brief Generate random values for a nonce buffer.
+ *
+ * This is also known as initialization vector.
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
+ */
+void generate_nonce_buffer(uint8_t *out, int len);
--
2.23.0

31
SOURCES/0068-libcli-smb-Use-generate_nonce_buffer-for-AES-CCM-and.patch
View File

@ -1,31 +0,0 @@
From 85272ea8c52056f559b7bfde79805ce2b7ab4f72 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:25:35 +0200
Subject: [PATCH 068/187] libcli:smb: Use generate_nonce_buffer() for AES-CCM
and AES-GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b2506f2407429efb40c3e4e4c360f5817ac13d27)
---
libcli/smb/smbXcli_base.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c9b396106ae..5db86720c9c 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -6253,8 +6253,8 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
*
* NOTE: We assume nonces greater than 8 bytes.
*/
- generate_random_buffer((uint8_t *)&session->smb2->nonce_high_random,
- sizeof(session->smb2->nonce_high_random));
+ generate_nonce_buffer((uint8_t *)&session->smb2->nonce_high_random,
+ sizeof(session->smb2->nonce_high_random));
switch (conn->smb2.server.cipher) {
case SMB2_ENCRYPTION_AES128_CCM:
nonce_size = AES_CCM_128_NONCE_SIZE;
--
2.23.0

31
SOURCES/0069-s3-smbd-Use-generate_nonce_buffer-for-AES-CCM-and-AE.patch
View File

@ -1,31 +0,0 @@
From 230457a6c024e236815b6f9f0351b236044ad515 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:28:34 +0200
Subject: [PATCH 069/187] s3:smbd: Use generate_nonce_buffer() for AES-CCM and
AES-GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2df6cd398c9cb62989710f9b1642665ec89406)
---
source3/smbd/smb2_sesssetup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 770c22b00f1..591d5c37160 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -419,8 +419,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
*
* NOTE: We assume nonces greater than 8 bytes.
*/
- generate_random_buffer((uint8_t *)&x->nonce_high_random,
- sizeof(x->nonce_high_random));
+ generate_nonce_buffer((uint8_t *)&x->nonce_high_random,
+ sizeof(x->nonce_high_random));
switch (xconn->smb2.server.cipher) {
case SMB2_ENCRYPTION_AES128_CCM:
nonce_size = AES_CCM_128_NONCE_SIZE;
--
2.23.0

70
SOURCES/0070-lib-util-Add-better-documentation-for-generate_secre.patch
View File

@ -1,70 +0,0 @@
From deeb93c2fb7cc131741ced4877b75bcd3a64cef4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:38:50 +0200
Subject: [PATCH 070/187] lib:util: Add better documentation for
generate_secret_buffer()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bf52ab7d2982de84a68a1b9c6d2f68250b7e7cca)
---
lib/util/genrand.c | 17 ++++++++++++-----
lib/util/genrand.h | 6 +++++-
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 76c2cb81962..a5809aa2bc9 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -25,19 +25,26 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+/*
+ * Details about the GnuTLS CSPRNG:
+ *
+ * https://nikmav.blogspot.com/2017/03/improving-by-simplifying-gnutls-prng.html
+ */
+
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
/* Thread and fork safe random number generator for temporary keys. */
gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
-/*
- * Keep generate_secret_buffer in case we ever want to do something
- * different
- */
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- /* Thread and fork safe random number generator for long term keys. */
+ /* The key generator, will re-seed after a fixed amount of bytes is
+ * generated (typically less than the nonce), and will also re-seed
+ * based on time, i.e., after few hours of operation without reaching
+ * the limit for a re-seed. For its re-seed it mixes mixes data obtained
+ * from the OS random device with the previous key.
+ */
gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 5af23100596..abb8ce2c10a 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -25,7 +25,11 @@
void generate_random_buffer(uint8_t *out, int len);
/**
- * Thread and fork safe random number generator for long term keys.
+ * @brief Generate random values for key buffers (e.g. session keys)
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
*/
void generate_secret_buffer(uint8_t *out, int len);
--
2.23.0

33
SOURCES/0071-s4-rpc_server-Use-generate_secret_buffer-to-create-a.patch
View File

@ -1,33 +0,0 @@
From 299dd35d7816770560a17a0e30886c08d9687589 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:40:12 +0200
Subject: [PATCH 071/187] s4:rpc_server: Use generate_secret_buffer() to create
a session key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4b2480518bd3887be3a6cfb713523ac084e09fd5)
---
source4/rpc_server/samr/samr_password.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index b04e37f06f3..6bf907181c8 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -733,9 +733,10 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
nt_errstr(nt_status)));
/*
- * Windows just uses a random key
+ * Windows just uses a random key. We need to use a CSPRNG
+ * which reseeds for generating session keys.
*/
- generate_random_buffer(random_session_key,
+ generate_secret_buffer(random_session_key,
sizeof(random_session_key));
session_key = data_blob_const(random_session_key,
sizeof(random_session_key));
--
2.23.0

