|           Line data    Source code 
       1             : /* 
       2             :    ldb database module
       3             : 
       4             :    Copyright (C) Simo Sorce  2004-2008
       5             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
       6             :    Copyright (C) Andrew Tridgell 2004
       7             :    Copyright (C) Stefan Metzmacher 2007-2010
       8             :    Copyright (C) Matthias Dieter Wallnöfer 2009-2010
       9             : 
      10             :    This program is free software; you can redistribute it and/or modify
      11             :    it under the terms of the GNU General Public License as published by
      12             :    the Free Software Foundation; either version 3 of the License, or
      13             :    (at your option) any later version.
      14             :    
      15             :    This program is distributed in the hope that it will be useful,
      16             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      17             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      18             :    GNU General Public License for more details.
      19             :    
      20             :    You should have received a copy of the GNU General Public License
      21             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      22             : */
      23             : 
      24             : /*
      25             :  *  Name: ldb
      26             :  *
      27             :  *  Component: ldb password_hash module
      28             :  *
      29             :  *  Description: correctly handle AD password changes fields
      30             :  *
      31             :  *  Author: Andrew Bartlett
      32             :  *  Author: Stefan Metzmacher
      33             :  */
      34             : 
      35             : #include "includes.h"
      36             : #include "ldb_module.h"
      37             : #include "libcli/auth/libcli_auth.h"
      38             : #include "libcli/security/dom_sid.h"
      39             : #include "system/kerberos.h"
      40             : #include "auth/kerberos/kerberos.h"
      41             : #include "dsdb/samdb/samdb.h"
      42             : #include "dsdb/samdb/ldb_modules/util.h"
      43             : #include "dsdb/samdb/ldb_modules/password_modules.h"
      44             : #include "librpc/gen_ndr/ndr_drsblobs.h"
      45             : #include "lib/crypto/md4.h"
      46             : #include "param/param.h"
      47             : #include "lib/krb5_wrap/krb5_samba.h"
      48             : #include "auth/auth_sam.h"
      49             : #include "auth/common_auth.h"
      50             : #include "lib/messaging/messaging.h"
      51             : #include "lib/param/loadparm.h"
      52             : 
      53             : #include "lib/crypto/gnutls_helpers.h"
      54             : #include <gnutls/crypto.h>
      55             : 
      56             : #include "kdc/db-glue.h"
      57             : 
      58             : #ifdef ENABLE_GPGME
      59             : #undef class
      60             : #include <gpgme.h>
      61             : 
      62             : /*
      63             :  * 1.2.0 is what dpkg-shlibdeps generates, based on used symbols and
      64             :  * libgpgme11.symbols
      65             :  * https://salsa.debian.org/debian/gpgme/blob/debian/master/debian/libgpgme11.symbols
      66             :  */
      67             : 
      68             : #define MINIMUM_GPGME_VERSION "1.2.0"
      69             : #endif
      70             : 
      71             : #undef strncasecmp
      72             : #undef strcasecmp
      73             : 
      74             : /* If we have decided there is a reason to work on this request, then
      75             :  * setup all the password hash types correctly.
      76             :  *
      77             :  * If we haven't the hashes yet but the password given as plain-text (attributes
      78             :  * 'unicodePwd', 'userPassword' and 'clearTextPassword') we have to check for
      79             :  * the constraints. Once this is done, we calculate the password hashes.
      80             :  *
      81             :  * Notice: unlike the real AD which only supports the UTF16 special based
      82             :  * 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
      83             :  * understand also a UTF16 based 'clearTextPassword' one.
      84             :  * The latter is also accessible through LDAP so it can also be set by external
      85             :  * tools and scripts. But be aware that this isn't portable on non SAMBA 4 ADs!
      86             :  *
      87             :  * Also when the module receives only the password hashes (possible through
      88             :  * specifying an internal LDB control - for security reasons) some checks are
      89             :  * performed depending on the operation mode (see below) (e.g. if the password
      90             :  * has been in use before if the password memory policy was activated).
      91             :  *
      92             :  * Attention: There is a difference between "modify" and "reset" operations
      93             :  * (see MS-ADTS 3.1.1.3.1.5). If the client sends a "add" and "remove"
      94             :  * operation for a password attribute we thread this as a "modify"; if it sends
      95             :  * only a "replace" one we have an (administrative) reset.
      96             :  *
      97             :  * Finally, if the administrator has requested that a password history
      98             :  * be maintained, then this should also be written out.
      99             :  *
     100             :  */
     101             : 
     102             : /* TODO: [consider always MS-ADTS 3.1.1.3.1.5]
     103             :  * - Check for right connection encryption
     104             :  */
     105             : 
     106             : /* Notice: Definition of "dsdb_control_password_change_status" moved into
     107             :  * "samdb.h" */
     108             : 
     109             : struct ph_context {
     110             :         struct ldb_module *module;
     111             :         struct ldb_request *req;
     112             : 
     113             :         struct ldb_request *dom_req;
     114             :         struct ldb_reply *dom_res;
     115             : 
     116             :         struct ldb_reply *pso_res;
     117             : 
     118             :         struct ldb_reply *search_res;
     119             : 
     120             :         struct ldb_message *update_msg;
     121             : 
     122             :         struct dsdb_control_password_change_status *status;
     123             :         struct dsdb_control_password_change *change;
     124             : 
     125             :         const char **gpg_key_ids;
     126             : 
     127             :         bool pwd_reset;
     128             :         bool change_status;
     129             :         bool hash_values;
     130             :         bool userPassword;
     131             :         bool update_password;
     132             :         bool update_lastset;
     133             :         bool pwd_last_set_bypass;
     134             :         bool pwd_last_set_default;
     135             :         bool smartcard_reset;
     136             :         const char **userPassword_schemes;
     137             : };
     138             : 
     139             : 
     140             : struct setup_password_fields_io {
     141             :         struct ph_context *ac;
     142             : 
     143             :         struct smb_krb5_context *smb_krb5_context;
     144             : 
     145             :         /* info about the user account */
     146             :         struct {
     147             :                 uint32_t userAccountControl;
     148             :                 NTTIME pwdLastSet;
     149             :                 const char *sAMAccountName;
     150             :                 const char *user_principal_name;
     151             :                 const char *displayName; /* full name */
     152             :                 bool is_krbtgt;
     153             :                 uint32_t restrictions;
     154             :                 struct dom_sid *account_sid;
     155             :                 bool store_nt_hash;
     156             :         } u;
     157             : 
     158             :         /* new credentials and old given credentials */
     159             :         struct setup_password_fields_given {
     160             :                 const struct ldb_val *cleartext_utf8;
     161             :                 const struct ldb_val *cleartext_utf16;
     162             : 
     163             :                 struct samr_Password *nt_hash;
     164             : 
     165             :                 /*
     166             :                  * The AES256 kerberos key to confirm the previous password was
     167             :                  * not reused (for n) and to prove the old password was known
     168             :                  * (for og).
     169             :                  *
     170             :                  * We don't have any old salts, so we won't catch password reuse
     171             :                  * if said password was used prior to an account rename and
     172             :                  * another password change.
     173             :                  */
     174             :                 DATA_BLOB aes_256;
     175             :         } n, og;
     176             : 
     177             :         /* old credentials */
     178             :         struct {
     179             :                 struct samr_Password *nt_hash;
     180             :                 uint32_t nt_history_len;
     181             :                 struct samr_Password *nt_history;
     182             :                 const struct ldb_val *supplemental;
     183             :                 struct supplementalCredentialsBlob scb;
     184             : 
     185             :                 /*
     186             :                  * The AES256 kerberos key as stored in the DB.
     187             :                  * Used to confirm the given password was correct
     188             :                  * and in case the previous password was reused.
     189             :                  */
     190             :                 DATA_BLOB aes_256;
     191             :                 DATA_BLOB salt;
     192             :                 uint32_t kvno;
     193             :         } o;
     194             : 
     195             :         /* generated credentials */
     196             :         struct {
     197             :                 struct samr_Password *nt_hash;
     198             :                 uint32_t nt_history_len;
     199             :                 struct samr_Password *nt_history;
     200             :                 const char *salt;
     201             :                 DATA_BLOB aes_256;
     202             :                 DATA_BLOB aes_128;
     203             :                 DATA_BLOB des_md5;
     204             :                 DATA_BLOB des_crc;
     205             :                 struct ldb_val supplemental;
     206             :                 NTTIME last_set;
     207             :         } g;
     208             : };
     209             : 
     210             : static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
     211             :                                         const char *name,
     212             :                                         enum ldb_request_type operation,
     213             :                                         const struct ldb_val **new_val,
     214             :                                         const struct ldb_val **old_val);
     215             : 
     216           2 : static int password_hash_bypass(struct ldb_module *module, struct ldb_request *request)
     217             : {
     218           2 :         struct ldb_context *ldb = ldb_module_get_ctx(module);
     219             :         const struct ldb_message *msg;
     220             :         struct ldb_message_element *nte;
     221             :         struct ldb_message_element *lme;
     222             :         struct ldb_message_element *nthe;
     223             :         struct ldb_message_element *lmhe;
     224             :         struct ldb_message_element *sce;
     225             :         int ret;
     226             : 
     227           2 :         switch (request->operation) {
     228           0 :         case LDB_ADD:
     229           0 :                 msg = request->op.add.message;
     230           0 :                 break;
     231           2 :         case LDB_MODIFY:
     232           2 :                 msg = request->op.mod.message;
     233           2 :                 break;
     234           0 :         default:
     235           0 :                 return ldb_next_request(module, request);
     236             :         }
     237             : 
     238             :         /* nobody must touch password histories and 'supplementalCredentials' */
     239             : 
     240             : #define GET_VALUES(el, attr) do {  \
     241             :         ret = dsdb_get_expected_new_values(request,             \
     242             :                                            msg,                 \
     243             :                                            attr,                \
     244             :                                            &el,                     \
     245             :                                            request->operation);      \
     246             :                                                                 \
     247             :         if (ret != LDB_SUCCESS) {                               \
     248             :                 return ret;                                     \
     249             :         }                                                       \
     250             : } while(0)
     251             : 
     252           2 :         GET_VALUES(nte, "unicodePwd");
     253             : 
     254             :         /*
     255             :          * Even as Samba contiuues to ignore the LM hash, and reset it
     256             :          * when practical, we keep the constraint that it must be a 16
     257             :          * byte value if specified.
     258             :          */
     259           2 :         GET_VALUES(lme, "dBCSPwd");
     260           2 :         GET_VALUES(nthe, "ntPwdHistory");
     261           2 :         GET_VALUES(lmhe, "lmPwdHistory");
     262           2 :         GET_VALUES(sce, "supplementalCredentials");
     263             : 
     264             : #undef GET_VALUES
     265             : #define CHECK_HASH_ELEMENT(e, min, max) do {\
     266             :         if (e && e->num_values) { \
     267             :                 unsigned int _count; \
     268             :                 if (e->num_values != 1) { \
     269             :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
     270             :                                          "num_values != 1"); \
     271             :                 } \
     272             :                 if ((e->values[0].length % 16) != 0) { \
     273             :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
     274             :                                          "length % 16 != 0"); \
     275             :                 } \
     276             :                 _count = e->values[0].length / 16; \
     277             :                 if (_count < min) { \
     278             :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
     279             :                                          "count < min"); \
     280             :                 } \
     281             :                 if (_count > max) { \
     282             :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
     283             :                                          "count > max"); \
     284             :                 } \
     285             :         } \
     286             : } while (0)
     287             : 
     288           2 :         CHECK_HASH_ELEMENT(nte, 1, 1);
     289           2 :         CHECK_HASH_ELEMENT(lme, 1, 1);
     290           2 :         CHECK_HASH_ELEMENT(nthe, 1, INT32_MAX);
     291           2 :         CHECK_HASH_ELEMENT(lmhe, 1, INT32_MAX);
     292             : 
     293           2 :         if (sce && sce->num_values) {
     294             :                 enum ndr_err_code ndr_err;
     295             :                 struct supplementalCredentialsBlob *scb;
     296           0 :                 struct supplementalCredentialsPackage *scpp = NULL;
     297           0 :                 struct supplementalCredentialsPackage *scpk = NULL;
     298           0 :                 struct supplementalCredentialsPackage *scpkn = NULL;
     299           0 :                 struct supplementalCredentialsPackage *scpct = NULL;
     300           0 :                 DATA_BLOB scpbp = data_blob_null;
     301           0 :                 DATA_BLOB scpbk = data_blob_null;
     302           0 :                 DATA_BLOB scpbkn = data_blob_null;
     303           0 :                 DATA_BLOB scpbct = data_blob_null;
     304             :                 DATA_BLOB blob;
     305             :                 uint32_t i;
     306             : 
     307           0 :                 if (sce->num_values != 1) {
     308           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     309             :                                          "num_values != 1");
     310             :                 }
     311             : 
     312           0 :                 scb = talloc_zero(request, struct supplementalCredentialsBlob);
     313           0 :                 if (!scb) {
     314           0 :                         return ldb_module_oom(module);
     315             :                 }
     316             : 
     317           0 :                 ndr_err = ndr_pull_struct_blob_all(&sce->values[0], scb, scb,
     318             :                                 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
     319           0 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     320           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     321             :                                          "ndr_pull_struct_blob_all");
     322             :                 }
     323             : 
     324           0 :                 if (scb->sub.num_packages < 2) {
     325           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     326             :                                          "num_packages < 2");
     327             :                 }
     328             : 
     329           0 :                 for (i=0; i < scb->sub.num_packages; i++) {
     330             :                         DATA_BLOB subblob;
     331             : 
     332           0 :                         subblob = strhex_to_data_blob(scb, scb->sub.packages[i].data);
     333           0 :                         if (subblob.data == NULL) {
     334           0 :                                 return ldb_module_oom(module);
     335             :                         }
     336             : 
     337           0 :                         if (strcmp(scb->sub.packages[i].name, "Packages") == 0) {
     338           0 :                                 if (scpp) {
     339           0 :                                         return ldb_error(ldb,
     340             :                                                          LDB_ERR_CONSTRAINT_VIOLATION,
     341             :                                                          "Packages twice");
     342             :                                 }
     343           0 :                                 scpp = &scb->sub.packages[i];
     344           0 :                                 scpbp = subblob;
     345           0 :                                 continue;
     346             :                         }
     347           0 :                         if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos") == 0) {
     348           0 :                                 if (scpk) {
     349           0 :                                         return ldb_error(ldb,
     350             :                                                          LDB_ERR_CONSTRAINT_VIOLATION,
     351             :                                                          "Primary:Kerberos twice");
     352             :                                 }
     353           0 :                                 scpk = &scb->sub.packages[i];
     354           0 :                                 scpbk = subblob;
     355           0 :                                 continue;
     356             :                         }
     357           0 :                         if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos-Newer-Keys") == 0) {
     358           0 :                                 if (scpkn) {
     359           0 :                                         return ldb_error(ldb,
     360             :                                                          LDB_ERR_CONSTRAINT_VIOLATION,
     361             :                                                          "Primary:Kerberos-Newer-Keys twice");
     362             :                                 }
     363           0 :                                 scpkn = &scb->sub.packages[i];
     364           0 :                                 scpbkn = subblob;
     365           0 :                                 continue;
     366             :                         }
     367           0 :                         if (strcmp(scb->sub.packages[i].name, "Primary:CLEARTEXT") == 0) {
     368           0 :                                 if (scpct) {
     369           0 :                                         return ldb_error(ldb,
     370             :                                                          LDB_ERR_CONSTRAINT_VIOLATION,
     371             :                                                          "Primary:CLEARTEXT twice");
     372             :                                 }
     373           0 :                                 scpct = &scb->sub.packages[i];
     374           0 :                                 scpbct = subblob;
     375           0 :                                 continue;
     376             :                         }
     377             : 
     378           0 :                         data_blob_free(&subblob);
     379             :                 }
     380             : 
     381           0 :                 if (scpp == NULL) {
     382           0 :                         return ldb_error(ldb,
     383             :                                          LDB_ERR_CONSTRAINT_VIOLATION,
     384             :                                          "Primary:Packages missing");
     385             :                 }
     386             : 
     387           0 :                 if (scpk == NULL) {
     388             :                         /*
     389             :                          * If Primary:Kerberos is missing w2k8r2 reboots
     390             :                          * when a password is changed.
     391             :                          */
     392           0 :                         return ldb_error(ldb,
     393             :                                          LDB_ERR_CONSTRAINT_VIOLATION,
     394             :                                          "Primary:Kerberos missing");
     395             :                 }
     396             : 
     397           0 :                 if (scpp) {
     398             :                         struct package_PackagesBlob *p;
     399             :                         uint32_t n;
     400             : 
     401           0 :                         p = talloc_zero(scb, struct package_PackagesBlob);
     402           0 :                         if (p == NULL) {
     403           0 :                                 return ldb_module_oom(module);
     404             :                         }
     405             : 
     406           0 :                         ndr_err = ndr_pull_struct_blob(&scpbp, p, p,
     407             :                                         (ndr_pull_flags_fn_t)ndr_pull_package_PackagesBlob);
     408           0 :                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     409           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     410             :                                                  "ndr_pull_struct_blob Packages");
     411             :                         }
     412             : 
     413           0 :                         if (p->names == NULL) {
     414           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     415             :                                                  "Packages names == NULL");
     416             :                         }
     417             : 
     418           0 :                         for (n = 0; p->names[n]; n++) {
     419             :                                 /* noop */
     420             :                         }
     421             : 
     422           0 :                         if (scb->sub.num_packages != (n + 1)) {
     423           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     424             :                                                  "Packages num_packages != num_names + 1");
     425             :                         }
     426             : 
     427           0 :                         talloc_free(p);
     428             :                 }
     429             : 
     430           0 :                 if (scpk) {
     431             :                         struct package_PrimaryKerberosBlob *k;
     432             : 
     433           0 :                         k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
     434           0 :                         if (k == NULL) {
     435           0 :                                 return ldb_module_oom(module);
     436             :                         }
     437             : 
     438           0 :                         ndr_err = ndr_pull_struct_blob(&scpbk, k, k,
     439             :                                         (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
     440           0 :                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     441           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     442             :                                                  "ndr_pull_struct_blob PrimaryKerberos");
     443             :                         }
     444             : 
     445           0 :                         if (k->version != 3) {
     446           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     447             :                                                  "PrimaryKerberos version != 3");
     448             :                         }
     449             : 
     450           0 :                         if (k->ctr.ctr3.salt.string == NULL) {
     451           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     452             :                                                  "PrimaryKerberos salt == NULL");
     453             :                         }
     454             : 
     455           0 :                         if (strlen(k->ctr.ctr3.salt.string) == 0) {
     456           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     457             :                                                  "PrimaryKerberos strlen(salt) == 0");
     458             :                         }
     459             : 
     460           0 :                         if (k->ctr.ctr3.num_keys != 2) {
     461           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     462             :                                                  "PrimaryKerberos num_keys != 2");
     463             :                         }
     464             : 
     465           0 :                         if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) {
     466           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     467             :                                                  "PrimaryKerberos num_old_keys > num_keys");
     468             :                         }
     469             : 
     470           0 :                         if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {
     471           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     472             :                                                  "PrimaryKerberos key[0] != DES_CBC_MD5");
     473             :                         }
     474           0 :                         if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) {
     475           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     476             :                                                  "PrimaryKerberos key[1] != DES_CBC_CRC");
     477             :                         }
     478             : 
     479           0 :                         if (k->ctr.ctr3.keys[0].value_len != 8) {
     480           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     481             :                                                  "PrimaryKerberos key[0] value_len != 8");
     482             :                         }
     483           0 :                         if (k->ctr.ctr3.keys[1].value_len != 8) {
     484           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     485             :                                                  "PrimaryKerberos key[1] value_len != 8");
     486             :                         }
     487             : 
     488           0 :                         for (i = 0; i < k->ctr.ctr3.num_old_keys; i++) {
     489           0 :                                 if (k->ctr.ctr3.old_keys[i].keytype ==
     490           0 :                                     k->ctr.ctr3.keys[i].keytype &&
     491           0 :                                     k->ctr.ctr3.old_keys[i].value_len ==
     492           0 :                                     k->ctr.ctr3.keys[i].value_len) {
     493           0 :                                         continue;
     494             :                                 }
     495             : 
     496           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     497             :                                                  "PrimaryKerberos old_keys type/value_len doesn't match");
     498             :                         }
     499             : 
     500           0 :                         talloc_free(k);
     501             :                 }
     502             : 
     503           0 :                 if (scpkn) {
     504             :                         struct package_PrimaryKerberosBlob *k;
     505             : 
     506           0 :                         k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
     507           0 :                         if (k == NULL) {
     508           0 :                                 return ldb_module_oom(module);
     509             :                         }
     510             : 
     511           0 :                         ndr_err = ndr_pull_struct_blob(&scpbkn, k, k,
     512             :                                         (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
     513           0 :                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     514           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     515             :                                                  "ndr_pull_struct_blob PrimaryKerberosNeverKeys");
     516             :                         }
     517             : 
     518           0 :                         if (k->version != 4) {
     519           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     520             :                                                  "KerberosNerverKeys version != 4");
     521             :                         }
     522             : 
     523           0 :                         if (k->ctr.ctr4.salt.string == NULL) {
     524           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     525             :                                                  "KerberosNewerKeys salt == NULL");
     526             :                         }
     527             : 
     528           0 :                         if (strlen(k->ctr.ctr4.salt.string) == 0) {
     529           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     530             :                                                  "KerberosNewerKeys strlen(salt) == 0");
     531             :                         }
     532             : 
     533           0 :                         if (k->ctr.ctr4.num_keys != 4) {
     534           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     535             :                                                  "KerberosNewerKeys num_keys != 2");
     536             :                         }
     537             : 
     538           0 :                         if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) {
     539           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     540             :                                                  "KerberosNewerKeys num_old_keys > num_keys");
     541             :                         }
     542             : 
     543           0 :                         if (k->ctr.ctr4.num_older_keys > k->ctr.ctr4.num_old_keys) {
     544           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     545             :                                                  "KerberosNewerKeys num_older_keys > num_old_keys");
     546             :                         }
     547             : 
     548           0 :                         if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
     549           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     550             :                                                  "KerberosNewerKeys key[0] != AES256");
     551             :                         }
     552           0 :                         if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
     553           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     554             :                                                  "KerberosNewerKeys key[1] != AES128");
     555             :                         }
     556           0 :                         if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {
     557           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     558             :                                                  "KerberosNewerKeys key[2] != DES_CBC_MD5");
     559             :                         }
     560           0 :                         if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) {
     561           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     562             :                                                  "KerberosNewerKeys key[3] != DES_CBC_CRC");
     563             :                         }
     564             : 
     565           0 :                         if (k->ctr.ctr4.keys[0].value_len != 32) {
     566           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     567             :                                                  "KerberosNewerKeys key[0] value_len != 32");
     568             :                         }
     569           0 :                         if (k->ctr.ctr4.keys[1].value_len != 16) {
     570           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     571             :                                                  "KerberosNewerKeys key[1] value_len != 16");
     572             :                         }
     573           0 :                         if (k->ctr.ctr4.keys[2].value_len != 8) {
     574           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     575             :                                                  "KerberosNewerKeys key[2] value_len != 8");
     576             :                         }
     577           0 :                         if (k->ctr.ctr4.keys[3].value_len != 8) {
     578           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     579             :                                                  "KerberosNewerKeys key[3] value_len != 8");
     580             :                         }
     581             : 
     582             :                         /*
     583             :                          * TODO:
     584             :                          * Maybe we can check old and older keys here.
