authorAndrew Bartlett <abartlet@samba.org>2019-06-27 15:05:49 +1200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-27 12:54:23 +0000
commit31bac316daa1b5bbf70d62950cebee655b3c1d95 (patch)
tree0328fd25b67f8178be351b754f7d9647c89b18c7 /lib/crypto
parent52c87fa16512c040066dbfd8d1811a1d28851850 (diff)
lib/crypto: Add GnuTLS helper function samba_gnutls_arcfour_confounded_md5()
This will avoid duplicated code as we convert arcfour_crypt_blob() into direct GnuTLS calls.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'lib/crypto')
-rw-r--r--lib/crypto/gnutls_arcfour_confounded_md5.c75
-rw-r--r--lib/crypto/gnutls_helpers.h5
-rw-r--r--lib/crypto/wscript_build7
3 files changed, 85 insertions, 2 deletions
diff --git a/lib/crypto/gnutls_arcfour_confounded_md5.c b/lib/crypto/gnutls_arcfour_confounded_md5.c
new file mode 100644
index 00000000000..27fede2656e
--- /dev/null
+++ b/lib/crypto/gnutls_arcfour_confounded_md5.c
@@ -0,0 +1,75 @@
+/*
+ Unix SMB/CIFS implementation.
+ Wrapper for gnutls hash and encryption functions
+
+ Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009-2019
+ Copyright (c) Andreas Schneider <asn@samba.org> 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+/*
+ * This (arcfour over data with a key combined from two imputs, one
+ * the key another the confounder), is a common pattern in pre-AES
+ * windows cryptography
+ *
+ * Some protocols put the confounder first, others second so both
+ * parameters are named key_input here.
+ *
+ */
+
+#include "includes.h"
+#include "lib/util/data_blob.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include "gnutls_helpers.h"
+#include "arcfour.h"
+#include "lib/util/memory.h"
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+ const DATA_BLOB *key_input2,
+ DATA_BLOB *data)
+{
+ int rc;
+ gnutls_hash_hd_t hash_hnd = NULL;
+ uint8_t confounded_key[16];
+ DATA_BLOB confounded_key_as_blob
+ = data_blob_const(confounded_key,
+ sizeof(confounded_key));
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input1->data, key_input1->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input2->data, key_input2->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+
+ gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data);
+
+ arcfour_crypt_blob(data->data, data->length,
+ &confounded_key_as_blob);
+
+ ZERO_ARRAY(confounded_key);
+
+ return 0;
+}
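Review bot: samba_gnutls_arcfour_confounded_md5() has no comment stating its contract, and two parts of that contract matter to callers. The RC4 key is the MD5 digest of key_input1 followed by key_input2, so swapping the arguments gives a different key, and `data` is transformed in place. On every `rc < 0` return the buffer is left unmodified, so a caller that ignores the return value (for example when MD5 is refused by the GnuTLS build or policy) would carry on with data that was never encrypted or decrypted. I would add above the definition `/* key = MD5(key_input1 || key_input2); data is RC4-processed in place. Returns 0, or a negative GnuTLS error code with data untouched. */`. The three pointers are dereferenced without a NULL check at the gnutls_hash() and arcfour_crypt_blob() calls, so non-NULL arguments should be stated as a precondition, and "imputs" in the file comment should read "inputs".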
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index e1a17168297..fedbb5307e0 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -36,4 +36,9 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
#define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
_gnutls_error_to_werror(gnutls_rc, blocked_werr, \
__FUNCTION__, __location__)
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+ const DATA_BLOB *key_input2,
+ DATA_BLOB *data);
+
#endif /* _GNUTLS_HELPERS_H */
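Review bot: The added prototype uses DATA_BLOB, but nothing in this hunk shows gnutls_helpers.h including the header that declares it. The top of the header is outside the hunk, so this may already be covered. The new .c file includes "lib/util/data_blob.h" before "gnutls_helpers.h", which would hide a missing include from the compiler. If the header does not already pull it in, add `#include "lib/util/data_blob.h"` there so that it is self-contained. Since a failure leaves the buffer unprocessed, the declaration is also a good place for a warn-unused-result annotation, if the project has one.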
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index e482bbfd487..a263d08f638 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -6,8 +6,11 @@ if bld.CONFIG_SET("HAVE_AESNI_INTEL"):
extra_deps += ' aesni-intel'
bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
- source='gnutls_error.c',
- deps='gnutls samba-errors');
+ source='''
+ gnutls_error.c
+ gnutls_arcfour_confounded_md5.c
+ ''',
+ deps='gnutls samba-errors LIBCRYPTO');
bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
source='''md4.c arcfour.c