samba/SOURCES/0094-libcli-auth-Check-NTST...

From d054df5519b1a25d031f95e098c1f40d59083c3d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 13:55:49 +1200
Subject: [PATCH 094/187] libcli:auth Check NTSTATUS from
 netlogon_creds_aes_{en,de}crypt()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d515b255aa67186ff375af0b465c49722eb56427)
---
 libcli/auth/credentials.c | 76 +++++++++++++++++++++++++++------------
 1 file changed, 53 insertions(+), 23 deletions(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 955e08b7385..baa436df71b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -712,27 +712,36 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 		/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
 		if (!all_zero(base->key.key, sizeof(base->key.key))) {
 			if (do_encrypt) {
-				netlogon_creds_aes_encrypt(creds,
-					    base->key.key,
-					    sizeof(base->key.key));
+				status = netlogon_creds_aes_encrypt(
+					creds,
+					base->key.key,
+					sizeof(base->key.key));
 			} else {
-				netlogon_creds_aes_decrypt(creds,
-					    base->key.key,
-					    sizeof(base->key.key));
+				status = netlogon_creds_aes_decrypt(
+					creds,
+					base->key.key,
+					sizeof(base->key.key));
+			}
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
 			}
 		}

 		if (!all_zero(base->LMSessKey.key,
 			      sizeof(base->LMSessKey.key))) {
 			if (do_encrypt) {
-				netlogon_creds_aes_encrypt(creds,
-					    base->LMSessKey.key,
-					    sizeof(base->LMSessKey.key));
-
+				status = netlogon_creds_aes_encrypt(
+					creds,
+					base->LMSessKey.key,
+					sizeof(base->LMSessKey.key));
 			} else {
-				netlogon_creds_aes_decrypt(creds,
-					    base->LMSessKey.key,
-					    sizeof(base->LMSessKey.key));
+				status = netlogon_creds_aes_decrypt(
+					creds,
+					base->LMSessKey.key,
+					sizeof(base->LMSessKey.key));
+			}
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
 			}
 		}
 	} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -818,18 +827,34 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
 			h = logon->password->lmpassword.hash;
 			if (!all_zero(h, 16)) {
 				if (do_encrypt) {
-					netlogon_creds_aes_encrypt(creds, h, 16);
+					status = netlogon_creds_aes_encrypt(
+						creds,
+						h,
+						16);
 				} else {
-					netlogon_creds_aes_decrypt(creds, h, 16);
+					status = netlogon_creds_aes_decrypt(
+						creds,
+						h,
+						16);
+				}
+				if (!NT_STATUS_IS_OK(status)) {
+					return status;
 				}
 			}

 			h = logon->password->ntpassword.hash;
 			if (!all_zero(h, 16)) {
 				if (do_encrypt) {
-					netlogon_creds_aes_encrypt(creds, h, 16);
+					status = netlogon_creds_aes_encrypt(creds,
+								   h,
+								   16);
 				} else {
-					netlogon_creds_aes_decrypt(creds, h, 16);
+					status = netlogon_creds_aes_decrypt(creds,
+								   h,
+								   16);
+				}
+				if (!NT_STATUS_IS_OK(status)) {
+					return status;
 				}
 			}
 		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
@@ -887,13 +912,18 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden

 		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 			if (do_encrypt) {
-				netlogon_creds_aes_encrypt(creds,
-						logon->generic->data,
-						logon->generic->length);
+				status = netlogon_creds_aes_encrypt(
+					creds,
+					logon->generic->data,
+					logon->generic->length);
 			} else {
-				netlogon_creds_aes_decrypt(creds,
-						logon->generic->data,
-						logon->generic->length);
+				status = netlogon_creds_aes_decrypt(
+					creds,
+					logon->generic->data,
+					logon->generic->length);
+			}
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
 			}
 		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
 			status = netlogon_creds_arcfour_crypt(creds,
--
2.23.0