30
SOURCES/0072-s4-rpc_server-Use-generate_secret_buffer-for-backupk.patch
View File

@ -1,30 +0,0 @@
From 5cd54770ca2055eee9ae651510b0ff5d1c914f6c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:41:29 +0200
Subject: [PATCH 072/187] s4:rpc_server: Use generate_secret_buffer() for
backupkey wap_key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a62056b4530e4c509444be9164a1fca1dce193f)
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index a826ae083f4..d192858e468 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1263,7 +1263,8 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
- generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
--
2.23.0

30
SOURCES/0073-s4-rpc_server-Use-generate_secret_buffer-for-netlogo.patch
View File

@ -1,30 +0,0 @@
From a9efbcf21a5dc8b8b8195916b8a5eaa03ccbf5a5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:42:26 +0200
Subject: [PATCH 073/187] s4:rpc_server: Use generate_secret_buffer() for
netlogon challange
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a21770cfdffd2a21045a1bc87e489af0f4c6f130)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ac745e32b02..f4e24b7fd7f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -90,7 +90,8 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
pipe_state->client_challenge = *r->in.credentials;
- generate_random_buffer(pipe_state->server_challenge.data,
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(pipe_state->server_challenge.data,
sizeof(pipe_state->server_challenge.data));
*r->out.return_credentials = pipe_state->server_challenge;
--
2.23.0

34
SOURCES/0074-libcli-auth-Use-generate_secret_buffer-for-netlogon-.patch
View File

@ -1,34 +0,0 @@
From 34c4199f21f5d2dfbf3d732fd4da7be390ce095b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:44:24 +0200
Subject: [PATCH 074/187] libcli:auth: Use generate_secret_buffer() for
netlogon challenge
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug 12 10:42:35 UTC 2019 on sn-devel-184
(cherry picked from commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0)
---
libcli/auth/netlogon_creds_cli.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 50a5f50a57d..18143ca36d0 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,7 +1177,8 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- generate_random_buffer(state->client_challenge.data,
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(state->client_challenge.data,
sizeof(state->client_challenge.data));
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
--
2.23.0

72
SOURCES/0075-lib-util-Fix-documentation-for-random-number-functio.patch
View File

@ -1,72 +0,0 @@
From 5d53f417762503b9c73edcdb1364834f3b665e74 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 16:10:20 +0200
Subject: [PATCH 075/187] lib:util: Fix documentation for random number
functions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 97c441d7c28feb29168e81ebbc5c55b09a845087)
---
lib/util/genrand.c | 9 +++++++--
lib/util/genrand.h | 8 ++++++--
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index a5809aa2bc9..18ffa0d95e6 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -33,13 +33,16 @@
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
- /* Thread and fork safe random number generator for temporary keys. */
+ /* Random number generator for temporary keys. */
gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- /* The key generator, will re-seed after a fixed amount of bytes is
+ /*
+ * Random number generator for long term keys.
+ *
+ * The key generator, will re-seed after a fixed amount of bytes is
* generated (typically less than the nonce), and will also re-seed
* based on time, i.e., after few hours of operation without reaching
* the limit for a re-seed. For its re-seed it mixes mixes data obtained
@@ -51,6 +54,8 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
{
/*
+ * Random number generator for nonce and initialization vectors.
+ *
* The nonce generator will reseed after outputting a fixed amount of
* bytes (typically few megabytes), or after few hours of operation
* without reaching the limit has passed.
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index abb8ce2c10a..70f36312e58 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -20,12 +20,16 @@
*/
/**
- * Thread and fork safe random number generator for temporary keys.
+ * @brief Generate random values for session and temporary keys.
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
*/
void generate_random_buffer(uint8_t *out, int len);
/**
- * @brief Generate random values for key buffers (e.g. session keys)
+ * @brief Generate random values for long term keys and passwords.
*
* @param[in] out A pointer to the buffer to fill with random data.
*
--
2.23.0

31
SOURCES/0076-Revert-libcli-auth-Use-generate_secret_buffer-for-ne.patch
View File

@ -1,31 +0,0 @@
From 5b8d3df9856f081cbca601926ca909085cc73f05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:31 +0200
Subject: [PATCH 076/187] Revert "libcli:auth: Use generate_secret_buffer() for
netlogon challenge"
This reverts commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 689760f26521fe5b4c8964a25ddd3ab1c9e9977c)
---
libcli/auth/netlogon_creds_cli.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 18143ca36d0..50a5f50a57d 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(state->client_challenge.data,
+ generate_random_buffer(state->client_challenge.data,
sizeof(state->client_challenge.data));
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
--
2.23.0

31
SOURCES/0077-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch
View File

@ -1,31 +0,0 @@
From c08b8c1b2ccbd3c180c730940d7efce8fcef8b5b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:37 +0200
Subject: [PATCH 077/187] Revert "s4:rpc_server: Use generate_secret_buffer()
for netlogon challange"
This reverts commit a21770cfdffd2a21045a1bc87e489af0f4c6f130.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 1c68085404cd467c217640e3eabfc4b7f8b1ce9f)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f4e24b7fd7f..ac745e32b02 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
pipe_state->client_challenge = *r->in.credentials;
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(pipe_state->server_challenge.data,
+ generate_random_buffer(pipe_state->server_challenge.data,
sizeof(pipe_state->server_challenge.data));
*r->out.return_credentials = pipe_state->server_challenge;
--
2.23.0

