From 6eb8a45387ae6400d4b48d838ec89510afe2b37a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 15 May 2019 14:04:31 +0200 Subject: [PATCH 034/187] s3:rpc_server: Use GnuTLS RC4 to decrypt samr password buffers BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f) --- source3/rpc_server/samr/srv_samr_nt.c | 58 ++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 6 deletions(-) diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index fd5c453e0eb..ad1d1853bda 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -37,7 +37,6 @@ #include "ntdomain.h" #include "../librpc/gen_ndr/srv_samr.h" #include "rpc_server/samr/srv_samr_util.h" -#include "../lib/crypto/arcfour.h" #include "secrets.h" #include "rpc_client/init_lsa.h" #include "../libcli/security/security.h" @@ -47,6 +46,10 @@ #include "../lib/tsocket/tsocket.h" #include "lib/util/base64.h" +#include "lib/crypto/gnutls_helpers.h" +#include +#include + #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -4946,6 +4949,41 @@ static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields) return acc_required; } +static NTSTATUS arc4_decrypt_data(DATA_BLOB session_key, + uint8_t *data, + size_t data_size) +{ + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t my_session_key = { + .data = session_key.data, + .size = session_key.length, + }; + NTSTATUS status = NT_STATUS_INTERNAL_ERROR; + int rc; + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_ARCFOUR_128, + &my_session_key, + NULL); + if (rc < 0) { + status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + goto out; + } + + rc = gnutls_cipher_decrypt(cipher_hnd, + data, + data_size); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); + goto out; + } + + status = NT_STATUS_OK; +out: + return status; +} + /******************************************************************* samr_SetUserInfo ********************************************************************/ @@ -5153,8 +5191,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, if(!NT_STATUS_IS_OK(status)) { break; } - arcfour_crypt_blob(info->info23.password.data, 516, - &session_key); + status = arc4_decrypt_data(session_key, + info->info23.password.data, + 516); + if(!NT_STATUS_IS_OK(status)) { + break; + } dump_data(100, info->info23.password.data, 516); @@ -5165,13 +5207,17 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p, break; case 24: + status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES); if(!NT_STATUS_IS_OK(status)) { break; } - arcfour_crypt_blob(info->info24.password.data, - 516, - &session_key); + status = arc4_decrypt_data(session_key, + info->info24.password.data, + 516); + if(!NT_STATUS_IS_OK(status)) { + break; + } dump_data(100, info->info24.password.data, 516); -- 2.23.0