samba/SOURCES/0175-netlogon_creds_des_encrypt-decrypt_LMKey-use-gnutls-.patch

From a3d360ba0c46c077643559b4eee9df632080ef1a Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 7 Nov 2019 12:53:52 +0100
Subject: [PATCH 175/187] netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls
 and return NTSTATUS

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38189f76d8b958fff8a6351f3fb21f6ed04b76da)
---
 libcli/auth/credentials.c | 36 +++++++++++++++++++++++++++---------
 libcli/auth/proto.h       |  6 ++++--
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index f1088a1d8e0..d9237f3875b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -253,25 +253,40 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds
 	return NT_STATUS_OK;
 }
 
-
 /*
   DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+					  struct netr_LMSessionKey *key)
 {
+	int rc;
 	struct netr_LMSessionKey tmp;
-	des_crypt56(tmp.key, key->key, creds->session_key, 1);
+
+	rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+	if (rc < 0) {
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+	}
 	*key = tmp;
+
+	return NT_STATUS_OK;
 }
 
 /*
   DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+					  struct netr_LMSessionKey *key)
 {
+	int rc;
 	struct netr_LMSessionKey tmp;
-	des_crypt56(tmp.key, key->key, creds->session_key, 0);
+
+	rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_DECRYPT);
+	if (rc < 0) {
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+	}
 	*key = tmp;
+
+	return NT_STATUS_OK;
 }
 
 /*
@@ -849,11 +864,14 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 		if (!all_zero(base->LMSessKey.key,
 			      sizeof(base->LMSessKey.key))) {
 			if (do_encrypt) {
-				netlogon_creds_des_encrypt_LMKey(creds,
-						&base->LMSessKey);
+				status = netlogon_creds_des_encrypt_LMKey(creds,
+									  &base->LMSessKey);
 			} else {
-				netlogon_creds_des_decrypt_LMKey(creds,
-						&base->LMSessKey);
+				status = netlogon_creds_des_decrypt_LMKey(creds,
+									  &base->LMSessKey);
+			}
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
 			}
 		}
 	}
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index e7c9923abf3..4a817e210b2 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -13,8 +13,10 @@
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c  */
 
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+					  struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
+					  struct netr_LMSessionKey *key);
 void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
 void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
 NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
-- 
2.23.0