/*
DES encrypt a 16 byte password buffer using the session key
*/
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass)
{
struct samr_Password tmp;
- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
+ int rc;
+
+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*pass = tmp;
+
+ return NT_STATUS_OK;
}
/*
DES decrypt a 16 byte password buffer using the session key
*/
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass)
{
struct samr_Password tmp;
- des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
+ int rc;
+
+ rc = des_crypt112_16(tmp.hash, pass->hash, creds->session_key, SAMBA_GNUTLS_DECRYPT);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
*pass = tmp;
+
+ return NT_STATUS_OK;
}
/*
p = &logon->password->lmpassword;
if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
- netlogon_creds_des_encrypt(creds, p);
+ status = netlogon_creds_des_encrypt(creds, p);
} else {
- netlogon_creds_des_decrypt(creds, p);
+ status = netlogon_creds_des_decrypt(creds, p);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
p = &logon->password->ntpassword;
if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
- netlogon_creds_des_encrypt(creds, p);
+ status = netlogon_creds_des_encrypt(creds, p);
} else {
- netlogon_creds_des_decrypt(creds, p);
+ status = netlogon_creds_des_decrypt(creds, p);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
}
return;
}
} else {
- netlogon_creds_des_encrypt(&state->tmp_creds,
- &state->samr_password);
+ status = netlogon_creds_des_encrypt(&state->tmp_creds,
+ &state->samr_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+ return;
+ }
subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
state->binding_handle,
cmp = memcmp(state->new_owf_password.hash,
zero.hash, sizeof(zero.hash));
if (cmp != 0) {
- netlogon_creds_des_decrypt(&state->tmp_creds,
- &state->new_owf_password);
+ status = netlogon_creds_des_decrypt(&state->tmp_creds,
+ &state->new_owf_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status);
+ return;
+ }
}
cmp = memcmp(state->old_owf_password.hash,
zero.hash, sizeof(zero.hash));
if (cmp != 0) {
- netlogon_creds_des_decrypt(&state->tmp_creds,
- &state->old_owf_password);
+ status = netlogon_creds_des_decrypt(&state->tmp_creds,
+ &state->old_owf_password);
+ if (tevent_req_nterror(req, status)) {
+ netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, status);
+ return;
+ }
}
*state->creds = state->tmp_creds;
struct netr_LMSessionKey *key);
NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds,
struct netr_LMSessionKey *key);
-void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
-void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass);
+NTSTATUS netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
+ struct samr_Password *pass);
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
uint8_t *data,
size_t len);
int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
int des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14],
enum samba_gnutls_direction encrypt);
-void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt);
int sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out,
enum samba_gnutls_direction encrypt);
#undef _PRINTF_ATTRIBUTE
}
/* des encryption of a 16 byte lump of data with a 112 bit key */
-void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw)
+int des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14],
+ enum samba_gnutls_direction encrypt)
{
- des_crypt56(out, in, key, forw);
- des_crypt56(out + 8, in + 8, key+7, forw);
+ int ret;
+
+ ret = des_crypt56_gnutls(out, in, key, encrypt);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out + 8, in + 8, key+7, encrypt);
}
/* Decode a sam password hash into a password. The password hash is the
uint8_t crypt[16];
uint8_t decrypt[16];
+ int rc;
- des_crypt112_16(crypt, clear, key, 1);
+ rc = des_crypt112_16(crypt, clear, key, SAMBA_GNUTLS_ENCRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt, crypt_expected, 16);
- des_crypt112_16(decrypt, crypt, key, 0);
+ rc = des_crypt112_16(decrypt, crypt, key, SAMBA_GNUTLS_DECRYPT);
+ assert_int_equal(rc, 0);
assert_memory_equal(decrypt, clear, 16);
}
DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
r->in.computer_name, creds->computer_name));
- netlogon_creds_des_decrypt(creds, r->in.new_password);
+ status = netlogon_creds_des_decrypt(creds, r->in.new_password);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
for(i = 0; i < sizeof(r->in.new_password->hash); i++)
{
enum ndr_err_code ndr_err;
struct trustAuthInOutBlob trustAuth;
+ NTSTATUS status;
ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth,
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
mdfour(current_pw_enc->hash,
trustAuth.current.array[0].AuthInfo.clear.password,
trustAuth.current.array[0].AuthInfo.clear.size);
- netlogon_creds_des_encrypt(creds, current_pw_enc);
+ status = netlogon_creds_des_encrypt(creds, current_pw_enc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
} else {
return NT_STATUS_UNSUCCESSFUL;
}
mdfour(previous_pw_enc->hash,
trustAuth.previous.array[0].AuthInfo.clear.password,
trustAuth.previous.array[0].AuthInfo.clear.size);
- netlogon_creds_des_encrypt(creds, previous_pw_enc);
+ status = netlogon_creds_des_encrypt(creds, previous_pw_enc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
} else {
ZERO_STRUCTP(previous_pw_enc);
}
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- netlogon_creds_des_decrypt(creds, r->in.new_password);
+ nt_status = netlogon_creds_des_decrypt(creds, r->in.new_password);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
/* fetch the old password hashes (the NT hash has to exist) */
if (curNtHash != NULL) {
*r->out.new_owf_password = *curNtHash;
- netlogon_creds_des_encrypt(creds, r->out.new_owf_password);
+ nt_status = netlogon_creds_des_encrypt(creds, r->out.new_owf_password);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
}
if (prevNtHash != NULL) {
*r->out.old_owf_password = *prevNtHash;
- netlogon_creds_des_encrypt(creds, r->out.old_owf_password);
+ nt_status = netlogon_creds_des_encrypt(creds, r->out.old_owf_password);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
}
if (trust_info != NULL) {