lib/crypto: Add GnuTLS helper function samba_gnutls_arcfour_confounded_md5()

This will avoid duplicated code as we convert arcfour_crypt_blob() into
direct GnuTLS calls

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/lib/crypto/gnutls_arcfour_confounded_md5.c b/lib/crypto/gnutls_arcfour_confounded_md5.c
new file mode 100644 (file)
index 0000000..27fede2
--- /dev/null
+++ b/lib/crypto/gnutls_arcfour_confounded_md5.c
@@ -0,0 +1,75 @@
+/*
+   Unix SMB/CIFS implementation.
+   Wrapper for gnutls hash and encryption functions
+
+   Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009-2019
+   Copyright (c) Andreas Schneider <asn@samba.org> 2019
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+/*
+ * This (arcfour over data with a key combined from two imputs, one
+ * the key another the confounder), is a common pattern in pre-AES
+ * windows cryptography
+ *
+ * Some protocols put the confounder first, others second so both
+ * parameters are named key_input here.
+ *
+ */
+
+#include "includes.h"
+#include "lib/util/data_blob.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include "gnutls_helpers.h"
+#include "arcfour.h"
+#include "lib/util/memory.h"
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+                                       const DATA_BLOB *key_input2,
+                                       DATA_BLOB *data)
+{
+       int rc;
+       gnutls_hash_hd_t hash_hnd = NULL;
+       uint8_t confounded_key[16];
+       DATA_BLOB confounded_key_as_blob
+               = data_blob_const(confounded_key,
+                                 sizeof(confounded_key));
+       rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       if (rc < 0) {
+               return rc;
+       }
+       rc = gnutls_hash(hash_hnd, key_input1->data, key_input1->length);
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return rc;
+       }
+       rc = gnutls_hash(hash_hnd, key_input2->data, key_input2->length);
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return rc;
+       }
+
+       gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data);
+
+       arcfour_crypt_blob(data->data, data->length,
+                          &confounded_key_as_blob);
+
+       ZERO_ARRAY(confounded_key);
+
+       return 0;
+}

diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h
index e1a1716829757b915e06e18970939b66bf959aa5..fedbb5307e0697acfacf52cadb8b8aa29407b142 100644 (file)
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -36,4 +36,9 @@ WERROR _gnutls_error_to_werror(int gnutls_rc,
 #define gnutls_error_to_werror(gnutls_rc, blocked_werr) \
        _gnutls_error_to_werror(gnutls_rc, blocked_werr, \
                                __FUNCTION__, __location__)
+
+int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1,
+                                       const DATA_BLOB *key_input2,
+                                       DATA_BLOB *data);
+
 #endif /* _GNUTLS_HELPERS_H */

diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index e482bbfd487799a7612f5bf0b88c77423e9ad044..a263d08f6389fc787ca6ff253cc57ec4010af99a 100644 (file)
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -6,8 +6,11 @@ if bld.CONFIG_SET("HAVE_AESNI_INTEL"):
         extra_deps += ' aesni-intel'
 
 bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
-                    source='gnutls_error.c',
-                    deps='gnutls samba-errors');
+                    source='''
+                    gnutls_error.c
+                    gnutls_arcfour_confounded_md5.c
+                    ''',
+                    deps='gnutls samba-errors LIBCRYPTO');
 
 bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
         source='''md4.c arcfour.c