|
 |
1524bc |
From 6e0fa4cf34ffb9a3f453269f8bd19b4aaf4be030 Mon Sep 17 00:00:00 2001
|
|
|
1524bc |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
1524bc |
Date: Wed, 20 Nov 2019 15:28:39 +0100
|
|
|
1524bc |
Subject: [PATCH 182/187] smbdes: convert E_old_pw_hash to use gnutls
|
|
|
1524bc |
|
|
|
1524bc |
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
|
1524bc |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
1524bc |
(cherry picked from commit dce944e8a1119034f184336f6b71a28080152a0a)
|
|
|
1524bc |
---
|
|
|
1524bc |
libcli/auth/proto.h | 2 +-
|
|
|
1524bc |
libcli/auth/smbdes.c | 12 +++-
|
|
|
1524bc |
libcli/auth/tests/test_gnutls.c | 4 +-
|
|
|
1524bc |
source3/libsmb/clirap.c | 6 +-
|
|
|
1524bc |
source3/rpc_client/cli_samr.c | 66 +++++++++++++++++---
|
|
|
1524bc |
source3/rpc_server/samr/srv_samr_chgpasswd.c | 18 +++++-
|
|
|
1524bc |
source3/utils/ntlm_auth.c | 14 ++++-
|
|
|
1524bc |
source4/libnet/libnet_passwd.c | 30 +++++++--
|
|
|
1524bc |
source4/rpc_server/samr/samr_password.c | 16 ++++-
|
|
|
1524bc |
9 files changed, 140 insertions(+), 28 deletions(-)
|
|
|
1524bc |
|
|
|
1524bc |
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
|
|
|
1524bc |
index 2ea4eca822a..5e88d7527fd 100644
|
|
|
1524bc |
--- a/libcli/auth/proto.h
|
|
|
1524bc |
+++ b/libcli/auth/proto.h
|
|
|
1524bc |
@@ -225,7 +225,7 @@ int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], const uint8_t key[7]
|
|
|
1524bc |
enum samba_gnutls_direction encrypt);
|
|
|
1524bc |
int E_P16(const uint8_t *p14,uint8_t *p16);
|
|
|
1524bc |
int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
|
|
|
1524bc |
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
|
|
|
1524bc |
+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
|
|
|
1524bc |
int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
|
|
|
1524bc |
void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
|
|
|
1524bc |
void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
|
|
|
1524bc |
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
|
|
|
1524bc |
index 6a4f4d1d42a..ec922da4727 100644
|
|
|
1524bc |
--- a/libcli/auth/smbdes.c
|
|
|
1524bc |
+++ b/libcli/auth/smbdes.c
|
|
|
1524bc |
@@ -391,10 +391,16 @@ int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
|
|
|
1524bc |
return des_crypt56_gnutls(p24+16, c8, p21+14, SAMBA_GNUTLS_ENCRYPT);
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
|
|
|
1524bc |
+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
|
|
|
1524bc |
{
|
|
|
1524bc |
- des_crypt56(out, in, p14, 1);
|
|
|
1524bc |
- des_crypt56(out+8, in+8, p14+7, 1);
|
|
|
1524bc |
+ int ret;
|
|
|
1524bc |
+
|
|
|
1524bc |
+ ret = des_crypt56_gnutls(out, in, p14, SAMBA_GNUTLS_ENCRYPT);
|
|
|
1524bc |
+ if (ret != 0) {
|
|
|
1524bc |
+ return ret;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+
|
|
|
1524bc |
+ return des_crypt56_gnutls(out+8, in+8, p14+7, SAMBA_GNUTLS_ENCRYPT);
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
/* des encryption with a 128 bit key */
|
|
|
1524bc |
diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
|
|
|
1524bc |
index d9acfb67075..087afee09db 100644
|
|
|
1524bc |
--- a/libcli/auth/tests/test_gnutls.c
|
|
|
1524bc |
+++ b/libcli/auth/tests/test_gnutls.c
|
|
|
1524bc |
@@ -343,8 +343,10 @@ static void torture_gnutls_E_old_pw_hash(void **state)
|
|
|
1524bc |
0x37, 0xEF, 0xBE, 0x58, 0xC2, 0x59, 0x33, 0xEC
|
|
|
1524bc |
};
|
|
|
1524bc |
uint8_t crypt[16];
|
|
|
1524bc |
+ int rc;
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(key, clear, crypt);
|
|
|
1524bc |
+ rc = E_old_pw_hash(key, clear, crypt);
|
|
|
1524bc |
+ assert_int_equal(rc, 0);
|
|
|
1524bc |
assert_memory_equal(crypt, crypt_expected, 16);
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
|
|
|
1524bc |
index c0b9dcdff39..bf2a9ed4fdc 100644
|
|
|
1524bc |
--- a/source3/libsmb/clirap.c
|
|
|
1524bc |
+++ b/source3/libsmb/clirap.c
