The branch, master has been updated via 83ffe6752d5 pidl: Remove Parse/Yapp/Driver.pm via fe2577a40c1 smbdes: remove old unused DES builtin-crypto via b5d8f1f78a0 sess_crypt_blob can only crypt blobs whose size divides by 8 via a75ca8d5d51 session: convert sess_crypt_blob to use gnutls via dcc33103d5c smbdes: convert des_crypt112_16 to use gnutls via 254739137bd smbdes: convert des_crypt112 to use gnutls via dce944e8a11 smbdes: convert E_old_pw_hash to use gnutls via c57f4295742 smbdes: convert des_crypt128() to use gnutls via a5548af0186 smbdes: convert E_P24() and SMBOWFencrypt to use gnutls via 2eef12904f2 smbdes: remove D_P16() (not used) via 9fb6361a8b0 smbdes: convert E_P16() to use gnutls via ecee1998034 smbdes: convert sam_rid_crypt() to use gnutls via bbcf568f317 SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS via 38189f76d8b netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS via 0f855f1ab95 smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV via 2c470c8035b selftest: test sess_crypt_blob via 6c5f153e479 selftest: test SMBsesskeygen_lm_sess_key via a4ec427e54b selftest: test des_crypt112_16 via 394debac6b2 selftest: test des_crypt112 and fix (unused) decryption via e2f8f686d1e selftest: test des_crypt128 via 8f042ba532f selftest: test E_old_pw_hash via dfad082596a selftest: test E_P24 and SMBOWFencrypt via 0923f94bdc2 selftest: test sam_rid_crypt via 7044a41a30e selftest: test E_P16 via 07b4606f893 libcli/auth: test des_crypt56() and add test_gnutls to selftest via 01f531ba6ba auth:tests: Only enable torture_gnutls_aes_128_cfb() on GnuTLS >= 3.6.11 via 1c65f1fddba auth:tests: Improve debug output of test_gnutls via adfdcc4791b s3:lib: Move NULL check before messaging_dgm_out_rearm_idle_timer() via 8753d5f4567 s3:smbd: Fix possible NULL deref in smbd_do_qfilepathinfo() via cfa05261005 s3:torture: Do not segfault if cli is NULL via 94c3c12df11 s3:rpc_server: Fix string compare for utmp entries via c2e55821bc5 s4:lib: Make sure we close fd's in error path from bb2296f68a3 build: Fix the build without system gssapi headers
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 83ffe6752d589180eac96d7b8e7d1a54e3476bfd Author: Andreas Schneider <a...@samba.org> Date: Thu Dec 5 13:48:52 2019 +0100 pidl: Remove Parse/Yapp/Driver.pm This file is provided by Parse::Yapp and on install we overwrite the orignal file. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Dec 10 01:54:02 UTC 2019 on sn-devel-184 commit fe2577a40c19c99c29dd54c7c43e12f3d43493be Author: Isaac Boukris <ibouk...@gmail.com> Date: Mon Oct 21 20:03:04 2019 +0300 smbdes: remove old unused DES builtin-crypto Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b5d8f1f78a04719c6a5d15aa92ae398be326fe56 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 21 15:13:19 2019 +0100 sess_crypt_blob can only crypt blobs whose size divides by 8 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 21 14:02:03 2019 +0100 session: convert sess_crypt_blob to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dcc33103d5c0927bb3757974d4663df888dce95e Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Nov 20 16:02:16 2019 +0100 smbdes: convert des_crypt112_16 to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 254739137bdaebca31163f1683bfd7111dfefe67 Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Nov 20 15:41:02 2019 +0100 smbdes: convert des_crypt112 to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dce944e8a1119034f184336f6b71a28080152a0a Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Nov 20 15:28:39 2019 +0100 smbdes: convert E_old_pw_hash to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c57f429574243adbcd43dca4f35d125df8d69ba0 Author: Isaac Boukris <ibouk...@gmail.com> Date: Fri Nov 8 17:49:48 2019 +0100 smbdes: convert des_crypt128() to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a5548af018643f2e78c482e33ef0e6073db149e4 Author: Isaac Boukris <ibouk...@gmail.com> Date: Fri Nov 8 15:40:01 2019 +0100 smbdes: convert E_P24() and SMBOWFencrypt to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2eef12904f2c08257394a2ee869960f7c2e09112 Author: Isaac Boukris <ibouk...@gmail.com> Date: Fri Nov 8 12:04:48 2019 +0100 smbdes: remove D_P16() (not used) Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9fb6361a8b09fd575bab2f5572fa9e10bd538eed Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 7 16:16:26 2019 +0100 smbdes: convert E_P16() to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ecee1998034b84026ab604dbe4400d9e53dcafd4 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 7 18:40:03 2019 +0100 smbdes: convert sam_rid_crypt() to use gnutls Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bbcf568f317960229caa7486322858093f5d0d04 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 7 13:39:20 2019 +0100 SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 38189f76d8b958fff8a6351f3fb21f6ed04b76da Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu Nov 7 12:53:52 2019 +0100 netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0f855f1ab955e3ecf47689c5e4578eb67ebe8f27 Author: Isaac Boukris <ibouk...