authorIsaac Boukris <iboukris@gmail.com>2019-10-19 23:48:19 +0300
committerAndrew Bartlett <abartlet@samba.org>2019-12-10 00:30:30 +0000
commit0f855f1ab955e3ecf47689c5e4578eb67ebe8f27 (patch)
tree8c2e99e1f4840d6eb52b315f335caabec10b5351 /libcli
parent2c470c8035be6d70ce3fc8d1e12be284566a7037 (diff)
downloadsamba-0f855f1ab955e3ecf47689c5e4578eb67ebe8f27.tar.gz
smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/auth/proto.h4
-rw-r--r--libcli/auth/smbdes.c57
-rw-r--r--libcli/auth/tests/test_gnutls.c9
-rw-r--r--libcli/auth/wscript_build2
4 files changed, 71 insertions, 1 deletions
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index eb725c83d15..e7c9923abf3 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -4,6 +4,8 @@
#undef _PRINTF_ATTRIBUTE
#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
+#include "lib/crypto/gnutls_helpers.h"
+
/* this file contains prototypes for functions that are private
* to this subsystem or library. These functions should not be
* used outside this particular subsystem! */
@@ -217,6 +219,8 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbdes.c */
void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw);
+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
+ enum samba_gnutls_direction encrypt);
void E_P16(const uint8_t *p14,uint8_t *p16);
void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out);
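Review bot: The new `des_crypt56_gnutls()` prototype returns an `int` while the neighbouring `des_crypt56()` returns `void`, and nothing here tells a caller that the result must be checked. Judging by the definition in smbdes.c, a failure leaves `out` all zero, so a caller that ignores the return value would carry on with a predictable block. A one-line comment above the prototype would make the contract explicit, for example `/* Returns 0 on success or a GnuTLS error code; on error out[] is zeroed and must not be used. */`. The prototype also names the third parameter `key` where the definition uses `key_in`; matching the two would be tidier.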
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
index 59cb45d81f0..f384ef132a7 100644
--- a/libcli/auth/smbdes.c
+++ b/libcli/auth/smbdes.c
@@ -23,6 +23,9 @@
#include "includes.h"
#include "libcli/auth/libcli_auth.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
/* NOTES:
This code makes no attempt to be fast! In fact, it is a very
@@ -273,6 +276,60 @@ static void str_to_key(const uint8_t *str,uint8_t *key)
}
}
+int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8],
+ const uint8_t key_in[7],
+ enum samba_gnutls_direction encrypt)
+{
+ /*
+ * A single block DES-CBC op, with an all-zero IV is the same as DES
+ * because the IV is combined with the data using XOR.
+ * This allows us to use GNUTLS_CIPHER_DES_CBC from GnuTLS and not
+ * implement single-DES in Samba.
+ *
+ * In turn this is used to build DES-ECB, which is used
+ * for example in the NTLM challenge/response calculation.
+ */
+ static const uint8_t iv8[8];
+ gnutls_datum_t iv = { discard_const(iv8), 8 };
+ gnutls_datum_t key;
+ gnutls_cipher_hd_t ctx;
+ uint8_t key2[8];
+ uint8_t outb[8];
+ int ret;
+
+ memset(out, 0, 8);
+
+ str_to_key(key_in, key2);
+
+ key.data = key2;
+ key.size = 8;
+
+ ret = gnutls_global_init();
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv);
+ if (ret != 0) {
+ return ret;
+ }
+
+ memcpy(outb, in, 8);
+ if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+ ret = gnutls_cipher_encrypt(ctx, outb, 8);
+ } else {
+ ret = gnutls_cipher_decrypt(ctx, outb, 8);
+ }
+
+ if (ret == 0) {
+ memcpy(out, outb, 8);
+ }
+
+ gnutls_cipher_deinit(ctx);
+
+ return ret;
+}
+
/*
basic des crypt using a 56 bit (7 byte) key
*/
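Review bot: `key2` and `outb` in des_crypt56_gnutls() are left on the stack on every return path, and `key2` is the expanded form of the 7-byte secret passed in as `key_in`. Clearing both before returning, for example `ZERO_ARRAY(key2); ZERO_ARRAY(outb);` (assuming that macro is in scope via includes.h), would keep key material from lingering, including on the early return after `gnutls_cipher_init()` fails. Separately, `memset(out, 0, 8)` runs before `memcpy(outb, in, 8)`, so a caller passing the same buffer as `out` and `in` would have its input zeroed before it is read. Moving `memcpy(outb, in, 8);` above the memset, or zeroing `out` only on the failure paths, avoids that. Whether any caller works in place is not visible from this hunk.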
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index d9ce8a765cf..121848341e6 100644
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -242,12 +242,21 @@ static void torture_gnutls_des_crypt56(void **state)
uint8_t crypt[8];
uint8_t decrypt[8];
+ int rc;
des_crypt56(crypt, clear, key, 1);
assert_memory_equal(crypt, crypt_expected, 8);
des_crypt56(decrypt, crypt, key, 0);
assert_memory_equal(decrypt, clear, 8);
+
+ rc = des_crypt56_gnutls(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
+ assert_memory_equal(crypt, crypt_expected, 8);
+
+ rc = des_crypt56_gnutls(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
+ assert_memory_equal(decrypt, clear, 8);
}
static void torture_gnutls_E_P16(void **state)
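Review bot: The added assertions cover only the success path with distinct `out` and `in` buffers, so they would not catch a problem with in-place use of des_crypt56_gnutls(). A further case that copies `clear` into a scratch buffer, passes that buffer as both `out` and `in`, and compares the result with `crypt_expected` would pin that behaviour down, or show that aliasing needs to be documented as unsupported. The body of torture_gnutls_des_crypt56() starts above this hunk, so the declarations of `clear`, `key` and `crypt_expected` are not visible here.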
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index dc121950358..41937623630 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -13,7 +13,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
source='ntlm_check.c',
- deps = 'talloc'
+ deps = 'talloc LIBCLI_AUTH'
)
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',