import samba-4.11.2-13.el8

This commit is contained in:
CentOS Sources 2020-04-28 05:33:08 -04:00 committed by Andrew Lukoshko
commit 98dbf420db
226 changed files with 33172 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
SOURCES/samba-4.11.2.tar.xz

2
.samba.metadata Normal file
View File

@ -0,0 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
e920c3d96119b51c1d12a2428e8830000b331fe5 SOURCES/samba-4.11.2.tar.xz

View File

@ -0,0 +1,61 @@
From 826e500242004b269219ad3deeacf0e01d136933 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Jul 2019 16:54:15 +0200
Subject: [PATCH 001/187] s3:profile: Use SHA1 for hashing in profiling
functions.
This can use SHA NI instructions if the CPU supports it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 6fe2193b17ac2d57c559d3b936b37238d06d6be8)
---
source3/profile/profile.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index df0ba5b0af3..90a30f01f58 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -124,7 +124,7 @@ static void reqprofile_message(struct messaging_context *msg_ctx,
******************************************************************/
bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
{
- unsigned char tmp[16] = {};
+ uint8_t digest[gnutls_hash_get_len(GNUTLS_DIG_SHA1)];
gnutls_hash_hd_t hash_hnd = NULL;
char *db_name;
bool ok = false;
@@ -154,7 +154,7 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
reqprofile_message);
}
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
if (rc < 0) {
goto out;
}
@@ -210,15 +210,14 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
goto out;
}
- gnutls_hash_deinit(hash_hnd, tmp);
+ gnutls_hash_deinit(hash_hnd, digest);
profile_p = &smbprofile_state.stats.global;
- profile_p->magic = BVAL(tmp, 0);
+ profile_p->magic = BVAL(digest, 0);
if (profile_p->magic == 0) {
- profile_p->magic = BVAL(tmp, 8);
+ profile_p->magic = BVAL(digest, 8);
}
- ZERO_ARRAY(tmp);
ok = true;
out:
--
2.23.0

View File

@ -0,0 +1,33 @@
From bb29683ddc7cdacfe9129074652d97a11a9084af Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 16:28:27 +0200
Subject: [PATCH 002/187] lib:crypto: Fix path to header file in
gnutls_helpers.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a31a40b41a18ae09a4e2e76f41c95b011ed30bea)
---
lib/crypto/gnutls_helpers.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index b8288c25649..7c950c79525 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,8 +18,8 @@
#ifndef _GNUTLS_HELPERS_H
#define _GNUTLS_HELPERS_H
-#include "ntstatus.h"
-#include "werror.h"
+#include "libcli/util/ntstatus.h"
+#include "libcli/util/werror.h"
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
--
2.23.0

View File

@ -0,0 +1,65 @@
From bd6da0ff651385f14f8414ecb440e228d5a8a7d1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:38:44 +0200
Subject: [PATCH 003/187] lib:crypto: Add GNUTLS_FIPS140_SET_(LAX|STRICT)_MODE
to helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 31a943fa0890438cffc67a566373f36c94c0a5a8)
---
lib/crypto/gnutls_helpers.h | 11 +++++++++++
source3/modules/hash_inode.c | 10 +---------
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 7c950c79525..8a2a49baf73 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -18,9 +18,20 @@
#ifndef _GNUTLS_HELPERS_H
#define _GNUTLS_HELPERS_H
+#include <gnutls/gnutls.h>
+
#include "libcli/util/ntstatus.h"
#include "libcli/util/werror.h"
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
+
NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
NTSTATUS blocked_status,
const char *function,
diff --git a/source3/modules/hash_inode.c b/source3/modules/hash_inode.c
index 231538c72cb..a9144621901 100644
--- a/source3/modules/hash_inode.c
+++ b/source3/modules/hash_inode.c
@@ -22,15 +22,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-
-/* Those macros are only available in GnuTLS >= 3.6.4 */
-#ifndef GNUTLS_FIPS140_SET_LAX_MODE
-#define GNUTLS_FIPS140_SET_LAX_MODE()
-#endif
-
-#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
-#define GNUTLS_FIPS140_SET_STRICT_MODE()
-#endif
+#include "lib/crypto/gnutls_helpers.h"
SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
{
--
2.23.0

View File

@ -0,0 +1,63 @@
From 4728c82b9a9d857bac4cf04434856daa8d739995 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 08:41:12 +0200
Subject: [PATCH 004/187] s3:profile: Allow profile subsystem to use SHA1 in
FIPS mode
This is non-cryptographic use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 9 13:31:46 UTC 2019 on sn-devel-184
(cherry picked from commit ccf3e76625c42f5aceea0882971a232a9f56a971)
---
source3/profile/profile.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/profile/profile.c b/source3/profile/profile.c
index 90a30f01f58..7e17d065d75 100644
--- a/source3/profile/profile.c
+++ b/source3/profile/profile.c
@@ -35,6 +35,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+#include "lib/crypto/gnutls_helpers.h"
struct profile_stats *profile_p;
struct smbprofile_global_state smbprofile_state;
@@ -154,6 +155,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
reqprofile_message);
}
+ GNUTLS_FIPS140_SET_LAX_MODE();
+
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
if (rc < 0) {
goto out;
@@ -212,6 +215,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
gnutls_hash_deinit(hash_hnd, digest);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
profile_p = &smbprofile_state.stats.global;
profile_p->magic = BVAL(digest, 0);
@@ -221,6 +226,8 @@ bool profile_setup(struct messaging_context *msg_ctx, bool rdonly)
ok = true;
out:
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+
return ok;
}
--
2.23.0

View File

@ -0,0 +1,114 @@
From 290c078652ffcacd69b0b00ea5e5413515c5de22 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Mar 2019 17:03:30 +0100
Subject: [PATCH 005/187] lib:util: Use GnuTLS random number generator in
genrand.c
FIPS requires that a random number generator from a certified crypto
library is used.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 18 01:30:20 UTC 2019 on sn-devel-184
(cherry picked from commit 664eed2e926f8f572b81e6d7c8e09b7ccbafb908)
---
lib/util/genrand.c | 31 +++++++------------------------
lib/util/genrand.h | 11 ++++-------
lib/util/wscript_build | 2 +-
3 files changed, 12 insertions(+), 32 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index a775535c49e..55997c3dd55 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -20,35 +20,17 @@
*/
#include "replace.h"
-#include "system/filesys.h"
#include "lib/util/genrand.h"
-#include "sys_rw_data.h"
-#include "lib/util/blocking.h"
-static int urand_fd = -1;
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
-static void open_urandom(void)
-{
- if (urand_fd != -1) {
- return;
- }
- urand_fd = open( "/dev/urandom", O_RDONLY,0);
- if (urand_fd == -1) {
- abort();
- }
- smb_set_close_on_exec(urand_fd);
-}
+/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
- ssize_t rw_ret;
-
- open_urandom();
-
- rw_ret = read_data(urand_fd, out, len);
- if (rw_ret != len) {
- abort();
- }
+ /* Thread and fork safe random number generator for temporary keys. */
+ gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
/*
@@ -57,5 +39,6 @@ _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
*/
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- generate_random_buffer(out, len);
+ /* Thread and fork safe random number generator for long term keys. */
+ gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index ef6bbc64157..899ce8badc0 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -20,14 +20,11 @@
*/
/**
- Interface to the (hopefully) good crypto random number generator.
- Will use our internal PRNG if more than 40 bytes of random generation
- has been requested, otherwise tries to read from /dev/random
-**/
+ * Thread and fork safe random number generator for temporary keys.
+ */
void generate_random_buffer(uint8_t *out, int len);
/**
- Interface to the (hopefully) good crypto random number generator.
- Will always use /dev/urandom if available.
-**/
+ * Thread and fork safe random number generator for long term keys.
+ */
void generate_secret_buffer(uint8_t *out, int len);
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index ff1c76e3686..5f005c41e49 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -104,7 +104,7 @@ else:
bld.SAMBA_LIBRARY('genrand',
source='genrand.c',
- deps='replace socket-blocking sys_rw',
+ deps='replace gnutls',
local_include=False,
private_library=True)
--
2.23.0

View File

@ -0,0 +1,49 @@
From 8391caf4f4aa8fed5167b5e5cf04197a29ba40e8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 18 Jul 2019 13:27:57 +0200
Subject: [PATCH 006/187] lib:crypto: Document gnutls_error_to_werror()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e43678b84a3434b977f44b265599f1d9207d3b78)
---
lib/crypto/gnutls_helpers.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index 8a2a49baf73..debaa701554 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -40,6 +40,21 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc,
_gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \
__FUNCTION__, __location__)
+#ifdef DOXYGEN
+/**
+ * @brief Convert a gnutls error code to a corresponding WERROR.
+ *
+ * @param[in] gnutls_rc The GnuTLS return code.
+ *
+ * @param[in] blocked_werr The WERROR code which should be returned if e.g
+ * the cipher we want to used it not allowed to be
+ * used because of FIPS mode.
+ *
+ * @return A corresponding WERROR code.
+ */
+WERROR gnutls_error_to_werror(int gnutls_rc,
+ WERROR blocked_werr);
+#else
WERROR _gnutls_error_to_werror(int gnutls_rc,
WERROR blocked_werr,
const char *function,
@@ -47,6 +62,7 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
#define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
_gnutls_error_to_werror(gnutls_rc, blocked_werr, \
__FUNCTION__, __location__)
+#endif
enum samba_gnutls_direction {
SAMBA_GNUTLS_ENCRYPT,
--
2.23.0

View File

@ -0,0 +1,45 @@
From 47f922c797006a3158fa3e077a7086086917b5e4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 18 Jul 2019 13:33:54 +0200
Subject: [PATCH 007/187] lib:crypto: Document
samba_gnutls_arcfour_confounded_md5()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit baa96ef20945638fb5ee76b03543c7b611e9c7d7)
---
lib/crypto/gnutls_helpers.h | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index debaa701554..d6000c7b316 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -69,6 +69,24 @@ enum samba_gnutls_direction {
SAMBA_GNUTLS_DECRYPT
};
+/**
+ * @brief Encrypt or decrypt a data blob using RC4 with a key and salt.
+ *
+ * One of the key input should be a session key and the other a confounder
+ * (aka salt). Which one depends on the implementation details of the
+ * protocol.
+ *
+ * @param[in] key_input1 Either a session_key or a confounder.
+ *
+ * @param[in] key_input2 Either a session_key or a confounder.
+ *
+ * @param[in] data The data blob ot either encrypt or decrypt. The data
+ * will be encrypted or decrypted in place.
+ *
+ * @param[in] encrypt The encryption direction.
+ *
+ * @return A gnutls error code.
+ */
int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
const DATA_BLOB *key_input2,
DATA_BLOB *data,
--
2.23.0

View File

@ -0,0 +1,150 @@
From bcbc9eca11583426d9b0e7ce4d4e51b16bda32f0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 16:22:11 +0200
Subject: [PATCH 008/187] s3:rpc_client: Return NTSTATUS for
init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4b9b1dbe9c8c988a39b1318a4f7aac031bc1ea8b)
---
source3/lib/netapi/user.c | 9 ++++++---
source3/libnet/libnet_join.c | 10 +++++++---
source3/rpc_client/init_samr.c | 14 ++++++++++----
source3/rpc_client/init_samr.h | 6 +++---
source3/rpcclient/cmd_samr.c | 5 ++++-
source3/utils/net_rpc.c | 9 ++++++---
6 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 4b66dab2f99..2136ef47ee6 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -326,9 +326,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info23.info = info21;
- init_samr_CryptPassword(uX->usriX_password,
- session_key,
- &user_info.info23.password);
+ status = init_samr_CryptPassword(uX->usriX_password,
+ session_key,
+ &user_info.info23.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
user_handle,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 9d4f656ffec..abf8672d050 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1570,9 +1570,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
/* retry with level 24 */
- init_samr_CryptPassword(r->in.machine_password,
- &session_key,
- &crypt_pwd);
+ status = init_samr_CryptPassword(r->in.machine_password,
+ &session_key,
+ &crypt_pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
user_info.info24.password = crypt_pwd;
user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
@@ -1584,6 +1587,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
&result);
}
+error:
old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index d116ece576f..8b41ec2f10f 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -81,12 +81,18 @@ out:
inits a samr_CryptPassword structure
*************************************************************************/
-void init_samr_CryptPassword(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPassword *pwd_buf)
+NTSTATUS init_samr_CryptPassword(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPassword *pwd_buf)
{
/* samr_CryptPassword */
+ bool ok;
- encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+ ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
arcfour_crypt_blob(pwd_buf->data, 516, session_key);
+
+ return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 223fa91e3d9..4214ab55a04 100644
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
@@ -25,8 +25,8 @@
void init_samr_CryptPasswordEx(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPasswordEx *pwd_buf);
-void init_samr_CryptPassword(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPassword *pwd_buf);
+NTSTATUS init_samr_CryptPassword(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPassword *pwd_buf);
#endif /* _RPC_CLIENT_INIT_SAMR_H_ */
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 8cbf8ab24bd..ccaec1ada40 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3063,7 +3063,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return status;
}
- init_samr_CryptPassword(param, &session_key, &pwd_buf);
+ status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
nt_lm_owf_gen(param, nt_hash, lm_hash);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index a56190f7be5..f6fb892a2d9 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6195,9 +6195,12 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
ZERO_STRUCT(info.info23);
- init_samr_CryptPassword(argv[1],
- &session_key,
- &crypt_pwd);
+ status = init_samr_CryptPassword(argv[1],
+ &session_key,
+ &crypt_pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
info.info23.info.fields_present = SAMR_FIELD_ACCT_FLAGS |
SAMR_FIELD_NT_PASSWORD_PRESENT;
--
2.23.0

View File

@ -0,0 +1,199 @@
From 97f9ec9431ebf22ae06f61c97c183e04b59d6e7f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 17:16:26 +0200
Subject: [PATCH 009/187] s3:rpc_client: Return NTSTATUS for
init_samr_CryptPasswordEx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7915a48e53c8f72ba56da2f433427b961feeb16f)
---
source3/lib/netapi/user.c | 9 ++++---
source3/libnet/libnet_join.c | 9 ++++---
source3/rpc_client/init_samr.c | 27 +++++++++++++++------
source3/rpc_client/init_samr.h | 6 ++---
source3/rpc_server/netlogon/srv_netlog_nt.c | 9 ++++---
source3/rpcclient/cmd_samr.c | 5 +++-
6 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 2136ef47ee6..827b7902040 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -313,9 +313,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info25.info = info21;
- init_samr_CryptPasswordEx(uX->usriX_password,
- session_key,
- &user_info.info25.password);
+ status = init_samr_CryptPasswordEx(uX->usriX_password,
+ session_key,
+ &user_info.info25.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
user_handle,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index abf8672d050..eb8e0ea17f7 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1553,9 +1553,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
*/
old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
- init_samr_CryptPasswordEx(r->in.machine_password,
- &session_key,
- &crypt_pwd_ex);
+ status = init_samr_CryptPasswordEx(r->in.machine_password,
+ &session_key,
+ &crypt_pwd_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
user_info.info26.password = crypt_pwd_ex;
user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 8b41ec2f10f..5f6cbc5d3c7 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -22,6 +22,7 @@
#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_samr.h"
+#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -29,9 +30,9 @@
inits a samr_CryptPasswordEx structure
*************************************************************************/
-void init_samr_CryptPasswordEx(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPasswordEx *pwd_buf)
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *pwd_buf)
{
/* samr_CryptPasswordEx */
@@ -39,42 +40,52 @@ void init_samr_CryptPasswordEx(const char *pwd,
gnutls_hash_hd_t hash_hnd = NULL;
uint8_t confounder[16];
DATA_BLOB confounded_session_key = data_blob(NULL, 16);
+ NTSTATUS status;
+ bool ok;
int rc;
- encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+ ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
generate_random_buffer((uint8_t *)confounder, 16);
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, confounder, 16);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
arcfour_crypt_blob(pwbuf, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
+ data_blob_clear_free(&confounded_session_key);
memcpy(&pwbuf[516], confounder, 16);
ZERO_ARRAY(confounder);
memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
ZERO_ARRAY(pwbuf);
+
+ status = NT_STATUS_OK;
out:
- return;
+ data_blob_clear_free(&confounded_session_key);
+ return status;
}
/*************************************************************************
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 4214ab55a04..3f0dc847dd2 100644
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
@@ -22,9 +22,9 @@
/* The following definitions come from rpc_client/init_samr.c */
-void init_samr_CryptPasswordEx(const char *pwd,
- DATA_BLOB *session_key,
- struct samr_CryptPasswordEx *pwd_buf);
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *pwd_buf);
NTSTATUS init_samr_CryptPassword(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPassword *pwd_buf);
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c9aaa90cbb9..d5267bf7062 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1226,9 +1226,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
infolevel = UserInternal5InformationNew;
- init_samr_CryptPasswordEx(cr->creds.password,
- &session_key,
- &info26.password);
+ status = init_samr_CryptPasswordEx(cr->creds.password,
+ &session_key,
+ &info26.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
info->info26 = info26;
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index ccaec1ada40..b1b7c06515c 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3067,7 +3067,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+ status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
nt_lm_owf_gen(param, nt_hash, lm_hash);
switch (level) {
--
2.23.0

View File

@ -0,0 +1,115 @@
From 6125794925d054da191cf6c21a76ceb904848710 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 14:57:52 +0200
Subject: [PATCH 010/187] libcli:auth: Return NTSTATUS for
encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 57dd415ba49b9621deddf604a5bf148c10ebc37e)
---
libcli/auth/proto.h | 3 ++-
libcli/auth/smbencrypt.c | 10 ++++++++--
source3/rpc_server/samr/srv_samr_nt.c | 10 ++++++++--
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index afd7f0d148d..651f1139cf5 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,7 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key);
+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index a74ccf09b02..ae97f3cc93e 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,27 +843,32 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key)
+NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key)
{
gnutls_hash_hd_t hash_hnd = NULL;
unsigned char key_out[16];
+ NTSTATUS status;
int rc;
/* Confounder is last 16 bytes. */
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, &pw_buf[516], 16);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
gnutls_hash_deinit(hash_hnd, key_out);
@@ -873,8 +878,9 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
ZERO_ARRAY(key_out);
+ status = NT_STATUS_OK;
out:
- return;
+ return status;
}
/***********************************************************
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 124d6d38cd7..c2be8bfc19a 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,9 +5185,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- encode_or_decode_arc4_passwd_buffer(
+ status = encode_or_decode_arc4_passwd_buffer(
info->info25.password.data,
&session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info25.password.data, 532);
@@ -5201,9 +5204,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- encode_or_decode_arc4_passwd_buffer(
+ status = encode_or_decode_arc4_passwd_buffer(
info->info26.password.data,
&session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info26.password.data, 516);
--
2.23.0

