sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

s3:rpc_server: Allow to use RC4 for setting passwords

Browse Source 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This commit is contained in:
Andreas Schneider 2019-11-12 16:56:45 +01:00 committed by Andreas Schneider
parent 5f1a73be63
commit c6a21e1897
3 changed files with 81 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source3/rpc_server/samr/srv_samr_chgpasswd.c
View File

@ -769,11 +769,13 @@ static NTSTATUS check_oem_password(const char *user,
.size = 16,
};
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_cipher_init(&cipher_hnd,
GNUTLS_CIPHER_ARCFOUR_128,
&enc_key,
NULL);
if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
@ -781,6 +783,7 @@ static NTSTATUS check_oem_password(const char *user,
password_encrypted,
516);
gnutls_cipher_deinit(cipher_hnd);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (rc < 0) {
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}

78
source3/rpc_server/samr/srv_samr_nt.c
View File

@ -46,6 +46,8 @@
#include "rpc_server/srv_access_check.h"
#include "../lib/tsocket/tsocket.h"
#include "lib/util/base64.h"
#include "param/param.h"
#include "librpc/rpc/dcerpc_helper.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
@ -1887,6 +1889,7 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
char *user_name = NULL;
char *rhost;
const char *wks = NULL;
bool encrypted;
DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
@ -1915,6 +1918,12 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
return NT_STATUS_NO_MEMORY;
}
encrypted = dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
return NT_STATUS_ACCESS_DENIED;
}
/*
* UNIX username case mangling not required, pass_oem_change
* is case insensitive.
@ -1948,6 +1957,7 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
char *user_name = NULL;
const char *wks = NULL;
char *rhost;
bool encrypted;
DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
@ -1985,6 +1995,12 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
return NT_STATUS_NO_MEMORY;
}
encrypted = dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
return NT_STATUS_ACCESS_DENIED;
}
status = pass_oem_change(user_name,
rhost,
r->in.password->data,
@ -5200,8 +5216,13 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
char *rhost;
DATA_BLOB session_key;
struct dom_sid_buf buf;
struct loadparm_context *lp_ctx = NULL;
bool encrypted;
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
/* This is tricky. A WinXP domain join sets
(SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
@ -5390,13 +5411,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 23:
encrypted =
dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
status = NT_STATUS_ACCESS_DENIED;
break;
}
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
/*
* This can be allowed as it requires a session key
* which we only have if we have a SMB session.
*/
GNUTLS_FIPS140_SET_LAX_MODE();
status = arc4_decrypt_data(session_key,
info->info23.password.data,
516);
GNUTLS_FIPS140_SET_STRICT_MODE();
if(!NT_STATUS_IS_OK(status)) {
break;
}
@ -5412,14 +5447,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 24:
encrypted =
dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
status = NT_STATUS_ACCESS_DENIED;
break;
}
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
/*
* This can be allowed as it requires a session key
* which we only have if we have a SMB session.
*/
GNUTLS_FIPS140_SET_LAX_MODE();
status = arc4_decrypt_data(session_key,
info->info24.password.data,
516);
GNUTLS_FIPS140_SET_STRICT_MODE();
if(!NT_STATUS_IS_OK(status)) {
break;
}
@ -5434,12 +5482,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 25:
encrypted =
dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
status = NT_STATUS_ACCESS_DENIED;
break;
}
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
/*
* This can be allowed as it requires a session key
* which we only have if we have a SMB session.
*/
GNUTLS_FIPS140_SET_LAX_MODE();
status = decode_rc4_passwd_buffer(&session_key,
&info->info25.password);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (!NT_STATUS_IS_OK(status)) {
break;
}
@ -5454,12 +5516,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
break;
case 26:
encrypted =
dcerpc_is_transport_encrypted(p->session_info);
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
!encrypted) {
status = NT_STATUS_ACCESS_DENIED;
break;
}
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
if(!NT_STATUS_IS_OK(status)) {
break;
}
/*
* This can be allowed as it requires a session key
* which we only have if we have a SMB session.
*/
GNUTLS_FIPS140_SET_LAX_MODE();
status = decode_rc4_passwd_buffer(&session_key,
&info->info26.password);
GNUTLS_FIPS140_SET_STRICT_MODE();
if (!NT_STATUS_IS_OK(status)) {
break;
}

2
source3/rpc_server/wscript_build
View File

@ -85,7 +85,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_SAMR',
source='''samr/srv_samr_nt.c
samr/srv_samr_util.c
samr/srv_samr_chgpasswd.c''',
deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK')
deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK DCERPC_HELPER')
bld.SAMBA3_SUBSYSTEM('RPC_SPOOLSS',
source='''spoolss/srv_spoolss_nt.c