|
 |
ac7d03 |
From 4504cb10cb7bf489be5ce221358b237afc1e52ca Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ac7d03 |
Date: Fri, 16 Jun 2017 16:26:41 +0200
|
|
|
ac7d03 |
Subject: [PATCH] ipa-sam: replace encode_nt_key() with E_md4hash()
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Since ipa-sam is running as part of smbd is it safe to use the
|
|
|
ac7d03 |
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
|
|
|
ac7d03 |
libraries which might depend on other rules like e.g. FIPS mode.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Resolves https://pagure.io/freeipa/issue/7026
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
ac7d03 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
daemons/ipa-sam/ipa_sam.c | 27 ++-------------------------
|
|
|
ac7d03 |
1 file changed, 2 insertions(+), 25 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
|
|
|
ac7d03 |
index 6a29e8e10b4299356b9ead76276eecc8083791a3..59d92f37c9b7104c2fba5bd530b4dbff3ca675db 100644
|
|
|
ac7d03 |
--- a/daemons/ipa-sam/ipa_sam.c
|
|
|
ac7d03 |
+++ b/daemons/ipa-sam/ipa_sam.c
|
|
|
ac7d03 |
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
|
|
|
ac7d03 |
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
|
|
|
ac7d03 |
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
|
|
|
ac7d03 |
void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
|
|
|
ac7d03 |
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
|
|
|
ac7d03 |
|
|
|
ac7d03 |
#define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
|
|
|
ac7d03 |
#define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
|
|
|
ac7d03 |
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
|
|
|
ac7d03 |
struct dom_sid *g_sid;
|
|
|
ac7d03 |
char *name;
|
|
|
ac7d03 |
char *trustpw = NULL;
|
|
|
ac7d03 |
- char *trustpw_utf8 = NULL;
|
|
|
ac7d03 |
- char *tmp_str = NULL;
|
|
|
ac7d03 |
- int ret;
|
|
|
ac7d03 |
uint8_t nt_key[16];
|
|
|
ac7d03 |
- size_t converted_size;
|
|
|
ac7d03 |
bool res;
|
|
|
ac7d03 |
char *sid_str;
|
|
|
ac7d03 |
enum idmap_error_code err;
|
|
|
ac7d03 |
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
|
|
|
ac7d03 |
return false;
|
|
|
ac7d03 |
}
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
|
|
|
ac7d03 |
- res = false;
|
|
|
ac7d03 |
- goto done;
|
|
|
ac7d03 |
- }
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
- tmp_str = talloc_strdup_upper(user, trustpw);
|
|
|
ac7d03 |
- if (tmp_str == NULL) {
|
|
|
ac7d03 |
- res = false;
|
|
|
ac7d03 |
- goto done;
|
|
|
ac7d03 |
- }
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
- ret = encode_nt_key(trustpw_utf8, nt_key);
|
|
|
ac7d03 |
- if (ret != 0) {
|
|
|
ac7d03 |
+ if (!E_md4hash(trustpw, nt_key)) {
|
|
|
ac7d03 |
res = false;
|
|
|
ac7d03 |
goto done;
|
|
|
ac7d03 |
}
|
|
|
ac7d03 |
@@ -2927,14 +2912,6 @@ done:
|
|
|
ac7d03 |
memset(trustpw, 0, strlen(trustpw));
|
|
|
ac7d03 |
talloc_free(trustpw);
|
|
|
ac7d03 |
}
|
|
|
ac7d03 |
- if (trustpw_utf8 != NULL) {
|
|
|
ac7d03 |
- memset(trustpw_utf8, 0, strlen(trustpw_utf8));
|
|
|
ac7d03 |
- talloc_free(trustpw_utf8);
|
|
|
ac7d03 |
- }
|
|
|
ac7d03 |
- if (tmp_str != NULL) {
|
|
|
ac7d03 |
- memset(tmp_str, 0, strlen(tmp_str));
|
|
|
ac7d03 |
- talloc_free(tmp_str);
|
|
|
ac7d03 |
- }
|
|
|
ac7d03 |
|
|
|
ac7d03 |
return res;
|
|
|
ac7d03 |
}
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.9.4
|
|
|
ac7d03 |
|