From ad4505624e07f7a31c27a92c3867d343f2d9e9c3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 27 Jun 2019 16:45:33 +1200 Subject: [PATCH] lib/crypto: Use GnuTLS RC4 for samba_gnutls_arcfour_confounded_md5() This allows Samba to use GnuTLS for drsuapi_{en,de}crypt_attribute_value() Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider --- lib/crypto/gnutls_arcfour_confounded_md5.c | 36 ++++++++++++++++------ lib/crypto/gnutls_helpers.h | 8 ++++- lib/crypto/wscript_build | 2 +- libcli/drsuapi/repl_decrypt.c | 6 ++-- 4 files changed, 39 insertions(+), 13 deletions(-) diff --git a/lib/crypto/gnutls_arcfour_confounded_md5.c b/lib/crypto/gnutls_arcfour_confounded_md5.c index 27fede2656e..b99e611df75 100644 --- a/lib/crypto/gnutls_arcfour_confounded_md5.c +++ b/lib/crypto/gnutls_arcfour_confounded_md5.c @@ -36,19 +36,22 @@ #include #include #include "gnutls_helpers.h" -#include "arcfour.h" #include "lib/util/memory.h" int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, const DATA_BLOB *key_input2, - DATA_BLOB *data) + DATA_BLOB *data, + enum samba_gnutls_direction encrypt) { int rc; gnutls_hash_hd_t hash_hnd = NULL; uint8_t confounded_key[16]; - DATA_BLOB confounded_key_as_blob - = data_blob_const(confounded_key, - sizeof(confounded_key)); + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t confounded_key_datum = { + .data = confounded_key, + .size = sizeof(confounded_key), + }; + rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5); if (rc < 0) { return rc; 
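Review bot: The new last parameter of `samba_gnutls_arcfour_confounded_md5()` is named `encrypt` but carries an `enum samba_gnutls_direction`, whose first enumerator `SAMBA_GNUTLS_ENCRYPT` has the value 0. Anyone who reads or passes it as a boolean gets the opposite direction from the one the name suggests. Naming it for what it is, `enum samba_gnutls_direction direction)`, here and in the prototype in lib/crypto/gnutls_helpers.h, removes that trap. It also avoids reusing the name of the POSIX `encrypt()` function. The function body continues past the end of this hunk.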
@@ -64,12 +67,27 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, return rc; } - gnutls_hash_deinit(hash_hnd, confounded_key_as_blob.data); + gnutls_hash_deinit(hash_hnd, confounded_key); - arcfour_crypt_blob(data->data, data->length, - &confounded_key_as_blob); + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &confounded_key_datum, + NULL); + if (rc < 0) { + return rc; + } + if (encrypt == SAMBA_GNUTLS_ENCRYPT) { + rc = gnutls_cipher_encrypt(cipher_hnd, + data->data, + data->length); + } else { + rc = gnutls_cipher_decrypt(cipher_hnd, + data->data, + data->length); + } + gnutls_cipher_deinit(cipher_hnd); ZERO_ARRAY(confounded_key); - return 0; + return rc; } diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h index fedbb5307e0..b8288c25649 100644 --- a/lib/crypto/gnutls_helpers.h +++ b/lib/crypto/gnutls_helpers.h @@ -37,8 +37,14 @@ WERROR _gnutls_error_to_werror(int gnutls_rc, _gnutls_error_to_werror(gnutls_rc, blocked_werr, \ __FUNCTION__, __location__) +enum samba_gnutls_direction { + SAMBA_GNUTLS_ENCRYPT, + SAMBA_GNUTLS_DECRYPT +}; + int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, const DATA_BLOB *key_input2, - DATA_BLOB *data); + DATA_BLOB *data, + enum samba_gnutls_direction encrypt); #endif /* _GNUTLS_HELPERS_H */ diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build index a263d08f638..2ad8dfe2cd0 100644 --- a/lib/crypto/wscript_build +++ b/lib/crypto/wscript_build @@ -10,7 +10,7 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS', gnutls_error.c gnutls_arcfour_confounded_md5.c ''', - deps='gnutls samba-errors LIBCRYPTO'); + deps='gnutls samba-errors'); bld.SAMBA_SUBSYSTEM('LIBCRYPTO', source='''md4.c arcfour.c diff --git a/libcli/drsuapi/repl_decrypt.c b/libcli/drsuapi/repl_decrypt.c index 5425eef9631..83275360c7d 100644 --- a/libcli/drsuapi/repl_decrypt.c +++ b/libcli/drsuapi/repl_decrypt.c 
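Review bot: The `return rc;` added after a failed `gnutls_cipher_init()` leaves the derived key in `confounded_key` on the stack, because `ZERO_ARRAY(confounded_key)` runs only on the path that reaches the end of the function. By that point `gnutls_hash_deinit(hash_hnd, confounded_key)` has already written the MD5 output, which is the RC4 key, into the buffer. The failure branch should clear it as well: `if (rc < 0) { ZERO_ARRAY(confounded_key); return rc; }`. This path is presumably reachable wherever the GnuTLS build or its policy refuses RC4, so it is not purely theoretical. The function starts before this hunk.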
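Review bot: The prototype in lib/crypto/gnutls_helpers.h now takes four parameters, and neither it nor the new `enum samba_gnutls_direction` has a comment saying what they mean or what the returned `int` is. A short doc comment above the prototype would cover three things. `data` is transformed in place with RC4 (`GNUTLS_CIPHER_ARCFOUR_128`) under a 16-byte MD5-derived key. The last argument selects `gnutls_cipher_encrypt()` versus `gnutls_cipher_decrypt()`. The return value is a GnuTLS error code, negative on failure, which both callers in libcli/drsuapi/repl_decrypt.c hand to `gnutls_error_to_werror()`. If the helper exists only for drsuapi wire compatibility, as the commit message suggests, saying so in that comment would keep RC4 and MD5 from being picked up for new code.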
@@ -88,7 +88,8 @@ static WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx, rc = samba_gnutls_arcfour_confounded_md5(gensec_skey, &confounder, - &dec_buffer); + &dec_buffer, + SAMBA_GNUTLS_DECRYPT); if (rc < 0) { result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); goto out; @@ -302,7 +303,8 @@ static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx, rc = samba_gnutls_arcfour_confounded_md5(gensec_skey, &confounder, - &to_encrypt); + &to_encrypt, + SAMBA_GNUTLS_ENCRYPT); if (rc < 0) { result = gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR); goto out; -- 2.47.2