enum samba_gnutls_direction encrypt);
int E_P16(const uint8_t *p14,uint8_t *p16);
int E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24);
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out);
int des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16]);
void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw);
void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw);
return des_crypt56_gnutls(p24+16, c8, p21+14, SAMBA_GNUTLS_ENCRYPT);
}
-void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
+int E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
{
- des_crypt56(out, in, p14, 1);
- des_crypt56(out+8, in+8, p14+7, 1);
+ int ret;
+
+ ret = des_crypt56_gnutls(out, in, p14, SAMBA_GNUTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return des_crypt56_gnutls(out+8, in+8, p14+7, SAMBA_GNUTLS_ENCRYPT);
}
/* des encryption with a 128 bit key */
0x37, 0xEF, 0xBE, 0x58, 0xC2, 0x59, 0x33, 0xEC
};
uint8_t crypt[16];
+ int rc;
- E_old_pw_hash(key, clear, crypt);
+ rc = E_old_pw_hash(key, clear, crypt);
+ assert_int_equal(rc, 0);
assert_memory_equal(crypt, crypt_expected, 16);
}
*/
E_deshash(new_password, new_pw_hash);
- E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]);
+ rc = E_old_pw_hash( new_pw_hash, old_pw_hash, (uchar *)&data[516]);
+ if (rc != 0) {
+ DBG_ERR("E_old_pw_hash failed: %s\n", gnutls_strerror(rc));
+ return false;
+ }
data_len = 532;
NTSTATUS *presult)
{
NTSTATUS status;
+ int rc;
struct samr_Password hash1, hash2, hash3, hash4, hash5, hash6;
uint8_t old_nt_hash[16] = {0};
E_deshash(oldpassword, old_lm_hash);
E_deshash(newpassword, new_lm_hash);
- E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
- E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash);
- E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash);
- E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash);
- E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash);
- E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash);
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, hash1.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
+ rc = E_old_pw_hash(old_lm_hash, new_lm_hash, hash2.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, hash3.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
+ rc = E_old_pw_hash(old_nt_hash, new_nt_hash, hash4.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
+ rc = E_old_pw_hash(old_lm_hash, new_nt_hash, hash5.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
+ rc = E_old_pw_hash(old_nt_hash, new_lm_hash, hash6.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
status = dcerpc_samr_ChangePasswordUser(h,
mem_ctx,
&hash6,
presult);
+done:
ZERO_ARRAY(old_nt_hash);
ZERO_ARRAY(old_lm_hash);
ZERO_ARRAY(new_nt_hash);
NTSTATUS *presult)
{
NTSTATUS status;
+ int rc;
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
return status;
}
- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
status = dcerpc_samr_ChangePasswordUser2(h,
mem_ctx,
&old_lanman_hash_enc,
presult);
+done:
ZERO_STRUCT(new_nt_password);
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_nt_hash_enc);
NTSTATUS *presult)
{
NTSTATUS status;
+ int rc;
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
return status;
}
- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
return status;
}
- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto done;
+ }
status = dcerpc_samr_ChangePasswordUser3(h,
mem_ctx,
reject,
presult);
+done:
ZERO_STRUCT(new_nt_password);
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_nt_hash_enc);
/*
* check the NT verifier
*/
- E_old_pw_hash(new_nt_hash, nt_pw, verifier);
+ rc = E_old_pw_hash(new_nt_hash, nt_pw, verifier);
+ if (rc != 0) {
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
+ return gnutls_error_to_ntstatus(rc, status);
+ }
if (memcmp(verifier, old_nt_hash_encrypted, 16)) {
DEBUG(0, ("check_oem_password: old nt "
"password doesn't match.\n"));
/*
* check the lm verifier
*/
- E_old_pw_hash(new_nt_hash, lanman_pw, verifier);
+ rc = E_old_pw_hash(new_nt_hash, lanman_pw, verifier);
+ if (rc != 0) {
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
+ return gnutls_error_to_ntstatus(rc, status);
+ }
if (memcmp(verifier, old_lm_hash_encrypted, 16)) {
DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
return NT_STATUS_WRONG_PASSWORD;
/*
* check the lm verifier
*/
- E_old_pw_hash(new_lm_hash, lanman_pw, verifier);
+ rc = E_old_pw_hash(new_lm_hash, lanman_pw, verifier);
+ if (rc != 0) {
+ NTSTATUS status = NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
+ return gnutls_error_to_ntstatus(rc, status);
+ }
if (memcmp(verifier, old_lm_hash_encrypted, 16)) {
DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
return NT_STATUS_WRONG_PASSWORD;
gnutls_cipher_deinit(cipher_hnd);
return;
}
- E_old_pw_hash(new_nt_hash, old_lm_hash,
+ rc = E_old_pw_hash(new_nt_hash, old_lm_hash,
old_lm_hash_enc.data);
+ if (rc != 0) {
+ DBG_ERR("E_old_pw_hash failed: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
} else {
new_lm_pswd.data = NULL;
new_lm_pswd.length = 0;
if (rc < 0) {
return;
}
- E_old_pw_hash(new_nt_hash, old_nt_hash,
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash,
old_nt_hash_enc.data);
+ if (rc != 0) {
+ DBG_ERR("E_old_pw_hash failed: %s\n",
+ gnutls_strerror(rc));
+ return;
+ }
ZERO_ARRAY(old_nt_hash);
ZERO_ARRAY(old_lm_hash);
goto disconnect;
}
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto disconnect;
+ }
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
goto disconnect;
}
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto disconnect;
+ }
pw3.in.server = &server;
pw3.in.account = &account;
goto disconnect;
}
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto disconnect;
+ }
encode_pw_buffer(nt_pass.data, r->samr.in.newpassword, STR_UNICODE);
goto disconnect;
}
- E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+ rc = E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto disconnect;
+ }
pw2.in.server = &server;
pw2.in.account = &account;
goto disconnect;
}
- E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ rc = E_old_pw_hash(new_lm_hash, old_lm_hash, lm_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto disconnect;
+ }
oe2.in.server = &a_server;
oe2.in.account = &a_account;
new_unicode_password.length = unicode_pw_len;
E_deshash(new_pass, new_lm_hash);
- E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
+ rc = E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto failed;
+ }
if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
authsam_update_bad_pwd_count(sam_ctx, res[0], ldb_get_default_basedn(sam_ctx));
status = NT_STATUS_WRONG_PASSWORD;
mdfour(new_nt_hash, new_password.data, new_password.length);
E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto failed;
+ }
if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
new_password.length,
(void **)&new_pass, &converted_size)) {
E_deshash(new_pass, new_lm_hash);
- E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
+ rc = E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
+ if (rc != 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ goto failed;
+ }
if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;