31
SOURCES/0078-Revert-s4-rpc_server-Use-generate_secret_buffer-for-.patch
View File

@ -1,31 +0,0 @@
From 5576562cc327cfa6cc77d5962ee8ec85d9ca0ad6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:52 +0200
Subject: [PATCH 078/187] Revert "s4:rpc_server: Use generate_secret_buffer()
for backupkey wap_key"
This reverts commit 5a62056b4530e4c509444be9164a1fca1dce193f.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 38b0695ddac244c67b2a33eb927ad3e95d2e8bd6)
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index d192858e468..a826ae083f4 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1263,8 +1263,7 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key));
+ generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
--
2.23.0

34
SOURCES/0079-Revert-s4-rpc_server-Use-generate_secret_buffer-to-c.patch
View File

@ -1,34 +0,0 @@
From ea69efd5e269e3ec0c93121d0448a1f6fb4275ac Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:50:02 +0200
Subject: [PATCH 079/187] Revert "s4:rpc_server: Use generate_secret_buffer()
to create a session key"
This reverts commit 4b2480518bd3887be3a6cfb713523ac084e09fd5.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d73be972ea58d564c770698bf6374a6074f111fe)
---
source4/rpc_server/samr/samr_password.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 6bf907181c8..b04e37f06f3 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -733,10 +733,9 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
nt_errstr(nt_status)));
/*
- * Windows just uses a random key. We need to use a CSPRNG
- * which reseeds for generating session keys.
+ * Windows just uses a random key
*/
- generate_secret_buffer(random_session_key,
+ generate_random_buffer(random_session_key,
sizeof(random_session_key));
session_key = data_blob_const(random_session_key,
sizeof(random_session_key));
--
2.23.0

47
SOURCES/0080-lib-util-Use-generate_secret_buffer-for-long-term-pa.patch
View File

@ -1,47 +0,0 @@
From d2cc9f2ef31092c1ce5e5ad967a6be4f3bc84c06 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:55:56 +0200
Subject: [PATCH 080/187] lib:util: Use generate_secret_buffer() for long term
passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 93196dd823e114f260a68d28bb59eac3909c30d8)
---
lib/util/genrand_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index d7b74c6cf1a..05d1f3ef6e5 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -185,7 +185,7 @@ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const c
char *retstr = talloc_array(mem_ctx, char, len + 1);
if (!retstr) return NULL;
- generate_random_buffer((uint8_t *)retstr, len);
+ generate_secret_buffer((uint8_t *)retstr, len);
for (i = 0; i < len; i++) {
retstr[i] = list[retstr[i] % list_len];
}
@@ -247,7 +247,7 @@ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t
if (diff > 0 ) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
@@ -317,7 +317,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min,
if (diff > 0) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
--
2.23.0

29
SOURCES/0081-s4-samdb-Use-generate_nonce_buffer-for-AEC-GCM-nonce.patch
View File

@ -1,29 +0,0 @@
From 3a22faf5aa81b8a2e918e250cb201440094f9757 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:56:35 +0200
Subject: [PATCH 081/187] s4:samdb: Use generate_nonce_buffer() for AEC GCM
nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit a3e36dd8f43a5c06969ae158fa54fbc649f44d03)
---
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index b2df15c08f4..deaa03cbb35 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -447,7 +447,7 @@ static struct ldb_val samba_encrypt_aead(int *err,
goto error_exit;
}
- generate_random_buffer(iv, AES_GCM_128_IV_SIZE);
+ generate_nonce_buffer(iv, AES_GCM_128_IV_SIZE);
es->iv.length = AES_GCM_128_IV_SIZE;
es->iv.data = iv;
--
2.23.0

30
SOURCES/0082-s3-passdb-Use-generate_secret_buffer-for-generating-.patch
View File

@ -1,30 +0,0 @@
From 8057d84f33d96a3143b1908b47e65e6a89d4f861 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:57:06 +0200
Subject: [PATCH 082/187] s3:passdb: Use generate_secret_buffer() for
generating passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 6fa3e4de7c168dc7c869ec9966729a36bda27f57)
---
source3/passdb/pdb_nds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/passdb/pdb_nds.c b/source3/passdb/pdb_nds.c
index 349ea0b6c38..216c9e6b50b 100644
--- a/source3/passdb/pdb_nds.c
+++ b/source3/passdb/pdb_nds.c
@@ -814,7 +814,8 @@ static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods,
got_clear_text_pw = True;
}
} else {
- generate_random_buffer((unsigned char *)clear_text_pw, 24);
+ /* This is a long term key */
+ generate_secret_buffer((unsigned char *)clear_text_pw, 24);
clear_text_pw[24] = '\0';
DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw));
}
--
2.23.0

33
SOURCES/0083-auth-ntlmssp-Use-generate_random_buffer-for-session-.patch
View File

@ -1,33 +0,0 @@
From 9a257522e3c811853b2b9f0b93992b07ecdad5d9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 19:07:15 +0200
Subject: [PATCH 083/187] auth:ntlmssp: Use generate_random_buffer() for
session keys
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184
(cherry picked from commit 9b7825d2d387bcb2515154418a990669ab96358d)
---
auth/ntlmssp/ntlmssp_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b8d1190466b..2a80feb4fed 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -696,7 +696,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
.size = session_key.length,
};
- generate_secret_buffer(client_session_key, sizeof(client_session_key));
+ generate_random_buffer(client_session_key, sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
--
2.23.0