View File

@ -0,0 +1,234 @@
From f0d4f6ec31079506b01502f7b515245ace03227d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 09:39:02 +0200
Subject: [PATCH 011/187] libcli:auth: Add test for decoding an RC4 password
buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7ccc76f951a626a25d553ac85c5bf30eb29ffa2b)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 177 +++++++++++++++++++++
libcli/auth/wscript_build | 9 ++
selftest/tests.py | 2 +
3 files changed, 188 insertions(+)
create mode 100644 libcli/auth/tests/test_rc4_passwd_buffer.c
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
new file mode 100644
index 00000000000..f40ac3a5655
--- /dev/null
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -0,0 +1,177 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2018-2019 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "libcli/auth/libcli_auth.h"
+#include "rpc_client/init_samr.h"
+
+#define PASSWORD "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+static const uint8_t encrypted_test_blob[] = {
+ 0x37, 0x8e, 0x1d, 0xd5, 0xd3, 0x9f, 0xca, 0x8e,
+ 0x2f, 0x2d, 0xee, 0xc3, 0xb5, 0x50, 0xcd, 0x4e,
+ 0xc9, 0x08, 0x04, 0x68, 0x32, 0xc3, 0xac, 0x8e,
+ 0x53, 0x69, 0xd6, 0xb7, 0x56, 0xcc, 0xc0, 0xbe,
+ 0x4e, 0x96, 0xa7, 0x74, 0xe9, 0xaa, 0x10, 0x3d,
+ 0xd5, 0x8c, 0xaa, 0x12, 0x56, 0xb6, 0xf1, 0x85,
+ 0x21, 0xfa, 0xe9, 0xa1, 0x76, 0xe6, 0xa5, 0x33,
+ 0x33, 0x2f, 0x47, 0x29, 0xd6, 0xbd, 0xde, 0x64,
+ 0x4d, 0x15, 0x3e, 0x6a, 0x11, 0x9b, 0x52, 0xbf,
+ 0x7e, 0x3a, 0xeb, 0x1c, 0x55, 0xd1, 0xb2, 0xa4,
+ 0x35, 0x03, 0x6c, 0x39, 0x61, 0x28, 0x98, 0xc3,
+ 0x2d, 0xd4, 0x70, 0x69, 0x8b, 0x83, 0xe9, 0x62,
+ 0xbe, 0xd8, 0x72, 0x4e, 0xdf, 0xd4, 0xe9, 0xe3,
+ 0x46, 0x2a, 0xf9, 0x3c, 0x0f, 0x41, 0x62, 0xe1,
+ 0x43, 0xf0, 0x91, 0xbe, 0x72, 0xa0, 0xc9, 0x08,
+ 0x73, 0x20, 0x1f, 0x0d, 0x68, 0x2e, 0x32, 0xa1,
+ 0xb8, 0x9b, 0x08, 0xa1, 0xb4, 0x81, 0x6b, 0xf1,
+ 0xde, 0x0c, 0x28, 0x34, 0xe2, 0x65, 0x62, 0x54,
+ 0xeb, 0xc0, 0x71, 0x14, 0xad, 0x36, 0x43, 0x0e,
+ 0x92, 0x4d, 0x11, 0xe8, 0xdd, 0x2d, 0x5f, 0x05,
+ 0xff, 0x07, 0xda, 0x81, 0x4e, 0x27, 0x42, 0xa8,
+ 0xa9, 0x64, 0x4c, 0x74, 0xc8, 0x05, 0xbb, 0x83,
+ 0x5a, 0xd9, 0x90, 0x3e, 0x0d, 0x9d, 0xe5, 0x2f,
+ 0x08, 0xf9, 0x1b, 0xbd, 0x26, 0xc3, 0x0d, 0xac,
+ 0x43, 0xd5, 0x17, 0xf2, 0x61, 0xf5, 0x74, 0x9b,
+ 0xf3, 0x5b, 0x5f, 0xe1, 0x8a, 0xa6, 0xfd, 0xdf,
+ 0xff, 0xb5, 0x8b, 0xf1, 0x26, 0xf7, 0xe0, 0xa7,
+ 0x4f, 0x5b, 0xb8, 0x6d, 0xeb, 0xf6, 0x52, 0x68,
+ 0x8d, 0xa3, 0xd4, 0x7f, 0x56, 0x43, 0xaa, 0xec,
+ 0x58, 0x47, 0x03, 0xee, 0x9b, 0x59, 0xd9, 0x78,
+ 0x9a, 0xfb, 0x9e, 0xe9, 0xa6, 0x61, 0x4e, 0x6d,
+ 0x92, 0x35, 0xd3, 0x37, 0x6e, 0xf2, 0x34, 0x39,
+ 0xd4, 0xd2, 0xeb, 0xcf, 0x1c, 0x10, 0xb3, 0x2b,
+ 0x3e, 0x07, 0x42, 0x3e, 0x20, 0x90, 0x07, 0x3e,
+ 0xc7, 0xed, 0xd4, 0xdf, 0x50, 0xe5, 0xff, 0xaf,
+ 0x05, 0xce, 0x29, 0xbe, 0x01, 0xf8, 0xb0, 0x30,
+ 0x96, 0xae, 0x1b, 0x62, 0x23, 0x93, 0x91, 0x1a,
+ 0x52, 0x98, 0xd9, 0x59, 0xb8, 0x11, 0xec, 0xb8,
+ 0xcf, 0x20, 0x32, 0x90, 0x9e, 0xf2, 0x06, 0x43,
+ 0xb8, 0x36, 0xe3, 0x33, 0x4e, 0x6f, 0x75, 0xeb,
+ 0xf7, 0x6c, 0xac, 0x06, 0x5f, 0x24, 0x8e, 0x4a,
+ 0x03, 0xdf, 0x50, 0x31, 0xaa, 0x91, 0xd5, 0x85,
+ 0x95, 0x78, 0x5b, 0xf4, 0x7f, 0x3e, 0xbc, 0x41,
+ 0xfa, 0x10, 0xd3, 0x0f, 0x86, 0x8b, 0x23, 0xed,
+ 0xfc, 0xcc, 0x3e, 0x7d, 0x8c, 0xb4, 0x7c, 0xec,
+ 0x04, 0x7d, 0x12, 0x53, 0xa1, 0x30, 0xc5, 0xac,
+ 0xf3, 0x1e, 0x54, 0x1f, 0x97, 0x05, 0x86, 0x74,
+ 0x51, 0x13, 0x45, 0x98, 0xb8, 0x50, 0x62, 0x18,
+ 0x0f, 0x6d, 0x66, 0xa4, 0x88, 0x31, 0x76, 0xa3,
+ 0xb0, 0x75, 0x55, 0x44, 0x18, 0x7c, 0x67, 0xc7,
+ 0x09, 0x9c, 0xab, 0x53, 0x49, 0xc0, 0xc9, 0x27,
+ 0x53, 0xa6, 0x99, 0x01, 0x10, 0x49, 0x67, 0x8e,
+ 0x5b, 0x12, 0x96, 0x40, 0x16, 0x39, 0x11, 0x53,
+ 0x44, 0x8f, 0xa9, 0xbe, 0x84, 0xbe, 0xe0, 0x45,
+ 0xe3, 0xfd, 0x48, 0x46, 0x43, 0x53, 0x13, 0x5f,
+ 0xfa, 0xcf, 0x09, 0x67, 0x90, 0xa3, 0x94, 0xaa,
+ 0x0d, 0x1f, 0xc2, 0xc3, 0xd4, 0x7e, 0xc8, 0x14,
+ 0xbe, 0x84, 0xa5, 0x55, 0xee, 0x49, 0x8e, 0x03,
+ 0x1d, 0xaf, 0xad, 0x65, 0x2f, 0xf0, 0xd5, 0x90,
+ 0x5e, 0x8d, 0x29, 0x40, 0xba, 0x57, 0x26, 0xa8,
+ 0x6c, 0x4b, 0x59, 0x40, 0x4e, 0xc2, 0xc4, 0x88,
+ 0x0a, 0x06, 0x2b, 0x6c, 0x2a, 0xc7, 0x3f, 0xfe,
+ 0x37, 0x2c, 0x41, 0x58, 0xfe, 0x7e, 0xaf, 0xd1,
+ 0xd9, 0xd2, 0x9c, 0xd7, 0x8a, 0x01, 0x0e, 0x8c,
+ 0x9e, 0x8b, 0x5d, 0x72, 0x54, 0x00, 0xbe, 0xb2,
+ 0x9a, 0xc7, 0xfd, 0x83, 0x1e, 0x9c, 0x79, 0xdd,
+ 0x15, 0x13, 0xdc, 0x15,
+};
+
+static void torture_decode_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ memcpy(out_pwd_buf.data,
+ encrypted_test_blob,
+ sizeof(out_pwd_buf.data));
+
+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
+ &session_key);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+}
+
+static void torture_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ status = init_samr_CryptPasswordEx(PASSWORD,
+ &session_key,
+ &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
+ &session_key);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(torture_decode_rc4_passwd_buffer),
+ cmocka_unit_test(torture_rc4_passwd_buffer),
+ };
+
+ if (argc == 2) {
+ cmocka_set_test_filter(argv[1]);
+ }
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ rc = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rc;
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 04e2b09eadf..eabf3814ba1 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -62,3 +62,12 @@ bld.SAMBA_BINARY('test_schannel',
cmocka
''',
install=False)
+
+bld.SAMBA_BINARY('test_rc4_passwd_buffer',
+ source='tests/test_rc4_passwd_buffer.c',
+ deps='''
+ INIT_SAMR
+ LIBCLI_AUTH
+ cmocka
+ ''',
+ install=False)
diff --git a/selftest/tests.py b/selftest/tests.py
index bbb5709ee47..c91d9b445fe 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -392,6 +392,8 @@ plantestsuite("samba.unittests.ntlm_check", "none",
[os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
plantestsuite("samba.unittests.schannel", "none",
[os.path.join(bindir(), "default/libcli/auth/test_schannel")])
+plantestsuite("samba.unittests.rc4_passwd_buffer", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_rc4_passwd_buffer")])
plantestsuite("samba.unittests.test_registry_regfio", "none",
[os.path.join(bindir(), "default/source3/test_registry_regfio")])
plantestsuite("samba.unittests.test_oLschema2ldif", "none",
--
2.23.0

View File

@ -0,0 +1,94 @@
From 6546e97d27e45db9cbfd2f7d8c4838b2fd8d6a6a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 Jul 2019 16:22:48 +0200
Subject: [PATCH 012/187] s3:rpc_client: Use
samba_gnutls_arcfour_confounded_md5 in init_samr_CryptPasswordEx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2075019ca90d7d474003c87b2f0202239891eba5)
---
source3/rpc_client/init_samr.c | 50 ++++++++++------------------------
1 file changed, 15 insertions(+), 35 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 5f6cbc5d3c7..3968dfea99f 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -36,56 +36,36 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
{
/* samr_CryptPasswordEx */
- uint8_t pwbuf[532];
- gnutls_hash_hd_t hash_hnd = NULL;
- uint8_t confounder[16];
- DATA_BLOB confounded_session_key = data_blob(NULL, 16);
- NTSTATUS status;
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 16);
+ uint8_t pwbuf[532] = {0};
+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
bool ok;
int rc;
ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
if (!ok) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto out;
+ return NT_STATUS_INTERNAL_ERROR;
}
- generate_random_buffer((uint8_t *)confounder, 16);
+ generate_random_buffer(_confounder, sizeof(_confounder));
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ session_key,
+ &encrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ ZERO_ARRAY(_confounder);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
}
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(pwbuf, 516, &confounded_session_key);
- data_blob_clear_free(&confounded_session_key);
-
- memcpy(&pwbuf[516], confounder, 16);
- ZERO_ARRAY(confounder);
+ memcpy(&pwbuf[516], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
ZERO_ARRAY(pwbuf);
- status = NT_STATUS_OK;
-out:
- data_blob_clear_free(&confounded_session_key);
- return status;
+ return NT_STATUS_OK;
}
/*************************************************************************
--
2.23.0

View File

@ -0,0 +1,65 @@
From 9913d8e981dd39fd1f7e260644f35aa6718c9bd2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 13:15:08 +0100
Subject: [PATCH 013/187] s3:rpc_client: Use GnuTLS RC4 in
init_samr_CryptPassword()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 95db9a81db093488e625b4ef385a184a5e517ede)
---
source3/rpc_client/init_samr.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 3968dfea99f..0eb50c54525 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -19,7 +19,6 @@
#include "includes.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_samr.h"
#include "lib/crypto/gnutls_helpers.h"
@@ -77,13 +76,33 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
struct samr_CryptPassword *pwd_buf)
{
/* samr_CryptPassword */
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t sess_key = {
+ .data = session_key->data,
+ .size = session_key->length,
+ };
bool ok;
+ int rc;
ok = encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
if (!ok) {
return NT_STATUS_INTERNAL_ERROR;
}
- arcfour_crypt_blob(pwd_buf->data, 516, session_key);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &sess_key,
+ NULL);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ pwd_buf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
return NT_STATUS_OK;
}
--
2.23.0

View File

@ -0,0 +1,73 @@
From 15ca4ae322f88f797c571ad7801a9e44a6262d73 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:09:32 +0200
Subject: [PATCH 014/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() for rc4 passwd buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dea160820a393be51985a4e761a3f73da83972e7)
---
libcli/auth/smbencrypt.c | 39 +++++++++------------------------------
1 file changed, 9 insertions(+), 30 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index ae97f3cc93e..17c1e1f69ff 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -846,41 +846,20 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
const DATA_BLOB *psession_key)
{
- gnutls_hash_hd_t hash_hnd = NULL;
- unsigned char key_out[16];
- NTSTATUS status;
- int rc;
-
/* Confounder is last 16 bytes. */
+ DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
+ DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
+ int rc;
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ psession_key,
+ &pw_data,
+ SAMBA_GNUTLS_DECRYPT);
if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
}
- rc = gnutls_hash(hash_hnd, &pw_buf[516], 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, psession_key->data, psession_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, key_out);
-
- /* arc4 with key_out. */
- arcfour_crypt(pw_buf, key_out, 516);
-
- ZERO_ARRAY(key_out);
-
- status = NT_STATUS_OK;
-out:
- return status;
+ return NT_STATUS_OK;
}
/***********************************************************
--
2.23.0

View File

@ -0,0 +1,97 @@
From 228c16e06b82a3d7a33c2d4440aa258518c8c29f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 Jul 2019 10:12:43 +0200
Subject: [PATCH 015/187] libcli:auth: Rename
encode_or_decode_arc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 89f8b028e2d595348f9996854488d7aa552ae905)
---
libcli/auth/proto.h | 4 ++--
libcli/auth/smbencrypt.c | 4 ++--
libcli/auth/tests/test_rc4_passwd_buffer.c | 6 ++----
source3/rpc_server/samr/srv_samr_nt.c | 4 ++--
4 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 651f1139cf5..1bcbeddb228 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key);
+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 17c1e1f69ff..7e343f71577 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,8 +843,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key)
+NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
+ const DATA_BLOB *psession_key)
{
/* Confounder is last 16 bytes. */
DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index f40ac3a5655..eb737703230 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -114,8 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
encrypted_test_blob,
sizeof(out_pwd_buf.data));
- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -144,8 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
&out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
- status = encode_or_decode_arc4_passwd_buffer(out_pwd_buf.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index c2be8bfc19a..4dc9132511f 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,7 +5185,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = encode_or_decode_arc4_passwd_buffer(
+ status = decode_rc4_passwd_buffer(
info->info25.password.data,
&session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -5204,7 +5204,7 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = encode_or_decode_arc4_passwd_buffer(
+ status = decode_rc4_passwd_buffer(
info->info26.password.data,
&session_key);
if (!NT_STATUS_IS_OK(status)) {
--
2.23.0

View File

@ -0,0 +1,115 @@
From 3eb3f3bdabd103c3858323e08a9180913c223e16 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 12:53:31 +0200
Subject: [PATCH 016/187] libcli:auth: Pass samr_CryptPasswordEx to
decode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 79ca72ec3d13fea5d2ad608415757ca9870035a3)
---
libcli/auth/proto.h | 4 ++--
libcli/auth/smbencrypt.c | 8 ++++----
libcli/auth/tests/test_rc4_passwd_buffer.c | 5 +++--
source3/rpc_server/samr/srv_samr_nt.c | 10 ++++------
4 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 1bcbeddb228..a67c89d8552 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key);
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd);
/***********************************************************
encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 7e343f71577..b7b17130f07 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,12 +843,12 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
Decode an arc4 encrypted password change buffer.
************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key)
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd)
{
/* Confounder is last 16 bytes. */
- DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
- DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
+ DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16);
+ DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516);
int rc;
rc = samba_gnutls_arcfour_confounded_md5(&confounder,
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index eb737703230..3bf371c5dd5 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -114,7 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
encrypted_test_blob,
sizeof(out_pwd_buf.data));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -143,7 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
&out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
assert_true(NT_STATUS_IS_OK(status));
ok = decode_pw_buffer(NULL,
@@ -154,6 +154,7 @@ static void torture_rc4_passwd_buffer(void **state)
assert_true(ok);
assert_int_equal(password_decoded_len, strlen(PASSWORD));
assert_string_equal(password_decoded, PASSWORD);
+ talloc_free(password_decoded);
}
int main(int argc, char *argv[])
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 4dc9132511f..fd5c453e0eb 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,9 +5185,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = decode_rc4_passwd_buffer(
- info->info25.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info25.password);
if (!NT_STATUS_IS_OK(status)) {
break;
}
@@ -5204,9 +5203,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- status = decode_rc4_passwd_buffer(
- info->info26.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info26.password);
if (!NT_STATUS_IS_OK(status)) {
break;
}
--
2.23.0

View File

@ -0,0 +1,89 @@
From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:01:10 +0200
Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf)
---
libcli/auth/proto.h | 7 +++++++
libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index a67c89d8552..67caaca8c41 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
size_t *new_pw_len,
charset_t string_charset);
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd);
+
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index b7b17130f07..793012553b2 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
return true;
}
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd)
+{
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 16);
+ DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);
+ bool ok;
+ int rc;
+
+ ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ generate_random_buffer(confounder.data, confounder.length);
+
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ session_key,
+ &pw_data,
+ SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ ZERO_ARRAY(_confounder);
+ data_blob_clear(&pw_data);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+
+ /*
+ * The packet format is the 516 byte RC4 encrypted
+ * pasword followed by the 16 byte counfounder
+ * The confounder is a salt to prevent pre-computed hash attacks on the
+ * database.
+ */
+ memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
+
+ return NT_STATUS_OK;
+}
+
/***********************************************************
Decode an arc4 encrypted password change buffer.
************************************************************/
--
2.23.0

View File

@ -0,0 +1,65 @@
From fe1f6278c7a5c54d948f6ca031686745ad653a94 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:06:49 +0200
Subject: [PATCH 018/187] libcli:auth: Add test for encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fe00b3735a7e8ae16fb6443965769f1e947a6aa6)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 31 ++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index 3bf371c5dd5..db6ca3f3f4c 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -157,12 +157,43 @@ static void torture_rc4_passwd_buffer(void **state)
talloc_free(password_decoded);
}
+static void torture_endode_decode_rc4_passwd_buffer(void **state)
+{
+ char *password_decoded = NULL;
+ size_t password_decoded_len = 0;
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct samr_CryptPasswordEx out_pwd_buf = {
+ .data = {0},
+ };
+ NTSTATUS status;
+ bool ok;
+
+ status = encode_rc4_passwd_buffer(PASSWORD,
+ &session_key,
+ &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
+ assert_true(NT_STATUS_IS_OK(status));
+
+ ok = decode_pw_buffer(NULL,
+ out_pwd_buf.data,
+ &password_decoded,
+ &password_decoded_len,
+ CH_UTF16);
+ assert_true(ok);
+ assert_int_equal(password_decoded_len, strlen(PASSWORD));
+ assert_string_equal(password_decoded, PASSWORD);
+ talloc_free(password_decoded);
+}
+
int main(int argc, char *argv[])
{
int rc;
const struct CMUnitTest tests[] = {
cmocka_unit_test(torture_decode_rc4_passwd_buffer),
cmocka_unit_test(torture_rc4_passwd_buffer),
+ cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer),
};
if (argc == 2) {
--
2.23.0

View File

@ -0,0 +1,60 @@
From 26b7ab9339d9e6530244bf35e38a3658d7fc8aa9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 11:44:51 +0200
Subject: [PATCH 019/187] s3:rpc_client: Use encode_rc4_passwd_buffer() in
init_samr_CryptPasswordEx()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f0c0cf299eb99e7b78be2f04141b6d415bf525e2)
---
source3/rpc_client/init_samr.c | 33 +--------------------------------
1 file changed, 1 insertion(+), 32 deletions(-)
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 0eb50c54525..a98d50e3f6a 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -33,38 +33,7 @@ NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
DATA_BLOB *session_key,
struct samr_CryptPasswordEx *pwd_buf)
{
- /* samr_CryptPasswordEx */
-
- uint8_t _confounder[16] = {0};
- DATA_BLOB confounder = data_blob_const(_confounder, 16);
- uint8_t pwbuf[532] = {0};
- DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
- bool ok;
- int rc;
-
- ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
- if (!ok) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- generate_random_buffer(_confounder, sizeof(_confounder));
-
- rc = samba_gnutls_arcfour_confounded_md5(&confounder,
- session_key,
- &encrypt_pwbuf,
- SAMBA_GNUTLS_ENCRYPT);
- if (rc < 0) {
- ZERO_ARRAY(_confounder);
- return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
- }
-
- memcpy(&pwbuf[516], confounder.data, confounder.length);
- ZERO_ARRAY(_confounder);
-
- memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
- ZERO_ARRAY(pwbuf);
-
- return NT_STATUS_OK;
+ return encode_rc4_passwd_buffer(pwd, session_key, pwd_buf);
}
/*************************************************************************
--
2.23.0

View File

@ -0,0 +1,108 @@
From c82322be0012f8bf467d75681bd82322eba11145 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:01:49 +0200
Subject: [PATCH 020/187] s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_26()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5afa402bb7ba11a8eefc6e14047eeec1f3327681)
---
source4/libnet/libnet_passwd.c | 47 ++++++++--------------------------
1 file changed, 11 insertions(+), 36 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 97ce7f58ddf..0beea077bd0 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -23,6 +23,7 @@
#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "source4/librpc/rpc/dcerpc.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@@ -276,10 +277,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
if (r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -287,9 +284,8 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
/* prepare samr_SetUserInfo2 level 26 */
ZERO_STRUCT(u_info);
- encode_pw_buffer(u_info.info26.password.data, r->samr_handle.in.newpassword, STR_UNICODE);
u_info.info26.password_expired = 0;
-
+
status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
r->samr_handle.out.error_string = talloc_asprintf(mem_ctx,
@@ -297,38 +293,18 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
nt_errstr(status));
return status;
}
-
- generate_random_buffer((uint8_t *)confounder, 16);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword,
+ &session_key,
+ &u_info.info26.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string =
+ talloc_asprintf(mem_ctx,
+ "encode_rc4_passwd_buffer failed: %s",
+ nt_errstr(status));
+ return status;
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info26.password.data, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
-
- memcpy(&u_info.info26.password.data[516], confounder, 16);
- ZERO_ARRAY(confounder);
-
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
sui.in.level = 26;
@@ -346,7 +322,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA
r->samr_handle.in.account_name, nt_errstr(status));
}
-out:
return status;
}
--
2.23.0

View File

@ -0,0 +1,95 @@
From c162d52b14947990fb6102180a7e2fd6a7d8d1d5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:11:54 +0200
Subject: [PATCH 021/187] s4:libnet: Use encode_rc4_passwd_buffer() in
libnet_SetPassword_samr_handle_25()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e44ba0397c7558e1da6a46cc38237a3b0e5cef49)
---
source4/libnet/libnet_passwd.c | 43 +++++++---------------------------
1 file changed, 9 insertions(+), 34 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 0beea077bd0..b2105121523 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -331,10 +331,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd = NULL;
- int rc;
if (!r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -344,7 +340,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
ZERO_STRUCT(u_info);
u_info.info25.info = *r->samr_handle.in.info21;
u_info.info25.info.fields_present |= SAMR_FIELD_NT_PASSWORD_PRESENT;
- encode_pw_buffer(u_info.info25.password.data, r->samr_handle.in.newpassword, STR_UNICODE);
status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -354,36 +349,17 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
return status;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, confounder, 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
+ status = encode_rc4_passwd_buffer(r->samr_handle.in.newpassword,
+ &session_key,
+ &u_info.info25.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string =
+ talloc_asprintf(mem_ctx,
+ "encode_rc4_passwd_buffer failed: %s",
+ nt_errstr(status));
+ return status;
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info25.password.data, 516, &confounded_session_key);
- ZERO_ARRAY_LEN(confounded_session_key.data,
- confounded_session_key.length);
- data_blob_free(&confounded_session_key);
-
- memcpy(&u_info.info25.password.data[516], confounder, 16);
- ZERO_ARRAY(confounder);
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -401,7 +377,6 @@ static NTSTATUS libnet_SetPassword_samr_handle_25(struct libnet_context *ctx, TA
r->samr_handle.in.account_name, nt_errstr(status));
}
-out:
return status;
}
--
2.23.0

