s3: Factor password_in_history() out of check_passwd_history()

2 files changed, 44 insertions, 25 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b16120294..c0ca96bb92 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6116,6 +6116,9 @@ NTSTATUS pass_oem_change(char *user,
 			 uchar password_encrypted_with_nt_hash[516],
 			 const uchar old_nt_hash_encrypted[16],
 			 enum samPwdChangeReason *reject_reason);
+bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
+			 uint32_t pw_history_len,
+			 const uint8_t *pw_history);
 NTSTATUS check_password_complexity(const char *username,
 				   const char *password,
 				   enum samPwdChangeReason *samr_reject_reason);
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 70ce75c552..c858c2dfa0 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1008,6 +1008,41 @@ static NTSTATUS check_oem_password(const char *user,
 	return NT_STATUS_WRONG_PASSWORD;
 }
 
+bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
+			 uint32_t pw_history_len,
+			 const uint8_t *pw_history)
+{
+	static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, };
+	int i;
+
+	dump_data(100, nt_pw, NT_HASH_LEN);
+	dump_data(100, pw_history, PW_HISTORY_ENTRY_LEN * pw_history_len);
+
+	for (i=0; i<pw_history_len; i++) {
+		uint8_t new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
+		const uint8_t *current_salt;
+		const uint8_t *old_nt_pw_salted_md5_hash;
+
+		current_salt = &pw_history[i*PW_HISTORY_ENTRY_LEN];
+		old_nt_pw_salted_md5_hash = current_salt + PW_HISTORY_SALT_LEN;
+
+		if (memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash,
+			   SALTED_MD5_HASH_LEN) == 0) {
+			/* Ignore zero valued entries. */
+			continue;
+		}
+		/* Create salted versions of new to compare. */
+		E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+
+		if (memcmp(new_nt_pw_salted_md5_hash,
+			   old_nt_pw_salted_md5_hash,
+			   SALTED_MD5_HASH_LEN) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+
 /***********************************************************
  This routine takes the given password and checks it against
  the password history. Returns True if this password has been
@@ -1017,11 +1052,8 @@ static NTSTATUS check_oem_password(const char *user,
 static bool check_passwd_history(struct samu *sampass, const char *plaintext)
 {
 	uchar new_nt_p16[NT_HASH_LEN];
-	static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, };
 	const uint8 *nt_pw;
 	const uint8 *pwhistory;
-	bool found = False;
-	int i;
 	uint32 pwHisLen, curr_pwHisLen;
 
 	pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHisLen);
@@ -1048,29 +1080,13 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
 		return True;
 	}
 
-	dump_data(100, new_nt_p16, NT_HASH_LEN);
-	dump_data(100, pwhistory, PW_HISTORY_ENTRY_LEN*pwHisLen);
-
-	for (i=0; i<pwHisLen; i++) {
-		uchar new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
-		const uchar *current_salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN];
-		const uchar *old_nt_pw_salted_md5_hash = &pwhistory[(i*PW_HISTORY_ENTRY_LEN)+
-							PW_HISTORY_SALT_LEN];
-		if (!memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
-			/* Ignore zero valued entries. */
-			continue;
-		}
-		/* Create salted versions of new to compare. */
-		E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash);
-
-		if (!memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
-			DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n",
-				pdb_get_username(sampass) ));
-			found = True;
-			break;
-		}
+	if (password_in_history(new_nt_p16, pwHisLen, pwhistory)) {
+		DEBUG(1,("check_passwd_history: proposed new password for "
+			 "user %s found in history list !\n",
+			 pdb_get_username(sampass) ));
+		return true;
 	}
-	return found;
+	return false;
 }
 
 /***********************************************************