DATA_BLOB lm_session_key = data_blob_null;
DATA_BLOB session_key = data_blob_null;
const struct samr_Password *nt_hash = NULL;
+ int rc;
if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
TALLOC_FREE(frame);
uint8_t session_nonce[16];
uint8_t session_nonce_hash[16];
uint8_t user_session_key[16];
- int rc;
lm_response = data_blob_talloc_zero(frame, 24);
if (lm_response.data == NULL) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
- SMBOWFencrypt(nt_hash->hash,
- session_nonce_hash,
- nt_response.data);
+ rc = SMBOWFencrypt(nt_hash->hash,
+ session_nonce_hash,
+ nt_response.data);
+ if (rc != 0) {
+ TALLOC_FREE(frame);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
ZERO_ARRAY(session_nonce_hash);
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
- SMBOWFencrypt(nt_hash->hash, challenge.data,
- nt_response.data);
+ rc = SMBOWFencrypt(nt_hash->hash, challenge.data,
+ nt_response.data);
+ if (rc != 0) {
+ TALLOC_FREE(frame);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
session_key = data_blob_talloc_zero(frame, 16);
if (session_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
- SMBencrypt_hash(lm_hash,
- challenge.data,
- lm_response.data);
+ rc = SMBencrypt_hash(lm_hash,
+ challenge.data,
+ lm_response.data);
+ if (rc != 0) {
+ ZERO_STRUCT(lm_hash);
+ TALLOC_FREE(frame);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
} else {
/* just copy the nt_response */
lm_response = data_blob_dup_talloc(frame, nt_response);
{
/* Finish the encryption of part_passwd. */
uint8_t p24[24];
+ int rc;
if (part_passwd == NULL) {
DEBUG(10,("No password set - DISALLOWING access\n"));
return false;
}
- SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+ rc = SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+ if (rc != 0) {
+ return false;
+ }
#if DEBUG_PASSWORD
DEBUG(100,("Part password (P16) was |\n"));
/* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/smbencrypt.c */
-void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]);
+int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24]);
bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24]);
/**
bool ntv2_owf_gen(const uint8_t owf[16],
const char *user_in, const char *domain_in,
uint8_t kr_buf[16]);
-void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]);
-void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24);
-void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
+int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24]);
+int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24);
+int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24);
NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
const DATA_BLOB *srv_chal,
const DATA_BLOB *smbcli_chal,
int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7],
enum samba_gnutls_direction encrypt);
int E_P16(const uint8_t *p14,uint8_t *p16);
-void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
+int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
return des_crypt56_gnutls(p16+8, sp8, p14+7, SAMBA_GNUTLS_ENCRYPT);
}
-void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
+int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
{
- des_crypt56(p24, c8, p21, 1);
- des_crypt56(p24+8, c8, p21+7, 1);
- des_crypt56(p24+16, c8, p21+14, 1);
+ int ret;
+
+ ret = des_crypt56_gnutls(p24, c8, p21, SAMBA_GNUTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = des_crypt56_gnutls(p24+8, c8, p21+7, SAMBA_GNUTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(p24+16, c8, p21+14, SAMBA_GNUTLS_ENCRYPT);
}
void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
+int SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
uint8_t p21[21];
+ int rc;
memset(p21,'\0',21);
memcpy(p21, lm_hash, 16);
- SMBOWFencrypt(p21, c8, p24);
+ rc = SMBOWFencrypt(p21, c8, p24);
#ifdef DEBUG_PASSWORD
DEBUG(100,("SMBencrypt_hash: lm#, challenge, response\n"));
dump_data(100, c8, 8);
dump_data(100, p24, 24);
#endif
+
+ return rc;
}
/*
{
bool ret;
uint8_t lm_hash[16];
+ int rc;
ret = E_deshash(passwd, lm_hash);
- SMBencrypt_hash(lm_hash, c8, p24);
+ rc = SMBencrypt_hash(lm_hash, c8, p24);
+ if (rc != 0) {
+ ret = false;
+ }
return ret;
}
}
/* Does the des encryption from the NT or LM MD4 hash. */
-void SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24])
+int SMBOWFencrypt(const uint8_t passwd[16], const uint8_t *c8, uint8_t p24[24])
{
uint8_t p21[21];
ZERO_STRUCT(p21);
memcpy(p21, passwd, 16);
- E_P24(p21, c8, p24);
+ return E_P24(p21, c8, p24);
}
/* Does the des encryption. */
-void SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24)
+int SMBNTencrypt_hash(const uint8_t nt_hash[16], const uint8_t *c8, uint8_t *p24)
{
uint8_t p21[21];
+ int rc;
memset(p21,'\0',21);
memcpy(p21, nt_hash, 16);
- SMBOWFencrypt(p21, c8, p24);
+ rc = SMBOWFencrypt(p21, c8, p24);
#ifdef DEBUG_PASSWORD
DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n"));
dump_data(100, c8, 8);
dump_data(100, p24, 24);
#endif
+