     585             :                          * But we need to do some tests, if the old keys
     586             :                          * can be taken from the PrimaryKerberos blob
     587             :                          * (with only des keys), when the domain was upgraded
     588             :                          * from w2k3 to w2k8.
     589             :                          */
     590             : 
     591           0 :                         talloc_free(k);
     592             :                 }
     593             : 
     594           0 :                 if (scpct) {
     595             :                         struct package_PrimaryCLEARTEXTBlob *ct;
     596             : 
     597           0 :                         ct = talloc_zero(scb, struct package_PrimaryCLEARTEXTBlob);
     598           0 :                         if (ct == NULL) {
     599           0 :                                 return ldb_module_oom(module);
     600             :                         }
     601             : 
     602           0 :                         ndr_err = ndr_pull_struct_blob(&scpbct, ct, ct,
     603             :                                         (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryCLEARTEXTBlob);
     604           0 :                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     605           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     606             :                                                  "ndr_pull_struct_blob PrimaryCLEARTEXT");
     607             :                         }
     608             : 
     609           0 :                         if ((ct->cleartext.length % 2) != 0) {
     610           0 :                                 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     611             :                                                  "PrimaryCLEARTEXT length % 2 != 0");
     612             :                         }
     613             : 
     614           0 :                         talloc_free(ct);
     615             :                 }
     616             : 
     617           0 :                 ndr_err = ndr_push_struct_blob(&blob, scb, scb,
     618             :                                 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
     619           0 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     620           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     621             :                                          "ndr_pull_struct_blob_all");
     622             :                 }
     623             : 
     624           0 :                 if (sce->values[0].length != blob.length) {
     625           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     626             :                                          "supplementalCredentialsBlob length differ");
     627             :                 }
     628             : 
     629           0 :                 if (!mem_equal_const_time(sce->values[0].data, blob.data, blob.length)) {
     630           0 :                         return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
     631             :                                          "supplementalCredentialsBlob memcmp differ");
     632             :                 }
     633             : 
     634           0 :                 talloc_free(scb);
     635             :         }
     636             : 
     637           2 :         ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_bypass - validated\n");
     638           2 :         return ldb_next_request(module, request);
     639             : }
     640             : 
     641             : /* Get the NT hash, and fill it in as an entry in the password history, 
     642             :    and specify it into io->g.nt_hash */
     643             : 
     644       16235 : static int setup_nt_fields(struct setup_password_fields_io *io)
     645             : {
     646       16235 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
     647             :         uint32_t i;
     648       16235 :         if (io->u.store_nt_hash) {
     649       16235 :                 io->g.nt_hash = io->n.nt_hash;
     650             :         }
     651             : 
     652       16235 :         if (io->ac->status->domain_data.pwdHistoryLength == 0) {
     653          50 :                 return LDB_SUCCESS;
     654             :         }
     655             : 
     656             :         /* We might not have an old NT password */
     657             : 
     658       16185 :         if (io->g.nt_hash == NULL) {
     659             :                 /*
     660             :                  * If there was not an NT hash specified, then don't
     661             :                  * store the NT password history.
     662             :                  *
     663             :                  * While the NTLM code on a Windows DC will cope with
     664             :                  * a missing unicodePwd, if it finds a last password
     665             :                  * in the ntPwdHistory, even if the bytes are zero ,
     666             :                  * it will (quite reasonably) treat it as a valid NT
     667             :                  * hash.  NTLM logins with the previous password are
     668             :                  * allowed for a short time after the password is
     669             :                  * changed to allow for password propagation delays.
     670             :                  */
     671           0 :                 return LDB_SUCCESS;
     672             :         }
     673             : 
     674       16185 :         io->g.nt_history = talloc_array(io->ac,
     675             :                                         struct samr_Password,
     676             :                                         io->ac->status->domain_data.pwdHistoryLength);
     677       16185 :         if (!io->g.nt_history) {
     678           0 :                 return ldb_oom(ldb);
     679             :         }
     680             : 
     681       30623 :         for (i = 0; i < MIN(io->ac->status->domain_data.pwdHistoryLength-1,
     682       14438 :                             io->o.nt_history_len); i++) {
     683       14438 :                 io->g.nt_history[i+1] = io->o.nt_history[i];
     684             :         }
     685       16185 :         io->g.nt_history_len = i + 1;
     686             : 
     687       16185 :         io->g.nt_history[0] = *io->g.nt_hash;
     688             : 
     689       16185 :         return LDB_SUCCESS;
     690             : }
     691             : 
     692       15979 : static int setup_kerberos_keys(struct setup_password_fields_io *io)
     693             : {
     694             :         struct ldb_context *ldb;
     695             :         krb5_error_code krb5_ret;
     696       15979 :         krb5_principal salt_principal = NULL;
     697             :         krb5_data salt_data;
     698             :         krb5_data salt;
     699             :         krb5_keyblock key;
     700             :         krb5_data cleartext_data;
     701       15979 :         uint32_t uac_flags = 0;
     702             : 
     703       15979 :         ldb = ldb_module_get_ctx(io->ac->module);
     704       15979 :         cleartext_data.data = (char *)io->n.cleartext_utf8->data;
     705       15979 :         cleartext_data.length = io->n.cleartext_utf8->length;
     706             : 
     707       15979 :         uac_flags = io->u.userAccountControl & UF_ACCOUNT_TYPE_MASK;
     708       15979 :         krb5_ret = smb_krb5_salt_principal(io->smb_krb5_context->krb5_context,
     709       15979 :                                            io->ac->status->domain_data.realm,
     710             :                                            io->u.sAMAccountName,
     711             :                                            io->u.user_principal_name,
     712             :                                            uac_flags,
     713             :                                            &salt_principal);
     714       15979 :         if (krb5_ret) {
     715           2 :                 ldb_asprintf_errstring(ldb,
     716             :                                        "setup_kerberos_keys: "
     717             :                                        "generation of a salting principal failed: %s",
     718           2 :                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
     719           2 :                                                                   krb5_ret, io->ac));
     720           2 :                 return LDB_ERR_OPERATIONS_ERROR;
     721             :         }
     722             : 
     723             :         /*
     724             :          * create salt from salt_principal
     725             :          */
     726       15977 :         krb5_ret = smb_krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
     727             :                                         salt_principal, &salt_data);
     728             : 
     729       15977 :         krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
     730       15977 :         if (krb5_ret) {
     731           0 :                 ldb_asprintf_errstring(ldb,
     732             :                                        "setup_kerberos_keys: "
     733             :                                        "generation of krb5_salt failed: %s",
     734           0 :                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
     735           0 :                                                                   krb5_ret, io->ac));
     736           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     737             :         }
     738             : 
     739             :         /* now use the talloced copy of the salt */
     740       31954 :         salt.data       = talloc_strndup(io->ac,
     741       15977 :                                          (char *)salt_data.data,
     742        5374 :                                          salt_data.length);
     743       15977 :         io->g.salt      = salt.data;
     744       15977 :         salt.length     = strlen(io->g.salt);
     745             : 
     746       15977 :         smb_krb5_free_data_contents(io->smb_krb5_context->krb5_context,
     747             :                                     &salt_data);
     748             : 
     749             :         /*
     750             :          * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
     751             :          * the salt and the cleartext password
     752             :          */
     753       15977 :         krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
     754             :                                                    NULL,
     755             :                                                    &salt,
     756             :                                                    &cleartext_data,
     757             :                                                    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
     758             :                                                    &key);
     759       15977 :         if (krb5_ret) {
     760           0 :                 ldb_asprintf_errstring(ldb,
     761             :                                        "setup_kerberos_keys: "
     762             :                                        "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
     763           0 :                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
     764           0 :                                                                   krb5_ret, io->ac));
     765           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     766             :         }
     767       15977 :         io->g.aes_256 = data_blob_talloc(io->ac,
     768             :                                          KRB5_KEY_DATA(&key),
     769             :                                          KRB5_KEY_LENGTH(&key));
     770       15977 :         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
     771       15977 :         if (!io->g.aes_256.data) {
     772           0 :                 return ldb_oom(ldb);
     773             :         }
     774             : 
     775             :         /*
     776             :          * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
     777             :          * the salt and the cleartext password
     778             :          */
     779       15977 :         krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
     780             :                                                    NULL,
     781             :                                                    &salt,
     782             :                                                    &cleartext_data,
     783             :                                                    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
     784             :                                                    &key);
     785       15977 :         if (krb5_ret) {
     786           0 :                 ldb_asprintf_errstring(ldb,
     787             :                                        "setup_kerberos_keys: "
     788             :                                        "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
     789           0 :                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
     790           0 :                                                                   krb5_ret, io->ac));
     791           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     792             :         }
     793       15977 :         io->g.aes_128 = data_blob_talloc(io->ac,
     794             :                                          KRB5_KEY_DATA(&key),
     795             :                                          KRB5_KEY_LENGTH(&key));
     796       15977 :         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
     797       15977 :         if (!io->g.aes_128.data) {
     798           0 :                 return ldb_oom(ldb);
     799             :         }
     800             : 
     801             :         /*
     802             :          * As per RFC-6649 single DES encryption types are no longer considered
     803             :          * secure to be used in Kerberos, we store random keys instead of the
     804             :          * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys.
     805             :          */
     806       15977 :         io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
     807       15977 :         if (!io->g.des_md5.data) {
     808           0 :                 return ldb_oom(ldb);
     809             :         }
     810       15977 :         generate_secret_buffer(io->g.des_md5.data, 8);
     811             : 
     812       15977 :         io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
     813       15977 :         if (!io->g.des_crc.data) {
     814           0 :                 return ldb_oom(ldb);
     815             :         }
     816       15977 :         generate_secret_buffer(io->g.des_crc.data, 8);
     817             : 
     818       15977 :         return LDB_SUCCESS;
     819             : }
     820             : 
     821       16822 : static int setup_kerberos_key_hash(struct setup_password_fields_io *io,
     822             :                                    struct setup_password_fields_given *g)
     823             : {
     824       16822 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
     825             :         krb5_error_code krb5_ret;
     826             :         krb5_data salt;
     827             :         krb5_keyblock key;
     828             :         krb5_data cleartext_data;
     829             : 
     830       16822 :         if (io->ac->search_res == NULL) {
     831             :                 /* No old data so nothing to do */
     832        1071 :                 return LDB_SUCCESS;
     833             :         }
     834             : 
     835       15751 :         if (io->o.salt.data == NULL) {
     836             :                 /* We didn't fetch the salt in setup_io(), so nothing to do */
     837       13485 :                 return LDB_SUCCESS;
     838             :         }
     839             : 
     840        2266 :         salt.data = (char *)io->o.salt.data;
     841        2266 :         salt.length = io->o.salt.length;
     842             : 
     843        2266 :         cleartext_data.data = (char *)g->cleartext_utf8->data;
     844        2266 :         cleartext_data.length = g->cleartext_utf8->length;
     845             : 
     846             :         /*
     847             :          * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of the salt
     848             :          * and the cleartext password
     849             :          */
     850        2266 :         krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
     851             :                                                    NULL,
     852             :                                                    &salt,
     853             :                                                    &cleartext_data,
     854             :                                                    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
     855             :                                                    &key);
     856        2266 :         if (krb5_ret) {
     857           0 :                 ldb_asprintf_errstring(ldb,
     858             :                                        "setup_kerberos_key_hash: "
     859             :                                        "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
     860           0 :                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
     861           0 :                                                                   krb5_ret, io->ac));
     862           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     863             :         }
     864             : 
     865        2266 :         g->aes_256 = data_blob_talloc(io->ac,
     866             :                                       KRB5_KEY_DATA(&key),
     867             :                                       KRB5_KEY_LENGTH(&key));
     868        2266 :         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
     869        2266 :         if (g->aes_256.data == NULL) {
     870           0 :                 return ldb_oom(ldb);
     871             :         }
     872             : 
     873        2266 :         talloc_keep_secret(g->aes_256.data);
     874             : 
     875        2266 :         return LDB_SUCCESS;
     876             : }
     877             : 
     878       15977 : static int setup_primary_kerberos(struct setup_password_fields_io *io,
     879             :                                   const struct supplementalCredentialsBlob *old_scb,
     880             :                                   struct package_PrimaryKerberosBlob *pkb)
     881             : {
     882             :         struct ldb_context *ldb;
     883       15977 :         struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
     884       15977 :         struct supplementalCredentialsPackage *old_scp = NULL;
     885             :         struct package_PrimaryKerberosBlob _old_pkb;
     886       15977 :         struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
     887             :         uint32_t i;
     888             :         enum ndr_err_code ndr_err;
     889             : 
     890       15977 :         ldb = ldb_module_get_ctx(io->ac->module);
     891             : 
     892             :         /*
     893             :          * prepare generation of keys
     894             :          *
     895             :          * ENCTYPE_DES_CBC_MD5
     896             :          * ENCTYPE_DES_CBC_CRC
     897             :          */
     898       15977 :         pkb->version         = 3;
     899       15977 :         pkb3->salt.string    = io->g.salt;
     900       15977 :         pkb3->num_keys               = 2;
     901       15977 :         pkb3->keys           = talloc_array(io->ac,
     902             :                                                struct package_PrimaryKerberosKey3,
     903             :                                                pkb3->num_keys);
     904       15977 :         if (!pkb3->keys) {
     905           0 :                 return ldb_oom(ldb);
     906             :         }
     907             : 
     908       15977 :         pkb3->keys[0].keytype        = ENCTYPE_DES_CBC_MD5;
     909       15977 :         pkb3->keys[0].value  = &io->g.des_md5;
     910       15977 :         pkb3->keys[1].keytype        = ENCTYPE_DES_CBC_CRC;
     911       15977 :         pkb3->keys[1].value  = &io->g.des_crc;
     912             : 
     913             :         /* initialize the old keys to zero */
     914       15977 :         pkb3->num_old_keys   = 0;
     915       15977 :         pkb3->old_keys               = NULL;
     916             : 
     917             :         /* if there're no old keys, then we're done */
     918       15977 :         if (!old_scb) {
     919       14218 :                 return LDB_SUCCESS;
     920             :         }
     921             : 
     922        3420 :         for (i=0; i < old_scb->sub.num_packages; i++) {
     923        3420 :                 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
     924        1661 :                         continue;
     925             :                 }
     926             : 
     927        1759 :                 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
     928           0 :                         continue;
     929             :                 }
     930             : 
     931        1759 :                 old_scp = &old_scb->sub.packages[i];
     932        1759 :                 break;
     933             :         }
     934             :         /* Primary:Kerberos element of supplementalCredentials */
     935        1759 :         if (old_scp) {
     936             :                 DATA_BLOB blob;
     937             : 
     938        1759 :                 blob = strhex_to_data_blob(io->ac, old_scp->data);
     939        1759 :                 if (!blob.data) {
     940           0 :                         return ldb_oom(ldb);
     941             :                 }
     942             : 
     943             :                 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
     944        1759 :                 ndr_err = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
     945             :                                                (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
     946        1759 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     947           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
     948           0 :                         ldb_asprintf_errstring(ldb,
     949             :                                                "setup_primary_kerberos: "
     950             :                                                "failed to pull old package_PrimaryKerberosBlob: %s",
     951             :                                                nt_errstr(status));
     952           0 :                         return LDB_ERR_OPERATIONS_ERROR;
     953             :                 }
     954             : 
     955        1759 :                 if (_old_pkb.version != 3) {
     956           0 :                         ldb_asprintf_errstring(ldb,
     957             :                                                "setup_primary_kerberos: "
     958             :                                                "package_PrimaryKerberosBlob version[%u] expected[3]",
     959           0 :                                                _old_pkb.version);
     960           0 :                         return LDB_ERR_OPERATIONS_ERROR;
     961             :                 }
     962             : 
     963        1759 :                 old_pkb3 = &_old_pkb.ctr.ctr3;
     964             :         }
     965             : 
     966             :         /* if we didn't found the old keys we're done */
     967        1759 :         if (!old_pkb3) {
     968           0 :                 return LDB_SUCCESS;
     969             :         }
     970             : 
     971             :         /* fill in the old keys */
     972        1759 :         pkb3->num_old_keys   = old_pkb3->num_keys;
     973        1759 :         pkb3->old_keys               = old_pkb3->keys;
     974             : 
     975        1759 :         return LDB_SUCCESS;
     976             : }
     977             : 
     978       10986 : static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
     979             :                                         const struct supplementalCredentialsBlob *old_scb,
     980             :                                         struct package_PrimaryKerberosBlob *pkb)
     981             : {
     982             :         struct ldb_context *ldb;
     983       10986 :         struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
     984       10986 :         struct supplementalCredentialsPackage *old_scp = NULL;
     985             :         struct package_PrimaryKerberosBlob _old_pkb;
     986       10986 :         struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
     987             :         uint32_t i;
     988             :         enum ndr_err_code ndr_err;
     989             : 
     990       10986 :         ldb = ldb_module_get_ctx(io->ac->module);
     991             : 
     992             :         /*
     993             :          * prepare generation of keys
     994             :          *
     995             :          * ENCTYPE_AES256_CTS_HMAC_SHA1_96
     996             :          * ENCTYPE_AES128_CTS_HMAC_SHA1_96
     997             :          * ENCTYPE_DES_CBC_MD5
     998             :          * ENCTYPE_DES_CBC_CRC
     999             :          */
    1000       10986 :         pkb->version                 = 4;
    1001       10986 :         pkb4->salt.string            = io->g.salt;
    1002       10986 :         pkb4->default_iteration_count        = 4096;
    1003       10986 :         pkb4->num_keys                       = 4;
    1004             : 
    1005       10986 :         pkb4->keys = talloc_array(io->ac,
    1006             :                                   struct package_PrimaryKerberosKey4,
    1007             :                                   pkb4->num_keys);
    1008       10986 :         if (!pkb4->keys) {
    1009           0 :                 return ldb_oom(ldb);
    1010             :         }
    1011             : 
    1012       10986 :         pkb4->keys[0].iteration_count        = 4096;
    1013       10986 :         pkb4->keys[0].keytype                = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
    1014       10986 :         pkb4->keys[0].value          = &io->g.aes_256;
    1015       10986 :         pkb4->keys[1].iteration_count        = 4096;
    1016       10986 :         pkb4->keys[1].keytype                = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
    1017       10986 :         pkb4->keys[1].value          = &io->g.aes_128;
    1018       10986 :         pkb4->keys[2].iteration_count        = 4096;
    1019       10986 :         pkb4->keys[2].keytype                = ENCTYPE_DES_CBC_MD5;
    1020       10986 :         pkb4->keys[2].value          = &io->g.des_md5;
    1021       10986 :         pkb4->keys[3].iteration_count        = 4096;
    1022       10986 :         pkb4->keys[3].keytype                = ENCTYPE_DES_CBC_CRC;
    1023       10986 :         pkb4->keys[3].value          = &io->g.des_crc;
    1024             : 
    1025             :         /* initialize the old keys to zero */
    1026       10986 :         pkb4->num_old_keys   = 0;
    1027       10986 :         pkb4->old_keys               = NULL;
    1028       10986 :         pkb4->num_older_keys = 0;
    1029       10986 :         pkb4->older_keys     = NULL;
    1030             : 
    1031             :         /* if there're no old keys, then we're done */
    1032       10986 :         if (!old_scb) {
    1033        9325 :                 return LDB_SUCCESS;
    1034             :         }
    1035             : 
    1036        1661 :         for (i=0; i < old_scb->sub.num_packages; i++) {
    1037        1661 :                 if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
    1038           0 :                         continue;
    1039             :                 }
    1040             : 
    1041        1661 :                 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
    1042           0 :                         continue;
    1043             :                 }
    1044             : 
    1045        1661 :                 old_scp = &old_scb->sub.packages[i];
    1046        1661 :                 break;
    1047             :         }
    1048             :         /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
    1049        1661 :         if (old_scp) {
    1050             :                 DATA_BLOB blob;
    1051             : 
    1052        1661 :                 blob = strhex_to_data_blob(io->ac, old_scp->data);
    1053        1661 :                 if (!blob.data) {
    1054           0 :                         return ldb_oom(ldb);
    1055             :                 }
    1056             : 
    1057             :                 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
    1058        1661 :                 ndr_err = ndr_pull_struct_blob(&blob, io->ac,
    1059             :                                                &_old_pkb,
    1060             :                                                (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
    1061        1661 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    1062           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    1063           0 :                         ldb_asprintf_errstring(ldb,
    1064             :                                                "setup_primary_kerberos_newer: "
    1065             :                                                "failed to pull old package_PrimaryKerberosBlob: %s",
    1066             :                                                nt_errstr(status));
    1067           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    1068             :                 }
    1069             : 
    1070        1661 :                 if (_old_pkb.version != 4) {
    1071           0 :                         ldb_asprintf_errstring(ldb,
    1072             :                                                "setup_primary_kerberos_newer: "
    1073             :                                                "package_PrimaryKerberosBlob version[%u] expected[4]",
    1074           0 :                                                _old_pkb.version);
    1075           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    1076             :                 }
    1077             : 
    1078        1661 :                 old_pkb4 = &_old_pkb.ctr.ctr4;
    1079             :         }
    1080             : 
    1081             :         /* if we didn't found the old keys we're done */
    1082        1661 :         if (!old_pkb4) {
    1083           0 :                 return LDB_SUCCESS;
    1084             :         }
    1085             : 
    1086             :         /* fill in the old keys */
    1087        1661 :         pkb4->num_old_keys   = old_pkb4->num_keys;
    1088        1661 :         pkb4->old_keys               = old_pkb4->keys;
    1089        1661 :         pkb4->num_older_keys = old_pkb4->num_old_keys;
    1090        1661 :         pkb4->older_keys     = old_pkb4->old_keys;
    1091             : 
    1092        1661 :         return LDB_SUCCESS;
    1093             : }
    1094             : 
    1095       15977 : static int setup_primary_wdigest(struct setup_password_fields_io *io,
    1096             :                                  const struct supplementalCredentialsBlob *old_scb,
    1097             :                                  struct package_PrimaryWDigestBlob *pdb)
    1098             : {
    1099       15977 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    1100             :         DATA_BLOB sAMAccountName;
    1101             :         DATA_BLOB sAMAccountName_l;
    1102             :         DATA_BLOB sAMAccountName_u;
    1103       15977 :         const char *user_principal_name = io->u.user_principal_name;
    1104             :         DATA_BLOB userPrincipalName;
    1105             :         DATA_BLOB userPrincipalName_l;
    1106             :         DATA_BLOB userPrincipalName_u;
    1107             :         DATA_BLOB netbios_domain;
    1108             :         DATA_BLOB netbios_domain_l;
    1109             :         DATA_BLOB netbios_domain_u;
    1110             :         DATA_BLOB dns_domain;
    1111             :         DATA_BLOB dns_domain_l;
    1112             :         DATA_BLOB dns_domain_u;
    1113             :         DATA_BLOB digest;
    1114             :         DATA_BLOB delim;
    1115             :         DATA_BLOB backslash;
    1116             :         uint8_t i;
    1117             :         struct {
    1118             :                 DATA_BLOB *user;
    1119             :                 DATA_BLOB *realm;
    1120             :                 DATA_BLOB *nt4dom;
    1121       15977 :         } wdigest[] = {
    1122             :         /*
    1123             :          * See 3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
    1124             :          *     https://msdn.microsoft.com/en-us/library/cc245680.aspx
    1125             :          * for what precalculated hashes are supposed to be stored...
