lib/crypto: Use GnuTLS RC4 for samba_gnutls_arcfour_confounded_md5()
authorAndrew Bartlett <abartlet@samba.org>
Thu, 27 Jun 2019 04:45:33 +0000 (16:45 +1200)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 27 Jun 2019 12:54:23 +0000 (12:54 +0000)
This allows Samba to use GnuTLS for drsuapi_{en,de}crypt_attribute_value()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
lib/crypto/gnutls_arcfour_confounded_md5.c
lib/crypto/gnutls_helpers.h
lib/crypto/wscript_build
libcli/drsuapi/repl_decrypt.c

index 27fede2..b99e611 100644 (file)
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 #include "gnutls_helpers.h"
-#include "arcfour.h"
 #include "lib/util/memory.h"
 
 int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
                                        const DATA_BLOB *key_input2,
-                                       DATA_BLOB *data)
+                                       DATA_BLOB *data,
+                                       enum samba_gnutls_direction encrypt)
 {
        int rc;
        gnutls_hash_hd_t hash_hnd = NULL;
        uint8_t confounded_key[16];
-       DATA_BLOB confounded_key_as_blob
-               = data_blob_const(confounded_key,
-                                 sizeof(confounded_key));
+       gnutls_cipher_hd_t cipher_hnd = NULL;
+       gnutls_datum_t confounded_key_datum = {
+               .data = confounded_key,
+               .size = sizeof(confounded_key),
+       };
+
        rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
        if (rc < 0) {
                return rc;
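Review bot: The new parameter is named `encrypt` but carries an `enum samba_gnutls_direction`, so at the call site it reads like a boolean flag. `SAMBA_GNUTLS_ENCRYPT` is the first enumerator, and the later hunk sends every other value to `gnutls_cipher_decrypt()`, so a caller passing `true` would take the decrypt branch. Naming it for what it holds avoids that misreading: `enum samba_gnutls_direction direction)`, here and in the prototype in lib/crypto/gnutls_helpers.h. The function body continues past the end of this hunk.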
@@ -64,12 +67,27 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
                return rc;
        }
 
-       gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data);
+       gnutls_hash_deinit(hash_hnd, confounded_key);
 
-       arcfour_crypt_blob(data->data, data->length,
-                          &confounded_key_as_blob);
+       rc = gnutls_cipher_init(&cipher_hnd,
+                               GNUTLS_CIPHER_ARCFOUR_128,
+                               &confounded_key_datum,
+                               NULL);
+       if (rc < 0) {
+               return rc;
+       }
 
+       if (encrypt == SAMBA_GNUTLS_ENCRYPT) {
+               rc = gnutls_cipher_encrypt(cipher_hnd,
+                                          data->data,
+                                          data->length);
+       } else {
+               rc = gnutls_cipher_decrypt(cipher_hnd,
+                                          data->data,
+                                          data->length);
+       }
+       gnutls_cipher_deinit(cipher_hnd);
        ZERO_ARRAY(confounded_key);
 
-       return 0;
+       return rc;
 }
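Review bot: The `return rc;` after a failed `gnutls_cipher_init()` leaves the derived RC4 key in `confounded_key` on the stack. `gnutls_hash_deinit()` has already written the MD5 digest into that array, and `ZERO_ARRAY(confounded_key)` is only reached on the path that goes through the cipher calls. Clearing it before the early return closes the gap: add `ZERO_ARRAY(confounded_key);` directly above that `return rc;`. The start of the function and the hash update calls are outside this hunk.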
index fedbb53..b8288c2 100644 (file)
@@ -37,8 +37,14 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
        _gnutls_error_to_werror(gnutls_rc, blocked_werr, \
                                __FUNCTION__, __location__)
 
+enum samba_gnutls_direction {
+       SAMBA_GNUTLS_ENCRYPT,
+       SAMBA_GNUTLS_DECRYPT
+};
+
 int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
                                        const DATA_BLOB *key_input2,
-                                       DATA_BLOB *data);
+                                       DATA_BLOB *data,
+                                       enum samba_gnutls_direction encrypt);
 
 #endif /* _GNUTLS_HELPERS_H */
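Review bot: The new enum and the changed prototype have no comment, so the header does not say that `data` is transformed in place or what the return value means. From the implementation, the buffer behind `data->data` is overwritten by the cipher call and the result is a GnuTLS return code, which both callers test with `rc < 0`. A short block comment above the prototype should state those two facts and that the RC4 key is the MD5 digest produced from the key inputs. It is also worth a one-line comment on the enum, e.g. `/* Selects gnutls_cipher_encrypt() or gnutls_cipher_decrypt() */`.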
index a263d08..2ad8dfe 100644 (file)
@@ -10,7 +10,7 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
                     gnutls_error.c
                     gnutls_arcfour_confounded_md5.c
                     ''',
-                    deps='gnutls samba-errors LIBCRYPTO');
+                    deps='gnutls samba-errors');
 
 bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
         source='''md4.c arcfour.c
index 5425eef..8327536 100644 (file)
@@ -88,7 +88,8 @@ static WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
 
        rc = samba_gnutls_arcfour_confounded_md5(gensec_skey,
                                                 &confounder,
-                                                &dec_buffer);
+                                                &dec_buffer,
+                                                SAMBA_GNUTLS_DECRYPT);
        if (rc < 0) {
                result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
                goto out;
@@ -302,7 +303,8 @@ static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx,
 
        rc = samba_gnutls_arcfour_confounded_md5(gensec_skey,
                                                 &confounder,
-                                                &to_encrypt);
+                                                &to_encrypt,
+                                                SAMBA_GNUTLS_ENCRYPT);
        if (rc < 0) {
                result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
                goto out;