Diffstat (limited to 'libcli')
-rw-r--r--libcli/auth/credentials.c38
-rw-r--r--libcli/auth/netlogon_creds_cli.c24
-rw-r--r--libcli/auth/proto.h9
-rw-r--r--libcli/auth/smbdes.c13
-rw-r--r--libcli/auth/tests/test_gnutls.c7
5 files changed, 69 insertions, 22 deletions
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 5f65428a1d7..c541eeff470 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -302,21 +302,37 @@ NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState
/*
DES encrypt a 16 byte password buffer using the session key
*/
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass)
{
struct samr_Password tmp;
- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
+ int rc;
+
+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*pass = tmp;
+
+ return NT_STATUS_OK;
}
/*
DES decrypt a 16 byte password buffer using the session key
*/
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass)
{
struct samr_Password tmp;
- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
+ int rc;
+
+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*pass = tmp;
+
+ return NT_STATUS_OK;
}
/*
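Review bot: Neither return path in netlogon_creds_des_encrypt() or netlogon_creds_des_decrypt() clears the stack copy `tmp`. In the decrypt case it still holds the decrypted 16-byte hash after `*pass = tmp;`, and on the `rc < 0` path it may hold a partially processed block. I would add `ZERO_STRUCT(tmp);` before both `return` statements in each function, assuming that macro is not optimised away in this tree. The header comments should also say that `*pass` is left untouched when a non-OK status is returned, since the functions used to be `void` and callers had no failure case to reason about.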
@@ -993,17 +1009,23 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
p = &logon->password->lmpassword;
if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
- netlogon_creds_des_encrypt(creds, p);
+ status = netlogon_creds_des_encrypt(creds, p);
} else {
- netlogon_creds_des_decrypt(creds, p);
+ status = netlogon_creds_des_decrypt(creds, p);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
p = &logon->password->ntpassword;
if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
- netlogon_creds_des_encrypt(creds, p);
+ status = netlogon_creds_des_encrypt(creds, p);
} else {
- netlogon_creds_des_decrypt(creds, p);
+ status = netlogon_creds_des_decrypt(creds, p);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
}
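Review bot: If the `ntpassword` call fails after the `lmpassword` call has succeeded, the early `return status;` leaves `logon->password` half transformed in place, with one hash converted and the other not. That state is easy to misuse if a caller logs, retries or forwards the structure after an error. I would document the contract at the first early return, e.g. `/* on error the logon blob is partially crypted and must be discarded */`. The function starts and ends outside this hunk, so the declaration of `status` and how callers treat the buffer on failure cannot be checked from here.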
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 6f043d774cd..407cb471cbc 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -2032,8 +2032,12 @@ static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subre
return;
}
} else {
- netlogon_creds_des_encrypt(&state->tmp_creds,
- &state->samr_password);
+ status = netlogon_creds_des_encrypt(&state->tmp_creds,
+ &state->samr_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+ return;
+ }
subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
state->binding_handle,
@@ -3187,14 +3191,22 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq
cmp = memcmp(state->new_owf_password.hash,
zero.hash, sizeof(zero.hash));
if (cmp != 0) {
- netlogon_creds_des_decrypt(&state->tmp_creds,
- &state->new_owf_password);
+ status = netlogon_creds_des_decrypt(&state->tmp_creds,
+ &state->new_owf_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status);
+ return;
+ }
}
cmp = memcmp(state->old_owf_password.hash,
zero.hash, sizeof(zero.hash));
if (cmp != 0) {
- netlogon_creds_des_decrypt(&state->tmp_creds,
- &state->old_owf_password);
+ status = netlogon_creds_des_decrypt(&state->tmp_creds,
+ &state->old_owf_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status);
+ return;
+ }
}
*state->creds = state->tmp_creds;
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 3994db20a36..4c6d7af6763 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -17,8 +17,10 @@ NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState
struct netr_LMSessionKey *key);
NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
struct netr_LMSessionKey *key);
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass);
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
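Review bot: Changing `netlogon_creds_des_encrypt()` and `netlogon_creds_des_decrypt()` from `void` to `NTSTATUS` still compiles cleanly at any call site that ignores the result, so an unconverted caller would silently continue with an untransformed password hash. The page is limited to `libcli`, so callers elsewhere in the tree are not visible here. Marking both prototypes with the project's warn-unused-result attribute (`_WARN_UNUSED_RESULT_`, if it is usable in this header) would let the compiler find any that were missed. The same applies to `des_crypt112_16()` in the next hunk of this file, which goes from `void` to `int`.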
@@ -229,7 +231,8 @@ int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
enum samba_gnutls_direction encrypt);
-void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt);
int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
enum samba_gnutls_direction encrypt);
#undef _PRINTF_ATTRIBUTE
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
index 8dc4fc4097c..8fc79dc5c71 100644
--- a/libcli/auth/smbdes.c
+++ b/libcli/auth/smbdes.c
@@ -442,10 +442,17 @@ int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
}
/* des encryption of a 16 byte lump of data with a 112 bit key */
-void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw)
+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt)
{
- des_crypt56(out, in, key, forw);
- des_crypt56(out + 8, in + 8, key+7, forw);
+ int ret;
+
+ ret = des_crypt56_gnutls(out, in, key, encrypt);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out + 8, in + 8, key+7, encrypt);
}
/* Decode a sam password hash into a password. The password hash is the
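Review bot: The one-line comment above `des_crypt112_16()` was not updated for the new return value, and the function can now fail after the first `des_crypt56_gnutls()` call has already written `out[0..7]`. I would extend it to something like `/* returns 0 on success or a negative gnutls error; on error the contents of out are undefined */`. The function tests `ret != 0` while the callers in credentials.c test `rc < 0`; both work if errors are always negative, but using one convention would be easier to read.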
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index 68a27adc894..a6692b9a913 100644
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -414,11 +414,14 @@ static void torture_gnutls_des_crypt112_16(void **state)
uint8_t crypt[16];
uint8_t decrypt[16];
+ int rc;
- des_crypt112_16(crypt, clear, key, 1);
+ rc = des_crypt112_16(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt, crypt_expected, 16);
- des_crypt112_16(decrypt, crypt, key, 0);
+ rc = des_crypt112_16(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(decrypt, clear, 16);
}