View File

@ -0,0 +1,72 @@
From 5b0f5925814742ca8b7e772f1a7f4558b770c45b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Feb 2019 13:38:21 +0100
Subject: [PATCH 022/187] s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_24()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 18937f9ceb5aca23899555c5a34fe359f6fcb126)
---
source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index b2105121523..064ef98879a 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -386,6 +386,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t enc_session_key;
+ int rc;
if (r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -404,7 +407,28 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
return status;
}
- arcfour_crypt_blob(u_info.info24.password.data, 516, &session_key);
+ enc_session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ u_info.info24.password.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -421,6 +445,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA
"SetUserInfo2 level 24 for [%s] failed: %s",
r->samr_handle.in.account_name, nt_errstr(status));
}
+
+out:
+ data_blob_clear(&session_key);
return status;
}
--
2.23.0

View File

@ -0,0 +1,72 @@
From e5e6605b40f80eee699f3fde275a620022979f05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Feb 2019 13:38:21 +0100
Subject: [PATCH 023/187] s4:libnet: Use GnuTLS RC4 in
libnet_SetPassword_samr_handle_23()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cdb4e12765266ae767021d932870fbfcd55ccbf6)
---
source4/libnet/libnet_passwd.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 064ef98879a..dce3813de38 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -457,6 +457,9 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
struct samr_SetUserInfo2 sui;
union samr_UserInfo u_info;
DATA_BLOB session_key;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t _session_key;
+ int rc;
if (!r->samr_handle.in.info21) {
return NT_STATUS_INVALID_PARAMETER_MIX;
@@ -477,7 +480,29 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
return status;
}
- arcfour_crypt_blob(u_info.info23.password.data, 516, &session_key);
+ _session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ u_info.info23.password.data,
+ 516);
+ data_blob_clear_free(&session_key);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
sui.in.user_handle = r->samr_handle.in.user_handle;
sui.in.info = &u_info;
@@ -494,6 +519,8 @@ static NTSTATUS libnet_SetPassword_samr_handle_23(struct libnet_context *ctx, TA
"SetUserInfo2 level 23 for [%s] failed: %s",
r->samr_handle.in.account_name, nt_errstr(status));
}
+
+out:
return status;
}
--
2.23.0

View File

@ -0,0 +1,174 @@
From 01c0b0ac77baae946d270d44d1c40dbdf17a8ee3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 25 Jul 2019 15:15:46 +1200
Subject: [PATCH 024/187] s4:libnet: Use GnuTLS RC4 in
libnet_ChangePassword_samr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9ea736590d9b22a7518f86b18e8c55b0d0e213d5)
---
source4/libnet/libnet_passwd.c | 110 +++++++++++++++++++++++++++++++--
1 file changed, 104 insertions(+), 6 deletions(-)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index dce3813de38..704a94a5864 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -20,7 +20,6 @@
#include "includes.h"
#include "libnet/libnet.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "source4/librpc/rpc/dcerpc.h"
@@ -57,6 +56,16 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
uint8_t old_lm_hash[16], new_lm_hash[16];
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t nt_session_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+ gnutls_datum_t lm_session_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
+ int rc;
ZERO_STRUCT(c);
@@ -87,11 +96,47 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
/* prepare samr_ChangePasswordUser3 */
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
pw3.in.server = &server;
@@ -125,11 +170,46 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
/* prepare samr_ChangePasswordUser2 */
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
pw2.in.server = &server;
@@ -161,7 +241,25 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
a_account.string = r->samr.in.account_name;
encode_pw_buffer(lm_pass.data, r->samr.in.newpassword, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto disconnect;
+ }
+
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
oe2.in.server = &a_server;
--
2.23.0

View File

@ -0,0 +1,236 @@
From 2d6f95107af7357d1084a4ba272f865c8249510a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 15:50:45 +0200
Subject: [PATCH 025/187] libcli:auth: Return WERROR for
encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 576bcf61555fb641b2919ad84a6b26b242b57061)
---
libcli/auth/proto.h | 8 +++---
libcli/auth/smbencrypt.c | 20 ++++++++++-----
source3/lib/netapi/joindomain.c | 44 +++++++++++++++++++++------------
source4/torture/rpc/wkssvc.c | 20 ++++++++++++---
4 files changed, 62 insertions(+), 30 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 67caaca8c41..65ee06215dc 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -207,10 +207,10 @@ bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
uint8_t in_buffer[516], DATA_BLOB *new_pass);
struct wkssvc_PasswordBuffer;
-void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf);
+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
+ const char *pwd,
+ DATA_BLOB *session_key,
+ struct wkssvc_PasswordBuffer **pwd_buf);
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
struct wkssvc_PasswordBuffer *pwd_buf,
DATA_BLOB *session_key,
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 793012553b2..745f47999cd 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -965,10 +965,10 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
* buffer), calling MD5Update() first with session_key and then with confounder
* (vice versa in samr) - Guenther */
-void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf)
+WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
+ const char *pwd,
+ DATA_BLOB *session_key,
+ struct wkssvc_PasswordBuffer **pwd_buf)
{
uint8_t buffer[516];
gnutls_hash_hd_t hash_hnd = NULL;
@@ -976,11 +976,12 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
DATA_BLOB confounded_session_key;
int confounder_len = 8;
uint8_t confounder[8];
+ WERROR werr;
int rc;
my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
if (!my_pwd_buf) {
- return;
+ return WERR_NOT_ENOUGH_MEMORY;
}
confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
@@ -991,17 +992,23 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
rc = gnutls_hash(hash_hnd, confounder, confounder_len);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+
goto out;
}
gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
@@ -1017,8 +1024,9 @@ void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
*pwd_buf = my_pwd_buf;
+ werr = WERR_OK;
out:
- return;
+ return werr;
}
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index 8d0752f4531..f2d36fc00db 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -137,10 +137,13 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
old_timeout = rpccli_set_timeout(pipe_cli, 600000);
@@ -279,10 +282,13 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
old_timeout = rpccli_set_timeout(pipe_cli, 60000);
@@ -484,10 +490,13 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
status = dcerpc_wkssvc_NetrGetJoinableOus2(b, talloc_tos(),
@@ -537,10 +546,13 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
goto done;
}
- encode_wkssvc_join_password_buffer(ctx,
- r->in.password,
- &session_key,
- &encrypted_password);
+ werr = encode_wkssvc_join_password_buffer(ctx,
+ r->in.password,
+ &session_key,
+ &encrypted_password);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
}
status = dcerpc_wkssvc_NetrRenameMachineInDomain2(b, talloc_tos(),
diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c
index c98ac92b39b..4bc1f9cd0c7 100644
--- a/source4/torture/rpc/wkssvc.c
+++ b/source4/torture/rpc/wkssvc.c
@@ -1199,6 +1199,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
+ WERROR werr;
DATA_BLOB session_key;
struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1240,8 +1241,13 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
return false;
}
- encode_wkssvc_join_password_buffer(tctx, domain_admin_password,
- &session_key, &pwd_buf);
+ werr = encode_wkssvc_join_password_buffer(tctx,
+ domain_admin_password,
+ &session_key,
+ &pwd_buf);
+ if (!W_ERROR_IS_OK(werr)) {
+ return false;
+ }
r.in.server_name = dcerpc_server_name(p);
r.in.domain_name = domain_name;
@@ -1284,6 +1290,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
+ WERROR werr;
DATA_BLOB session_key;
struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1322,8 +1329,13 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
return false;
}
- encode_wkssvc_join_password_buffer(tctx, domain_admin_password,
- &session_key, &pwd_buf);
+ werr = encode_wkssvc_join_password_buffer(tctx,
+ domain_admin_password,
+ &session_key,
+ &pwd_buf);
+ if (!W_ERROR_IS_OK(werr)) {
+ return false;
+ }
r.in.server_name = dcerpc_server_name(p);
r.in.account = domain_admin_account;
--
2.23.0

View File

@ -0,0 +1,172 @@
From 32004f3011bb6bb45f21d39c6e2830a47ec43f3e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 17:36:58 +0200
Subject: [PATCH 026/187] libcli:auth: Add test for
(encode|decode)_wkssvc_join_password_buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f4a16bfba8d87de883d3d2e54cdc825fc5e01c2b)
---
libcli/auth/tests/test_rc4_passwd_buffer.c | 129 +++++++++++++++++++++
1 file changed, 129 insertions(+)
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index db6ca3f3f4c..6d97ac6e2f7 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -99,6 +99,76 @@ static const uint8_t encrypted_test_blob[] = {
0x15, 0x13, 0xdc, 0x15,
};
+
+static const uint8_t encrypted_wkssvc_test_blob[] = {
+ 0x13, 0x79, 0x1f, 0x1a, 0x02, 0x15, 0x72, 0x1c,
+ 0xa6, 0x26, 0x37, 0xeb, 0x1d, 0x41, 0x7f, 0x76,
+ 0x11, 0x3f, 0x49, 0x4c, 0xf9, 0x69, 0x17, 0xc8,
+ 0x90, 0x92, 0x53, 0xb9, 0x3f, 0xcd, 0x06, 0xfe,
+ 0x5c, 0x17, 0x82, 0xbd, 0x86, 0xab, 0x49, 0xee,
+ 0x61, 0x76, 0x55, 0xc0, 0x10, 0x51, 0xcd, 0xd9,
+ 0x6f, 0x12, 0x86, 0xc6, 0x19, 0x59, 0x9a, 0x2f,
+ 0x27, 0x1d, 0x99, 0x30, 0x60, 0x0d, 0x65, 0xc6,
+ 0x43, 0xd6, 0xda, 0x6b, 0x66, 0x95, 0xd4, 0xca,
+ 0xf5, 0x04, 0xf7, 0x01, 0x5a, 0x55, 0xb0, 0x5e,
+ 0x72, 0x8a, 0x75, 0xe5, 0x33, 0x4c, 0xd8, 0xc4,
+ 0x0e, 0xf4, 0x6d, 0x23, 0xdd, 0x05, 0x90, 0xff,
+ 0xe0, 0x91, 0x7b, 0x62, 0x86, 0xee, 0x78, 0x31,
+ 0x07, 0xad, 0x8b, 0xf9, 0xdf, 0x6f, 0x8b, 0xbd,
+ 0x15, 0xde, 0x1b, 0xae, 0x84, 0x68, 0xe5, 0x41,
+ 0x7a, 0xe3, 0x47, 0x99, 0xba, 0x61, 0xe5, 0x51,
+ 0x64, 0x9a, 0xa0, 0x41, 0x44, 0xa1, 0x3a, 0x52,
+ 0x59, 0x7d, 0x6c, 0xcf, 0xcc, 0xf0, 0x11, 0xbc,
+ 0xb7, 0x51, 0xa9, 0xd8, 0xfd, 0xbf, 0x58, 0x77,
+ 0x28, 0x86, 0xa1, 0x27, 0x94, 0xe5, 0xf6, 0x1a,
+ 0x6b, 0x76, 0xf7, 0x72, 0x6e, 0x17, 0x09, 0xd8,
+ 0x3c, 0x6f, 0x39, 0x91, 0xea, 0x48, 0x98, 0xdc,
+ 0x1d, 0x50, 0x2e, 0x02, 0x6e, 0x7f, 0x80, 0x5d,
+ 0x6e, 0x96, 0xe1, 0xcf, 0x8b, 0x6b, 0xb6, 0xed,
+ 0xb4, 0x6a, 0x08, 0xd2, 0x45, 0x09, 0x88, 0x86,
+ 0x32, 0x58, 0xd8, 0x5e, 0x33, 0x8c, 0x29, 0x1a,
+ 0x8f, 0xc5, 0x54, 0x9b, 0xa8, 0x32, 0xb2, 0xc1,
+ 0x72, 0x14, 0x6c, 0x5d, 0x9d, 0xd3, 0xf2, 0x6c,
+ 0x6e, 0xa4, 0x84, 0x52, 0x26, 0x73, 0x7a, 0x30,
+ 0x56, 0x75, 0xef, 0xd1, 0x9d, 0xcd, 0xb7, 0x87,
+ 0xa9, 0x5c, 0xaf, 0xe6, 0xda, 0x1d, 0x3c, 0x9c,
+ 0xa3, 0xb1, 0x03, 0xb0, 0x8e, 0xf6, 0xc8, 0x8f,
+ 0x57, 0x1c, 0xce, 0x05, 0x54, 0x99, 0xf1, 0xf9,
+ 0x35, 0xe6, 0xf7, 0x67, 0x94, 0xb2, 0x67, 0x5b,
+ 0xe7, 0xa0, 0xa2, 0x1e, 0xa2, 0x74, 0xd3, 0x99,
+ 0x9c, 0xd5, 0xd9, 0x90, 0x86, 0x24, 0x0e, 0x1a,
+ 0x0d, 0xc8, 0x9e, 0x68, 0x4c, 0x43, 0x2f, 0x42,
+ 0xb1, 0x7c, 0xce, 0x1e, 0xb6, 0xac, 0x56, 0xb0,
+ 0x8d, 0x93, 0xf1, 0x53, 0x7d, 0x0e, 0x00, 0x46,
+ 0xba, 0x2e, 0x14, 0x7a, 0x0b, 0xaa, 0xcb, 0x07,
+ 0x9b, 0x09, 0x05, 0xa0, 0xd3, 0xa1, 0x80, 0xc2,
+ 0xd3, 0x59, 0x92, 0x27, 0x66, 0x1f, 0xdd, 0x76,
+ 0x36, 0xb3, 0x3c, 0xeb, 0xd7, 0x61, 0x94, 0xb1,
+ 0xf8, 0x3a, 0xe0, 0xba, 0x91, 0x0f, 0xef, 0x72,
+ 0x2b, 0x26, 0xc6, 0xb8, 0x6d, 0x0b, 0xdb, 0x60,
+ 0xf8, 0xb4, 0x98, 0xd7, 0x8b, 0x8d, 0xfb, 0xa7,
+ 0x4e, 0x27, 0xeb, 0x00, 0xe8, 0xf7, 0x5a, 0xec,
+ 0xf5, 0x60, 0x28, 0x37, 0xb2, 0xc4, 0x13, 0x48,
+ 0x2a, 0xe1, 0x34, 0xb2, 0x53, 0xcb, 0x44, 0x34,
+ 0x08, 0x7e, 0x56, 0x5c, 0x2b, 0x9b, 0xe2, 0xca,
+ 0x90, 0xb0, 0x57, 0xee, 0x10, 0x88, 0x39, 0x84,
+ 0xc6, 0x66, 0x07, 0x50, 0x63, 0xcc, 0x2a, 0x7c,
+ 0x99, 0x8c, 0x05, 0xf9, 0xf0, 0xb8, 0x62, 0xf0,
+ 0x92, 0xf7, 0x2a, 0x4a, 0x17, 0x14, 0x78, 0xa1,
+ 0x71, 0xb6, 0x42, 0xf0, 0x87, 0xa8, 0xa4, 0x48,
+ 0xeb, 0xdb, 0xed, 0x8a, 0x15, 0x19, 0x1a, 0xd9,
+ 0xfe, 0x6f, 0x07, 0x93, 0x5d, 0x39, 0xe8, 0x0e,
+ 0x47, 0xe6, 0x7a, 0x7d, 0x52, 0x2e, 0x40, 0x6f,
+ 0x31, 0x1b, 0xf6, 0x0c, 0xc2, 0x83, 0xae, 0xc1,
+ 0xf0, 0xf5, 0x71, 0xcd, 0xe2, 0xf5, 0x19, 0xb6,
+ 0xd8, 0xb0, 0x4d, 0xa9, 0x51, 0x1c, 0xb4, 0xaf,
+ 0x69, 0x9a, 0x89, 0xb6, 0x5b, 0x4d, 0xfa, 0x1b,
+ 0xca, 0xc8, 0x61, 0x92, 0x3a, 0xd6, 0x76, 0xad,
+ 0x5d, 0xa6, 0x17, 0x60, 0x3e, 0xea, 0x94, 0xcf,
+ 0x6d, 0x1b, 0x98, 0x5c, 0x19, 0x9e, 0x4e, 0xd3,
+ 0x21, 0x55, 0xda, 0xe3,
+};
+
static void torture_decode_rc4_passwd_buffer(void **state)
{
char *password_decoded = NULL;
@@ -187,6 +257,63 @@ static void torture_endode_decode_rc4_passwd_buffer(void **state)
talloc_free(password_decoded);
}
+static void torture_decode_wkssvc_join_password_buffer(void **state)
+{
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct wkssvc_PasswordBuffer pwd_buf = {
+ .data = {0},
+ };
+ char *password_decoded = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ WERROR werr;
+
+ mem_ctx = talloc_new(NULL);
+ assert_non_null(mem_ctx);
+
+ memcpy(pwd_buf.data,
+ encrypted_wkssvc_test_blob,
+ sizeof(pwd_buf.data));
+
+ werr = decode_wkssvc_join_password_buffer(mem_ctx,
+ &pwd_buf,
+ &session_key,
+ &password_decoded);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(password_decoded);
+ assert_string_equal(password_decoded, PASSWORD);
+
+ TALLOC_FREE(mem_ctx);
+}
+
+static void torture_wkssvc_join_password_buffer(void **state)
+{
+ DATA_BLOB session_key = data_blob_const("SystemLibraryDTC", 16);
+ struct wkssvc_PasswordBuffer *pwd_buf = NULL;
+ char *password_decoded = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ WERROR werr;
+
+ mem_ctx = talloc_new(NULL);
+ assert_non_null(mem_ctx);
+
+ werr = encode_wkssvc_join_password_buffer(mem_ctx,
+ PASSWORD,
+ &session_key,
+ &pwd_buf);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(pwd_buf);
+
+ werr = decode_wkssvc_join_password_buffer(mem_ctx,
+ pwd_buf,
+ &session_key,
+ &password_decoded);
+ assert_true(W_ERROR_IS_OK(werr));
+ assert_non_null(password_decoded);
+ assert_string_equal(password_decoded, PASSWORD);
+
+ TALLOC_FREE(mem_ctx);
+}
+
int main(int argc, char *argv[])
{
int rc;
@@ -194,6 +321,8 @@ int main(int argc, char *argv[])
cmocka_unit_test(torture_decode_rc4_passwd_buffer),
cmocka_unit_test(torture_rc4_passwd_buffer),
cmocka_unit_test(torture_endode_decode_rc4_passwd_buffer),
+ cmocka_unit_test(torture_decode_wkssvc_join_password_buffer),
+ cmocka_unit_test(torture_wkssvc_join_password_buffer),
};
if (argc == 2) {
--
2.23.0

View File

@ -0,0 +1,111 @@
From cbabf1224f61900eb96ea15841950c26b8b88cb5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 18:03:00 +0200
Subject: [PATCH 027/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() in encode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 85e2a3c96ad9acc1a85db189f6418c9d880b4718)
---
libcli/auth/smbencrypt.c | 69 ++++++++++++++--------------------------
1 file changed, 23 insertions(+), 46 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 745f47999cd..823e16a3387 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -968,65 +968,42 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
WERROR encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
const char *pwd,
DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf)
+ struct wkssvc_PasswordBuffer **out_pwd_buf)
{
- uint8_t buffer[516];
- gnutls_hash_hd_t hash_hnd = NULL;
- struct wkssvc_PasswordBuffer *my_pwd_buf = NULL;
- DATA_BLOB confounded_session_key;
- int confounder_len = 8;
- uint8_t confounder[8];
- WERROR werr;
+ struct wkssvc_PasswordBuffer *pwd_buf = NULL;
+ uint8_t _confounder[8] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 8);
+ uint8_t pwbuf[516] = {0};
+ DATA_BLOB encrypt_pwbuf = data_blob_const(pwbuf, 516);
int rc;
- my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
- if (!my_pwd_buf) {
+ pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
+ if (pwd_buf == NULL) {
return WERR_NOT_ENOUGH_MEMORY;
}
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
- encode_pw_buffer(buffer, pwd, STR_UNICODE);
+ encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
- generate_random_buffer((uint8_t *)confounder, confounder_len);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+ generate_random_buffer(_confounder, sizeof(_confounder));
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, confounder_len);
+ rc = samba_gnutls_arcfour_confounded_md5(session_key,
+ &confounder,
+ &encrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- werr = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
-
- goto out;
+ ZERO_ARRAY(_confounder);
+ TALLOC_FREE(pwd_buf);
+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
- arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
- memcpy(&my_pwd_buf->data[0], confounder, confounder_len);
- ZERO_ARRAY(confounder);
- memcpy(&my_pwd_buf->data[8], buffer, 516);
- ZERO_ARRAY(buffer);
-
- data_blob_clear_free(&confounded_session_key);
+ memcpy(&pwd_buf->data[0], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
+ memcpy(&pwd_buf->data[8], encrypt_pwbuf.data, encrypt_pwbuf.length);
+ ZERO_ARRAY(pwbuf);
- *pwd_buf = my_pwd_buf;
+ *out_pwd_buf = pwd_buf;
- werr = WERR_OK;
-out:
- return werr;
+ return WERR_OK;
}
WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
--
2.23.0

