From 31bac316daa1b5bbf70d62950cebee655b3c1d95 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 27 Jun 2019 15:05:49 +1200
Subject: [PATCH] lib/crypto: Add GnuTLS helper function samba_gnutls_arcfour_confounded_md5()

This will avoid duplicated code as we convert arcfour_crypt_blob() into direct GnuTLS calls

Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
---
 lib/crypto/gnutls_arcfour_confounded_md5.c | 75 ++++++++++++++++++++++
 lib/crypto/gnutls_helpers.h | 5 ++
 lib/crypto/wscript_build | 7 +-
 3 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 lib/crypto/gnutls_arcfour_confounded_md5.c

diff --git a/lib/crypto/gnutls_arcfour_confounded_md5.c b/lib/crypto/gnutls_arcfour_confounded_md5.c
new file mode 100644
index 00000000000..27fede2656e
--- /dev/null
+++ b/lib/crypto/gnutls_arcfour_confounded_md5.c
@@ -0,0 +1,75 @@
+/*
+ Unix SMB/CIFS implementation.
+ Wrapper for gnutls hash and encryption functions
+
+ Copyright (C) Stefan Metzmacher 2007
+ Copyright (C) Andrew Bartlett 2009-2019
+ Copyright (c) Andreas Schneider 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+*/
+
+/*
+ * This (arcfour over data with a key combined from two imputs, one
+ * the key another the confounder), is a common pattern in pre-AES
+ * windows cryptography
+ *
+ * Some protocols put the confounder first, others second so both
+ * parameters are named key_input here.
+ *
+ */
+
+#include "includes.h"
+#include "lib/util/data_blob.h"
+#include
+#include
+#include "gnutls_helpers.h"
+#include "arcfour.h"
+#include "lib/util/memory.h"
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+ const DATA_BLOB *key_input2,
+ DATA_BLOB *data)
+{
+ int rc;
+ gnutls_hash_hd_t hash_hnd = NULL;
+ uint8_t confounded_key[16];
+ DATA_BLOB confounded_key_as_blob
+ = data_blob_const(confounded_key,
+ sizeof(confounded_key));
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input1->data, key_input1->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+ rc = gnutls_hash(hash_hnd, key_input2->data, key_input2->length);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return rc;
+ }
+
+ gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data);
+
+ arcfour_crypt_blob(data->data, data->length,
+ &confounded_key_as_blob);
+
+ ZERO_ARRAY(confounded_key);
+
+ return 0;
+}
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index e1a17168297..fedbb5307e0 100644
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -36,4 +36,9 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
 #define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
 _gnutls_error_to_werror(gnutls_rc, blocked_werr, \
 __FUNCTION__, __location__)
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+ const DATA_BLOB *key_input2,
+ DATA_BLOB *data);
+
 #endif /* _GNUTLS_HELPERS_H */
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index e482bbfd487..a263d08f638 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
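Review bot: In lib/crypto/gnutls_arcfour_confounded_md5.c, every early return of samba_gnutls_arcfour_confounded_md5() happens before arcfour_crypt_blob(), so on failure `data` is left exactly as the caller passed it and the negative GnuTLS code is the only signal; a caller that drops the return value would carry on with a buffer that was never encrypted or decrypted. Neither the file comment nor the new prototype in lib/crypto/gnutls_helpers.h states this contract, so I would document it on the prototype, e.g. `/* RC4-crypts data in place with key MD5(key_input1 || key_input2); returns 0, or a negative GnuTLS error with data unchanged. */`, and consider marking the declaration with the compiler's warn-unused-result attribute so that ignored failures surface at build time. Separately, `gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data);` writes the digest through a blob created with data_blob_const(); passing `confounded_key` directly would show which buffer is being filled and keep the blob read-only, as its constructor name suggests.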
@@ -6,8 +6,11 @@ if bld.CONFIG_SET("HAVE_AESNI_INTEL"): extra_deps += ' aesni-intel' bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', - source='gnutls_error.c', - deps='gnutls samba-errors'); + source=''' + gnutls_error.c + gnutls_arcfour_confounded_md5.c + ''', + deps='gnutls samba-errors LIBCRYPTO'); bld.SAMBA_SUBSYSTEM('LIBCRYPTO', source='''md4.c arcfour.c -- 2.34.1