|
|
|
1524bc |
@@ -569,7 +569,11 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
|
|
|
1524bc |
*/
|
|
|
1524bc |
E_deshash(new_password, new_pw_hash);
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]);
|
|
|
1524bc |
+ rc = E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ DBG_ERR("E_old_pw_hash failed: %s\n", gnutls_strerror(rc));
|
|
|
1524bc |
+ return false;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
data_len = 532;
|
|
|
1524bc |
|
|
|
1524bc |
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c
|
|
|
1524bc |
index 452e9593f6a..8a151c751f5 100644
|
|
|
1524bc |
--- a/source3/rpc_client/cli_samr.c
|
|
|
1524bc |
+++ b/source3/rpc_client/cli_samr.c
|
|
|
1524bc |
@@ -39,6 +39,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
NTSTATUS *presult)
|
|
|
1524bc |
{
|
|
|
1524bc |
NTSTATUS status;
|
|
|
1524bc |
+ int rc;
|
|
|
1524bc |
struct samr_Password hash1, hash2, hash3, hash4, hash5, hash6;
|
|
|
1524bc |
|
|
|
1524bc |
uint8_t old_nt_hash[16] = {0};
|
|
|
1524bc |
@@ -54,12 +55,36 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
E_deshash(oldpassword, old_lm_hash);
|
|
|
1524bc |
E_deshash(newpassword, new_lm_hash);
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
|
|
|
1524bc |
- E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash);
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash);
|
|
|
1524bc |
- E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash);
|
|
|
1524bc |
- E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash);
|
|
|
1524bc |
- E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ rc = E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ rc = E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ rc = E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
+ rc = E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
status = dcerpc_samr_ChangePasswordUser(h,
|
|
|
1524bc |
mem_ctx,
|
|
|
1524bc |
@@ -76,6 +101,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
&hash6,
|
|
|
1524bc |
presult);
|
|
|
1524bc |
|
|
|
1524bc |
+done:
|
|
|
1524bc |
ZERO_ARRAY(old_nt_hash);
|
|
|
1524bc |
ZERO_ARRAY(old_lm_hash);
|
|
|
1524bc |
ZERO_ARRAY(new_nt_hash);
|
|
|
1524bc |
@@ -117,6 +143,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
NTSTATUS *presult)
|
|
|
1524bc |
{
|
|
|
1524bc |
NTSTATUS status;
|
|
|
1524bc |
+ int rc;
|
|
|
1524bc |
struct samr_CryptPassword new_nt_password;
|
|
|
1524bc |
struct samr_CryptPassword new_lm_password;
|
|
|
1524bc |
struct samr_Password old_nt_hash_enc;
|
|
|
1524bc |
@@ -153,7 +180,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
return status;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
} else {
|
|
|
1524bc |
ZERO_STRUCT(new_lm_password);
|
|
|
1524bc |
ZERO_STRUCT(old_lanman_hash_enc);
|
|
|
1524bc |
@@ -165,7 +196,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
if (!NT_STATUS_IS_OK(status)) {
|
|
|
1524bc |
return status;
|
|
|
1524bc |
}
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
status = dcerpc_samr_ChangePasswordUser2(h,
|
|
|
1524bc |
mem_ctx,
|
|
|
1524bc |
@@ -178,6 +213,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user2(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
&old_lanman_hash_enc,
|
|
|
1524bc |
presult);
|
|
|
1524bc |
|
|
|
1524bc |
+done:
|
|
|
1524bc |
ZERO_STRUCT(new_nt_password);
|
|
|
1524bc |
ZERO_STRUCT(new_lm_password);
|
|
|
1524bc |
ZERO_STRUCT(old_nt_hash_enc);
|
|
|
1524bc |
@@ -312,6 +348,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
NTSTATUS *presult)
|
|
|
1524bc |
{
|
|
|
1524bc |
NTSTATUS status;
|
|
|
1524bc |
+ int rc;
|
|
|
1524bc |
|
|
|
1524bc |
struct samr_CryptPassword new_nt_password;
|
|
|
1524bc |
struct samr_CryptPassword new_lm_password;
|
|
|
1524bc |
@@ -350,7 +387,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
return status;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
