struct netlogon_creds_CredentialState *state,
DATA_BLOB data)
{
+ NTSTATUS status;
+
if (data.data == NULL || data.length == 0) {
DBG_ERR("Nothing to encrypt "
"data.data == NULL or data.length == 0");
data.data,
data.length);
} else if (state->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(state,
- data.data,
- data.length);
+ status = netlogon_creds_arcfour_crypt(state,
+ data.data,
+ data.length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
} else {
DBG_ERR("Unsupported encryption option negotiated");
return NT_STATUS_NOT_SUPPORTED;
/*
ARCFOUR encrypt/decrypt a password buffer using the session key
*/
-void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
+NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len)
{
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t session_key = {
&session_key,
NULL);
if (rc < 0) {
- return;
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
- gnutls_cipher_encrypt(cipher_hnd,
- data,
- len);
+ rc = gnutls_cipher_encrypt(cipher_hnd,
+ data,
+ len);
gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ return NT_STATUS_OK;
}
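Review bot: The block comment at the top of this hunk ("ARCFOUR encrypt/decrypt a password buffer using the session key") still describes a void routine; now that the function returns NTSTATUS the contract should be written down, both here and on the new prototype in the header hunk (`NTSTATUS netlogon_creds_arcfour_crypt(...)`). I would extend the comment with: `Returns NT_STATUS_OK on success, otherwise an NTSTATUS mapped from the GnuTLS error (NT_STATUS_CRYPTO_SYSTEM_INVALID when no closer mapping exists). On failure the contents of data are unspecified, since gnutls_cipher_encrypt may have transformed part of the buffer before reporting the error, so callers must neither transmit nor parse it.` The decrypt callers further down the page (the `else` branches paired with netlogon_creds_aes_decrypt) rely on RC4 being symmetric, which is worth one sentence in the same comment so the next reader does not have to look it up.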
/*
bool do_encrypt)
{
struct netr_SamBaseInfo *base = NULL;
+ NTSTATUS status;
if (validation == NULL) {
return NT_STATUS_INVALID_PARAMETER;
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
if (!all_zero(base->key.key, sizeof(base->key.key))) {
- netlogon_creds_arcfour_crypt(creds,
- base->key.key,
- sizeof(base->key.key));
+ status = netlogon_creds_arcfour_crypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
if (!all_zero(base->LMSessKey.key,
sizeof(base->LMSessKey.key))) {
- netlogon_creds_arcfour_crypt(creds,
- base->LMSessKey.key,
- sizeof(base->LMSessKey.key));
+ status = netlogon_creds_arcfour_crypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
} else {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
union netr_LogonLevel *logon,
bool do_encrypt)
{
+ NTSTATUS status;
+
if (logon == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
h = logon->password->lmpassword.hash;
if (!all_zero(h, 16)) {
- netlogon_creds_arcfour_crypt(creds, h, 16);
+ status = netlogon_creds_arcfour_crypt(creds,
+ h,
+ 16);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
h = logon->password->ntpassword.hash;
if (!all_zero(h, 16)) {
- netlogon_creds_arcfour_crypt(creds, h, 16);
+ status = netlogon_creds_arcfour_crypt(creds,
+ h,
+ 16);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
} else {
struct samr_Password *p;
logon->generic->length);
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- logon->generic->data,
- logon->generic->length);
+ status = netlogon_creds_arcfour_crypt(creds,
+ logon->generic->data,
+ logon->generic->length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
} else {
/* Using DES to verify kerberos tickets makes no sense */
}
state->samr_crypt_password.data,
516);
} else {
- netlogon_creds_arcfour_crypt(&state->tmp_creds,
- state->samr_crypt_password.data,
- 516);
+ status = netlogon_creds_arcfour_crypt(&state->tmp_creds,
+ state->samr_crypt_password.data,
+ 516);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+ return;
+ }
}
memcpy(state->netr_crypt_password.data,
state->opaque.data,
state->opaque.length);
} else {
- netlogon_creds_arcfour_crypt(&state->tmp_creds,
- state->opaque.data,
- state->opaque.length);
+ status = netlogon_creds_arcfour_crypt(&state->tmp_creds,
+ state->opaque.data,
+ state->opaque.length);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_SendToSam_cleanup(req, status);
+ return;
+ }
}
subreq = dcerpc_netr_NetrLogonSendToSam_send(state, state->ev,
void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
-void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
+NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
+ uint8_t *data,
+ size_t len);
void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
DATA_BLOB data;
struct netr_USER_KEYS keys;
enum ndr_err_code ndr_err;
+ NTSTATUS status;
+
data.data = user->user_private_info.SensitiveData;
data.length = user->user_private_info.DataLength;
- netlogon_creds_arcfour_crypt(creds, data.data, data.length);
+
+ status = netlogon_creds_arcfour_crypt(creds,
+ data.data,
+ data.length);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
user->user_private_info.SensitiveData = data.data;
user->user_private_info.DataLength = data.length;
struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
- netlogon_creds_arcfour_crypt(creds, secret->current_cipher.cipher_data,
- secret->current_cipher.maxlen);
+ NTSTATUS status;
- netlogon_creds_arcfour_crypt(creds, secret->old_cipher.cipher_data,
- secret->old_cipher.maxlen);
+ status = netlogon_creds_arcfour_crypt(creds,
+ secret->current_cipher.cipher_data,
+ secret->current_cipher.maxlen);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = netlogon_creds_arcfour_crypt(creds,
+ secret->old_cipher.cipher_data,
+ secret->old_cipher.maxlen);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
return NT_STATUS_OK;
}
struct netr_CryptPassword *pwd_buf)
{
struct samr_CryptPassword password_buf;
+ NTSTATUS status;
encode_pw_buffer(password_buf.data, pwd, STR_UNICODE);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ status = netlogon_creds_arcfour_crypt(creds,
+ password_buf.data,
+ 516);
+ if (!NT_STATUS_IS_OK(status)) {
+ return;
+ }
}
memcpy(pwd_buf->data, password_buf.data, 512);
pwd_buf->length = IVAL(password_buf.data, 512);
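Review bot: The bare `return;` added in the `else` branch swallows the encryption failure: the enclosing function is void (its signature and its callers are outside the hunk), so when netlogon_creds_arcfour_crypt fails the memcpy that follows never runs, `pwd_buf` is left unset, and the caller has no way to learn that it is about to send an unset buffer. Every other call site in this commit propagates the status; this one should too, by making the function return NTSTATUS (`return status;` here and `return NT_STATUS_OK;` after the length assignment) and checking it at the caller. Independently, `password_buf` holds the cleartext password as laid out by encode_pw_buffer and stays on the stack after both the early return and the normal exit; clearing it before returning on both paths would be cheap.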
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
} else {
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ status = netlogon_creds_arcfour_crypt(creds,
+ password_buf.data,
+ 516);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
if (!decode_pw_buffer(p->mem_ctx,
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
} else {
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ nt_status = netlogon_creds_arcfour_crypt(creds,
+ password_buf.data,
+ 516);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
}
switch (creds->secure_channel_type) {
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_decrypt(creds, r->in.opaque_buffer, r->in.buffer_len);
} else {
- netlogon_creds_arcfour_crypt(creds, r->in.opaque_buffer, r->in.buffer_len);
+ nt_status = netlogon_creds_arcfour_crypt(creds,
+ r->in.opaque_buffer,
+ r->in.buffer_len);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
}
decrypted_blob.data = r->in.opaque_buffer;