author | Jeremy Allison <jra@samba.org> | 2004-08-05 19:57:41 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2004-08-05 19:57:41 +0000 |
commit | ce6a549143b8e78aa54529806871fa513b06f98a (patch) | |
tree | b56413a231a875758b3081ed6e101baabc25fe97 /source/smbd/chgpasswd.c | |
parent | 8e9ba762faa93eab3dafef042de8a65dbcde7a76 (diff) | |
r1661: Changed the password history format so that each history entry
consists of a 16 byte salt, followed by the 16 byte MD5 hash of
the concatenation of the salt plus the NThash of the historical
password. Allows these to be exposed in LDAP without security issues.
Jeremy.
Diffstat (limited to 'source/smbd/chgpasswd.c')
-rw-r--r-- | source/smbd/chgpasswd.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index a1b90c8fed4..5c1d66abc44 100644
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -941,7 +941,7 @@ static NTSTATUS check_oem_password(const char *user,
 static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
 {
 	uchar new_nt_p16[NT_HASH_LEN];
-	uchar zero_nt_pw[NT_HASH_LEN];
+	uchar zero_md5_nt_pw[SALTED_MD5_HASH_LEN];
 	const uint8 *nt_pw;
 	const uint8 *pwhistory;
 	BOOL found = False;
@@ -972,22 +972,28 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
 	}
 	dump_data(100, new_nt_p16, NT_HASH_LEN);
-	dump_data(100, pwhistory, NT_HASH_LEN*pwHisLen);
+	dump_data(100, pwhistory, PW_HISTORY_ENTRY_LEN*pwHisLen);
-	memset(zero_nt_pw, '\0', NT_HASH_LEN);
+	memset(zero_md5_nt_pw, '\0', SALTED_MD5_HASH_LEN);
 	for (i=0; i<pwHisLen; i++) {
-		if (!memcmp(&pwhistory[i*NT_HASH_LEN], zero_nt_pw, NT_HASH_LEN)) {
-			/* Ignore zero entries. */
+		uchar new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
+		const uchar *current_salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN];
+		const uchar *old_nt_pw_salted_md5_hash = &pwhistory[(i*PW_HISTORY_ENTRY_LEN)+
+							PW_HISTORY_SALT_LEN];
+		if (!memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
+			/* Ignore zero valued entries. */
 			continue;
 		}
-		if (!memcmp(&pwhistory[i*NT_HASH_LEN], new_nt_p16, NT_HASH_LEN)) {
+		/* Create salted versions of new to compare. */
+		E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash);
+
+		if (!memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
 			DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n", pdb_get_username(sampass) ));
 			found = True;
 			break;
 		}
 	}
-
 	return found;
 }
|
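Review bot: The value compared in the loop, produced by `E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash)`, is a single MD5 over a stored salt and the unsalted NT hash, so history entries published through LDAP stay cheap to dictionary-attack at close to NT-hash speed; the salt defeats precomputed tables and cross-entry correlation, not brute force, and the "without security issues" claim should be understood that narrowly. The hunk also contains no check that `pwhistory` actually holds `pwHisLen*PW_HISTORY_ENTRY_LEN` bytes; the per-entry stride grows from NT_HASH_LEN to PW_HISTORY_ENTRY_LEN here, so indexing `&pwhistory[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN]` is only in bounds if the code that stores the history and derives `pwHisLen` (outside this hunk) was switched to the same entry size. A comment above the `for` would make the layout the loop relies on explicit: `/* Each history entry is PW_HISTORY_SALT_LEN bytes of salt followed by MD5(salt || NT hash); an all-zero hash marks an unused slot. */`. check_passwd_history begins before this hunk, so the origin of `pwHisLen` and `pwhistory` is not visible here.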