} else {
|
|
|
1524bc |
ZERO_STRUCT(new_lm_password);
|
|
|
1524bc |
ZERO_STRUCT(old_lanman_hash_enc);
|
|
|
1524bc |
@@ -363,7 +404,11 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
return status;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto done;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
status = dcerpc_samr_ChangePasswordUser3(h,
|
|
|
1524bc |
mem_ctx,
|
|
|
1524bc |
@@ -379,6 +424,7 @@ NTSTATUS dcerpc_samr_chgpasswd_user3(struct dcerpc_binding_handle *h,
|
|
|
1524bc |
reject,
|
|
|
1524bc |
presult);
|
|
|
1524bc |
|
|
|
1524bc |
+done:
|
|
|
1524bc |
ZERO_STRUCT(new_nt_password);
|
|
|
1524bc |
ZERO_STRUCT(new_lm_password);
|
|
|
1524bc |
ZERO_STRUCT(old_nt_hash_enc);
|
|
|
1524bc |
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
|
1524bc |
index 8c9cf73bdd8..79d4b3068e5 100644
|
|
|
1524bc |
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
|
1524bc |
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
|
1524bc |
@@ -804,7 +804,11 @@ static NTSTATUS check_oem_password(const char *user,
|
|
|
1524bc |
/*
|
|
|
1524bc |
* check the NT verifier
|
|
|
1524bc |
*/
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, nt_pw, verifier);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, nt_pw, verifier);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
|
|
|
1524bc |
+ return gnutls_error_to_ntstatus(rc, status);
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(verifier, old_nt_hash_encrypted, 16)) {
|
|
|
1524bc |
DEBUG(0, ("check_oem_password: old nt "
|
|
|
1524bc |
"password doesn't match.\n"));
|
|
|
1524bc |
@@ -831,7 +835,11 @@ static NTSTATUS check_oem_password(const char *user,
|
|
|
1524bc |
/*
|
|
|
1524bc |
* check the lm verifier
|
|
|
1524bc |
*/
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, lanman_pw, verifier);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, lanman_pw, verifier);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
|
|
|
1524bc |
+ return gnutls_error_to_ntstatus(rc, status);
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(verifier, old_lm_hash_encrypted, 16)) {
|
|
|
1524bc |
DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
|
|
|
1524bc |
return NT_STATUS_WRONG_PASSWORD;
|
|
|
1524bc |
@@ -851,7 +859,11 @@ static NTSTATUS check_oem_password(const char *user,
|
|
|
1524bc |
/*
|
|
|
1524bc |
* check the lm verifier
|
|
|
1524bc |
*/
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, lanman_pw, verifier);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, lanman_pw, verifier);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
|
|
|
1524bc |
+ return gnutls_error_to_ntstatus(rc, status);
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(verifier, old_lm_hash_encrypted, 16)) {
|
|
|
1524bc |
DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
|
|
|
1524bc |
return NT_STATUS_WRONG_PASSWORD;
|
|
|
1524bc |
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
|
|
|
1524bc |
index 8a6218ac9ec..22258b3b84c 100644
|
|
|
1524bc |
--- a/source3/utils/ntlm_auth.c
|
|
|
1524bc |
+++ b/source3/utils/ntlm_auth.c
|
|
|
1524bc |
@@ -1993,8 +1993,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
|
|
1524bc |
gnutls_cipher_deinit(cipher_hnd);
|
|
|
1524bc |
return;
|
|
|
1524bc |
}
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_lm_hash,
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_lm_hash,
|
|
|
1524bc |
old_lm_hash_enc.data);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ DBG_ERR("E_old_pw_hash failed: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(rc));
|
|
|
1524bc |
+ return;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
} else {
|
|
|
1524bc |
new_lm_pswd.data = NULL;
|
|
|
1524bc |
new_lm_pswd.length = 0;
|
|
|
1524bc |
@@ -2012,8 +2017,13 @@ static void manage_ntlm_change_password_1_request(enum stdio_helper_mode stdio_h
|
|
|
1524bc |
if (rc < 0) {
|
|
|
1524bc |
return;
|