    1126             :          *
    1127             :          * I can't reproduce all values which should contain "Digest" as realm,
    1128             :          * am I doing something wrong or is w2k3 just broken...?
    1129             :          *
    1130             :          * W2K3 fills in following for a user:
    1131             :          *
    1132             :          * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
    1133             :          * sAMAccountName: NewUser2Sam
    1134             :          * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
    1135             :          *
    1136             :          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
    1137             :          * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
    1138             :          * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
    1139             :          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
    1140             :          * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
    1141             :          * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
    1142             :          * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
    1143             :          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1144             :          * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1145             :          * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1146             :          * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1147             :          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1148             :          * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1149             :          * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1150             :          * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
    1151             :          * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
    1152             :          * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
    1153             :          * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
    1154             :          * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
    1155             :          * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
    1156             :          * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
    1157             :          * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
    1158             :          * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
    1159             :          * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
    1160             :          * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
    1161             :          * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
    1162             :          * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
    1163             :          * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
    1164             :          * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
    1165             :          *
    1166             :          * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
    1167             :          * sAMAccountName: NewUser2Sam
    1168             :          *
    1169             :          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
    1170             :          * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
    1171             :          * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
    1172             :          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
    1173             :          * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
    1174             :          * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
    1175             :          * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
    1176             :          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1177             :          * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1178             :          * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1179             :          * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1180             :          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1181             :          * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
    1182             :          * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
    1183             :          * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
    1184             :          * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
    1185             :          * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
    1186             :          * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
    1187             :          * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
    1188             :          * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
    1189             :          * 31dc704d3640335b2123d4ee28aa1f11 => ???M1   changes with NewUser2Sam => NewUser1Sam
    1190             :          * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
    1191             :          * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
    1192             :          * 569b4533f2d9e580211dd040e5e360a8 => ???M2   changes with NewUser2Princ => NewUser1Princ
    1193             :          * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
    1194             :          * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
    1195             :          * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
    1196             :          * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
    1197             :          * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
    1198             :          */
    1199             : 
    1200             :         /*
    1201             :          * sAMAccountName, netbios_domain
    1202             :          */
    1203             :                 {
    1204             :                 .user   = &sAMAccountName,
    1205             :                 .realm  = &netbios_domain,
    1206             :                 },
    1207             :                 {
    1208             :                 .user   = &sAMAccountName_l,
    1209             :                 .realm  = &netbios_domain_l,
    1210             :                 },
    1211             :                 {
    1212             :                 .user   = &sAMAccountName_u,
    1213             :                 .realm  = &netbios_domain_u,
    1214             :                 },
    1215             :                 {
    1216             :                 .user   = &sAMAccountName,
    1217             :                 .realm  = &netbios_domain_u,
    1218             :                 },
    1219             :                 {
    1220             :                 .user   = &sAMAccountName,
    1221             :                 .realm  = &netbios_domain_l,
    1222             :                 },
    1223             :                 {
    1224             :                 .user   = &sAMAccountName_u,
    1225             :                 .realm  = &netbios_domain_l,
    1226             :                 },
    1227             :                 {
    1228             :                 .user   = &sAMAccountName_l,
    1229             :                 .realm  = &netbios_domain_u,
    1230             :                 },
    1231             :         /*
    1232             :          * sAMAccountName, dns_domain
    1233             :          *
    1234             :          * TODO:
    1235             :          * Windows preserves the case of the DNS domain,
    1236             :          * Samba lower cases the domain at provision time
    1237             :          * This means that for mixed case Domains, the WDigest08 hash
    1238             :          * calculated by Samba differs from that calculated by Windows.
    1239             :          * Until we get a real world use case this will remain a known
    1240             :          * bug, as changing the case could have unforeseen impacts.
    1241             :          *
    1242             :          */
    1243             :                 {
    1244             :                 .user   = &sAMAccountName,
    1245             :                 .realm  = &dns_domain,
    1246             :                 },
    1247             :                 {
    1248             :                 .user   = &sAMAccountName_l,
    1249             :                 .realm  = &dns_domain_l,
    1250             :                 },
    1251             :                 {
    1252             :                 .user   = &sAMAccountName_u,
    1253             :                 .realm  = &dns_domain_u,
    1254             :                 },
    1255             :                 {
    1256             :                 .user   = &sAMAccountName,
    1257             :                 .realm  = &dns_domain_u,
    1258             :                 },
    1259             :                 {
    1260             :                 .user   = &sAMAccountName,
    1261             :                 .realm  = &dns_domain_l,
    1262             :                 },
    1263             :                 {
    1264             :                 .user   = &sAMAccountName_u,
    1265             :                 .realm  = &dns_domain_l,
    1266             :                 },
    1267             :                 {
    1268             :                 .user   = &sAMAccountName_l,
    1269             :                 .realm  = &dns_domain_u,
    1270             :                 },
    1271             :         /* 
    1272             :          * userPrincipalName, no realm
    1273             :          */
    1274             :                 {
    1275             :                 .user   = &userPrincipalName,
    1276             :                 },
    1277             :                 {
    1278             :                 /* 
    1279             :                  * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
    1280             :                  *       the fallback to the sAMAccountName based userPrincipalName is correct
    1281             :                  */
    1282             :                 .user   = &userPrincipalName_l,
    1283             :                 },
    1284             :                 {
    1285             :                 .user   = &userPrincipalName_u,
    1286             :                 },
    1287             :         /* 
    1288             :          * nt4dom\sAMAccountName, no realm
    1289             :          */
    1290             :                 {
    1291             :                 .user   = &sAMAccountName,
    1292             :                 .nt4dom = &netbios_domain
    1293             :                 },
    1294             :                 {
    1295             :                 .user   = &sAMAccountName_l,
    1296             :                 .nt4dom = &netbios_domain_l
    1297             :                 },
    1298             :                 {
    1299             :                 .user   = &sAMAccountName_u,
    1300             :                 .nt4dom = &netbios_domain_u
    1301             :                 },
    1302             : 
    1303             :         /*
    1304             :          * the following ones are guessed depending on the technet2 article
    1305             :          * but not reproducable on a w2k3 server
    1306             :          */
    1307             :         /* sAMAccountName with "Digest" realm */
    1308             :                 {
    1309             :                 .user   = &sAMAccountName,
    1310             :                 .realm  = &digest
    1311             :                 },
    1312             :                 {
    1313             :                 .user   = &sAMAccountName_l,
    1314             :                 .realm  = &digest
    1315             :                 },
    1316             :                 {
    1317             :                 .user   = &sAMAccountName_u,
    1318             :                 .realm  = &digest
    1319             :                 },
    1320             :         /* userPrincipalName with "Digest" realm */
    1321             :                 {
    1322             :                 .user   = &userPrincipalName,
    1323             :                 .realm  = &digest
    1324             :                 },
    1325             :                 {
    1326             :                 .user   = &userPrincipalName_l,
    1327             :                 .realm  = &digest
    1328             :                 },
    1329             :                 {
    1330             :                 .user   = &userPrincipalName_u,
    1331             :                 .realm  = &digest
    1332             :                 },
    1333             :         /* nt4dom\\sAMAccountName with "Digest" realm */
    1334             :                 {
    1335             :                 .user   = &sAMAccountName,
    1336             :                 .nt4dom = &netbios_domain,
    1337             :                 .realm  = &digest
    1338             :                 },
    1339             :                 {
    1340             :                 .user   = &sAMAccountName_l,
    1341             :                 .nt4dom = &netbios_domain_l,
    1342             :                 .realm  = &digest
    1343             :                 },
    1344             :                 {
    1345             :                 .user   = &sAMAccountName_u,
    1346             :                 .nt4dom = &netbios_domain_u,
    1347             :                 .realm  = &digest
    1348             :                 },
    1349             :         };
    1350       15977 :         int rc = LDB_ERR_OTHER;
    1351             : 
    1352             :         /* prepare DATA_BLOB's used in the combinations array */
    1353       15977 :         sAMAccountName          = data_blob_string_const(io->u.sAMAccountName);
    1354       15977 :         sAMAccountName_l        = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
    1355       15977 :         if (!sAMAccountName_l.data) {
    1356           0 :                 return ldb_oom(ldb);
    1357             :         }
    1358       15977 :         sAMAccountName_u        = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
    1359       15977 :         if (!sAMAccountName_u.data) {
    1360           0 :                 return ldb_oom(ldb);
    1361             :         }
    1362             : 
    1363             :         /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
    1364       15977 :         if (!user_principal_name) {
    1365        3398 :                 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
    1366             :                                                       io->u.sAMAccountName,
    1367        3398 :                                                       io->ac->status->domain_data.dns_domain);
    1368        3398 :                 if (!user_principal_name) {
    1369           0 :                         return ldb_oom(ldb);
    1370             :                 }       
    1371             :         }
    1372       15977 :         userPrincipalName       = data_blob_string_const(user_principal_name);
    1373       15977 :         userPrincipalName_l     = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
    1374       15977 :         if (!userPrincipalName_l.data) {
    1375           0 :                 return ldb_oom(ldb);
    1376             :         }
    1377       15977 :         userPrincipalName_u     = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
    1378       15977 :         if (!userPrincipalName_u.data) {
    1379           0 :                 return ldb_oom(ldb);
    1380             :         }
    1381             : 
    1382       15977 :         netbios_domain          = data_blob_string_const(io->ac->status->domain_data.netbios_domain);
    1383       15977 :         netbios_domain_l        = data_blob_string_const(strlower_talloc(io->ac,
    1384       15977 :                                                                          io->ac->status->domain_data.netbios_domain));
    1385       15977 :         if (!netbios_domain_l.data) {
    1386           0 :                 return ldb_oom(ldb);
    1387             :         }
    1388       15977 :         netbios_domain_u        = data_blob_string_const(strupper_talloc(io->ac,
    1389       15977 :                                                                          io->ac->status->domain_data.netbios_domain));
    1390       15977 :         if (!netbios_domain_u.data) {
    1391           0 :                 return ldb_oom(ldb);
    1392             :         }
    1393             : 
    1394       15977 :         dns_domain              = data_blob_string_const(io->ac->status->domain_data.dns_domain);
    1395       15977 :         dns_domain_l            = data_blob_string_const(io->ac->status->domain_data.dns_domain);
    1396       15977 :         dns_domain_u            = data_blob_string_const(io->ac->status->domain_data.realm);
    1397             : 
    1398       15977 :         digest                  = data_blob_string_const("Digest");
    1399             : 
    1400       15977 :         delim                   = data_blob_string_const(":");
    1401       15977 :         backslash               = data_blob_string_const("\\");
    1402             : 
    1403       15977 :         pdb->num_hashes      = ARRAY_SIZE(wdigest);
    1404       15977 :         pdb->hashes  = talloc_array(io->ac, struct package_PrimaryWDigestHash,
    1405             :                                        pdb->num_hashes);
    1406       15977 :         if (!pdb->hashes) {
    1407           0 :                 return ldb_oom(ldb);
    1408             :         }
    1409             : 
    1410      479310 :         for (i=0; i < ARRAY_SIZE(wdigest); i++) {
    1411      463333 :                 gnutls_hash_hd_t hash_hnd = NULL;
    1412             : 
    1413      463333 :                 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
    1414      463333 :                 if (rc < 0) {
    1415           0 :                         rc = ldb_oom(ldb);
    1416           0 :                         goto out;
    1417             :                 }
    1418             : 
    1419      463333 :                 if (wdigest[i].nt4dom) {
    1420       95862 :                         rc = gnutls_hash(hash_hnd,
    1421       95862 :                                           wdigest[i].nt4dom->data,
    1422       95862 :                                           wdigest[i].nt4dom->length);
    1423       95862 :                         if (rc < 0) {
    1424           0 :                                 gnutls_hash_deinit(hash_hnd, NULL);
    1425           0 :                                 rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1426           0 :                                 goto out;
    1427             :                         }
    1428       95862 :                         rc = gnutls_hash(hash_hnd,
    1429       95862 :                                           backslash.data,
    1430             :                                           backslash.length);
    1431       95862 :                         if (rc < 0) {
    1432           0 :                                 gnutls_hash_deinit(hash_hnd, NULL);
    1433           0 :                                 rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1434           0 :                                 goto out;
    1435             :                         }
    1436             :                 }
    1437      463333 :                 rc = gnutls_hash(hash_hnd,
    1438      463333 :                                  wdigest[i].user->data,
    1439      463333 :                                  wdigest[i].user->length);
    1440      463333 :                 if (rc < 0) {
    1441           0 :                         gnutls_hash_deinit(hash_hnd, NULL);
    1442           0 :                         rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1443           0 :                         goto out;
    1444             :                 }
    1445      463333 :                 rc = gnutls_hash(hash_hnd, delim.data, delim.length);
    1446      463333 :                 if (rc < 0) {
    1447           0 :                         gnutls_hash_deinit(hash_hnd, NULL);
    1448           0 :                         rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1449           0 :                         goto out;
    1450             :                 }
    1451      463333 :                 if (wdigest[i].realm) {
    1452      367471 :                         rc = gnutls_hash(hash_hnd,
    1453      367471 :                                          wdigest[i].realm->data,
    1454      367471 :                                          wdigest[i].realm->length);
    1455      367471 :                         if (rc < 0) {
    1456           0 :                                 gnutls_hash_deinit(hash_hnd, NULL);
    1457           0 :                                 rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1458           0 :                                 goto out;
    1459             :                         }
    1460             :                 }
    1461      463333 :                 rc = gnutls_hash(hash_hnd, delim.data, delim.length);
    1462      463333 :                 if (rc < 0) {
    1463           0 :                         gnutls_hash_deinit(hash_hnd, NULL);
    1464           0 :                         rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1465           0 :                         goto out;
    1466             :                 }
    1467      463333 :                 rc = gnutls_hash(hash_hnd,
    1468      463333 :                                   io->n.cleartext_utf8->data,
    1469      463333 :                                   io->n.cleartext_utf8->length);
    1470      463333 :                 if (rc < 0) {
    1471           0 :                         gnutls_hash_deinit(hash_hnd, NULL);
    1472           0 :                         rc = LDB_ERR_UNWILLING_TO_PERFORM;
    1473           0 :                         goto out;
    1474             :                 }
    1475             : 
    1476      463333 :                 gnutls_hash_deinit(hash_hnd, pdb->hashes[i].hash);
    1477             :         }
    1478             : 
    1479       15977 :         rc = LDB_SUCCESS;
    1480       15977 : out:
    1481       15977 :         return rc;
    1482             : }
    1483             : 
    1484             : #define SHA_SALT_PERMITTED_CHARS "abcdefghijklmnopqrstuvwxyz" \
    1485             :                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
    1486             :                                  "0123456789./"
    1487             : #define SHA_SALT_SIZE 16
    1488             : #define SHA_256_SCHEME "CryptSHA256"
    1489             : #define SHA_512_SCHEME "CryptSHA512"
    1490             : #define CRYPT "{CRYPT}"
    1491             : #define SHA_ID_LEN 3
    1492             : #define SHA_256_ALGORITHM_ID 5
    1493             : #define SHA_512_ALGORITHM_ID 6
    1494             : #define ROUNDS_PARAMETER "rounds="
    1495             : 
    1496             : /*
    1497             :  * Extract the crypt (3) algorithm number and number of hash rounds from the
    1498             :  * supplied scheme string
    1499             :  */
    1500           6 : static bool parse_scheme(const char *scheme, int *algorithm, int *rounds) {
    1501             : 
    1502           6 :         const char *rp = NULL; /* Pointer to the 'rounds=' option */
    1503             :         char digits[21];       /* digits extracted from the rounds option */
    1504           6 :         int i = 0;             /* loop index variable */
    1505             : 
    1506           6 :         if (strncasecmp(SHA_256_SCHEME, scheme, strlen(SHA_256_SCHEME)) == 0) {
    1507           3 :                 *algorithm = SHA_256_ALGORITHM_ID;
    1508           3 :         } else if (strncasecmp(SHA_512_SCHEME, scheme, strlen(SHA_256_SCHEME))
    1509             :                    == 0) {
    1510           3 :                 *algorithm = SHA_512_ALGORITHM_ID;
    1511             :         } else {
    1512           0 :                 return false;
    1513             :         }
    1514             : 
    1515           6 :         rp = strcasestr(scheme, ROUNDS_PARAMETER);
    1516           6 :         if (rp == NULL) {
    1517             :                 /* No options specified, use crypt default number of rounds */
    1518           3 :                 *rounds = 0;
    1519           3 :                 return true;
    1520             :         }
    1521           3 :         rp += strlen(ROUNDS_PARAMETER);
    1522          17 :         for (i = 0; isdigit(rp[i]) && i < (sizeof(digits) - 1); i++) {
    1523          14 :                 digits[i] = rp[i];
    1524             :         }
    1525           3 :         digits[i] = '\0';
    1526           3 :         *rounds = atoi(digits);
    1527           3 :         return true;
    1528             : }
    1529             : 
    1530             : /*
    1531             :  * Calculate the password hash specified by scheme, and return it in
    1532             :  * hash_value
    1533             :  */
    1534           6 : static int setup_primary_userPassword_hash(
    1535             :         TALLOC_CTX *ctx,
    1536             :         struct setup_password_fields_io *io,
    1537             :         const char* scheme,
    1538             :         struct package_PrimaryUserPasswordValue *hash_value)
    1539             : {
    1540           6 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    1541           6 :         const char *salt = NULL;        /* Randomly generated salt */
    1542           6 :         const char *cmd = NULL;         /* command passed to crypt */
    1543           6 :         const char *hash = NULL;        /* password hash generated by crypt */
    1544           6 :         int algorithm = 0;              /* crypt hash algorithm number */
    1545           6 :         int rounds = 0;                 /* The number of hash rounds */
    1546           6 :         DATA_BLOB *hash_blob = NULL;
    1547           6 :         TALLOC_CTX *frame = talloc_stackframe();
    1548             : #if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN)
    1549           6 :         struct crypt_data crypt_data = {
    1550             :                 .initialized = 0        /* working storage used by crypt */
    1551             :         };
    1552             : #endif
    1553             : 
    1554             :         /* Genrate a random password salt */
    1555           6 :         salt = generate_random_str_list(frame,
    1556             :                                         SHA_SALT_SIZE,
    1557             :                                         SHA_SALT_PERMITTED_CHARS);
    1558           6 :         if (salt == NULL) {
    1559           0 :                 TALLOC_FREE(frame);
    1560           0 :                 return ldb_oom(ldb);
    1561             :         }
    1562             : 
    1563             :         /* determine the hashing algoritm and number of rounds*/
    1564           6 :         if (!parse_scheme(scheme, &algorithm, &rounds)) {
    1565           0 :                 ldb_asprintf_errstring(
    1566             :                         ldb,
    1567             :                         "setup_primary_userPassword: Invalid scheme of [%s] "
    1568             :                         "specified for 'password hash userPassword schemes' in "
    1569             :                         "samba.conf",
    1570             :                         scheme);
    1571           0 :                 TALLOC_FREE(frame);
    1572           0 :                 return LDB_ERR_OPERATIONS_ERROR;
    1573             :         }
    1574           6 :         hash_value->scheme = talloc_strdup(ctx, CRYPT);
    1575           6 :         hash_value->scheme_len = strlen(CRYPT) + 1;
    1576             : 
    1577             :         /* generate the id/salt parameter used by crypt */
    1578           6 :         if (rounds) {
    1579           3 :                 cmd = talloc_asprintf(frame,
    1580             :                                       "$%d$rounds=%d$%s",
    1581             :                                       algorithm,
    1582             :                                       rounds,
    1583             :                                       salt);
    1584             :         } else {
    1585           3 :                 cmd = talloc_asprintf(frame, "$%d$%s", algorithm, salt);
    1586             :         }
    1587             : 
    1588             :         /*
    1589             :          * Relies on the assertion that cleartext_utf8->data is a zero
    1590             :          * terminated UTF-8 string
    1591             :          */
    1592             : 
    1593             :         /*
    1594             :          * crypt_r() and crypt() may return a null pointer upon error
    1595             :          * depending on how libcrypt was configured, so we prefer
    1596             :          * crypt_rn() from libcrypt / libxcrypt which always returns
    1597             :          * NULL on error.
    1598             :          *
    1599             :          * POSIX specifies returning a null pointer and setting
    1600             :          * errno.
    1601             :          *
    1602             :          * RHEL 7 (which does not use libcrypt / libxcrypt) returns a
    1603             :          * non-NULL pointer from crypt_r() on success but (always?)
    1604             :          * sets errno during internal processing in the NSS crypto
    1605             :          * subsystem.
