From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jul 2019 13:01:10 +0200
Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf)
---
 libcli/auth/proto.h      |  7 +++++++
 libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index a67c89d8552..67caaca8c41 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 		      size_t *new_pw_len,
 		      charset_t string_charset);
 
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+				  const DATA_BLOB *session_key,
+				  struct samr_CryptPasswordEx *out_crypt_pwd);
+
 /***********************************************************
  Decode an arc4 encrypted password change buffer.
 ************************************************************/
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index b7b17130f07..793012553b2 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 	return true;
 }
 
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+				  const DATA_BLOB *session_key,
+				  struct samr_CryptPasswordEx *out_crypt_pwd)
+{
+	uint8_t _confounder[16] = {0};
+	DATA_BLOB confounder = data_blob_const(_confounder, 16);
+	DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);
+	bool ok;
+	int rc;
+
+	ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);
+	if (!ok) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	generate_random_buffer(confounder.data, confounder.length);
+
+	rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+						 session_key,
+						 &pw_data,
+						 SAMBA_GNUTLS_ENCRYPT);
+	if (rc < 0) {
+		ZERO_ARRAY(_confounder);
+		data_blob_clear(&pw_data);
+		return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+	}
+
+	/*
+	 * The packet format is the 516 byte RC4 encrypted
+	 * pasword followed by the 16 byte counfounder
+	 * The confounder is a salt to prevent pre-computed hash attacks on the
+	 * database.
+	 */
+	memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);
+	ZERO_ARRAY(_confounder);
+
+	return NT_STATUS_OK;
+}
+
 /***********************************************************
  Decode an arc4 encrypted password change buffer.
 ************************************************************/
-- 
2.23.0