[Freeipa-devel] [PATCHES] 122-123 Remove generation and handling of LM hashes

Sumit Bose sbose at redhat.com
Wed Oct 30 21:44:51 UTC 2013


On Wed, Oct 30, 2013 at 02:12:23PM +0100, Martin Kosek wrote:
> On 10/30/2013 01:28 PM, Alexander Bokovoy wrote:
> > On Wed, 30 Oct 2013, Sumit Bose wrote:
> > 
> >> Hi,
> >>
> >> those two patches try to fix
> >> https://fedorahosted.org/freeipa/ticket/3795 (Remove LANMAN hash
> >> support). The first patch removes the option to enable the support, while
> >> the second removes all the related C code.
> > ACK on these patches but see below.
> 
> I have few comments on the patches:
> 
> 1) In util/ipa_pwd_ntlm.c, we can now also remove parity_table.
> 
> 2) In util/ipa_pwd_ntlm.c, in encode_ntlm_keys, upperPasswd is no longer needed
> (i.e. the UTF upper-casing calls in caller functions are not needed either). I
> am thinking we could simplify the function just to:
> 
> int encode_nt_key(char *newPasswd,
>                   uint8_t *ntHash)
> 
> i.e. it seems to me that ntlm_keys structure may not be needed now, since we
> removed one item of two in it. keys->lm is not used anywhere anyway.

I removed/changed the code as you suggested. New version attached.

> 
> >> Although the ticket is scheduled for the 3.3.x bugfix release, I'm not
> >> sure if it is a good idea to remove the support in a minor release.
> >> Since the LM hashes are not enabled by default I would expect that in
> >> setups where it is enabled the hashes are needed one way or the other.
> >> Those setups should get time to adapt.
> > We should add removal of the 'allowlmhash' from the IPA config with
> > upgrade plugin.
> 
> Not sure this is the best way. With Sumit's patches the configuration value is
> left in place, so generation of the LM hash is not stopped on servers that
> still honor it. So if someone still needs an old IPA server where these hashes
> are used, they are still generated and used there.
> 
> If you remove allowlmhash from the config, once you install a patched IPA
> replica, the value would get replicated and old IPA server would not generate
> the hashes.

We discussed this and came to the conclusion that we might want to add a
script which removes existing LM hashes and config entries from the
directory tree. This way the admin can decide, based on their environment,
when the best time to remove them is.

bye,
Sumit
> 
> Martin
From b4d725f527a50bd2b067cc6a88ef51118da1ff30 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 29 Oct 2013 11:37:03 +0100
Subject: [PATCH 122/123] Remove AllowLMhash from the allowed IPA config
 strings

Fixes https://fedorahosted.org/freeipa/ticket/3795
---
 API.txt                                     | 2 +-
 install/ui/src/freeipa/serverconfig.js      | 2 +-
 install/ui/test/data/ipa_init_commands.json | 1 -
 install/ui/test/data/ipa_init_objects.json  | 1 -
 ipalib/plugins/config.py                    | 2 +-
 5 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 40871f6a8b105a7b161df34ce4f6feaf785a6107..605f9ee30b7a945e529dc208c8e719cd04ec3a87 100644
--- a/API.txt
+++ b/API.txt
@@ -499,7 +499,7 @@ args: 0,24,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 94e1454adebc3dd6848b0251db5e3e460211084e..7dea5d1f5344d187e746333824416b85874414e3 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -69,7 +69,7 @@ return {
                             name: 'ipaconfigstring',
                             $type: 'checkboxes',
                             options: IPA.create_options([
-                                'AllowLMhash', 'AllowNThash',
+                                'AllowNThash',
                                 'KDC:Disable Last Success', 'KDC:Disable Lockout'
                             ])
                         },
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 4f28701fb1db2913a8317a9299a4cc7de73155da..207318115cc9a0d9f7cbd2c6f1bf31aae9aa8814 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2278,7 +2278,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index bef3cc65d45a8473f7fed3b67124bbc892213ca5..8550e8280a69d4eafdac5529ba39f162f3dbc9eb 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -580,7 +580,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index b9cf05016bf80cd48134cca5a50cdca7db423ca9..fbaacb7b9daafac4de49f23794b807e99aab6fc3 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -178,7 +178,7 @@ class config(LDAPObject):
             cli_name='ipaconfigstring',
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
-            values=(u'AllowLMhash', u'AllowNThash',
+            values=(u'AllowNThash',
                     u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
             csv=True,
         ),
-- 
1.8.1.4

From 27ff66e180082f0e32f88ac1ef07664ecfe4553b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 29 Oct 2013 12:19:01 +0100
Subject: [PATCH 123/123] Remove generation and handling of LM hashes

https://fedorahosted.org/freeipa/ticket/3795
---
 daemons/ipa-sam/ipa_sam.c                          |  21 +--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c   |  14 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c |  48 ++---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |   3 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c  |  17 +-
 util/ipa_pwd.h                                     |  11 +-
 util/ipa_pwd_ntlm.c                                | 210 +++++----------------
 7 files changed, 74 insertions(+), 250 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 59ddcef2e66f59297d2e42dadb5512e242f60657..674085d2a14c67359df16458dbbb098414a24d8b 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2637,10 +2637,9 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	char *name;
 	char *trustpw = NULL;
 	char *trustpw_utf8 = NULL;
-	char *trustpw_utf8_uc = NULL;
 	char *tmp_str = NULL;
 	int ret;
-	struct ntlm_keys ntlm_keys;
+	uint8_t nt_key[16];
 	size_t converted_size;
 	bool res;
 	char *sid_str;
@@ -2706,23 +2705,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		goto done;
 	}
 
-	if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
-			       &ntlm_keys);
+	ret = encode_nt_key(trustpw_utf8, nt_key);
 	if (ret != 0) {
 		res = false;
 		goto done;
 	}
 
-	if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
-		res = false;
-		goto done;
-	}
-	if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
+	if (!pdb_set_nt_passwd(user, nt_key, PDB_SET)) {
 		res = false;
 		goto done;
 	}
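Review bot: `tmp_str` looks dead after this hunk: the removed `push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, ...)` was its only consumer visible here, yet it is still declared in the first hunk and zeroed/freed at `done:`. If it was only the upper-cased source for the LM path, drop its creation and its cleanup block as well rather than keep computing another copy of the trust password for nothing. `init_sam_from_td` starts and ends outside this hunk, so confirm there is no other use before removing it.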
@@ -2741,10 +2730,6 @@ done:
 		memset(tmp_str, 0, strlen(tmp_str));
 		talloc_free(tmp_str);
 	}
-	if (trustpw_utf8_uc != NULL) {
-		memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
-		talloc_free(trustpw_utf8_uc);
-	}
 
 	return res;
 }
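Review bot: `nt_key` is left on the stack holding the trust account's NT hash when the function returns, while the cleartext copy `tmp_str` (and presumably `trustpw`/`trustpw_utf8` above the hunk) is explicitly zeroed before being freed. The NT hash is a password-equivalent credential for the trust, so it deserves the same treatment: add `memset(nt_key, 0, sizeof(nt_key));` at `done:` before `return res;`. A plain memset on a dead buffer may be elided by the compiler, but it matches the approach this function already takes for its other secrets.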
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f0339c47c5b242b436d77c4845c5914eae79814f..2538a4094bd9a166e61b0911e5ea93426092d88a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     slapi_entry_free(config_entry);
 
     /* get the ipa etc/ipaConfig entry */
-    config->allow_lm_hash = false;
     config->allow_nt_hash = false;
     ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
     if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
         tmparray = slapi_entry_attr_get_charray(config_entry,
                                                 "ipaConfigString");
         for (i = 0; tmparray && tmparray[i]; i++) {
-            if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
-                config->allow_lm_hash = true;
-                continue;
-            }
             if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
                 config->allow_nt_hash = true;
                 continue;
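Review bot: An `ipaConfigString: AllowLMhash` value still present in cn=ipaConfig is now silently skipped by this loop, so an admin who has not yet run the cleanup script discussed in the thread gets no signal that the setting stopped having any effect. A one-line log entry when the obsolete value is seen would make the migration visible, e.g. `if (strcasecmp(tmparray[i], "AllowLMhash") == 0) { LOG_FATAL("AllowLMhash is no longer supported, ignoring\n"); continue; }`, using whichever of the plugin's LOG macros fits this severity. `ipapwd_getConfig` continues outside the hunk.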
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     Slapi_Value **pwvals = NULL;
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
-    char *lm = NULL;
     char *nt = NULL;
     int is_smb = 0;
     int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     ret = ipapwd_gen_hashes(krbcfg, data,
                             data->password,
                             is_krb, is_smb, is_ipant,
-                            &svals, &nt, &lm, &ntvals, &errMesg);
+                            &svals, &nt, &ntvals, &errMesg);
     if (ret) {
         goto free_and_return;
     }
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 		}
 	}
 
-    if (lm && is_smb) {
-        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                              "sambaLMPassword", lm);
-    }
-
     if (nt && is_smb) {
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
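Review bot: On a password change for an entry with `is_smb` set, this now replaces `sambaNTPassword` but leaves any existing `sambaLMPassword` untouched, so the LM hash of the previous password stays in the entry until the cleanup script from the thread is run. If Samba on that host still accepts LM responses, the old password remains usable there after a change, which is worse than the current behaviour where the attribute was at least rewritten. Consider removing the attribute in the same modify when the entry has it (an LDAP_MOD_DELETE of `sambaLMPassword`, guarded by a presence check since deleting a missing attribute fails the whole operation), or document that the script must run before LM support can be considered gone. `ipapwd_SetPassword` starts and ends outside this hunk.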
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     LOG_TRACE("<= result: %d\n", ret);
 
 free_and_return:
-    if (lm) slapi_ch_free((void **)&lm);
     if (nt) slapi_ch_free((void **)&nt);
     if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index a92eaf0da33809e5a4b81c7f10a801e256880743..28f164eb8990ec9212df726b19e7ddc9db28fb8a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -201,15 +201,13 @@ enc_error:
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
-                      char **nthash, char **lmhash, Slapi_Value ***ntvals,
+                      char **nthash, Slapi_Value ***ntvals,
                       char **errMesg)
 {
     int rc;
-    char *userpw_uc = NULL;
 
     *svals = NULL;
     *nthash = NULL;
-    *lmhash = NULL;
     *errMesg = NULL;
 
     if (is_krb) {
@@ -225,40 +223,24 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
     }
 
     if (is_smb || is_ipant) {
-        char lm[33], nt[33];
-        struct ntlm_keys ntlm;
+        char nt[33];
+        uint8_t nt_key[16];
         int ret;
 
-        userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
-        if (!userpw_uc) {
-            *errMesg = "Failed to generate upper case password\n";
-            LOG_FATAL("%s", *errMesg);
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        ret = encode_ntlm_keys(userpw,
-                               userpw_uc,
-                               krbcfg->allow_lm_hash,
-                               krbcfg->allow_nt_hash,
-                               &ntlm);
-        memset(userpw_uc, 0, strlen(userpw_uc));
-        slapi_ch_free_string(&userpw_uc);
-        if (ret) {
-            *errMesg = "Failed to generate NT/LM hashes\n";
-            LOG_FATAL("%s", *errMesg);
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-        if (krbcfg->allow_lm_hash) {
-            hexbuf(lm, ntlm.lm);
-            lm[32] = '\0';
-            *lmhash = slapi_ch_strdup(lm);
-        }
         if (krbcfg->allow_nt_hash) {
-            hexbuf(nt, ntlm.nt);
+            ret = encode_nt_key(userpw, nt_key);
+            if (ret) {
+                *errMesg = "Failed to generate NT/LM hashes\n";
+                LOG_FATAL("%s", *errMesg);
+                rc = LDAP_OPERATIONS_ERROR;
+                goto done;
+            }
+
+            hexbuf(nt, nt_key);
             nt[32] = '\0';
             *nthash = slapi_ch_strdup(nt);
+        } else {
+            memset(nt_key, 0, 16);
         }
 
         if (is_ipant) {
@@ -269,7 +251,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                 goto done;
             }
             (*ntvals)[0] = slapi_value_new();
-            if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
+            if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
                 rc = LDAP_OPERATIONS_ERROR;
                 goto done;
             }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 74b63627689da9e519ec15d1e2020fa50ea7f75c..b4087488ccf2081aeed9aa02d1a4f0d37f4cf7f4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
     krb5_key_salt_tuple *pref_encsalts;
     char **passsync_mgrs;
     int num_passsync_mgrs;
-    bool allow_lm_hash;
     bool allow_nt_hash;
 };
 
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant,
-                      Slapi_Value ***svals, char **nthash, char **lmhash,
+                      Slapi_Value ***svals, char **nthash,
                       Slapi_Value ***ntvals, char **errMesg);
 
 /* from prepost.c */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index f5100a292adcb6db63fcad7b4780d4b2a5ab512e..fa956acebe974a2b07bb2ea6abfdd4c339b6eb47 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -329,13 +329,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         pwdop->is_krb = is_krb;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
                                userpw, is_krb, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc != LDAP_SUCCESS) {
             goto done;
         }
@@ -353,11 +352,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* set value */
-            slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* set value */
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -823,11 +817,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
                                gen_krb_keys, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc) {
             goto done;
         }
@@ -839,12 +832,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* replace value */
-            slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                                  "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* replace value */
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index a6990cac6333bf2582fb071a507001b10145df6d..bc07549cc864cc9a1ed0b58617b4624fbb9a864b 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -74,15 +74,6 @@ int ipapwd_generate_new_history(char *password,
                                 char ***new_pwd_history,
                                 int *new_pwd_hlen);
 
-struct ntlm_keys {
-    uint8_t lm[16];
-    uint8_t nt[16];
-};
-
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys);
+int encode_nt_key(char *newPasswd, uint8_t *nt_key);
 
 #endif
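Review bot: The new prototype gives no hint that `nt_key` must point to a 16-byte buffer; both callers in this series declare `uint8_t nt_key[16]` by convention and `MD4_Final` writes exactly that much. Spell it out in the declaration, `int encode_nt_key(char *newPasswd, uint8_t nt_key[16]);`, and add a comment above it along the lines of `/* NT hash (MD4 over the UCS-2LE form of the NUL-terminated UTF-8 newPasswd); writes 16 bytes to nt_key. Returns 0 on success, -1 on failure. */`.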
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index a3399b58e006e340677fa43773e6282249858062..8ffa66660cac6ca99d4c3631872f96f96fc06b12 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -32,178 +32,70 @@
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
 
-static const uint8_t parity_table[128] = {
-      1,  2,  4,  7,  8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
-     32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
-     64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
-     97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
-    128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
-    161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
-    193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
-    224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
-};
-
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
-    out[0] = parity_table[in[0]>>1];
-    out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
-    out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
-    out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
-    out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
-    out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
-    out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
-    out[7] = parity_table[in[6] & 0x7F];
-}
-
-/* create the lm and nt hashes
+/* create the nt hash
    newPassword: the clear text utf8 password
-   upperPasswd: upper case version of clear text utf8 password
-   do_lm_hash: determine if LM hash is generated
-   do_nt_hash: determine if NT hash is generated
-   keys[out]: array with generated hashes
+   nt_key[out]: array with generated hash
 */
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys)
+int encode_nt_key(char *newPasswd, uint8_t *nt_key)
 {
     int ret = 0;
+    iconv_t cd;
+    size_t cs, il, ol, sl;
+    char *inc, *outc;
+    char *ucs2Passwd;
+    MD4_CTX md4ctx;
+
+    /* TODO: must store the dos charset somewhere in the directory */
+    cd = iconv_open(KTF_UCS2, KTF_UTF8);
+    if (cd == (iconv_t)(-1)) {
+        ret = -1;
+        goto done;
+    }
 
-    /* do lanman first */
-    if (do_lm_hash) {
-        iconv_t cd;
-        size_t cs, il, ol;
-        char *inc, *outc;
-        char *asciiPasswd;
-        DES_key_schedule schedule;
-        DES_cblock deskey;
-        DES_cblock magic = "KGS!@#$%";
-
-        if (upperPasswd == NULL) {
-            ret = -1;
-            goto done;
-        }
-        il = strlen(upperPasswd);
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        /* an ascii string can only be smaller than or equal to an utf8 one */
-        ol = il;
-        if (ol < 14) ol = 14;
-        asciiPasswd = calloc(ol+1, 1);
-        if (!asciiPasswd) {
-            iconv_close(cd);
-            ret = -1;
-            goto done;
-        }
-
-        inc = upperPasswd;
-        outc = asciiPasswd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(asciiPasswd);
-            iconv_close(cd);
-            goto done;
-        }
+    il = strlen(newPasswd);
 
-        /* done with these */
+    /* an ucs2 string can be at most double than an utf8 one */
+    sl = ol = (il+1)*2;
+    ucs2Passwd = calloc(ol, 1);
+    if (!ucs2Passwd) {
+        ret = -1;
         iconv_close(cd);
-
-        /* we are interested only in the first 14 ASCII chars for lanman */
-        if (strlen(asciiPasswd) > 14) {
-            asciiPasswd[14] = '\0';
-        }
-
-        /* first half */
-        lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
-                        &schedule, DES_ENCRYPT);
-
-        /* second half */
-        lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
-                        &schedule, DES_ENCRYPT);
-
-        /* done with it */
-        free(asciiPasswd);
-
-    } else {
-        memset(keys->lm, 0, 16);
+        goto done;
     }
 
-    if (do_nt_hash) {
-        iconv_t cd;
-        size_t cs, il, ol, sl;
-        char *inc, *outc;
-        char *ucs2Passwd;
-        MD4_CTX md4ctx;
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_UCS2, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        il = strlen(newPasswd);
-
-        /* an ucs2 string can be at most double than an utf8 one */
-        sl = ol = (il+1)*2;
-        ucs2Passwd = calloc(ol, 1);
-        if (!ucs2Passwd) {
-            ret = -1;
-            iconv_close(cd);
-            goto done;
-        }
-
-        inc = newPasswd;
-        outc = ucs2Passwd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(ucs2Passwd);
-            iconv_close(cd);
-            goto done;
-        }
-
-        /* done with it */
+    inc = newPasswd;
+    outc = ucs2Passwd;
+    cs = iconv(cd, &inc, &il, &outc, &ol);
+    if (cs == -1) {
+        ret = -1;
+        free(ucs2Passwd);
         iconv_close(cd);
+        goto done;
+    }
 
-        /* get the final ucs2 string length */
-        sl -= ol;
+    /* done with it */
+    iconv_close(cd);
 
-        ret = MD4_Init(&md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Final(keys->nt, &md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
+    /* get the final ucs2 string length */
+    sl -= ol;
 
-    } else {
-        memset(keys->nt, 0, 16);
+    ret = MD4_Init(&md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Final(nt_key, &md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
     }
 
     ret = 0;
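Review bot: Within this hunk every failure path frees `ucs2Passwd`, but the success path reaches `ret = 0;` with the buffer still allocated; unless the code after the hunk releases it, the UCS-2 copy of the cleartext password leaks on every successful call (the old `do_nt_hash` block had the same shape, so this may be inherited rather than new). Either way, none of the frees clears the buffer first, whereas the callers in this series zero their cleartext copies before release. The repeated free/iconv_close pairs are easier to get right with a single exit: initialise `cd` and `ucs2Passwd` to sentinels, jump to `done:` on any failure, and zero-then-free there. `done:` and the closing brace lie beyond the end of the hunk.
```c
int encode_nt_key(char *newPasswd, uint8_t *nt_key)
{
    int ret = -1;
    iconv_t cd = (iconv_t)(-1);
    char *ucs2Passwd = NULL;
    size_t cs, il, ol, sl, bufsize;
    char *inc, *outc;
    MD4_CTX md4ctx;

    /* TODO: must store the dos charset somewhere in the directory */
    cd = iconv_open(KTF_UCS2, KTF_UTF8);
    if (cd == (iconv_t)(-1)) {
        goto done;
    }

    il = strlen(newPasswd);

    /* an ucs2 string can be at most double than an utf8 one */
    bufsize = sl = ol = (il + 1) * 2;
    ucs2Passwd = calloc(bufsize, 1);
    if (!ucs2Passwd) {
        goto done;
    }

    inc = newPasswd;
    outc = ucs2Passwd;
    cs = iconv(cd, &inc, &il, &outc, &ol);
    if (cs == (size_t)-1) {
        goto done;
    }

    /* get the final ucs2 string length */
    sl -= ol;

    if (MD4_Init(&md4ctx) == 0 ||
        MD4_Update(&md4ctx, ucs2Passwd, sl) == 0 ||
        MD4_Final(nt_key, &md4ctx) == 0) {
        goto done;
    }

    ret = 0;

done:
    if (ucs2Passwd != NULL) {
        /* cleartext password in UCS-2; scrub before releasing */
        memset(ucs2Passwd, 0, bufsize);
        free(ucs2Passwd);
    }
    if (cd != (iconv_t)(-1)) {
        iconv_close(cd);
    }
    /* … unchanged: return ret; and closing brace … */
```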
-- 
1.8.1.4


