auth/credentials: add cli_credentials_set_old_utf16_password()
authorStefan Metzmacher <metze@samba.org>
Fri, 30 Jan 2015 16:20:27 +0000 (16:20 +0000)
committerGünther Deschner <gd@samba.org>
Thu, 12 Mar 2015 16:13:42 +0000 (17:13 +0100)
This is required to set the previous trust account password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
auth/credentials/credentials.h
auth/credentials/credentials_ntlm.c

index d875fb575723abbeef23145d5a8897b54228e40a..fdedd6300482ea38a2fd13f813e4b006d9d92706 100644 (file)
@@ -196,6 +196,8 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
                                        const DATA_BLOB *password_utf16,
                                        enum credentials_obtained obtained);
+bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+                                           const DATA_BLOB *password_utf16);
 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained);
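Review bot: The new prototype has no `obtained` argument although `cli_credentials_set_utf16_password()` directly above takes one, and nothing at the declaration explains the difference. The implementation in credentials_ntlm.c passes `CRED_SPECIFIED` unconditionally, so a comment here would help callers, for example `/* Sets the previous password and old NT hash from the raw UTF-16 blob; always passes CRED_SPECIFIED. */`. The comment should also say that a NULL `password_utf16` is accepted and forwarded as a NULL old password.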
index 327cf1396f68b49faed9786991ca18083bf2d6cf..4e122772dea8c750897e788b004e1c8ad9d09ea9 100644 (file)
@@ -268,6 +268,53 @@ _PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
        return false;
 }
 
+/*
+ * Set a old utf16 password on the credentials context.
+ *
+ * This is required because the nt_hash is calculated over the raw utf16 blob,
+ * which might not be completely valid utf16, which means the conversion
+ * from CH_UTF16MUNGED to CH_UTF8 might loose information.
+ */
+_PUBLIC_ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+                                                    const DATA_BLOB *password_utf16)
+{
+       struct samr_Password *nt_hash = NULL;
+       char *password_talloc = NULL;
+       size_t password_len = 0;
+       bool ok;
+
+       if (password_utf16 == NULL) {
+               return cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);
+       }
+
+       nt_hash = talloc(cred, struct samr_Password);
+       if (nt_hash == NULL) {
+               return false;
+       }
+
+       ok = convert_string_talloc(cred,
+                                  CH_UTF16MUNGED, CH_UTF8,
+                                  password_utf16->data,
+                                  password_utf16->length,
+                                  (void *)&password_talloc,
+                                  &password_len);
+       if (!ok) {
+               TALLOC_FREE(nt_hash);
+               return false;
+       }
+
+       ok = cli_credentials_set_old_password(cred, password_talloc, CRED_SPECIFIED);
+       TALLOC_FREE(password_talloc);
+       if (!ok) {
+               TALLOC_FREE(nt_hash);
+               return false;
+       }
+
+       mdfour(nt_hash->hash, password_utf16->data, password_utf16->length);
+       cred->old_nt_hash = nt_hash;
+       return true;
+}
+
 _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained)
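Review bot: `password_talloc` holds the cleartext UTF-8 form of the previous trust account password and is released with `TALLOC_FREE(password_talloc)` without being cleared, so the secret can remain readable in freed heap memory (core dumps, later reuse of the chunk). Wipe the converted buffer before the free with a helper the compiler cannot elide, or, in trees that provide it, call `talloc_keep_secret(password_talloc);` right after the successful `convert_string_talloc()`. The same care applies to `nt_hash`, which is password-equivalent for NTLM and stays allocated under `cred`. Separately, `cred->old_nt_hash = nt_hash;` replaces the pointer without freeing a previous value; whether `cli_credentials_set_old_password()` already releases it is not visible in this hunk, so that is worth confirming.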