Remove generation and handling of LM hashes

https://fedorahosted.org/freeipa/ticket/3795
Sumit Bose
2013-10-29 12:19:01 +01:00
committed by Martin Kosek
parent b5e60c2020
commit d876a22732
7 changed files with 75 additions and 251 deletions


@@ -2637,10 +2637,9 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
char *name;
char *trustpw = NULL;
char *trustpw_utf8 = NULL;
char *trustpw_utf8_uc = NULL;
char *tmp_str = NULL;
int ret;
struct ntlm_keys ntlm_keys;
uint8_t nt_key[16];
size_t converted_size;
bool res;
char *sid_str;
@@ -2706,23 +2705,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
goto done;
}
if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
res = false;
goto done;
}
ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
&ntlm_keys);
ret = encode_nt_key(trustpw_utf8, nt_key);
if (ret != 0) {
res = false;
goto done;
}
if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
res = false;
goto done;
}
if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
if (!pdb_set_nt_passwd(user, nt_key, PDB_SET)) {
res = false;
goto done;
}
@@ -2741,10 +2730,6 @@ done:
memset(tmp_str, 0, strlen(tmp_str));
talloc_free(tmp_str);
}
if (trustpw_utf8_uc != NULL) {
memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
talloc_free(trustpw_utf8_uc);
}
return res;
}
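Review bot: `nt_key` in init_sam_from_td receives the NT hash of the trust password from `encode_nt_key()`, and nothing in the visible part of the `done:` path clears it; only `tmp_str` is wiped there. The NT hash is by itself sufficient for NTLM authentication, so it deserves the same treatment as the cleartext copies: add `memset(nt_key, 0, sizeof(nt_key));` under `done:`, preferably through a wipe primitive the compiler cannot elide, since a plain memset on a dead stack buffer may be optimised out. The function starts before the first hunk and parts of it lie between the hunks, so confirm no cleanup outside the visible lines already covers it.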


@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
slapi_entry_free(config_entry);
/* get the ipa etc/ipaConfig entry */
config->allow_lm_hash = false;
config->allow_nt_hash = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
for (i = 0; tmparray && tmparray[i]; i++) {
if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
config->allow_lm_hash = true;
continue;
}
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **pwvals = NULL;
struct tm utctime;
char timestr[GENERALIZED_TIME_LENGTH+1];
char *lm = NULL;
char *nt = NULL;
int is_smb = 0;
int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
ret = ipapwd_gen_hashes(krbcfg, data,
data->password,
is_krb, is_smb, is_ipant,
&svals, &nt, &lm, &ntvals, &errMesg);
&svals, &nt, &ntvals, &errMesg);
if (ret) {
goto free_and_return;
}
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
}
}
if (lm && is_smb) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaLMPassword", lm);
}
if (nt && is_smb) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
LOG_TRACE("<= result: %d\n", ret);
free_and_return:
if (lm) slapi_ch_free((void **)&lm);
if (nt) slapi_ch_free((void **)&nt);
if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
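Review bot: ipapwd_SetPassword no longer adds a mod for `sambaLMPassword`, so an entry that already carries an LM hash from before this change keeps it across a password change, as a hash of an earlier password that is never replaced or removed. Unless an upgrade step deletes the attribute elsewhere (not visible here), the password-change path should clear it, for example `if (is_smb) slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE, "sambaLMPassword", NULL);` next to the `sambaNTPassword` replace. The same applies to the `sambaLMPassword` block removed from ipapwd_pre_mod. Separately, an `AllowLMhash` value in `ipaConfigString` is now ignored without any log line; a warning in ipapwd_getConfig would tell administrators the setting no longer has an effect.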


@@ -201,15 +201,13 @@ enc_error:
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
char **nthash, char **lmhash, Slapi_Value ***ntvals,
char **nthash, Slapi_Value ***ntvals,
char **errMesg)
{
int rc;
char *userpw_uc = NULL;
*svals = NULL;
*nthash = NULL;
*lmhash = NULL;
*errMesg = NULL;
if (is_krb) {
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
}
if (is_smb || is_ipant) {
char lm[33], nt[33];
struct ntlm_keys ntlm;
char nt[33];
uint8_t nt_key[16];
int ret;
userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
if (!userpw_uc) {
*errMesg = "Failed to generate upper case password\n";
LOG_FATAL("%s", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = encode_ntlm_keys(userpw,
userpw_uc,
krbcfg->allow_lm_hash,
krbcfg->allow_nt_hash,
&ntlm);
memset(userpw_uc, 0, strlen(userpw_uc));
slapi_ch_free_string(&userpw_uc);
if (ret) {
*errMesg = "Failed to generate NT/LM hashes\n";
LOG_FATAL("%s", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if (krbcfg->allow_lm_hash) {
hexbuf(lm, ntlm.lm);
lm[32] = '\0';
*lmhash = slapi_ch_strdup(lm);
}
if (krbcfg->allow_nt_hash) {
hexbuf(nt, ntlm.nt);
ret = encode_nt_key(userpw, nt_key);
if (ret) {
*errMesg = "Failed to generate NT/LM hashes\n";
LOG_FATAL("%s", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
hexbuf(nt, nt_key);
nt[32] = '\0';
*nthash = slapi_ch_strdup(nt);
} else {
memset(nt_key, 0, 16);
}
if (is_ipant) {
@@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
goto done;
}
(*ntvals)[0] = slapi_value_new();
if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
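Review bot: In ipapwd_gen_hashes the new `else` branch zero-fills `nt_key`, and the `is_ipant` block further down still passes it to `slapi_value_set((*ntvals)[0], nt_key, 16)`, so with `allow_nt_hash` off an all-zero 16-byte value appears to be stored as the NT hash. Guarding that block with `if (is_ipant && krbcfg->allow_nt_hash)` would leave `*ntvals` untouched instead; check that callers accept that, since a few lines between the hunks are not shown. `nt` and `nt_key` also stay on the stack after use and should be cleared before the block exits. The error text `"Failed to generate NT/LM hashes\n"` could now read `"Failed to generate NT hash\n"`.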


@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
krb5_key_salt_tuple *pref_encsalts;
char **passsync_mgrs;
int num_passsync_mgrs;
bool allow_lm_hash;
bool allow_nt_hash;
};
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant,
Slapi_Value ***svals, char **nthash, char **lmhash,
Slapi_Value ***svals, char **nthash,
Slapi_Value ***ntvals, char **errMesg);
/* from prepost.c */


@@ -325,13 +325,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
char *lm = NULL;
pwdop->is_krb = is_krb;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
userpw, is_krb, is_smb, is_ipant,
&svals, &nt, &lm, &ntvals, &errMesg);
&svals, &nt, &ntvals, &errMesg);
if (rc != LDAP_SUCCESS) {
goto done;
}
@@ -349,11 +348,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
if (lm && is_smb) {
/* set value */
slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
slapi_ch_free_string(&lm);
}
if (nt && is_smb) {
/* set value */
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -814,11 +808,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
char *nt = NULL;
char *lm = NULL;
rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
gen_krb_keys, is_smb, is_ipant,
&svals, &nt, &lm, &ntvals, &errMesg);
&svals, &nt, &ntvals, &errMesg);
if (rc) {
goto done;
}
@@ -830,12 +823,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
ipapwd_free_slapi_value_array(&svals);
}
if (lm && is_smb) {
/* replace value */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaLMPassword", lm);
slapi_ch_free_string(&lm);
}
if (nt && is_smb) {
/* replace value */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,