The branch, master has been updated
       via  83ffe6752d5 pidl: Remove Parse/Yapp/Driver.pm
       via  fe2577a40c1 smbdes: remove old unused DES builtin-crypto
       via  b5d8f1f78a0 sess_crypt_blob can only crypt blobs whose size divides by 8
       via  a75ca8d5d51 session: convert sess_crypt_blob to use gnutls
       via  dcc33103d5c smbdes: convert des_crypt112_16 to use gnutls
       via  254739137bd smbdes: convert des_crypt112 to use gnutls
       via  dce944e8a11 smbdes: convert E_old_pw_hash to use gnutls
       via  c57f4295742 smbdes: convert des_crypt128() to use gnutls
       via  a5548af0186 smbdes: convert E_P24() and SMBOWFencrypt to use gnutls
       via  2eef12904f2 smbdes: remove D_P16() (not used)
       via  9fb6361a8b0 smbdes: convert E_P16() to use gnutls
       via  ecee1998034 smbdes: convert sam_rid_crypt() to use gnutls
       via  bbcf568f317 SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS
       via  38189f76d8b netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS
       via  0f855f1ab95 smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV
       via  2c470c8035b selftest: test sess_crypt_blob
       via  6c5f153e479 selftest: test SMBsesskeygen_lm_sess_key
       via  a4ec427e54b selftest: test des_crypt112_16
       via  394debac6b2 selftest: test des_crypt112 and fix (unused) decryption
       via  e2f8f686d1e selftest: test des_crypt128
       via  8f042ba532f selftest: test E_old_pw_hash
       via  dfad082596a selftest: test E_P24 and SMBOWFencrypt
       via  0923f94bdc2 selftest: test sam_rid_crypt
       via  7044a41a30e selftest: test E_P16
       via  07b4606f893 libcli/auth: test des_crypt56() and add test_gnutls to selftest
       via  01f531ba6ba auth:tests: Only enable torture_gnutls_aes_128_cfb() on GnuTLS >= 3.6.11
       via  1c65f1fddba auth:tests: Improve debug output of test_gnutls
       via  adfdcc4791b s3:lib: Move NULL check before messaging_dgm_out_rearm_idle_timer()
       via  8753d5f4567 s3:smbd: Fix possible NULL deref in smbd_do_qfilepathinfo()
       via  cfa05261005 s3:torture: Do not segfault if cli is NULL
       via  94c3c12df11 s3:rpc_server: Fix string compare for utmp entries
       via  c2e55821bc5 s4:lib: Make sure we close fd's in error path
      from  bb2296f68a3 build: Fix the build without system gssapi headers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 83ffe6752d589180eac96d7b8e7d1a54e3476bfd
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Dec 5 13:48:52 2019 +0100

    pidl: Remove Parse/Yapp/Driver.pm
    
    This file is provided by Parse::Yapp and on install we overwrite the
    original file.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Dec 10 01:54:02 UTC 2019 on sn-devel-184

commit fe2577a40c19c99c29dd54c7c43e12f3d43493be
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Mon Oct 21 20:03:04 2019 +0300

    smbdes: remove old unused DES builtin-crypto
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5d8f1f78a04719c6a5d15aa92ae398be326fe56
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 21 15:13:19 2019 +0100

    sess_crypt_blob can only crypt blobs whose size divides by 8
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a75ca8d5d515aef1229acf5a30489ee5f5ced3e1
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 21 14:02:03 2019 +0100

    session: convert sess_crypt_blob to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dcc33103d5c0927bb3757974d4663df888dce95e
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Nov 20 16:02:16 2019 +0100

    smbdes: convert des_crypt112_16 to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 254739137bdaebca31163f1683bfd7111dfefe67
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Nov 20 15:41:02 2019 +0100

    smbdes: convert des_crypt112 to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dce944e8a1119034f184336f6b71a28080152a0a
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Nov 20 15:28:39 2019 +0100

    smbdes: convert E_old_pw_hash to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c57f429574243adbcd43dca4f35d125df8d69ba0
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Fri Nov 8 17:49:48 2019 +0100

    smbdes: convert des_crypt128() to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a5548af018643f2e78c482e33ef0e6073db149e4
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Fri Nov 8 15:40:01 2019 +0100

    smbdes: convert E_P24() and SMBOWFencrypt to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2eef12904f2c08257394a2ee869960f7c2e09112
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Fri Nov 8 12:04:48 2019 +0100

    smbdes: remove D_P16() (not used)
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9fb6361a8b09fd575bab2f5572fa9e10bd538eed
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 7 16:16:26 2019 +0100

    smbdes: convert E_P16() to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ecee1998034b84026ab604dbe4400d9e53dcafd4
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 7 18:40:03 2019 +0100

    smbdes: convert sam_rid_crypt() to use gnutls
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bbcf568f317960229caa7486322858093f5d0d04
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 7 13:39:20 2019 +0100

    SMBsesskeygen_lm_sess_key: use gnutls and return NTSTATUS
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 38189f76d8b958fff8a6351f3fb21f6ed04b76da
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Nov 7 12:53:52 2019 +0100

    netlogon_creds_des_encrypt/decrypt_LMKey: use gnutls and return NTSTATUS
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0f855f1ab955e3ecf47689c5e4578eb67ebe8f27
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Sat Oct 19 23:48:19 2019 +0300

    smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2c470c8035be6d70ce3fc8d1e12be284566a7037
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Nov 20 23:44:10 2019 +0100

    selftest: test sess_crypt_blob
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6c5f153e4793c0613dd843b1566bd27632912a7c
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Nov 20 00:14:31 2019 +0100

    selftest: test SMBsesskeygen_lm_sess_key
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a4ec427e54b52307ee2e22079449ff3e59279298
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 20:02:49 2019 +0100

    selftest: test des_crypt112_16
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 394debac6b2f0838cde5d850335e0cdff14b411d
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 19:49:09 2019 +0100

    selftest: test des_crypt112 and fix (unused) decryption
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e2f8f686d1e3fce91f10aadb9667854cf2a1219a
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 19:10:18 2019 +0100

    selftest: test des_crypt128
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f042ba532fc645f2389a0a9d3e83d27c070fde4
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 18:49:58 2019 +0100

    selftest: test E_old_pw_hash
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dfad082596a53a7c6225da427447922fd4b7f0e2
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 18:26:13 2019 +0100

    selftest: test E_P24 and SMBOWFencrypt
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0923f94bdc21a80cbf40aaa65c4928c13c298d82
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 16:08:49 2019 +0100

    selftest: test sam_rid_crypt
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7044a41a30e43dda34eecb6df3da82ed5d568eec
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Nov 19 09:46:18 2019 +0100

    selftest: test E_P16
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 07b4606f893fabd50c2685307d58e86f55defae5
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Sat Nov 9 17:47:33 2019 +0100

    libcli/auth: test des_crypt56() and add test_gnutls to selftest
    
    Signed-off-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 01f531ba6ba1306e99d2e4715dadae073eb0a8ec
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 6 08:49:54 2019 +0100

    auth:tests: Only enable torture_gnutls_aes_128_cfb() on GnuTLS >= 3.6.11
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1c65f1fddba77e94edc5338af81c9a25e0d4e970
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 6 08:12:34 2019 +0100

    auth:tests: Improve debug output of test_gnutls
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit adfdcc4791b9a5706c48789bfbb46f256ee10538
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 9 10:47:46 2019 +0100

    s3:lib: Move NULL check before messaging_dgm_out_rearm_idle_timer()
    
    We dereference out in messaging_dgm_out_rearm_idle_timer().
    
    Found by covscan.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8753d5f4567e1bc39c25ea11d444bed6d0afea46
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 9 10:45:31 2019 +0100

    s3:smbd: Fix possible NULL deref in smbd_do_qfilepathinfo()
    
    Found by covscan.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cfa0526100575a7684879bb64f5e492c578bef87
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 9 10:35:55 2019 +0100

    s3:torture: Do not segfault if cli is NULL
    
    This can happen if we fail early and cli hasn't been initialized yet.
    
    Found by covscan.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 94c3c12df11dccdc34ef91f3065240f34a7244be
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 9 10:22:52 2019 +0100

    s3:rpc_server: Fix string compare for utmp entries
    
    The members of struct utmp are marked as nonstring. This means they
    might not be nil-terminated.
    
    Found by covscan.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c2e55821bc5db1a33ecd2f7550a75ebdbe7613f9
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 9 09:58:42 2019 +0100

    s4:lib: Make sure we close fd's in error path
    
    Found by covscan.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Richard Sharpe <realrichardsha...@gmail.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_ntlm.c           |  31 +-
 auth/ntlmssp/ntlmssp_client.c                 |  16 +-
 auth/ntlmssp/ntlmssp_server.c                 |  15 +-
 libcli/auth/credentials.c                     |  88 +++--
 libcli/auth/netlogon_creds_cli.c              |  24 +-
 libcli/auth/ntlm_check.c                      |   6 +-
 libcli/auth/proto.h                           |  53 +--
 libcli/auth/session.c                         |  51 ++-
 libcli/auth/smbdes.c                          | 399 +++++++---------------
 libcli/auth/smbencrypt.c                      |  49 ++-
 libcli/auth/tests/test_gnutls.c               | 297 +++++++++++++++-
 libcli/auth/wscript_build                     |   3 +-
 libcli/drsuapi/repl_decrypt.c                 |  16 +-
 libcli/samsync/decrypt.c                      |  36 +-
 pidl/lib/Parse/Yapp/Driver.pm                 | 471 --------------------------
 selftest/tests.py                             |   2 +
 source3/auth/auth_util.c                      |  19 +-
 source3/lib/messages_dgm.c                    |   2 +-
 source3/libsmb/clirap.c                       |   6 +-
 source3/passdb/wscript_build                  |   2 +-
 source3/rpc_client/cli_netlogon.c             |   8 +-
 source3/rpc_client/cli_samr.c                 |  66 +++-
 source3/rpc_server/netlogon/srv_netlog_nt.c   |  23 +-
 source3/rpc_server/samr/srv_samr_chgpasswd.c  |  18 +-
 source3/rpc_server/samr/srv_samr_nt.c         |  27 +-
 source3/rpc_server/wkssvc/srv_wkssvc_nt.c     |   3 +-
 source3/rpc_server/wscript_build              |   3 +-
 source3/rpcclient/cmd_samr.c                  |  25 +-
 source3/smbd/trans2.c                         |   2 +-
 source3/torture/pdbtest.c                     |   9 +-
 source3/torture/torture.c                     |   8 +-
 source3/utils/ntlm_auth.c                     |  14 +-
 source3/winbindd/winbindd_pam.c               |   9 +-
 source4/auth/ntlm/auth_util.c                 |  13 +-
 source4/lib/policy/gp_filesys.c               |  10 +-
 source4/libnet/libnet_passwd.c                |  30 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  13 +-
 source4/rpc_server/samr/samr_password.c       |  29 +-
 source4/torture/rpc/samr.c                    |  16 +-
 source4/torture/rpc/samsync.c                 |  14 +-
 40 files changed, 1001 insertions(+), 925 deletions(-)
 delete mode 100644 pidl/lib/Parse/Yapp/Driver.pm


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_ntlm.c 
b/auth/credentials/credentials_ntlm.c
index bf55ab97b04..f1b22a6c9e2 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -51,6 +51,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
        DATA_BLOB lm_session_key = data_blob_null;
        DATA_BLOB session_key = data_blob_null;
        const struct samr_Password *nt_hash = NULL;
+       int rc;
 
        if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
                TALLOC_FREE(frame);
@@ -159,7 +160,6 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
                uint8_t session_nonce[16];
                uint8_t session_nonce_hash[16];
                uint8_t user_session_key[16];
-               int rc;
 
                lm_response = data_blob_talloc_zero(frame, 24);
                if (lm_response.data == NULL) {
@@ -188,9 +188,13 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
                        TALLOC_FREE(frame);
                        return NT_STATUS_NO_MEMORY;
                }
-               SMBOWFencrypt(nt_hash->hash,
-                             session_nonce_hash,
-                             nt_response.data);
+               rc = SMBOWFencrypt(nt_hash->hash,
+                                  session_nonce_hash,
+                                   nt_response.data);
+               if (rc != 0) {
+                       TALLOC_FREE(frame);
+                       return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+               }
 
                ZERO_ARRAY(session_nonce_hash);
 
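Review bot: the new early return after SMBOWFencrypt(nt_hash->hash, session_nonce_hash, ...) leaves session_nonce_hash uncleared, because ZERO_ARRAY(session_nonce_hash) only runs on the success path right below the added block. Move the ZERO_ARRAY above the rc check, or repeat it inside the error branch before TALLOC_FREE(frame). As rendered here, the continuation line with nt_response.data is also indented one column further than the session_nonce_hash line above it.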
@@ -228,8 +232,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
                        TALLOC_FREE(frame);
                        return NT_STATUS_NO_MEMORY;
                }
-               SMBOWFencrypt(nt_hash->hash, challenge.data,
-                             nt_response.data);
+               rc = SMBOWFencrypt(nt_hash->hash, challenge.data,
+                                  nt_response.data);
+               if (rc != 0) {
+                       TALLOC_FREE(frame);
+                       return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+               }
 
                session_key = data_blob_talloc_zero(frame, 16);
                if (session_key.data == NULL) {
@@ -254,9 +262,14 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
                                return NT_STATUS_NO_MEMORY;
                        }
 
-                       SMBencrypt_hash(lm_hash,
-                                       challenge.data,
-                                       lm_response.data);
+                       rc = SMBencrypt_hash(lm_hash,
+                                            challenge.data,
+                                            lm_response.data);
+                       if (rc != 0) {
+                               ZERO_STRUCT(lm_hash);
+                               TALLOC_FREE(frame);
+                               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+                       }
                } else {
                        /* just copy the nt_response */
                        lm_response = data_blob_dup_talloc(frame, nt_response);
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 2a80feb4fed..58e4e3d6f42 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -673,12 +673,20 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security 
*gensec_security,
            && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) {
                DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
                if (lm_response.length == 24) {
-                       SMBsesskeygen_lm_sess_key(lm_session_key.data, 
lm_response.data,
-                                                 new_session_key.data);
+                       nt_status = 
SMBsesskeygen_lm_sess_key(lm_session_key.data,
+                                                             lm_response.data,
+                                                             
new_session_key.data);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               return nt_status;
+                       }
                } else {
                        static const uint8_t zeros[24];
-                       SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
-                                                 new_session_key.data);
+                       nt_status = 
SMBsesskeygen_lm_sess_key(lm_session_key.data,
+                                                              zeros,
+                                                              
new_session_key.data);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               return nt_status;
+                       }
                }
                session_key = new_session_key;
                dump_data_pw("LM session key\n", session_key.data, 
session_key.length);
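Review bot: new_session_key.data is passed to SMBsesskeygen_lm_sess_key() in both branches without checking the result of data_blob_talloc(mem_ctx, NULL, 16) for NULL; now that the function returns NTSTATUS, a NT_STATUS_NO_MEMORY check before the if/else would fit. The identical "if (!NT_STATUS_IS_OK(nt_status)) return nt_status;" blocks can be hoisted to a single check after the if/else, as the netlogon_creds_crypt_samlogon_* hunks in libcli/auth/credentials.c do, and the error return should free new_session_key, which was allocated on mem_ctx. The continuation lines of the second call are indented one column further than those of the first.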
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 5a56a4db99f..29559b3fe02 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -970,8 +970,12 @@ static NTSTATUS ntlmssp_server_postauth(struct 
gensec_security *gensec_security,
                                if (session_key.data == NULL) {
                                        return NT_STATUS_NO_MEMORY;
                                }
-                               SMBsesskeygen_lm_sess_key(lm_session_key.data, 
ntlmssp_state->lm_resp.data,
-                                                         session_key.data);
+                               nt_status = 
SMBsesskeygen_lm_sess_key(lm_session_key.data,
+                                                                     
ntlmssp_state->lm_resp.data,
+                                                                     
session_key.data);
+                               if (!NT_STATUS_IS_OK(nt_status)) {
+                                       return nt_status;
+                               }
                                DEBUG(10,("ntlmssp_server_auth: Created NTLM 
session key.\n"));
                        } else {
                                static const uint8_t zeros[24] = {0, };
@@ -980,8 +984,11 @@ static NTSTATUS ntlmssp_server_postauth(struct 
gensec_security *gensec_security,
                                if (session_key.data == NULL) {
                                        return NT_STATUS_NO_MEMORY;
                                }
-                               SMBsesskeygen_lm_sess_key(zeros, zeros,
-                                                         session_key.data);
+                               nt_status = SMBsesskeygen_lm_sess_key(zeros, 
zeros,
+                                                                     
session_key.data);
+                               if (!NT_STATUS_IS_OK(nt_status)) {
+                                       return nt_status;
+                               }
                                DEBUG(10,("ntlmssp_server_auth: Created NTLM 
session key.\n"));
                        }
                        dump_data_pw("LM session key:\n", session_key.data,
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index f1088a1d8e0..c541eeff470 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -38,6 +38,8 @@ static NTSTATUS netlogon_creds_step_crypt(struct 
netlogon_creds_CredentialState
                                          struct netr_Credential *out)
 {
        NTSTATUS status;
+       int rc;
+
        if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                memcpy(out->data, in->data, sizeof(out->data));
 
@@ -48,7 +50,11 @@ static NTSTATUS netlogon_creds_step_crypt(struct 
netlogon_creds_CredentialState
                        return status;
                }
        } else {
-               des_crypt112(out->data, in->data, creds->session_key, 1);
+               rc = des_crypt112(out->data, in->data, creds->session_key, 
SAMBA_GNUTLS_ENCRYPT);
+               if (rc != 0) {
+                       return gnutls_error_to_ntstatus(rc,
+                                                       
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+               }
        }
 
        return NT_STATUS_OK;
@@ -66,6 +72,7 @@ static NTSTATUS netlogon_creds_init_64bit(struct 
netlogon_creds_CredentialState
 {
        uint32_t sum[2];
        uint8_t sum2[8];
+       int rc;
 
        sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 
0);
        sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 
4);
@@ -75,7 +82,10 @@ static NTSTATUS netlogon_creds_init_64bit(struct 
netlogon_creds_CredentialState
 
        ZERO_ARRAY(creds->session_key);
 
-       des_crypt128(creds->session_key, sum2, machine_password->hash);
+       rc = des_crypt128(creds->session_key, sum2, machine_password->hash);
+       if (rc != 0) {
+               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+       }
 
        return NT_STATUS_OK;
 }
@@ -253,45 +263,76 @@ static NTSTATUS netlogon_creds_step(struct 
netlogon_creds_CredentialState *creds
        return NT_STATUS_OK;
 }
 
-
 /*
   DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState 
*creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+                                         struct netr_LMSessionKey *key)
 {
+       int rc;
        struct netr_LMSessionKey tmp;
-       des_crypt56(tmp.key, key->key, creds->session_key, 1);
+
+       rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, 
SAMBA_GNUTLS_ENCRYPT);
+       if (rc < 0) {
+               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+       }
        *key = tmp;
+
+       return NT_STATUS_OK;
 }
 
 /*
   DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
 */
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState 
*creds, struct netr_LMSessionKey *key)
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+                                         struct netr_LMSessionKey *key)
 {
+       int rc;
        struct netr_LMSessionKey tmp;
-       des_crypt56(tmp.key, key->key, creds->session_key, 0);
+
+       rc = des_crypt56_gnutls(tmp.key, key->key, creds->session_key, 
SAMBA_GNUTLS_DECRYPT);
+       if (rc < 0) {
+               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+       }
        *key = tmp;
+
+       return NT_STATUS_OK;
 }
 
 /*
   DES encrypt a 16 byte password buffer using the session key
 */
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, 
struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState 
*creds,
+                                   struct samr_Password *pass)
 {
        struct samr_Password tmp;
-       des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
+       int rc;
+
+       rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 
SAMBA_GNUTLS_ENCRYPT);
+       if (rc < 0) {
+               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+       }
        *pass = tmp;
+
+       return NT_STATUS_OK;
 }
 
 /*
   DES decrypt a 16 byte password buffer using the session key
 */
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, 
struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState 
*creds,
+                                   struct samr_Password *pass)
 {
        struct samr_Password tmp;
-       des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
+       int rc;
+
+       rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 
SAMBA_GNUTLS_DECRYPT);
+       if (rc < 0) {
+               return gnutls_error_to_ntstatus(rc, 
NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+       }
        *pass = tmp;
+
+       return NT_STATUS_OK;
 }
 
 /*
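Review bot: the four converted helpers test "rc < 0" while netlogon_creds_step_crypt() and netlogon_creds_init_64bit() earlier in this file test "rc != 0" for the same family of des_crypt* calls; pick one form so that a positive return cannot be treated as success in one place and failure in another. The local tmp (struct netr_LMSessionKey / struct samr_Password) holds key or password-hash material and is left on the stack on both the success and the error path; a ZERO_STRUCT(tmp) before each return would match the ZERO_ARRAY/ZERO_STRUCT handling used in auth/credentials/credentials_ntlm.c. Since these functions changed from void to NTSTATUS, a warn_unused_result attribute on the prototypes would make the compiler flag any caller that still ignores the result.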
@@ -849,11 +890,14 @@ static NTSTATUS 
netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
                if (!all_zero(base->LMSessKey.key,
                              sizeof(base->LMSessKey.key))) {
                        if (do_encrypt) {
-                               netlogon_creds_des_encrypt_LMKey(creds,
-                                               &base->LMSessKey);
+                               status = netlogon_creds_des_encrypt_LMKey(creds,
+                                                                         
&base->LMSessKey);
                        } else {
-                               netlogon_creds_des_decrypt_LMKey(creds,
-                                               &base->LMSessKey);
+                               status = netlogon_creds_des_decrypt_LMKey(creds,
+                                                                         
&base->LMSessKey);
+                       }
+                       if (!NT_STATUS_IS_OK(status)) {
+                               return status;
                        }
                }
        }
@@ -965,17 +1009,23 @@ static NTSTATUS 
netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
                        p = &logon->password->lmpassword;
                        if (!all_zero(p->hash, 16)) {
                                if (do_encrypt) {
-                                       netlogon_creds_des_encrypt(creds, p);
+                                       status = 
netlogon_creds_des_encrypt(creds, p);
                                } else {
-                                       netlogon_creds_des_decrypt(creds, p);
+                                       status = 
netlogon_creds_des_decrypt(creds, p);
+                               }
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       return status;
                                }
                        }
                        p = &logon->password->ntpassword;
                        if (!all_zero(p->hash, 16)) {
                                if (do_encrypt) {
-                                       netlogon_creds_des_encrypt(creds, p);
+                                       status = 
netlogon_creds_des_encrypt(creds, p);
                                } else {
-                                       netlogon_creds_des_decrypt(creds, p);
+                                       status = 
netlogon_creds_des_decrypt(creds, p);
+                               }
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       return status;
                                }
                        }
                }
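Review bot: in the second hunk, lmpassword and ntpassword are transformed in place one after the other, so when the ntpassword call fails the function returns with lmpassword already encrypted (or decrypted) and ntpassword untouched. State in the function comment that the logon buffer is undefined after an error return, or work on copies and commit both hashes only once both calls have succeeded, so a caller cannot reuse a half-processed structure.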
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 6f043d774cd..407cb471cbc 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -2032,8 +2032,12 @@ static void 
netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre
                        return;
                }
        } else {
-               netlogon_creds_des_encrypt(&state->tmp_creds,
-                                          &state->samr_password);
+               status = netlogon_creds_des_encrypt(&state->tmp_creds,
+                                                   &state->samr_password);
+               if (tevent_req_nterror(req, status)) {
+                       netlogon_creds_cli_ServerPasswordSet_cleanup(req, 
status);
+                       return;
+               }
 
                subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
                                        state->binding_handle,
@@ -3187,14 +3191,22 @@ static void 
netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq
        cmp = memcmp(state->new_owf_password.hash,
                     zero.hash, sizeof(zero.hash));
        if (cmp != 0) {
-               netlogon_creds_des_decrypt(&state->tmp_creds,
-                                          &state->new_owf_password);
+               status = netlogon_creds_des_decrypt(&state->tmp_creds,
+                                                   &state->new_owf_password);
+               if (tevent_req_nterror(req, status)) {
+                       netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, 
status);
+                       return;
+               }
        }
        cmp = memcmp(state->old_owf_password.hash,
                     zero.hash, sizeof(zero.hash));
        if (cmp != 0) {
-               netlogon_creds_des_decrypt(&state->tmp_creds,
-                                          &state->old_owf_password);
+               status = netlogon_creds_des_decrypt(&state->tmp_creds,
+                                                   &state->old_owf_password);
+               if (tevent_req_nterror(req, status)) {
+                       netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, 
status);
+                       return;
+               }
        }
 
        *state->creds = state->tmp_creds;
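
Review bot: the two added error blocks are identical apart from the field name, and if the second decrypt (`old_owf_password`) fails, `new_owf_password` has already been decrypted in `state`. Returning before `*state->creds = state->tmp_creds;` is the right order. Consider a small helper for the zero-check plus decrypt so the two cases cannot drift apart, and make sure the cleanup clears both hashes.
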
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 5058add3811..9f779f85fa1 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -36,6 +36,7 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
 {
        /* Finish the encryption of part_passwd. */
        uint8_t p24[24];
+       int rc;
 
        if (part_passwd == NULL) {
                DEBUG(10,("No password set - DISALLOWING access\n"));
@@ -55,7 +56,10 @@ static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
                return false;
        }
 
-       SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+       rc = SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+       if (rc != 0) {
+               return false;
+       }
 
 #if DEBUG_PASSWORD
        DEBUG(100,("Part password (P16) was |\n"));
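
Review bot: `if (rc != 0) { return false; }` after `SMBOWFencrypt` rejects the logon without logging anything, so a failure in the crypto layer looks exactly like a wrong password. The NULL-password path earlier in this function logs via `DEBUG(10, ...)`; a similar message that includes `rc` would make the two cases distinguishable in the logs.
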
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index eb725c83d15..88f4a7c6c50 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -4,6 +4,8 @@
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
 
+#include "lib/crypto/gnutls_helpers.h"
+
 /* this file contains prototypes for functions that are private 
  * to this subsystem or library. These functions should not be 
  * used outside this particular subsystem! */
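
Review bot: the `#include "lib/crypto/gnutls_helpers.h"` is placed after `_PRINTF_ATTRIBUTE` has been redefined, so the included header is parsed with this file's temporary macro definition in effect. Moving the include above the `#undef _PRINTF_ATTRIBUTE` line keeps the override scoped to the prototypes it was meant for.
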
@@ -11,10 +13,14 @@
 
 /* The following definitions come from 
/home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c
  */
 
-void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState 
*creds, struct netr_LMSessionKey *key);
-void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState 
*creds, struct netr_LMSessionKey *key);
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, 
struct samr_Password *pass);
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, 
struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_encrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+                                         struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_decrypt_LMKey(struct 
netlogon_creds_CredentialState *creds,
+                                         struct netr_LMSessionKey *key);
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState 
*creds,
+                                   struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState 
*creds,
+                                   struct samr_Password *pass);
 NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState 
*creds,
                                      uint8_t *data,
                                      size_t len);
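
Review bot: the four `netlogon_creds_des_*` prototypes switch from `void` to `NTSTATUS`, but nothing forces callers to look at the result, so a call site missed in this series keeps compiling and silently drops the error. Marking these prototypes with a warn_unused_result attribute would let the compiler find such callers.
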
@@ -84,8 +90,8 @@ union netr_LogonLevel 
*netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
 
 /* The following definitions come from 
/home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  
*/
 
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB 
*session_key,
-                    bool forward);
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB 
*session_key,
+                   enum samba_gnutls_direction encrypt);
 DATA_BLOB sess_encrypt_string(const char *str, const DATA_BLOB *session_key);
 char *sess_decrypt_string(TALLOC_CTX *mem_ctx, 
                          DATA_BLOB *blob, const DATA_BLOB *session_key);
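
Review bot: in `sess_crypt_blob` the last parameter changes from `bool forward` to `enum samba_gnutls_direction encrypt`, and C converts a `bool` argument to an enum without a diagnostic, so a caller still passing `true` or `false` keeps compiling and gets whatever direction that integer maps to. Please check every call site, and consider naming the parameter `direction`, since `encrypt` reads like a boolean.
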
@@ -95,7 +101,7 @@ NTSTATUS sess_decrypt_blob(TALLOC_CTX *mem_ctx, const 
DATA_BLOB *blob, const DAT
 
 /* The following definitions come from 
/home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbencrypt.c
  */
 
-void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t 
p24[24]);
+int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t 
p24[24]);
 bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
 
 /**
@@ -125,9 +131,9 @@ void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], 
uint8_t p16[16]);
 bool ntv2_owf_gen(const uint8_t owf[16],
                  const char *user_in, const char *domain_in,
                  uint8_t kr_buf[16]);
-void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t 
p24[24]);
-void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t 
*p24);
-void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
+int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t 
p24[24]);
+int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t 
*p24);
+int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
 NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
                            const DATA_BLOB *srv_chal,
                            const DATA_BLOB *smbcli_chal,
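
Review bot: `SMBOWFencrypt`, `SMBNTencrypt_hash` and `SMBNTencrypt` now return a bare `int`, while `SMBOWFencrypt_ntv2` directly below returns `NTSTATUS`, and the prototypes do not say what the `int` means. Please document the convention (the caller in ntlm_check.c treats non-zero as failure) or convert to `NTSTATUS` at this layer so callers handle one error type.
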
@@ -136,9 +142,9 @@ NTSTATUS SMBsesskeygen_ntv2(const uint8_t kr[16],
                            const uint8_t *nt_resp,
                            uint8_t sess_key[16]);
 void SMBsesskeygen_ntv1(const uint8_t kr[16], uint8_t sess_key[16]);
-void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
-                              const uint8_t lm_resp[24], /* only uses 8 */ 
-                              uint8_t sess_key[16]);
+NTSTATUS SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16],
+                                  const uint8_t lm_resp[24], /* only uses 8 */
+                                  uint8_t sess_key[16]);
 DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, 
                                     const char *hostname, 
                                     const char *domain);
@@ -216,15 +222,18 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX 
*mem_ctx,
 
 /* The following definitions come from 
/home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c  */
 
-void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], 
int forw);
-void E_P16(const uint8_t *p14,uint8_t *p16);
-void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
-void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out);
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
-void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
-void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], 
int forw);
-void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t 
key[14], int forw);
-void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int 
forw);
+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t 
key[7],
+                      enum samba_gnutls_direction encrypt);
+int E_P16(const uint8_t *p14,uint8_t *p16);
+int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
+int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
+int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
+                enum samba_gnutls_direction encrypt);
+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t 
key[14],
+                   enum samba_gnutls_direction encrypt);
+int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
+                 enum samba_gnutls_direction encrypt);
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2)
 
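
Review bot: only `des_crypt56` gets a new name (`des_crypt56_gnutls`); `des_crypt112`, `des_crypt112_16` and `sam_rid_crypt` keep theirs while `int forw` becomes `enum samba_gnutls_direction encrypt`. The rename makes any missed caller fail to compile, whereas the others accept an old `1`/`0` argument silently, so it would be safer to treat them all the same way.
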
diff --git a/libcli/auth/session.c b/libcli/auth/session.c
index 10c728662db..43ce9d54fdc 100644
--- a/libcli/auth/session.c
+++ b/libcli/auth/session.c
@@ -29,28 +29,35 @@
   before calling, the out blob must be initialised to be the same size
   as the in blob
 */
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB 
*session_key,
-                    bool forward)
+int sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB 
*session_key,
+                   enum samba_gnutls_direction encrypt)
 {
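
Review bot: the comment above `sess_crypt_blob` still only states the precondition that `out` must be initialised to the size of `in`, and says nothing about the new `int` return. Now that the function can fail, document the return value there, and consider checking the size precondition and returning an error instead of relying on the caller.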


-- 
Samba Shared Repository
