authorSumit Bose <sbose@redhat.com>2013-10-29 12:19:01 +0100
committerMartin Kosek <mkosek@redhat.com>2013-11-01 09:28:35 +0100
commitd876a22732d83ddf8e37ead89e6f23bf7aa0d69c (patch)
tree42e30054f3c6586d063c23551f1a9217392f1264 /daemons
parentb5e60c20201d174cdf4df51a1443ab295cc086b9 (diff)
Remove generation and handling of LM hashes
https://fedorahosted.org/freeipa/ticket/3795
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-sam/ipa_sam.c21
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c14
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c48
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h3
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c17
5 files changed, 22 insertions, 81 deletions
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 59ddcef2..674085d2 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2637,10 +2637,9 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
char *name;
char *trustpw = NULL;
char *trustpw_utf8 = NULL;
- char *trustpw_utf8_uc = NULL;
char *tmp_str = NULL;
int ret;
- struct ntlm_keys ntlm_keys;
+ uint8_t nt_key[16];
size_t converted_size;
bool res;
char *sid_str;
@@ -2706,23 +2705,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
goto done;
}
- if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
- res = false;
- goto done;
- }
-
- ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
- &ntlm_keys);
+ ret = encode_nt_key(trustpw_utf8, nt_key);
if (ret != 0) {
res = false;
goto done;
}
- if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
- res = false;
- goto done;
- }
- if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
+ if (!pdb_set_nt_passwd(user, nt_key, PDB_SET)) {
res = false;
goto done;
}
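Review bot: `nt_key` receives the NT hash of the trust password from `encode_nt_key()` here, but nothing in the visible hunks clears it before `init_sam_from_td` returns; the `done:` path shown in the next hunk scrubs `tmp_str` and not this buffer. The NT hash is password-equivalent for NTLM authentication, so it deserves the same treatment as the cleartext copies: add `memset(nt_key, 0, sizeof(nt_key));` under `done:`. A plain memset of a local that is about to go out of scope may be removed by the optimizer, so a non-elidable zeroing helper is preferable if the tree provides one. The function body starts and ends outside this hunk.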
@@ -2741,10 +2730,6 @@ done:
memset(tmp_str, 0, strlen(tmp_str));
talloc_free(tmp_str);
}
- if (trustpw_utf8_uc != NULL) {
- memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
- talloc_free(trustpw_utf8_uc);
- }
return res;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f0339c47..2538a409 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
slapi_entry_free(config_entry);
/* get the ipa etc/ipaConfig entry */
- config->allow_lm_hash = false;
config->allow_nt_hash = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
for (i = 0; tmparray && tmparray[i]; i++) {
- if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
- config->allow_lm_hash = true;
- continue;
- }
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **pwvals = NULL;
struct tm utctime;
char timestr[GENERALIZED_TIME_LENGTH+1];
- char *lm = NULL;
char *nt = NULL;
int is_smb = 0;
int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
ret = ipapwd_gen_hashes(krbcfg, data,
data->password,
is_krb, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (ret) {
goto free_and_return;
}
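Review bot: After this call `ipapwd_SetPassword` only replaces `sambaNTPassword`, so an entry that already carries a `sambaLMPassword` value would presumably keep it, describing the previous password, across every later password change. Nothing in the visible hunks removes the attribute, and the same applies to `ipapwd_pre_mod` in prepost.c; whether an upgrade step elsewhere purges it cannot be seen from here. If it is not handled elsewhere, the modify paths should clear the attribute when `is_smb` is set, or at least carry a comment such as `/* sambaLMPassword is no longer written; values stored before this change are not removed here */`. The function continues outside the hunk.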
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
}
}
- if (lm && is_smb) {
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "sambaLMPassword", lm);
- }
-
if (nt && is_smb) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
LOG_TRACE("<= result: %d\n", ret);
free_and_return:
- if (lm) slapi_ch_free((void **)&lm);
if (nt) slapi_ch_free((void **)&nt);
if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index a92eaf0d..28f164eb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -201,15 +201,13 @@ enc_error:
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
- char **nthash, char **lmhash, Slapi_Value ***ntvals,
+ char **nthash, Slapi_Value ***ntvals,
char **errMesg)
{
int rc;
- char *userpw_uc = NULL;
*svals = NULL;
*nthash = NULL;
- *lmhash = NULL;
*errMesg = NULL;
if (is_krb) {
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
}
if (is_smb || is_ipant) {
- char lm[33], nt[33];
- struct ntlm_keys ntlm;
+ char nt[33];
+ uint8_t nt_key[16];
int ret;
- userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
- if (!userpw_uc) {
- *errMesg = "Failed to generate upper case password\n";
- LOG_FATAL("%s", *errMesg);
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- ret = encode_ntlm_keys(userpw,
- userpw_uc,
- krbcfg->allow_lm_hash,
- krbcfg->allow_nt_hash,
- &ntlm);
- memset(userpw_uc, 0, strlen(userpw_uc));
- slapi_ch_free_string(&userpw_uc);
- if (ret) {
- *errMesg = "Failed to generate NT/LM hashes\n";
- LOG_FATAL("%s", *errMesg);
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- if (krbcfg->allow_lm_hash) {
- hexbuf(lm, ntlm.lm);
- lm[32] = '\0';
- *lmhash = slapi_ch_strdup(lm);
- }
if (krbcfg->allow_nt_hash) {
- hexbuf(nt, ntlm.nt);
+ ret = encode_nt_key(userpw, nt_key);
+ if (ret) {
+ *errMesg = "Failed to generate NT/LM hashes\n";
+ LOG_FATAL("%s", *errMesg);
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ hexbuf(nt, nt_key);
nt[32] = '\0';
*nthash = slapi_ch_strdup(nt);
+ } else {
+ memset(nt_key, 0, 16);
}
if (is_ipant) {
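Review bot: `nt_key` and its hex copy in `nt` stay on the stack after the success path; the only `memset` in this block is the `else` branch, which initialises `nt_key` rather than scrubbing it. Both hold password-equivalent material, so clear them once the values have been copied out, after the `slapi_value_set()` use in the next hunk, with `memset(nt_key, 0, sizeof(nt_key));` and `memset(nt, 0, sizeof(nt));`; using `sizeof` also avoids repeating the literal 16. The error string in the new failure branch still reads "Failed to generate NT/LM hashes" although no LM hash is produced any more; `*errMesg = "Failed to generate NT hash\n";` matches what the code does. The enclosing function starts and ends outside this hunk.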
@@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
goto done;
}
(*ntvals)[0] = slapi_value_new();
- if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
+ if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
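Review bot: When `krbcfg->allow_nt_hash` is false, the previous hunk zeroes `nt_key`, and this `slapi_value_set()` call then stores those 16 zero bytes in `ntvals` whenever `is_ipant` is set. That keeps the buffer defined, but it puts a fixed, publicly known key value into the entry instead of no key; whether consumers treat an all-zero value as "no hash" is not visible here. If callers allow it, guard the block with `if (is_ipant && krbcfg->allow_nt_hash) {`, or document the all-zero convention in a comment next to the `else` branch. The enclosing block starts and ends outside this hunk.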
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 74b63627..b4087488 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
krb5_key_salt_tuple *pref_encsalts;
char **passsync_mgrs;
int num_passsync_mgrs;
- bool allow_lm_hash;
bool allow_nt_hash;
};
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant,
- Slapi_Value ***svals, char **nthash, char **lmhash,
+ Slapi_Value ***svals, char **nthash,
Slapi_Value ***ntvals, char **errMesg);
/* from prepost.c */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 64a9d314..ef37b5e1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -325,13 +325,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
- char *lm = NULL;
pwdop->is_krb = is_krb;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
userpw, is_krb, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (rc != LDAP_SUCCESS) {
goto done;
}
@@ -349,11 +348,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
- if (lm && is_smb) {
- /* set value */
- slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
- slapi_ch_free_string(&lm);
- }
if (nt && is_smb) {
/* set value */
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -814,11 +808,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
- char *lm = NULL;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
gen_krb_keys, is_smb, is_ipant,
- &svals, &nt, &lm, &ntvals, &errMesg);
+ &svals, &nt, &ntvals, &errMesg);
if (rc) {
goto done;
}
@@ -830,12 +823,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
- if (lm && is_smb) {
- /* replace value */
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "sambaLMPassword", lm);
- slapi_ch_free_string(&lm);
- }
if (nt && is_smb) {
/* replace value */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,