    1606             :          *
    1607             :          * By preferring crypt_rn we avoid the 'return non-NULL but
    1608             :          * set-errno' that we otherwise cannot tell apart from the
    1609             :          * RHEL 7 behaviour.
    1610             :          */
    1611           6 :         errno = 0;
    1612             : 
    1613             : #ifdef HAVE_CRYPT_RN
    1614           6 :         hash = crypt_rn((char *)io->n.cleartext_utf8->data,
    1615             :                         cmd,
    1616             :                         &crypt_data,
    1617             :                         sizeof(crypt_data));
    1618             : #elif HAVE_CRYPT_R
    1619             :         hash = crypt_r((char *)io->n.cleartext_utf8->data, cmd, &crypt_data);
    1620             : #else
    1621             :         /*
    1622             :          * No crypt_r falling back to crypt, which is NOT thread safe
    1623             :          * Thread safety MT-Unsafe race:crypt
    1624             :          */
    1625             :         hash = crypt((char *)io->n.cleartext_utf8->data, cmd);
    1626             : #endif
    1627             :         /*
    1628             :         * On error, crypt() and crypt_r() may return a null pointer,
    1629             :         * or a pointer to an invalid hash beginning with a '*'.
    1630             :         */
    1631           6 :         if (hash == NULL || hash[0] == '*') {
    1632             :                 char buf[1024];
    1633           0 :                 const char *reason = NULL;
    1634           0 :                 if (errno == ERANGE) {
    1635           0 :                         reason = "Password exceeds maximum length allowed for crypt() hashing";
    1636             :                 } else {
    1637           0 :                         int err = strerror_r(errno, buf, sizeof(buf));
    1638           0 :                         if (err == 0) {
    1639           0 :                                 reason = buf;
    1640             :                         } else {
    1641           0 :                                 reason = "Unknown error";
    1642             :                         }
    1643             :                 }
    1644           0 :                 ldb_asprintf_errstring(
    1645             :                         ldb,
    1646             :                         "setup_primary_userPassword: generation of a %s "
    1647             :                         "password hash failed: (%s)",
    1648             :                         scheme,
    1649             :                         reason);
    1650           0 :                 TALLOC_FREE(frame);
    1651           0 :                 return LDB_ERR_OPERATIONS_ERROR;
    1652             :         }
    1653             : 
    1654           6 :         hash_blob = talloc_zero(ctx, DATA_BLOB);
    1655             : 
    1656           6 :         if (hash_blob == NULL) {
    1657           0 :                 TALLOC_FREE(frame);
    1658           0 :                 return ldb_oom(ldb);
    1659             :         }
    1660             : 
    1661           6 :         *hash_blob =  data_blob_talloc(hash_blob,
    1662             :                                        (const uint8_t *)hash,
    1663             :                                        strlen(hash));
    1664           6 :         if (hash_blob->data == NULL) {
    1665           0 :                 TALLOC_FREE(frame);
    1666           0 :                 return ldb_oom(ldb);
    1667             :         }
    1668           6 :         hash_value->value = hash_blob;
    1669           6 :         TALLOC_FREE(frame);
    1670           6 :         return LDB_SUCCESS;
    1671             : }
    1672             : 
    1673             : /*
    1674             :  * Calculate the desired extra password hashes
    1675             :  */
    1676           6 : static int setup_primary_userPassword(
    1677             :         struct setup_password_fields_io *io,
    1678             :         const struct supplementalCredentialsBlob *old_scb,
    1679             :         struct package_PrimaryUserPasswordBlob *p_userPassword_b)
    1680             : {
    1681           6 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    1682           6 :         TALLOC_CTX *frame = talloc_stackframe();
    1683             :         int i;
    1684             :         int ret;
    1685             : 
    1686             :         /*
    1687             :          * Save the current nt_hash, use this to determine if the password
    1688             :          * has been changed by windows. Which will invalidate the userPassword
    1689             :          * hash. Note once NTLM-Strong-NOWTF becomes available it should be
    1690             :          * used in preference to the NT password hash
    1691             :          */
    1692           6 :         if (io->g.nt_hash == NULL) {
    1693             :                 /*
    1694             :                  * When the NT hash is not available, we use this field to store
    1695             :                  * the first 16 bytes of the AES256 key instead. This allows
    1696             :                  * 'samba-tool user' to verify that the user's password is in
    1697             :                  * sync with the userPassword package.
    1698             :                  */
    1699           0 :                 uint8_t hash_len = MIN(16, io->g.aes_256.length);
    1700             : 
    1701           0 :                 ZERO_STRUCT(p_userPassword_b->current_nt_hash);
    1702           0 :                 memcpy(p_userPassword_b->current_nt_hash.hash,
    1703           0 :                        io->g.aes_256.data,
    1704             :                        hash_len);
    1705             :         } else {
    1706           6 :                 p_userPassword_b->current_nt_hash = *io->g.nt_hash;
    1707             :         }
    1708             : 
    1709             :         /*
    1710             :          * Determine the number of hashes
    1711             :          * Note: that currently there is no limit on the number of hashes
    1712             :          *       no checking is done on the number of schemes specified
    1713             :          *       or for uniqueness.
    1714             :          */
    1715           6 :         p_userPassword_b->num_hashes = 0;
    1716          12 :         for (i = 0; io->ac->userPassword_schemes[i]; i++) {
    1717           6 :                 p_userPassword_b->num_hashes++;
    1718             :         }
    1719             : 
    1720             :         p_userPassword_b->hashes
    1721           6 :                 = talloc_array(io->ac,
    1722             :                                struct package_PrimaryUserPasswordValue,
    1723             :                                p_userPassword_b->num_hashes);
    1724           6 :         if (p_userPassword_b->hashes == NULL) {
    1725           0 :                 TALLOC_FREE(frame);
    1726           0 :                 return ldb_oom(ldb);
    1727             :         }
    1728             : 
    1729          12 :         for (i = 0; io->ac->userPassword_schemes[i]; i++) {
    1730           6 :                 ret = setup_primary_userPassword_hash(
    1731           6 :                         p_userPassword_b->hashes,
    1732             :                         io,
    1733           6 :                         io->ac->userPassword_schemes[i],
    1734           6 :                         &p_userPassword_b->hashes[i]);
    1735           6 :                 if (ret != LDB_SUCCESS) {
    1736           0 :                         TALLOC_FREE(frame);
    1737           0 :                         return ret;
    1738             :                 }
    1739             :         }
    1740           6 :         return LDB_SUCCESS;
    1741             : }
    1742             : 
    1743             : 
    1744        3829 : static int setup_primary_samba_gpg(struct setup_password_fields_io *io,
    1745             :                                    struct package_PrimarySambaGPGBlob *pgb)
    1746        3829 : {
    1747        3829 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    1748             : #ifdef ENABLE_GPGME
    1749             :         gpgme_error_t gret;
    1750        3829 :         gpgme_ctx_t ctx = NULL;
    1751        3829 :         size_t num_keys = str_list_length(io->ac->gpg_key_ids);
    1752        3829 :         gpgme_key_t keys[num_keys+1];
    1753        3829 :         size_t ki = 0;
    1754        3829 :         size_t kr = 0;
    1755        3829 :         gpgme_data_t plain_data = NULL;
    1756        3829 :         gpgme_data_t crypt_data = NULL;
    1757        3829 :         size_t crypt_length = 0;
    1758        3829 :         char *crypt_mem = NULL;
    1759             : 
    1760        3829 :         gret = gpgme_new(&ctx);
    1761        3829 :         if (gret != GPG_ERR_NO_ERROR) {
    1762           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1763             :                           "%s:%s: gret[%u] %s\n",
    1764             :                           __location__, __func__,
    1765             :                           gret, gpgme_strerror(gret));
    1766           0 :                 return ldb_module_operr(io->ac->module);
    1767             :         }
    1768             : 
    1769        3829 :         gpgme_set_armor(ctx, 1);
    1770             : 
    1771        3829 :         gret = gpgme_data_new_from_mem(&plain_data,
    1772        3829 :                                        (const char *)io->n.cleartext_utf16->data,
    1773        3829 :                                        io->n.cleartext_utf16->length,
    1774             :                                        0 /* no copy */);
    1775        3829 :         if (gret != GPG_ERR_NO_ERROR) {
    1776           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1777             :                           "%s:%s: gret[%u] %s\n",
    1778             :                           __location__, __func__,
    1779             :                           gret, gpgme_strerror(gret));
    1780           0 :                 gpgme_release(ctx);
    1781           0 :                 return ldb_module_operr(io->ac->module);
    1782             :         }
    1783        3829 :         gret = gpgme_data_new(&crypt_data);
    1784        3829 :         if (gret != GPG_ERR_NO_ERROR) {
    1785           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1786             :                           "%s:%s: gret[%u] %s\n",
    1787             :                           __location__, __func__,
    1788             :                           gret, gpgme_strerror(gret));
    1789           0 :                 gpgme_data_release(plain_data);
    1790           0 :                 gpgme_release(ctx);
    1791           0 :                 return ldb_module_operr(io->ac->module);
    1792             :         }
    1793             : 
    1794        7658 :         for (ki = 0; ki < num_keys; ki++) {
    1795        3829 :                 const char *key_id = io->ac->gpg_key_ids[ki];
    1796        3829 :                 size_t len = strlen(key_id);
    1797             : 
    1798        3829 :                 keys[ki] = NULL;
    1799             : 
    1800        3829 :                 if (len < 16) {
    1801           0 :                         ldb_debug(ldb, LDB_DEBUG_FATAL,
    1802             :                                   "%s:%s: ki[%zu] key_id[%s] strlen < 16, "
    1803             :                                   "please specify at least the 64bit key id\n",
    1804             :                                   __location__, __func__,
    1805             :                                   ki, key_id);
    1806           0 :                         for (kr = 0; keys[kr] != NULL; kr++) {
    1807           0 :                                 gpgme_key_release(keys[kr]);
    1808             :                         }
    1809           0 :                         gpgme_data_release(crypt_data);
    1810           0 :                         gpgme_data_release(plain_data);
    1811           0 :                         gpgme_release(ctx);
    1812           0 :                         return ldb_module_operr(io->ac->module);
    1813             :                 }
    1814             : 
    1815        3829 :                 gret = gpgme_get_key(ctx, key_id, &keys[ki], 0 /* public key */);
    1816        3829 :                 if (gret != GPG_ERR_NO_ERROR) {
    1817           0 :                         keys[ki] = NULL;
    1818           0 :                         if (gpg_err_source(gret) == GPG_ERR_SOURCE_GPGME
    1819           0 :                             && gpg_err_code(gret) == GPG_ERR_EOF) {
    1820           0 :                                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1821             :                                           "Invalid "
    1822             :                                           "'password hash gpg key ids': "
    1823             :                                           "Public Key ID [%s] "
    1824             :                                           "not found in keyring\n",
    1825             :                                           key_id);
    1826             : 
    1827             :                         } else {
    1828           0 :                                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1829             :                                           "%s:%s: ki[%zu] key_id[%s] "
    1830             :                                           "gret[%u] %s\n",
    1831             :                                           __location__, __func__,
    1832             :                                           ki, key_id,
    1833             :                                           gret, gpgme_strerror(gret));
    1834             :                         }
    1835           0 :                         for (kr = 0; keys[kr] != NULL; kr++) {
    1836           0 :                                 gpgme_key_release(keys[kr]);
    1837             :                         }
    1838           0 :                         gpgme_data_release(crypt_data);
    1839           0 :                         gpgme_data_release(plain_data);
    1840           0 :                         gpgme_release(ctx);
    1841           0 :                         return ldb_module_operr(io->ac->module);
    1842             :                 }
    1843             :         }
    1844        3829 :         keys[ki] = NULL;
    1845             : 
    1846        3829 :         gret = gpgme_op_encrypt(ctx, keys,
    1847             :                                 GPGME_ENCRYPT_ALWAYS_TRUST,
    1848             :                                 plain_data, crypt_data);
    1849        3829 :         gpgme_data_release(plain_data);
    1850        3829 :         plain_data = NULL;
    1851        7658 :         for (kr = 0; keys[kr] != NULL; kr++) {
    1852        3829 :                 gpgme_key_release(keys[kr]);
    1853        3829 :                 keys[kr] = NULL;
    1854             :         }
    1855        3829 :         gpgme_release(ctx);
    1856        3829 :         ctx = NULL;
    1857        3829 :         if (gret != GPG_ERR_NO_ERROR) {
    1858           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    1859             :                           "%s:%s: gret[%u] %s\n",
    1860             :                           __location__, __func__,
    1861             :                           gret, gpgme_strerror(gret));
    1862           0 :                 gpgme_data_release(crypt_data);
    1863           0 :                 return ldb_module_operr(io->ac->module);
    1864             :         }
    1865             : 
    1866        3829 :         crypt_mem = gpgme_data_release_and_get_mem(crypt_data, &crypt_length);
    1867        3829 :         crypt_data = NULL;
    1868        3829 :         if (crypt_mem == NULL) {
    1869           0 :                 return ldb_module_oom(io->ac->module);
    1870             :         }
    1871             : 
    1872        3829 :         pgb->gpg_blob = data_blob_talloc(io->ac,
    1873             :                                          (const uint8_t *)crypt_mem,
    1874             :                                          crypt_length);
    1875        3829 :         gpgme_free(crypt_mem);
    1876        3829 :         crypt_mem = NULL;
    1877        3829 :         crypt_length = 0;
    1878        3829 :         if (pgb->gpg_blob.data == NULL) {
    1879           0 :                 return ldb_module_oom(io->ac->module);
    1880             :         }
    1881             : 
    1882        3829 :         return LDB_SUCCESS;
    1883             : #else /* ENABLE_GPGME */
    1884             :         ldb_debug_set(ldb, LDB_DEBUG_FATAL,
    1885             :                       "You configured 'password hash gpg key ids', "
    1886             :                       "but GPGME support is missing. (%s:%d)",
    1887             :                       __FILE__, __LINE__);
    1888             :         return LDB_ERR_UNWILLING_TO_PERFORM;
    1889             : #endif /* else ENABLE_GPGME */
    1890             : }
    1891             : 
    1892             : #define NUM_PACKAGES 6
    1893       16235 : static int setup_supplemental_field(struct setup_password_fields_io *io)
    1894             : {
    1895             :         struct ldb_context *ldb;
    1896             :         struct supplementalCredentialsBlob scb;
    1897       16235 :         struct supplementalCredentialsBlob *old_scb = NULL;
    1898             :         /*
    1899             :          * Packages +
    1900             :          * ( Kerberos-Newer-Keys, Kerberos,
    1901             :          *   WDigest, CLEARTEXT, userPassword, SambaGPG)
    1902             :          */
    1903       16235 :         uint32_t num_names = 0;
    1904             :         const char *names[1+NUM_PACKAGES];
    1905       16235 :         uint32_t num_packages = 0;
    1906             :         struct supplementalCredentialsPackage packages[1+NUM_PACKAGES];
    1907       16235 :         struct supplementalCredentialsPackage *pp = packages;
    1908             :         int ret;
    1909             :         enum ndr_err_code ndr_err;
    1910       16235 :         bool do_newer_keys = false;
    1911       16235 :         bool do_cleartext = false;
    1912       16235 :         bool do_samba_gpg = false;
    1913       16235 :         struct loadparm_context *lp_ctx = NULL;
    1914             : 
    1915       16235 :         ZERO_STRUCT(names);
    1916       16235 :         ZERO_STRUCT(packages);
    1917             : 
    1918       16235 :         ldb = ldb_module_get_ctx(io->ac->module);
    1919       16235 :         lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
    1920             :                                  struct loadparm_context);
    1921             : 
    1922       16235 :         if (!io->n.cleartext_utf8) {
    1923             :                 /*
    1924             :                  * when we don't have a cleartext password
    1925             :                  * we can't setup a supplementalCredential value
    1926             :                  */
    1927         258 :                 return LDB_SUCCESS;
    1928             :         }
    1929             : 
    1930             :         /* if there's an old supplementaCredentials blob then use it */
    1931       15977 :         if (io->o.supplemental) {
    1932        1759 :                 if (io->o.scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
    1933        1759 :                         old_scb = &io->o.scb;
    1934             :                 } else {
    1935           0 :                         ldb_debug(ldb, LDB_DEBUG_ERROR,
    1936             :                                   "setup_supplemental_field: "
    1937             :                                   "supplementalCredentialsBlob "
    1938             :                                   "signature[0x%04X] expected[0x%04X]",
    1939           0 :                                   io->o.scb.sub.signature,
    1940             :                                   SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
    1941             :                 }
    1942             :         }
    1943             :         /* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
    1944             : 
    1945             : 
    1946             : 
    1947             :         /*
    1948             :          * The ordering is this
    1949             :          *
    1950             :          * Primary:Kerberos-Newer-Keys (optional)
    1951             :          * Primary:Kerberos
    1952             :          * Primary:WDigest
    1953             :          * Primary:CLEARTEXT (optional)
    1954             :          * Primary:userPassword
    1955             :          * Primary:SambaGPG (optional)
    1956             :          *
    1957             :          * And the 'Packages' package is insert before the last
    1958             :          * other package.
    1959             :          *
    1960             :          * Note: it's important that Primary:SambaGPG is added as
    1961             :          * the last element. This is the indication that it matches
    1962             :          * the current password. When a password change happens on
    1963             :          * a Windows DC, it will keep the old Primary:SambaGPG value,
    1964             :          * but as the first element.
    1965             :          */
    1966       15977 :         do_newer_keys = (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008);
    1967       15977 :         if (do_newer_keys) {
    1968             :                 struct package_PrimaryKerberosBlob pknb;
    1969             :                 DATA_BLOB pknb_blob;
    1970             :                 char *pknb_hexstr;
    1971             :                 /*
    1972             :                  * setup 'Primary:Kerberos-Newer-Keys' element
    1973             :                  */
    1974       10986 :                 names[num_names++] = "Kerberos-Newer-Keys";
    1975             : 
    1976       10986 :                 ret = setup_primary_kerberos_newer(io, old_scb, &pknb);
    1977       10986 :                 if (ret != LDB_SUCCESS) {
    1978           0 :                         return ret;
    1979             :                 }
    1980             : 
    1981       10986 :                 ndr_err = ndr_push_struct_blob(
    1982       10986 :                         &pknb_blob, io->ac,
    1983             :                         &pknb,
    1984             :                         (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
    1985       10986 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    1986           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    1987           0 :                         ldb_asprintf_errstring(
    1988             :                                 ldb,
    1989             :                                 "setup_supplemental_field: "
    1990             :                                 "failed to push "
    1991             :                                 "package_PrimaryKerberosNeverBlob: %s",
    1992             :                                 nt_errstr(status));
    1993           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    1994             :                 }
    1995       10986 :                 pknb_hexstr = data_blob_hex_string_upper(io->ac, &pknb_blob);
    1996       10986 :                 if (!pknb_hexstr) {
    1997           0 :                         return ldb_oom(ldb);
    1998             :                 }
    1999       10986 :                 pp->name     = "Primary:Kerberos-Newer-Keys";
    2000       10986 :                 pp->reserved = 1;
    2001       10986 :                 pp->data     = pknb_hexstr;
    2002       10986 :                 pp++;
    2003       10986 :                 num_packages++;
    2004             :         }
    2005             : 
    2006             :         {
    2007             :                 /*
    2008             :                  * setup 'Primary:Kerberos' element
    2009             :                  */
    2010             :                 /* Primary:Kerberos */
    2011             :                 struct package_PrimaryKerberosBlob pkb;
    2012             :                 DATA_BLOB pkb_blob;
    2013             :                 char *pkb_hexstr;
    2014             : 
    2015       15977 :                 names[num_names++] = "Kerberos";
    2016             : 
    2017       15977 :                 ret = setup_primary_kerberos(io, old_scb, &pkb);
    2018       15977 :                 if (ret != LDB_SUCCESS) {
    2019           0 :                         return ret;
    2020             :                 }
    2021             : 
    2022       15977 :                 ndr_err = ndr_push_struct_blob(
    2023       15977 :                         &pkb_blob, io->ac,
    2024             :                         &pkb,
    2025             :                         (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
    2026       15977 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2027           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2028           0 :                         ldb_asprintf_errstring(
    2029             :                                 ldb,
    2030             :                                 "setup_supplemental_field: "
    2031             :                                 "failed to push package_PrimaryKerberosBlob: %s",
    2032             :                                 nt_errstr(status));
    2033           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2034             :                 }
    2035       15977 :                 pkb_hexstr = data_blob_hex_string_upper(io->ac, &pkb_blob);
    2036       15977 :                 if (!pkb_hexstr) {
    2037           0 :                         return ldb_oom(ldb);
    2038             :                 }
    2039       15977 :                 pp->name     = "Primary:Kerberos";
    2040       15977 :                 pp->reserved = 1;
    2041       15977 :                 pp->data     = pkb_hexstr;
    2042       15977 :                 pp++;
    2043       15977 :                 num_packages++;
    2044             :         }
    2045             : 
    2046       15977 :         if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_ALLOWED) {
    2047             :                 /*
    2048             :                  * setup 'Primary:WDigest' element
    2049             :                  */
    2050             :                 struct package_PrimaryWDigestBlob pdb;
    2051             :                 DATA_BLOB pdb_blob;
    2052             :                 char *pdb_hexstr;
    2053             : 
    2054       15977 :                 names[num_names++] = "WDigest";
    2055             : 
    2056       15977 :                 ret = setup_primary_wdigest(io, old_scb, &pdb);
    2057       15977 :                 if (ret != LDB_SUCCESS) {
    2058           0 :                         return ret;
    2059             :                 }
    2060             : 
    2061       15977 :                 ndr_err = ndr_push_struct_blob(
    2062       15977 :                         &pdb_blob, io->ac,
    2063             :                         &pdb,
    2064             :                         (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
    2065       15977 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2066           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2067           0 :                         ldb_asprintf_errstring(
    2068             :                                 ldb,
    2069             :                                 "setup_supplemental_field: "
    2070             :                                 "failed to push package_PrimaryWDigestBlob: %s",
    2071             :                                 nt_errstr(status));
    2072           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2073             :                 }
    2074       15977 :                 pdb_hexstr = data_blob_hex_string_upper(io->ac, &pdb_blob);
    2075       15977 :                 if (!pdb_hexstr) {
    2076           0 :                         return ldb_oom(ldb);
    2077             :                 }
    2078       15977 :                 pp->name     = "Primary:WDigest";
    2079       15977 :                 pp->reserved = 1;
    2080       15977 :                 pp->data     = pdb_hexstr;
    2081       15977 :                 pp++;
    2082       15977 :                 num_packages++;
    2083             :         }
    2084             : 
    2085             :         /*
    2086             :          * setup 'Primary:CLEARTEXT' element
    2087             :          */
    2088       15977 :         if (io->ac->status->domain_data.store_cleartext &&
    2089           6 :             (io->u.userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
    2090           6 :                 do_cleartext = true;
    2091             :         }
    2092       15977 :         if (do_cleartext) {
    2093             :                 struct package_PrimaryCLEARTEXTBlob pcb;
    2094             :                 DATA_BLOB pcb_blob;
    2095             :                 char *pcb_hexstr;
    2096             : 
    2097           6 :                 names[num_names++] = "CLEARTEXT";
    2098             : 
    2099           6 :                 pcb.cleartext   = *io->n.cleartext_utf16;
    2100             : 
    2101           6 :                 ndr_err = ndr_push_struct_blob(
    2102           6 :                         &pcb_blob, io->ac,
    2103             :                         &pcb,
    2104             :                         (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
    2105           6 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2106           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2107           0 :                         ldb_asprintf_errstring(
    2108             :                                 ldb,
    2109             :                                 "setup_supplemental_field: "
    2110             :                                 "failed to push package_PrimaryCLEARTEXTBlob: %s",
    2111             :                                 nt_errstr(status));
    2112           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2113             :                 }
    2114           6 :                 pcb_hexstr = data_blob_hex_string_upper(io->ac, &pcb_blob);
    2115           6 :                 if (!pcb_hexstr) {
    2116           0 :                         return ldb_oom(ldb);
    2117             :                 }
    2118           6 :                 pp->name     = "Primary:CLEARTEXT";
    2119           6 :                 pp->reserved = 1;
    2120           6 :                 pp->data     = pcb_hexstr;
    2121           6 :                 pp++;
    2122           6 :                 num_packages++;
    2123             :         }
    2124             : 
    2125             :         /*
    2126             :          * Don't generate crypt() or similar password for the krbtgt account.
