diff options
author | Andreas Schneider <asn@samba.org> | 2021-08-16 17:14:19 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2022-07-28 11:51:28 +0000 |
commit | 0d059e4425587a196332477ed4e75293ced47296 (patch) | |
tree | 8c279e6f9907430c64ea969a2d36b3db398ad9eb /lib/crypto | |
parent | 10249fbb1c7dd9fef69a0d37249de95a20e2a7e4 (diff) | |
download | samba-0d059e4425587a196332477ed4e75293ced47296.tar.gz |
lib:crypto: Add samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'lib/crypto')
-rw-r--r-- | lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c | 153 | ||||
-rw-r--r-- | lib/crypto/gnutls_helpers.h | 36 |
2 files changed, 189 insertions, 0 deletions
diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c index 1771b35ac92..a05aa8a323c 100644 --- a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c +++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c @@ -238,3 +238,156 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } + +NTSTATUS +samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx, + const DATA_BLOB *ciphertext, + const DATA_BLOB *cdk, + const DATA_BLOB *key_salt, + const DATA_BLOB *mac_salt, + const DATA_BLOB *iv, + const uint8_t auth_tag[64], + DATA_BLOB *pplaintext) +{ + gnutls_hmac_hd_t hmac_hnd = NULL; + gnutls_mac_algorithm_t hash_algo = GNUTLS_MAC_SHA512; + size_t hmac_size = gnutls_hmac_get_len(hash_algo); + uint8_t dec_key_data[32]; + uint8_t mac_key_data[64]; + gnutls_datum_t mac_key = { + .data = mac_key_data, + .size = sizeof(mac_key_data), + }; + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_cipher_algorithm_t cipher_algo = GNUTLS_CIPHER_AES_256_CBC; + gnutls_datum_t dec_key = { + .data = dec_key_data, + .size = sizeof(dec_key_data), + }; + gnutls_datum_t iv_datum = { + .data = iv->data, + .size = iv->length, + }; + uint8_t version_byte = SAMR_AES_VERSION_BYTE; + uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN; + uint8_t auth_data[hmac_size]; + uint8_t padding; + size_t i; + NTSTATUS status; + int cmp; + int rc; + + if (cdk->length == 0 || ciphertext->length == 0 || + key_salt->length == 0 || mac_salt->length == 0 || iv->length == 0 || + pplaintext == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Calculate mac key */ + status = calculate_mac_key(cdk, mac_salt, mac_key_data); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + rc = gnutls_hmac_init(&hmac_hnd, hash_algo, mac_key.data, mac_key.size); + BURN_DATA(mac_key_data); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, &version_byte, sizeof(uint8_t)); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, iv->data, iv->length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, ciphertext->data, ciphertext->length); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, &version_byte_len, sizeof(uint8_t)); + if (rc < 0) { + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + gnutls_hmac_deinit(hmac_hnd, auth_data); + + cmp = memcmp(auth_data, auth_tag, sizeof(auth_data)); + if (cmp != 0) { + return NT_STATUS_DECRYPTION_FAILED; + } + + *pplaintext = data_blob_talloc_zero(mem_ctx, ciphertext->length); + if (pplaintext->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* Calculate decryption key */ + status = calculate_enc_key(cdk, key_salt, dec_key_data); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + rc = gnutls_cipher_init(&cipher_hnd, cipher_algo, &dec_key, &iv_datum); + BURN_DATA(dec_key_data); + if (rc < 0) { + data_blob_free(pplaintext); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + rc = gnutls_cipher_decrypt2(cipher_hnd, + ciphertext->data, + ciphertext->length, + pplaintext->data, + pplaintext->length); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + data_blob_clear_free(pplaintext); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_DECRYPTION_FAILED); + } + + /* + * PKCS#7 padding + * + * TODO: Use gnutls_cipher_decrypt3() + */ + + /* + * The plaintext is always padded. + * + * We already checked for ciphertext->length == 0 above and the + * pplaintext->length is equal to ciphertext->length here. We need to + * remove the padding from the plaintext size. + */ + padding = pplaintext->data[pplaintext->length - 1]; + if (padding == 0 || padding > 16) { + data_blob_clear_free(pplaintext); + return NT_STATUS_DECRYPTION_FAILED; + } + + for (i = pplaintext->length - padding; i < pplaintext->length; i++) { + if (pplaintext->data[i] != padding) { + data_blob_clear_free(pplaintext); + return NT_STATUS_DECRYPTION_FAILED; + } + } + + pplaintext->length -= padding; + + return NT_STATUS_OK; +} diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h index eb6e469fa0c..6719a599604 100644 --- a/lib/crypto/gnutls_helpers.h +++ b/lib/crypto/gnutls_helpers.h @@ -144,6 +144,42 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, uint8_t pauth_tag[64]); /** + * @brief Decypt cipher text using AEAD_AES_256_CBC_HMAC_SHA512 and the session + * key. + * + * This decrypts the cipher text using AEAD_AES_256_CBC_HMAC_SHA512 with the + * given content decryption key key. The plaintext will be zeroed as soon as the + * data blob is freed. + * + * @param mem_ctx The memory context to allocate the plaintext on. + * + * @param ciphertext The cipher text to decrypt. + * + * @param cdk The content decryption key. + * + * @param key_salt The salt used to calculate the encryption key. + * + * @param key_salt The salt used to calculate the mac key. + + * @param iv The initialization vector used for the encryption. + * + * @param auth_tag[64] The authentication blob to be verified. + * + * @param pplaintext A pointer to a DATA_BLOB to store the plaintext. + * + * @return NT_STATUS_OK on success, an nt status error code otherwise. + */ +NTSTATUS +samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx, + const DATA_BLOB *ciphertext, + const DATA_BLOB *cdk, + const DATA_BLOB *key_salt, + const DATA_BLOB *mac_salt, + const DATA_BLOB *iv, + const uint8_t auth_tag[64], + DATA_BLOB *pplaintext); + +/** * @brief Check if weak crypto is allowed. * * @return true if weak crypo is allowed, false otherwise. |