From 07925f22341c508792b3ce8feeae2abc939a61f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 16 Jan 2019 17:40:13 +0100
Subject: [PATCH 033/187] s3:rpc_server: Use GnuTLS RC4 in samr password check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d31f6a6803c86b8de0a97927731091f5a7bee4f1)
---
source3/rpc_server/samr/srv_samr_chgpasswd.c | 30 ++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index 3749edbb044..fc509494ebc 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -50,12 +50,15 @@
#include "system/passwd.h"
#include "system/filesys.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../lib/crypto/arcfour.h"
#include "rpc_server/samr/srv_samr_util.h"
#include "passdb.h"
#include "auth.h"
#include "lib/util/sys_rw.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
#ifndef ALLOW_CHANGE_PASSWORD
#if (defined(HAVE_TERMIOS_H) && defined(HAVE_DUP2) && defined(HAVE_SETSID))
#define ALLOW_CHANGE_PASSWORD 1
@@ -685,6 +688,10 @@ static NTSTATUS check_oem_password(const char *user,
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+ gnutls_cipher_hd_t cipher_hnd = NULL;
+ gnutls_datum_t enc_key;
+ int rc;
+
/* this call should be disabled without NTLM auth */
if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
DBG_WARNING("NTLM password changes not"
@@ -752,7 +759,26 @@ static NTSTATUS check_oem_password(const char *user,
/*
* Decrypt the password with the key
*/
- arcfour_crypt( password_encrypted, encryption_key, 516);
+ enc_key = (gnutls_datum_t) {
+ .data = discard_const_p(unsigned char, encryption_key),
+ .size = 16,
+ };
+
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &enc_key,
+ NULL);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+
+ rc = gnutls_cipher_decrypt(cipher_hnd,
+ password_encrypted,
+ 516);
+ gnutls_cipher_deinit(cipher_hnd);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
if (!decode_pw_buffer(talloc_tos(),
password_encrypted,
--
2.23.0