s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
authorAndreas Schneider <asn@samba.org>
Mon, 26 Jul 2021 08:13:52 +0000 (10:13 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 3 Aug 2021 09:28:38 +0000 (09:28 +0000)
This is needed for smbtorture to join a domain in FIPS mode.

FYI: The correct way would be to join using LDAP as the s3 code is doing it. But
this requires a bigger rewrite.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/libnet/libnet_passwd.c

index f5c0ce106dd679d2d3167ee2cb756d0d63122d29..2bb7e392bd86f877ca010ec5011b134e0f363b12 100644 (file)
@@ -23,6 +23,8 @@
 #include "libcli/auth/libcli_auth.h"
 #include "librpc/gen_ndr/ndr_samr_c.h"
 #include "source4/librpc/rpc/dcerpc.h"
+#include "auth/credentials/credentials.h"
+#include "libcli/smb/smb_constants.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -870,28 +872,55 @@ static NTSTATUS libnet_SetPassword_generic(struct libnet_context *ctx, TALLOC_CT
 
 NTSTATUS libnet_SetPassword(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_SetPassword *r)
 {
+       enum smb_encryption_setting encryption_state =
+               cli_credentials_get_smb_encryption(ctx->cred);
+       NTSTATUS status =  NT_STATUS_INVALID_LEVEL;
+
        switch (r->generic.level) {
                case LIBNET_SET_PASSWORD_GENERIC:
-                       return libnet_SetPassword_generic(ctx, mem_ctx, r);
+                       status = libnet_SetPassword_generic(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR:
-                       return libnet_SetPassword_samr(ctx, mem_ctx, r);
+                       status = libnet_SetPassword_samr(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR_HANDLE:
-                       return libnet_SetPassword_samr_handle(ctx, mem_ctx, r);
+                       status = libnet_SetPassword_samr_handle(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR_HANDLE_26:
-                       return libnet_SetPassword_samr_handle_26(ctx, mem_ctx, r);
+                       if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
+                               GNUTLS_FIPS140_SET_LAX_MODE();
+                       }
+                       status = libnet_SetPassword_samr_handle_26(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR_HANDLE_25:
-                       return libnet_SetPassword_samr_handle_25(ctx, mem_ctx, r);
+                       if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
+                               GNUTLS_FIPS140_SET_LAX_MODE();
+                       }
+                       status = libnet_SetPassword_samr_handle_25(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR_HANDLE_24:
-                       return libnet_SetPassword_samr_handle_24(ctx, mem_ctx, r);
+                       if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
+                               GNUTLS_FIPS140_SET_LAX_MODE();
+                       }
+                       status = libnet_SetPassword_samr_handle_24(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_SAMR_HANDLE_23:
-                       return libnet_SetPassword_samr_handle_23(ctx, mem_ctx, r);
+                       if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
+                               GNUTLS_FIPS140_SET_LAX_MODE();
+                       }
+                       status = libnet_SetPassword_samr_handle_23(ctx, mem_ctx, r);
+                       break;
                case LIBNET_SET_PASSWORD_KRB5:
-                       return NT_STATUS_NOT_IMPLEMENTED;
+                       status = NT_STATUS_NOT_IMPLEMENTED;
+                       break;
                case LIBNET_SET_PASSWORD_LDAP:
-                       return NT_STATUS_NOT_IMPLEMENTED;
+                       status = NT_STATUS_NOT_IMPLEMENTED;
+                       break;
                case LIBNET_SET_PASSWORD_RAP:
-                       return NT_STATUS_NOT_IMPLEMENTED;
+                       status = NT_STATUS_NOT_IMPLEMENTED;
+                       break;
        }
 
-       return NT_STATUS_INVALID_LEVEL;
+       GNUTLS_FIPS140_SET_STRICT_MODE();
+       return status;
 }
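Review bot: The four `LIBNET_SET_PASSWORD_SAMR_HANDLE_23` to `_26` cases relax GnuTLS FIPS enforcement based on `cli_credentials_get_smb_encryption(ctx->cred) == SMB_ENCRYPTION_REQUIRED`, which is the requested policy on the credentials rather than evidence that the SAMR handle supplied in `r` actually runs over an encrypted SMB session. If a handle opened over another transport or with other credentials can reach this function, the password-buffer crypto (presumably the non-FIPS part) would run in lax mode without the outer encryption that justifies it. It would be safer to check the negotiated state of the pipe's transport, or at least to record the assumption in a comment such as `/* lax FIPS mode is acceptable here only because SMB encryption protects the SAMR password buffer on the wire */`. `GNUTLS_FIPS140_SET_STRICT_MODE()` at the end runs for every level and does not restore the mode that was active on entry; the macro bodies are not visible here, so confirm that forcing strict mode cannot cut short a lax scope set by a caller. The identical `if (encryption_state == SMB_ENCRYPTION_REQUIRED)` block is repeated four times and could be a single check ahead of the `switch`.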