s4:torture: Use GnuTLS MD5 in samr password tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index cb4778ecd79870f74a6a52a6544de25351aa1bd0..b9afce460c16055a77802a2897fd26cfe42c5ccd 100644 (file)
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -48,6 +48,18 @@
 #define TEST_MACHINENAME "samrtestmach$"
 #define TEST_DOMAINNAME "samrtestdom$"
 
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
+
 enum torture_samr_choice {
        TORTURE_SAMR_PASSWORDS,
        TORTURE_SAMR_PASSWORDS_PWDLASTSET,
@@ -766,7 +778,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
-       MD5_CTX ctx;
+       gnutls_hash_hd_t hash_hnd;
        struct samr_GetUserPwInfo pwp;
        struct samr_PwInfo info;
        int policy_min_pw_len = 0;
@@ -800,10 +812,14 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
 
        generate_random_buffer((uint8_t *)confounder, 16);
 
-       MD5Init(&ctx);
-       MD5Update(&ctx, confounder, 16);
-       MD5Update(&ctx, session_key.data, session_key.length);
-       MD5Final(confounded_session_key.data, &ctx);
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
+       gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       gnutls_hash(hash_hnd, confounder, 16);
+       gnutls_hash(hash_hnd, session_key.data, session_key.length);
+       gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+
+       GNUTLS_FIPS140_SET_STRICT_MODE();
 
        arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key);
        memcpy(&u.info26.password.data[516], confounder, 16);
@@ -857,7 +873,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
        bool ret = true;
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-       MD5_CTX ctx;
+       gnutls_hash_hd_t hash_hnd;
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
@@ -893,10 +909,14 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
 
        generate_random_buffer((uint8_t *)confounder, 16);
 
-       MD5Init(&ctx);
-       MD5Update(&ctx, confounder, 16);
-       MD5Update(&ctx, session_key.data, session_key.length);
-       MD5Final(confounded_session_key.data, &ctx);
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
+       gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       gnutls_hash(hash_hnd, confounder, 16);
+       gnutls_hash(hash_hnd, session_key.data, session_key.length);
+       gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+
+       GNUTLS_FIPS140_SET_STRICT_MODE();
 
        arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
        memcpy(&u.info25.password.data[516], confounder, 16);
@@ -1147,7 +1167,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
        bool ret = true;
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-       MD5_CTX ctx;
+       gnutls_hash_hd_t hash_hnd;
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1258,10 +1278,14 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
 
        generate_random_buffer((uint8_t *)confounder, 16);
 
-       MD5Init(&ctx);
-       MD5Update(&ctx, confounder, 16);
-       MD5Update(&ctx, session_key.data, session_key.length);
-       MD5Final(confounded_session_key.data, &ctx);
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
+       gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       gnutls_hash(hash_hnd, confounder, 16);
+       gnutls_hash(hash_hnd, session_key.data, session_key.length);
+       gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+
+       GNUTLS_FIPS140_SET_STRICT_MODE();
 
        switch (level) {
        case 18:
@@ -2631,7 +2655,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
        uint8_t confounder[16];
-       MD5_CTX ctx;
+       gnutls_hash_hd_t hash_hnd;
 
        bool ret = true;
        struct lsa_String server, account;
@@ -2674,10 +2698,14 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 
        generate_random_buffer((uint8_t *)confounder, 16);
 
-       MD5Init(&ctx);
-       MD5Update(&ctx, confounder, 16);
-       MD5Update(&ctx, session_key.data, session_key.length);
-       MD5Final(confounded_session_key.data, &ctx);
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
+       gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       gnutls_hash(hash_hnd, confounder, 16);
+       gnutls_hash(hash_hnd, session_key.data, session_key.length);
+       gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
+
+       GNUTLS_FIPS140_SET_STRICT_MODE();
 
        arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key);
        memcpy(&u.info25.password.data[516], confounder, 16);