View File

@ -0,0 +1,117 @@
From 0d2898429e7eb2ca144885d5a1f9485cca620464 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Jul 2019 18:21:18 +0200
Subject: [PATCH 028/187] libcli:auth: Use
samba_gnutls_arcfour_confounded_md5() in decode_wkssvc_join_password_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bcf7808d3aa8a5932a40955e4b764f55061e07d7)
---
libcli/auth/smbencrypt.c | 71 ++++++++++++++--------------------------
1 file changed, 24 insertions(+), 47 deletions(-)
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 823e16a3387..cc5e1fbb899 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -1011,70 +1011,47 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
char **pwd)
{
- gnutls_hash_hd_t hash_hnd = NULL;
- uint8_t buffer[516];
- size_t pwd_len;
- WERROR result;
+ uint8_t _confounder[8];
+ DATA_BLOB confounder = data_blob_const(_confounder, 8);
+ uint8_t pwbuf[516] = {0};
+ DATA_BLOB decrypt_pwbuf = data_blob_const(pwbuf, 516);
bool ok;
int rc;
- DATA_BLOB confounded_session_key;
-
- int confounder_len = 8;
- uint8_t confounder[8];
-
- *pwd = NULL;
-
- if (!pwd_buf) {
+ if (pwd_buf == NULL) {
return WERR_INVALID_PASSWORD;
}
+ *pwd = NULL;
+
if (session_key->length != 16) {
DEBUG(10,("invalid session key\n"));
return WERR_INVALID_PASSWORD;
}
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+ confounder = data_blob_const(&pwd_buf->data[0], 8);
+ memcpy(&pwbuf, &pwd_buf->data[8], 516);
- memcpy(&confounder, &pwd_buf->data[0], confounder_len);
- memcpy(&buffer, &pwd_buf->data[8], 516);
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- if (rc < 0) {
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
- }
-
- rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, confounder, confounder_len);
+ rc = samba_gnutls_arcfour_confounded_md5(session_key,
+ &confounder,
+ &decrypt_pwbuf,
+ SAMBA_GNUTLS_ENCRYPT);
if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- result = gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
- goto out;
+ ZERO_ARRAY(_confounder);
+ TALLOC_FREE(pwd_buf);
+ return gnutls_error_to_werror(rc, WERR_CONTENT_BLOCKED);
}
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
- arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
- ok = decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, CH_UTF16);
-
- ZERO_ARRAY(confounder);
- ZERO_ARRAY(buffer);
-
- data_blob_clear_free(&confounded_session_key);
+ ok = decode_pw_buffer(mem_ctx,
+ decrypt_pwbuf.data,
+ pwd,
+ &decrypt_pwbuf.length,
+ CH_UTF16);
+ ZERO_ARRAY(pwbuf);
if (!ok) {
- result = WERR_INVALID_PASSWORD;
- goto out;
+ return WERR_INVALID_PASSWORD;
}
- result = WERR_OK;
-out:
- return result;
+ return WERR_OK;
}
-
--
2.23.0

View File

@ -0,0 +1,66 @@
From ba125c495c950570017d84b1cb2a223679250961 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 9 Nov 2018 12:29:55 +0100
Subject: [PATCH 029/187] auth:ntlmssp: Use GnuTLS RC4 in ntlmssp client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cb4025a50232f24139f21d87e50b6e6ea69238ba)
---
auth/ntlmssp/ntlmssp_client.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index df891f8d933..b8d1190466b 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -690,17 +690,43 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
/* Make up a new session key */
uint8_t client_session_key[16];
+ gnutls_cipher_hd_t cipher_hnd;
+ gnutls_datum_t enc_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
generate_secret_buffer(client_session_key, sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
client_session_key, sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
- arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_session_key,
+ NULL);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ encrypted_session_key.data,
+ encrypted_session_key.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ ZERO_ARRAY(client_session_key);
+ goto done;
+ }
+
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */
session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
+ ZERO_ARRAY(client_session_key);
}
/* this generates the actual auth packet */
--
2.23.0

View File

@ -0,0 +1,411 @@
From 73f0d5f5a62edbcfeb8f79fffa422416b83edf3e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 6 Dec 2018 18:11:14 +0100
Subject: [PATCH 030/187] auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7bd502dcdb44c7d0f8a56b2ba489ae8cf2b886bd)
---
auth/ntlmssp/ntlmssp_private.h | 5 +-
auth/ntlmssp/ntlmssp_sign.c | 212 ++++++++++++++++++++++++++-------
2 files changed, 174 insertions(+), 43 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 95ec6374f51..4d84e3347b6 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -20,14 +20,15 @@
/* For structures internal to the NTLMSSP implementation that should not be exposed */
-#include "../lib/crypto/arcfour.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
struct auth_session_info;
struct ntlmssp_crypt_direction {
uint32_t seq_num;
uint8_t sign_key[16];
- struct arcfour_state seal_state;
+ gnutls_cipher_hd_t seal_state;
};
union ntlmssp_crypt_state {
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 8ba2e246b34..89f1aa04f7a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -47,9 +47,9 @@
*/
static void dump_arc4_state(const char *description,
- struct arcfour_state *state)
+ gnutls_cipher_hd_t *state)
{
- dump_data_pw(description, state->sbox, sizeof(state->sbox));
+ DBG_DEBUG("%s\n", description);
}
static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
@@ -90,13 +90,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
enum ntlmssp_direction direction,
DATA_BLOB *sig, bool encrypt_sig)
{
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ int rc;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t digest[16];
uint8_t seq_num[4];
- int rc;
*sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
if (!sig->data) {
@@ -158,14 +158,24 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
switch (direction) {
case NTLMSSP_SEND:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ digest,
+ 8);
break;
case NTLMSSP_RECEIVE:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ digest,
+ 8);
break;
}
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
+ "%s packet signature failed: %s\n",
+ direction == NTLMSSP_SEND ?
+ "send" : "receive",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
@@ -194,8 +204,15 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
dump_arc4_state("ntlmssp hash: \n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
+ "signature failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
return NT_STATUS_OK;
@@ -317,6 +334,8 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ int rc;
+
if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -353,11 +372,25 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
return nt_status;
}
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- sig->data+4, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ sig->data + 4,
+ 8);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
+ "the EXCH signature data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
} else {
NTSTATUS status;
@@ -381,17 +414,30 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
* is not constant, but is is rather updated with
* each iteration
*/
-
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
ntlmssp_state->crypt->ntlm.seq_num++;
}
@@ -412,6 +458,8 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB *sig)
{
NTSTATUS status;
+ int rc;
+
if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -422,14 +470,29 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
/* First unseal the data. */
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv2 clear data\n", data, length);
} else {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv1 clear data\n", data, length);
}
+
status = ntlmssp_check_packet(ntlmssp_state,
data, length,
whole_pdu, pdu_length,
@@ -555,6 +618,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums)
{
+ int rc;
+
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
@@ -584,12 +649,16 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
const char *send_seal_const;
const char *recv_sign_const;
const char *recv_seal_const;
- uint8_t send_seal_key[16];
- DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
- sizeof(send_seal_key));
- uint8_t recv_seal_key[16];
- DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
- sizeof(recv_seal_key));
+ uint8_t send_seal_key[16] = {0};
+ gnutls_datum_t send_seal_blob = {
+ .data = send_seal_key,
+ .size = sizeof(send_seal_key),
+ };
+ uint8_t recv_seal_key[16] = {0};
+ gnutls_datum_t recv_seal_blob = {
+ .data = recv_seal_key,
+ .size = sizeof(recv_seal_key),
+ };
NTSTATUS status;
switch (ntlmssp_state->role) {
@@ -648,10 +717,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
+ dump_data_pw("NTLMSSP send seal key:\n",
+ send_seal_key,
+ sizeof(send_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- &send_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &send_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP send seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.sending.seal_state);
@@ -677,10 +758,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
+ dump_data_pw("NTLMSSP recv seal key:\n",
+ recv_seal_key,
+ sizeof(recv_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- &recv_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &recv_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.receiving.seal_state);
@@ -690,8 +783,10 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
}
} else {
- uint8_t weak_session_key[8];
- DATA_BLOB seal_session_key = ntlmssp_state->session_key;
+ gnutls_datum_t seal_session_key = {
+ .data = ntlmssp_state->session_key.data,
+ .size = ntlmssp_state->session_key.length,
+ };
bool do_weak = false;
DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
@@ -709,14 +804,19 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
* Nothing to weaken.
* We certainly don't want to 'extend' the length...
*/
- if (seal_session_key.length < 16) {
+ if (ntlmssp_state->session_key.length < 16) {
/* TODO: is this really correct? */
do_weak = false;
}
if (do_weak) {
+ uint8_t weak_session_key[8];
+
memcpy(weak_session_key, seal_session_key.data, 8);
- seal_session_key = data_blob_const(weak_session_key, 8);
+ seal_session_key = (gnutls_datum_t) {
+ .data = weak_session_key,
+ .size = sizeof(weak_session_key),
+ };
/*
* LM key doesn't support 128 bit crypto, so this is
@@ -732,8 +832,18 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
}
}
- arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
- &seal_session_key);
+ if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &seal_session_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
@@ -746,6 +856,24 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
return NT_STATUS_OK;
}
+static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
+{
+ if (c->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
+ c->ntlm2.sending.seal_state = NULL;
+ }
+ if (c->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
+ c->ntlm2.receiving.seal_state = NULL;
+ }
+ if (c->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm.seal_state);
+ c->ntlm.seal_state = NULL;
+ }
+
+ return 0;
+}
+
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
{
if (ntlmssp_state->session_key.length < 8) {
@@ -758,6 +886,8 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ talloc_set_destructor(ntlmssp_state->crypt,
+ ntlmssp_crypt_free_gnutls_cipher_state);
return ntlmssp_sign_reset(ntlmssp_state, true);
}
--
2.23.0

View File

@ -0,0 +1,76 @@
From c7e79b33a10a8e393df78fd7adf60a5a3dbebcc6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Jan 2019 18:14:17 +0100
Subject: [PATCH 031/187] s3:libsmb: Use GnuTLS RC4 in clirap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0947d8388def40b01b322d0deee4dba386983410)
---
source3/libsmb/clirap.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index b4b40ebdab4..c0b9dcdff39 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -22,7 +22,6 @@
#include "includes.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/rap.h"
-#include "../lib/crypto/arcfour.h"
#include "../lib/util/tevent_ntstatus.h"
#include "async_smb.h"
#include "libsmb/libsmb.h"
@@ -31,6 +30,9 @@
#include "../libcli/smb/smbXcli_base.h"
#include "cli_smb2_fnum.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#define PIPE_LANMAN "\\PIPE\\LANMAN"
/****************************************************************************
@@ -508,6 +510,12 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
char *rparam = NULL;
char *rdata = NULL;
unsigned int rprcnt, rdrcnt;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_pw_key = {
+ .data = old_pw_hash,
+ .size = sizeof(old_pw_hash),
+ };
+ int rc;
if (strlen(user) >= sizeof(fstring)-1) {
DEBUG(0,("cli_oem_change_password: user name %s is too long.\n", user));
@@ -539,7 +547,22 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
DEBUG(100,("make_oem_passwd_hash\n"));
dump_data(100, data, 516);
#endif
- arcfour_crypt( (unsigned char *)data, (unsigned char *)old_pw_hash, 516);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_pw_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return false;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return false;
+ }
/*
* Now place the old password hash in the data.
--
2.23.0

View File

@ -0,0 +1,160 @@
From 36dfd6496dc9b954b2243bbb5293af8ce332cf4f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 12:41:32 +0100
Subject: [PATCH 032/187] s3:rpc_client: Use init_samr_CryptPassword in
cli_samr rpc_client
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a95647e12ac75ffda42d95b41144596a078aebd6)
---
source3/rpc_client/cli_samr.c | 59 ++++++++++++++++++++++++++++-------
source3/wscript_build | 2 +-
2 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c
index 7764e1a8540..452e9593f6a 100644
--- a/source3/rpc_client/cli_samr.c
+++ b/source3/rpc_client/cli_samr.c
@@ -26,8 +26,8 @@
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "rpc_client/cli_samr.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_lsa.h"
+#include "rpc_client/init_samr.h"
/* User change password */
@@ -128,6 +128,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
uint8_t new_lanman_hash[16];
struct lsa_String server, account;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+
DEBUG(10,("rpccli_samr_chgpasswd_user2\n"));
init_lsa_String(&server, srv_name_slash);
@@ -144,19 +146,25 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_lm_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_nt_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser2(h,
@@ -170,6 +178,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
&old_lanman_hash_enc,
presult);
+ ZERO_STRUCT(new_nt_password);
+ ZERO_STRUCT(new_lm_password);
+ ZERO_STRUCT(old_nt_hash_enc);
+ ZERO_STRUCT(old_lanman_hash_enc);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lanman_hash);
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lanman_hash);
+
return status;
}
@@ -308,6 +325,8 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
struct lsa_String server, account;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+
DEBUG(10,("rpccli_samr_chgpasswd_user3\n"));
init_lsa_String(&server, srv_name_slash);
@@ -324,19 +343,26 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_lm_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- encode_pw_buffer(new_lm_password.data, newpassword, STR_UNICODE);
-
- arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
- encode_pw_buffer(new_nt_password.data, newpassword, STR_UNICODE);
+ status = init_samr_CryptPassword(newpassword,
+ &session_key,
+ &new_nt_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
status = dcerpc_samr_ChangePasswordUser3(h,
@@ -353,6 +379,15 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
reject,
presult);
+ ZERO_STRUCT(new_nt_password);
+ ZERO_STRUCT(new_lm_password);
+ ZERO_STRUCT(old_nt_hash_enc);
+ ZERO_STRUCT(old_lanman_hash_enc);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lanman_hash);
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lanman_hash);
+
return status;
}
diff --git a/source3/wscript_build b/source3/wscript_build
index aa3c7175202..b73f6dc0664 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1009,7 +1009,7 @@ bld.SAMBA3_SUBSYSTEM('errors3',
bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR',
source='rpc_client/cli_samr.c',
- deps='RPC_NDR_SAMR')
+ deps='RPC_NDR_SAMR INIT_SAMR')
bld.SAMBA3_LIBRARY('libcli_lsa3',
source='rpc_client/cli_lsarpc.c',
--
2.23.0

View File

@ -0,0 +1,77 @@
From 07925f22341c508792b3ce8feeae2abc939a61f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 17:40:13 +0100
Subject: [PATCH 033/187] s3:rpc_server: Use GnuTLS RC4 in samr password check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d31f6a6803c86b8de0a97927731091f5a7bee4f1)
---
source3/rpc_server/samr/srv_samr_chgpasswd.c | 30 ++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index 3749edbb044..fc509494ebc 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -50,12 +50,15 @@
#include "system/passwd.h"
#include "system/filesys.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_server/samr/srv_samr_util.h"
#include "passdb.h"
#include "auth.h"
#include "lib/util/sys_rw.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#ifndef ALLOW_CHANGE_PASSWORD
#if (defined(HAVE_TERMIOS_H) && defined(HAVE_DUP2) && defined(HAVE_SETSID))
#define ALLOW_CHANGE_PASSWORD 1
@@ -685,6 +688,10 @@ static NTSTATUS check_oem_password(const char *user,
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t enc_key;
+ int rc;
+
/* this call should be disabled without NTLM auth */
if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
DBG_WARNING("NTLM password changes not"
@@ -752,7 +759,26 @@ static NTSTATUS check_oem_password(const char *user,
/*
* Decrypt the password with the key
*/
- arcfour_crypt( password_encrypted, encryption_key, 516);
+ enc_key = (gnutls_datum_t) {
+ .data = discard_const_p(unsigned char, encryption_key),
+ .size = 16,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_key,
+ NULL);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ password_encrypted,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
if (!decode_pw_buffer(talloc_tos(),
password_encrypted,
--
2.23.0

View File

@ -0,0 +1,119 @@
From 6eb8a45387ae6400d4b48d838ec89510afe2b37a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 14:04:31 +0200
Subject: [PATCH 034/187] s3:rpc_server: Use GnuTLS RC4 to decrypt samr
password buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f)
---
source3/rpc_server/samr/srv_samr_nt.c | 58 ++++++++++++++++++++++++---
1 file changed, 52 insertions(+), 6 deletions(-)
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index fd5c453e0eb..ad1d1853bda 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -37,7 +37,6 @@
#include "ntdomain.h"
#include "../librpc/gen_ndr/srv_samr.h"
#include "rpc_server/samr/srv_samr_util.h"
-#include "../lib/crypto/arcfour.h"
#include "secrets.h"
#include "rpc_client/init_lsa.h"
#include "../libcli/security/security.h"
@@ -47,6 +46,10 @@
#include "../lib/tsocket/tsocket.h"
#include "lib/util/base64.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -4946,6 +4949,41 @@ static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
return acc_required;
}
+static NTSTATUS arc4_decrypt_data(DATA_BLOB session_key,
+ uint8_t *data,
+ size_t data_size)
+{
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t my_session_key = {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+ int rc;
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &my_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ data,
+ data_size);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ status = NT_STATUS_OK;
+out:
+ return status;
+}
+
/*******************************************************************
samr_SetUserInfo
********************************************************************/
@@ -5153,8 +5191,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
if(!NT_STATUS_IS_OK(status)) {
break;
}
- arcfour_crypt_blob(info->info23.password.data, 516,
- &session_key);
+ status = arc4_decrypt_data(session_key,
+ info->info23.password.data,
+ 516);
+ if(!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info23.password.data, 516);
@@ -5165,13 +5207,17 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 24:
+
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
- arcfour_crypt_blob(info->info24.password.data,
- 516,
- &session_key);
+ status = arc4_decrypt_data(session_key,
+ info->info24.password.data,
+ 516);
+ if(!NT_STATUS_IS_OK(status)) {
+ break;
+ }
dump_data(100, info->info24.password.data, 516);
--
2.23.0

View File

@ -0,0 +1,110 @@
From ef374b9b3b98b498545d40f0aa2e537bdf81ae59 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 12:40:21 +0100
Subject: [PATCH 035/187] s3:utils: Use GnuTLS RC4 in ntlm_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 359ae5be0d21e7ab235035aab65710c9459e9593)
---
source3/utils/ntlm_auth.c | 45 ++++++++++++++++++++++++++++++++++++---
1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 87f6554ae4f..8a6218ac9ec 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -37,7 +37,6 @@
#include "librpc/crypto/gse.h"
#include "smb_krb5.h"
#include "lib/util/tiniparser.h"
-#include "../lib/crypto/arcfour.h"
#include "nsswitch/winbind_client.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "../lib/util/asn1.h"
@@ -49,6 +48,9 @@
#include "lib/util/base64.h"
#include "cmdline_contexts.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#ifdef HAVE_KRB5
#include "auth/kerberos/pac_utils.h"
#endif
@@ -1937,6 +1939,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
uchar new_nt_hash[16];
uchar new_lm_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+ int rc;
+
new_nt_pswd = data_blob(NULL, 516);
old_nt_hash_enc = data_blob(NULL, 16);
@@ -1956,6 +1965,19 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
Likewise, obey the admin's restriction
*/
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_nt_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+ DBG_ERR("Running in FIPS mode, NTLM blocked\n");
+ }
+ return;
+ }
+
if (lp_client_lanman_auth() &&
E_deshash(newpswd, new_lm_hash) &&
E_deshash(oldpswd, old_lm_hash)) {
@@ -1964,7 +1986,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
encode_pw_buffer(new_lm_pswd.data, newpswd,
STR_UNICODE);
- arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ new_lm_pswd.data,
+ 516);
+ if (rc < 0) {
+ gnutls_cipher_deinit(cipher_hnd);
+ return;
+ }
E_old_pw_hash(new_nt_hash, old_lm_hash,
old_lm_hash_enc.data);
} else {
@@ -1977,9 +2005,20 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
encode_pw_buffer(new_nt_pswd.data, newpswd,
STR_UNICODE);
- arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ new_nt_pswd.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return;
+ }
E_old_pw_hash(new_nt_hash, old_nt_hash,
old_nt_hash_enc.data);
+
+ ZERO_ARRAY(old_nt_hash);
+ ZERO_ARRAY(old_lm_hash);
+ ZERO_ARRAY(new_nt_hash);
+ ZERO_ARRAY(new_lm_hash);
}
if (!full_username && !username) {
--
2.23.0

View File

@ -0,0 +1,76 @@
From e81c7a540896c9a3fed8d6a8b080f76c83d70369 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 12:50:57 +1200
Subject: [PATCH 036/187] s4:rpc_server: Use
samba_gnutls_arcfour_confounded_md5() in samr_set_password_ex()
This allows the use of GnuTLS for the underlying RC4 crypto operations.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9363abfb5fcfeff30295ce0cf94c18941a6c4e9f)
---
source4/rpc_server/samr/samr_password.c | 34 ++++++-------------------
1 file changed, 8 insertions(+), 26 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 7c441f38ce2..fde0de2c3cc 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -586,9 +586,11 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
{
NTSTATUS nt_status;
DATA_BLOB new_password;
- DATA_BLOB co_session_key;
+
+ /* The confounder is in the last 16 bytes of the buffer */
+ DATA_BLOB confounder = data_blob_const(&pwbuf->data[516], 16);
+ DATA_BLOB pw_data = data_blob_const(pwbuf->data, 516);
DATA_BLOB session_key = data_blob(NULL, 0);
- gnutls_hash_hd_t hash_hnd = NULL;
int rc;
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
@@ -599,35 +601,15 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
return NT_STATUS_WRONG_PASSWORD;
}
- co_session_key = data_blob_talloc(mem_ctx, NULL, 16);
- if (!co_session_key.data) {
- return NT_STATUS_NO_MEMORY;
- }
-
- rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ &session_key,
+ &pw_data,
+ SAMBA_GNUTLS_DECRYPT);
if (rc < 0) {
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
goto out;
}
- rc = gnutls_hash(hash_hnd, &pwbuf->data[516], 16);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
- if (rc < 0) {
- gnutls_hash_deinit(hash_hnd, NULL);
- nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
- goto out;
- }
- gnutls_hash_deinit(hash_hnd, co_session_key.data);
-
- arcfour_crypt_blob(pwbuf->data, 516, &co_session_key);
- ZERO_ARRAY_LEN(co_session_key.data,
- co_session_key.length);
-
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
nt_status = NT_STATUS_WRONG_PASSWORD;
--
2.23.0

