summaryrefslogtreecommitdiff
path: root/source4/rpc_server
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-11-25 01:13:44 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:07 -0500
commitcf91ad8122055bb5be4906fe89dc007ab44326de (patch)
treea326b4ff3ccbc721666d699d47b885e740a49c4d /source4/rpc_server
parent9e5bee246f4317898f302faa755d074a932c84bf (diff)
downloadsamba-cf91ad8122055bb5be4906fe89dc007ab44326de.tar.gz
samba-cf91ad8122055bb5be4906fe89dc007ab44326de.tar.bz2
samba-cf91ad8122055bb5be4906fe89dc007ab44326de.zip
r3952: added validation of the lm and nt verifiers to our server side password change code.
(This used to be commit f70e8f02d6164046781a5d63fa5c0b86b8ab8df9)
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/samr/samr_password.c43
1 files changed, 41 insertions, 2 deletions
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 6f99508122..745d2cfc05 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -143,6 +143,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
const char *domain_sid;
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
+ uint8_t new_lm_hash[16];
+ struct samr_Password lm_verifier;
if (pwbuf == NULL) {
return NT_STATUS_WRONG_PASSWORD;
@@ -184,6 +186,17 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_WRONG_PASSWORD;
}
+ /* check LM verifier */
+ if (lm_pwd == NULL || r->in.hash == NULL) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ E_deshash(new_pass, new_lm_hash);
+ E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
+ if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
/* work out the domain dn */
domain_sid = samdb_result_sid_prefix(mem_ctx, res[0], "objectSid");
if (domain_sid == NULL) {
@@ -243,11 +256,13 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
"pwdProperties", "minPwdAge", "maxPwdAge",
NULL };
const char *domain_sid;
- struct samr_Password *nt_pwd;
+ struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo;
struct samr_ChangeReject *reject;
uint32_t reason = 0;
+ uint8_t new_nt_hash[16], new_lm_hash[16];
+ struct samr_Password nt_verifier, lm_verifier;
ZERO_STRUCT(r->out);
@@ -279,7 +294,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
user_dn = res[0]->dn;
- status = samdb_result_passwords(mem_ctx, res[0], NULL, &nt_pwd);
+ status = samdb_result_passwords(mem_ctx, res[0], &lm_pwd, &nt_pwd);
if (!NT_STATUS_IS_OK(status) ) {
goto failed;
}
@@ -301,6 +316,30 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
goto failed;
}
+ if (r->in.nt_verifier == NULL) {
+ status = NT_STATUS_WRONG_PASSWORD;
+ goto failed;
+ }
+
+ /* check NT verifier */
+ E_md4hash(new_pass, new_nt_hash);
+ E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
+ if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
+ status = NT_STATUS_WRONG_PASSWORD;
+ goto failed;
+ }
+
+ /* check LM verifier */
+ if (lm_pwd && r->in.lm_verifier != NULL) {
+ E_deshash(new_pass, new_lm_hash);
+ E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
+ if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
+ status = NT_STATUS_WRONG_PASSWORD;
+ goto failed;
+ }
+ }
+
+
/* work out the domain dn */
domain_sid = samdb_result_sid_prefix(mem_ctx, res[0], "objectSid");
if (domain_sid == NULL) {