From: Andreas Schneider
Date: Fri, 30 Jul 2021 14:24:37 +0000 (+0200)
Subject: s3:rpc_client: Implement init_samr_CryptPasswordAES()
X-Git-Tag: samba-4.17.0rc1~228
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2454b86c8825db21e366bfeaf431e1a0d69d1e49;p=thirdparty%2Fsamba.git

s3:rpc_client: Implement init_samr_CryptPasswordAES()

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---

diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index a98d50e3f6a..68f42b602b3 100644
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "rpc_client/init_samr.h"
+#include "librpc/rpc/dcerpc_samr.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include 
@@ -75,3 +76,58 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
 
 return NT_STATUS_OK;
 }
+
+NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ const char *password,
+ DATA_BLOB *session_key,
+ struct samr_EncryptedPasswordAES *ppwd_buf)
+{
+ uint8_t pw_data[514] = {0};
+ DATA_BLOB plaintext = {
+ .data = pw_data,
+ .length = sizeof(pw_data),
+ };
+ size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC);
+ uint8_t iv_data[iv_size];
+ DATA_BLOB iv = {
+ .data = iv_data,
+ .length = iv_size,
+ };
+ DATA_BLOB ciphertext = data_blob_null;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool ok;
+
+ if (ppwd_buf == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ generate_nonce_buffer(iv.data, iv.length);
+
+ ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(
+ mem_ctx,
+ &plaintext,
+ session_key,
+ &samr_aes256_enc_key_salt,
+ &samr_aes256_mac_key_salt,
+ &iv,
+ &ciphertext,
+ ppwd_buf->auth_data);
+ BURN_DATA(pw_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ ppwd_buf->cipher_len = ciphertext.length;
+ ppwd_buf->cipher = ciphertext.data;
+ ppwd_buf->PBKDF2Iterations = 0;
+
+ SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt));
+ memcpy(ppwd_buf->salt, iv.data, iv.length);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 3f0dc847dd2..940534e7168 100644
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
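Review bot: The early return after `encode_pwd_buffer514_from_str()` fails leaves whatever the encoder already wrote of the password in the stack buffer `pw_data`, because `BURN_DATA(pw_data)` only runs on the path that reaches the encrypt call; the error branch should be `if (!ok) { BURN_DATA(pw_data); return NT_STATUS_INTERNAL_ERROR; }`. `session_key` is not validated although `ppwd_buf` is, so unless `samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()` rejects a NULL or empty key itself, a `if (session_key == NULL || session_key->length == 0) return NT_STATUS_INVALID_PARAMETER;` guard next to the `ppwd_buf` check would keep the password from being wrapped under a missing key. The `SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt))` is only evaluated after the nonce has been generated and the encryption has run; placed right after the `iv_size` declaration it would fail before any work with the IV and would also keep the VLA `iv_data[iv_size]` from being declared with a zero size. A short comment on `ppwd_buf->PBKDF2Iterations = 0;` saying why no key stretching is applied on this path (presumably because the keys are derived from the session key with the fixed salts above — worth confirming against MS-SAMR) would help future readers.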
@@ -29,4 +29,25 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
 DATA_BLOB *session_key,
 struct samr_CryptPassword *pwd_buf);
 
+/**
+ * @brief Initialize a AES encrypted password structure.
+ *
+ * This takes a password and a session key and encrypts the password. The
+ * encrypted password is then stored in the encrypted passwors structure.
+ *
+ * @param mem_ctx The memory context to allocate the password buffer on.
+ *
+ * @param password The password to encrypt.
+ *
+ * @param session_key The session key used to encrypt the password.
+ *
+ * @param ppwd_buf A pointer to the talloc allocated password structure.
+ *
+ * @return On success NT_STATUS_OK, an error status code otherwise.
+ */
+NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ const char *password,
+ DATA_BLOB *session_key,
+ struct samr_EncryptedPasswordAES *ppwd_buf);
+
 #endif /* _RPC_CLIENT_INIT_SAMR_H_ */
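Review bot: The new doc comment has two typos: `@brief Initialize a AES encrypted password structure.` should read `an AES`, and `stored in the encrypted passwors structure` should read `password`. The comment is also the place to state who owns the ciphertext, since the implementation stores the buffer it gets back from the encrypt helper in `ppwd_buf->cipher`; something like `@param mem_ctx The memory context the ciphertext stored in ppwd_buf->cipher is allocated on; the caller owns it.` — that the buffer lives on `mem_ctx` is inferred from the helper receiving `mem_ctx`, so confirm against the helper before wording it that way. It would also be worth noting on `@param session_key` that the key must be present and non-empty, as the prototype gives callers no other hint that encrypting under an absent key is not supported.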