s3:rpc_client: Return NTSTATUS for init_samr_CryptPasswordEx()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index 2136ef47ee6000149e1ff7a96022cb5643feb8da..827b79020402abad56a40a7b871fff14f80db9b9 100644 (file)
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -313,9 +313,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
 
                user_info.info25.info = info21;
 
-               init_samr_CryptPasswordEx(uX->usriX_password,
-                                         session_key,
-                                         &user_info.info25.password);
+               status = init_samr_CryptPasswordEx(uX->usriX_password,
+                                                  session_key,
+                                                  &user_info.info25.password);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
 
                status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
                                                  user_handle,

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 4670617d74f1f8f29083f8dae581244faea7d9d8..d2a6ed1876dd3d81880960c1c2430e8465a0c1d4 100644 (file)
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1522,9 +1522,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
         */
        old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
 
-       init_samr_CryptPasswordEx(r->in.machine_password,
-                                 &session_key,
-                                 &crypt_pwd_ex);
+       status = init_samr_CryptPasswordEx(r->in.machine_password,
+                                          &session_key,
+                                          &crypt_pwd_ex);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto error;
+       }
 
        user_info.info26.password = crypt_pwd_ex;
        user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;

diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
index 8b41ec2f10f45ec9522c47ec142c97ec041dc0c0..5f6cbc5d3c7fe2c786896a337a1cafa7cdde422d 100644 (file)
--- a/source3/rpc_client/init_samr.c
+++ b/source3/rpc_client/init_samr.c
@@ -22,6 +22,7 @@
 #include "../lib/crypto/arcfour.h"
 #include "rpc_client/init_samr.h"
 
+#include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
@@ -29,9 +30,9 @@
  inits a samr_CryptPasswordEx structure
  *************************************************************************/
 
-void init_samr_CryptPasswordEx(const char *pwd,
-                              DATA_BLOB *session_key,
-                              struct samr_CryptPasswordEx *pwd_buf)
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+                                  DATA_BLOB *session_key,
+                                  struct samr_CryptPasswordEx *pwd_buf)
 {
        /* samr_CryptPasswordEx */
 
@@ -39,42 +40,52 @@ void init_samr_CryptPasswordEx(const char *pwd,
        gnutls_hash_hd_t hash_hnd = NULL;
        uint8_t confounder[16];
        DATA_BLOB confounded_session_key = data_blob(NULL, 16);
+       NTSTATUS status;
+       bool ok;
        int rc;
 
-       encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+       ok = encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+       if (!ok) {
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto out;
+       }
 
        generate_random_buffer((uint8_t *)confounder, 16);
 
        rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
        if (rc < 0) {
+               status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
                goto out;
        }
 
        rc = gnutls_hash(hash_hnd, confounder, 16);
        if (rc < 0) {
                gnutls_hash_deinit(hash_hnd, NULL);
+               status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
                goto out;
        }
        rc = gnutls_hash(hash_hnd, session_key->data, session_key->length);
        if (rc < 0) {
                gnutls_hash_deinit(hash_hnd, NULL);
+               status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
                goto out;
        }
 
        gnutls_hash_deinit(hash_hnd, confounded_session_key.data);
 
        arcfour_crypt_blob(pwbuf, 516, &confounded_session_key);
-       ZERO_ARRAY_LEN(confounded_session_key.data,
-                      confounded_session_key.length);
-       data_blob_free(&confounded_session_key);
+       data_blob_clear_free(&confounded_session_key);
 
        memcpy(&pwbuf[516], confounder, 16);
        ZERO_ARRAY(confounder);
 
        memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
        ZERO_ARRAY(pwbuf);
+
+       status = NT_STATUS_OK;
 out:
-       return;
+       data_blob_clear_free(&confounded_session_key);
+       return status;
 }
 
 /*************************************************************************

diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
index 4214ab55a0463487f07b2cc94cee6cc804eee428..3f0dc847dd29149370071e1bd04e9f19ab1abb58 100644 (file)
--- a/source3/rpc_client/init_samr.h
+++ b/source3/rpc_client/init_samr.h
@@ -22,9 +22,9 @@
 
 /* The following definitions come from rpc_client/init_samr.c  */
 
-void init_samr_CryptPasswordEx(const char *pwd,
-                              DATA_BLOB *session_key,
-                              struct samr_CryptPasswordEx *pwd_buf);
+NTSTATUS init_samr_CryptPasswordEx(const char *pwd,
+                                  DATA_BLOB *session_key,
+                                  struct samr_CryptPasswordEx *pwd_buf);
 NTSTATUS init_samr_CryptPassword(const char *pwd,
                                 DATA_BLOB *session_key,
                                 struct samr_CryptPassword *pwd_buf);

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c9aaa90cbb9fbac97929ad6e66d07cf4b5ea2d75..d5267bf70623769e313c3c4d8b32f5231958bf61 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1226,9 +1226,12 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
 
                        infolevel = UserInternal5InformationNew;
 
-                       init_samr_CryptPasswordEx(cr->creds.password,
-                                                 &session_key,
-                                                 &info26.password);
+                       status = init_samr_CryptPasswordEx(cr->creds.password,
+                                                          &session_key,
+                                                          &info26.password);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               goto out;
+                       }
 
                        info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
                        info->info26 = info26;

diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index ccaec1ada407917e51a7f38948548b2592773dbd..b1b7c06515ce5461382b9bc954e247a3c873d17a 100644 (file)
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3067,7 +3067,10 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
-       init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+       status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
        nt_lm_owf_gen(param, nt_hash, lm_hash);
 
        switch (level) {