summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-12-02 09:55:56 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-12-02 11:51:06 +0100
commit573389c8cc8d74ad8560bc3531be5e2207d1bdaa (patch)
tree1b1161255389623f55b1b833be9ce5bcc7c61bb8 /source4/dsdb/samdb/ldb_modules
parentf62972b7617c6349f238f1420e7b7296065e866b (diff)
downloadsamba-573389c8cc8d74ad8560bc3531be5e2207d1bdaa.tar.gz
samba-573389c8cc8d74ad8560bc3531be5e2207d1bdaa.tar.bz2
samba-573389c8cc8d74ad8560bc3531be5e2207d1bdaa.zip
s4:password_hash LDB module - allow empty ("") passwords
This seems to have been broken some time ago - till someone on the mailing list noticed it. I've also added a testsuite (and some additional SamDB python helpers) which should prove this.
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c53
1 files changed, 31 insertions, 22 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 35d2729297..4e2e96fa65 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1298,18 +1298,22 @@ static int setup_given_passwords(struct setup_password_fields_io *io,
(void *)&cleartext_utf16_blob->data,
&cleartext_utf16_blob->length,
false)) {
- talloc_free(cleartext_utf16_blob);
- ldb_asprintf_errstring(ldb,
- "setup_password_fields: "
- "failed to generate UTF16 password from cleartext UTF8 password for user %s", io->u.sAMAccountName);
- return LDB_ERR_CONSTRAINT_VIOLATION;
- } else {
- g->cleartext_utf16 = cleartext_utf16_blob;
+ if (g->cleartext_utf8->length != 0) {
+ talloc_free(cleartext_utf16_blob);
+ ldb_asprintf_errstring(ldb,
+ "setup_password_fields: "
+ "failed to generate UTF16 password from cleartext UTF8 one for user '%s'!",
+ io->u.sAMAccountName);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ } else {
+ /* passwords with length "0" are valid! */
+ cleartext_utf16_blob->data = NULL;
+ cleartext_utf16_blob->length = 0;
+ }
}
+ g->cleartext_utf16 = cleartext_utf16_blob;
} else if (g->cleartext_utf16) {
- char *cleartext_utf8_str;
struct ldb_val *cleartext_utf8_blob;
- size_t converted_pw_len;
cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
if (!cleartext_utf8_blob) {
@@ -1319,20 +1323,25 @@ static int setup_given_passwords(struct setup_password_fields_io *io,
CH_UTF16MUNGED, CH_UTF8,
g->cleartext_utf16->data,
g->cleartext_utf16->length,
- (void *)&cleartext_utf8_str,
- &converted_pw_len, false)) {
- /* We must bail out here, the input wasn't even a
- * multiple of 2 bytes */
- talloc_free(cleartext_utf8_blob);
- ldb_asprintf_errstring(ldb,
- "setup_password_fields: "
- "UTF16 password for user %s had odd length (length must be a multiple of 2)", io->u.sAMAccountName);
- return LDB_ERR_CONSTRAINT_VIOLATION;
- } else {
- *cleartext_utf8_blob = data_blob_const(cleartext_utf8_str,
- converted_pw_len);
- g->cleartext_utf8 = cleartext_utf8_blob;
+ (void *)&cleartext_utf8_blob->data,
+ &cleartext_utf8_blob->length,
+ false)) {
+ if (g->cleartext_utf16->length != 0) {
+ /* We must bail out here, the input wasn't even
+ * a multiple of 2 bytes */
+ talloc_free(cleartext_utf8_blob);
+ ldb_asprintf_errstring(ldb,
+ "setup_password_fields: "
+ "failed to generate UTF8 password from cleartext UTF 16 one for user '%s' - the latter had odd length (length must be a multiple of 2)!",
+ io->u.sAMAccountName);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ } else {
+ /* passwords with length "0" are valid! */
+ cleartext_utf8_blob->data = NULL;
+ cleartext_utf8_blob->length = 0;
+ }
}
+ g->cleartext_utf8 = cleartext_utf8_blob;
}
if (g->cleartext_utf16) {