[SAMLIB]

SamChangePasswordUser: Encrypt the old and the new password hashes before calling the remote function. [SAMSRV] SamrChangePasswordUser: Decrypt the old and the new password hashes before checking the old password and storing the new password. svn path=/trunk/; revision=62080
2025-08-02 00:03:22 +00:00 · 2014-02-09 20:51:39 +00:00 · 2014-02-09 20:51:39 +00:00 · d37199d4cc
commit d37199d4cc
parent 5a930877dd
3 changed files with 123 additions and 21 deletions
--- a/reactos/dll/win32/samlib/samlib.c
+++ b/reactos/dll/win32/samlib/samlib.c
@ -45,6 +45,12 @@ WINAPI
 SystemFunction007(PUNICODE_STRING string,
                  LPBYTE hash);

+NTSTATUS
+WINAPI
+SystemFunction012(const BYTE *in,
+                  const BYTE *key,
+                  LPBYTE out);
+
 /* GLOBALS *******************************************************************/


@ -254,6 +260,13 @@ SamChangePasswordUser(IN SAM_HANDLE UserHandle,
    BOOLEAN NewLmPasswordPresent = FALSE;
    NTSTATUS Status;

+    ENCRYPTED_LM_OWF_PASSWORD OldLmEncryptedWithNewLm;
+    ENCRYPTED_LM_OWF_PASSWORD NewLmEncryptedWithOldLm;
+    ENCRYPTED_LM_OWF_PASSWORD OldNtEncryptedWithNewNt;
+    ENCRYPTED_LM_OWF_PASSWORD NewNtEncryptedWithOldNt;
+    PENCRYPTED_LM_OWF_PASSWORD pOldLmEncryptedWithNewLm = NULL;
+    PENCRYPTED_LM_OWF_PASSWORD pNewLmEncryptedWithOldLm = NULL;
+
    /* Calculate the NT hash for the old password */
    Status = SystemFunction007(OldPassword,
                               (LPBYTE)&OldNtPassword);
@ -312,15 +325,57 @@ SamChangePasswordUser(IN SAM_HANDLE UserHandle,
        }
    }

+    if (OldLmPasswordPresent && NewLmPasswordPresent)
+    {
+        Status = SystemFunction012((const BYTE *)&OldLmPassword,
+                                   (const BYTE *)&NewLmPassword,
+                                   (LPBYTE)&OldLmEncryptedWithNewLm);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction012 failed (Status 0x%08lx)\n", Status);
+            return Status;
+        }
+
+        Status = SystemFunction012((const BYTE *)&NewLmPassword,
+                                   (const BYTE *)&OldLmPassword,
+                                   (LPBYTE)&NewLmEncryptedWithOldLm);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction012 failed (Status 0x%08lx)\n", Status);
+            return Status;
+        }
+
+        pOldLmEncryptedWithNewLm = &OldLmEncryptedWithNewLm;
+        pNewLmEncryptedWithOldLm = &NewLmEncryptedWithOldLm;
+    }
+
+    Status = SystemFunction012((const BYTE *)&OldNtPassword,
+                               (const BYTE *)&NewNtPassword,
+                               (LPBYTE)&OldNtEncryptedWithNewNt);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SystemFunction012 failed (Status 0x%08lx)\n", Status);
+        return Status;
+    }
+
+    Status = SystemFunction012((const BYTE *)&NewNtPassword,
+                               (const BYTE *)&OldNtPassword,
+                               (LPBYTE)&NewNtEncryptedWithOldNt);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SystemFunction012 failed (Status 0x%08lx)\n", Status);
+        return Status;
+    }
+
    RpcTryExcept
    {
        Status = SamrChangePasswordUser((SAMPR_HANDLE)UserHandle,
                                        OldLmPasswordPresent && NewLmPasswordPresent,
-                                        &OldLmPassword,
-                                        &NewLmPassword,
+                                        pOldLmEncryptedWithNewLm,
+                                        pNewLmEncryptedWithOldLm,
                                        TRUE,
-                                        &OldNtPassword,
-                                        &NewNtPassword,
+                                        &OldNtEncryptedWithNewNt,
+                                        &NewNtEncryptedWithOldNt,
                                        FALSE,
                                        NULL,
                                        FALSE,
--- a/reactos/dll/win32/samsrv/samrpc.c
+++ b/reactos/dll/win32/samsrv/samrpc.c
@ -8047,10 +8047,10 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
 {
    ENCRYPTED_LM_OWF_PASSWORD StoredLmPassword;
    ENCRYPTED_NT_OWF_PASSWORD StoredNtPassword;
-    PENCRYPTED_LM_OWF_PASSWORD OldLmPassword;
-    PENCRYPTED_LM_OWF_PASSWORD NewLmPassword;
-    PENCRYPTED_NT_OWF_PASSWORD OldNtPassword;
-    PENCRYPTED_NT_OWF_PASSWORD NewNtPassword;
+    ENCRYPTED_LM_OWF_PASSWORD OldLmPassword;
+    ENCRYPTED_LM_OWF_PASSWORD NewLmPassword;
+    ENCRYPTED_NT_OWF_PASSWORD OldNtPassword;
+    ENCRYPTED_NT_OWF_PASSWORD NewNtPassword;
    BOOLEAN StoredLmPresent = FALSE;
    BOOLEAN StoredNtPresent = FALSE;
    BOOLEAN StoredLmEmpty = TRUE;
@ -8153,21 +8153,62 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
        if (!NT_SUCCESS(Status))
        {
            TRACE("SampGetObjectAttribute failed to retrieve the fixed domain data (Status 0x%08lx)\n", Status);
-            return Status;
+            goto done;
        }