84
SOURCES/0084-encrypted_secrets-Add-known-and-expected-value-test.patch
View File

@ -1,84 +0,0 @@
From 40a13974c5279d43fa2e13b8a274ba41ec051533 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 15 Aug 2019 15:27:30 +1200
Subject: [PATCH 084/187] encrypted_secrets: Add known and expected value test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 92b9cdf99da1f8657c166d413c5136c8db938a9e)
---
.../tests/test_encrypted_secrets.c | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
index 258e1ba829f..cfea95ae544 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
@@ -1101,6 +1101,53 @@ static void test_unencrypted_secret(void **state)
assert_int_equal(LDB_ERR_OPERATIONS_ERROR, ret);
}
+/*
+ * Test full decryption of a static value with static key
+ */
+static void test_record_decryption(void **state)
+{
+ struct ldbtest_ctx *test_ctx =
+ talloc_get_type_abort(*state, struct ldbtest_ctx);
+ unsigned char plain_data[] = {
+ 0xe6, 0xa6, 0xb8, 0xff, 0xdf, 0x06, 0x6c, 0xe3,
+ 0xea, 0xd0, 0x94, 0xbb, 0x79, 0xbd, 0x0a, 0x24
+ };
+ unsigned char encrypted_data[] = {
+ 0x0c, 0x00, 0x00, 0x00, 0x33, 0x91, 0x74, 0x25,
+ 0x26, 0xcc, 0x0b, 0x8c, 0x21, 0xc1, 0x13, 0xe2,
+ 0xed, 0xad, 0x5c, 0xca, 0x01, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x1a, 0xdc, 0xc9, 0x11, 0x08, 0xca, 0x2c, 0xfb,
+ 0xc8, 0x32, 0x6b, 0x1b, 0x25, 0x7f, 0x52, 0xbb,
+ 0xae, 0x9b, 0x88, 0x52, 0xb0, 0x18, 0x6d, 0x9d,
+ 0x9b, 0xdd, 0xcd, 0x1b, 0x5f, 0x4a, 0x5c, 0x29,
+ 0xca, 0x0b, 0x36, 0xaa
+ };
+ struct ldb_val cipher_text
+ = data_blob_const(encrypted_data,
+ sizeof(encrypted_data));
+ unsigned char es_keys_blob[] = {
+ 0x1d, 0xae, 0xf5, 0xaa, 0xa3, 0x85, 0x0d, 0x0a,
+ 0x8c, 0x24, 0x5c, 0x4c, 0xa7, 0x0f, 0x81, 0x79
+ };
+ struct es_data data = {
+ .encrypt_secrets = true,
+ .keys[0] = {
+ .data = es_keys_blob,
+ .length = sizeof(es_keys_blob),
+ },
+#ifdef HAVE_GNUTLS_AEAD
+ .encryption_algorithm = GNUTLS_CIPHER_AES_128_GCM,
+#endif
+ };
+ int err = LDB_SUCCESS;
+ struct ldb_val dec = decrypt_value(&err, test_ctx, test_ctx->ldb, cipher_text,
+ &data);
+ assert_int_equal(LDB_SUCCESS, err);
+ assert_int_equal(sizeof(plain_data), dec.length);
+ assert_memory_equal(dec.data, plain_data, sizeof(plain_data));
+}
+
int main(void) {
const struct CMUnitTest tests[] = {
@@ -1166,6 +1213,10 @@ int main(void) {
test_unencrypted_secret,
setup_with_key,
teardown),
+ cmocka_unit_test_setup_teardown(
+ test_record_decryption,
+ setup_with_key,
+ teardown),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
--
2.23.0

154
SOURCES/0085-s4-samdb-Remove-dual-stack-mode-from-test_-encrypted.patch
View File

@ -1,154 +0,0 @@
From ce7a5f793d0d5983504be61189ec7c57cfbf07d0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:32:34 +0100
Subject: [PATCH 085/187] s4:samdb: Remove dual-stack mode from
(test_)encrypted_secrets
Now we either build with GnuTLS or Samba crypto. If a modern GnuTLS
version is detected that will be used and Samba crypto wont be
available.
This removes the dual-stack mode that encrypted with one and decrypted
with the other in the testsuite.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Commit message clarified by Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7bf3c5d7640daaf5dc799eaf698618903ec09127)
---
.../samdb/ldb_modules/encrypted_secrets.c | 16 ++----
.../tests/test_encrypted_secrets.c | 49 ++-----------------
2 files changed, 10 insertions(+), 55 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index deaa03cbb35..5f8cd8747ea 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -39,18 +39,12 @@
#include "dsdb/samdb/samdb.h"
#include "dsdb/samdb/ldb_modules/util.h"
-#ifdef TEST_ENCRYPTED_SECRETS
+/* Build either with GnuTLS crypto or Samba crypto. */
+#ifdef HAVE_GNUTLS_AEAD
+ #define BUILD_WITH_GNUTLS_AEAD
+#else /* !HAVE_GNUTLS_AEAD */
#define BUILD_WITH_SAMBA_AES_GCM
- #ifdef HAVE_GNUTLS_AEAD
- #define BUILD_WITH_GNUTLS_AEAD
- #endif
-#else
- #ifdef HAVE_GNUTLS_AEAD
- #define BUILD_WITH_GNUTLS_AEAD
- #else
- #define BUILD_WITH_SAMBA_AES_GCM
- #endif
-#endif
+#endif /* HAVE_GNUTLS_AEAD */
#ifdef BUILD_WITH_GNUTLS_AEAD
#include <gnutls/gnutls.h>
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
index cfea95ae544..a33781d703d 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
@@ -390,26 +390,6 @@ static void test_gnutls_value_encryption(void **state)
&decrypted->cleartext,
&plain_text));
}
-
- {
- struct PlaintextSecret *decrypted =
- talloc_zero(test_ctx, struct PlaintextSecret);
- samba_decrypt_aead(
- &err,
- test_ctx,
- test_ctx->ldb,
- &es,
- decrypted,
- data);
- assert_int_equal(LDB_SUCCESS, err);
- assert_int_equal(
- plain_text.length,
- decrypted->cleartext.length);
- assert_int_equal(0,
- data_blob_cmp(
- &decrypted->cleartext,
- &plain_text));
- }
}
#endif /* HAVE_GNUTLS_AEAD */
@@ -613,9 +593,11 @@ static void test_gnutls_altered_iv(void **state)
}
}
#endif /* HAVE_GNUTLS_AEAD */
+
/*
* Test samba encryption and decryption and decryption.
*/
+#ifndef HAVE_GNUTLS_AEAD
static void test_samba_value_encryption(void **state)
{
struct ldbtest_ctx *test_ctx =
@@ -647,29 +629,6 @@ static void test_samba_value_encryption(void **state)
assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
assert_true(check_header(&es));
-#ifdef HAVE_GNUTLS_AEAD
- {
- struct PlaintextSecret *decrypted =
- talloc_zero(test_ctx, struct PlaintextSecret);
- gnutls_decrypt_aead(
- &err,
- test_ctx,
- test_ctx->ldb,
- &es,
- decrypted,
- data);
- assert_int_equal(LDB_SUCCESS, err);
- assert_int_equal(
- plain_text.length,
- decrypted->cleartext.length);
- assert_int_equal(0,
- data_blob_cmp(
- &decrypted->cleartext,
- &plain_text));
- }
-#endif /* HAVE_GNUTLS_AEAD */
-
-
{
struct PlaintextSecret *decrypted =
talloc_zero(test_ctx, struct PlaintextSecret);
@@ -886,6 +845,7 @@ static void test_samba_altered_iv(void **state)
assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
}
}
+#endif
/*
* Test message encryption.
@@ -1188,7 +1148,7 @@ int main(void) {
test_gnutls_altered_iv,
setup_with_key,
teardown),
-#endif /* HAVE_GNUTLS_AEAD */
+#else
cmocka_unit_test_setup_teardown(
test_samba_value_encryption,
setup_with_key,
@@ -1205,6 +1165,7 @@ int main(void) {
test_samba_altered_iv,
setup_with_key,
teardown),
+#endif /* HAVE_GNUTLS_AEAD */
cmocka_unit_test_setup_teardown(
test_message_encryption_decryption,
setup_with_key,
--
2.23.0

30
SOURCES/0086-s4-samdb-Only-include-necessary-header-files-in-encr.patch
View File

@ -1,30 +0,0 @@
From 23e2849f8f5b119ebce9cb0aeee098a8c1a388e0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:33:09 +0100
Subject: [PATCH 086/187] s4:samdb: Only include necessary header files in
encrypted_secrets
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d46e538d52433f5f30a5696e5b18bc4b82101951)
---
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index 5f8cd8747ea..e0932858588 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -52,7 +52,8 @@
#endif /* BUILD_WITH_GNUTLS_AEAD */
#ifdef BUILD_WITH_SAMBA_AES_GCM
- #include "lib/crypto/crypto.h"
+ #include "lib/crypto/aes.h"
+ #include "lib/crypto/aes_gcm_128.h"
#endif /* BUILD_WITH_SAMBA_AES_GCM */
static const char * const secret_attributes[] = {DSDB_SECRET_ATTRIBUTES};
--
2.23.0

29
SOURCES/0087-waf-Check-for-GNUTLS-AES-CFB-support.patch
View File

@ -1,29 +0,0 @@
From ea3711fc1f4459a9654dd237ffbc71a42375629c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:35:02 +0100
Subject: [PATCH 087/187] waf: Check for GNUTLS AES CFB support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 20a42459df4fdd57cdf1807a3d97dc5b1c553476)
---
wscript_configure_system_gnutls | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index cc9a2b035a2..85824aad4ed 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -36,3 +36,9 @@ if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_init',
conf.DEFINE('HAVE_GNUTLS_AEAD', '1')
else:
Logs.warn('No gnutls support for AEAD encryption')
+
+if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
+ conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
+ conf.DEFINE('HAVE_GNUTLS_3_4_7', 1)
+else:
+ Logs.warn('No gnutls support for AES CFB8')
--
2.23.0

