b6b438
From 3eb3f3bdabd103c3858323e08a9180913c223e16 Mon Sep 17 00:00:00 2001
b6b438
From: Andreas Schneider <asn@samba.org>
b6b438
Date: Tue, 9 Jul 2019 12:53:31 +0200
b6b438
Subject: [PATCH 016/187] libcli:auth: Pass samr_CryptPasswordEx to
b6b438
 decode_rc4_passwd_buffer()
b6b438
b6b438
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
b6b438
b6b438
Signed-off-by: Andreas Schneider <asn@samba.org>
b6b438
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
b6b438
(cherry picked from commit 79ca72ec3d13fea5d2ad608415757ca9870035a3)
b6b438
---
b6b438
 libcli/auth/proto.h                        |  4 ++--
b6b438
 libcli/auth/smbencrypt.c                   |  8 ++++----
b6b438
 libcli/auth/tests/test_rc4_passwd_buffer.c |  5 +++--
b6b438
 source3/rpc_server/samr/srv_samr_nt.c      | 10 ++++------
b6b438
 4 files changed, 13 insertions(+), 14 deletions(-)
b6b438
b6b438
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
b6b438
index 1bcbeddb228..a67c89d8552 100644
b6b438
--- a/libcli/auth/proto.h
b6b438
+++ b/libcli/auth/proto.h
b6b438
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
b6b438
 /***********************************************************
b6b438
  Decode an arc4 encrypted password change buffer.
b6b438
 ************************************************************/
b6b438
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
b6b438
-				  const DATA_BLOB *psession_key);
b6b438
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
b6b438
+				  struct samr_CryptPasswordEx *inout_crypt_pwd);
b6b438
 
b6b438
 /***********************************************************
b6b438
  encode a password buffer with an already unicode password.  The
b6b438
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
b6b438
index 7e343f71577..b7b17130f07 100644
b6b438
--- a/libcli/auth/smbencrypt.c
b6b438
+++ b/libcli/auth/smbencrypt.c
b6b438
@@ -843,12 +843,12 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
b6b438
  Decode an arc4 encrypted password change buffer.
b6b438
 ************************************************************/
b6b438
 
b6b438
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
b6b438
-				  const DATA_BLOB *psession_key)
b6b438
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
b6b438
+				  struct samr_CryptPasswordEx *inout_crypt_pwd)
b6b438
 {
b6b438
 	/* Confounder is last 16 bytes. */
b6b438
-	DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
b6b438
-	DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
b6b438
+	DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16);
b6b438
+	DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516);
b6b438
 	int rc;
b6b438
 
b6b438
 	rc = samba_gnutls_arcfour_confounded_md5(&confounder,
b6b438
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
b6b438
index eb737703230..3bf371c5dd5 100644
b6b438
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
b6b438
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
b6b438
@@ -114,7 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
b6b438
 	       encrypted_test_blob,
b6b438
 	       sizeof(out_pwd_buf.data));
b6b438
 
b6b438
-	status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
b6b438
+	status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
b6b438
 	assert_true(NT_STATUS_IS_OK(status));
b6b438
 
b6b438
 	ok = decode_pw_buffer(NULL,
b6b438
@@ -143,7 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
b6b438
 					   &out_pwd_buf);
b6b438
 	assert_true(NT_STATUS_IS_OK(status));
b6b438
 
b6b438
-	status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
b6b438
+	status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
b6b438
 	assert_true(NT_STATUS_IS_OK(status));
b6b438
 
b6b438
 	ok = decode_pw_buffer(NULL,
b6b438
@@ -154,6 +154,7 @@ static void torture_rc4_passwd_buffer(void **state)
b6b438
 	assert_true(ok);
b6b438
 	assert_int_equal(password_decoded_len, strlen(PASSWORD));
b6b438
 	assert_string_equal(password_decoded, PASSWORD);
b6b438
+	talloc_free(password_decoded);
b6b438
 }
b6b438
 
b6b438
 int main(int argc, char *argv[])
b6b438
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
b6b438
index 4dc9132511f..fd5c453e0eb 100644
b6b438
--- a/source3/rpc_server/samr/srv_samr_nt.c
b6b438
+++ b/source3/rpc_server/samr/srv_samr_nt.c
b6b438
@@ -5185,9 +5185,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
b6b438
 			if(!NT_STATUS_IS_OK(status)) {
b6b438
 				break;
b6b438
 			}
b6b438
-			status = decode_rc4_passwd_buffer(
b6b438
-				info->info25.password.data,
b6b438
-				&session_key);
b6b438
+			status = decode_rc4_passwd_buffer(&session_key,
b6b438
+					&info->info25.password);
b6b438
 			if (!NT_STATUS_IS_OK(status)) {
b6b438
 				break;
b6b438
 			}
b6b438
@@ -5204,9 +5203,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
b6b438
 			if(!NT_STATUS_IS_OK(status)) {
b6b438
 				break;
b6b438
 			}
b6b438
-			status = decode_rc4_passwd_buffer(
b6b438
-				info->info26.password.data,
b6b438
-				&session_key);
b6b438
+			status = decode_rc4_passwd_buffer(&session_key,
b6b438
+					&info->info26.password);
b6b438
 			if (!NT_STATUS_IS_OK(status)) {
b6b438
 				break;
b6b438
 			}
b6b438
-- 
b6b438
2.23.0
b6b438