summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/smbd/chgpasswd.c66
2 files changed, 44 insertions, 25 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b16120294..c0ca96bb92 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6116,6 +6116,9 @@ NTSTATUS pass_oem_change(char *user,
uchar password_encrypted_with_nt_hash[516],
const uchar old_nt_hash_encrypted[16],
enum samPwdChangeReason *reject_reason);
+bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
+ uint32_t pw_history_len,
+ const uint8_t *pw_history);
NTSTATUS check_password_complexity(const char *username,
const char *password,
enum samPwdChangeReason *samr_reject_reason);
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 70ce75c552..c858c2dfa0 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1008,6 +1008,41 @@ static NTSTATUS check_oem_password(const char *user,
return NT_STATUS_WRONG_PASSWORD;
}
+bool password_in_history(uint8_t nt_pw[NT_HASH_LEN],
+ uint32_t pw_history_len,
+ const uint8_t *pw_history)
+{
+ static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, };
+ int i;
+
+ dump_data(100, nt_pw, NT_HASH_LEN);
+ dump_data(100, pw_history, PW_HISTORY_ENTRY_LEN * pw_history_len);
+
+ for (i=0; i<pw_history_len; i++) {
+ uint8_t new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
+ const uint8_t *current_salt;
+ const uint8_t *old_nt_pw_salted_md5_hash;
+
+ current_salt = &pw_history[i*PW_HISTORY_ENTRY_LEN];
+ old_nt_pw_salted_md5_hash = current_salt + PW_HISTORY_SALT_LEN;
+
+ if (memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash,
+ SALTED_MD5_HASH_LEN) == 0) {
+ /* Ignore zero valued entries. */
+ continue;
+ }
+ /* Create salted versions of new to compare. */
+ E_md5hash(current_salt, nt_pw, new_nt_pw_salted_md5_hash);
+
+ if (memcmp(new_nt_pw_salted_md5_hash,
+ old_nt_pw_salted_md5_hash,
+ SALTED_MD5_HASH_LEN) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
+
/***********************************************************
This routine takes the given password and checks it against
the password history. Returns True if this password has been
@@ -1017,11 +1052,8 @@ static NTSTATUS check_oem_password(const char *user,
static bool check_passwd_history(struct samu *sampass, const char *plaintext)
{
uchar new_nt_p16[NT_HASH_LEN];
- static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, };
const uint8 *nt_pw;
const uint8 *pwhistory;
- bool found = False;
- int i;
uint32 pwHisLen, curr_pwHisLen;
pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHisLen);
@@ -1048,29 +1080,13 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
return True;
}
- dump_data(100, new_nt_p16, NT_HASH_LEN);
- dump_data(100, pwhistory, PW_HISTORY_ENTRY_LEN*pwHisLen);
-
- for (i=0; i<pwHisLen; i++) {
- uchar new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
- const uchar *current_salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN];
- const uchar *old_nt_pw_salted_md5_hash = &pwhistory[(i*PW_HISTORY_ENTRY_LEN)+
- PW_HISTORY_SALT_LEN];
- if (!memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
- /* Ignore zero valued entries. */
- continue;
- }
- /* Create salted versions of new to compare. */
- E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash);
-
- if (!memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
- DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n",
- pdb_get_username(sampass) ));
- found = True;
- break;
- }
+ if (password_in_history(new_nt_p16, pwHisLen, pwhistory)) {
+ DEBUG(1,("check_passwd_history: proposed new password for "
+ "user %s found in history list !\n",
+ pdb_get_username(sampass) ));
+ return true;
}
- return found;
+ return false;
}
/***********************************************************