        if (DomainFixedData.MinPasswordAge.QuadPart > 0)
        {
            if (SystemTime.QuadPart < (UserFixedData.PasswordLastSet.QuadPart + DomainFixedData.MinPasswordAge.QuadPart))
-                return STATUS_ACCOUNT_RESTRICTION;
+            {
+                Status = STATUS_ACCOUNT_RESTRICTION;
+                goto done;
+            }
        }
    }

-    /* FIXME: Decrypt passwords */
-    OldLmPassword = OldLmEncryptedWithNewLm;
-    NewLmPassword = NewLmEncryptedWithOldLm;
-    OldNtPassword = OldNtEncryptedWithNewNt;
-    NewNtPassword = NewNtEncryptedWithOldNt;
+    /* Decrypt the LM passwords, if present */
+    if (LmPresent)
+    {
+        Status = SystemFunction013((const BYTE *)NewLmEncryptedWithOldLm,
+                                   (const BYTE *)&StoredLmPassword,
+                                   (LPBYTE)&NewLmPassword);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction013 failed (Status 0x%08lx)\n", Status);
+            goto done;
+        }
+
+        Status = SystemFunction013((const BYTE *)OldLmEncryptedWithNewLm,
+                                   (const BYTE *)&NewLmPassword,
+                                   (LPBYTE)&OldLmPassword);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction013 failed (Status 0x%08lx)\n", Status);
+            goto done;
+        }
+    }
+
+    /* Decrypt the NT passwords, if present */
+    if (NtPresent)
+    {
+        Status = SystemFunction013((const BYTE *)NewNtEncryptedWithOldNt,
+                                   (const BYTE *)&StoredNtPassword,
+                                   (LPBYTE)&NewNtPassword);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction013 failed (Status 0x%08lx)\n", Status);
+            goto done;
+        }
+
+        Status = SystemFunction013((const BYTE *)OldNtEncryptedWithNewNt,
+                                   (const BYTE *)&NewNtPassword,
+                                   (LPBYTE)&OldNtPassword);
+        if (!NT_SUCCESS(Status))
+        {
+            TRACE("SystemFunction013 failed (Status 0x%08lx)\n", Status);
+            goto done;
+        }
+    }

    /* Check if the old passwords match the stored ones */
    if (NtPresent)
@ -8175,7 +8216,7 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
        if (LmPresent)
        {
            if (!RtlEqualMemory(&StoredLmPassword,
-                                OldLmPassword,
+                                &OldLmPassword,
                                sizeof(ENCRYPTED_LM_OWF_PASSWORD)))
            {
                TRACE("Old LM Password does not match!\n");
@ -8184,7 +8225,7 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
            else
            {
                if (!RtlEqualMemory(&StoredNtPassword,
-                                    OldNtPassword,
+                                    &OldNtPassword,
                                    sizeof(ENCRYPTED_LM_OWF_PASSWORD)))
                {
                    TRACE("Old NT Password does not match!\n");
@ -8195,7 +8236,7 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
        else
        {
            if (!RtlEqualMemory(&StoredNtPassword,
-                                OldNtPassword,
+                                &OldNtPassword,
                                sizeof(ENCRYPTED_LM_OWF_PASSWORD)))
            {
                TRACE("Old NT Password does not match!\n");
@ -8208,7 +8249,7 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
        if (LmPresent)
        {
            if (!RtlEqualMemory(&StoredLmPassword,
-                                OldLmPassword,
+                                &OldLmPassword,
                                sizeof(ENCRYPTED_LM_OWF_PASSWORD)))
            {
                TRACE("Old LM Password does not match!\n");
@ -8225,9 +8266,9 @@ SamrChangePasswordUser(IN SAMPR_HANDLE UserHandle,
    if (NT_SUCCESS(Status))
    {
        Status = SampSetUserPassword(UserObject,
-                                     NewNtPassword,
+                                     &NewNtPassword,
                                     NtPresent,
-                                     NewLmPassword,
+                                     &NewLmPassword,
                                     LmPresent);
        if (NT_SUCCESS(Status))
        {
--- a/reactos/dll/win32/samsrv/samsrv.h
+++ b/reactos/dll/win32/samsrv/samsrv.h
@ -434,4 +434,10 @@ WINAPI
 SystemFunction007(PUNICODE_STRING string,
                  LPBYTE hash);

+NTSTATUS
+WINAPI
+SystemFunction013(const BYTE *in,
+                  const BYTE *key,
+                  LPBYTE out);
+
 #endif /* _SAMSRV_PCH_ */