35
SOURCES/0088-libcli-auth-Use-netlogon_creds_aes_encrypt-in-netlog.patch
View File

@ -1,35 +0,0 @@
From 563e6a454706f29171b4bf06473cc40c557b0eed Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:33:01 +0100
Subject: [PATCH 088/187] libcli:auth: Use netlogon_creds_aes_encrypt() in
netlogon_creds_step_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd97c47873007bfc502926070a758b520d95abf1)
---
libcli/auth/credentials.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 319dacdac0b..3b31d1e0300 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -35,12 +35,9 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre
struct netr_Credential *out)
{
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE] = {0};
+ memcpy(out->data, in->data, sizeof(out->data));
- AES_set_encrypt_key(creds->session_key, 128, &key);
-
- aes_cfb8_encrypt(in->data, out->data, 8, &key, iv, AES_ENCRYPT);
+ netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data));
} else {
des_crypt112(out->data, in->data, creds->session_key, 1);
}
--
2.23.0

69
SOURCES/0089-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch
View File

@ -1,69 +0,0 @@
From efe2ed9aa8d1a1be574149f591015cc063c24fb7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:41:11 +0100
Subject: [PATCH 089/187] libcli:auth: Use GnuTLS AES128 CFB for
netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 054efd118d7500e28f118722312aaae0df2749b0)
---
libcli/auth/credentials.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 3b31d1e0300..5a1692ef436 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -295,12 +295,48 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
*/
void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = creds->session_key,
+ .size = sizeof(creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
+ ZERO_ARRAY(_iv);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd, data, len);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
AES_set_encrypt_key(creds->session_key, 128, &key);
aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
+#endif /* HAVE_GNUTLS_AES_CFB8 */
}
/*
--
2.23.0

82
SOURCES/0090-libcli-auth-Return-NTSTATUS-for-netlogon_creds_aes_e.patch
View File

@ -1,82 +0,0 @@
From cd45ceb7c38ef77ad9d6cc42ad8184ebc6829cf7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 16:38:09 +0200
Subject: [PATCH 090/187] libcli:auth: Return NTSTATUS for
netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ded5aad21b54b8783f7390fb2eca483d3861eeff)
---
libcli/auth/credentials.c | 15 ++++++++-------
libcli/auth/proto.h | 4 +++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 5a1692ef436..87f8820238e 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -293,7 +293,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
/*
AES encrypt a password buffer using the session key
*/
-void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len)
{
#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
@@ -317,18 +319,15 @@ void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, ui
&key,
&iv);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_encrypt(cipher_hnd, data, len);
gnutls_cipher_deinit(cipher_hnd);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
+
#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
@@ -337,6 +336,8 @@ void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, ui
aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
#endif /* HAVE_GNUTLS_AES_CFB8 */
+
+ return NT_STATUS_OK;
}
/*
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 65ee06215dc..639a50425e5 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -18,7 +18,9 @@ void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, st
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
-void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len);
void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
/*****************************************************************
--
2.23.0

84
SOURCES/0091-libcli-auth-Use-GnuTLS-AES128-CFB-for-netlogon_creds.patch
View File

@ -1,84 +0,0 @@
From 9b5fa6c165e98ddec38bc976bac0cfee62fd0d72 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Mar 2019 15:13:08 +0100
Subject: [PATCH 091/187] libcli:auth: Use GnuTLS AES128 CFB for
netlogon_creds_aes_decrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a96728586150768957b88a0714b15f13ee9f81af)
---
libcli/auth/credentials.c | 41 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 87f8820238e..cfeab6efdcd 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -22,10 +22,13 @@
#include "includes.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "../libcli/security/dom_sid.h"
+#ifndef HAVE_GNUTLS_AES_CFB8
+#include "lib/crypto/aes.h"
+#endif
+
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -345,12 +348,48 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
*/
void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = creds->session_key,
+ .size = sizeof(creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
+ ZERO_ARRAY(_iv);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd, data, len);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
AES_set_encrypt_key(creds->session_key, 128, &key);
aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
+#endif /* HAVE_GNUTLS_AES_CFB8 */
}
/*****************************************************************
--
2.23.0

78
SOURCES/0092-libcli-auth-Return-NTSTATUS-from-netlogon_creds_aes_.patch
View File

@ -1,78 +0,0 @@
From a5149014cc8a0da7b8c664a465f6108c390d127d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 12:34:28 +1200
Subject: [PATCH 092/187] libcli:auth Return NTSTATUS from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8ec796f1a1daa444bba06f34a50d2b62ee4a2ef9)
---
libcli/auth/credentials.c | 15 ++++++++-------
libcli/auth/proto.h | 4 +++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index cfeab6efdcd..955e08b7385 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -346,7 +346,7 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
/*
AES decrypt a password buffer using the session key
*/
-void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
@@ -370,18 +370,17 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui
&key,
&iv);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_decrypt(cipher_hnd, data, len);
gnutls_cipher_deinit(cipher_hnd);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
+
#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
@@ -390,6 +389,8 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui
aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
#endif /* HAVE_GNUTLS_AES_CFB8 */
+
+ return NT_STATUS_OK;
}
/*****************************************************************
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 639a50425e5..714652bdb76 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -21,7 +21,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
-void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len);
/*****************************************************************
The above functions are common to the client and server interface
--
2.23.0

