From 3eb3f3bdabd103c3858323e08a9180913c223e16 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 9 Jul 2019 12:53:31 +0200
Subject: [PATCH 016/187] libcli:auth: Pass samr_CryptPasswordEx to decode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
(cherry picked from commit 79ca72ec3d13fea5d2ad608415757ca9870035a3)
---
 libcli/auth/proto.h | 4 ++--
 libcli/auth/smbencrypt.c | 8 ++++----
 libcli/auth/tests/test_rc4_passwd_buffer.c | 5 +++--
 source3/rpc_server/samr/srv_samr_nt.c | 10 ++++------
 4 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 1bcbeddb228..a67c89d8552 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -184,8 +184,8 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 /***********************************************************
 Decode an arc4 encrypted password change buffer.
 ************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key);
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd);
 /***********************************************************
 encode a password buffer with an already unicode password. The
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 7e343f71577..b7b17130f07 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -843,12 +843,12 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 Decode an arc4 encrypted password change buffer.
 ************************************************************/
-NTSTATUS decode_rc4_passwd_buffer(unsigned char pw_buf[532],
- const DATA_BLOB *psession_key)
+NTSTATUS decode_rc4_passwd_buffer(const DATA_BLOB *psession_key,
+ struct samr_CryptPasswordEx *inout_crypt_pwd)
 {
 /* Confounder is last 16 bytes. */
- DATA_BLOB confounder = data_blob_const(&pw_buf[516], 16);
- DATA_BLOB pw_data = data_blob_const(pw_buf, 516);
+ DATA_BLOB confounder = data_blob_const(&inout_crypt_pwd->data[516], 16);
+ DATA_BLOB pw_data = data_blob_const(&inout_crypt_pwd->data, 516);
 int rc;
 rc = samba_gnutls_arcfour_confounded_md5(&confounder,
diff --git a/libcli/auth/tests/test_rc4_passwd_buffer.c b/libcli/auth/tests/test_rc4_passwd_buffer.c
index eb737703230..3bf371c5dd5 100644
--- a/libcli/auth/tests/test_rc4_passwd_buffer.c
+++ b/libcli/auth/tests/test_rc4_passwd_buffer.c
@@ -114,7 +114,7 @@ static void torture_decode_rc4_passwd_buffer(void **state)
 encrypted_test_blob,
 sizeof(out_pwd_buf.data));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
 assert_true(NT_STATUS_IS_OK(status));
 ok = decode_pw_buffer(NULL,
@@ -143,7 +143,7 @@ static void torture_rc4_passwd_buffer(void **state)
 &out_pwd_buf);
 assert_true(NT_STATUS_IS_OK(status));
- status = decode_rc4_passwd_buffer(out_pwd_buf.data, &session_key);
+ status = decode_rc4_passwd_buffer(&session_key, &out_pwd_buf);
 assert_true(NT_STATUS_IS_OK(status));
 ok = decode_pw_buffer(NULL,
@@ -154,6 +154,7 @@ static void torture_rc4_passwd_buffer(void **state)
 assert_true(ok);
 assert_int_equal(password_decoded_len, strlen(PASSWORD));
 assert_string_equal(password_decoded, PASSWORD);
+ talloc_free(password_decoded);
 }
 int main(int argc, char *argv[])
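Review bot: In the new `pw_data` initialiser of decode_rc4_passwd_buffer(), `&inout_crypt_pwd->data` is a pointer to the whole array while the confounder line just above takes `&inout_crypt_pwd->data[516]`; the address is the same, but `DATA_BLOB pw_data = data_blob_const(inout_crypt_pwd->data, 516);` says what is meant and keeps the two lines consistent. The offsets 516 and 16 are still bare literals even though the struct type is now in scope, so a compile-time check that `sizeof(inout_crypt_pwd->data)` equals their sum (presumably 532, as in the old `pw_buf[532]` parameter) would tie the slicing to the real buffer size. Neither pointer argument is checked before use in the visible lines; if not every caller is guaranteed to pass valid pointers, reject NULL with `NT_STATUS_INVALID_PARAMETER` first. The header comment (here and above the prototype in proto.h) should also say that the buffer is decrypted in place, as the `inout_` prefix implies. The function body continues past the end of the hunk.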
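Review bot: The added `talloc_free(password_decoded);` covers only torture_rc4_passwd_buffer(); the hunk at line 114 in torture_decode_rc4_passwd_buffer() makes the same `decode_pw_buffer(NULL, ...)` call, and the rest of that function lies outside the hunk, so it is worth confirming that the decoded password is released there as well. Both tests assert only the success path of the new signature. A negative case, for example decoding with a session key that does not match the one used to encrypt and asserting that the password is not recovered, would show that the reordered arguments are really the ones being used.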
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 4dc9132511f..fd5c453e0eb 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -5185,9 +5185,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 if(!NT_STATUS_IS_OK(status)) {
 break;
 }
- status = decode_rc4_passwd_buffer(
- info->info25.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info25.password);
 if (!NT_STATUS_IS_OK(status)) {
 break;
 }
@@ -5204,9 +5203,8 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 if(!NT_STATUS_IS_OK(status)) {
 break;
 }
- status = decode_rc4_passwd_buffer(
- info->info26.password.data,
- &session_key);
+ status = decode_rc4_passwd_buffer(&session_key,
+ &info->info26.password);
 if (!NT_STATUS_IS_OK(status)) {
 break;
 }
--
2.23.0
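Review bot: Nothing in the visible lines of the info25 case wipes `info->info25.password.data` after the new call has decrypted it in place (as the `inout_` parameter name suggests), so the cleartext password buffer appears to stay in the request structure. If the remainder of the case does not already clear it, do so once the password has been applied, e.g. `ZERO_ARRAY(info->info25.password.data);`, so the secret does not linger in memory that could later be dumped or logged. The same applies to the info26 hunk. Both cases continue outside their hunks, so this needs checking against the full `_samr_SetUserInfo()` body.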