120 lines
3.3 KiB
Diff
120 lines
3.3 KiB
Diff
From 6eb8a45387ae6400d4b48d838ec89510afe2b37a Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 15 May 2019 14:04:31 +0200
|
|
Subject: [PATCH 034/187] s3:rpc_server: Use GnuTLS RC4 to decrypt samr
|
|
password buffers
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
(cherry picked from commit cd0b5e5d9377bc79b4468081f3999ad39be3cb8f)
|
|
---
|
|
source3/rpc_server/samr/srv_samr_nt.c | 58 ++++++++++++++++++++++++---
|
|
1 file changed, 52 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
|
|
index fd5c453e0eb..ad1d1853bda 100644
|
|
--- a/source3/rpc_server/samr/srv_samr_nt.c
|
|
+++ b/source3/rpc_server/samr/srv_samr_nt.c
|
|
@@ -37,7 +37,6 @@
|
|
#include "ntdomain.h"
|
|
#include "../librpc/gen_ndr/srv_samr.h"
|
|
#include "rpc_server/samr/srv_samr_util.h"
|
|
-#include "../lib/crypto/arcfour.h"
|
|
#include "secrets.h"
|
|
#include "rpc_client/init_lsa.h"
|
|
#include "../libcli/security/security.h"
|
|
@@ -47,6 +46,10 @@
|
|
#include "../lib/tsocket/tsocket.h"
|
|
#include "lib/util/base64.h"
|
|
|
|
+#include "lib/crypto/gnutls_helpers.h"
|
|
+#include <gnutls/gnutls.h>
|
|
+#include <gnutls/crypto.h>
|
|
+
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_RPC_SRV
|
|
|
|
@@ -4946,6 +4949,41 @@ static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
|
|
return acc_required;
|
|
}
|
|
|
|
+static NTSTATUS arc4_decrypt_data(DATA_BLOB session_key,
|
|
+ uint8_t *data,
|
|
+ size_t data_size)
|
|
+{
|
|
+ gnutls_cipher_hd_t cipher_hnd = NULL;
|
|
+ gnutls_datum_t my_session_key = {
|
|
+ .data = session_key.data,
|
|
+ .size = session_key.length,
|
|
+ };
|
|
+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
|
|
+ int rc;
|
|
+
|
|
+ rc = gnutls_cipher_init(&cipher_hnd,
|
|
+ GNUTLS_CIPHER_ARCFOUR_128,
|
|
+ &my_session_key,
|
|
+ NULL);
|
|
+ if (rc < 0) {
|
|
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ rc = gnutls_cipher_decrypt(cipher_hnd,
|
|
+ data,
|
|
+ data_size);
|
|
+ gnutls_cipher_deinit(cipher_hnd);
|
|
+ if (rc < 0) {
|
|
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ status = NT_STATUS_OK;
|
|
+out:
|
|
+ return status;
|
|
+}
|
|
+
|
|
/*******************************************************************
|
|
samr_SetUserInfo
|
|
********************************************************************/
|
|
@@ -5153,8 +5191,12 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
- arcfour_crypt_blob(info->info23.password.data, 516,
|
|
- &session_key);
|
|
+ status = arc4_decrypt_data(session_key,
|
|
+ info->info23.password.data,
|
|
+ 516);
|
|
+ if(!NT_STATUS_IS_OK(status)) {
|
|
+ break;
|
|
+ }
|
|
|
|
dump_data(100, info->info23.password.data, 516);
|
|
|
|
@@ -5165,13 +5207,17 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
break;
|
|
|
|
case 24:
|
|
+
|
|
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
- arcfour_crypt_blob(info->info24.password.data,
|
|
- 516,
|
|
- &session_key);
|
|
+ status = arc4_decrypt_data(session_key,
|
|
+ info->info24.password.data,
|
|
+ 516);
|
|
+ if(!NT_STATUS_IS_OK(status)) {
|
|
+ break;
|
|
+ }
|
|
|
|
dump_data(100, info->info24.password.data, 516);
|
|
|
|
--
|
|
2.23.0
|
|
|