s4:rpc_server: Use GnuTLS MD5 for samr password

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index a80ae56b962792b7a2552853a9a8c04f5d99ff91..af71b626cb9218a26f5082e4ed1446930db97a54 100644 (file)
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -32,6 +32,9 @@
 #include "rpc_server/samr/proto.h"
 #include "auth/auth_sam.h"
 
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 static void log_password_change_event(struct imessaging_context *msg_ctx,
                                      struct loadparm_context *lp_ctx,
                                      const struct tsocket_address *remote_client_address,
@@ -585,7 +588,8 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
        DATA_BLOB new_password;
        DATA_BLOB co_session_key;
        DATA_BLOB session_key = data_blob(NULL, 0);
-       MD5_CTX ctx;
+       gnutls_hash_hd_t hash_hnd = NULL;
+       int rc;
 
        nt_status = dcesrv_transport_session_key(dce_call, &session_key);
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -600,26 +604,54 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
                return NT_STATUS_NO_MEMORY;
        }
 
-       MD5Init(&ctx);
-       MD5Update(&ctx, &pwbuf->data[516], 16);
-       MD5Update(&ctx, session_key.data, session_key.length);
-       MD5Final(co_session_key.data, &ctx);
+       rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+       if (rc < 0) {
+               nt_status = NT_STATUS_NO_MEMORY;
+               goto out;
+       }
+
+       rc = gnutls_hash(hash_hnd, &pwbuf->data[516], 16);
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               nt_status = NT_STATUS_INTERNAL_ERROR;
+               goto out;
+       }
+       rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               nt_status = NT_STATUS_INTERNAL_ERROR;
+               goto out;
+       }
+       gnutls_hash_deinit(hash_hnd, co_session_key.data);
 
        arcfour_crypt_blob(pwbuf->data, 516, &co_session_key);
+       ZERO_ARRAY_LEN(co_session_key.data,
+                      co_session_key.length);
 
        if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
                DEBUG(3,("samr: failed to decode password buffer\n"));
-               return NT_STATUS_WRONG_PASSWORD;
+               nt_status = NT_STATUS_WRONG_PASSWORD;
+               goto out;
        }
 
        /* set the password - samdb needs to know both the domain and user DNs,
           so the domain password policy can be used */
-       return samdb_set_password(sam_ctx, mem_ctx,
-                                 account_dn, domain_dn,
-                                 &new_password,
-                                 NULL, NULL,
-                                 NULL, NULL, /* This is a password set, not change */
-                                 NULL, NULL);
+       nt_status = samdb_set_password(sam_ctx,
+                                      mem_ctx,
+                                      account_dn,
+                                      domain_dn,
+                                      &new_password,
+                                      NULL,
+                                      NULL,
+                                      NULL,
+                                      NULL, /* This is a password set, not change */
+                                      NULL,
+                                      NULL);
+       ZERO_ARRAY_LEN(new_password.data,
+                      new_password.length);
+
+out:
+       return nt_status;
 }
 
 /*