diff options
author | Michael Adam <obnox@samba.org> | 2010-01-05 16:58:30 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2010-01-07 16:51:17 +0100 |
commit | 667b6f3322ba97bc2e50067dccda9949bb21eaa0 (patch) | |
tree | de5872197f1c0b6256aa78ad8faa959ed37ccc84 /source3 | |
parent | 801edeccc6f529647eaed0dd23728a257cf9479f (diff) | |
download | samba-667b6f3322ba97bc2e50067dccda9949bb21eaa0.tar.gz samba-667b6f3322ba97bc2e50067dccda9949bb21eaa0.tar.bz2 samba-667b6f3322ba97bc2e50067dccda9949bb21eaa0.zip |
s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash
This is to introduce a new format of the password history, maintaining backwards
compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash).
The new format is 16 zero bytes and 16 bytes nt hash.
This will allow us to respect the last X entries of the nt password history
when deciding whether to increment the bad password count.
This is part of the fix for bug #4347 .
Michael
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/chgpasswd.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index c858c2dfa0..dcefc82bba 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -1031,13 +1031,31 @@ bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], /* Ignore zero valued entries. */ continue; } - /* Create salted versions of new to compare. */ - E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash); - if (memcmp(new_nt_pw_salted_md5_hash, - old_nt_pw_salted_md5_hash, - SALTED_MD5_HASH_LEN) == 0) { - return true; + if (memcmp(zero_md5_nt_pw, current_salt, + PW_HISTORY_SALT_LEN) == 0) + { + /* + * New format: zero salt and then plain nt hash. + * Directly compare the hashes. + */ + if (memcmp(nt_pw, old_nt_pw_salted_md5_hash, + SALTED_MD5_HASH_LEN) == 0) + { + return true; + } + } else { + /* + * Old format: md5sum of salted nt hash. + * Create salted version of new pw to compare. + */ + E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash); + + if (memcmp(new_nt_pw_salted_md5_hash, + old_nt_pw_salted_md5_hash, + SALTED_MD5_HASH_LEN) == 0) { + return true; + } } } return false; |