View File

@ -0,0 +1,195 @@
From 23f422c0df67c0f9e701e0deb5f1708a930a98bd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 19 Feb 2019 17:40:29 +0100
Subject: [PATCH 037/187] s4:rpc_server: Use GnuTLS RC4 for samr password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4326e7de6ba0ce02ab23af7297d2f7242988daa4)
---
source4/rpc_server/samr/samr_password.c | 105 ++++++++++++++++++++----
1 file changed, 89 insertions(+), 16 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index fde0de2c3cc..b04e37f06f3 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -24,7 +24,7 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/samr/dcesrv_samr.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
+#include "lib/crypto/md4.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/auth/libcli_auth.h"
@@ -119,13 +119,15 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
"samAccountName",
NULL };
struct samr_Password *lm_pwd;
- DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
struct samr_Password lm_verifier;
size_t unicode_pw_len;
size_t converted_size = 0;
const char *user_samAccountName = NULL;
struct dom_sid *user_objectSid = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t lm_session_key;
+ int rc;
if (pwbuf == NULL) {
return NT_STATUS_INVALID_PARAMETER;
@@ -179,9 +181,28 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
}
/* decrypt the password we have been given */
- lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash));
- arcfour_crypt_blob(pwbuf->data, 516, &lm_pwd_blob);
- data_blob_free(&lm_pwd_blob);
+ lm_session_key = (gnutls_datum_t) {
+ .data = lm_pwd->hash,
+ .size = sizeof(lm_pwd->hash),
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &lm_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ pwbuf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -315,7 +336,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
"badPwdCount", "badPasswordTime",
"objectSid", NULL };
struct samr_Password *nt_pwd, *lm_pwd;
- DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR;
@@ -325,6 +345,9 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct dom_sid *user_objectSid = NULL;
enum ntlm_auth_level ntlm_auth_level
= lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t nt_session_key;
+ int rc;
*r->out.dominfo = NULL;
*r->out.reject = NULL;
@@ -381,9 +404,28 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
}
/* decrypt the password we have been given */
- nt_pwd_blob = data_blob(nt_pwd->hash, sizeof(nt_pwd->hash));
- arcfour_crypt_blob(r->in.nt_password->data, 516, &nt_pwd_blob);
- data_blob_free(&nt_pwd_blob);
+ nt_session_key = (gnutls_datum_t) {
+ .data = nt_pwd->hash,
+ .size = sizeof(nt_pwd->hash),
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &nt_session_key,
+ NULL);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ r->in.nt_password->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto failed;
+ }
if (!extract_pw_from_buffer(mem_ctx, r->in.nt_password->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -547,6 +589,9 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
NTSTATUS nt_status;
DATA_BLOB new_password;
DATA_BLOB session_key = data_blob(NULL, 0);
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t _session_key;
+ int rc;
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -556,7 +601,28 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
return NT_STATUS_WRONG_PASSWORD;
}
- arcfour_crypt_blob(pwbuf->data, 516, &session_key);
+ _session_key = (gnutls_datum_t) {
+ .data = session_key.data,
+ .size = session_key.length,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &_session_key,
+ NULL);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ pwbuf->data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
@@ -565,12 +631,19 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
/* set the password - samdb needs to know both the domain and user DNs,
so the domain password policy can be used */
- return samdb_set_password(sam_ctx, mem_ctx,
- account_dn, domain_dn,
- &new_password,
- NULL, NULL,
- NULL, NULL, /* This is a password set, not change */
- NULL, NULL);
+ nt_status = samdb_set_password(sam_ctx,
+ mem_ctx,
+ account_dn,
+ domain_dn,
+ &new_password,
+ NULL,
+ NULL,
+ NULL,
+ NULL, /* This is a password set, not change */
+ NULL,
+ NULL);
+out:
+ return nt_status;
}
--
2.23.0

View File

@ -0,0 +1,64 @@
From 7839408010ba413f766e950192dd5a0632234ce7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 20 Feb 2019 15:52:49 +0100
Subject: [PATCH 038/187] s4:torture: Use GnuTLS RC4 for RAP SAM test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 811c412da5c24d7274f9aa4c7d653bbb1191e6a6)
---
source4/torture/rap/sam.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rap/sam.c b/source4/torture/rap/sam.c
index 4ca7b793dec..3c13849b398 100644
--- a/source4/torture/rap/sam.c
+++ b/source4/torture/rap/sam.c
@@ -26,10 +26,12 @@
#include "torture/util.h"
#include "libcli/rap/rap.h"
#include "torture/rap/proto.h"
-#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
#include "torture/rpc/torture_rpc.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#define TEST_RAP_USER "torture_rap_user"
static char *samr_rand_pass(TALLOC_CTX *mem_ctx, int min_len)
@@ -137,6 +139,11 @@ static bool test_oemchangepassword_args(struct torture_context *tctx,
char *newpass = samr_rand_pass(tctx, 9);
uint8_t old_pw_hash[16];
uint8_t new_pw_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t pw_key = {
+ .data = old_pw_hash,
+ .size = sizeof(old_pw_hash),
+ };
r.in.UserName = username;
@@ -144,7 +151,15 @@ static bool test_oemchangepassword_args(struct torture_context *tctx,
E_deshash(newpass, new_pw_hash);
encode_pw_buffer(r.in.crypt_password, newpass, STR_ASCII);
- arcfour_crypt(r.in.crypt_password, old_pw_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &pw_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ r.in.crypt_password,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_pw_hash, old_pw_hash, r.in.password_hash);
torture_comment(tctx, "Testing rap_NetOEMChangePassword(%s)\n", r.in.UserName);
--
2.23.0

View File

@ -0,0 +1,121 @@
From d68771ee1f47bc238a2967ac43ccded3717d4bb5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 21 Feb 2019 10:21:39 +0100
Subject: [PATCH 039/187] s4:torture: Use init_samr_CryptPassword(Ex) in
samba3rpc test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 80f5beb4804c694ee6e5f5b450e751f538677593)
---
source4/torture/rpc/samba3rpc.c | 43 ++++++++++++++-------------------
1 file changed, 18 insertions(+), 25 deletions(-)
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index bf1de04a5b5..d55d6c47b57 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -36,7 +36,6 @@
#include "libcli/libcli.h"
#include "libcli/smb_composite/smb_composite.h"
#include "libcli/auth/libcli_auth.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/security/security.h"
#include "param/param.h"
#include "lib/registry/registry.h"
@@ -47,9 +46,7 @@
#include "librpc/rpc/dcerpc.h"
#include "librpc/rpc/dcerpc_proto.h"
#include "libcli/smb/smbXcli_base.h"
-
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
+#include "source3/rpc_client/init_samr.h"
/*
* open pipe and bind, given an IPC$ context
@@ -666,7 +663,6 @@ static bool create_user(struct torture_context *tctx,
union samr_UserInfo *info;
DATA_BLOB session_key;
-
ZERO_STRUCT(u_info);
encode_pw_buffer(u_info.info23.password.data, password,
STR_UNICODE);
@@ -676,8 +672,15 @@ static bool create_user(struct torture_context *tctx,
torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
goto done;
}
- arcfour_crypt_blob(u_info.info23.password.data, 516,
- &session_key);
+
+ status = init_samr_CryptPassword(password,
+ &session_key,
+ &u_info.info23.password);
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_comment(tctx, "init_samr_CryptPassword failed\n");
+ goto done;
+ }
+
u_info.info23.info.password_expired = 0;
u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT |
SAMR_FIELD_LM_PASSWORD_PRESENT |
@@ -872,10 +875,6 @@ static bool join3(struct torture_context *tctx,
union samr_UserInfo u_info;
struct samr_UserInfo21 *i21 = &u_info.info25.info;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(
- mem_ctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
ZERO_STRUCT(u_info);
@@ -890,25 +889,16 @@ static bool join3(struct torture_context *tctx,
i21->password_expired = 1;
*/
- encode_pw_buffer(u_info.info25.password.data,
- cli_credentials_get_password(wks_creds),
- STR_UNICODE);
status = dcerpc_fetch_session_key(samr_pipe, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_comment(tctx, "dcerpc_fetch_session_key failed: %s\n",
nt_errstr(status));
goto done;
}
- generate_random_buffer((uint8_t *)confounder, 16);
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u_info.info25.password.data, 516,
- &confounded_session_key);
- memcpy(&u_info.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(cli_credentials_get_password(wks_creds),
+ &session_key,
+ &u_info.info25.password);
sui2.in.user_handle = wks_handle;
sui2.in.level = 25;
@@ -942,8 +932,11 @@ static bool join3(struct torture_context *tctx,
torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
goto done;
}
- arcfour_crypt_blob(u_info.info24.password.data, 516,
- &session_key);
+
+ status = init_samr_CryptPassword(cli_credentials_get_password(wks_creds),
+ &session_key,
+ &u_info.info24.password);
+
sui2.in.user_handle = wks_handle;
sui2.in.info = &u_info;
sui2.in.level = 24;
--
2.23.0

View File

@ -0,0 +1,60 @@
From 92a1bd505e5bb9c793f05b386d4e9ee2b2b74027 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:56:08 +0200
Subject: [PATCH 040/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70e05d7eb78a0c363dbd72cbbf4f3a264636c840)
---
source4/torture/rpc/samr.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index eb1bb14a555..f281be654cc 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -31,7 +31,7 @@
#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
-#include "../lib/crypto/crypto.h"
+#include "lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "torture/rpc/torture_rpc.h"
@@ -40,6 +40,8 @@
#include "auth/gensec/gensec_proto.h"
#include "../libcli/auth/schannel.h"
#include "torture/util.h"
+#include "source4/librpc/rpc/dcerpc.h"
+#include "source3/rpc_client/init_samr.h"
#define TEST_ACCOUNT_NAME "samrtorturetest"
#define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
@@ -637,7 +639,6 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
s.in.info = &u;
s.in.level = 24;
- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE);
u.info24.password_expired = 0;
status = dcerpc_fetch_session_key(p, &session_key);
@@ -647,7 +648,12 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
return false;
}
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
torture_comment(tctx, "Testing SetUserInfo level 24 (set password)\n");
--
2.23.0

View File

@ -0,0 +1,72 @@
From 2f7cd9ededefa6499f4fad15758fec27a15a5de3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:57:25 +0200
Subject: [PATCH 041/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_23
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0b9cabc4de64497140d33d0fdaf2927f2915987)
---
source4/torture/rpc/samr.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index f281be654cc..543ef64e9ac 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -706,8 +706,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
u.info23.info.fields_present = fields_present;
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -715,7 +713,12 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
return false;
}
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
torture_comment(tctx, "Testing SetUserInfo level 23 (set password)\n");
@@ -732,8 +735,6 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
*password = newpass;
}
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -742,8 +743,17 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
}
/* This should break the key nicely */
- session_key.length--;
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ session_key.data[0]++;
+
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
+ /* Reset the session key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 23 (set password) with wrong password\n");
--
2.23.0

View File

@ -0,0 +1,87 @@
From d56d8f629ea89a9a3cc7aecc17331ac5c57a61fa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:58:06 +0200
Subject: [PATCH 042/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPassEx
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e398ecbd8e32bb428073f3635d9178abfae28255)
---
source4/torture/rpc/samr.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 543ef64e9ac..0e9989449be 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -781,14 +781,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
- gnutls_hash_hd_t hash_hnd;
struct samr_GetUserPwInfo pwp;
struct samr_PwInfo info;
int policy_min_pw_len = 0;
+
pwp.in.user_handle = handle;
pwp.out.info = &info;
@@ -807,7 +805,6 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
s.in.info = &u;
s.in.level = 26;
- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
u.info26.password_expired = 0;
status = dcerpc_fetch_session_key(p, &session_key);
@@ -817,15 +814,12 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex)\n");
@@ -843,10 +837,17 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
}
/* This should break the key nicely */
- confounded_session_key.data[0]++;
+ session_key.data[0]++;
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
+
+ /* Reset the key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 26 (set password ex) with wrong session key\n");
--
2.23.0

View File

@ -0,0 +1,88 @@
From 9f2f94aff0be089658eabd0c62896775332e1acb Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:58:38 +0200
Subject: [PATCH 043/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_25
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3b9496d905408b75c21919b35b2105e2b0b0325f)
---
source4/torture/rpc/samr.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0e9989449be..2f67bcf6be7 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -876,14 +876,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
struct samr_GetUserPwInfo pwp;
struct samr_PwInfo info;
int policy_min_pw_len = 0;
+
pwp.in.user_handle = handle;
pwp.out.info = &info;
@@ -902,8 +900,6 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
u.info25.info.fields_present = fields_present;
- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
-
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -911,15 +907,12 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex)\n");
@@ -937,10 +930,17 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
}
/* This should break the key nicely */
- confounded_session_key.data[0]++;
+ session_key.data[0]++;
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
+
+ /* Reset the key */
+ session_key.data[0]--;
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with wrong session key\n");
--
2.23.0

View File

@ -0,0 +1,116 @@
From 905ffa85002a4100172835c550547bab024ef30f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 15:59:19 +0200
Subject: [PATCH 044/187] s4:torture: Use init_samr_CryptPassword in
test_SetUserPass_level_ex
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f45ba47afb11c1f7bbb8c5c84670395500e1afc1)
---
source4/torture/rpc/samr.c | 48 +++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 2f67bcf6be7..530c457bbd9 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -1166,9 +1166,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
union samr_UserInfo u;
bool ret = true;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- gnutls_hash_hd_t hash_hnd;
- uint8_t confounder[16];
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
struct samr_GetUserPwInfo pwp;
@@ -1244,28 +1241,20 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
u.info23.info.password_expired = password_expired;
u.info23.info.comment.string = comment;
- encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE);
-
break;
case 24:
u.info24.password_expired = password_expired;
- encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE);
-
break;
case 25:
u.info25.info.fields_present = fields_present;
u.info25.info.password_expired = password_expired;
u.info25.info.comment.string = comment;
- encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE);
-
break;
case 26:
u.info26.password_expired = password_expired;
- encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE);
-
break;
}
@@ -1276,13 +1265,6 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
-
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
-
switch (level) {
case 18:
{
@@ -1320,18 +1302,36 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
}
break;
case 23:
- arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info23.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
break;
case 24:
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
break;
case 25:
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info25.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
break;
case 26:
- arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
- memcpy(&u.info26.password.data[516], confounder, 16);
+ status = init_samr_CryptPasswordEx(newpass,
+ &session_key,
+ &u.info26.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPasswordEx failed");
break;
}
--
2.23.0

View File

@ -0,0 +1,91 @@
From 752f6efc6ac65cba6b8ebf125b19a6685a0d40c2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:49:53 +0200
Subject: [PATCH 045/187] s4:torture: Use GnuTLS RC4 in
test_OemChangePasswordUser2
This uses STR_ASCII for password encoding!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b512b5974494fe41010800f60df0f248b8ea850e)
---
source4/torture/rpc/samr.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 530c457bbd9..eb032905dc8 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2032,6 +2032,11 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
char *newpass;
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_lm_hash[16], new_lm_hash[16];
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t session_key = {
+ .data = old_lm_hash,
+ .size = 16
+ };
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
@@ -2065,7 +2070,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
r.in.server = &server;
@@ -2092,7 +2103,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
/* Break the old password */
old_lm_hash[0]++;
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
/* unbreak it for the next operation */
old_lm_hash[0]--;
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
@@ -2116,7 +2132,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
}
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
r.in.server = &server;
r.in.account = &account;
@@ -2192,7 +2213,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &session_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd, lm_pass.data, 516);
+ gnutls_cipher_deinit(cipher_hnd);
E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,53 @@
From 88d136aae60d4aa8b6fe622e0e92a8bddbba1b1e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 16:46:06 +1200
Subject: [PATCH 046/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dfda49472e0b4a81653963e80d8d65788f80a591)
---
source4/torture/rpc/samr.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index eb032905dc8..6cc508a2d44 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2259,11 +2259,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
uint8_t old_lm_hash[16], new_lm_hash[16];
-
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
struct lsa_String domain_name;
+ NTSTATUS status;
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
@@ -2299,8 +2301,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
arcfour_crypt(lm_pass.data, old_lm_hash, 516);
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,54 @@
From 90bdf8b2063c05576450975df0983953d6febd95 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 16:52:41 +1200
Subject: [PATCH 047/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser2_ntstatus
This allows the use of GnuTLS for the RC4 crypto operation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b1c302a7db23bf4377b8fa742ebf7ae913e3511)
---
source4/torture/rpc/samr.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 6cc508a2d44..5bf758e2fb2 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2349,11 +2349,15 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
uint8_t old_lm_hash[16], new_lm_hash[16];
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash, sizeof(old_nt_hash));
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
struct lsa_String domain_name;
+ NTSTATUS crypt_status;
+
char *newpass;
int policy_min_pw_len = 0;
@@ -2386,8 +2390,13 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
arcfour_crypt(lm_pass.data, old_lm_hash, 516);
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ crypt_status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ crypt_status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,57 @@
From b21a4ac4a6d92d720e1e04b9eadf50cc59a4ebe5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:24:18 +0200
Subject: [PATCH 048/187] s4_torture: Use GnuTLS RC4 in
test_ChangePasswordUser2
This uses STR_ASCII as string encodings.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9cbdf7b2e5f734e9b5e0e447d54d720d18977950)
---
source4/torture/rpc/samr.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 5bf758e2fb2..7f1da86d19a 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2267,6 +2267,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
struct lsa_String domain_name;
NTSTATUS status;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_lm_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
+
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
dom_pw_info.out.info = &info;
@@ -2298,7 +2308,16 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_lm_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
status = init_samr_CryptPassword(newpass,
--
2.23.0

View File

@ -0,0 +1,61 @@
From b7700aa619a69f652b350b89a5a67a989658a474 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:00:32 +0200
Subject: [PATCH 049/187] s4:torture: Use GnuTLS RC4 in
test_ChangePasswordUser2_ntstatus
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a476a2e3322a550e2857cb5a66096fa3e46416d3)
---
source4/torture/rpc/samr.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 7f1da86d19a..307b0b03594 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2272,10 +2272,6 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
.data = old_lm_hash,
.size = sizeof(old_lm_hash),
};
- gnutls_datum_t old_nt_key = {
- .data = old_nt_hash,
- .size = sizeof(old_nt_hash),
- };
domain_name.string = "";
dom_pw_info.in.domain_name = &domain_name;
@@ -2370,6 +2366,11 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
uint8_t old_lm_hash[16], new_lm_hash[16];
DATA_BLOB old_nt_hash_blob
= data_blob_const(old_nt_hash, sizeof(old_nt_hash));
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_lm_key = {
+ .data = old_lm_hash,
+ .size = sizeof(old_lm_hash),
+ };
struct samr_GetDomPwInfo dom_pw_info;
struct samr_PwInfo info;
@@ -2406,7 +2407,16 @@ static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct tort
E_deshash(newpass, new_lm_hash);
encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
- arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_lm_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ lm_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
crypt_status = init_samr_CryptPassword(newpass,
--
2.23.0

View File

@ -0,0 +1,119 @@
From e3c6cd617dc324d86212a50555adbeffb966555c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:01:02 +0200
Subject: [PATCH 050/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordUser3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b7c21fca576bf6e44233d69b47273058b9197c8)
---
source4/torture/rpc/samr.c | 64 +++++++++++++++++++++++++++++---------
1 file changed, 49 insertions(+), 15 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 307b0b03594..55059a26b43 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2472,6 +2472,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+ NTSTATUS status;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
@@ -2500,12 +2502,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
/* Break the verification */
@@ -2534,16 +2546,28 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
ret = false;
}
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- /* Break the NT hash */
- old_nt_hash[0]++;
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ /* Break the session key */
+ session_key.data[0]++;
+
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
/* Unbreak it again */
- old_nt_hash[0]--;
+ session_key.data[0]--;
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
@@ -2590,12 +2614,22 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
- encode_pw_buffer(lm_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(lm_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &lm_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &session_key,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,130 @@
From f0d05dc2dce30f851f9e1eb6a1952730dfe907f6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 17:18:50 +1200
Subject: [PATCH 051/187] s4:torture: clarify comments and variable names in
"ChangePasswordUser3 tests
There is no session key here, the buffers are directly encrypted
with the long-term passwords.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8380668be7963b74cbbd31bfab3d01d1f3089034)
---
source4/torture/rpc/samr.c | 43 +++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 10 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 55059a26b43..20afa9392e2 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2472,7 +2472,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
- DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
+ DATA_BLOB old_nt_hash_blob = data_blob_const(old_nt_hash, 16);
NTSTATUS status;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
@@ -2502,22 +2502,45 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(oldpass, old_lm_hash);
E_deshash(newpass, new_lm_hash);
+ /*
+ * The new plaintext password is encrypted using RC4 with the
+ * old NT password hash (directly, with no confounder). The
+ * password is at the end of the random padded buffer,
+ * offering a little protection.
+ *
+ * This is almost certainly wrong, it should be the old LM
+ * hash, it was switched in an unrelated commit
+ * 579c13da43d5b40ac6d6c1436399fbc1d8dfd054 in 2004.
+ */
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
+ /*
+ * Now we prepare a DES cross-hash of the old LM and new NT
+ * passwords to link the two buffers
+ */
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
+ /*
+ * The new plaintext password is also encrypted using RC4 with
+ * the old NT password hash (directly, with no confounder).
+ * The password is at the end of the random padded buffer,
+ * offering a little protection.
+ */
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
+ /*
+ * Another DES based cross-hash
+ */
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
/* Break the verification */
@@ -2547,7 +2570,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
}
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
@@ -2555,18 +2578,18 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
- /* Break the session key */
- session_key.data[0]++;
+ /* Break the NT Hash */
+ old_nt_hash[0]++;
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
"init_samr_CryptPassword");
/* Unbreak it again */
- session_key.data[0]--;
+ old_nt_hash[0]--;
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
@@ -2615,7 +2638,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_deshash(newpass, new_lm_hash);
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&lm_pass);
torture_assert_ntstatus_ok(tctx,
status,
@@ -2624,7 +2647,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
status = init_samr_CryptPassword(newpass,
- &session_key,
+ &old_nt_hash_blob,
&nt_pass);
torture_assert_ntstatus_ok(tctx,
status,
--
2.23.0

