svn commit: samba r21359 - in branches/SAMBA_4_0/source/dsdb/repl: .
metze at samba.org
metze at samba.org
Thu Feb 15 12:40:14 GMT 2007
Author: metze
Date: 2007-02-15 12:40:13 +0000 (Thu, 15 Feb 2007)
New Revision: 21359
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21359
Log:
remove the rid encryption before storing the password hashes
We decided to store them plain in our ldb
metze
Modified:
branches/SAMBA_4_0/source/dsdb/repl/replicated_objects.c
Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/repl/replicated_objects.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/repl/replicated_objects.c 2007-02-15 12:10:57 UTC (rev 21358)
+++ branches/SAMBA_4_0/source/dsdb/repl/replicated_objects.c 2007-02-15 12:40:13 UTC (rev 21359)
@@ -28,9 +28,12 @@
#include "librpc/gen_ndr/ndr_drsuapi.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "lib/crypto/crypto.h"
+#include "libcli/auth/libcli_auth.h"
static WERROR dsdb_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
const DATA_BLOB *gensec_skey,
+ bool rid_crypt,
+ uint32_t rid,
DATA_BLOB *in,
DATA_BLOB *out)
{
@@ -49,6 +52,13 @@
DATA_BLOB plain_buffer;
+ /*
+ * users with rid == 0 should not exist
+ */
+ if (rid_crypt && rid == 0) {
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
/*
* the first 16 bytes at the beginning are the confounder
* followed by the 4 byte crc32 checksum
@@ -90,12 +100,21 @@
}
checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
- if (checked_buffer.length) {
- plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
- memset(checked_buffer.data, 0x00, checked_buffer.length);
- W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
- } else {
- plain_buffer = data_blob_const(NULL, 0);
+ plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
+ W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
+
+ if (rid_crypt) {
+ uint32_t i, num_hashes;
+
+ if ((checked_buffer.length % 16) != 0) {
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ num_hashes = plain_buffer.length / 16;
+ for (i = 0; i < num_hashes; i++) {
+ uint32_t offset = i * 16;
+ sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
+ }
}
*out = plain_buffer;
@@ -103,12 +122,14 @@
}
static WERROR dsdb_decrypt_attribute(const DATA_BLOB *gensec_skey,
+ uint32_t rid,
struct drsuapi_DsReplicaAttribute *attr)
{
WERROR status;
TALLOC_CTX *mem_ctx;
DATA_BLOB *enc_data;
DATA_BLOB plain_data;
+ bool rid_crypt = false;
if (attr->value_ctr.num_values == 0) {
return WERR_OK;
@@ -119,6 +140,8 @@
case DRSUAPI_ATTRIBUTE_unicodePwd:
case DRSUAPI_ATTRIBUTE_ntPwdHistory:
case DRSUAPI_ATTRIBUTE_lmPwdHistory:
+ rid_crypt = true;
+ break;
case DRSUAPI_ATTRIBUTE_supplementalCredentials:
case DRSUAPI_ATTRIBUTE_priorValue:
case DRSUAPI_ATTRIBUTE_currentValue:
@@ -144,6 +167,8 @@
status = dsdb_decrypt_attribute_value(mem_ctx,
gensec_skey,
+ rid_crypt,
+ rid,
enc_data,
&plain_data);
W_ERROR_NOT_OK_RETURN(status);
@@ -178,6 +203,8 @@
struct drsuapi_DsReplicaAttribute *name_a = NULL;
struct drsuapi_DsReplicaMetaData *name_d = NULL;
struct replPropertyMetaData1 *rdn_m = NULL;
+ struct dom_sid *sid = NULL;
+ uint32_t rid = 0;
int ret;
if (!in->object.identifier) {
@@ -196,6 +223,11 @@
return WERR_FOOBAR;
}
+ sid = &in->object.identifier->sid;
+ if (sid->num_auths > 0) {
+ rid = sid->sub_auths[sid->num_auths - 1];
+ }
+
msg = ldb_msg_new(mem_ctx);
W_ERROR_HAVE_NO_MEMORY(msg);
@@ -238,7 +270,7 @@
m = &md->ctr.ctr1.array[i];
e = &msg->elements[i];
- status = dsdb_decrypt_attribute(gensec_skey, a);
+ status = dsdb_decrypt_attribute(gensec_skey, rid, a);
W_ERROR_NOT_OK_RETURN(status);
status = dsdb_attribute_drsuapi_to_ldb(schema, a, msg->elements, e);
More information about the samba-cvs
mailing list