From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Jul 2022 13:48:36 +0000 (+0200)
Subject: s3:rpcclient: Encrypt the password buffers only if really needed
X-Git-Tag: samba-4.17.0rc1~227
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f60c98c08729d4613d74949c3ff74dd911076a3;p=thirdparty%2Fsamba.git

s3:rpcclient: Encrypt the password buffers only if really needed

If we are in FIPS mode certain ciphers like RC4 are not available, so
we should make sure we do not call them. We will add AES support in the
next patch.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index a048a4f935e..5760ab6c1ff 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -3157,15 +3157,28 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
 		goto done;
 	}
 
-	status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-	status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
+	switch(level) {
+	case 18:
+	case 21:
+		nt_lm_owf_gen(param, nt_hash, lm_hash);
+		break;
+	case 23:
+	case 24:
+		status = init_samr_CryptPassword(param, &session_key, &pwd_buf);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+		break;
+	case 25:
+	case 26:
+		status = init_samr_CryptPasswordEx(param, &session_key, &pwd_buf_ex);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+		break;
+	default:
+		break;
 	}
-	nt_lm_owf_gen(param, nt_hash, lm_hash);
 
 	switch (level) {
 	case 18: