From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Tue, 9 Jul 2019 13:01:10 +0200

Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf)

---

 libcli/auth/proto.h      |  7 +++++++

 libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++

 2 files changed, 49 insertions(+)

diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h

index a67c89d8552..67caaca8c41 100644

--- a/libcli/auth/proto.h

+++ b/libcli/auth/proto.h

@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,

 		      size_t *new_pw_len,

 		      charset_t string_charset);

+/***********************************************************

+ Encode an arc4 password change buffer.

+************************************************************/

+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,

+				  const DATA_BLOB *session_key,

+				  struct samr_CryptPasswordEx *out_crypt_pwd);

+

 /***********************************************************

  Decode an arc4 encrypted password change buffer.

 ************************************************************/

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c

index b7b17130f07..793012553b2 100644

--- a/libcli/auth/smbencrypt.c

+++ b/libcli/auth/smbencrypt.c

@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,

 	return true;

 }

+/***********************************************************

+ Encode an arc4 password change buffer.

+************************************************************/

+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,

+				  const DATA_BLOB *session_key,

+				  struct samr_CryptPasswordEx *out_crypt_pwd)

+{

+	uint8_t _confounder[16] = {0};

+	DATA_BLOB confounder = data_blob_const(_confounder, 16);

+	DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);

+	bool ok;

+	int rc;

+

+	ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);

+	if (!ok) {

+		return NT_STATUS_INVALID_PARAMETER;

+	}

+

+	generate_random_buffer(confounder.data, confounder.length);

+

+	rc = samba_gnutls_arcfour_confounded_md5(&confounder,

+						 session_key,

+						 &pw_data,

+						 SAMBA_GNUTLS_ENCRYPT);

+	if (rc < 0) {

+		ZERO_ARRAY(_confounder);

+		data_blob_clear(&pw_data);

+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);

+	}

+

+	/*

+	 * The packet format is the 516 byte RC4 encrypted

+	 * pasword followed by the 16 byte counfounder

+	 * The confounder is a salt to prevent pre-computed hash attacks on the

+	 * database.

+	 */

+	memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);

+	ZERO_ARRAY(_confounder);

+

+	return NT_STATUS_OK;

+}

+

 /***********************************************************

  Decode an arc4 encrypted password change buffer.

 ************************************************************/

-- 

2.23.0