From d876a22732d83ddf8e37ead89e6f23bf7aa0d69c Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 29 Oct 2013 12:19:01 +0100 Subject: Remove generation and handling of LM hashes https://fedorahosted.org/freeipa/ticket/3795 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +------ daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 48 +++++++--------------- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 3 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 17 +------- 4 files changed, 19 insertions(+), 63 deletions(-) (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop') diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index f0339c47c..2538a4094 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) slapi_entry_free(config_entry); /* get the ipa etc/ipaConfig entry */ - config->allow_lm_hash = false; config->allow_nt_hash = false; ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL); if (ret != LDAP_SUCCESS) { @@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) tmparray = slapi_entry_attr_get_charray(config_entry, "ipaConfigString"); for (i = 0; tmparray && tmparray[i]; i++) { - if (strcasecmp(tmparray[i], "AllowLMhash") == 0) { - config->allow_lm_hash = true; - continue; - } if (strcasecmp(tmparray[i], "AllowNThash") == 0) { config->allow_nt_hash = true; continue; @@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, Slapi_Value **pwvals = NULL; struct tm utctime; char timestr[GENERALIZED_TIME_LENGTH+1]; - char *lm = NULL; char *nt = NULL; int is_smb = 0; int is_ipant = 0; 
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, ret = ipapwd_gen_hashes(krbcfg, data, data->password, is_krb, is_smb, is_ipant, - &svals, &nt, &lm, &ntvals, &errMesg); + &svals, &nt, &ntvals, &errMesg); if (ret) { goto free_and_return; } @@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, } } - if (lm && is_smb) { - slapi_mods_add_string(smods, LDAP_MOD_REPLACE, - "sambaLMPassword", lm); - } - if (nt && is_smb) { slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt); @@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, LOG_TRACE("<= result: %d\n", ret); free_and_return: - if (lm) slapi_ch_free((void **)&lm); if (nt) slapi_ch_free((void **)&nt); if (modtime) slapi_ch_free((void **)&modtime); slapi_mods_free(&smods); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index a92eaf0da..28f164eb8 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -201,15 +201,13 @@ enc_error: int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, struct ipapwd_data *data, char *userpw, int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals, - char **nthash, char **lmhash, Slapi_Value ***ntvals, + char **nthash, Slapi_Value ***ntvals, char **errMesg) { int rc; - char *userpw_uc = NULL; *svals = NULL; *nthash = NULL; - *lmhash = NULL; *errMesg = NULL; if (is_krb) { 
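Review bot: With the `sambaLMPassword` replace dropped from ipapwd_SetPassword in the @@ -1004 hunk (and the matching block in ipapwd_pre_mod, hunk @@ -830 in prepost.c), an entry that already holds an LM hash keeps it across later password changes, so a weak hash of an earlier password stays in the directory. Nothing in the visible hunks clears the attribute; if cleanup is handled elsewhere, a comment at this spot should say so, e.g. `/* LM hashes are no longer written; an existing sambaLMPassword is removed by <cleanup step> */`. Otherwise consider clearing the attribute under `is_smb` when the password changes, after confirming that an empty replace is acceptable for every entry type that reaches this code. The function body starts and ends outside the hunk.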
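Review bot: `*ntvals` is the one out-parameter not reset at the top of ipapwd_gen_hashes in the @@ -201 hunk of encoding.c: `*svals`, `*nthash` and `*errMesg` are set to NULL, `*ntvals` is not. The call sites visible in prepost.c initialise `ntvals` to NULL themselves, but the declaration in ipapwd_SetPassword is not shown, and a caller that frees the array on an error path would otherwise act on whatever the pointer held. Adding `*ntvals = NULL;` next to the other resets makes the contract independent of the caller. The function continues past the end of the hunk.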
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, } if (is_smb || is_ipant) { - char lm[33], nt[33]; - struct ntlm_keys ntlm; + char nt[33]; + uint8_t nt_key[16]; int ret; - userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw); - if (!userpw_uc) { - *errMesg = "Failed to generate upper case password\n"; - LOG_FATAL("%s", *errMesg); - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - ret = encode_ntlm_keys(userpw, - userpw_uc, - krbcfg->allow_lm_hash, - krbcfg->allow_nt_hash, - &ntlm); - memset(userpw_uc, 0, strlen(userpw_uc)); - slapi_ch_free_string(&userpw_uc); - if (ret) { - *errMesg = "Failed to generate NT/LM hashes\n"; - LOG_FATAL("%s", *errMesg); - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - if (krbcfg->allow_lm_hash) { - hexbuf(lm, ntlm.lm); - lm[32] = '\0'; - *lmhash = slapi_ch_strdup(lm); - } if (krbcfg->allow_nt_hash) { - hexbuf(nt, ntlm.nt); + ret = encode_nt_key(userpw, nt_key); + if (ret) { + *errMesg = "Failed to generate NT/LM hashes\n"; + LOG_FATAL("%s", *errMesg); + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + + hexbuf(nt, nt_key); nt[32] = '\0'; *nthash = slapi_ch_strdup(nt); + } else { + memset(nt_key, 0, 16); } if (is_ipant) { @@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, goto done; } (*ntvals)[0] = slapi_value_new(); - if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) { + if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) { rc = LDAP_OPERATIONS_ERROR; goto done; } diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 74b636276..b4087488c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -132,7 +132,6 @@ struct ipapwd_krbcfg { krb5_key_salt_tuple *pref_encsalts; char **passsync_mgrs; int num_passsync_mgrs; - bool allow_lm_hash; bool allow_nt_hash; }; 
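Review bot: `nt_key` and its hex copy `nt` in the @@ -225 hunk hold the NT hash, which is password-equivalent for NTLM authentication, and neither buffer is cleared on the success path or before `goto done`; the removed code at least scrubbed `userpw_uc`. Wipe both before leaving the block with a call the optimiser cannot drop, e.g. `explicit_bzero(nt_key, sizeof nt_key);` and `explicit_bzero(nt, sizeof nt);` where the platform provides it. In the `else` branch `memset(nt_key, 0, sizeof nt_key);` avoids repeating the literal 16, and the error string still reads "Failed to generate NT/LM hashes" although only the NT hash is produced now. The enclosing `if (is_smb || is_ipant)` block ends outside this hunk.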
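Review bot: When `krbcfg->allow_nt_hash` is false, `nt_key` has been zero-filled by the `else` branch of the previous hunk, yet `slapi_value_set((*ntvals)[0], nt_key, 16)` in the @@ -269 hunk still runs for `is_ipant`, so the returned value is sixteen zero bytes rather than no value. What callers do with `ntvals` is not visible here, but a constant placeholder in a credential attribute is easy to mistake for a real hash; guarding the block with `if (is_ipant && krbcfg->allow_nt_hash) {` would make the disabled case explicit. The removed `encode_ntlm_keys` path may have behaved the same way, so confirm whether the zero value is intended before changing it. The `if (is_ipant)` block starts before and ends after this hunk.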
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset); int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, struct ipapwd_data *data, char *userpw, int is_krb, int is_smb, int is_ipant, - Slapi_Value ***svals, char **nthash, char **lmhash, + Slapi_Value ***svals, char **nthash, Slapi_Value ***ntvals, char **errMesg); /* from prepost.c */ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index 64a9d3140..ef37b5e17 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -325,13 +325,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) Slapi_Value **svals = NULL; Slapi_Value **ntvals = NULL; char *nt = NULL; - char *lm = NULL; pwdop->is_krb = is_krb; rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, userpw, is_krb, is_smb, is_ipant, - &svals, &nt, &lm, &ntvals, &errMesg); + &svals, &nt, &ntvals, &errMesg); if (rc != LDAP_SUCCESS) { goto done; } @@ -349,11 +348,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) ipapwd_free_slapi_value_array(&svals); } - if (lm && is_smb) { - /* set value */ - slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm); - slapi_ch_free_string(&lm); - } if (nt && is_smb) { /* set value */ slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt); @@ -814,11 +808,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) Slapi_Value **svals = NULL; Slapi_Value **ntvals = NULL; char *nt = NULL; - char *lm = NULL; rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw, gen_krb_keys, is_smb, is_ipant, - &svals, &nt, &lm, &ntvals, &errMesg); + &svals, &nt, &ntvals, &errMesg); if (rc) { goto done; } 
@@ -830,12 +823,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) ipapwd_free_slapi_value_array(&svals); } - if (lm && is_smb) { - /* replace value */ - slapi_mods_add_string(smods, LDAP_MOD_REPLACE, - "sambaLMPassword", lm); - slapi_ch_free_string(&lm); - } if (nt && is_smb) { /* replace value */ slapi_mods_add_string(smods, LDAP_MOD_REPLACE, -- cgit