authorAndrew Bartlett <abartlet@samba.org>2011-07-25 11:21:31 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-08-03 18:48:03 +1000
commitda4345a8d1da94ac879b876ad826fa4ea7b95efd (patch)
treeff7b25a10a1c1573df22eb4313bc31063c14f37e
parent779573a5b3c6b8e91a08cc08ff516a957e539722 (diff)
s3-ntlmssp Remove rpccli_get_pwd_hash and auth_ntlmssp_get_nt_hash
The session key we want here (the only one that is available to the encryption layer) is the one obtained by cli_get_session_key(), as NTLMSSP creates a per-session session key via key exchange and NTLMv2 negotiation. The key was never directly the NT hash anyway (this is simply a mistake, the extra MD4() was lost during my previous cleanup f28f113d8e76824b080359c90efd9c92de533740 in 2008), but was MD4(NT hash) in early implementations of NTLMSSP. Regardless, this call is not available on domain trusts between AD domains and Windows 2003 R2, making this less useful. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source3/include/ntlmssp_wrap.h2
-rw-r--r--source3/libsmb/ntlmssp_wrap.c5
-rw-r--r--source3/rpc_client/cli_pipe.c41
-rw-r--r--source3/rpc_client/cli_pipe.h2
-rw-r--r--source3/rpcclient/cmd_lsarpc.c38
-rw-r--r--source3/utils/net_rpc.c12
6 files changed, 26 insertions, 74 deletions
diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h
index 303595dcdd..789842cc65 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/ntlmssp_wrap.h
@@ -64,8 +64,6 @@ bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *ans);
bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *ans);
const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans);
const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *ans);
-const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *ans);
-const uint8_t *auth_ntlmssp_get_nt_hash(struct auth_ntlmssp_state *ans);
NTSTATUS auth_ntlmssp_set_username(struct auth_ntlmssp_state *ans,
const char *user);
NTSTATUS auth_ntlmssp_set_domain(struct auth_ntlmssp_state *ans,
diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
index 817dc62910..da04ceb245 100644
--- a/source3/libsmb/ntlmssp_wrap.c
+++ b/source3/libsmb/ntlmssp_wrap.c
@@ -120,11 +120,6 @@ const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans)
return ans->ntlmssp_state->user;
}
-const uint8_t *auth_ntlmssp_get_nt_hash(struct auth_ntlmssp_state *ans)
-{
- return ans->ntlmssp_state->nt_hash;
-}
-
NTSTATUS auth_ntlmssp_set_username(struct auth_ntlmssp_state *ans,
const char *user)
{
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index c2e28188b9..80e3c4b1ae 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2208,47 +2208,6 @@ struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c)
return h;
}
-bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
-{
- struct auth_ntlmssp_state *a = NULL;
- struct cli_state *cli;
-
- if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
- a = talloc_get_type_abort(rpc_cli->auth->auth_ctx,
- struct auth_ntlmssp_state);
- } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
- struct spnego_context *spnego_ctx;
- enum spnego_mech auth_type;
- void *auth_ctx;
- NTSTATUS status;
-
- spnego_ctx = talloc_get_type_abort(rpc_cli->auth->auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx,
- &auth_type, &auth_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return false;
- }
-
- if (auth_type == SPNEGO_NTLMSSP) {
- a = talloc_get_type_abort(auth_ctx,
- struct auth_ntlmssp_state);
- }
- }
-
- if (a) {
- memcpy(nt_hash, auth_ntlmssp_get_nt_hash(a), 16);
- return true;
- }
-
- cli = rpc_pipe_np_smb_conn(rpc_cli);
- if (cli == NULL) {
- return false;
- }
- E_md4hash(cli->password ? cli->password : "", nt_hash);
- return true;
-}
-
NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
struct pipe_auth_data **presult)
{
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 65cc975806..25a134068f 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -52,8 +52,6 @@ unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli,
bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli);
-bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16]);
-
NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
struct pipe_auth_data **presult);
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index 3382eb1a5c..8325a61660 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -1162,16 +1162,15 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
}
static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
- uint8_t session_key[16])
+ DATA_BLOB session_key)
{
char *pwd, *pwd_old;
DATA_BLOB data = data_blob_const(p->password->data, p->password->length);
DATA_BLOB data_old = data_blob_const(p->old_password->data, p->old_password->length);
- DATA_BLOB session_key_blob = data_blob_const(session_key, sizeof(session_key));
- pwd = sess_decrypt_string(talloc_tos(), &data, &session_key_blob);
- pwd_old = sess_decrypt_string(talloc_tos(), &data_old, &session_key_blob);
+ pwd = sess_decrypt_string(talloc_tos(), &data, &session_key);
+ pwd_old = sess_decrypt_string(talloc_tos(), &data_old, &session_key);
d_printf("Password:\t%s\n", pwd);
d_printf("Old Password:\t%s\n", pwd_old);
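Review bot: `pwd` and `pwd_old` are passed to `d_printf` with `%s` without a NULL check, although sess_decrypt_string() can return NULL; vampire_trusted_domain in source3/utils/net_rpc.c tests its result for exactly that. A wrong or unexpectedly sized session key would therefore end in a NULL `%s` argument rather than a clear error. I would guard the two prints with `if (pwd == NULL || pwd_old == NULL) { d_fprintf(stderr, "Could not decrypt trust password\n"); return; }`. The rest of display_trust_dom_info_4 is outside this hunk, so check whether anything after the prints still has to run on that path.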
@@ -1183,11 +1182,11 @@ static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
union lsa_TrustedDomainInfo *info,
enum lsa_TrustDomInfoEnum info_class,
- uint8_t nt_hash[16])
+ DATA_BLOB session_key)
{
switch (info_class) {
case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
- display_trust_dom_info_4(&info->password, nt_hash);
+ display_trust_dom_info_4(&info->password, session_key);
break;
default: {
const char *str = NULL;
@@ -1212,7 +1211,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
union lsa_TrustedDomainInfo *info = NULL;
enum lsa_TrustDomInfoEnum info_class = 1;
- uint8_t nt_hash[16];
+ DATA_BLOB session_key;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc > 3 || argc < 2) {
@@ -1244,12 +1243,13 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
goto done;
}
- if (!rpccli_get_pwd_hash(cli, nt_hash)) {
- d_fprintf(stderr, "Could not get pwd hash\n");
+ status = cli_get_session_key(mem_ctx, cli, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not retrieve session key: %s\n", nt_errstr(status)));
goto done;
}
- display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
+ display_trust_dom_info(mem_ctx, info, info_class, session_key);
done:
dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
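Review bot: The key blob that cli_get_session_key() fills in is not released after `display_trust_dom_info(mem_ctx, info, info_class, session_key);`, whereas the net_rpc.c change in this same commit calls `data_blob_free(&session_key)` as soon as the decrypt is done. It presumably stays allocated under mem_ctx until the caller frees that context, which keeps session key material in memory longer than needed. I would add `data_blob_clear_free(&session_key);` directly after the display call; it must not go under `done:`, because session_key is declared uninitialised and earlier failure paths jump there before it is set. The same applies to the matching hunks in cmd_lsa_query_trustdominfobyname and cmd_lsa_query_trustdominfo, and the function body starts and ends outside this hunk.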
@@ -1267,8 +1267,8 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
union lsa_TrustedDomainInfo *info = NULL;
enum lsa_TrustDomInfoEnum info_class = 1;
struct lsa_String trusted_domain;
- uint8_t nt_hash[16];
struct dcerpc_binding_handle *b = cli->binding_handle;
+ DATA_BLOB session_key;
if (argc > 3 || argc < 2) {
printf("Usage: %s [name] [info_class]\n", argv[0]);
@@ -1298,12 +1298,13 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
goto done;
}
- if (!rpccli_get_pwd_hash(cli, nt_hash)) {
- d_fprintf(stderr, "Could not get pwd hash\n");
+ status = cli_get_session_key(mem_ctx, cli, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not retrieve session key: %s\n", nt_errstr(status)));
goto done;
}
- display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
+ display_trust_dom_info(mem_ctx, info, info_class, session_key);
done:
dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
@@ -1321,7 +1322,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
union lsa_TrustedDomainInfo *info = NULL;
struct dom_sid dom_sid;
enum lsa_TrustDomInfoEnum info_class = 1;
- uint8_t nt_hash[16];
+ DATA_BLOB session_key;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc > 3 || argc < 2) {
@@ -1366,12 +1367,13 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
goto done;
}
- if (!rpccli_get_pwd_hash(cli, nt_hash)) {
- d_fprintf(stderr, "Could not get pwd hash\n");
+ status = cli_get_session_key(mem_ctx, cli, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not retrieve session key: %s\n", nt_errstr(status)));
goto done;
}
- display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
+ display_trust_dom_info(mem_ctx, info, info_class, session_key);
done:
dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 592885ac7c..c2fc08693c 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6436,8 +6436,7 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
NTSTATUS nt_status, result;
union lsa_TrustedDomainInfo *info = NULL;
char *cleartextpwd = NULL;
- uint8_t session_key[16];
- DATA_BLOB session_key_blob;
+ DATA_BLOB session_key;
DATA_BLOB data = data_blob_null;
struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
@@ -6462,13 +6461,14 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
data = data_blob(info->password.password->data,
info->password.password->length);
- if (!rpccli_get_pwd_hash(pipe_hnd, session_key)) {
- DEBUG(0, ("Could not retrieve password hash\n"));
+ nt_status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not retrieve session key: %s\n", nt_errstr(nt_status)));
goto done;
}
- session_key_blob = data_blob_const(session_key, sizeof(session_key));
- cleartextpwd = sess_decrypt_string(mem_ctx, &data, &session_key_blob);
+ cleartextpwd = sess_decrypt_string(mem_ctx, &data, &session_key);
+ data_blob_free(&session_key);
if (cleartextpwd == NULL) {
DEBUG(0,("retrieved NULL password\n"));