diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-11-26 17:04:46 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2014-04-02 17:12:47 +0200 |
| commit | 3ed55210ff5301ca06ec924c5fb4b08bc8832d4b (patch) | |
| tree | 80b8e1726ea68c749f178d7e2bd27bb607de6cb3 | |
| parent | 2dd71de11ac8c5bb5b1a3a68b7971adf75d9a8d3 (diff) | |
| download | samba-3ed55210ff5301ca06ec924c5fb4b08bc8832d4b.tar.gz samba-3ed55210ff5301ca06ec924c5fb4b08bc8832d4b.tar.xz samba-3ed55210ff5301ca06ec924c5fb4b08bc8832d4b.zip | |
dsdb: collapse wrong password and no-password-hash errors into one handler
This avoids giving away too much information to an attacker.
Andrew Bartlett
Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 28 |
1 files changed, 3 insertions, 25 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index a8d3272405..a4e663ee36 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1895,18 +1895,7 @@ static int check_password_restrictions(struct setup_password_fields_io *io) /* The password modify through the NT hash is encouraged and has no problems at all */ if (io->og.nt_hash) { - if (!io->o.nt_hash) { - ret = LDB_ERR_CONSTRAINT_VIOLATION; - ldb_asprintf_errstring(ldb, - "%08X: %s - check_password_restrictions: " - "There's no old nt_hash, which is needed " - "in order to change your password!", - W_ERROR_V(WERR_INVALID_PASSWORD), - ldb_strerror(ret)); - return ret; - } - - if (memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) { + if (!io->o.nt_hash || memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) { ret = LDB_ERR_CONSTRAINT_VIOLATION; ldb_asprintf_errstring(ldb, "%08X: %s - check_password_restrictions: " @@ -1924,19 +1913,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io) * the NT hash was already checked - otherwise it's mandatory. * (as the SAMR operations request it). */ if (io->og.lm_hash) { - if (!io->o.lm_hash && !nt_hash_checked) { - ret = LDB_ERR_CONSTRAINT_VIOLATION; - ldb_asprintf_errstring(ldb, - "%08X: %s - check_password_restrictions: " - "There's no old lm_hash, which is needed " - "in order to change your password!", - W_ERROR_V(WERR_INVALID_PASSWORD), - ldb_strerror(ret)); - return ret; - } - - if (io->o.lm_hash && - memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) { + if ((!io->o.lm_hash && !nt_hash_checked) + || (io->o.lm_hash && memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0)) { ret = LDB_ERR_CONSTRAINT_VIOLATION; ldb_asprintf_errstring(ldb, "%08X: %s - check_password_restrictions: " |