diff options
| author | Andreas Schneider <asn@samba.org> | 2019-11-15 13:49:40 +0100 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2020-10-29 14:19:36 +0000 |
| commit | a9c532c6d3e85fbe49b7040254cfc66ab54074bc (patch) | |
| tree | 2d9d2ada20836ac7d36243e36050ef074a5cae34 /source4/rpc_server | |
| parent | c6a21e1897985f267bcfc681179cea95165c3c57 (diff) | |
| download | samba-a9c532c6d3e85fbe49b7040254cfc66ab54074bc.tar.gz | |
s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Diffstat (limited to 'source4/rpc_server')
| -rw-r--r-- | source4/rpc_server/samr/samr_password.c | 30 | ||||
| -rw-r--r-- | source4/rpc_server/wscript_build | 2 |
2 files changed, 31 insertions, 1 deletions
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 52a644176e2..83b104fbd0e 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -31,6 +31,8 @@ #include "../lib/util/util_ldb.h" #include "rpc_server/samr/proto.h" #include "auth/auth_sam.h" +#include "lib/param/loadparm.h" +#include "librpc/rpc/dcerpc_helper.h" #include "lib/crypto/gnutls_helpers.h" #include <gnutls/gnutls.h> @@ -129,6 +131,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, struct dom_sid *user_objectSid = NULL; gnutls_cipher_hd_t cipher_hnd = NULL; gnutls_datum_t lm_session_key; + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + bool encrypted; int rc; if (pwbuf == NULL) { @@ -144,6 +148,12 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, return NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER; } + encrypted = dcerpc_is_transport_encrypted(session_info); + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + return NT_STATUS_ACCESS_DENIED; + } + /* Connect to a SAMDB with system privileges for fetching the old pw * hashes. */ sam_ctx = samdb_connect(mem_ctx, @@ -188,11 +198,13 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, .size = sizeof(lm_pwd->hash), }; + GNUTLS_FIPS140_SET_LAX_MODE(); rc = gnutls_cipher_init(&cipher_hnd, GNUTLS_CIPHER_ARCFOUR_128, &lm_session_key, NULL); if (rc < 0) { + GNUTLS_FIPS140_SET_STRICT_MODE(); status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto failed; } @@ -201,6 +213,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, pwbuf->data, 516); gnutls_cipher_deinit(cipher_hnd); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto failed; @@ -607,7 +620,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, DATA_BLOB session_key = data_blob(NULL, 0); gnutls_cipher_hd_t cipher_hnd = NULL; gnutls_datum_t _session_key; + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; int rc; + bool encrypted; + + encrypted = dcerpc_is_transport_encrypted(session_info); + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + return NT_STATUS_ACCESS_DENIED; + } nt_status = dcesrv_transport_session_key(dce_call, &session_key); if (!NT_STATUS_IS_OK(nt_status)) { @@ -621,11 +644,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, .size = session_key.length, }; + /* + * This is safe to support as we only have a session key + * over a SMB connection which we force to be encrypted. + */ + GNUTLS_FIPS140_SET_LAX_MODE(); rc = gnutls_cipher_init(&cipher_hnd, GNUTLS_CIPHER_ARCFOUR_128, &_session_key, NULL); if (rc < 0) { + GNUTLS_FIPS140_SET_STRICT_MODE(); nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; } @@ -634,6 +663,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, pwbuf->data, 516); gnutls_cipher_deinit(cipher_hnd); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); goto out; diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build index de55ad6239a..c9c1978f223 100644 --- a/source4/rpc_server/wscript_build +++ b/source4/rpc_server/wscript_build @@ -87,7 +87,7 @@ bld.SAMBA_MODULE('dcesrv_samr', autoproto='samr/proto.h', subsystem='dcerpc_server', init_function='dcerpc_server_samr_init', - deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS' + deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS DCERPC_HELPER' ) |