
s4:rpc_server: Allow to use RC4 for setting passwords

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider 2019-11-15 13:49:40 +01:00 committed by Andreas Schneider
parent c6a21e1897
commit a9c532c6d3
2 changed files with 31 additions and 1 deletions


@ -31,6 +31,8 @@
#include "../lib/util/util_ldb.h"
#include "rpc_server/samr/proto.h"
#include "auth/auth_sam.h"
#include "lib/param/loadparm.h"
#include "librpc/rpc/dcerpc_helper.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@ -129,6 +131,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
struct dom_sid *user_objectSid = NULL;
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t lm_session_key;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
bool encrypted;
int rc;
if (pwbuf == NULL) {
@ -144,6 +148,12 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
return NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
}
encrypted = dcerpc_is_transport_encrypted(session_info);
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
return NT_STATUS_ACCESS_DENIED;
}
/* Connect to a SAMDB with system privileges for fetching the old pw
* hashes. */
sam_ctx = samdb_connect(mem_ctx,
@ -188,11 +198,13 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
.size = sizeof(lm_pwd->hash),
};
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&lm_session_key,
NULL);
if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto failed;
}
@ -201,6 +213,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
pwbuf->data,
516);
gnutls_cipher_deinit(cipher_hnd);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) {
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto failed;
@ -607,7 +620,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
DATA_BLOB session_key = data_blob(NULL, 0);
gnutls_cipher_hd_t cipher_hnd = NULL;
gnutls_datum_t _session_key;
struct auth_session_info *session_info =
dcesrv_call_session_info(dce_call);
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
int rc;
bool encrypted;
encrypted = dcerpc_is_transport_encrypted(session_info);
if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
return NT_STATUS_ACCESS_DENIED;
}
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
@ -621,11 +644,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
.size = session_key.length,
};
/*
* This is safe to support as we only have a session key
* over a SMB connection which we force to be encrypted.
*/
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&_session_key,
NULL);
if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
}
@ -634,6 +663,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
pwbuf->data,
516);
gnutls_cipher_deinit(cipher_hnd);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) {
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
goto out;
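Review bot: The comment at the top of the samr_set_password hunk (`This is safe to support as we only have a session key over a SMB connection which we force to be encrypted`) is now contradicted by the code a few lines above it: the new check returns NT_STATUS_ACCESS_DENIED only when `lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED` and the transport is not encrypted, so with weak crypto permitted RC4 can be used over an unencrypted transport. I would replace it with `/* RC4 is reached here only when the weak-crypto policy permits it or the transport is encrypted; the check after dcerpc_is_transport_encrypted() above enforces this. */`. The same policy check is duplicated verbatim in dcesrv_samr_OemChangePasswordUser2 and samr_set_password; a small static helper such as `samr_weak_crypto_allowed(dce_call)` would keep the two in step if the policy ever changes. Both functions start and end outside the hunks, so I cannot tell whether any path between GNUTLS_FIPS140_SET_LAX_MODE() and the matching GNUTLS_FIPS140_SET_STRICT_MODE() exits early; if one does, it should restore strict mode as the visible error paths do.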


@ -87,7 +87,7 @@ bld.SAMBA_MODULE('dcesrv_samr',
autoproto='samr/proto.h',
subsystem='dcerpc_server',
init_function='dcerpc_server_samr_init',
deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS'
deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS DCERPC_HELPER'
)