View File

@ -0,0 +1,48 @@
From 7ce6d4730f7ff8c5008ad91d665a172fec8e5ba8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 17:43:23 +1200
Subject: [PATCH 052/187] s4:torture: Use init_samr_CryptPassword in
test_ChangePasswordRandomBytes
This allows the use of GnuTLS for the underlying RC4 crypto
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 19d9c2c01a54957bc3852e2565d92c1cdd89498b)
---
source4/torture/rpc/samr.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 20afa9392e2..10377850314 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2790,6 +2790,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
char *oldpass;
struct dcerpc_binding_handle *b = p->binding_handle;
uint8_t old_nt_hash[16], new_nt_hash[16];
+ DATA_BLOB old_nt_hash_blob
+ = data_blob_const(old_nt_hash,
+ sizeof(old_nt_hash));
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
@@ -2893,8 +2896,13 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
E_md4hash(newpass, new_nt_hash);
- encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+ status = init_samr_CryptPassword(newpass,
+ &old_nt_hash_blob,
+ &nt_pass);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,51 @@
From 74f61d6ecf74311a12e8454f2ce12a4b63bbfe90 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Jul 2019 16:01:31 +0200
Subject: [PATCH 053/187] s4:torture: Use GnuTLS RC4 in
test_ChangePasswordRandomBytes
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 82a6480611f791a3c26fcf70975e6f8b3b1757ad)
---
source4/torture/rpc/samr.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 10377850314..10bdd52fd47 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2796,6 +2796,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t old_nt_key = {
+ .data = old_nt_hash,
+ .size = sizeof(old_nt_hash),
+ };
new_random_pass = samr_very_rand_pass(tctx, 128);
@@ -2855,7 +2860,16 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
mdfour(new_nt_hash, new_random_pass.data, new_random_pass.length);
set_pw_in_buffer(nt_pass.data, &new_random_pass);
- arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+
+ gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &old_nt_key,
+ NULL);
+ gnutls_cipher_encrypt(cipher_hnd,
+ nt_pass.data,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
r.in.server = &server;
--
2.23.0

View File

@ -0,0 +1,84 @@
From 0f56ee5720764eec28ce23bc82a01c16411df5fb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 25 Jul 2019 13:07:48 +1200
Subject: [PATCH 054/187] s4:torture: Use samba_gnutls_arcfour_confounded_md5()
in test_ChangePasswordRandomBytes
This ensures GnuTLS is used as the underlying RC4 crypto engine
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5740e9516f3587e3a9f72cf52cfe1eedd940b2a9)
---
source4/torture/rpc/samr.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 10bdd52fd47..4b3ad093bf6 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -42,6 +42,7 @@
#include "torture/util.h"
#include "source4/librpc/rpc/dcerpc.h"
#include "source3/rpc_client/init_samr.h"
+#include "lib/crypto/gnutls_helpers.h"
#define TEST_ACCOUNT_NAME "samrtorturetest"
#define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
@@ -2777,9 +2778,6 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
struct samr_SetUserInfo s;
union samr_UserInfo u;
DATA_BLOB session_key;
- DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
- uint8_t confounder[16];
- gnutls_hash_hd_t hash_hnd;
bool ret = true;
struct lsa_String server, account;
@@ -2797,6 +2795,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
gnutls_cipher_hd_t cipher_hnd = NULL;
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder
+ = data_blob_const(_confounder,
+ sizeof(_confounder));
+ DATA_BLOB pw_data;
gnutls_datum_t old_nt_key = {
.data = old_nt_hash,
.size = sizeof(old_nt_hash),
@@ -2821,6 +2824,8 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
set_pw_in_buffer(u.info25.password.data, &new_random_pass);
+ pw_data = data_blob_const(u.info25.password.data, 516);
+
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
@@ -2828,15 +2833,15 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
return false;
}
- generate_random_buffer((uint8_t *)confounder, 16);
+ generate_random_buffer(_confounder,
+ sizeof(_confounder));
- gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
- gnutls_hash(hash_hnd, confounder, 16);
- gnutls_hash(hash_hnd, session_key.data, session_key.length);
- gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+ samba_gnutls_arcfour_confounded_md5(&confounder,
+ &session_key,
+ &pw_data,
+ SAMBA_GNUTLS_ENCRYPT);
- arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
- memcpy(&u.info25.password.data[516], confounder, 16);
+ memcpy(&u.info25.password.data[516], _confounder, sizeof(_confounder));
torture_comment(tctx, "Testing SetUserInfo level 25 (set password ex) with a password made up of only random bytes\n");
--
2.23.0

View File

@ -0,0 +1,68 @@
From e1fd1c24002f30d31367d1caa59ccb057e8c9794 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 13:06:34 +0100
Subject: [PATCH 055/187] s4:torture: Use init_samr_CryptPassword in testjoin
RPC test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 301544ab2b0c85752d5307f2daab59652c08e1e0)
---
source4/torture/rpc/testjoin.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c
index c4e287d579b..11394b1c277 100644
--- a/source4/torture/rpc/testjoin.c
+++ b/source4/torture/rpc/testjoin.c
@@ -26,7 +26,6 @@
#include "includes.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
#include "libnet/libnet.h"
#include "lib/cmdline/popt_common.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
@@ -36,6 +35,7 @@
#include "torture/rpc/torture_rpc.h"
#include "libcli/security/security.h"
#include "param/param.h"
+#include "source3/rpc_client/init_samr.h"
struct test_join {
struct dcerpc_pipe *p;
@@ -145,7 +145,6 @@ struct test_join *torture_create_testuser_max_pwlen(struct torture_context *tctx
char *random_pw;
const char *dc_binding = torture_setting_string(tctx, "dc_binding", NULL);
struct dcerpc_binding_handle *b = NULL;
-
join = talloc(NULL, struct test_join);
if (join == NULL) {
return NULL;
@@ -330,7 +329,6 @@ again:
s.in.info = &u;
s.in.level = 24;
- encode_pw_buffer(u.info24.password.data, random_pw, STR_UNICODE);
u.info24.password_expired = 0;
status = dcerpc_fetch_session_key(join->p, &session_key);
@@ -341,7 +339,12 @@ again:
goto failed;
}
- arcfour_crypt_blob(u.info24.password.data, 516, &session_key);
+ status = init_samr_CryptPassword(random_pw,
+ &session_key,
+ &u.info24.password);
+ torture_assert_ntstatus_ok(tctx,
+ status,
+ "init_samr_CryptPassword failed");
status = dcerpc_samr_SetUserInfo_r(b, join, &s);
if (!NT_STATUS_IS_OK(status)) {
--
2.23.0

View File

@ -0,0 +1,91 @@
From f20d681243aed9c4e2c1a669cb04964b380413f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 12:59:13 +0100
Subject: [PATCH 056/187] lib:crypto: Use GnuTLS RC4 in py_crypto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc4ae06001fbb0045318a8cec7af6af81241c60e)
---
lib/crypto/py_crypto.c | 34 +++++++++++++++++++++++++++++-----
lib/crypto/wscript_build | 7 +++----
2 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index 13e2569945d..c85cd2c13d2 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -21,13 +21,18 @@
#include <Python.h>
#include "includes.h"
#include "python/py3compat.h"
-#include "lib/crypto/arcfour.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
{
- DATA_BLOB data, key;
+ DATA_BLOB data;
PyObject *py_data, *py_key, *result;
TALLOC_CTX *ctx;
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key;
+ int rc;
if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
return NULL;
@@ -51,10 +56,29 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
return PyErr_NoMemory();
}
- key.data = (uint8_t *)PyBytes_AsString(py_key);
- key.length = PyBytes_Size(py_key);
+ key = (gnutls_datum_t) {
+ .data = (uint8_t *)PyBytes_AsString(py_key),
+ .size = PyBytes_Size(py_key),
+ };
- arcfour_crypt_blob(data.data, data.length, &key);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &key,
+ NULL);
+ if (rc < 0) {
+ talloc_free(ctx);
+ PyErr_Format(PyExc_OSError, "encryption failed");
+ return NULL;
+ }
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data.data,
+ data.length);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ talloc_free(ctx);
+ PyErr_Format(PyExc_OSError, "encryption failed");
+ return NULL;
+ }
result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
talloc_free(ctx);
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 2ad8dfe2cd0..46b0e084328 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -28,7 +28,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
)
bld.SAMBA_PYTHON('python_crypto',
- source='py_crypto.c',
- deps='LIBCRYPTO',
- realname='samba/crypto.so'
- )
+ source='py_crypto.c',
+ deps='gnutls talloc',
+ realname='samba/crypto.so')
--
2.23.0

View File

@ -0,0 +1,29 @@
From d40afca3d8b1881ecebc171fede2aa36aa0240d0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:18:36 +0100
Subject: [PATCH 057/187] lib:crypto: Remove arcfour.h from crypto.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 14c4a075875860e709a9e2e52aad83aa4c58a5ad)
---
lib/crypto/crypto.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index 12aebaecefd..d7409f9a46d 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -21,7 +21,6 @@
#define _SAMBA_CRYPTO_H_
#include "../lib/crypto/md4.h"
-#include "../lib/crypto/arcfour.h"
#include "../lib/crypto/aes.h"
#include "../lib/crypto/aes_cmac_128.h"
#include "../lib/crypto/aes_ccm_128.h"
--
2.23.0

View File

@ -0,0 +1,59 @@
From 32aea65d8f1c896a78f93d1183fb9bdf88eee7df Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Feb 2019 13:28:01 +0100
Subject: [PATCH 058/187] lib:crypto: Don't build RC4 if we have GnuTLS >=
3.4.7
We have a GnuTLS DCEPRC backupkey implementation for the server and the
test. However this is only working with GnuTLS >= 3.4.7. So we need to
keep this around till we can require at least GnuTLS in a newer version.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9ede63fbada7842cd9ae120936bc6bd4b6ad16ac)
---
lib/crypto/wscript_build | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 46b0e084328..a26c10b627b 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -12,12 +12,27 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
''',
deps='gnutls samba-errors');
+# We have a GnuTLS DCEPRC backupkey implementation for the server and the test.
+# However this is only working with GnuTLS >= 3.4.7. So we need to keep this
+# around till we can require at least GnuTLS in a newer version.
+bld.SAMBA_SUBSYSTEM('LIBCRYPTO_RC4',
+ source='arcfour.c',
+ deps='talloc',
+ enabled=not bld.CONFIG_SET('HAVE_GNUTLS_3_4_7'))
+
bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
- source='''md4.c arcfour.c
- aes.c rijndael-alg-fst.c aes_cmac_128.c aes_ccm_128.c aes_gcm_128.c
- ''',
- deps='talloc' + extra_deps
- )
+ source='''
+ md4.c
+ aes.c
+ rijndael-alg-fst.c
+ aes_cmac_128.c
+ aes_ccm_128.c
+ aes_gcm_128.c
+ ''',
+ deps='''
+ talloc
+ LIBCRYPTO_RC4
+ ''' + extra_deps)
bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
source='''md4test.c
--
2.23.0

View File

@ -0,0 +1,56 @@
From 0fb7a341e75794027de988894da7547a5258d705 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:20:23 +0200
Subject: [PATCH 059/187] s3:lib: Use the passed mem_ctx instead of
talloc_tos()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa09e811ca6fb08a66940380b310ce9794397071)
---
source3/lib/netapi/user.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 827b7902040..fc236e55d1f 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -290,7 +290,7 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level,
/****************************************************************
****************************************************************/
-static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
+static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *pipe_cli,
DATA_BLOB *session_key,
struct policy_handle *user_handle,
@@ -320,7 +320,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
return status;
}
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
user_handle,
25,
&user_info,
@@ -336,7 +336,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
return status;
}
- status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
user_handle,
23,
&user_info,
@@ -353,7 +353,7 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
user_info.info21 = info21;
- status = dcerpc_samr_SetUserInfo(b, talloc_tos(),
+ status = dcerpc_samr_SetUserInfo(b, mem_ctx,
user_handle,
21,
&user_info,
--
2.23.0

View File

@ -0,0 +1,188 @@
From a2b0dcbb525b7aa3a6f79ca8f8cca4ef7fc2f8f7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:45:51 +0200
Subject: [PATCH 060/187] s3:rpcclient: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9158a6ba8693070f3b2b71dd15089488869ab6cd)
---
source3/rpcclient/cmd_samr.c | 56 +++++++++++++++++++++++++-----------
1 file changed, 39 insertions(+), 17 deletions(-)
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index b1b7c06515c..0cd8b50058e 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3043,6 +3043,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
DATA_BLOB session_key;
uint8_t password_expired = 0;
struct dcerpc_binding_handle *b = cli->binding_handle;
+ TALLOC_CTX *frame = NULL;
if (argc < 4) {
printf("Usage: %s username level password [password_expired]\n",
@@ -3050,6 +3051,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return NT_STATUS_INVALID_PARAMETER;
}
+ frame = talloc_stackframe();
+
user = argv[1];
level = atoi(argv[2]);
param = argv[3];
@@ -3058,18 +3061,18 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
password_expired = atoi(argv[4]);
}
- status = cli_get_session_key(mem_ctx, cli, &session_key);
+ status = cli_get_session_key(frame, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
nt_lm_owf_gen(param, nt_hash, lm_hash);
@@ -3078,14 +3081,22 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
{
DATA_BLOB in,out;
in = data_blob_const(nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(nt_hash, out.data, out.length);
}
{
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 15);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(lm_hash, out.data, out.length);
}
@@ -3118,18 +3129,26 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
{
DATA_BLOB in,out;
in = data_blob_const(nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
info.info21.nt_owf_password.array =
- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16);
+ (uint16_t *)talloc_memdup(frame, out.data, 16);
}
{
DATA_BLOB in,out;
in = data_blob_const(lm_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
sess_crypt_blob(&out, &in, &session_key, true);
info.info21.lm_owf_password.array =
- (uint16_t *)talloc_memdup(mem_ctx, out.data, 16);
+ (uint16_t *)talloc_memdup(frame, out.data, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
}
break;
@@ -3175,7 +3194,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
/* Get sam policy handle */
- status = rpccli_try_samr_connects(cli, mem_ctx,
+ status = rpccli_try_samr_connects(cli, frame,
MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(status)) {
@@ -3184,7 +3203,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
/* Get domain policy handle */
- status = dcerpc_samr_OpenDomain(b, mem_ctx,
+ status = dcerpc_samr_OpenDomain(b, frame,
&connect_pol,
access_mask,
&domain_sid,
@@ -3200,7 +3219,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
user_rid = strtol(user, NULL, 0);
if (user_rid) {
- status = dcerpc_samr_OpenUser(b, mem_ctx,
+ status = dcerpc_samr_OpenUser(b, frame,
&domain_pol,
access_mask,
user_rid,
@@ -3222,7 +3241,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
init_lsa_String(&lsa_acct_name, user);
- status = dcerpc_samr_LookupNames(b, mem_ctx,
+ status = dcerpc_samr_LookupNames(b, frame,
&domain_pol,
1,
&lsa_acct_name,
@@ -3242,7 +3261,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
- status = dcerpc_samr_OpenUser(b, mem_ctx,
+ status = dcerpc_samr_OpenUser(b, frame,
&domain_pol,
access_mask,
rids.ids[0],
@@ -3258,14 +3277,14 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
switch (opcode) {
case NDR_SAMR_SETUSERINFO:
- status = dcerpc_samr_SetUserInfo(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo(b, frame,
&user_pol,
level,
&info,
&result);
break;
case NDR_SAMR_SETUSERINFO2:
- status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo2(b, frame,
&user_pol,
level,
&info,
@@ -3283,7 +3302,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
DEBUG(0,("result: %s\n", nt_errstr(status)));
goto done;
}
+
+ status = NT_STATUS_OK;
done:
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

View File

@ -0,0 +1,104 @@
From 5a4fb7d50cfa71a57ce62fdd0e090b70da56b33c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 15:49:43 +0200
Subject: [PATCH 061/187] s3:utils: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 52b3f921ad2d04cb30232a6aadf261c9fc9aafb2)
---
source3/utils/net_rpc.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index f6fb892a2d9..03462d89e1b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6095,6 +6095,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
unsigned int orig_timeout;
struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
DATA_BLOB session_key = data_blob_null;
+ TALLOC_CTX *frame = NULL;
if (argc != 2) {
d_printf("%s\n%s",
@@ -6104,22 +6105,24 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
return NT_STATUS_INVALID_PARAMETER;
}
+ frame = talloc_stackframe();
+
/*
* Make valid trusting domain account (ie. uppercased and with '$' appended)
*/
if (asprintf(&acct_name, "%s$", argv[0]) < 0) {
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
}
if (!strupper_m(acct_name)) {
- SAFE_FREE(acct_name);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
}
init_lsa_String(&lsa_acct_name, acct_name);
- status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key);
+ status = cli_get_session_key(frame, pipe_hnd, &session_key);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Error getting session_key of SAM pipe. Error was %s\n",
nt_errstr(status)));
@@ -6127,7 +6130,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
/* Get samr policy handle */
- status = dcerpc_samr_Connect2(b, mem_ctx,
+ status = dcerpc_samr_Connect2(b, frame,
pipe_hnd->desthost,
MAXIMUM_ALLOWED_ACCESS,
&connect_pol,
@@ -6141,7 +6144,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
/* Get domain policy handle */
- status = dcerpc_samr_OpenDomain(b, mem_ctx,
+ status = dcerpc_samr_OpenDomain(b, frame,
&connect_pol,
MAXIMUM_ALLOWED_ACCESS,
discard_const_p(struct dom_sid2, domain_sid),
@@ -6168,7 +6171,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
SAMR_USER_ACCESS_GET_ATTRIBUTES |
SAMR_USER_ACCESS_SET_ATTRIBUTES;
- status = dcerpc_samr_CreateUser2(b, mem_ctx,
+ status = dcerpc_samr_CreateUser2(b, frame,
&domain_pol,
&lsa_acct_name,
acb_info,
@@ -6207,7 +6210,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
info.info23.info.acct_flags = ACB_DOMTRUST;
info.info23.password = crypt_pwd;
- status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
+ status = dcerpc_samr_SetUserInfo2(b, frame,
&user_pol,
23,
&info,
@@ -6224,9 +6227,11 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c,
}
}
+ status = NT_STATUS_OK;
done:
SAFE_FREE(acct_name);
data_blob_clear_free(&session_key);
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

View File

@ -0,0 +1,96 @@
From cb51fd8abb0f0d3fa672452cd15d49af193de6ee Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 16:02:12 +0200
Subject: [PATCH 062/187] s3:rpc_server: Use a stackframe for temporary memory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1c84bda361678cb6c4685cff17a2d5a5026f2bce)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index d5267bf7062..791aa7acaff 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1134,6 +1134,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
int rc;
DATA_BLOB session_key;
enum samr_UserInfoLevel infolevel;
+ TALLOC_CTX *frame = talloc_stackframe();
ZERO_STRUCT(user_handle);
@@ -1144,7 +1145,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
goto out;
}
- rc = tsocket_address_inet_from_strings(mem_ctx,
+ rc = tsocket_address_inet_from_strings(frame,
"ip",
"127.0.0.1",
0,
@@ -1154,7 +1155,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
goto out;
}
- status = rpcint_binding_handle(mem_ctx,
+ status = rpcint_binding_handle(frame,
&ndr_table_samr,
local,
NULL,
@@ -1166,7 +1167,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
}
become_root();
- status = samr_find_machine_account(mem_ctx,
+ status = samr_find_machine_account(frame,
h,
account_name,
SEC_FLAG_MAXIMUM_ALLOWED,
@@ -1179,7 +1180,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
}
status = dcerpc_samr_QueryUserInfo2(h,
- mem_ctx,
+ frame,
&user_handle,
UserControlInformation,
&info,
@@ -1213,7 +1214,11 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
infolevel = UserInternal1Information;
in = data_blob_const(cr->creds.nt_hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
+ out = data_blob_talloc_zero(frame, 16);
+ if (out.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
sess_crypt_blob(&out, &in, &session_key, true);
memcpy(info18.nt_pwd.hash, out.data, out.length);
@@ -1244,7 +1249,7 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
become_root();
status = dcerpc_samr_SetUserInfo2(h,
- mem_ctx,
+ frame,
&user_handle,
infolevel,
info,
@@ -1260,8 +1265,9 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
out:
if (h && is_valid_policy_hnd(&user_handle)) {
- dcerpc_samr_Close(h, mem_ctx, &user_handle, &result);
+ dcerpc_samr_Close(h, frame, &user_handle, &result);
}
+ TALLOC_FREE(frame);
return status;
}
--
2.23.0

View File

@ -0,0 +1,32 @@
From b26c0a881c5a71ee310a942ffd65960974eabea8 Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@samba.org>
Date: Fri, 12 Jul 2019 17:29:23 +0200
Subject: [PATCH 063/187] netlogon: Fix potential use of uninitialized variable
The _netr_NetrEnumerateTrustedDomains()->dcerpc_lsa_open_policy2() error
path checks the policy handle and closes it if non-empty. The policy
handle may be uninitialized in this code-path - fix this.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 93d424528f1c3d0d50ebd8a784f4624b2721d416)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 791aa7acaff..08bce367bf0 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -419,6 +419,7 @@ NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
int i;
uint32_t max_size = (uint32_t)-1;
+ ZERO_STRUCT(pol);
DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
status = rpcint_binding_handle(p->mem_ctx,
--
2.23.0