    2127             :          * It's unnecessary, and the length of the cleartext in UTF-8 form
    2128             :          * exceeds the maximum (CRYPT_MAX_PASSPHRASE_SIZE) allowed by crypt().
    2129             :          */
    2130       15977 :         if (io->ac->userPassword_schemes && !io->u.is_krbtgt) {
    2131             :                 /*
    2132             :                  * setup 'Primary:userPassword' element
    2133             :                  */
    2134             :                 struct package_PrimaryUserPasswordBlob
    2135             :                         p_userPassword_b;
    2136             :                 DATA_BLOB p_userPassword_b_blob;
    2137             :                 char *p_userPassword_b_hexstr;
    2138             : 
    2139           6 :                 names[num_names++] = "userPassword";
    2140             : 
    2141           6 :                 ret = setup_primary_userPassword(io,
    2142             :                                                  old_scb,
    2143             :                                                  &p_userPassword_b);
    2144           6 :                 if (ret != LDB_SUCCESS) {
    2145           0 :                         return ret;
    2146             :                 }
    2147             : 
    2148           6 :                 ndr_err = ndr_push_struct_blob(
    2149             :                         &p_userPassword_b_blob,
    2150           6 :                         io->ac,
    2151             :                         &p_userPassword_b,
    2152             :                         (ndr_push_flags_fn_t)
    2153             :                         ndr_push_package_PrimaryUserPasswordBlob);
    2154           6 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2155           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2156           0 :                         ldb_asprintf_errstring(
    2157             :                                 ldb,
    2158             :                                 "setup_supplemental_field: failed to push "
    2159             :                                 "package_PrimaryUserPasswordBlob: %s",
    2160             :                                 nt_errstr(status));
    2161           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2162             :                 }
    2163             :                 p_userPassword_b_hexstr
    2164           6 :                         = data_blob_hex_string_upper(
    2165           6 :                                 io->ac,
    2166             :                                 &p_userPassword_b_blob);
    2167           6 :                 if (!p_userPassword_b_hexstr) {
    2168           0 :                         return ldb_oom(ldb);
    2169             :                 }
    2170           6 :                 pp->name     = "Primary:userPassword";
    2171           6 :                 pp->reserved = 1;
    2172           6 :                 pp->data     = p_userPassword_b_hexstr;
    2173           6 :                 pp++;
    2174           6 :                 num_packages++;
    2175             :         }
    2176             : 
    2177             :         /*
    2178             :          * setup 'Primary:SambaGPG' element
    2179             :          */
    2180       15977 :         if (io->ac->gpg_key_ids != NULL) {
    2181        3829 :                 do_samba_gpg = true;
    2182             :         }
    2183       15977 :         if (do_samba_gpg) {
    2184             :                 struct package_PrimarySambaGPGBlob pgb;
    2185             :                 DATA_BLOB pgb_blob;
    2186             :                 char *pgb_hexstr;
    2187             : 
    2188        3829 :                 names[num_names++] = "SambaGPG";
    2189             : 
    2190        3829 :                 ret = setup_primary_samba_gpg(io, &pgb);
    2191        3829 :                 if (ret != LDB_SUCCESS) {
    2192           0 :                         return ret;
    2193             :                 }
    2194             : 
    2195        3829 :                 ndr_err = ndr_push_struct_blob(&pgb_blob, io->ac, &pgb,
    2196             :                         (ndr_push_flags_fn_t)ndr_push_package_PrimarySambaGPGBlob);
    2197        3829 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2198           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2199           0 :                         ldb_asprintf_errstring(ldb,
    2200             :                                         "setup_supplemental_field: failed to "
    2201             :                                         "push package_PrimarySambaGPGBlob: %s",
    2202             :                                         nt_errstr(status));
    2203           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2204             :                 }
    2205        3829 :                 pgb_hexstr = data_blob_hex_string_upper(io->ac, &pgb_blob);
    2206        3829 :                 if (!pgb_hexstr) {
    2207           0 :                         return ldb_oom(ldb);
    2208             :                 }
    2209        3829 :                 pp->name     = "Primary:SambaGPG";
    2210        3829 :                 pp->reserved = 1;
    2211        3829 :                 pp->data     = pgb_hexstr;
    2212        3829 :                 pp++;
    2213        3829 :                 num_packages++;
    2214             :         }
    2215             : 
    2216             :         /*
    2217             :          * setup 'Packages' element
    2218             :          */
    2219             :         {
    2220             :                 struct package_PackagesBlob pb;
    2221             :                 DATA_BLOB pb_blob;
    2222             :                 char *pb_hexstr;
    2223             : 
    2224       15977 :                 pb.names = names;
    2225       15977 :                 ndr_err = ndr_push_struct_blob(
    2226       15977 :                         &pb_blob, io->ac,
    2227             :                         &pb,
    2228             :                         (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
    2229       15977 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2230           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2231           0 :                         ldb_asprintf_errstring(
    2232             :                                 ldb,
    2233             :                                 "setup_supplemental_field: "
    2234             :                                 "failed to push package_PackagesBlob: %s",
    2235             :                                 nt_errstr(status));
    2236           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2237             :                 }
    2238       15977 :                 pb_hexstr = data_blob_hex_string_upper(io->ac, &pb_blob);
    2239       15977 :                 if (!pb_hexstr) {
    2240           0 :                         return ldb_oom(ldb);
    2241             :                 }
    2242       15977 :                 pp->name     = "Packages";
    2243       15977 :                 pp->reserved = 2;
    2244       15977 :                 pp->data     = pb_hexstr;
    2245       15977 :                 num_packages++;
    2246             :                 /*
    2247             :                  * We don't increment pp so it's pointing to the last package
    2248             :                  */
    2249             :         }
    2250             : 
    2251             :         /*
    2252             :          * setup 'supplementalCredentials' value
    2253             :          */
    2254             :         {
    2255             :                 /*
    2256             :                  * The 'Packages' element needs to be the second last element
    2257             :                  * in supplementalCredentials
    2258             :                  */
    2259             :                 struct supplementalCredentialsPackage temp;
    2260             :                 struct supplementalCredentialsPackage *prev;
    2261             : 
    2262       15977 :                 prev = pp-1;
    2263       15977 :                 temp = *prev;
    2264       15977 :                 *prev = *pp;
    2265       15977 :                 *pp = temp;
    2266             : 
    2267       15977 :                 ZERO_STRUCT(scb);
    2268       15977 :                 scb.sub.signature       = SUPPLEMENTAL_CREDENTIALS_SIGNATURE;
    2269       15977 :                 scb.sub.num_packages    = num_packages;
    2270       15977 :                 scb.sub.packages        = packages;
    2271             : 
    2272       15977 :                 ndr_err = ndr_push_struct_blob(
    2273       15977 :                         &io->g.supplemental, io->ac,
    2274             :                         &scb,
    2275             :                         (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
    2276       15977 :                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2277           0 :                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2278           0 :                         ldb_asprintf_errstring(
    2279             :                                 ldb,
    2280             :                                 "setup_supplemental_field: "
    2281             :                                 "failed to push supplementalCredentialsBlob: %s",
    2282             :                                 nt_errstr(status));
    2283           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    2284             :                 }
    2285             :         }
    2286             : 
    2287       15977 :         return LDB_SUCCESS;
    2288             : }
    2289             : 
    2290       37335 : static int setup_last_set_field(struct setup_password_fields_io *io)
    2291             : {
    2292       37335 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2293       37335 :         const struct ldb_message *msg = NULL;
    2294       37335 :         struct timeval tv = { .tv_sec = 0 };
    2295       37335 :         const struct ldb_val *old_val = NULL;
    2296       37335 :         const struct ldb_val *new_val = NULL;
    2297             :         int ret;
    2298             : 
    2299       37335 :         switch (io->ac->req->operation) {
    2300       21923 :         case LDB_ADD:
    2301       21923 :                 msg = io->ac->req->op.add.message;
    2302       21923 :                 break;
    2303       15412 :         case LDB_MODIFY:
    2304       15412 :                 msg = io->ac->req->op.mod.message;
    2305       15412 :                 break;
    2306           0 :         default:
    2307           0 :                 return LDB_ERR_OPERATIONS_ERROR;
    2308             :                 break;
    2309             :         }
    2310             : 
    2311       37335 :         if (io->ac->pwd_last_set_bypass) {
    2312           4 :                 struct ldb_message_element *el = NULL;
    2313             :                 size_t i;
    2314           4 :                 size_t count = 0;
    2315             :                 /*
    2316             :                  * This is a message from pdb_samba_dsdb_replace_by_sam()
    2317             :                  *
    2318             :                  * We want to ensure there is only one pwdLastSet element, and
    2319             :                  * it isn't deleting.
    2320             :                  */
    2321           4 :                 if (msg == NULL) {
    2322           0 :                         return LDB_ERR_CONSTRAINT_VIOLATION;
    2323             :                 }
    2324             : 
    2325          13 :                 for (i = 0; i < msg->num_elements; i++) {
    2326           9 :                         if (ldb_attr_cmp(msg->elements[i].name,
    2327             :                                          "pwdLastSet") == 0) {
    2328           4 :                                 count++;
    2329           4 :                                 el = &msg->elements[i];
    2330             :                         }
    2331             :                 }
    2332           4 :                 if (count != 1) {
    2333           0 :                         return LDB_ERR_CONSTRAINT_VIOLATION;
    2334             :                 }
    2335             : 
    2336           4 :                 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
    2337           0 :                         return LDB_ERR_CONSTRAINT_VIOLATION;
    2338             :                 }
    2339             : 
    2340           4 :                 io->g.last_set = samdb_result_nttime(msg, "pwdLastSet", 0);
    2341           4 :                 return LDB_SUCCESS;
    2342             :         }
    2343             : 
    2344       37331 :         ret = msg_find_old_and_new_pwd_val(msg, "pwdLastSet",
    2345       37331 :                                            io->ac->req->operation,
    2346             :                                            &new_val, &old_val);
    2347       37331 :         if (ret != LDB_SUCCESS) {
    2348           0 :                 return ret;
    2349             :         }
    2350             : 
    2351       37331 :         if (old_val != NULL && new_val == NULL) {
    2352           0 :                 ldb_set_errstring(ldb,
    2353             :                                   "'pwdLastSet' deletion is not allowed!");
    2354           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    2355             :         }
    2356             : 
    2357       37331 :         io->g.last_set = UINT64_MAX;
    2358       37331 :         if (new_val != NULL) {
    2359       22160 :                 struct ldb_message *tmp_msg = NULL;
    2360             : 
    2361       22160 :                 tmp_msg = ldb_msg_new(io->ac);
    2362       22160 :                 if (tmp_msg == NULL) {
    2363           0 :                         return ldb_module_oom(io->ac->module);
    2364             :                 }
    2365             : 
    2366       22160 :                 if (old_val != NULL) {
    2367          18 :                         NTTIME old_last_set = 0;
    2368             : 
    2369          18 :                         ret = ldb_msg_add_value(tmp_msg, "oldval",
    2370             :                                                 old_val, NULL);
    2371          18 :                         if (ret != LDB_SUCCESS) {
    2372           0 :                                 return ret;
    2373             :                         }
    2374             : 
    2375          18 :                         old_last_set = samdb_result_nttime(tmp_msg,
    2376             :                                                            "oldval",
    2377             :                                                            1);
    2378          18 :                         if (io->u.pwdLastSet != old_last_set) {
    2379           6 :                                 return dsdb_module_werror(io->ac->module,
    2380             :                                         LDB_ERR_NO_SUCH_ATTRIBUTE,
    2381             :                                         WERR_DS_CANT_REM_MISSING_ATT_VAL,
    2382             :                                         "setup_last_set_field: old pwdLastSet "
    2383             :                                         "value not found!");
    2384             :                         }
    2385             :                 }
    2386             : 
    2387       22154 :                 ret = ldb_msg_add_value(tmp_msg, "newval",
    2388             :                                         new_val, NULL);
    2389       22154 :                 if (ret != LDB_SUCCESS) {
    2390           0 :                         return ret;
    2391             :                 }
    2392             : 
    2393       22154 :                 io->g.last_set = samdb_result_nttime(tmp_msg,
    2394             :                                                      "newval",
    2395             :                                                      1);
    2396       15171 :         } else if (ldb_msg_find_element(msg, "pwdLastSet")) {
    2397           0 :                 ldb_set_errstring(ldb,
    2398             :                                   "'pwdLastSet' deletion is not allowed!");
    2399           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    2400       15171 :         } else if (io->ac->smartcard_reset) {
    2401             :                 /*
    2402             :                  * adding UF_SMARTCARD_REQUIRED doesn't update
    2403             :                  * pwdLastSet implicitly.
    2404             :                  */
    2405           9 :                 io->ac->update_lastset = false;
    2406             :         }
    2407             : 
    2408             :         /* only 0 or -1 (0xFFFFFFFFFFFFFFFF) are allowed */
    2409       37325 :         switch (io->g.last_set) {
    2410       22087 :         case 0:
    2411       22087 :                 if (!io->ac->pwd_last_set_default) {
    2412         126 :                         break;
    2413             :                 }
    2414       21961 :                 if (!io->ac->update_password) {
    2415       20889 :                         break;
    2416             :                 }
    2417             :                 FALL_THROUGH;
    2418             :         case UINT64_MAX:
    2419       16301 :                 if (!io->ac->update_password &&
    2420          67 :                     io->u.pwdLastSet != 0 &&
    2421          46 :                     io->u.pwdLastSet != UINT64_MAX)
    2422             :                 {
    2423             :                         /*
    2424             :                          * Just setting pwdLastSet to -1, while not changing
    2425             :                          * any password field has no effect if pwdLastSet
    2426             :                          * is already non-zero.
    2427             :                          */
    2428          46 :                         io->ac->update_lastset = false;
    2429          46 :                         break;
    2430             :                 }
    2431             :                 /* -1 means set it as now */
    2432       16255 :                 GetTimeOfDay(&tv);
    2433       16255 :                 io->g.last_set = timeval_to_nttime(&tv);
    2434       16255 :                 break;
    2435           9 :         default:
    2436           9 :                 return dsdb_module_werror(io->ac->module,
    2437             :                                           LDB_ERR_OTHER,
    2438             :                                           WERR_INVALID_PARAMETER,
    2439             :                                           "setup_last_set_field: "
    2440             :                                           "pwdLastSet must be 0 or -1 only!");
    2441             :         }
    2442             : 
    2443       37316 :         if (io->ac->req->operation == LDB_ADD) {
    2444             :                 /*
    2445             :                  * We always need to store the value on add
    2446             :                  * operations.
    2447             :                  */
    2448       21917 :                 return LDB_SUCCESS;
    2449             :         }
    2450             : 
    2451       15399 :         if (io->g.last_set == io->u.pwdLastSet) {
    2452             :                 /*
    2453             :                  * Just setting pwdLastSet to 0, is no-op if it's already 0.
    2454             :                  */
    2455          75 :                 io->ac->update_lastset = false;
    2456             :         }
    2457             : 
    2458       15399 :         return LDB_SUCCESS;
    2459             : }
    2460             : 
    2461       32474 : static int setup_given_passwords(struct setup_password_fields_io *io,
    2462             :                                  struct setup_password_fields_given *g)
    2463             : {
    2464       32474 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2465             : 
    2466       32474 :         if (g->cleartext_utf8) {
    2467             :                 struct ldb_val *cleartext_utf16_blob;
    2468             : 
    2469        1985 :                 cleartext_utf16_blob = talloc(io->ac, struct ldb_val);
    2470        1985 :                 if (!cleartext_utf16_blob) {
    2471           0 :                         return ldb_oom(ldb);
    2472             :                 }
    2473        1985 :                 if (!convert_string_talloc(io->ac,
    2474             :                                            CH_UTF8, CH_UTF16,
    2475        1985 :                                            g->cleartext_utf8->data,
    2476        1985 :                                            g->cleartext_utf8->length,
    2477        1985 :                                            (void *)&cleartext_utf16_blob->data,
    2478             :                                            &cleartext_utf16_blob->length)) {
    2479           0 :                         if (g->cleartext_utf8->length != 0) {
    2480           0 :                                 talloc_free(cleartext_utf16_blob);
    2481           0 :                                 ldb_asprintf_errstring(ldb,
    2482             :                                                        "setup_password_fields: "
    2483             :                                                        "failed to generate UTF16 password from cleartext UTF8 one for user '%s'!",
    2484             :                                                        io->u.sAMAccountName);
    2485           0 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    2486             :                         } else {
    2487             :                                 /* passwords with length "0" are valid! */
    2488           0 :                                 cleartext_utf16_blob->data = NULL;
    2489           0 :                                 cleartext_utf16_blob->length = 0;
    2490             :                         }
    2491             :                 }
    2492        1985 :                 g->cleartext_utf16 = cleartext_utf16_blob;
    2493       30489 :         } else if (g->cleartext_utf16) {
    2494             :                 struct ldb_val *cleartext_utf8_blob;
    2495             : 
    2496       14837 :                 cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
    2497       14837 :                 if (!cleartext_utf8_blob) {
    2498           0 :                         return ldb_oom(ldb);
    2499             :                 }
    2500       14837 :                 if (!convert_string_talloc(io->ac,
    2501             :                                            CH_UTF16MUNGED, CH_UTF8,
    2502       14837 :                                            g->cleartext_utf16->data,
    2503       14837 :                                            g->cleartext_utf16->length,
    2504       14837 :                                            (void *)&cleartext_utf8_blob->data,
    2505             :                                            &cleartext_utf8_blob->length)) {
    2506           0 :                         if (g->cleartext_utf16->length != 0) {
    2507             :                                 /* We must bail out here, the input wasn't even
    2508             :                                  * a multiple of 2 bytes */
    2509           0 :                                 talloc_free(cleartext_utf8_blob);
    2510           0 :                                 ldb_asprintf_errstring(ldb,
    2511             :                                                        "setup_password_fields: "
    2512             :                                                        "failed to generate UTF8 password from cleartext UTF 16 one for user '%s' - the latter had odd length (length must be a multiple of 2)!",
    2513             :                                                        io->u.sAMAccountName);
    2514           0 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    2515             :                         } else {
    2516             :                                 /* passwords with length "0" are valid! */
    2517           0 :                                 cleartext_utf8_blob->data = NULL;
    2518           0 :                                 cleartext_utf8_blob->length = 0;
    2519             :                         }
    2520             :                 }
    2521       14837 :                 g->cleartext_utf8 = cleartext_utf8_blob;
    2522             :         }
    2523             : 
    2524       32474 :         if (g->cleartext_utf16) {
    2525             :                 struct samr_Password *nt_hash;
    2526             : 
    2527       16822 :                 nt_hash = talloc(io->ac, struct samr_Password);
    2528       16822 :                 if (!nt_hash) {
    2529           0 :                         return ldb_oom(ldb);
    2530             :                 }
    2531       16822 :                 g->nt_hash = nt_hash;
    2532             : 
    2533             :                 /* compute the new nt hash */
    2534       16822 :                 mdfour(nt_hash->hash,
    2535       16822 :                        g->cleartext_utf16->data,
    2536       16822 :                        g->cleartext_utf16->length);
    2537             :         }
    2538             : 
    2539             :         /*
    2540             :          * We need to build one more hash, so we can compare with what might
    2541             :          * have been stored in the old password (for the LDAP password change)
    2542             :          *
    2543             :          * We don't have any old salts, so we won't catch password reuse if said
    2544             :          * password was used prior to an account rename and another password
    2545             :          * change.
    2546             :          *
    2547             :          * We don't have to store the 'opaque' (string2key iterations)
    2548             :          * as Heimdal doesn't allow that to be changed.
