auth:creds: Use GnuTLS MD5 in ntlm creds

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index eed8924567a214c338076f055080cf571a835c66..fa632fdeda3e48c566c98a01ee0a782ab3f11d6b 100644 (file)
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -28,6 +28,9 @@
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_internal.h"
 
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
@@ -152,10 +155,10 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
                        memset(lm_response.data, 0, lm_response.length);
                }
        } else if (*flags & CLI_CRED_NTLM2) {
-               MD5_CTX md5_session_nonce_ctx;
                uint8_t session_nonce[16];
                uint8_t session_nonce_hash[16];
                uint8_t user_session_key[16];
+               int rc;
 
                lm_response = data_blob_talloc_zero(frame, 24);
                if (lm_response.data == NULL) {
@@ -167,10 +170,16 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
                memcpy(session_nonce, challenge.data, 8);
                memcpy(&session_nonce[8], lm_response.data, 8);
 
-               MD5Init(&md5_session_nonce_ctx);
-               MD5Update(&md5_session_nonce_ctx, session_nonce,
-                         sizeof(session_nonce));
-               MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
+               rc = gnutls_hash_fast(GNUTLS_DIG_MD5,
+                                     session_nonce,
+                                     sizeof(session_nonce),
+                                     session_nonce_hash);
+               if (rc < 0) {
+                       if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+                               return NT_STATUS_NTLM_BLOCKED;
+                       }
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
 
                DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
                DEBUG(5, ("challenge is: \n"));
@@ -185,6 +194,8 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
                              session_nonce_hash,
                              nt_response.data);
 
+               ZERO_ARRAY(session_nonce_hash);
+
                session_key = data_blob_talloc_zero(frame, 16);
                if (session_key.data == NULL) {
                        TALLOC_FREE(frame);
@@ -192,8 +203,22 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
                }
 
                SMBsesskeygen_ntv1(nt_hash->hash, user_session_key);
-               hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
-               ZERO_STRUCT(user_session_key);
+
+               rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
+                                     user_session_key,
+                                     sizeof(user_session_key),
+                                     session_nonce,
+                                     sizeof(session_nonce),
+                                     session_key.data);
+               if (rc < 0) {
+                       if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+                               return NT_STATUS_NTLM_BLOCKED;
+                       }
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
+
+               ZERO_ARRAY(user_session_key);
+
                dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
 
                /* LM Key is incompatible... */