s3:rpc_server: Allow to use RC4 for setting passwords

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

3 files changed, 81 insertions, 2 deletions

diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index cb9837ecf01..e326745169e 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -769,11 +769,13 @@ static NTSTATUS check_oem_password(const char *user,
 		.size = 16,
 	};
 
+	GNUTLS_FIPS140_SET_LAX_MODE();
 	rc = gnutls_cipher_init(&cipher_hnd,
 				GNUTLS_CIPHER_ARCFOUR_128,
 				&enc_key,
 				NULL);
 	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
 		return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 	}
 
@@ -781,6 +783,7 @@ static NTSTATUS check_oem_password(const char *user,
 				   password_encrypted,
 				   516);
 	gnutls_cipher_deinit(cipher_hnd);
+	GNUTLS_FIPS140_SET_STRICT_MODE();
 	if (rc < 0) {
 		return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 	}
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 5ffc3331185..77cb18b6a88 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -46,6 +46,8 @@
 #include "rpc_server/srv_access_check.h"
 #include "../lib/tsocket/tsocket.h"
 #include "lib/util/base64.h"
+#include "param/param.h"
+#include "librpc/rpc/dcerpc_helper.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -1887,6 +1889,7 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
 	char *user_name = NULL;
 	char *rhost;
 	const char *wks = NULL;
+	bool encrypted;
 
 	DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
 
@@ -1915,6 +1918,12 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	encrypted = dcerpc_is_transport_encrypted(p->session_info);
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+	    !encrypted) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	/*
 	 * UNIX username case mangling not required, pass_oem_change
 	 * is case insensitive.
@@ -1948,6 +1957,7 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
 	char *user_name = NULL;
 	const char *wks = NULL;
 	char *rhost;
+	bool encrypted;
 
 	DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
 
@@ -1985,6 +1995,12 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	encrypted = dcerpc_is_transport_encrypted(p->session_info);
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+	    !encrypted) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	status = pass_oem_change(user_name,
 				 rhost,
 				 r->in.password->data,
@@ -5200,8 +5216,13 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 	char *rhost;
 	DATA_BLOB session_key;
 	struct dom_sid_buf buf;
+	struct loadparm_context *lp_ctx = NULL;
+	bool encrypted;
 
-	DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	/* This is tricky.  A WinXP domain join sets
 	  (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
@@ -5390,13 +5411,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 			break;
 
 		case 23:
+			encrypted =
+				dcerpc_is_transport_encrypted(p->session_info);
+			if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+			    !encrypted) {
+				status = NT_STATUS_ACCESS_DENIED;
+				break;
+			}
+
 			status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
+			/*
+			 * This can be allowed as it requires a session key
+			 * which we only have if we have a SMB session.
+			 */
+			GNUTLS_FIPS140_SET_LAX_MODE();
 			status = arc4_decrypt_data(session_key,
 						   info->info23.password.data,
 						   516);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
@@ -5412,14 +5447,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 			break;
 
 		case 24:
+			encrypted =
+				dcerpc_is_transport_encrypted(p->session_info);
+			if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+			    !encrypted) {
+				status = NT_STATUS_ACCESS_DENIED;
+				break;
+			}
 
 			status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
+			/*
+			 * This can be allowed as it requires a session key
+			 * which we only have if we have a SMB session.
+			 */
+			GNUTLS_FIPS140_SET_LAX_MODE();
 			status = arc4_decrypt_data(session_key,
 						   info->info24.password.data,
 						   516);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
@@ -5434,12 +5482,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 			break;
 
 		case 25:
+			encrypted =
+				dcerpc_is_transport_encrypted(p->session_info);
+			if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+			    !encrypted) {
+				status = NT_STATUS_ACCESS_DENIED;
+				break;
+			}
+
 			status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
+			/*
+			 * This can be allowed as it requires a session key
+			 * which we only have if we have a SMB session.
+			 */
+			GNUTLS_FIPS140_SET_LAX_MODE();
 			status = decode_rc4_passwd_buffer(&session_key,
 					&info->info25.password);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
 			if (!NT_STATUS_IS_OK(status)) {
 				break;
 			}
@@ -5454,12 +5516,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
 			break;
 
 		case 26:
+			encrypted =
+				dcerpc_is_transport_encrypted(p->session_info);
+			if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
+			    !encrypted) {
+				status = NT_STATUS_ACCESS_DENIED;
+				break;
+			}
+
 			status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
 			if(!NT_STATUS_IS_OK(status)) {
 				break;
 			}
+			/*
+			 * This can be allowed as it requires a session key
+			 * which we only have if we have a SMB session.
+			 */
+			GNUTLS_FIPS140_SET_LAX_MODE();
 			status = decode_rc4_passwd_buffer(&session_key,
 					&info->info26.password);
+			GNUTLS_FIPS140_SET_STRICT_MODE();
 			if (!NT_STATUS_IS_OK(status)) {
 				break;
 			}
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
index e61c362ef72..6adf15486ce 100644
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@@ -85,7 +85,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_SAMR',
                     source='''samr/srv_samr_nt.c
                     samr/srv_samr_util.c
                     samr/srv_samr_chgpasswd.c''',
-                    deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK')
+                    deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK DCERPC_HELPER')
 
 bld.SAMBA3_SUBSYSTEM('RPC_SPOOLSS',
                     source='''spoolss/srv_spoolss_nt.c