    2549             :          */
    2550       32474 :         if (g->cleartext_utf8 != NULL) {
    2551       16822 :                 int ret = setup_kerberos_key_hash(io, g);
    2552       16822 :                 if (ret != LDB_SUCCESS) {
    2553           0 :                         return ret;
    2554             :                 }
    2555             :         }
    2556             : 
    2557       32474 :         return LDB_SUCCESS;
    2558             : }
    2559             : 
    2560       37335 : static int setup_password_fields(struct setup_password_fields_io *io)
    2561             : {
    2562       37335 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2563             :         int ret;
    2564             : 
    2565       37335 :         ret = setup_last_set_field(io);
    2566       37335 :         if (ret != LDB_SUCCESS) {
    2567          15 :                 return ret;
    2568             :         }
    2569             : 
    2570       37320 :         if (!io->ac->update_password) {
    2571       21083 :                 return LDB_SUCCESS;
    2572             :         }
    2573             : 
    2574       16237 :         if (io->u.is_krbtgt) {
    2575         201 :                 size_t min = 196;
    2576         201 :                 size_t max = 255;
    2577         201 :                 size_t diff = max - min;
    2578         201 :                 size_t len = max;
    2579         201 :                 struct ldb_val *krbtgt_utf16 = NULL;
    2580             : 
    2581         201 :                 if (!io->ac->pwd_reset) {
    2582           0 :                         return dsdb_module_werror(io->ac->module,
    2583             :                                         LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS,
    2584             :                                         WERR_DS_ATT_ALREADY_EXISTS,
    2585             :                                         "Password change on krbtgt not permitted!");
    2586             :                 }
    2587             : 
    2588         201 :                 if (io->n.cleartext_utf16 == NULL) {
    2589           0 :                         return dsdb_module_werror(io->ac->module,
    2590             :                                         LDB_ERR_UNWILLING_TO_PERFORM,
    2591             :                                         WERR_DS_INVALID_ATTRIBUTE_SYNTAX,
    2592             :                                         "Password reset on krbtgt requires UTF16!");
    2593             :                 }
    2594             : 
    2595             :                 /*
    2596             :                  * Instead of taking the callers value,
    2597             :                  * we just generate a new random value here.
    2598             :                  *
    2599             :                  * Include null termination in the array.
    2600             :                  */
    2601         201 :                 if (diff > 0) {
    2602             :                         size_t tmp;
    2603             : 
    2604         201 :                         generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
    2605             : 
    2606         201 :                         tmp %= diff;
    2607             : 
    2608         201 :                         len = min + tmp;
    2609             :                 }
    2610             : 
    2611         201 :                 krbtgt_utf16 = talloc_zero(io->ac, struct ldb_val);
    2612         201 :                 if (krbtgt_utf16 == NULL) {
    2613           0 :                         return ldb_oom(ldb);
    2614             :                 }
    2615             : 
    2616         201 :                 *krbtgt_utf16 = data_blob_talloc_zero(krbtgt_utf16,
    2617         201 :                                                       (len+1)*2);
    2618         201 :                 if (krbtgt_utf16->data == NULL) {
    2619           0 :                         return ldb_oom(ldb);
    2620             :                 }
    2621         201 :                 krbtgt_utf16->length = len * 2;
    2622         201 :                 generate_secret_buffer(krbtgt_utf16->data,
    2623         201 :                                        krbtgt_utf16->length);
    2624         201 :                 io->n.cleartext_utf16 = krbtgt_utf16;
    2625             :         }
    2626             : 
    2627             :         /* transform the old password (for password changes) */
    2628       16237 :         ret = setup_given_passwords(io, &io->og);
    2629       16237 :         if (ret != LDB_SUCCESS) {
    2630           0 :                 return ret;
    2631             :         }
    2632             : 
    2633             :         /* transform the new password */
    2634       16237 :         ret = setup_given_passwords(io, &io->n);
    2635       16237 :         if (ret != LDB_SUCCESS) {
    2636           0 :                 return ret;
    2637             :         }
    2638             : 
    2639       16237 :         if (io->n.cleartext_utf8) {
    2640       15979 :                 ret = setup_kerberos_keys(io);
    2641       15979 :                 if (ret != LDB_SUCCESS) {
    2642           2 :                         return ret;
    2643             :                 }
    2644             :         }
    2645             : 
    2646             :         /*
    2647             :          * This relies on setup_kerberos_keys to make a NT-hash-like
    2648             :          * value for password history purposes
    2649             :          */
    2650             : 
    2651       16235 :         ret = setup_nt_fields(io);
    2652       16235 :         if (ret != LDB_SUCCESS) {
    2653           0 :                 return ret;
    2654             :         }
    2655             : 
    2656       16235 :         ret = setup_supplemental_field(io);
    2657       16235 :         if (ret != LDB_SUCCESS) {
    2658           0 :                 return ret;
    2659             :         }
    2660             : 
    2661       16235 :         return LDB_SUCCESS;
    2662             : }
    2663             : 
    2664       36565 : static int setup_smartcard_reset(struct setup_password_fields_io *io)
    2665             : {
    2666       36565 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2667       36565 :         struct supplementalCredentialsBlob scb = { .__ndr_size = 0 };
    2668             :         enum ndr_err_code ndr_err;
    2669             : 
    2670       36565 :         if (!io->ac->smartcard_reset) {
    2671       36552 :                 return LDB_SUCCESS;
    2672             :         }
    2673             : 
    2674          13 :         io->g.nt_hash = talloc(io->ac, struct samr_Password);
    2675          13 :         if (io->g.nt_hash == NULL) {
    2676           0 :                 return ldb_module_oom(io->ac->module);
    2677             :         }
    2678          13 :         generate_secret_buffer(io->g.nt_hash->hash,
    2679             :                                sizeof(io->g.nt_hash->hash));
    2680          13 :         io->g.nt_history_len = 0;
    2681             : 
    2682             :         /*
    2683             :          * We take the "old" value and store it
    2684             :          * with num_packages = 0.
    2685             :          *
    2686             :          * On "add" we have scb.sub.signature == 0, which
    2687             :          * results in:
    2688             :          *
    2689             :          * [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00
    2690             :          *
    2691             :          * On modify it's likely to be scb.sub.signature ==
    2692             :          * SUPPLEMENTAL_CREDENTIALS_SIGNATURE (0x0050), which results in
    2693             :          * something like:
    2694             :          *
    2695             :          * [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00
    2696             :          * [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00
    2697             :          * [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00
    2698             :          * [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00
    2699             :          * [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00
    2700             :          * [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00
    2701             :          * [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00
    2702             :          *
    2703             :          * See https://bugzilla.samba.org/show_bug.cgi?id=11441
    2704             :          * and ndr_{push,pull}_supplementalCredentialsSubBlob().
    2705             :          */
    2706          13 :         scb = io->o.scb;
    2707          13 :         scb.sub.num_packages = 0;
    2708             : 
    2709             :         /*
    2710             :          * setup 'supplementalCredentials' value without packages
    2711             :          */
    2712          13 :         ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
    2713             :                                        &scb,
    2714             :                                        (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
    2715          13 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2716           0 :                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
    2717           0 :                 ldb_asprintf_errstring(ldb,
    2718             :                                        "setup_smartcard_reset: "
    2719             :                                        "failed to push supplementalCredentialsBlob: %s",
    2720             :                                        nt_errstr(status));
    2721           0 :                 return LDB_ERR_OPERATIONS_ERROR;
    2722             :         }
    2723             : 
    2724          13 :         io->ac->update_password = true;
    2725          13 :         return LDB_SUCCESS;
    2726             : }
    2727             : 
    2728         270 : static int make_error_and_update_badPwdCount(struct setup_password_fields_io *io, WERROR *werror)
    2729             : {
    2730         270 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2731         270 :         struct ldb_message *mod_msg = NULL;
    2732         270 :         struct ldb_message *pso_msg = NULL;
    2733         270 :         struct ldb_message *current = NULL;
    2734         270 :         NTSTATUS status = NT_STATUS_OK;
    2735             :         int ret; /* The errors we will actually return */
    2736             :         int dbg_ret; /* The errors we can only complain about in logs */
    2737             : 
    2738             :         /*
    2739             :          * OK, horrible semantics ahead.
    2740             :          *
    2741             :          * - We need to abort any existing transaction
    2742             :          * - create a transaction arround the badPwdCount update
    2743             :          * - re-open the transaction so the upper layer
    2744             :          *   doesn't know what happened.
    2745             :          *
    2746             :          * This is needed because returning an error to the upper
    2747             :          * layer will cancel the transaction and undo the badPwdCount
    2748             :          * update.
    2749             :          */
    2750             : 
    2751             :         /*
    2752             :          * Checking errors here is a bit pointless.
    2753             :          * What can we do if we can't end the transaction?
    2754             :          */
    2755         270 :         dbg_ret = ldb_next_del_trans(io->ac->module);
    2756         270 :         if (dbg_ret != LDB_SUCCESS) {
    2757           0 :                 ldb_debug(ldb, LDB_DEBUG_FATAL,
    2758             :                           "Failed to abort transaction prior to update of badPwdCount of %s: %s",
    2759           0 :                           ldb_dn_get_linearized(io->ac->search_res->message->dn),
    2760             :                           ldb_errstring(ldb));
    2761             :                 /*
    2762             :                  * just return the original error
    2763             :                  */
    2764           0 :                 goto done;
    2765             :         }
    2766             : 
    2767             :         /* Likewise, what should we do if we can't open a new transaction? */
    2768         270 :         dbg_ret = ldb_next_start_trans(io->ac->module);
    2769         270 :         if (dbg_ret != LDB_SUCCESS) {
    2770           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    2771             :                           "Failed to open transaction to update badPwdCount of %s: %s",
    2772           0 :                           ldb_dn_get_linearized(io->ac->search_res->message->dn),
    2773             :                           ldb_errstring(ldb));
    2774             :                 /*
    2775             :                  * just return the original error
    2776             :                  */
    2777           0 :                 goto done;
    2778             :         }
    2779             : 
    2780             :         /*
    2781             :          * Re-read the account details, using the GUID in case the DN
    2782             :          * is being changed.
    2783             :          */
    2784         270 :         status = authsam_reread_user_logon_data(
    2785         270 :                 ldb, io->ac,
    2786         270 :                 io->ac->search_res->message,
    2787             :                 ¤t);
    2788         270 :         if (!NT_STATUS_IS_OK(status)) {
    2789             :                 /* The re-read can return account locked out, as well
    2790             :                  * as an internal error
    2791             :                  */
    2792           0 :                 goto end_transaction;
    2793             :         }
    2794             : 
    2795             :         /* PSO search result is optional (NULL if no PSO applies) */
    2796         270 :         if (io->ac->pso_res != NULL) {
    2797          15 :                 pso_msg = io->ac->pso_res->message;
    2798             :         }
    2799             : 
    2800         270 :         status = dsdb_update_bad_pwd_count(io->ac, ldb,
    2801             :                                            current,
    2802         270 :                                            io->ac->dom_res->message,
    2803             :                                            pso_msg,
    2804             :                                            &mod_msg);
    2805         270 :         if (!NT_STATUS_IS_OK(status)) {
    2806           0 :                 goto end_transaction;
    2807             :         }
    2808             : 
    2809         270 :         if (mod_msg == NULL) {
    2810         204 :                 goto end_transaction;
    2811             :         }
    2812             : 
    2813          66 :         dbg_ret = dsdb_module_modify(io->ac->module, mod_msg,
    2814             :                                  DSDB_FLAG_NEXT_MODULE,
    2815          66 :                                  io->ac->req);
    2816          66 :         if (dbg_ret != LDB_SUCCESS) {
    2817           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    2818             :                           "Failed to update badPwdCount of %s: %s",
    2819           0 :                           ldb_dn_get_linearized(io->ac->search_res->message->dn),
    2820             :                           ldb_errstring(ldb));
    2821             :                 /*
    2822             :                  * We can only ignore this...
    2823             :                  */
    2824             :         }
    2825             : 
    2826          66 : end_transaction:
    2827         270 :         dbg_ret = ldb_next_end_trans(io->ac->module);
    2828         270 :         if (dbg_ret != LDB_SUCCESS) {
    2829           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    2830             :                           "Failed to close transaction to update badPwdCount of %s: %s",
    2831           0 :                           ldb_dn_get_linearized(io->ac->search_res->message->dn),
    2832             :                           ldb_errstring(ldb));
    2833             :                 /*
    2834             :                  * We can only ignore this...
    2835             :                  */
    2836             :         }
    2837             : 
    2838         270 :         dbg_ret = ldb_next_start_trans(io->ac->module);
    2839         270 :         if (dbg_ret != LDB_SUCCESS) {
    2840           0 :                 ldb_debug(ldb, LDB_DEBUG_ERROR,
    2841             :                           "Failed to open transaction after update of badPwdCount of %s: %s",
    2842           0 :                           ldb_dn_get_linearized(io->ac->search_res->message->dn),
    2843             :                           ldb_errstring(ldb));
    2844             :                 /*
    2845             :                  * We can only ignore this...
    2846             :                  */
    2847             :         }
    2848             : 
    2849         270 : done:
    2850         270 :         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    2851         270 :         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
    2852           0 :                 *werror = WERR_ACCOUNT_LOCKED_OUT;
    2853             :         } else {
    2854         270 :                 *werror = WERR_INVALID_PASSWORD;
    2855             :         }
    2856         270 :         ldb_asprintf_errstring(ldb,
    2857             :                                "%08X: %s - check_password_restrictions: "
    2858             :                                "The old password specified doesn't match!",
    2859             :                                W_ERROR_V(*werror),
    2860             :                                ldb_strerror(ret));
    2861         270 :         return ret;
    2862             : }
    2863             : 
    2864       37318 : static int check_password_restrictions(struct setup_password_fields_io *io, WERROR *werror)
    2865             : {
    2866       37318 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    2867             :         int ret;
    2868             :         uint32_t i;
    2869             :         struct loadparm_context *lp_ctx =
    2870       37318 :                 talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
    2871             :                                 struct loadparm_context);
    2872             : 
    2873       37318 :         *werror = WERR_INVALID_PARAMETER;
    2874             : 
    2875       37318 :         if (!io->ac->update_password) {
    2876       21083 :                 return LDB_SUCCESS;
    2877             :         }
    2878             : 
    2879             :         /*
    2880             :          * First check the old password is correct, for password
    2881             :          * changes when this hasn't already been checked by a
    2882             :          * trustwrothy layer above
    2883             :          */
    2884       16235 :         if (!io->ac->pwd_reset && !(io->ac->change
    2885         642 :                                     && io->ac->change->old_password_checked == DSDB_PASSWORD_CHECKED_AND_CORRECT)) {
    2886         843 :                 bool hash_checked = false;
    2887             :                 /*
    2888             :                  * we need the old nt hash given by the client (this
    2889             :                  * is for the plaintext over LDAP password change,
    2890             :                  * Kpasswd and SAMR supply the control)
    2891             :                  */
    2892         843 :                 if (io->og.nt_hash == NULL && io->og.aes_256.length == 0) {
    2893           0 :                         ldb_asprintf_errstring(ldb,
    2894             :                                 "check_password_restrictions: "
    2895             :                                 "You need to provide the old password in order "
    2896             :                                 "to change it!");
    2897           0 :                         return LDB_ERR_UNWILLING_TO_PERFORM;
    2898             :                 }
    2899             : 
    2900             :                 /*
    2901             :                  * First compare the ENCTYPE_AES256_CTS_HMAC_SHA1_96 password and see if we have a match
    2902             :                  */
    2903             : 
    2904         843 :                 if (io->og.aes_256.length > 0 && io->o.aes_256.length) {
    2905         605 :                         hash_checked = data_blob_equal_const_time(&io->og.aes_256, &io->o.aes_256);
    2906             :                 }
    2907             : 
    2908             :                 /* The password modify through the NT hash is encouraged and
    2909             :                    has no problems at all */
    2910         843 :                 if (!hash_checked && io->og.nt_hash && io->o.nt_hash) {
    2911         130 :                         hash_checked = mem_equal_const_time(io->og.nt_hash->hash, io->o.nt_hash->hash, 16);
    2912             :                 }
    2913             : 
    2914         843 :                 if (!hash_checked) {
    2915         270 :                         return make_error_and_update_badPwdCount(io, werror);
    2916             :                 }
    2917             :         }
    2918             : 
    2919       15965 :         if (io->u.restrictions == 0) {
    2920             :                 /* FIXME: Is this right? */
    2921        1840 :                 return LDB_SUCCESS;
    2922             :         }
    2923             : 
    2924             :         /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
    2925       14125 :         if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) &&
    2926         346 :             !io->ac->pwd_reset)
    2927             :         {
    2928         158 :                 ret = LDB_ERR_CONSTRAINT_VIOLATION;
    2929         158 :                 *werror = WERR_PASSWORD_RESTRICTION;
    2930         158 :                 ldb_asprintf_errstring(ldb,
    2931             :                         "%08X: %s - check_password_restrictions: "
    2932             :                         "password is too young to change!",
    2933             :                         W_ERROR_V(*werror),
    2934             :                         ldb_strerror(ret));
    2935         158 :                 return ret;
    2936             :         }
    2937             : 
    2938             :         /*
    2939             :          * Fundamental password checks done by the call
    2940             :          * "samdb_check_password".
    2941             :          * It is also in use by "dcesrv_samr_ValidatePassword".
    2942             :          */
    2943       13967 :         if (io->n.cleartext_utf8 != NULL) {
    2944             :                 enum samr_ValidationStatus vstat;
    2945       13869 :                 vstat = samdb_check_password(io->ac, lp_ctx,
    2946             :                                              io->u.sAMAccountName,
    2947             :                                              io->u.user_principal_name,
    2948             :                                              io->u.displayName,
    2949       13869 :                                              io->n.cleartext_utf8,
    2950       13869 :                                              io->ac->status->domain_data.pwdProperties,
    2951       13869 :                                              io->ac->status->domain_data.minPwdLength);
    2952       13869 :                 switch (vstat) {
    2953       13653 :                 case SAMR_VALIDATION_STATUS_SUCCESS:
    2954             :                                 /* perfect -> proceed! */
    2955       13653 :                         break;
    2956             : 
    2957         172 :                 case SAMR_VALIDATION_STATUS_PWD_TOO_SHORT:
    2958         172 :                         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    2959         172 :                         *werror = WERR_PASSWORD_RESTRICTION;
    2960         172 :                         ldb_asprintf_errstring(ldb,
    2961             :                                 "%08X: %s - check_password_restrictions: "
    2962             :                                 "the password is too short. It should be equal or longer than %u characters!",
    2963             :                                 W_ERROR_V(*werror),
    2964             :                                 ldb_strerror(ret),
    2965         172 :                                 io->ac->status->domain_data.minPwdLength);
    2966         172 :                         io->ac->status->reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
    2967         216 :                         return ret;
    2968             : 
    2969          44 :                 case SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH:
    2970          44 :                         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    2971          44 :                         *werror = WERR_PASSWORD_RESTRICTION;
    2972          44 :                         ldb_asprintf_errstring(ldb,
    2973             :                                 "%08X: %s - check_password_restrictions: "
    2974             :                                 "the password does not meet the complexity criteria!",
    2975             :                                 W_ERROR_V(*werror),
    2976             :                                 ldb_strerror(ret));
    2977          44 :                         io->ac->status->reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
    2978          44 :                         return ret;
    2979             : 
    2980           0 :                 default:
    2981           0 :                         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    2982           0 :                         *werror = WERR_PASSWORD_RESTRICTION;
    2983           0 :                         ldb_asprintf_errstring(ldb,
    2984             :                                 "%08X: %s - check_password_restrictions: "
    2985             :                                 "the password doesn't fit due to a miscellaneous restriction!",
    2986             :                                 W_ERROR_V(*werror),
    2987             :                                 ldb_strerror(ret));
    2988           0 :                         return ret;
    2989             :                 }
    2990             :         }
    2991             : 
    2992       13751 :         if (io->ac->pwd_reset) {
    2993       13293 :                 *werror = WERR_OK;
    2994       13293 :                 return LDB_SUCCESS;
    2995             :         }
    2996             : 
    2997             :         /*
    2998             :          * This check works by using the current Kerberos password to
    2999             :          * make up a password history.  We already did the salted hash
    3000             :          * creation to pass the password change check.
    3001             :          *
    3002             :          * We check the pwdHistoryLength to ensure we honour the
    3003             :          * policy on if the history should be checked
    3004             :          */
    3005         458 :         if (io->ac->status->domain_data.pwdHistoryLength > 0
    3006         441 :             && io->g.aes_256.length && io->o.aes_256.length)
    3007             :         {
    3008         385 :                 bool equal = data_blob_equal_const_time(&io->g.aes_256,
    3009         385 :                                                         &io->o.aes_256);
    3010         385 :                 if (equal) {
    3011          41 :                         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    3012          41 :                         *werror = WERR_PASSWORD_RESTRICTION;
    3013          41 :                         ldb_asprintf_errstring(ldb,
    3014             :                                                "%08X: %s - check_password_restrictions: "
    3015             :                                                "the password was already used (previous password)!",
    3016             :                                                W_ERROR_V(*werror),
    3017             :                                                ldb_strerror(ret));
    3018          41 :                         io->ac->status->reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
    3019          41 :                         return ret;
    3020             :                 }
    3021             :         }
    3022             : 
    3023         417 :         if (io->n.nt_hash) {
    3024             :                 /*
    3025             :                  * checks the NT hash password history, against the
    3026             :                  * generated NT hash
    3027             :                  */
    3028        1244 :                 for (i = 0; i < io->o.nt_history_len; i++) {
    3029         895 :                         bool pw_cmp = mem_equal_const_time(io->n.nt_hash, io->o.nt_history[i].hash, 16);
    3030         895 :                         if (pw_cmp) {
    3031          68 :                                 ret = LDB_ERR_CONSTRAINT_VIOLATION;
    3032          68 :                                 *werror = WERR_PASSWORD_RESTRICTION;
    3033          68 :                                 ldb_asprintf_errstring(ldb,
    3034             :                                         "%08X: %s - check_password_restrictions: "
    3035             :                                         "the password was already used (in history)!",
    3036             :                                         W_ERROR_V(*werror),
    3037             :                                         ldb_strerror(ret));
    3038          68 :                                 io->ac->status->reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
    3039          68 :                                 return ret;
    3040             :                         }
    3041             :                 }
    3042             :         }
    3043             : 
    3044             :         /*
    3045             :          * This check works by using the old Kerberos passwords
    3046             :          * (old and older) to make up a password history.
    3047             :          *
    3048             :          * We check the pwdHistoryLength to ensure we honour the
    3049             :          * policy on if the history should be checked
    3050             :          */
    3051         349 :         for (i = 1;
    3052         579 :              i <= io->o.kvno && i < MIN(3, io->ac->status->domain_data.pwdHistoryLength);
    3053         230 :              i++)
    3054             :         {
    3055             :                 krb5_error_code krb5_ret;
    3056         391 :                 const uint32_t request_kvno = io->o.kvno - i;
    3057             :                 DATA_BLOB db_key_blob;
    3058             :                 bool pw_equal;
    3059             : 
    3060         391 :                 if (io->n.cleartext_utf8 == NULL) {
    3061             :                         /*
    3062             :                          * No point checking history if we don't have
    3063             :                          * a cleartext password.
