diff options
-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 66 |
2 files changed, 44 insertions, 25 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 5b16120294..c0ca96bb92 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -6116,6 +6116,9 @@ NTSTATUS pass_oem_change(char *user, uchar password_encrypted_with_nt_hash[516], const uchar old_nt_hash_encrypted[16], enum samPwdChangeReason *reject_reason); +bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], + uint32_t pw_history_len, + const uint8_t *pw_history); NTSTATUS check_password_complexity(const char *username, const char *password, enum samPwdChangeReason *samr_reject_reason); diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 70ce75c552..c858c2dfa0 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -1008,6 +1008,41 @@ static NTSTATUS check_oem_password(const char *user, return NT_STATUS_WRONG_PASSWORD; } +bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], + uint32_t pw_history_len, + const uint8_t *pw_history) +{ + static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, }; + int i; + + dump_data(100, nt_pw, NT_HASH_LEN); + dump_data(100, pw_history, PW_HISTORY_ENTRY_LEN * pw_history_len); + + for (i=0; i<pw_history_len; i++) { + uint8_t new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN]; + const uint8_t *current_salt; + const uint8_t *old_nt_pw_salted_md5_hash; + + current_salt = &pw_history[i*PW_HISTORY_ENTRY_LEN]; + old_nt_pw_salted_md5_hash = current_salt + PW_HISTORY_SALT_LEN; + + if (memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, + SALTED_MD5_HASH_LEN) == 0) { + /* Ignore zero valued entries. */ + continue; + } + /* Create salted versions of new to compare. */ + E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash); + + if (memcmp(new_nt_pw_salted_md5_hash, + old_nt_pw_salted_md5_hash, + SALTED_MD5_HASH_LEN) == 0) { + return true; + } + } + return false; +} + /*********************************************************** This routine takes the given password and checks it against the password history. Returns True if this password has been @@ -1017,11 +1052,8 @@ static NTSTATUS check_oem_password(const char *user, static bool check_passwd_history(struct samu *sampass, const char *plaintext) { uchar new_nt_p16[NT_HASH_LEN]; - static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, }; const uint8 *nt_pw; const uint8 *pwhistory; - bool found = False; - int i; uint32 pwHisLen, curr_pwHisLen; pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHisLen); @@ -1048,29 +1080,13 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext) return True; } - dump_data(100, new_nt_p16, NT_HASH_LEN); - dump_data(100, pwhistory, PW_HISTORY_ENTRY_LEN*pwHisLen); - - for (i=0; i<pwHisLen; i++) { - uchar new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN]; - const uchar *current_salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN]; - const uchar *old_nt_pw_salted_md5_hash = &pwhistory[(i*PW_HISTORY_ENTRY_LEN)+ - PW_HISTORY_SALT_LEN]; - if (!memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) { - /* Ignore zero valued entries. */ - continue; - } - /* Create salted versions of new to compare. */ - E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash); - - if (!memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) { - DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n", - pdb_get_username(sampass) )); - found = True; - break; - } + if (password_in_history(new_nt_p16, pwHisLen, pwhistory)) { + DEBUG(1,("check_passwd_history: proposed new password for " + "user %s found in history list !\n", + pdb_get_username(sampass) )); + return true; } - return found; + return false; } /*********************************************************** |