From 13dfa7d5a1c96d78eca81eb0eb97bc0668561738 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 9 Jul 2019 13:01:10 +0200
Subject: [PATCH 017/187] libcli:auth: Add encode_rc4_passwd_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
(cherry picked from commit 06d46c447e69a6b384c0089863c343b4924c7caf)
---
 libcli/auth/proto.h | 7 +++++++
 libcli/auth/smbencrypt.c | 42 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index a67c89d8552..67caaca8c41 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -181,6 +181,13 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 size_t *new_pw_len,
 charset_t string_charset);
 
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd);
+
 /***********************************************************
 Decode an arc4 encrypted password change buffer.
 ************************************************************/
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index b7b17130f07..793012553b2 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -839,6 +839,48 @@ bool decode_pw_buffer(TALLOC_CTX *ctx,
 return true;
 }
 
+/***********************************************************
+ Encode an arc4 password change buffer.
+************************************************************/
+NTSTATUS encode_rc4_passwd_buffer(const char *passwd,
+ const DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *out_crypt_pwd)
+{
+ uint8_t _confounder[16] = {0};
+ DATA_BLOB confounder = data_blob_const(_confounder, 16);
+ DATA_BLOB pw_data = data_blob_const(out_crypt_pwd->data, 516);
+ bool ok;
+ int rc;
+
+ ok = encode_pw_buffer(pw_data.data, passwd, STR_UNICODE);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ generate_random_buffer(confounder.data, confounder.length);
+
+ rc = samba_gnutls_arcfour_confounded_md5(&confounder,
+ session_key,
+ &pw_data,
+ SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ ZERO_ARRAY(_confounder);
+ data_blob_clear(&pw_data);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+
+ /*
+ * The packet format is the 516 byte RC4 encrypted
+ * pasword followed by the 16 byte counfounder
+ * The confounder is a salt to prevent pre-computed hash attacks on the
+ * database.
+ */
+ memcpy(&out_crypt_pwd->data[516], confounder.data, confounder.length);
+ ZERO_ARRAY(_confounder);
+
+ return NT_STATUS_OK;
+}
+
 /***********************************************************
 Decode an arc4 encrypted password change buffer.
 ************************************************************/
-- 
2.23.0
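Review bot: encode_rc4_passwd_buffer() dereferences `out_crypt_pwd` in the `pw_data` initializer and hands `session_key` to samba_gnutls_arcfour_confounded_md5() without validating either one, or `passwd`. The confounder is copied into the packet in the clear at `data[516]`, so if the cipher key is derived only from the confounder and the session key (as the helper's name suggests; its body is not in this hunk), a zero-length session key would leave the password protected by public data alone. I would assign `pw_data` only after a guard such as `if (passwd == NULL || out_crypt_pwd == NULL || session_key == NULL || session_key->length == 0) { return NT_STATUS_INVALID_PARAMETER; }`. The literals 516 and 16 also assume `out_crypt_pwd->data` holds at least 532 bytes, which a compile-time size check next to them would pin down. The closing comment's "pre-computed hash attacks on the database" wording does not describe this use, where the confounder appears to vary the per-message key, and it misspells "password" and "confounder".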