sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

dsdb: collapse wrong password and no-password-hash errors into one handler

Browse Source 
This avoids giving away too much information to an attacker.

Andrew Bartlett

Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2013-11-26 17:04:46 +13:00 committed by Stefan Metzmacher
parent 2dd71de11a
commit 3ed55210ff
1 changed files with 3 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
source4/dsdb/samdb/ldb_modules/password_hash.c
View File

@ -1895,18 +1895,7 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
/* The password modify through the NT hash is encouraged and
has no problems at all */
if (io->og.nt_hash) {
if (!io->o.nt_hash) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
"There's no old nt_hash, which is needed "
"in order to change your password!",
W_ERROR_V(WERR_INVALID_PASSWORD),
ldb_strerror(ret));
return ret;
}
if (memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) {
if (!io->o.nt_hash || memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
@ -1924,19 +1913,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
* the NT hash was already checked - otherwise it's mandatory.
* (as the SAMR operations request it). */
if (io->og.lm_hash) {
if (!io->o.lm_hash && !nt_hash_checked) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
"There's no old lm_hash, which is needed "
"in order to change your password!",
W_ERROR_V(WERR_INVALID_PASSWORD),
ldb_strerror(ret));
return ret;
}
if (io->o.lm_hash &&
memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) {
if ((!io->o.lm_hash && !nt_hash_checked)
|| (io->o.lm_hash && memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0)) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "