From 46784b4d99c00d98811c1e6be43bda78eae77fe6 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 10 Nov 2009 12:48:52 +0100
Subject: s3-chgpasswd: split out a check_password_complexity() function.

Guenther
---
 source3/include/proto.h | 3 +++
 source3/smbd/chgpasswd.c | 64 +++++++++++++++++++++++++++++++-----------------
 2 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index e46fe3c1fd..6955593179 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6107,6 +6107,9 @@ NTSTATUS pass_oem_change(char *user,
 uchar password_encrypted_with_nt_hash[516],
 const uchar old_nt_hash_encrypted[16],
 enum samPwdChangeReason *reject_reason);
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason);
 NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, enum samPwdChangeReason *samr_reject_reason);
 
 /* The following definitions come from smbd/close.c */
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index e2069060aa..2da36b2fe6 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -1074,6 +1074,43 @@ static bool check_passwd_history(struct samu *sampass, const char *plaintext)
 return found;
 }
 
+/***********************************************************
+************************************************************/
+
+NTSTATUS check_password_complexity(const char *username,
+ const char *password,
+ enum samPwdChangeReason *samr_reject_reason)
+{
+ TALLOC_CTX *tosctx = talloc_tos();
+
+ /* Use external script to check password complexity */
+ if (lp_check_password_script() && *(lp_check_password_script())) {
+ int check_ret;
+ char *cmd;
+
+ cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
+ if (!cmd) {
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+
+ check_ret = smbrunsecret(cmd, password);
+ DEBUG(5,("check_password_complexity: check password script (%s) returned [%d]\n",
+ cmd, check_ret));
+ TALLOC_FREE(cmd);
+
+ if (check_ret != 0) {
+ DEBUG(1,("check_password_complexity: "
+ "check password script said new password is not good enough!\n"));
+ if (samr_reject_reason) {
+ *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
+ }
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
 /***********************************************************
 Code to change the oem password. Changes both the lanman and NT hashes.
 Old_passwd is almost always NULL.
@@ -1089,6 +1126,7 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 struct passwd *pass = NULL;
 const char *username = pdb_get_username(hnd);
 time_t can_change_time = pdb_get_pass_can_change_time(hnd);
+ NTSTATUS status;
 
 if (samr_reject_reason) {
 *samr_reject_reason = SAM_PWD_CHANGE_NO_ERROR;
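Review bot: The banner comment above the new check_password_complexity in the -1074 hunk is empty, so the function's contract is undocumented; the header should state that it returns NT_STATUS_OK whenever no "check password script" is configured, that it writes *samr_reject_reason only on rejection (callers such as change_oem_password are expected to preset it, as the -1089 hunk shows), and that `password` is handed to the script through smbrunsecret rather than placed in `cmd` — confirm that last point against smbrunsecret, which is not visible here. The `if (!cmd)` branch reports an allocation failure as NT_STATUS_PASSWORD_RESTRICTION without setting *samr_reject_reason, so the caller in the -1154 hunk will surface an out-of-memory condition as a complexity failure; `return NT_STATUS_NO_MEMORY;` would be the accurate status (behaviour inherited from the removed code, so acceptable as a follow-up). Because `username` is substituted into the script command line via `%u`, the header should also note that the function relies on talloc_string_sub (not shown here) to neutralise shell metacharacters rather than doing any quoting of its own, so that assumption stays visible where the command is built.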
@@ -1154,28 +1192,10 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw
 return NT_STATUS_ACCESS_DENIED;
 }
 
- /* Use external script to check password complexity */
- if (lp_check_password_script() && *(lp_check_password_script())) {
- int check_ret;
- char *cmd;
-
- cmd = talloc_string_sub(tosctx, lp_check_password_script(), "%u", username);
- if (!cmd) {
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
-
- check_ret = smbrunsecret(cmd, new_passwd);
- DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", cmd, check_ret));
- TALLOC_FREE(cmd);
-
- if (check_ret != 0) {
- DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
- if (samr_reject_reason) {
- *samr_reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
- }
- TALLOC_FREE(pass);
- return NT_STATUS_PASSWORD_RESTRICTION;
- }
+ status = check_password_complexity(username, new_passwd, samr_reject_reason);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(pass);
+ return status;
 }
 
 /*
-- cgit