@gmail.com> Date: Sat Oct 19 23:48:19 2019 +0300 smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2c470c8035be6d70ce3fc8d1e12be284566a7037 Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Nov 20 23:44:10 2019 +0100 selftest: test sess_crypt_blob Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6c5f153e4793c0613dd843b1566bd27632912a7c Author: Isaac Boukris <ibouk...@gmail.com> Date: Wed Nov 20 00:14:31 2019 +0100 selftest: test SMBsesskeygen_lm_sess_key Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a4ec427e54b52307ee2e22079449ff3e59279298 Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 20:02:49 2019 +0100 selftest: test des_crypt112_16 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 394debac6b2f0838cde5d850335e0cdff14b411d Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 19:49:09 2019 +0100 selftest: test des_crypt112 and fix (unused) decryption Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e2f8f686d1e3fce91f10aadb9667854cf2a1219a Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 19:10:18 2019 +0100 selftest: test des_crypt128 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8f042ba532fc645f2389a0a9d3e83d27c070fde4 Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 18:49:58 2019 +0100 selftest: test E_old_pw_hash Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dfad082596a53a7c6225da427447922fd4b7f0e2 Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 18:26:13 2019 +0100 selftest: test E_P24 and SMBOWFencrypt Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0923f94bdc21a80cbf40aaa65c4928c13c298d82 Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 16:08:49 2019 +0100 selftest: test sam_rid_crypt Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7044a41a30e43dda34eecb6df3da82ed5d568eec Author: Isaac Boukris <ibouk...@gmail.com> Date: Tue Nov 19 09:46:18 2019 +0100 selftest: test E_P16 Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 07b4606f893fabd50c2685307d58e86f55defae5 Author: Isaac Boukris <ibouk...@gmail.com> Date: Sat Nov 9 17:47:33 2019 +0100 libcli/auth: test des_crypt56() and add test_gnutls to selftest Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 01f531ba6ba1306e99d2e4715dadae073eb0a8ec Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 6 08:49:54 2019 +0100 auth:tests: Only enable torture_gnutls_aes_128_cfb() on GnuTLS >= 3.6.11 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1c65f1fddba77e94edc5338af81c9a25e0d4e970 Author: Andreas Schneider <a...@samba.org> Date: Fri Dec 6 08:12:34 2019 +0100 auth:tests: Improve debug output of test_gnutls Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit adfdcc4791b9a5706c48789bfbb46f256ee10538 Author: Andreas Schneider <a...@samba.org> Date: Mon Dec 9 10:47:46 2019 +0100 s3:lib: Move NULL check before messaging_dgm_out_rearm_idle_timer() We dereference out in messaging_dgm_out_rearm_idle_timer(). Found by covscan. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8753d5f4567e1bc39c25ea11d444bed6d0afea46 Author: Andreas Schneider <a...@samba.org> Date: Mon Dec 9 10:45:31 2019 +0100 s3:smbd: Fix possible NULL deref in smbd_do_qfilepathinfo() Found by covscan. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cfa0526100575a7684879bb64f5e492c578bef87 Author: Andreas Schneider <a...@samba.org> Date: Mon Dec 9 10:35:55 2019 +0100 s3:torture: Do not segfault if cli is NULL This can happen if we fail early and cli hasn't been initialized yet. Found by covscan. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 94c3c12df11dccdc34ef91f3065240f34a7244be Author: Andreas Schneider <a...@samba.org> Date: Mon Dec 9 10:22:52 2019 +0100 s3:rpc_server: Fix string compare for utmp entries The members of struct utmp are marked as nonstring. This means they might not be nil-terminated. Found by covscan. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c2e55821bc5db1a33ecd2f7550a75ebdbe7613f9 Author: Andreas Schneider <a...@samba.org> Date: Mon Dec 9 09:58:42 2019 +0100 s4:lib: Make sure we close fd's in error path Found by covscan. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_ntlm.c | 31 +- auth/ntlmssp/ntlmssp_client.c | 16 +- auth/ntlmssp/ntlmssp_server.c | 15 +- libcli/auth/credentials.c | 88 +++-- libcli/auth/netlogon_creds_cli.c | 24 +- libcli/auth/ntlm_check.c | 6 +- libcli/auth/proto.h | 53 +-- libcli/auth/session.c | 51 ++- libcli/auth/smbdes.c | 399 +++++++--------------- libcli/auth/smbencrypt.c | 49 ++- libcli/auth/tests/test_gnutls.c | 297 +++++++++++++++- libcli/auth/wscript_build | 3 +- libcli/drsuapi/repl_decrypt.c | 16 +- libcli/samsync/decrypt.c | 36 +- pidl/lib/Parse/Yapp/Driver.pm | 471 -------------------------- selftest/tests.py | 2 + source3/auth/auth_util.c | 19 +- source3/lib/messages_dgm.c | 2 +- source3/libsmb/clirap.c | 6 +- source3/passdb/wscript_build | 2 +- source3/rpc_client/cli_netlogon.c | 8 +- source3/rpc_client/cli_samr.c | 66 +++- source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +- source3/rpc_server/samr/srv_samr_chgpasswd.c | 18 +- source3/rpc_server/samr/srv_samr_nt.c | 27 +- source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 3 +- source3/rpc_server/wscript_build | 3 +- source3/rpcclient/cmd_samr.c | 25 +- source3/smbd/trans2.c | 2 +- source3/torture/pdbtest.c | 9 +- source3/torture/torture.c | 8 +- source3/utils/ntlm_auth.c | 14 +- source3/winbindd/winbindd_pam.c | 9 +- source4/auth/ntlm/auth_util.c | 13 +- source4/lib/policy/gp_filesys.c | 10 +- source4/libnet/libnet_passwd.c | 30 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 13 +- source4/rpc_server/samr/samr_password.c | 29 +- source4/torture/rpc/samr.c | 16 +- source4/torture/rpc/samsync.c | 14 +- 40 files changed, 1001 insertions(+), 925 deletions(-) delete mode 100644 pidl/lib/Parse/Yapp/Driver.pm Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index bf55ab97b04..f1b22a6c9e2 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -51,6 +51,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred DATA_BLOB lm_session_key = data_blob_null; DATA_BLOB session_key = data_blob_null; const struct samr_Password *nt_hash = NULL; + int rc; if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) { TALLOC_FREE(frame); @@ -159,7 +160,6 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred uint8_t session_nonce[16]; uint8_t session_nonce_hash[16]; uint8_t user_session_key[16]; - int rc; lm_response = data_blob_talloc_zero(frame, 24); if (lm_response.data == NULL) { @@ -188,9 +188,13 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - SMBOWFencrypt(nt_hash->hash, - session_nonce_hash, - nt_response.data); + rc = SMBOWFencrypt(nt_hash->hash, + session_nonce_hash, + nt_response.data); + if (rc != 0) { + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } ZERO_ARRAY(session_nonce_hash); @@ -228,8 +232,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - SMBOWFencrypt(nt_hash->hash, challenge.data, - nt_response.data); + rc = SMBOWFencrypt(nt_hash->hash, challenge.data, + nt_response.data); + if (rc != 0) { + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } session_key = data_blob_talloc_zero(frame, 16); if (session_key.data == NULL) { @@ -254,9 +262,14 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred return NT_STATUS_NO_MEMORY; } - SMBencrypt_hash(lm_hash, - challenge.data, - lm_response.data); + rc = SMBencrypt_hash(lm_hash, + challenge.data, + lm_response.data); + if (rc != 0) { + ZERO_STRUCT(lm_hash); + TALLOC_FREE(frame); + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } } else { /* just copy the nt_response */ lm_response = data_blob_dup_talloc(frame, nt_response); diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index 2a80feb4fed..58e4e3d6f42 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -673,12 +673,20 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) { DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { - SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, - new_session_key.data); + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + lm_response.data, + new_session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } } else { static const uint8_t zeros[24]; - SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros, - new_session_key.data); + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + zeros, + new_session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } } session_key = new_session_key; dump_data_pw("LM session key\n", session_key.data, session_key.length); diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 5a56a4db99f..29559b3fe02 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -970,8 +970,12 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, if (session_key.data == NULL) { return NT_STATUS_NO_MEMORY; } - SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data, - session_key.data); + nt_status = SMBsesskeygen_lm_sess_key(lm_session_key.data, + ntlmssp_state->lm_resp.data, + session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); } else { static const uint8_t zeros[24] = {0, }; @@ -980,8 +984,11 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, if (session_key.data == NULL) { return NT_STATUS_NO_MEMORY; } - SMBsesskeygen_lm_sess_key(zeros, zeros, - session_key.data); + nt_status = SMBsesskeygen_lm_sess_key(zeros, zeros, + session_key.data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n")); } dump_data_pw("LM session key:\n", session_key.data, diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index f1088a1d8e0..c541eeff470 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -38,6 +38,8 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState struct netr_Credential *out) { NTSTATUS status; + int rc; + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { memcpy(out->data, in->data, sizeof(out->data)); @@ -48,7 +50,11 @@ static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState return status; } } else { - des_crypt112(out->data, in->data, creds->session_key, 1); + rc = des_crypt112(out->data, in->data, creds->session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } } return NT_STATUS_OK; @@ -66,6 +72,7 @@ static NTSTATUS netlogon_creds_init_64bit(struct netlogon_creds_CredentialState { uint32_t sum[2]; uint8_t sum2[8]; + int rc; sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0); sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4); @@ -75,7 +82,10 @@ static NTSTATUS netlogon_creds_init_64bit(struct netlogon_creds_CredentialState ZERO_ARRAY(creds->session_key); - des_crypt128(creds->session_key, sum2, machine_password->hash); + rc = des_crypt128(creds->session_key, sum2, machine_password->hash); + if (rc != 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } return NT_STATUS_OK; } @@ -253,45 +263,76 @@ static NTSTATUS netlogon_creds_step(struct netlogon_creds_CredentialState *creds return NT_STATUS_OK; } - /* DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key */ -void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) +NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, + struct netr_LMSessionKey *key) { + int rc; struct netr_LMSessionKey tmp; - des_crypt56(tmp.key, key->key, creds->session_key, 1); + + rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *key = tmp; + + return NT_STATUS_OK; } /* DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key */ -void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key) +NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, + struct netr_LMSessionKey *key) { + int rc; struct netr_LMSessionKey tmp; - des_crypt56(tmp.key, key->key, creds->session_key, 0); + + rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, SAMBA_GNUTLS_DECRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *key = tmp; + + return NT_STATUS_OK; } /* DES encrypt a 16 byte password buffer using the session key */ -void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass) { struct samr_Password tmp; - des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1); + int rc; + + rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_ENCRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *pass = tmp; + + return NT_STATUS_OK; } /* DES decrypt a 16 byte password buffer using the session key */ -void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass) +NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass) { struct samr_Password tmp; - des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0); + int rc; + + rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_DECRYPT); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); + } *pass = tmp; + + return NT_STATUS_OK; } /* @@ -849,11 +890,14 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C if (!all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { if (do_encrypt) { - netlogon_creds_des_encrypt_LMKey(creds, - &base->LMSessKey); + status = netlogon_creds_des_encrypt_LMKey(creds, + &base->LMSessKey); } else { - netlogon_creds_des_decrypt_LMKey(creds, - &base->LMSessKey); + status = netlogon_creds_des_decrypt_LMKey(creds, + &base->LMSessKey); + } + if (!NT_STATUS_IS_OK(status)) { + return status; } } } @@ -965,17 +1009,23 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden p = &logon->password->lmpassword; if (!all_zero(p->hash, 16)) { if (do_encrypt) { - netlogon_creds_des_encrypt(creds, p); + status = netlogon_creds_des_encrypt(creds, p); } else { - netlogon_creds_des_decrypt(creds, p); + status = netlogon_creds_des_decrypt(creds, p); + } + if (!NT_STATUS_IS_OK(status)) { + return status; } } p = &logon->password->ntpassword; if (!all_zero(p->hash, 16)) { if (do_encrypt) { - netlogon_creds_des_encrypt(creds, p); + status = netlogon_creds_des_encrypt(creds, p); } else { - netlogon_creds_des_decrypt(creds, p); + status = netlogon_creds_des_decrypt(creds, p); + } + if (!NT_STATUS_IS_OK(status)) { + return status; } } } diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 6f043d774cd..407cb471cbc 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -2032,8 +2032,12 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre return; } } else { - netlogon_creds_des_encrypt(&state->tmp_creds, - &state->samr_password); + status = netlogon_creds_des_encrypt(&state->tmp_creds, + &state->samr_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerPasswordSet_cleanup(req, status); + return; + } subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev, state->binding_handle, @@ -3187,14 +3191,22 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq cmp = memcmp(state->new_owf_password.hash, zero.hash, sizeof(zero.hash)); if (cmp != 0) { - netlogon_creds_des_decrypt(&state->tmp_creds, - &state->new_owf_password); + status = netlogon_creds_des_decrypt(&state->tmp_creds, + &state->new_owf_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); + return; + } } cmp = memcmp(state->old_owf_password.hash, zero.hash, sizeof(zero.hash)); if (cmp != 0) { - netlogon_creds_des_decrypt(&state->tmp_creds, - &state->old_owf_password); + status = netlogon_creds_des_decrypt(&state->tmp_creds, + &state->old_owf_password); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status); + return; + } } *state->creds = state->tmp_creds; diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c index 5058add3811..9f779f85fa1 100644 --- a/libcli/auth/ntlm_check.c +++ b/libcli/auth/ntlm_check.c @@ -36,6 +36,7 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx, { /* Finish the encryption of part_passwd. */ uint8_t p24[24]; + int rc; if (part_passwd == NULL) { DEBUG(10,("No password set - DISALLOWING access\n")); @@ -55,7 +56,10 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx, return false; } - SMBOWFencrypt(part_passwd, sec_blob->data, p24); + rc = SMBOWFencrypt(part_passwd, sec_blob->data, p24); + if (rc != 0) { + return false; + } #if DEBUG_PASSWORD DEBUG(100,("Part password (P16) was |\n")); diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index eb725c83d15..88f4a7c6c50 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h @@ -4,6 +4,8 @@ #undef _PRINTF_ATTRIBUTE #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) +#include "lib/crypto/gnutls_helpers.h" + /* this file contains prototypes for functions that are private * to this subsystem or library. These functions should not be * used outside this particular subsystem! */ @@ -11,10 +13,14 @@ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ -void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); +NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, + struct netr_LMSessionKey *key); +NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, + struct netr_LMSessionKey *key); +NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass); +NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, + struct samr_Password *pass); NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); @@ -84,8 +90,8 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx, /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */ -void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, - bool forward); +int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, + enum samba_gnutls_direction encrypt); DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key); char *sess_decrypt_string(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, const DATA_BLOB *session_key); @@ -95,7 +101,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const DAT /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbencrypt.c */ -void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]); +int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]); bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]); /** @@ -125,9 +131,9 @@ void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16]); bool ntv2_owf_gen(const uint8_t owf[16], const char *user_in, const char *domain_in, uint8_t kr_buf[16]); -void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]); -void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24); -void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24); +int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]); +int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24); +int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24); NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16], const DATA_BLOB *srv_chal, const DATA_BLOB *smbcli_chal, @@ -136,9 +142,9 @@ NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16], const uint8_t *nt_resp, uint8_t sess_key[16]); void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]); -void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], - const uint8_t lm_resp[24], /* only uses 8 */ - uint8_t sess_key[16]); +NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], + const uint8_t lm_resp[24], /* only uses 8 */ + uint8_t sess_key[16]); DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, const char *hostname, const char *domain); @@ -216,15 +222,18 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c */ -void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw); -void E_P16(const uint8_t *p14,uint8_t *p16); -void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); -void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out); -void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); -void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); -void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); -void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); -void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw); +int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], + enum samba_gnutls_direction encrypt); +int E_P16(const uint8_t *p14,uint8_t *p16); +int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24); +int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out); +int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]); +int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], + enum samba_gnutls_direction encrypt); +int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], + enum samba_gnutls_direction encrypt); +int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, + enum samba_gnutls_direction encrypt); #undef _PRINTF_ATTRIBUTE #define _PRINTF_ATTRIBUTE(a1, a2) diff --git a/libcli/auth/session.c b/libcli/auth/session.c index 10c728662db..43ce9d54fdc 100644 --- a/libcli/auth/session.c +++ b/libcli/auth/session.c @@ -29,28 +29,35 @@ before calling, the out blob must be initialised to be the same size as the in blob */ -void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, - bool forward) +int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, + enum samba_gnutls_direction encrypt) { -- Samba Shared Repository