    3064             :                          */
    3065         161 :                         break;
    3066             :                 }
    3067             : 
    3068         391 :                 if (io->ac->search_res == NULL) {
    3069             :                         /*
    3070             :                          * This is an ADD, no existing history to check
    3071             :                          */
    3072           0 :                         break;
    3073             :                 }
    3074             : 
    3075             :                 /*
    3076             :                  * If this account requires a smartcard for login, we don't
    3077             :                  * attempt a comparison with the old password.
    3078             :                  */
    3079         391 :                 if (io->u.userAccountControl & UF_SMARTCARD_REQUIRED) {
    3080           0 :                         break;
    3081             :                 }
    3082             : 
    3083             :                 /*
    3084             :                  * Extract the old ENCTYPE_AES256_CTS_HMAC_SHA1_96 value from
    3085             :                  * the supplementalCredentials.
    3086             :                  */
    3087         391 :                 krb5_ret = dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context,
    3088         391 :                                                     io->ac,
    3089         391 :                                                     io->ac->search_res->message,
    3090             :                                                     io->u.userAccountControl,
    3091             :                                                     &request_kvno, /* kvno */
    3092             :                                                     NULL, /* kvno_out */
    3093             :                                                     &db_key_blob,
    3094             :                                                     NULL); /* salt */
    3095         391 :                 if (krb5_ret == ENOENT) {
    3096             :                         /*
    3097             :                          * If there is no old AES hash (perhaps an imported DB with
    3098             :                          * just unicodePwd) then we just wont have an old
    3099             :                          * password to compare to if there is no NT hash
    3100             :                          */
    3101         161 :                         break;
    3102         230 :                 } else if (krb5_ret) {
    3103           0 :                         ldb_asprintf_errstring(ldb,
    3104             :                                                "check_password_restrictions: "
    3105             :                                                "extraction of old[%u - %d = %d] aes256-cts-hmac-sha1-96 key failed: %s",
    3106           0 :                                                io->o.kvno, i, io->o.kvno - i,
    3107           0 :                                                smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
    3108           0 :                                                                           krb5_ret, io->ac));
    3109           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    3110             :                 }
    3111             : 
    3112             :                 /* This is the actual history check */
    3113         230 :                 pw_equal = data_blob_equal_const_time(&io->n.aes_256,
    3114             :                                                       &db_key_blob);
    3115         230 :                 if (pw_equal) {
    3116           0 :                         ret = LDB_ERR_CONSTRAINT_VIOLATION;
    3117           0 :                         *werror = WERR_PASSWORD_RESTRICTION;
    3118           0 :                         ldb_asprintf_errstring(ldb,
    3119             :                                                "%08X: %s - check_password_restrictions: "
    3120             :                                                "the password was already used (in history)!",
    3121             :                                                W_ERROR_V(*werror),
    3122             :                                                ldb_strerror(ret));
    3123           0 :                         io->ac->status->reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
    3124           0 :                         return ret;
    3125             :                 }
    3126             :         }
    3127             : 
    3128             :         /* are all password changes disallowed? */
    3129         349 :         if (io->ac->status->domain_data.pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
    3130           0 :                 ret = LDB_ERR_CONSTRAINT_VIOLATION;
    3131           0 :                 *werror = WERR_PASSWORD_RESTRICTION;
    3132           0 :                 ldb_asprintf_errstring(ldb,
    3133             :                         "%08X: %s - check_password_restrictions: "
    3134             :                         "password changes disabled!",
    3135             :                         W_ERROR_V(*werror),
    3136             :                         ldb_strerror(ret));
    3137           0 :                 return ret;
    3138             :         }
    3139             : 
    3140             :         /* can this user change the password? */
    3141         349 :         if (io->u.userAccountControl & UF_PASSWD_CANT_CHANGE) {
    3142           0 :                 ret = LDB_ERR_CONSTRAINT_VIOLATION;
    3143           0 :                 *werror = WERR_PASSWORD_RESTRICTION;
    3144           0 :                 ldb_asprintf_errstring(ldb,
    3145             :                         "%08X: %s - check_password_restrictions: "
    3146             :                         "password can't be changed on this account!",
    3147             :                         W_ERROR_V(*werror),
    3148             :                         ldb_strerror(ret));
    3149           0 :                 return ret;
    3150             :         }
    3151             : 
    3152         349 :         return LDB_SUCCESS;
    3153             : }
    3154             : 
    3155       37318 : static int check_password_restrictions_and_log(struct setup_password_fields_io *io)
    3156             : {
    3157             :         WERROR werror;
    3158       37318 :         int ret = check_password_restrictions(io, &werror);
    3159       37318 :         struct ph_context *ac = io->ac;
    3160             :         /*
    3161             :          * Password resets are not authentication events, and if the
    3162             :          * upper layer checked the password and supplied the hash
    3163             :          * values as proof, then this is also not an authentication
    3164             :          * even at this layer (already logged).  This is to log LDAP
    3165             :          * password changes.
    3166             :          */
    3167             : 
    3168             :         /* Do not record a failure in the auth log below in the success case */
    3169       37318 :         if (ret == LDB_SUCCESS) {
    3170       36565 :                 werror = WERR_OK;
    3171             :         }
    3172             : 
    3173       37318 :         if (ac->pwd_reset == false && ac->change == NULL) {
    3174         843 :                 struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
    3175             :                 struct imessaging_context *msg_ctx;
    3176             :                 struct loadparm_context *lp_ctx
    3177         843 :                         = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"),
    3178             :                                                 struct loadparm_context);
    3179         843 :                 NTSTATUS status = werror_to_ntstatus(werror);
    3180         843 :                 const char *domain_name = lpcfg_sam_name(lp_ctx);
    3181         843 :                 void *opaque_remote_address = NULL;
    3182             :                 /*
    3183             :                  * Forcing this via the NTLM auth structure is not ideal, but
    3184             :                  * it is the most practical option right now, and ensures the
    3185             :                  * logs are consistent, even if some elements are always NULL.
    3186             :                  */
    3187         843 :                 struct auth_usersupplied_info ui = {
    3188             :                         .was_mapped = true,
    3189             :                         .client = {
    3190         843 :                                 .account_name = io->u.sAMAccountName,
    3191             :                                 .domain_name = domain_name,
    3192             :                         },
    3193             :                         .mapped = {
    3194         843 :                                 .account_name = io->u.sAMAccountName,
    3195             :                                 .domain_name = domain_name,
    3196             :                         },
    3197             :                         .service_description = "LDAP Password Change",
    3198             :                         .auth_description = "LDAP Modify",
    3199             :                         .password_type = "plaintext"
    3200             :                 };
    3201             : 
    3202         843 :                 opaque_remote_address = ldb_get_opaque(ldb,
    3203             :                                                        "remoteAddress");
    3204         843 :                 if (opaque_remote_address == NULL) {
    3205           0 :                         ldb_asprintf_errstring(ldb,
    3206             :                                                "Failed to obtain remote address for "
    3207             :                                                "the LDAP client while changing the "
    3208             :                                                "password");
    3209           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    3210             :                 }
    3211         843 :                 ui.remote_host = talloc_get_type(opaque_remote_address,
    3212             :                                                  struct tsocket_address);
    3213             : 
    3214         843 :                 msg_ctx = imessaging_client_init(ac, lp_ctx,
    3215             :                                                  ldb_get_event_context(ldb));
    3216         843 :                 if (!msg_ctx) {
    3217           0 :                         ldb_asprintf_errstring(ldb,
    3218             :                                                "Failed to generate client messaging context in %s",
    3219             :                                                lpcfg_imessaging_path(ac, lp_ctx));
    3220           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    3221             :                 }
    3222         843 :                 log_authentication_event(msg_ctx,
    3223             :                                          lp_ctx,
    3224             :                                          NULL,
    3225             :                                          &ui,
    3226             :                                          status,
    3227             :                                          domain_name,
    3228             :                                          io->u.sAMAccountName,
    3229             :                                          io->u.account_sid);
    3230             : 
    3231             :         }
    3232       37318 :         return ret;
    3233             : }
    3234             : 
    3235       36565 : static int update_final_msg(struct setup_password_fields_io *io)
    3236             : {
    3237       36565 :         struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
    3238             :         int ret;
    3239       36565 :         int el_flags = 0;
    3240       36565 :         bool update_password = io->ac->update_password;
    3241       36565 :         bool update_scb = io->ac->update_password;
    3242             : 
    3243             :         /*
    3244             :          * If we add a user without initial password,
    3245             :          * we need to add replication meta data for
    3246             :          * following attributes:
    3247             :          * - unicodePwd
    3248             :          * - dBCSPwd
    3249             :          * - ntPwdHistory
    3250             :          * - lmPwdHistory
    3251             :          *
    3252             :          * If we add a user with initial password or a
    3253             :          * password is changed of an existing user,
    3254             :          * we need to replace the following attributes
    3255             :          * with a forced meta data update, e.g. also
    3256             :          * when updating an empty attribute with an empty value:
    3257             :          * - unicodePwd
    3258             :          * - dBCSPwd
    3259             :          * - ntPwdHistory
    3260             :          * - lmPwdHistory
    3261             :          * - supplementalCredentials
    3262             :          */
    3263             : 
    3264       36565 :         switch (io->ac->req->operation) {
    3265       21914 :         case LDB_ADD:
    3266       21914 :                 update_password = true;
    3267       21914 :                 el_flags |= DSDB_FLAG_INTERNAL_FORCE_META_DATA;
    3268       21914 :                 break;
    3269       14651 :         case LDB_MODIFY:
    3270       14651 :                 el_flags |= LDB_FLAG_MOD_REPLACE;
    3271       14651 :                 el_flags |= DSDB_FLAG_INTERNAL_FORCE_META_DATA;
    3272       14651 :                 break;
    3273           0 :         default:
    3274           0 :                 return ldb_module_operr(io->ac->module);
    3275             :         }
    3276             : 
    3277       36565 :         if (update_password) {
    3278       36337 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3279             :                                         "unicodePwd",
    3280             :                                         el_flags, NULL);
    3281       36337 :                 if (ret != LDB_SUCCESS) {
    3282           0 :                         return ret;
    3283             :                 }
    3284             : 
    3285             :                 /*
    3286             :                  * This wipes any old LM password after any password
    3287             :                  * update operation.
    3288             :                  *
    3289             :                  * This is the same as the previous default behaviour
    3290             :                  * of 'lanman auth = no'
    3291             :                  */
    3292       36337 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3293             :                                         "dBCSPwd",
    3294             :                                         el_flags, NULL);
    3295       36337 :                 if (ret != LDB_SUCCESS) {
    3296           0 :                         return ret;
    3297             :                 }
    3298       36337 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3299             :                                         "ntPwdHistory",
    3300             :                                         el_flags, NULL);
    3301       36337 :                 if (ret != LDB_SUCCESS) {
    3302           0 :                         return ret;
    3303             :                 }
    3304             :                 /*
    3305             :                  * This wipes any LM password history after any password
    3306             :                  * update operation.
    3307             :                  *
    3308             :                  * This is the same as the previous default behaviour
    3309             :                  * of 'lanman auth = no'
    3310             :                  */
    3311       36337 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3312             :                                         "lmPwdHistory",
    3313             :                                         el_flags, NULL);
    3314       36337 :                 if (ret != LDB_SUCCESS) {
    3315           0 :                         return ret;
    3316             :                 }
    3317             :         }
    3318       36565 :         if (update_scb) {
    3319       15495 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3320             :                                         "supplementalCredentials",
    3321             :                                         el_flags, NULL);
    3322       15495 :                 if (ret != LDB_SUCCESS) {
    3323           0 :                         return ret;
    3324             :                 }
    3325             :         }
    3326       36565 :         if (io->ac->update_lastset) {
    3327       36438 :                 ret = ldb_msg_add_empty(io->ac->update_msg,
    3328             :                                         "pwdLastSet",
    3329             :                                         el_flags, NULL);
    3330       36438 :                 if (ret != LDB_SUCCESS) {
    3331           0 :                         return ret;
    3332             :                 }
    3333             :         }
    3334             : 
    3335       36565 :         if (io->g.nt_hash != NULL) {
    3336       15495 :                 ret = samdb_msg_add_hash(ldb, io->ac,
    3337       15495 :                                          io->ac->update_msg,
    3338             :                                          "unicodePwd",
    3339       15495 :                                          io->g.nt_hash);
    3340       15495 :                 if (ret != LDB_SUCCESS) {
    3341           0 :                         return ret;
    3342             :                 }
    3343             :         }
    3344             : 
    3345       36565 :         if (io->g.nt_history_len > 0) {
    3346       15448 :                 ret = samdb_msg_add_hashes(ldb, io->ac,
    3347       15448 :                                            io->ac->update_msg,
    3348             :                                            "ntPwdHistory",
    3349             :                                            io->g.nt_history,
    3350             :                                            io->g.nt_history_len);
    3351       15448 :                 if (ret != LDB_SUCCESS) {
    3352           0 :                         return ret;
    3353             :                 }
    3354             :         }
    3355       36565 :         if (io->g.supplemental.length > 0) {
    3356       15237 :                 ret = ldb_msg_add_value(io->ac->update_msg,
    3357             :                                         "supplementalCredentials",
    3358       15237 :                                         &io->g.supplemental, NULL);
    3359       15237 :                 if (ret != LDB_SUCCESS) {
    3360           0 :                         return ret;
    3361             :                 }
    3362             :         }
    3363       36565 :         if (io->ac->update_lastset) {
    3364       36438 :                 ret = samdb_msg_add_uint64(ldb, io->ac,
    3365       36438 :                                            io->ac->update_msg,
    3366             :                                            "pwdLastSet",
    3367             :                                            io->g.last_set);
    3368       36438 :                 if (ret != LDB_SUCCESS) {
    3369           0 :                         return ret;
    3370             :                 }
    3371             :         }
    3372             : 
    3373       36565 :         return LDB_SUCCESS;
    3374             : }
    3375             : 
    3376             : /*
    3377             :  * This is intended for use by the "password_hash" module since there
    3378             :  * password changes can be specified through one message element with the
    3379             :  * new password (to set) and another one with the old password (to unset).
    3380             :  *
    3381             :  * The first which sets a password (new value) can have flags
    3382             :  * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add" operations
    3383             :  * for entries). The latter (old value) has always specified
    3384             :  * LDB_FLAG_MOD_DELETE.
    3385             :  *
    3386             :  * Returns LDB_ERR_CONSTRAINT_VIOLATION and LDB_ERR_UNWILLING_TO_PERFORM if
    3387             :  * matching message elements are malformed in respect to the set/change rules.
    3388             :  * Otherwise it returns LDB_SUCCESS.
    3389             :  */
    3390      152921 : static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
    3391             :                                         const char *name,
    3392             :                                         enum ldb_request_type operation,
    3393             :                                         const struct ldb_val **new_val,
    3394             :                                         const struct ldb_val **old_val)
    3395             : {
    3396             :         unsigned int i;
    3397             : 
    3398      152921 :         *new_val = NULL;
    3399      152921 :         *old_val = NULL;
    3400             : 
    3401      152921 :         if (msg == NULL) {
    3402           0 :                 return LDB_SUCCESS;
    3403             :         }
    3404             : 
    3405     1997835 :         for (i = 0; i < msg->num_elements; i++) {
    3406     1844970 :                 if (ldb_attr_cmp(msg->elements[i].name, name) != 0) {
    3407     1804982 :                         continue;
    3408             :                 }
    3409             : 
    3410       39988 :                 if ((operation == LDB_MODIFY) &&
    3411       16966 :                     (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_DELETE)) {
    3412             :                         /* 0 values are allowed */
    3413        1428 :                         if (msg->elements[i].num_values == 1) {
    3414         954 :                                 *old_val = &msg->elements[i].values[0];
    3415         474 :                         } else if (msg->elements[i].num_values > 1) {
    3416           0 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    3417             :                         }
    3418       38560 :                 } else if ((operation == LDB_MODIFY) &&
    3419       15538 :                            (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_REPLACE)) {
    3420       14115 :                         if (msg->elements[i].num_values > 0) {
    3421       14087 :                                 *new_val = &msg->elements[i].values[msg->elements[i].num_values - 1];
    3422             :                         } else {
    3423          28 :                                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3424             :                         }
    3425             :                 } else {
    3426             :                         /* Add operations and LDB_FLAG_MOD_ADD */
    3427       24445 :                         if (msg->elements[i].num_values > 0) {
    3428       24417 :                                 *new_val = &msg->elements[i].values[msg->elements[i].num_values - 1];
    3429             :                         } else {
    3430          28 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    3431             :                         }
    3432             :                 }
    3433             :         }
    3434             : 
    3435      152865 :         return LDB_SUCCESS;
    3436             : }
    3437             : 
    3438       37544 : static int setup_io(struct ph_context *ac, 
    3439             :                     const struct ldb_message *client_msg,
    3440             :                     const struct ldb_message *existing_msg,
    3441             :                     struct setup_password_fields_io *io) 
    3442             : { 
    3443             :         const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
    3444       37544 :         struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
    3445       37544 :         struct loadparm_context *lp_ctx = talloc_get_type(
    3446             :                 ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
    3447       37544 :         enum store_nt_hash store_hash_setting =
    3448       37544 :                 lpcfg_nt_hash_store(lp_ctx);
    3449             :         int ret;
    3450       37544 :         const struct ldb_message *info_msg = NULL;
    3451       37544 :         struct dom_sid *account_sid = NULL;
    3452       37544 :         int rodc_krbtgt = 0;
    3453             : 
    3454       37544 :         ZERO_STRUCTP(io);
    3455             : 
    3456             :         /* Some operations below require kerberos contexts */
    3457             : 
    3458       37544 :         if (existing_msg != NULL) {
    3459             :                 /*
    3460             :                  * This is a modify operation
    3461             :                  */
    3462       15593 :                 info_msg = existing_msg;
    3463             :         } else {
    3464             :                 /*
    3465             :                  * This is an add operation
    3466             :                  */
    3467       21951 :                 info_msg = client_msg;
    3468             :         }
    3469             : 
    3470       37544 :         ret = smb_krb5_init_context(ac,
    3471       37544 :                                   (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
    3472             :                                   &io->smb_krb5_context);
    3473             : 
    3474       37544 :         if (ret != 0) {
    3475             :                 /*
    3476             :                  * In the special case of mit krb5.conf vs heimdal, the includedir
    3477             :                  * statement causes ret == 22 (KRB5_CONFIG_BADFORMAT) to be returned.
    3478             :                  * We look for this case so that we can give a more instructional
    3479             :                  * message to the administrator.
    3480             :                  */
    3481           0 :                 if (ret == KRB5_CONFIG_BADFORMAT || ret == EINVAL) {
    3482           0 :                         ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s - "
    3483             :                                 "This could be due to an invalid krb5 configuration. "
    3484             :                                 "Please check your system's krb5 configuration is correct.",
    3485             :                                 error_message(ret));
    3486             :                 } else {
    3487           0 :                         ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s",
    3488             :                                 error_message(ret));
    3489             :                 }
    3490           0 :                 return LDB_ERR_OPERATIONS_ERROR;
    3491             :         }
    3492             : 
    3493       37544 :         io->ac                               = ac;
    3494             : 
    3495       37544 :         io->u.userAccountControl     = ldb_msg_find_attr_as_uint(info_msg,
    3496             :                                                                     "userAccountControl", 0);
    3497       37544 :         if (info_msg == existing_msg) {
    3498             :                 /*
    3499             :                  * We only take pwdLastSet from the existing object
    3500             :                  * otherwise we leave it as 0.
    3501             :                  *
    3502             :                  * If no attribute is available, e.g. on deleted objects
    3503             :                  * we remember that as UINT64_MAX.