30
SOURCES/0093-crypto-Update-REQUIREMENTS-file-with-new-minimum-ver.patch
View File

@ -1,30 +0,0 @@
From fb7713126043eaa2bffcf4b73d63fe371781cc1c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 13:52:36 +1200
Subject: [PATCH 093/187] crypto: Update REQUIREMENTS file with new minimum
version
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5ae119e7e9ddcfb3473e14585ba6079147a307bd)
---
lib/crypto/REQUIREMENTS | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index ff91a2f9174..5ebf3ba0e05 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -4,8 +4,7 @@ This list is to allow research into using external crypto libraries.
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
Those possibly supported in the git version of nettle are indicated as '# NETTLE'
-For Samba AD with Heimdal gnutls >= 3.0.0 is required
-For Samba AD with MIT kerberos gnutls >= 3.4.7 is required
+Samba in general gnutls >= 3.4.7 is required
Samba FS with MS Catalog support will require gnutls >= 3.5.6
GnuTLS Milestone for Samba support:
--
2.23.0

134
SOURCES/0094-libcli-auth-Check-NTSTATUS-from-netlogon_creds_aes_-.patch
View File

@ -1,134 +0,0 @@
From d054df5519b1a25d031f95e098c1f40d59083c3d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 13:55:49 +1200
Subject: [PATCH 094/187] libcli:auth Check NTSTATUS from
netlogon_creds_aes_{en,de}crypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d515b255aa67186ff375af0b465c49722eb56427)
---
libcli/auth/credentials.c | 76 +++++++++++++++++++++++++++------------
1 file changed, 53 insertions(+), 23 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 955e08b7385..baa436df71b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -712,27 +712,36 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (!all_zero(base->key.key, sizeof(base->key.key))) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->key.key,
- sizeof(base->key.key));
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ base->key.key,
+ sizeof(base->key.key));
} else {
- netlogon_creds_aes_decrypt(creds,
- base->key.key,
- sizeof(base->key.key));
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
if (!all_zero(base->LMSessKey.key,
sizeof(base->LMSessKey.key))) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
-
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
} else {
- netlogon_creds_aes_decrypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -818,18 +827,34 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
h = logon->password->lmpassword.hash;
if (!all_zero(h, 16)) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds, h, 16);
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ h,
+ 16);
} else {
- netlogon_creds_aes_decrypt(creds, h, 16);
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ h,
+ 16);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
h = logon->password->ntpassword.hash;
if (!all_zero(h, 16)) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds, h, 16);
+ status = netlogon_creds_aes_encrypt(creds,
+ h,
+ 16);
} else {
- netlogon_creds_aes_decrypt(creds, h, 16);
+ status = netlogon_creds_aes_decrypt(creds,
+ h,
+ 16);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -887,13 +912,18 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- logon->generic->data,
- logon->generic->length);
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ logon->generic->data,
+ logon->generic->length);
} else {
- netlogon_creds_aes_decrypt(creds,
- logon->generic->data,
- logon->generic->length);
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ logon->generic->data,
+ logon->generic->length);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
status = netlogon_creds_arcfour_crypt(creds,
--
2.23.0

41
SOURCES/0095-s3-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch
View File

@ -1,41 +0,0 @@
From ca38586a27089b6bf8769b3701e8fc7ccd5f9215 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:05:38 +1200
Subject: [PATCH 095/187] s3-rpc_server: Check NTSTATUS return value from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2f827bec8ca831fb486c8ebedc6b89b7f1cb99e2)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 08bce367bf0..671300676ff 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1369,14 +1369,16 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
SIVAL(password_buf.data, 512, r->in.new_password->length);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ status = netlogon_creds_aes_decrypt(creds,
+ password_buf.data,
+ 516);
} else {
status = netlogon_creds_arcfour_crypt(creds,
password_buf.data,
516);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
if (!decode_pw_buffer(p->mem_ctx,
--
2.23.0

63
SOURCES/0096-s4-rpc_server-Check-NTSTATUS-return-value-from-netlo.patch
View File

@ -1,63 +0,0 @@
From 2558252a6fc918cfe5e9bdfc0d7b98a1324ab61b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:15:45 +1200
Subject: [PATCH 096/187] s4-rpc_server: Check NTSTATUS return value from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1e427f55d71350b25a8a26e94a5cb7895d8efdf6)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 ++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ac745e32b02..49a075137ff 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -747,14 +747,17 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
SIVAL(password_buf.data, 512, r->in.new_password->length);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ nt_status = netlogon_creds_aes_decrypt(creds,
+ password_buf.data,
+ 516);
} else {
nt_status = netlogon_creds_arcfour_crypt(creds,
password_buf.data,
516);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
switch (creds->secure_channel_type) {
@@ -2803,14 +2806,16 @@ static NTSTATUS dcesrv_netr_NetrLogonSendToSam(struct dcesrv_call_state *dce_cal
/* Buffer is meant to be 16-bit aligned */
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, r->in.opaque_buffer, r->in.buffer_len);
+ nt_status = netlogon_creds_aes_decrypt(creds,
+ r->in.opaque_buffer,
+ r->in.buffer_len);
} else {
nt_status = netlogon_creds_arcfour_crypt(creds,
r->in.opaque_buffer,
r->in.buffer_len);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
decrypted_blob.data = r->in.opaque_buffer;
--
2.23.0

