#include "auth/gensec/gensec_toplevel_proto.h"
#include "libds/common/roles.h"
-#ifndef HAVE_GNUTLS_AES_CFB8
-#include "lib/crypto/aes.h"
-#endif
-
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
uint8_t seq_num[8])
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t key = {
.data = state->creds->session_key,
NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE];
-
- AES_set_encrypt_key(state->creds->session_key, 128, &key);
- ZERO_STRUCT(iv);
- memcpy(iv+0, checksum, 8);
- memcpy(iv+8, checksum, 8);
-
- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
} else {
static const uint8_t zeros[4];
uint8_t _sequence_key[16];
bool forward)
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
uint8_t sess_kf0[16] = {0};
gnutls_datum_t key = {
}
}
gnutls_cipher_deinit(cipher_hnd);
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE];
- uint8_t sess_kf0[16];
- int i;
-
- for (i = 0; i < 16; i++) {
- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
- }
-
- AES_set_encrypt_key(sess_kf0, 128, &key);
- ZERO_STRUCT(iv);
- memcpy(iv+0, seq_num, 8);
- memcpy(iv+8, seq_num, 8);
-
- if (forward) {
- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
- } else {
- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
- }
-#endif /* HAVE_GNUTLS_AES_CFB8 */
} else {
gnutls_cipher_hd_t cipher_hnd;
uint8_t _sealing_key[16];
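Review bot: In the function whose signature ends in `bool forward)`, the kept AES branch declares `uint8_t sess_kf0[16] = {0};` and the visible lines end at `gnutls_cipher_deinit(cipher_hnd);` with no wipe of that buffer. The removed fallback filled it with the session key XORed with 0xf0, and the kept branch presumably does the same, so key-equivalent material may be left on the stack now that this is the only AES path. If the lines not shown do not already clear it, add `ZERO_ARRAY(sess_kf0);` after the deinit and before each early error return. The function body starts and ends outside the lines visible here, so confirm against the full file.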
#include "../libcli/security/dom_sid.h"
#include "lib/util/util_str_escape.h"
-#ifndef HAVE_GNUTLS_AES_CFB8
-#include "lib/crypto/aes.h"
-#endif
-
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
uint8_t *data,
size_t len)
{
-#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t key = {
.data = creds->session_key,
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE] = {0};
-
- AES_set_encrypt_key(creds->session_key, 128, &key);
-
- aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
-
return NT_STATUS_OK;
}
*/
NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
-#ifdef HAVE_GNUTLS_AES_CFB8
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t key = {
.data = creds->session_key,
NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
- AES_KEY key;
- uint8_t iv[AES_BLOCK_SIZE] = {0};
-
- AES_set_encrypt_key(creds->session_key, 128, &key);
-
- aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
-
return NT_STATUS_OK;
}
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
-#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a
static void torture_gnutls_aes_128_cfb_flags(void **state,
const DATA_BLOB session_key,
const DATA_BLOB seq_num_initial,
assert_memory_equal(io.data, clear_initial.data, clear_initial.length);
assert_memory_equal(confounder, confounder_initial.data, confounder_initial.length);
}
-#endif
static void torture_gnutls_aes_128_cfb(void **state)
{
-#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a
const uint8_t _session_key[16] = {
0x8E, 0xE8, 0x27, 0x85, 0x83, 0x41, 0x3C, 0x8D,
0xC9, 0x54, 0x70, 0x75, 0x8E, 0xC9, 0x69, 0x91
clear_initial_trunc,
crypt_expected_trunc);
}
-#endif
}
static void torture_gnutls_des_crypt56(void **state)
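Review bot: Both deleted `#if` guards in this test file also carried `GNUTLS_VERSION_NUMBER > 0x03060a`, and nothing visible replaces that version floor. The runtime code in the other files was gated only on `HAVE_GNUTLS_AES_CFB8`, and the configure hunk drops the `GNUTLS_CIPHER_AES_128_CFB8` probe as well. A GnuTLS without that cipher would therefore fail at compile time instead of at configure, and one at or below 0x03060a would now build and run these known-answer tests. If the project's minimum GnuTLS version (not shown here) is already above 0x03060a, the removal is fine. Otherwise keep a hard check near the includes, for example `#if GNUTLS_VERSION_NUMBER <= 0x03060a` / `#error "GnuTLS with AES-128-CFB8 support is required"` / `#endif`.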
msg='Checking for gnutls fips mode support')
del os.environ['GNUTLS_FORCE_FIPS_MODE']
-if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h', lib='gnutls'):
- conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
-else:
- Logs.warn('No gnutls support for AES CFB8')
-
if conf.CHECK_VALUEOF('GNUTLS_MAC_AES_CMAC_128', headers='gnutls/gnutls.h', lib='gnutls'):
conf.DEFINE('HAVE_GNUTLS_AES_CMAC', 1)
else: