From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Nov 2019 09:28:59 +0000 (+0100)
Subject: s3:winbind: Replace E_md5hash() with GnuTLS calls
X-Git-Tag: ldb-2.1.0~695
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4199d1040f09b5d95522d0cbdbaeec78b7d7b9a6;p=thirdparty%2Fsamba.git

s3:winbind: Replace E_md5hash() with GnuTLS calls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 28b77fc2e93..771a130bd6e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -48,6 +48,9 @@
 #include "param/param.h"
 #include "messaging/messaging.h"
 
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
@@ -1086,7 +1089,25 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 		/* In this case we didn't store the nt_hash itself,
 		   but the MD5 combination of salt + nt_hash. */
 		uchar salted_hash[NT_HASH_LEN];
-		E_md5hash(cached_salt, new_nt_pass, salted_hash);
+		gnutls_hash_hd_t hash_hnd = NULL;
+		int rc;
+
+		rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+		if (rc < 0) {
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+
+		rc = gnutls_hash(hash_hnd, cached_salt, 16);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+		rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+		}
+		gnutls_hash_deinit(hash_hnd, salted_hash);
 
 		password_good = (memcmp(cached_nt_pass, salted_hash,
 					NT_HASH_LEN) == 0);