View File

@ -0,0 +1,64 @@
From 8746734f6874d62825209a49b29b06f28183559d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Jul 2019 16:13:17 +0200
Subject: [PATCH 064/187] s3:rpc_server: Only dump passwords in developer
builds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 26 03:05:01 UTC 2019 on sn-devel-184
(cherry picked from commit 1f923e067dbe358c17cbccfe179baa811aa3b8b3)
---
source3/rpc_server/samr/srv_samr_nt.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index ad1d1853bda..87214b2899e 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5198,7 +5198,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info23.password.data, 516);
+#endif
status = set_user_info_23(p->mem_ctx,
&info->info23,
@@ -5219,7 +5221,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info24.password.data, 516);
+#endif
status = set_user_info_24(p->mem_ctx,
rhost,
@@ -5237,7 +5241,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info25.password.data, 532);
+#endif
status = set_user_info_25(p->mem_ctx,
rhost,
@@ -5255,7 +5261,9 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
}
+#ifdef DEBUG_PASSWORD
dump_data(100, info->info26.password.data, 516);
+#endif
status = set_user_info_26(p->mem_ctx,
rhost,
--
2.23.0

View File

@ -0,0 +1,38 @@
From 595df06b59c80cbb7a484a893e1ebaf917ddddb6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 8 Aug 2019 11:57:02 +0200
Subject: [PATCH 065/187] libcli:smb: Add forward declaration for
gnutls_hmac_hd_t
This file is basically included everywhere. So use a forward declaration
for gnutls_hmac_hd_t. This way we don't have to link everthing against
gnutls to get access to the header path.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6bf6cb1643ae5e8fff66a7cbec50f58ede632666)
---
libcli/smb/smb2_signing.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
index 6e1682955c9..96a002f4a0c 100644
--- a/libcli/smb/smb2_signing.h
+++ b/libcli/smb/smb2_signing.h
@@ -21,10 +21,10 @@
#ifndef _LIBCLI_SMB_SMB2_SIGNING_H_
#define _LIBCLI_SMB_SMB2_SIGNING_H_
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
-
struct iovec;
+ /* Forward declaration of GnuTLS typedefs */
+struct hmac_hd_st;
+typedef struct hmac_hd_st* gnutls_hmac_hd_t;
struct smb2_signing_key {
gnutls_hmac_hd_t hmac_hnd;
--
2.23.0

View File

@ -0,0 +1,29 @@
From 5132a12a30ccc008644be11fa6af4a3d253a8a27 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 8 Aug 2019 13:14:45 +0200
Subject: [PATCH 066/187] s3:modules: Link vfs_acl_common against gnutls
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b81cb04d03d57b8175d862ba48ac476fedf23636)
---
source3/modules/wscript_build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 80b0ce9ff90..b8b965c8edd 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -10,7 +10,8 @@ bld.SAMBA3_BINARY('test_nfs4_acls',
install=False)
bld.SAMBA3_SUBSYSTEM('vfs_acl_common',
- source='vfs_acl_common.c')
+ source='vfs_acl_common.c',
+ deps='gnutls')
bld.SAMBA3_SUBSYSTEM('POSIXACL_XATTR',
source='posixacl_xattr.c',
--
2.23.0

View File

@ -0,0 +1,62 @@
From 45c34e04c2018d839be71371bee594bc4794de2d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:16:37 +0200
Subject: [PATCH 067/187] lib:util: Add generate_nonce_buffer()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70ff216935acc099b762b527033b6191ba3307d0)
---
lib/util/genrand.c | 12 ++++++++++--
lib/util/genrand.h | 11 +++++++++++
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 55997c3dd55..76c2cb81962 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -25,8 +25,6 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-/* TODO: Add API for generating nonce or use gnutls_rnd directly everywhere. */
-
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
/* Thread and fork safe random number generator for temporary keys. */
@@ -42,3 +40,13 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
/* Thread and fork safe random number generator for long term keys. */
gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
+
+_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
+{
+ /*
+ * The nonce generator will reseed after outputting a fixed amount of
+ * bytes (typically few megabytes), or after few hours of operation
+ * without reaching the limit has passed.
+ */
+ gnutls_rnd(GNUTLS_RND_NONCE, out, len);
+}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 899ce8badc0..5af23100596 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -28,3 +28,14 @@ void generate_random_buffer(uint8_t *out, int len);
* Thread and fork safe random number generator for long term keys.
*/
void generate_secret_buffer(uint8_t *out, int len);
+
+/**
+ * @brief Generate random values for a nonce buffer.
+ *
+ * This is also known as initialization vector.
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
+ */
+void generate_nonce_buffer(uint8_t *out, int len);
--
2.23.0

View File

@ -0,0 +1,31 @@
From 85272ea8c52056f559b7bfde79805ce2b7ab4f72 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:25:35 +0200
Subject: [PATCH 068/187] libcli:smb: Use generate_nonce_buffer() for AES-CCM
and AES-GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b2506f2407429efb40c3e4e4c360f5817ac13d27)
---
libcli/smb/smbXcli_base.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c9b396106ae..5db86720c9c 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -6253,8 +6253,8 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
*
* NOTE: We assume nonces greater than 8 bytes.
*/
- generate_random_buffer((uint8_t *)&session->smb2->nonce_high_random,
- sizeof(session->smb2->nonce_high_random));
+ generate_nonce_buffer((uint8_t *)&session->smb2->nonce_high_random,
+ sizeof(session->smb2->nonce_high_random));
switch (conn->smb2.server.cipher) {
case SMB2_ENCRYPTION_AES128_CCM:
nonce_size = AES_CCM_128_NONCE_SIZE;
--
2.23.0

View File

@ -0,0 +1,31 @@
From 230457a6c024e236815b6f9f0351b236044ad515 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:28:34 +0200
Subject: [PATCH 069/187] s3:smbd: Use generate_nonce_buffer() for AES-CCM and
AES-GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2df6cd398c9cb62989710f9b1642665ec89406)
---
source3/smbd/smb2_sesssetup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 770c22b00f1..591d5c37160 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -419,8 +419,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
*
* NOTE: We assume nonces greater than 8 bytes.
*/
- generate_random_buffer((uint8_t *)&x->nonce_high_random,
- sizeof(x->nonce_high_random));
+ generate_nonce_buffer((uint8_t *)&x->nonce_high_random,
+ sizeof(x->nonce_high_random));
switch (xconn->smb2.server.cipher) {
case SMB2_ENCRYPTION_AES128_CCM:
nonce_size = AES_CCM_128_NONCE_SIZE;
--
2.23.0

View File

@ -0,0 +1,70 @@
From deeb93c2fb7cc131741ced4877b75bcd3a64cef4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:38:50 +0200
Subject: [PATCH 070/187] lib:util: Add better documentation for
generate_secret_buffer()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bf52ab7d2982de84a68a1b9c6d2f68250b7e7cca)
---
lib/util/genrand.c | 17 ++++++++++++-----
lib/util/genrand.h | 6 +++++-
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 76c2cb81962..a5809aa2bc9 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -25,19 +25,26 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+/*
+ * Details about the GnuTLS CSPRNG:
+ *
+ * https://nikmav.blogspot.com/2017/03/improving-by-simplifying-gnutls-prng.html
+ */
+
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
/* Thread and fork safe random number generator for temporary keys. */
gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
-/*
- * Keep generate_secret_buffer in case we ever want to do something
- * different
- */
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- /* Thread and fork safe random number generator for long term keys. */
+ /* The key generator, will re-seed after a fixed amount of bytes is
+ * generated (typically less than the nonce), and will also re-seed
+ * based on time, i.e., after few hours of operation without reaching
+ * the limit for a re-seed. For its re-seed it mixes mixes data obtained
+ * from the OS random device with the previous key.
+ */
gnutls_rnd(GNUTLS_RND_KEY, out, len);
}
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 5af23100596..abb8ce2c10a 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -25,7 +25,11 @@
void generate_random_buffer(uint8_t *out, int len);
/**
- * Thread and fork safe random number generator for long term keys.
+ * @brief Generate random values for key buffers (e.g. session keys)
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
*/
void generate_secret_buffer(uint8_t *out, int len);
--
2.23.0

View File

@ -0,0 +1,33 @@
From 299dd35d7816770560a17a0e30886c08d9687589 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:40:12 +0200
Subject: [PATCH 071/187] s4:rpc_server: Use generate_secret_buffer() to create
a session key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4b2480518bd3887be3a6cfb713523ac084e09fd5)
---
source4/rpc_server/samr/samr_password.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index b04e37f06f3..6bf907181c8 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -733,9 +733,10 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
nt_errstr(nt_status)));
/*
- * Windows just uses a random key
+ * Windows just uses a random key. We need to use a CSPRNG
+ * which reseeds for generating session keys.
*/
- generate_random_buffer(random_session_key,
+ generate_secret_buffer(random_session_key,
sizeof(random_session_key));
session_key = data_blob_const(random_session_key,
sizeof(random_session_key));
--
2.23.0

View File

@ -0,0 +1,30 @@
From 5cd54770ca2055eee9ae651510b0ff5d1c914f6c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:41:29 +0200
Subject: [PATCH 072/187] s4:rpc_server: Use generate_secret_buffer() for
backupkey wap_key
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a62056b4530e4c509444be9164a1fca1dce193f)
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index a826ae083f4..d192858e468 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1263,7 +1263,8 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
- generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
--
2.23.0

View File

@ -0,0 +1,30 @@
From a9efbcf21a5dc8b8b8195916b8a5eaa03ccbf5a5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:42:26 +0200
Subject: [PATCH 073/187] s4:rpc_server: Use generate_secret_buffer() for
netlogon challange
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a21770cfdffd2a21045a1bc87e489af0f4c6f130)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ac745e32b02..f4e24b7fd7f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -90,7 +90,8 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
pipe_state->client_challenge = *r->in.credentials;
- generate_random_buffer(pipe_state->server_challenge.data,
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(pipe_state->server_challenge.data,
sizeof(pipe_state->server_challenge.data));
*r->out.return_credentials = pipe_state->server_challenge;
--
2.23.0

View File

@ -0,0 +1,34 @@
From 34c4199f21f5d2dfbf3d732fd4da7be390ce095b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:44:24 +0200
Subject: [PATCH 074/187] libcli:auth: Use generate_secret_buffer() for
netlogon challenge
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug 12 10:42:35 UTC 2019 on sn-devel-184
(cherry picked from commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0)
---
libcli/auth/netlogon_creds_cli.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 50a5f50a57d..18143ca36d0 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,7 +1177,8 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- generate_random_buffer(state->client_challenge.data,
+ /* We need to use a CSPRNG which reseeds for generating session keys. */
+ generate_secret_buffer(state->client_challenge.data,
sizeof(state->client_challenge.data));
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
--
2.23.0

View File

@ -0,0 +1,72 @@
From 5d53f417762503b9c73edcdb1364834f3b665e74 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 16:10:20 +0200
Subject: [PATCH 075/187] lib:util: Fix documentation for random number
functions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 97c441d7c28feb29168e81ebbc5c55b09a845087)
---
lib/util/genrand.c | 9 +++++++--
lib/util/genrand.h | 8 ++++++--
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index a5809aa2bc9..18ffa0d95e6 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -33,13 +33,16 @@
_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
{
- /* Thread and fork safe random number generator for temporary keys. */
+ /* Random number generator for temporary keys. */
gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
}
_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
{
- /* The key generator, will re-seed after a fixed amount of bytes is
+ /*
+ * Random number generator for long term keys.
+ *
+ * The key generator, will re-seed after a fixed amount of bytes is
* generated (typically less than the nonce), and will also re-seed
* based on time, i.e., after few hours of operation without reaching
* the limit for a re-seed. For its re-seed it mixes mixes data obtained
@@ -51,6 +54,8 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
{
/*
+ * Random number generator for nonce and initialization vectors.
+ *
* The nonce generator will reseed after outputting a fixed amount of
* bytes (typically few megabytes), or after few hours of operation
* without reaching the limit has passed.
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index abb8ce2c10a..70f36312e58 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -20,12 +20,16 @@
*/
/**
- * Thread and fork safe random number generator for temporary keys.
+ * @brief Generate random values for session and temporary keys.
+ *
+ * @param[in] out A pointer to the buffer to fill with random data.
+ *
+ * @param[in] len The size of the buffer to fill.
*/
void generate_random_buffer(uint8_t *out, int len);
/**
- * @brief Generate random values for key buffers (e.g. session keys)
+ * @brief Generate random values for long term keys and passwords.
*
* @param[in] out A pointer to the buffer to fill with random data.
*
--
2.23.0

View File

@ -0,0 +1,31 @@
From 5b8d3df9856f081cbca601926ca909085cc73f05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:31 +0200
Subject: [PATCH 076/187] Revert "libcli:auth: Use generate_secret_buffer() for
netlogon challenge"
This reverts commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 689760f26521fe5b4c8964a25ddd3ab1c9e9977c)
---
libcli/auth/netlogon_creds_cli.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 18143ca36d0..50a5f50a57d 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(state->client_challenge.data,
+ generate_random_buffer(state->client_challenge.data,
sizeof(state->client_challenge.data));
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
--
2.23.0

View File

@ -0,0 +1,31 @@
From c08b8c1b2ccbd3c180c730940d7efce8fcef8b5b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:37 +0200
Subject: [PATCH 077/187] Revert "s4:rpc_server: Use generate_secret_buffer()
for netlogon challange"
This reverts commit a21770cfdffd2a21045a1bc87e489af0f4c6f130.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 1c68085404cd467c217640e3eabfc4b7f8b1ce9f)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f4e24b7fd7f..ac745e32b02 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
pipe_state->client_challenge = *r->in.credentials;
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(pipe_state->server_challenge.data,
+ generate_random_buffer(pipe_state->server_challenge.data,
sizeof(pipe_state->server_challenge.data));
*r->out.return_credentials = pipe_state->server_challenge;
--
2.23.0

View File

@ -0,0 +1,31 @@
From 5576562cc327cfa6cc77d5962ee8ec85d9ca0ad6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:49:52 +0200
Subject: [PATCH 078/187] Revert "s4:rpc_server: Use generate_secret_buffer()
for backupkey wap_key"
This reverts commit 5a62056b4530e4c509444be9164a1fca1dce193f.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 38b0695ddac244c67b2a33eb927ad3e95d2e8bd6)
---
source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index d192858e468..a826ae083f4 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1263,8 +1263,7 @@ static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context
char *secret_name;
TALLOC_CTX *frame = talloc_stackframe();
- /* We need to use a CSPRNG which reseeds for generating session keys. */
- generate_secret_buffer(wrap_key.key, sizeof(wrap_key.key));
+ generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
--
2.23.0

View File

@ -0,0 +1,34 @@
From ea69efd5e269e3ec0c93121d0448a1f6fb4275ac Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:50:02 +0200
Subject: [PATCH 079/187] Revert "s4:rpc_server: Use generate_secret_buffer()
to create a session key"
This reverts commit 4b2480518bd3887be3a6cfb713523ac084e09fd5.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d73be972ea58d564c770698bf6374a6074f111fe)
---
source4/rpc_server/samr/samr_password.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 6bf907181c8..b04e37f06f3 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -733,10 +733,9 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
nt_errstr(nt_status)));
/*
- * Windows just uses a random key. We need to use a CSPRNG
- * which reseeds for generating session keys.
+ * Windows just uses a random key
*/
- generate_secret_buffer(random_session_key,
+ generate_random_buffer(random_session_key,
sizeof(random_session_key));
session_key = data_blob_const(random_session_key,
sizeof(random_session_key));
--
2.23.0

View File

@ -0,0 +1,47 @@
From d2cc9f2ef31092c1ce5e5ad967a6be4f3bc84c06 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:55:56 +0200
Subject: [PATCH 080/187] lib:util: Use generate_secret_buffer() for long term
passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 93196dd823e114f260a68d28bb59eac3909c30d8)
---
lib/util/genrand_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index d7b74c6cf1a..05d1f3ef6e5 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -185,7 +185,7 @@ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const c
char *retstr = talloc_array(mem_ctx, char, len + 1);
if (!retstr) return NULL;
- generate_random_buffer((uint8_t *)retstr, len);
+ generate_secret_buffer((uint8_t *)retstr, len);
for (i = 0; i < len; i++) {
retstr[i] = list[retstr[i] % list_len];
}
@@ -247,7 +247,7 @@ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t
if (diff > 0 ) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
@@ -317,7 +317,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min,
if (diff > 0) {
size_t tmp;
- generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+ generate_secret_buffer((uint8_t *)&tmp, sizeof(tmp));
tmp %= diff;
--
2.23.0

View File

@ -0,0 +1,29 @@
From 3a22faf5aa81b8a2e918e250cb201440094f9757 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:56:35 +0200
Subject: [PATCH 081/187] s4:samdb: Use generate_nonce_buffer() for AEC GCM
nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit a3e36dd8f43a5c06969ae158fa54fbc649f44d03)
---
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index b2df15c08f4..deaa03cbb35 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -447,7 +447,7 @@ static struct ldb_val samba_encrypt_aead(int *err,
goto error_exit;
}
- generate_random_buffer(iv, AES_GCM_128_IV_SIZE);
+ generate_nonce_buffer(iv, AES_GCM_128_IV_SIZE);
es->iv.length = AES_GCM_128_IV_SIZE;
es->iv.data = iv;
--
2.23.0

View File

@ -0,0 +1,30 @@
From 8057d84f33d96a3143b1908b47e65e6a89d4f861 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 18:57:06 +0200
Subject: [PATCH 082/187] s3:passdb: Use generate_secret_buffer() for
generating passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 6fa3e4de7c168dc7c869ec9966729a36bda27f57)
---
source3/passdb/pdb_nds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/passdb/pdb_nds.c b/source3/passdb/pdb_nds.c
index 349ea0b6c38..216c9e6b50b 100644
--- a/source3/passdb/pdb_nds.c
+++ b/source3/passdb/pdb_nds.c
@@ -814,7 +814,8 @@ static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods,
got_clear_text_pw = True;
}
} else {
- generate_random_buffer((unsigned char *)clear_text_pw, 24);
+ /* This is a long term key */
+ generate_secret_buffer((unsigned char *)clear_text_pw, 24);
clear_text_pw[24] = '\0';
DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw));
}
--
2.23.0

View File

@ -0,0 +1,33 @@
From 9a257522e3c811853b2b9f0b93992b07ecdad5d9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Aug 2019 19:07:15 +0200
Subject: [PATCH 083/187] auth:ntlmssp: Use generate_random_buffer() for
session keys
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 16:26:47 UTC 2019 on sn-devel-184
(cherry picked from commit 9b7825d2d387bcb2515154418a990669ab96358d)
---
auth/ntlmssp/ntlmssp_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b8d1190466b..2a80feb4fed 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -696,7 +696,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
.size = session_key.length,
};
- generate_secret_buffer(client_session_key, sizeof(client_session_key));
+ generate_random_buffer(client_session_key, sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
--
2.23.0

View File

@ -0,0 +1,84 @@
From 40a13974c5279d43fa2e13b8a274ba41ec051533 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 15 Aug 2019 15:27:30 +1200
Subject: [PATCH 084/187] encrypted_secrets: Add known and expected value test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 92b9cdf99da1f8657c166d413c5136c8db938a9e)
---
.../tests/test_encrypted_secrets.c | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
index 258e1ba829f..cfea95ae544 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
@@ -1101,6 +1101,53 @@ static void test_unencrypted_secret(void **state)
assert_int_equal(LDB_ERR_OPERATIONS_ERROR, ret);
}
+/*
+ * Test full decryption of a static value with static key
+ */
+static void test_record_decryption(void **state)
+{
+ struct ldbtest_ctx *test_ctx =
+ talloc_get_type_abort(*state, struct ldbtest_ctx);
+ unsigned char plain_data[] = {
+ 0xe6, 0xa6, 0xb8, 0xff, 0xdf, 0x06, 0x6c, 0xe3,
+ 0xea, 0xd0, 0x94, 0xbb, 0x79, 0xbd, 0x0a, 0x24
+ };
+ unsigned char encrypted_data[] = {
+ 0x0c, 0x00, 0x00, 0x00, 0x33, 0x91, 0x74, 0x25,
+ 0x26, 0xcc, 0x0b, 0x8c, 0x21, 0xc1, 0x13, 0xe2,
+ 0xed, 0xad, 0x5c, 0xca, 0x01, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x1a, 0xdc, 0xc9, 0x11, 0x08, 0xca, 0x2c, 0xfb,
+ 0xc8, 0x32, 0x6b, 0x1b, 0x25, 0x7f, 0x52, 0xbb,
+ 0xae, 0x9b, 0x88, 0x52, 0xb0, 0x18, 0x6d, 0x9d,
+ 0x9b, 0xdd, 0xcd, 0x1b, 0x5f, 0x4a, 0x5c, 0x29,
+ 0xca, 0x0b, 0x36, 0xaa
+ };
+ struct ldb_val cipher_text
+ = data_blob_const(encrypted_data,
+ sizeof(encrypted_data));
+ unsigned char es_keys_blob[] = {
+ 0x1d, 0xae, 0xf5, 0xaa, 0xa3, 0x85, 0x0d, 0x0a,
+ 0x8c, 0x24, 0x5c, 0x4c, 0xa7, 0x0f, 0x81, 0x79
+ };
+ struct es_data data = {
+ .encrypt_secrets = true,
+ .keys[0] = {
+ .data = es_keys_blob,
+ .length = sizeof(es_keys_blob),
+ },
+#ifdef HAVE_GNUTLS_AEAD
+ .encryption_algorithm = GNUTLS_CIPHER_AES_128_GCM,
+#endif
+ };
+ int err = LDB_SUCCESS;
+ struct ldb_val dec = decrypt_value(&err, test_ctx, test_ctx->ldb, cipher_text,
+ &data);
+ assert_int_equal(LDB_SUCCESS, err);
+ assert_int_equal(sizeof(plain_data), dec.length);
+ assert_memory_equal(dec.data, plain_data, sizeof(plain_data));
+}
+
int main(void) {
const struct CMUnitTest tests[] = {
@@ -1166,6 +1213,10 @@ int main(void) {
test_unencrypted_secret,
setup_with_key,
teardown),
+ cmocka_unit_test_setup_teardown(
+ test_record_decryption,
+ setup_with_key,
+ teardown),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
--
2.23.0

