s3:rpc_client: Implement init_samr_CryptPasswordAES()
authorAndreas Schneider <asn@samba.org>
Fri, 30 Jul 2021 14:24:37 +0000 (16:24 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 28 Jul 2022 11:51:29 +0000 (11:51 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/rpc_client/init_samr.c
source3/rpc_client/init_samr.h

index a98d50e3f6a714de24516463546958a160e73ebe..68f42b602b3bf1da6877b27d5797fc0fbb020020 100644 (file)
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "rpc_client/init_samr.h"
+#include "librpc/rpc/dcerpc_samr.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -75,3 +76,58 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
 
        return NT_STATUS_OK;
 }
+
+NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+                                   const char *password,
+                                   DATA_BLOB *session_key,
+                                   struct samr_EncryptedPasswordAES *ppwd_buf)
+{
+       uint8_t pw_data[514] = {0};
+       DATA_BLOB plaintext = {
+               .data = pw_data,
+               .length = sizeof(pw_data),
+       };
+       size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC);
+       uint8_t iv_data[iv_size];
+       DATA_BLOB iv = {
+               .data = iv_data,
+               .length = iv_size,
+       };
+       DATA_BLOB ciphertext = data_blob_null;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       bool ok;
+
+       if (ppwd_buf == NULL) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       generate_nonce_buffer(iv.data, iv.length);
+
+       ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE);
+       if (!ok) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       status = samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(
+                       mem_ctx,
+                       &plaintext,
+                       session_key,
+                       &samr_aes256_enc_key_salt,
+                       &samr_aes256_mac_key_salt,
+                       &iv,
+                       &ciphertext,
+                       ppwd_buf->auth_data);
+       BURN_DATA(pw_data);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       ppwd_buf->cipher_len = ciphertext.length;
+       ppwd_buf->cipher = ciphertext.data;
+       ppwd_buf->PBKDF2Iterations = 0;
+
+       SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt));
+       memcpy(ppwd_buf->salt, iv.data, iv.length);
+
+       return NT_STATUS_OK;
+}
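Review bot: The early return when `encode_pwd_buffer514_from_str` fails skips `BURN_DATA(pw_data)`, so whatever the encoder had already written into the 514-byte stack buffer before failing is left in place; I cannot see from here how far it gets before returning false, so the safe form is `if (!ok) { BURN_DATA(pw_data); return NT_STATUS_INTERNAL_ERROR; }` or a single cleanup label that both failure paths fall through. The `SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt))` only runs after the encrypt call has already allocated `ciphertext` on `mem_ctx`; placing that check right after `iv_size` is computed, and ahead of the `uint8_t iv_data[iv_size]` VLA, would abort before any work and would also rule out a zero-length VLA should `gnutls_cipher_get_iv_size` ever return 0. Since the ciphertext ends up in `ppwd_buf->cipher` but is owned by `mem_ctx`, a one-line comment above the assignment such as `/* cipher is talloc'd on mem_ctx, not on ppwd_buf */` would make the ownership explicit for callers.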
index 3f0dc847dd29149370071e1bd04e9f19ab1abb58..940534e71681a3d0a91fd7f30f30e6eb0ba646e0 100644 (file)
@@ -29,4 +29,25 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
                                 DATA_BLOB *session_key,
                                 struct samr_CryptPassword *pwd_buf);
 
+/**
+ * @brief Initialize a AES encrypted password structure.
+ *
+ * This takes a password and a session key and encrypts the password. The
+ * encrypted password is then stored in the encrypted passwors structure.
+ *
+ * @param mem_ctx       The memory context to allocate the password buffer on.
+ *
+ * @param password      The password to encrypt.
+ *
+ * @param session_key   The session key used to encrypt the password.
+ *
+ * @param ppwd_buf      A pointer to the talloc allocated password structure.
+ *
+ * @return On success NT_STATUS_OK, an error status code otherwise.
+ */
+NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+                                   const char *password,
+                                   DATA_BLOB *session_key,
+                                   struct samr_EncryptedPasswordAES *ppwd_buf);
+
 #endif /* _RPC_CLIENT_INIT_SAMR_H_ */
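Review bot: The new doc comment has two wording errors in its description: `a AES encrypted` should read `an AES encrypted`, and `encrypted passwors structure` should read `encrypted password structure`. The `@param ppwd_buf` line describes the argument as "the talloc allocated password structure", but the implementation in init_samr.c only fills the structure the caller passes in and allocates the cipher buffer it points to on `mem_ctx`; suggest `@param ppwd_buf      Pointer to the structure to fill; the cipher buffer it receives is allocated on mem_ctx.` so callers know which context owns the ciphertext.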