148
SOURCES/0097-s3-librpc-Remove-unused-init_netr_CryptPassword.patch
View File

@ -1,148 +0,0 @@
From 5913cd056fae4d3a147326a30182a2d30bfe7857 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:22:42 +1200
Subject: [PATCH 097/187] s3-librpc: Remove unused init_netr_CryptPassword()
Unused since 38d4dba37406515181e4d6f1a1faffc18e652e27 in 2013
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1aa249e7f4a1c4222b4cc79bac64c8b95c89d868)
---
source3/rpc_client/cli_netlogon.c | 1 -
source3/rpc_client/init_netlogon.c | 50 ------------------------------
source3/rpc_client/init_netlogon.h | 29 -----------------
source3/wscript_build | 5 ---
4 files changed, 85 deletions(-)
delete mode 100644 source3/rpc_client/init_netlogon.c
delete mode 100644 source3/rpc_client/init_netlogon.h
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 505a1d015bc..ea9cb757048 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -30,7 +30,6 @@
#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "../librpc/gen_ndr/schannel.h"
#include "rpc_client/cli_netlogon.h"
-#include "rpc_client/init_netlogon.h"
#include "rpc_client/util_netlogon.h"
#include "../libcli/security/security.h"
#include "lib/param/param.h"
diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c
deleted file mode 100644
index 26deaba8065..00000000000
--- a/source3/rpc_client/init_netlogon.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * RPC Pipe client / server routines
- * Copyright (C) Guenther Deschner 2008,2012
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/crypto.h"
-#include "rpc_client/init_netlogon.h"
-
-/*************************************************************************
- inits a netr_CryptPassword structure
- *************************************************************************/
-
-void init_netr_CryptPassword(const char *pwd,
- struct netlogon_creds_CredentialState *creds,
- struct netr_CryptPassword *pwd_buf)
-{
- struct samr_CryptPassword password_buf;
- NTSTATUS status;
-
- encode_pw_buffer(password_buf.data, pwd, STR_UNICODE);
-
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
- } else {
- status = netlogon_creds_arcfour_crypt(creds,
- password_buf.data,
- 516);
- if (!NT_STATUS_IS_OK(status)) {
- return;
- }
- }
- memcpy(pwd_buf->data, password_buf.data, 512);
- pwd_buf->length = IVAL(password_buf.data, 512);
-}
diff --git a/source3/rpc_client/init_netlogon.h b/source3/rpc_client/init_netlogon.h
deleted file mode 100644
index bb4496b4cd9..00000000000
--- a/source3/rpc_client/init_netlogon.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * RPC Pipe client / server routines
- * Copyright (C) Guenther Deschner 2008.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef _RPC_CLIENT_INIT_NETLOGON_H_
-#define _RPC_CLIENT_INIT_NETLOGON_H_
-
-/* The following definitions come from rpc_client/init_netlogon.c */
-
-void init_netr_CryptPassword(const char *pwd,
- struct netlogon_creds_CredentialState *creds,
- struct netr_CryptPassword *pwd_buf);
-
-#endif /* _RPC_CLIENT_INIT_NETLOGON_H_ */
diff --git a/source3/wscript_build b/source3/wscript_build
index b73f6dc0664..ce3fa362bc2 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1024,7 +1024,6 @@ bld.SAMBA3_LIBRARY('libcli_netlogon3',
deps='''
msrpc3
RPC_NDR_NETLOGON
- INIT_NETLOGON
cliauth
smbconf
NETLOGON_CREDS_CLI''',
@@ -1057,10 +1056,6 @@ bld.SAMBA3_SUBSYSTEM('INIT_LSA',
source='rpc_client/init_lsa.c',
deps='samba-util')
-bld.SAMBA3_SUBSYSTEM('INIT_NETLOGON',
- source='rpc_client/init_netlogon.c',
- deps='samba-util')
-
bld.SAMBA3_SUBSYSTEM('INIT_SAMR',
source='rpc_client/init_samr.c',
deps='samba-util GNUTLS_HELPERS')
--
2.23.0

47
SOURCES/0098-auth-credentials-Check-NTSTATUS-return-from-netlogon.patch
View File

@ -1,47 +0,0 @@
From cef95d8835a04065b9c7422a637f60efdb9a93fe Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:29:45 +1200
Subject: [PATCH 098/187] auth/credentials: Check NTSTATUS return from
netlogon_creds_aes_encrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fefd95091cc52f5e2655fa392312a8b1fa1d35fd)
---
auth/credentials/credentials.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 5ebec483705..81f9dbb9eb3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1333,19 +1333,19 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
return NT_STATUS_INVALID_PARAMETER;
}
if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(state,
- data.data,
- data.length);
+ status = netlogon_creds_aes_encrypt(state,
+ data.data,
+ data.length);
} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
status = netlogon_creds_arcfour_crypt(state,
data.data,
data.length);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
} else {
DBG_ERR("Unsupported encryption option negotiated");
- return NT_STATUS_NOT_SUPPORTED;
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
return NT_STATUS_OK;
}
--
2.23.0

Some files were not shown because too many files have changed in this diff Show More