authorMichael Adam <obnox@samba.org>2010-01-05 16:58:30 +0100
committerMichael Adam <obnox@samba.org>2010-01-07 16:51:17 +0100
commit667b6f3322ba97bc2e50067dccda9949bb21eaa0 (patch)
treede5872197f1c0b6256aa78ad8faa959ed37ccc84
parent801edeccc6f529647eaed0dd23728a257cf9479f (diff)
s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash
This is to introduce a new format of the password history, maintaining backwards compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash). The new format is 16 zero bytes and 16 bytes nt hash. This will allow us to respect the last X entries of the nt password history when deciding whether to increment the bad password count. This is part of the fix for bug #4347 . Michael
-rw-r--r--source3/smbd/chgpasswd.c30
1 files changed, 24 insertions, 6 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index c858c2dfa0..dcefc82bba 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1031,13 +1031,31 @@ bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
/* Ignore zero valued entries. */
continue;
}
- /* Create salted versions of new to compare. */
- E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
- if (memcmp(new_nt_pw_salted_md5_hash,
- old_nt_pw_salted_md5_hash,
- SALTED_MD5_HASH_LEN) == 0) {
- return true;
+ if (memcmp(zero_md5_nt_pw, current_salt,
+ PW_HISTORY_SALT_LEN) == 0)
+ {
+ /*
+ * New format: zero salt and then plain nt hash.
+ * Directly compare the hashes.
+ */
+ if (memcmp(nt_pw, old_nt_pw_salted_md5_hash,
+ SALTED_MD5_HASH_LEN) == 0)
+ {
+ return true;
+ }
+ } else {
+ /*
+ * Old format: md5sum of salted nt hash.
+ * Create salted version of new pw to compare.
+ */
+ E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+
+ if (memcmp(new_nt_pw_salted_md5_hash,
+ old_nt_pw_salted_md5_hash,
+ SALTED_MD5_HASH_LEN) == 0) {
+ return true;
+ }
}
}
return false;
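Review bot: The new-format branch compares `nt_pw`, which the signature declares as `NT_HASH_LEN` bytes, over `SALTED_MD5_HASH_LEN` bytes, and the zero-salt test reads `PW_HISTORY_SALT_LEN` bytes of `zero_md5_nt_pw`, so both `memcmp` calls stay in bounds only while those constants remain equal (the commit message gives 16 bytes for each field). I would use `NT_HASH_LEN` as the length in the plain-hash compare and add a compile-time check that `NT_HASH_LEN == SALTED_MD5_HASH_LEN` and that `PW_HISTORY_SALT_LEN` does not exceed the size of `zero_md5_nt_pw`. The "New format" comment could also say that these entries hold unsalted NT hashes, which are password-equivalent for NTLM authentication, so the history attribute needs the same access protection as the current hash, e.g. `/* NOTE: entry is a plain NT hash; protect pwhistory like the NT hash itself. */`. The function body begins above the hunk, so the declaration of `zero_md5_nt_pw` and the condition of the zero-entry test are not visible here and should be confirmed against the full file.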