+ return rc;
}
/* Does the NT MD4 hash then des encryption. Plaintext version of the above. */
-void SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24)
+int SMBNTencrypt(const char *passwd, const uint8_t *c8, uint8_t *p24)
{
uint8_t nt_hash[16];
E_md4hash(passwd, nt_hash);
- SMBNTencrypt_hash(nt_hash, c8, p24);
+ return SMBNTencrypt_hash(nt_hash, c8, p24);
}
};
uint8_t crypt[24];
+ int rc;
- E_P24(key, c8, crypt);
+ rc = E_P24(key, c8, crypt);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt, crypt_expected, 24);
}
};
uint8_t crypt[24];
+ int rc;
- SMBOWFencrypt(password, c8, crypt);
+ rc = SMBOWFencrypt(password, c8, crypt);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt, crypt_expected, 24);
}
struct samr_Password nt_pwd;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
+ int rc;
if (lm_interactive_pwd)
memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
if (nt_interactive_pwd)
memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
- if (lm_interactive_pwd)
- SMBOWFencrypt(lm_pwd.hash, chal,
- local_lm_response);
+ if (lm_interactive_pwd) {
+ rc = SMBOWFencrypt(lm_pwd.hash, chal,
+ local_lm_response);
+ if (rc != 0) {
+ return false;
+ }
+ }
- if (nt_interactive_pwd)
- SMBOWFencrypt(nt_pwd.hash, chal,
+ if (nt_interactive_pwd) {
+ rc = SMBOWFencrypt(nt_pwd.hash, chal,
local_nt_response);
+ if (rc != 0) {
+ return false;
+ }
+ }
{
bool ret;
#include "dbwrap/dbwrap.h"
#include "dbwrap/dbwrap_open.h"
#include "util_tdb.h"
+#include "lib/crypto/gnutls_helpers.h"
NTSTATUS rpccli_pre_open_netlogon_creds(void)
case NetlogonNetworkTransitiveInformation: {
struct netr_NetworkInfo *network_info;
uint8_t chal[8];
+ int rc;
ZERO_STRUCT(lm);
ZERO_STRUCT(nt);
generate_random_buffer(chal, 8);
SMBencrypt(password, chal, local_lm_response);
- SMBNTencrypt(password, chal, local_nt_response);
+ rc = SMBNTencrypt(password, chal, local_nt_response);
+ if (rc != 0) {
+ TALLOC_FREE(frame);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
lm.length = 24;
lm.data = local_lm_response;
NTSTATUS status;
bool ok;
uint8_t authoritative = 0;
+ int rc;
+
+ rc = SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
+ local_nt_response);
+ if (rc != 0) {
+ return False;
+ }
- SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
- local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &remote_address) != 0) {
#include "libads/krb5_errs.h"
#include "param/param.h"
#include "messaging/messaging.h"
+#include "lib/crypto/gnutls_helpers.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/crypto.h>
}
data_blob_free(&names_blob);
} else {
+ int rc;
lm_resp = data_blob_null;
- SMBNTencrypt(pass, chal, local_nt_response);
+ rc = SMBNTencrypt(pass, chal, local_nt_response);
+ if (rc != 0) {
+ DEBUG(0, ("winbindd_pam_auth: SMBNTencrypt() failed!\n"));
+ result = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
sizeof(local_nt_response));
#include "auth/ntlm/auth_proto.h"
#include "librpc/gen_ndr/drsuapi.h"
#include "dsdb/samdb/samdb.h"
+#include "lib/crypto/gnutls_helpers.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
const struct auth_usersupplied_info *user_info_in,
const struct auth_usersupplied_info **user_info_encrypted)
{
+ int rc;
NTSTATUS nt_status;
struct auth_usersupplied_info *user_info_temp;
switch (to_state) {
data_blob_free(&ntlmv2_session_key);
} else {
DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
- SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data);
-
+ rc = SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
user_info_temp->password.response.nt = blob;
if (lpcfg_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
- SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data);
+ rc = SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
user_info_temp->password.response.lanman = lm_blob;
} else {
/* if not sending the LM password, send the NT password twice */
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "param/param.h"
+#include "lib/crypto/gnutls_helpers.h"
#define TEST_MACHINE_NAME "samsynctest"
#define TEST_WKSTA_MACHINE_NAME "samsynctest2"
union netr_Validation validation;
uint8_t authoritative;
struct dcerpc_binding_handle *b = p->binding_handle;
+ int rc;
ninfo.identity_info.domain_name.string = domain;
ninfo.identity_info.parameter_control = 0;
if (nt_hash) {
ninfo.nt.length = 24;
ninfo.nt.data = talloc_array(mem_ctx, uint8_t, 24);
- SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
+ rc = SMBOWFencrypt(nt_hash->hash, ninfo.challenge,
+ ninfo.nt.data);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
} else {
ninfo.nt.length = 0;
ninfo.nt.data = NULL;
if (lm_hash) {
ninfo.lm.length = 24;
ninfo.lm.data = talloc_array(mem_ctx, uint8_t, 24);
- SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
+ rc = SMBOWFencrypt(lm_hash->hash, ninfo.challenge,
+ ninfo.lm.data);
+ if (rc != 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
} else {
ninfo.lm.length = 0;
ninfo.lm.data = NULL;