diff options
| author | Andreas Schneider <asn@samba.org> | 2019-01-17 12:40:21 +0100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2019-07-26 01:48:24 +0000 |
| commit | 359ae5be0d21e7ab235035aab65710c9459e9593 (patch) | |
| tree | 81acd40b206c07c8110f4527c81b2796e2ad9b2d /source3/utils | |
| parent | cd0b5e5d9377bc79b4468081f3999ad39be3cb8f (diff) | |
| download | samba-359ae5be0d21e7ab235035aab65710c9459e9593.tar.gz | |
s3:utils: Use GnuTLS RC4 in ntlm_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3/utils')
| -rw-r--r-- | source3/utils/ntlm_auth.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 2be641c891c..c02e8a70a9e 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -37,7 +37,6 @@ #include "librpc/crypto/gse.h" #include "smb_krb5.h" #include "lib/util/tiniparser.h" -#include "../lib/crypto/arcfour.h" #include "nsswitch/winbind_client.h" #include "librpc/gen_ndr/krb5pac.h" #include "../lib/util/asn1.h" @@ -49,6 +48,9 @@ #include "lib/util/base64.h" #include "cmdline_contexts.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + #ifdef HAVE_KRB5 #include "auth/kerberos/pac_utils.h" #endif @@ -1937,6 +1939,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h uchar new_nt_hash[16]; uchar new_lm_hash[16]; + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t old_nt_key = { + .data = old_nt_hash, + .size = sizeof(old_nt_hash), + }; + int rc; + new_nt_pswd = data_blob(NULL, 516); old_nt_hash_enc = data_blob(NULL, 16); @@ -1956,6 +1965,19 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h Likewise, obey the admin's restriction */ + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &old_nt_key, + NULL); + if (rc < 0) { + DBG_ERR("gnutls_cipher_init failed: %s\n", + gnutls_strerror(rc)); + if (rc == GNUTLS_E_UNWANTED_ALGORITHM) { + DBG_ERR("Running in FIPS mode, NTLM blocked\n"); + } + return; + } + if (lp_client_lanman_auth() && E_deshash(newpswd, new_lm_hash) && E_deshash(oldpswd, old_lm_hash)) { @@ -1964,7 +1986,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h encode_pw_buffer(new_lm_pswd.data, newpswd, STR_UNICODE); - arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516); + rc = gnutls_cipher_encrypt(cipher_hnd, + new_lm_pswd.data, + 516); + if (rc < 0) { + gnutls_cipher_deinit(cipher_hnd); + return; + } E_old_pw_hash(new_nt_hash, old_lm_hash, old_lm_hash_enc.data); } else { @@ -1977,9 +2005,20 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h encode_pw_buffer(new_nt_pswd.data, newpswd, STR_UNICODE); - arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516); + rc = gnutls_cipher_encrypt(cipher_hnd, + new_nt_pswd.data, + 516); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + return; + } E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.data); + + ZERO_ARRAY(old_nt_hash); + ZERO_ARRAY(old_lm_hash); + ZERO_ARRAY(new_nt_hash); + ZERO_ARRAY(new_lm_hash); } if (!full_username && !username) { |