|
|
1524bc |
}
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash,
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash,
|
|
|
1524bc |
old_nt_hash_enc.data);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ DBG_ERR("E_old_pw_hash failed: %s\n",
|
|
|
1524bc |
+ gnutls_strerror(rc));
|
|
|
1524bc |
+ return;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
ZERO_ARRAY(old_nt_hash);
|
|
|
1524bc |
ZERO_ARRAY(old_lm_hash);
|
|
|
1524bc |
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
|
|
|
1524bc |
index 704a94a5864..868f9442cd0 100644
|
|
|
1524bc |
--- a/source4/libnet/libnet_passwd.c
|
|
|
1524bc |
+++ b/source4/libnet/libnet_passwd.c
|
|
|
1524bc |
@@ -115,7 +115,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
|
1524bc |
goto disconnect;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto disconnect;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
|
|
|
1524bc |
|
|
|
1524bc |
@@ -137,7 +141,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
|
1524bc |
goto disconnect;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto disconnect;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
pw3.in.server = &server;
|
|
|
1524bc |
pw3.in.account = &account;
|
|
|
1524bc |
@@ -189,7 +197,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
|
1524bc |
goto disconnect;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto disconnect;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
|
|
|
1524bc |
|
|
|
1524bc |
@@ -210,7 +222,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
|
1524bc |
goto disconnect;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto disconnect;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
pw2.in.server = &server;
|
|
|
1524bc |
pw2.in.account = &account;
|
|
|
1524bc |
@@ -260,7 +276,11 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
|
1524bc |
goto disconnect;
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto disconnect;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
|
|
|
1524bc |
oe2.in.server = &a_server;
|
|
|
1524bc |
oe2.in.account = &a_account;
|
|
|
1524bc |
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
|
|
|
1524bc |
index b04e37f06f3..4fa00bf6360 100644
|
|
|
1524bc |
--- a/source4/rpc_server/samr/samr_password.c
|
|
|
1524bc |
+++ b/source4/rpc_server/samr/samr_password.c
|
|
|
1524bc |
@@ -235,7 +235,11 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
|
|
1524bc |
new_unicode_password.length = unicode_pw_len;
|
|
|
1524bc |
|
|
|
1524bc |
E_deshash(new_pass, new_lm_hash);
|
|
|
1524bc |
- E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto failed;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
|
|
|
1524bc |
authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx));
|
|
|
1524bc |
status = NT_STATUS_WRONG_PASSWORD;
|
|
|
1524bc |
@@ -442,6 +446,10 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
|
|
|
1524bc |
mdfour(new_nt_hash, new_password.data, new_password.length);
|
|
|
1524bc |
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto failed;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
|
|
|
1524bc |
status = NT_STATUS_WRONG_PASSWORD;
|
|
|
1524bc |
goto failed;
|
|
|
1524bc |
@@ -460,7 +468,11 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
|
|
|
1524bc |
new_password.length,
|
|
|
1524bc |
(void **)&new_pass, &converted_size)) {
|
|
|
1524bc |
E_deshash(new_pass, new_lm_hash);
|
|
|
1524bc |
- E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
|
|
|
1524bc |
+ rc = E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
|
|
|
1524bc |
+ if (rc != 0) {
|
|
|
1524bc |
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
|
|
|
1524bc |
+ goto failed;
|
|
|
1524bc |
+ }
|
|
|
1524bc |
if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
|
|
|
1524bc |
status = NT_STATUS_WRONG_PASSWORD;
|
|
|
1524bc |
goto failed;
|
|
|
1524bc |
--
|
|
|
1524bc |
2.23.0
|
|
|
1524bc |
|