View File

@ -0,0 +1,154 @@
From ce7a5f793d0d5983504be61189ec7c57cfbf07d0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:32:34 +0100
Subject: [PATCH 085/187] s4:samdb: Remove dual-stack mode from
(test_)encrypted_secrets
Now we either build with GnuTLS or Samba crypto. If a modern GnuTLS
version is detected that will be used and Samba crypto wont be
available.
This removes the dual-stack mode that encrypted with one and decrypted
with the other in the testsuite.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Commit message clarified by Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7bf3c5d7640daaf5dc799eaf698618903ec09127)
---
.../samdb/ldb_modules/encrypted_secrets.c | 16 ++----
.../tests/test_encrypted_secrets.c | 49 ++-----------------
2 files changed, 10 insertions(+), 55 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index deaa03cbb35..5f8cd8747ea 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -39,18 +39,12 @@
#include "dsdb/samdb/samdb.h"
#include "dsdb/samdb/ldb_modules/util.h"
-#ifdef TEST_ENCRYPTED_SECRETS
+/* Build either with GnuTLS crypto or Samba crypto. */
+#ifdef HAVE_GNUTLS_AEAD
+ #define BUILD_WITH_GNUTLS_AEAD
+#else /* !HAVE_GNUTLS_AEAD */
#define BUILD_WITH_SAMBA_AES_GCM
- #ifdef HAVE_GNUTLS_AEAD
- #define BUILD_WITH_GNUTLS_AEAD
- #endif
-#else
- #ifdef HAVE_GNUTLS_AEAD
- #define BUILD_WITH_GNUTLS_AEAD
- #else
- #define BUILD_WITH_SAMBA_AES_GCM
- #endif
-#endif
+#endif /* HAVE_GNUTLS_AEAD */
#ifdef BUILD_WITH_GNUTLS_AEAD
#include <gnutls/gnutls.h>
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
index cfea95ae544..a33781d703d 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c
@@ -390,26 +390,6 @@ static void test_gnutls_value_encryption(void **state)
&decrypted->cleartext,
&plain_text));
}
-
- {
- struct PlaintextSecret *decrypted =
- talloc_zero(test_ctx, struct PlaintextSecret);
- samba_decrypt_aead(
- &err,
- test_ctx,
- test_ctx->ldb,
- &es,
- decrypted,
- data);
- assert_int_equal(LDB_SUCCESS, err);
- assert_int_equal(
- plain_text.length,
- decrypted->cleartext.length);
- assert_int_equal(0,
- data_blob_cmp(
- &decrypted->cleartext,
- &plain_text));
- }
}
#endif /* HAVE_GNUTLS_AEAD */
@@ -613,9 +593,11 @@ static void test_gnutls_altered_iv(void **state)
}
}
#endif /* HAVE_GNUTLS_AEAD */
+
/*
* Test samba encryption and decryption and decryption.
*/
+#ifndef HAVE_GNUTLS_AEAD
static void test_samba_value_encryption(void **state)
{
struct ldbtest_ctx *test_ctx =
@@ -647,29 +629,6 @@ static void test_samba_value_encryption(void **state)
assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
assert_true(check_header(&es));
-#ifdef HAVE_GNUTLS_AEAD
- {
- struct PlaintextSecret *decrypted =
- talloc_zero(test_ctx, struct PlaintextSecret);
- gnutls_decrypt_aead(
- &err,
- test_ctx,
- test_ctx->ldb,
- &es,
- decrypted,
- data);
- assert_int_equal(LDB_SUCCESS, err);
- assert_int_equal(
- plain_text.length,
- decrypted->cleartext.length);
- assert_int_equal(0,
- data_blob_cmp(
- &decrypted->cleartext,
- &plain_text));
- }
-#endif /* HAVE_GNUTLS_AEAD */
-
-
{
struct PlaintextSecret *decrypted =
talloc_zero(test_ctx, struct PlaintextSecret);
@@ -886,6 +845,7 @@ static void test_samba_altered_iv(void **state)
assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
}
}
+#endif
/*
* Test message encryption.
@@ -1188,7 +1148,7 @@ int main(void) {
test_gnutls_altered_iv,
setup_with_key,
teardown),
-#endif /* HAVE_GNUTLS_AEAD */
+#else
cmocka_unit_test_setup_teardown(
test_samba_value_encryption,
setup_with_key,
@@ -1205,6 +1165,7 @@ int main(void) {
test_samba_altered_iv,
setup_with_key,
teardown),
+#endif /* HAVE_GNUTLS_AEAD */
cmocka_unit_test_setup_teardown(
test_message_encryption_decryption,
setup_with_key,
--
2.23.0

View File

@ -0,0 +1,30 @@
From 23e2849f8f5b119ebce9cb0aeee098a8c1a388e0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 26 Feb 2019 18:33:09 +0100
Subject: [PATCH 086/187] s4:samdb: Only include necessary header files in
encrypted_secrets
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d46e538d52433f5f30a5696e5b18bc4b82101951)
---
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
index 5f8cd8747ea..e0932858588 100644
--- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
+++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c
@@ -52,7 +52,8 @@
#endif /* BUILD_WITH_GNUTLS_AEAD */
#ifdef BUILD_WITH_SAMBA_AES_GCM
- #include "lib/crypto/crypto.h"
+ #include "lib/crypto/aes.h"
+ #include "lib/crypto/aes_gcm_128.h"
#endif /* BUILD_WITH_SAMBA_AES_GCM */
static const char * const secret_attributes[] = {DSDB_SECRET_ATTRIBUTES};
--
2.23.0

View File

@ -0,0 +1,29 @@
From ea3711fc1f4459a9654dd237ffbc71a42375629c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:35:02 +0100
Subject: [PATCH 087/187] waf: Check for GNUTLS AES CFB support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 20a42459df4fdd57cdf1807a3d97dc5b1c553476)
---
wscript_configure_system_gnutls | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index cc9a2b035a2..85824aad4ed 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -36,3 +36,9 @@ if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_init',
conf.DEFINE('HAVE_GNUTLS_AEAD', '1')
else:
Logs.warn('No gnutls support for AEAD encryption')
+
+if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
+ conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
+ conf.DEFINE('HAVE_GNUTLS_3_4_7', 1)
+else:
+ Logs.warn('No gnutls support for AES CFB8')
--
2.23.0

View File

@ -0,0 +1,35 @@
From 563e6a454706f29171b4bf06473cc40c557b0eed Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:33:01 +0100
Subject: [PATCH 088/187] libcli:auth: Use netlogon_creds_aes_encrypt() in
netlogon_creds_step_crypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd97c47873007bfc502926070a758b520d95abf1)
---
libcli/auth/credentials.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 319dacdac0b..3b31d1e0300 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -35,12 +35,9 @@ static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *cre
struct netr_Credential *out)
{
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE] = {0};
+ memcpy(out->data, in->data, sizeof(out->data));
- AES_set_encrypt_key(creds->session_key, 128, &key);
-
- aes_cfb8_encrypt(in->data, out->data, 8, &key, iv, AES_ENCRYPT);
+ netlogon_creds_aes_encrypt(creds, out->data, sizeof(out->data));
} else {
des_crypt112(out->data, in->data, creds->session_key, 1);
}
--
2.23.0

View File

@ -0,0 +1,69 @@
From efe2ed9aa8d1a1be574149f591015cc063c24fb7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 1 Mar 2019 17:41:11 +0100
Subject: [PATCH 089/187] libcli:auth: Use GnuTLS AES128 CFB for
netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 054efd118d7500e28f118722312aaae0df2749b0)
---
libcli/auth/credentials.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 3b31d1e0300..5a1692ef436 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -295,12 +295,48 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
*/
void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = creds->session_key,
+ .size = sizeof(creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
+ ZERO_ARRAY(_iv);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+
+ rc = gnutls_cipher_encrypt(cipher_hnd, data, len);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
AES_set_encrypt_key(creds->session_key, 128, &key);
aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
+#endif /* HAVE_GNUTLS_AES_CFB8 */
}
/*
--
2.23.0

View File

@ -0,0 +1,82 @@
From cd45ceb7c38ef77ad9d6cc42ad8184ebc6829cf7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 29 May 2019 16:38:09 +0200
Subject: [PATCH 090/187] libcli:auth: Return NTSTATUS for
netlogon_creds_aes_encrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adapted by Andrew Bartlett to use gnutls_error_to_ntstatus()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ded5aad21b54b8783f7390fb2eca483d3861eeff)
---
libcli/auth/credentials.c | 15 ++++++++-------
libcli/auth/proto.h | 4 +++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 5a1692ef436..87f8820238e 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -293,7 +293,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
/*
AES encrypt a password buffer using the session key
*/
-void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len)
{
#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
@@ -317,18 +319,15 @@ void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, ui
&key,
&iv);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_encrypt(cipher_hnd, data, len);
gnutls_cipher_deinit(cipher_hnd);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
+
#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
@@ -337,6 +336,8 @@ void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, ui
aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
#endif /* HAVE_GNUTLS_AES_CFB8 */
+
+ return NT_STATUS_OK;
}
/*
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 65ee06215dc..639a50425e5 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -18,7 +18,9 @@ void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, st
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
-void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len);
void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
/*****************************************************************
--
2.23.0

View File

@ -0,0 +1,84 @@
From 9b5fa6c165e98ddec38bc976bac0cfee62fd0d72 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Mar 2019 15:13:08 +0100
Subject: [PATCH 091/187] libcli:auth: Use GnuTLS AES128 CFB for
netlogon_creds_aes_decrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a96728586150768957b88a0714b15f13ee9f81af)
---
libcli/auth/credentials.c | 41 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 87f8820238e..cfeab6efdcd 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -22,10 +22,13 @@
#include "includes.h"
#include "system/time.h"
-#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "../libcli/security/dom_sid.h"
+#ifndef HAVE_GNUTLS_AES_CFB8
+#include "lib/crypto/aes.h"
+#endif
+
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@@ -345,12 +348,48 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
*/
void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
+#ifdef HAVE_GNUTLS_AES_CFB8
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t key = {
+ .data = creds->session_key,
+ .size = sizeof(creds->session_key),
+ };
+ uint32_t iv_size =
+ gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8);
+ uint8_t _iv[iv_size];
+ gnutls_datum_t iv = {
+ .data = _iv,
+ .size = iv_size,
+ };
+ int rc;
+
+ ZERO_ARRAY(_iv);
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_AES_128_CFB8,
+ &key,
+ &iv);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd, data, len);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
+#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
AES_set_encrypt_key(creds->session_key, 128, &key);
aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
+#endif /* HAVE_GNUTLS_AES_CFB8 */
}
/*****************************************************************
--
2.23.0

View File

@ -0,0 +1,78 @@
From a5149014cc8a0da7b8c664a465f6108c390d127d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 12:34:28 +1200
Subject: [PATCH 092/187] libcli:auth Return NTSTATUS from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8ec796f1a1daa444bba06f34a50d2b62ee4a2ef9)
---
libcli/auth/credentials.c | 15 ++++++++-------
libcli/auth/proto.h | 4 +++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index cfeab6efdcd..955e08b7385 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -346,7 +346,7 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
/*
AES decrypt a password buffer using the session key
*/
-void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
@@ -370,18 +370,17 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui
&key,
&iv);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_init: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_decrypt(cipher_hnd, data, len);
gnutls_cipher_deinit(cipher_hnd);
if (rc < 0) {
- DBG_ERR("ERROR: gnutls_cipher_decrypt: %s\n",
- gnutls_strerror(rc));
- return;
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
+
#else /* NOT HAVE_GNUTLS_AES_CFB8 */
AES_KEY key;
uint8_t iv[AES_BLOCK_SIZE] = {0};
@@ -390,6 +389,8 @@ void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, ui
aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
#endif /* HAVE_GNUTLS_AES_CFB8 */
+
+ return NT_STATUS_OK;
}
/*****************************************************************
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 639a50425e5..714652bdb76 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -21,7 +21,9 @@ NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *cre
NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
-void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len);
/*****************************************************************
The above functions are common to the client and server interface
--
2.23.0

View File

@ -0,0 +1,30 @@
From fb7713126043eaa2bffcf4b73d63fe371781cc1c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 13:52:36 +1200
Subject: [PATCH 093/187] crypto: Update REQUIREMENTS file with new minimum
version
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5ae119e7e9ddcfb3473e14585ba6079147a307bd)
---
lib/crypto/REQUIREMENTS | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index ff91a2f9174..5ebf3ba0e05 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -4,8 +4,7 @@ This list is to allow research into using external crypto libraries.
Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
Those possibly supported in the git version of nettle are indicated as '# NETTLE'
-For Samba AD with Heimdal gnutls >= 3.0.0 is required
-For Samba AD with MIT kerberos gnutls >= 3.4.7 is required
+Samba in general gnutls >= 3.4.7 is required
Samba FS with MS Catalog support will require gnutls >= 3.5.6
GnuTLS Milestone for Samba support:
--
2.23.0

View File

@ -0,0 +1,134 @@
From d054df5519b1a25d031f95e098c1f40d59083c3d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 13:55:49 +1200
Subject: [PATCH 094/187] libcli:auth Check NTSTATUS from
netlogon_creds_aes_{en,de}crypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d515b255aa67186ff375af0b465c49722eb56427)
---
libcli/auth/credentials.c | 76 +++++++++++++++++++++++++++------------
1 file changed, 53 insertions(+), 23 deletions(-)
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 955e08b7385..baa436df71b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -712,27 +712,36 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (!all_zero(base->key.key, sizeof(base->key.key))) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->key.key,
- sizeof(base->key.key));
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ base->key.key,
+ sizeof(base->key.key));
} else {
- netlogon_creds_aes_decrypt(creds,
- base->key.key,
- sizeof(base->key.key));
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ base->key.key,
+ sizeof(base->key.key));
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
if (!all_zero(base->LMSessKey.key,
sizeof(base->LMSessKey.key))) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
-
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
} else {
- netlogon_creds_aes_decrypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -818,18 +827,34 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
h = logon->password->lmpassword.hash;
if (!all_zero(h, 16)) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds, h, 16);
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ h,
+ 16);
} else {
- netlogon_creds_aes_decrypt(creds, h, 16);
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ h,
+ 16);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
h = logon->password->ntpassword.hash;
if (!all_zero(h, 16)) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds, h, 16);
+ status = netlogon_creds_aes_encrypt(creds,
+ h,
+ 16);
} else {
- netlogon_creds_aes_decrypt(creds, h, 16);
+ status = netlogon_creds_aes_decrypt(creds,
+ h,
+ 16);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -887,13 +912,18 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
if (do_encrypt) {
- netlogon_creds_aes_encrypt(creds,
- logon->generic->data,
- logon->generic->length);
+ status = netlogon_creds_aes_encrypt(
+ creds,
+ logon->generic->data,
+ logon->generic->length);
} else {
- netlogon_creds_aes_decrypt(creds,
- logon->generic->data,
- logon->generic->length);
+ status = netlogon_creds_aes_decrypt(
+ creds,
+ logon->generic->data,
+ logon->generic->length);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
status = netlogon_creds_arcfour_crypt(creds,
--
2.23.0

View File

@ -0,0 +1,41 @@
From ca38586a27089b6bf8769b3701e8fc7ccd5f9215 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:05:38 +1200
Subject: [PATCH 095/187] s3-rpc_server: Check NTSTATUS return value from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2f827bec8ca831fb486c8ebedc6b89b7f1cb99e2)
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 08bce367bf0..671300676ff 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1369,14 +1369,16 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
SIVAL(password_buf.data, 512, r->in.new_password->length);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ status = netlogon_creds_aes_decrypt(creds,
+ password_buf.data,
+ 516);
} else {
status = netlogon_creds_arcfour_crypt(creds,
password_buf.data,
516);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
if (!decode_pw_buffer(p->mem_ctx,
--
2.23.0

View File

@ -0,0 +1,63 @@
From 2558252a6fc918cfe5e9bdfc0d7b98a1324ab61b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:15:45 +1200
Subject: [PATCH 096/187] s4-rpc_server: Check NTSTATUS return value from
netlogon_creds_aes_decrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1e427f55d71350b25a8a26e94a5cb7895d8efdf6)
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 ++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ac745e32b02..49a075137ff 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -747,14 +747,17 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
SIVAL(password_buf.data, 512, r->in.new_password->length);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ nt_status = netlogon_creds_aes_decrypt(creds,
+ password_buf.data,
+ 516);
} else {
nt_status = netlogon_creds_arcfour_crypt(creds,
password_buf.data,
516);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
switch (creds->secure_channel_type) {
@@ -2803,14 +2806,16 @@ static NTSTATUS dcesrv_netr_NetrLogonSendToSam(struct dcesrv_call_state *dce_cal
/* Buffer is meant to be 16-bit aligned */
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_decrypt(creds, r->in.opaque_buffer, r->in.buffer_len);
+ nt_status = netlogon_creds_aes_decrypt(creds,
+ r->in.opaque_buffer,
+ r->in.buffer_len);
} else {
nt_status = netlogon_creds_arcfour_crypt(creds,
r->in.opaque_buffer,
r->in.buffer_len);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
decrypted_blob.data = r->in.opaque_buffer;
--
2.23.0

View File

@ -0,0 +1,148 @@
From 5913cd056fae4d3a147326a30182a2d30bfe7857 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:22:42 +1200
Subject: [PATCH 097/187] s3-librpc: Remove unused init_netr_CryptPassword()
Unused since 38d4dba37406515181e4d6f1a1faffc18e652e27 in 2013
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1aa249e7f4a1c4222b4cc79bac64c8b95c89d868)
---
source3/rpc_client/cli_netlogon.c | 1 -
source3/rpc_client/init_netlogon.c | 50 ------------------------------
source3/rpc_client/init_netlogon.h | 29 -----------------
source3/wscript_build | 5 ---
4 files changed, 85 deletions(-)
delete mode 100644 source3/rpc_client/init_netlogon.c
delete mode 100644 source3/rpc_client/init_netlogon.h
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 505a1d015bc..ea9cb757048 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -30,7 +30,6 @@
#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "../librpc/gen_ndr/schannel.h"
#include "rpc_client/cli_netlogon.h"
-#include "rpc_client/init_netlogon.h"
#include "rpc_client/util_netlogon.h"
#include "../libcli/security/security.h"
#include "lib/param/param.h"
diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c
deleted file mode 100644
index 26deaba8065..00000000000
--- a/source3/rpc_client/init_netlogon.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * RPC Pipe client / server routines
- * Copyright (C) Guenther Deschner 2008,2012
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/crypto.h"
-#include "rpc_client/init_netlogon.h"
-
-/*************************************************************************
- inits a netr_CryptPassword structure
- *************************************************************************/
-
-void init_netr_CryptPassword(const char *pwd,
- struct netlogon_creds_CredentialState *creds,
- struct netr_CryptPassword *pwd_buf)
-{
- struct samr_CryptPassword password_buf;
- NTSTATUS status;
-
- encode_pw_buffer(password_buf.data, pwd, STR_UNICODE);
-
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
- } else {
- status = netlogon_creds_arcfour_crypt(creds,
- password_buf.data,
- 516);
- if (!NT_STATUS_IS_OK(status)) {
- return;
- }
- }
- memcpy(pwd_buf->data, password_buf.data, 512);
- pwd_buf->length = IVAL(password_buf.data, 512);
-}
diff --git a/source3/rpc_client/init_netlogon.h b/source3/rpc_client/init_netlogon.h
deleted file mode 100644
index bb4496b4cd9..00000000000
--- a/source3/rpc_client/init_netlogon.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * RPC Pipe client / server routines
- * Copyright (C) Guenther Deschner 2008.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef _RPC_CLIENT_INIT_NETLOGON_H_
-#define _RPC_CLIENT_INIT_NETLOGON_H_
-
-/* The following definitions come from rpc_client/init_netlogon.c */
-
-void init_netr_CryptPassword(const char *pwd,
- struct netlogon_creds_CredentialState *creds,
- struct netr_CryptPassword *pwd_buf);
-
-#endif /* _RPC_CLIENT_INIT_NETLOGON_H_ */
diff --git a/source3/wscript_build b/source3/wscript_build
index b73f6dc0664..ce3fa362bc2 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1024,7 +1024,6 @@ bld.SAMBA3_LIBRARY('libcli_netlogon3',
deps='''
msrpc3
RPC_NDR_NETLOGON
- INIT_NETLOGON
cliauth
smbconf
NETLOGON_CREDS_CLI''',
@@ -1057,10 +1056,6 @@ bld.SAMBA3_SUBSYSTEM('INIT_LSA',
source='rpc_client/init_lsa.c',
deps='samba-util')
-bld.SAMBA3_SUBSYSTEM('INIT_NETLOGON',
- source='rpc_client/init_netlogon.c',
- deps='samba-util')
-
bld.SAMBA3_SUBSYSTEM('INIT_SAMR',
source='rpc_client/init_samr.c',
deps='samba-util GNUTLS_HELPERS')
--
2.23.0

View File

@ -0,0 +1,47 @@
From cef95d8835a04065b9c7422a637f60efdb9a93fe Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 14:29:45 +1200
Subject: [PATCH 098/187] auth/credentials: Check NTSTATUS return from
netlogon_creds_aes_encrypt()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fefd95091cc52f5e2655fa392312a8b1fa1d35fd)
---
auth/credentials/credentials.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 5ebec483705..81f9dbb9eb3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1333,19 +1333,19 @@ _PUBLIC_ NTSTATUS netlogon_creds_session_encrypt(
return NT_STATUS_INVALID_PARAMETER;
}
if (state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(state,
- data.data,
- data.length);
+ status = netlogon_creds_aes_encrypt(state,
+ data.data,
+ data.length);
} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
status = netlogon_creds_arcfour_crypt(state,
data.data,
data.length);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
} else {
DBG_ERR("Unsupported encryption option negotiated");
- return NT_STATUS_NOT_SUPPORTED;
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
return NT_STATUS_OK;
}
--
2.23.0

Some files were not shown because too many files have changed in this diff Show More