    3504             :                  */
    3505       15593 :                 io->u.pwdLastSet = samdb_result_nttime(info_msg, "pwdLastSet",
    3506             :                                                        UINT64_MAX);
    3507             :         }
    3508       37544 :         io->u.sAMAccountName         = ldb_msg_find_attr_as_string(info_msg,
    3509             :                                                                       "sAMAccountName", NULL);
    3510       37544 :         io->u.user_principal_name    = ldb_msg_find_attr_as_string(info_msg,
    3511             :                                                                       "userPrincipalName", NULL);
    3512       37544 :         io->u.displayName            = ldb_msg_find_attr_as_string(info_msg,
    3513             :                                                                       "displayName", NULL);
    3514             : 
    3515             :         /* Ensure it has an objectSID too */
    3516       37544 :         io->u.account_sid = samdb_result_dom_sid(ac, info_msg, "objectSid");
    3517       37544 :         if (io->u.account_sid != NULL) {
    3518             :                 NTSTATUS status;
    3519       37544 :                 uint32_t rid = 0;
    3520             : 
    3521       37544 :                 status = dom_sid_split_rid(account_sid, io->u.account_sid, NULL, &rid);
    3522       37544 :                 if (NT_STATUS_IS_OK(status)) {
    3523       37544 :                         if (rid == DOMAIN_RID_KRBTGT) {
    3524         132 :                                 io->u.is_krbtgt = true;
    3525             :                         }
    3526             :                 }
    3527             :         }
    3528             : 
    3529       37544 :         rodc_krbtgt = ldb_msg_find_attr_as_int(info_msg,
    3530             :                         "msDS-SecondaryKrbTgtNumber", 0);
    3531       37544 :         if (rodc_krbtgt != 0) {
    3532          77 :                 io->u.is_krbtgt = true;
    3533             :         }
    3534             : 
    3535       37544 :         if (io->u.sAMAccountName == NULL) {
    3536           0 :                 ldb_asprintf_errstring(ldb,
    3537             :                                        "setup_io: sAMAccountName attribute is missing on %s for attempted password set/change",
    3538           0 :                                        ldb_dn_get_linearized(info_msg->dn));
    3539             : 
    3540           0 :                 return LDB_ERR_CONSTRAINT_VIOLATION;
    3541             :         }
    3542             : 
    3543       37544 :         if (io->u.userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
    3544         134 :                 struct ldb_control *permit_trust = ldb_request_get_control(ac->req,
    3545             :                                 DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
    3546             : 
    3547         134 :                 if (permit_trust == NULL) {
    3548           4 :                         ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
    3549           4 :                         ldb_asprintf_errstring(ldb,
    3550             :                                 "%08X: %s - setup_io: changing the interdomain trust password "
    3551             :                                 "on %s not allowed via LDAP. Use LSA or NETLOGON",
    3552           4 :                                 W_ERROR_V(WERR_ACCESS_DENIED),
    3553             :                                 ldb_strerror(ret),
    3554           4 :                                 ldb_dn_get_linearized(info_msg->dn));
    3555           4 :                         return ret;
    3556             :                 }
    3557             :         }
    3558             : 
    3559             :         /* Only non-trust accounts have restrictions (possibly this test is the
    3560             :          * wrong way around, but we like to be restrictive if possible */
    3561       37540 :         io->u.restrictions = !(io->u.userAccountControl & UF_TRUST_ACCOUNT_MASK);
    3562             : 
    3563       37540 :         if (io->u.is_krbtgt) {
    3564         209 :                 io->u.restrictions = 0;
    3565         209 :                 io->ac->status->domain_data.pwdHistoryLength =
    3566         209 :                         MAX(io->ac->status->domain_data.pwdHistoryLength, 3);
    3567             :         }
    3568             : 
    3569             :         /*
    3570             :          * Machine accounts need the NT hash to operate the NETLOGON
    3571             :          * ServerAuthenticate{,2,3} logic
    3572             :          */
    3573       37540 :         if (!(io->u.userAccountControl & UF_NORMAL_ACCOUNT)) {
    3574        3593 :                 store_hash_setting = NT_HASH_STORE_ALWAYS;
    3575             :         }
    3576             : 
    3577       37540 :         switch (store_hash_setting) {
    3578       37540 :         case NT_HASH_STORE_ALWAYS:
    3579       37540 :                 io->u.store_nt_hash = true;
    3580       37540 :                 break;
    3581           0 :         case NT_HASH_STORE_NEVER:
    3582           0 :                 io->u.store_nt_hash = false;
    3583           0 :                 break;
    3584           0 :         case NT_HASH_STORE_AUTO:
    3585           0 :                 if (lpcfg_ntlm_auth(lp_ctx) == NTLM_AUTH_DISABLED) {
    3586           0 :                         io->u.store_nt_hash = false;
    3587           0 :                         break;
    3588             :                 }
    3589           0 :                 io->u.store_nt_hash = true;
    3590           0 :                 break;
    3591             :         }
    3592             : 
    3593       37540 :         if (ac->userPassword) {
    3594        3068 :                 ret = msg_find_old_and_new_pwd_val(client_msg, "userPassword",
    3595        3068 :                                                    ac->req->operation,
    3596             :                                                    &io->n.cleartext_utf8,
    3597             :                                                    &io->og.cleartext_utf8);
    3598        3068 :                 if (ret != LDB_SUCCESS) {
    3599          14 :                         ldb_asprintf_errstring(ldb,
    3600             :                                 "setup_io: "
    3601             :                                 "it's only allowed to set the old password once!");
    3602          14 :                         return ret;
    3603             :                 }
    3604             :         }
    3605             : 
    3606       37526 :         if (io->n.cleartext_utf8 != NULL) {
    3607             :                 struct ldb_val *cleartext_utf8_blob;
    3608             :                 char *p;
    3609             : 
    3610        1291 :                 cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
    3611        1291 :                 if (!cleartext_utf8_blob) {
    3612           0 :                         return ldb_oom(ldb);
    3613             :                 }
    3614             : 
    3615        1291 :                 *cleartext_utf8_blob = *io->n.cleartext_utf8;
    3616             : 
    3617             :                 /* make sure we have a null terminated string */
    3618        1291 :                 p = talloc_strndup(cleartext_utf8_blob,
    3619        1291 :                                    (const char *)io->n.cleartext_utf8->data,
    3620        1291 :                                    io->n.cleartext_utf8->length);
    3621        1291 :                 if ((p == NULL) && (io->n.cleartext_utf8->length > 0)) {
    3622           0 :                         return ldb_oom(ldb);
    3623             :                 }
    3624        1291 :                 cleartext_utf8_blob->data = (uint8_t *)p;
    3625             : 
    3626        1291 :                 io->n.cleartext_utf8 = cleartext_utf8_blob;
    3627             :         }
    3628             : 
    3629       37526 :         ret = msg_find_old_and_new_pwd_val(client_msg, "clearTextPassword",
    3630       37526 :                                            ac->req->operation,
    3631             :                                            &io->n.cleartext_utf16,
    3632             :                                            &io->og.cleartext_utf16);
    3633       37526 :         if (ret != LDB_SUCCESS) {
    3634          14 :                 ldb_asprintf_errstring(ldb,
    3635             :                         "setup_io: "
    3636             :                         "it's only allowed to set the old password once!");
    3637          14 :                 return ret;
    3638             :         }
    3639             : 
    3640             :         /* this rather strange looking piece of code is there to
    3641             :            handle a ldap client setting a password remotely using the
    3642             :            unicodePwd ldap field. The syntax is that the password is
    3643             :            in UTF-16LE, with a " at either end. Unfortunately the
    3644             :            unicodePwd field is also used to store the nt hashes
    3645             :            internally in Samba, and is used in the nt hash format on
    3646             :            the wire in DRS replication, so we have a single name for
    3647             :            two distinct values. The code below leaves us with a small
    3648             :            chance (less than 1 in 2^32) of a mixup, if someone manages
    3649             :            to create a MD4 hash which starts and ends in 0x22 0x00, as
    3650             :            that would then be treated as a UTF16 password rather than
    3651             :            a nthash */
    3652             : 
    3653       37512 :         ret = msg_find_old_and_new_pwd_val(client_msg, "unicodePwd",
    3654       37512 :                                            ac->req->operation,
    3655             :                                            "ed_utf16,
    3656             :                                            &old_quoted_utf16);
    3657       37512 :         if (ret != LDB_SUCCESS) {
    3658          14 :                 ldb_asprintf_errstring(ldb,
    3659             :                         "setup_io: "
    3660             :                         "it's only allowed to set the old password once!");
    3661          14 :                 return ret;
    3662             :         }
    3663             : 
    3664             :         /* Checks and converts the actual "unicodePwd" attribute */
    3665       37498 :         if (!ac->hash_values &&
    3666       13071 :             quoted_utf16 &&
    3667       13071 :             quoted_utf16->length >= 4 &&
    3668       13071 :             quoted_utf16->data[0] == '"' &&
    3669       13057 :             quoted_utf16->data[1] == 0 &&
    3670       13057 :             quoted_utf16->data[quoted_utf16->length-2] == '"' &&
    3671       13057 :             quoted_utf16->data[quoted_utf16->length-1] == 0) {
    3672             :                 struct ldb_val *quoted_utf16_2;
    3673             : 
    3674       13057 :                 if (io->n.cleartext_utf16) {
    3675             :                         /* refuse the change if someone wants to change with
    3676             :                            with both UTF16 possibilities at the same time... */
    3677           0 :                         ldb_asprintf_errstring(ldb,
    3678             :                                 "setup_io: "
    3679             :                                 "it's only allowed to set the cleartext password as 'unicodePwd' or as 'clearTextPassword'");
    3680           0 :                         return LDB_ERR_UNWILLING_TO_PERFORM;
    3681             :                 }
    3682             : 
    3683             :                 /*
    3684             :                  * adapt the quoted UTF16 string to be a real
    3685             :                  * cleartext one
    3686             :                  */
    3687       13057 :                 quoted_utf16_2 = talloc(io->ac, struct ldb_val);
    3688       13057 :                 if (quoted_utf16_2 == NULL) {
    3689           0 :                         return ldb_oom(ldb);
    3690             :                 }
    3691             : 
    3692       13057 :                 quoted_utf16_2->data = quoted_utf16->data + 2;
    3693       13057 :                 quoted_utf16_2->length = quoted_utf16->length-4;
    3694       13057 :                 io->n.cleartext_utf16 = quoted_utf16_2;
    3695       13057 :                 io->n.nt_hash = NULL;
    3696             : 
    3697       24441 :         } else if (quoted_utf16) {
    3698             :                 /* We have only the hash available -> so no plaintext here */
    3699         272 :                 if (!ac->hash_values) {
    3700             :                         /* refuse the change if someone wants to change
    3701             :                            the hash without control specified... */
    3702          14 :                         ldb_asprintf_errstring(ldb,
    3703             :                                 "setup_io: "
    3704             :                                 "it's not allowed to set the NT hash password directly'");
    3705             :                         /* this looks odd but this is what Windows does:
    3706             :                            returns "UNWILLING_TO_PERFORM" on wrong
    3707             :                            password sets and "CONSTRAINT_VIOLATION" on
    3708             :                            wrong password changes. */
    3709          14 :                         if (old_quoted_utf16 == NULL) {
    3710           7 :                                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3711             :                         }
    3712             : 
    3713           7 :                         return LDB_ERR_CONSTRAINT_VIOLATION;
    3714             :                 }
    3715             : 
    3716         258 :                 io->n.nt_hash = talloc(io->ac, struct samr_Password);
    3717         258 :                 memcpy(io->n.nt_hash->hash, quoted_utf16->data,
    3718         258 :                        MIN(quoted_utf16->length, sizeof(io->n.nt_hash->hash)));
    3719             :         }
    3720             : 
    3721             :         /* Checks and converts the previous "unicodePwd" attribute */
    3722       37484 :         if (!ac->hash_values &&
    3723         104 :             old_quoted_utf16 &&
    3724         104 :             old_quoted_utf16->length >= 4 &&
    3725         104 :             old_quoted_utf16->data[0] == '"' &&
    3726         104 :             old_quoted_utf16->data[1] == 0 &&
    3727         104 :             old_quoted_utf16->data[old_quoted_utf16->length-2] == '"' &&
    3728         104 :             old_quoted_utf16->data[old_quoted_utf16->length-1] == 0) {
    3729             :                 struct ldb_val *old_quoted_utf16_2;
    3730             : 
    3731         104 :                 if (io->og.cleartext_utf16) {
    3732             :                         /* refuse the change if someone wants to change with
    3733             :                            both UTF16 possibilities at the same time... */
    3734           0 :                         ldb_asprintf_errstring(ldb,
    3735             :                                 "setup_io: "
    3736             :                                 "it's only allowed to set the cleartext password as 'unicodePwd' or as 'clearTextPassword'");
    3737           0 :                         return LDB_ERR_UNWILLING_TO_PERFORM;
    3738             :                 }
    3739             : 
    3740             :                 /*
    3741             :                  * adapt the quoted UTF16 string to be a real
    3742             :                  * cleartext one
    3743             :                  */
    3744         104 :                 old_quoted_utf16_2 = talloc(io->ac, struct ldb_val);
    3745         104 :                 if (old_quoted_utf16_2 == NULL) {
    3746           0 :                         return ldb_oom(ldb);
    3747             :                 }
    3748             : 
    3749         104 :                 old_quoted_utf16_2->data = old_quoted_utf16->data + 2;
    3750         104 :                 old_quoted_utf16_2->length = old_quoted_utf16->length-4;
    3751             : 
    3752         104 :                 io->og.cleartext_utf16 = old_quoted_utf16_2;
    3753         104 :                 io->og.nt_hash = NULL;
    3754       37380 :         } else if (old_quoted_utf16) {
    3755             :                 /* We have only the hash available -> so no plaintext here */
    3756           0 :                 if (!ac->hash_values) {
    3757             :                         /* refuse the change if someone wants to change
    3758             :                            the hash without control specified... */
    3759           0 :                         ldb_asprintf_errstring(ldb,
    3760             :                                 "setup_io: "
    3761             :                                 "it's not allowed to set the NT hash password directly'");
    3762           0 :                         return LDB_ERR_UNWILLING_TO_PERFORM;
    3763             :                 }
    3764             : 
    3765           0 :                 io->og.nt_hash = talloc(io->ac, struct samr_Password);
    3766           0 :                 memcpy(io->og.nt_hash->hash, old_quoted_utf16->data,
    3767           0 :                        MIN(old_quoted_utf16->length, sizeof(io->og.nt_hash->hash)));
    3768             :         }
    3769             : 
    3770             :         /* Handles the "dBCSPwd" attribute (LM hash) */
    3771       37484 :         ret = msg_find_old_and_new_pwd_val(client_msg, "dBCSPwd",
    3772       37484 :                                            ac->req->operation,
    3773             :                                            &lm_hash, &old_lm_hash);
    3774       37484 :         if (ret != LDB_SUCCESS) {
    3775          14 :                 ldb_asprintf_errstring(ldb,
    3776             :                         "setup_io: "
    3777             :                         "it's only allowed to set the old password once!");
    3778          14 :                 return ret;
    3779             :         }
    3780             : 
    3781       37470 :         if (((lm_hash != NULL) || (old_lm_hash != NULL))) {
    3782             :                 /* refuse the change if someone wants to change the LM hash */
    3783          23 :                 ldb_asprintf_errstring(ldb,
    3784             :                         "setup_io: "
    3785             :                         "it's not allowed to set the LM hash password (dBCSPwd)'");
    3786          23 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3787             :         }
    3788             : 
    3789             :         /*
    3790             :          * Handles the password change control if it's specified. It has the
    3791             :          * precedance and overrides already specified old password values of
    3792             :          * change requests (but that shouldn't happen since the control is
    3793             :          * fully internal and only used in conjunction with replace requests!).
    3794             :          */
    3795       37447 :         if (ac->change != NULL) {
    3796         642 :                 io->og.nt_hash = NULL;
    3797             :         }
    3798             : 
    3799             :         /* refuse the change if someone wants to change the clear-
    3800             :            text and supply his own hashes at the same time... */
    3801       37447 :         if ((io->n.cleartext_utf8 || io->n.cleartext_utf16)
    3802       16035 :                         && (io->n.nt_hash)) {
    3803           0 :                 ldb_asprintf_errstring(ldb,
    3804             :                         "setup_io: "
    3805             :                         "it's only allowed to set the password in form of cleartext attributes or as hashes");
    3806           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3807             :         }
    3808             : 
    3809             :         /* refuse the change if someone wants to change the password
    3810             :            using both plaintext methods (UTF8 and UTF16) at the same time... */
    3811       37447 :         if (io->n.cleartext_utf8 && io->n.cleartext_utf16) {
    3812           0 :                 ldb_asprintf_errstring(ldb,
    3813             :                         "setup_io: "
    3814             :                         "it's only allowed to set the cleartext password as 'unicodePwd' or as 'userPassword' or as 'clearTextPassword'");
    3815           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3816             :         }
    3817             : 
    3818             :         /* refuse the change if someone tries to set/change the password by
    3819             :          * any method that would leave us without a password! */
    3820       37447 :         if (io->ac->update_password
    3821       16349 :             && (!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
    3822         314 :             && (!io->n.nt_hash)) {
    3823          56 :                 ldb_asprintf_errstring(ldb,
    3824             :                         "setup_io: "
    3825             :                         "It's not possible to delete the password (changes using the LAN Manager hash alone could be deactivated)!");
    3826             :                 /* on "userPassword" and "clearTextPassword" we've to return
    3827             :                  * something different, since these are virtual attributes */
    3828          77 :                 if ((ldb_msg_find_element(client_msg, "userPassword") != NULL) ||
    3829          21 :                     (ldb_msg_find_element(client_msg, "clearTextPassword") != NULL)) {
    3830          42 :                         return LDB_ERR_CONSTRAINT_VIOLATION;
    3831             :                 }
    3832          14 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3833             :         }
    3834             : 
    3835             :         /*
    3836             :          * refuse the change if someone wants to compare against a
    3837             :          * plaintext or dsdb_control_password_change at the same time
    3838             :          * for a "password modify" operation...
    3839             :          */
    3840       37391 :         if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)
    3841         899 :             && ac->change) {
    3842           0 :                 ldb_asprintf_errstring(ldb,
    3843             :                         "setup_io: "
    3844             :                         "it's only allowed to provide the old password in form of cleartext attributes or as the dsdb_control_password_change");
    3845           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3846             :         }
    3847             : 
    3848             :         /* refuse the change if someone wants to compare against both
    3849             :          * plaintexts at the same time for a "password modify" operation... */
    3850       37391 :         if (io->og.cleartext_utf8 && io->og.cleartext_utf16) {
    3851           0 :                 ldb_asprintf_errstring(ldb,
    3852             :                         "setup_io: "
    3853             :                         "it's only allowed to provide the old cleartext password as 'unicodePwd' or as 'userPassword' or as 'clearTextPassword'");
    3854           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    3855             :         }
    3856             : 
    3857             :         /* Decides if we have a password modify or password reset operation */
    3858       37391 :         if (ac->req->operation == LDB_ADD) {
    3859             :                 /* On "add" we have only "password reset" */
    3860       21923 :                 ac->pwd_reset = true;
    3861       15468 :         } else if (ac->req->operation == LDB_MODIFY) {
    3862       15468 :                 struct ldb_control *pav_ctrl = NULL;
    3863       15468 :                 struct dsdb_control_password_acl_validation *pav = NULL;
    3864             : 
    3865       15468 :                 pav_ctrl = ldb_request_get_control(ac->req,
    3866             :                                 DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
    3867       15468 :                 if (pav_ctrl != NULL) {
    3868       14455 :                         pav = talloc_get_type_abort(pav_ctrl->data,
    3869             :                                 struct dsdb_control_password_acl_validation);
    3870             :                 }
    3871             : 
    3872       15468 :                 if (pav == NULL && ac->update_password) {
    3873             :                         bool ok;
    3874             : 
    3875             :                         /*
    3876             :                          * If the DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
    3877             :                          * control is missing, we require system access!
    3878             :                          */
    3879         767 :                         ok = dsdb_module_am_system(ac->module);
    3880         767 :                         if (!ok) {
    3881           0 :                                 return ldb_module_operr(ac->module);
    3882             :                         }
    3883             :                 }
    3884             : 
    3885       15468 :                 if (pav != NULL) {
    3886             :                         /*
    3887             :                          * We assume what the acl module has validated.
    3888             :                          */
    3889       14455 :                         ac->pwd_reset = pav->pwd_reset;
    3890        1013 :                 } else if (io->og.cleartext_utf8 || io->og.cleartext_utf16
    3891        1013 :                     || ac->change) {
    3892             :                         /*
    3893             :                          * If we have an old password specified or the
    3894             :                          * dsdb_control_password_change then for sure
    3895             :                          * it is a user "password change"
    3896             :                          */
    3897         202 :                         ac->pwd_reset = false;
    3898             :                 } else {
    3899             :                         /* Otherwise we have also here a "password reset" */
    3900         811 :                         ac->pwd_reset = true;
    3901             :                 }
    3902             :         } else {
    3903             :                 /* this shouldn't happen */
    3904           0 :                 return ldb_operr(ldb);
    3905             :         }
    3906             : 
    3907       37391 :         if (existing_msg != NULL) {
    3908             :                 NTSTATUS status;
    3909             :                 krb5_error_code krb5_ret;
    3910             :                 DATA_BLOB key_blob;
    3911             :                 DATA_BLOB salt_blob;
    3912             :                 uint32_t kvno;
    3913             : 
    3914       15468 :                 if (ac->pwd_reset) {
    3915             :                         /* Get the old password from the database */
    3916       13927 :                         status = samdb_result_passwords_no_lockout(ac,
    3917             :                                                                    lp_ctx,
    3918             :                                                                    existing_msg,
    3919             :                                                                    &io->o.nt_hash);
    3920             :                 } else {
    3921             :                         /* Get the old password from the database */
    3922        1541 :                         status = samdb_result_passwords(ac,
    3923             :                                                         lp_ctx,
    3924             :                                                         existing_msg,
    3925             :                                                         &io->o.nt_hash);
    3926             :                 }
    3927             : 
    3928       15468 :                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
    3929          56 :                         return dsdb_module_werror(ac->module,
    3930             :                                                   LDB_ERR_CONSTRAINT_VIOLATION,
    3931             :                                                   WERR_ACCOUNT_LOCKED_OUT,
    3932             :                                                   "Password change not permitted,"
    3933             :                                                   " account locked out!");
    3934             :                 }
    3935             : 
    3936       15412 :                 if (!NT_STATUS_IS_OK(status)) {
    3937             :                         /*
    3938             :                          * This only happens if the database has gone weird,
    3939             :                          * not if we are just missing the passwords
    3940             :                          */
    3941           0 :                         return ldb_operr(ldb);
    3942             :                 }
    3943             : 
    3944       15412 :                 io->o.nt_history_len = samdb_result_hashes(ac, existing_msg,
    3945             :                                                            "ntPwdHistory",
    3946             :                                                            &io->o.nt_history);
    3947       15412 :                 io->o.supplemental = ldb_msg_find_ldb_val(existing_msg,
    3948             :                                                           "supplementalCredentials");
    3949             : 
    3950       15412 :                 if (io->o.supplemental != NULL) {
    3951             :                         enum ndr_err_code ndr_err;
    3952             : 
    3953        1880 :                         ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
    3954        1880 :                                         &io->o.scb,
    3955             :                                         (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
    3956        1880 :                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    3957           0 :                                 status = ndr_map_error2ntstatus(ndr_err);
    3958           0 :                                 ldb_asprintf_errstring(ldb,
    3959             :                                                 "setup_io: failed to pull "
    3960             :                                                 "old supplementalCredentialsBlob: %s",
    3961             :                                                 nt_errstr(status));
    3962           0 :                                 return LDB_ERR_OPERATIONS_ERROR;
    3963             :                         }
    3964             :                 }
    3965             : 
    3966             :                 /*
    3967             :                  * If this account requires a smartcard for login, we don't
    3968             :                  * attempt a comparison with the old password.
    3969             :                  */
    3970       15412 :                 if (io->u.userAccountControl & UF_SMARTCARD_REQUIRED) {
    3971           9 :                         return LDB_SUCCESS;
    3972             :                 }
    3973             : 
    3974             :                 /*
    3975             :                  * Extract the old ENCTYPE_AES256_CTS_HMAC_SHA1_96
    3976             :                  * value from the supplementalCredentials.
    3977             :                  */
    3978       15403 :                 krb5_ret = dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context,
    3979       15403 :                                                     io->ac,
    3980             :                                                     existing_msg,
    3981             :                                                     io->u.userAccountControl,
    3982             :                                                     NULL, /* kvno */
    3983             :                                                     &kvno, /* kvno_out */
    3984             :                                                     &key_blob,
    3985             :                                                     &salt_blob);
    3986       15403 :                 if (krb5_ret == ENOENT) {
    3987             :                         /*
    3988             :                          * If there is no old AES hash (perhaps an imported DB with
    3989             :                          * just unicodePwd) then we just wont have an old
    3990             :                          * password to compare to if there is no NT hash
    3991             :                          */
    3992       13628 :                         return LDB_SUCCESS;
    3993             :                 }
    3994        1775 :                 if (krb5_ret) {
    3995           0 :                         ldb_asprintf_errstring(ldb,
    3996             :                                                "setup_io: "
    3997             :                                                "extraction of salt for old aes256-cts-hmac-sha1-96 key failed: %s",
    3998           0 :                                                smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
    3999           0 :                                                                           krb5_ret, io->ac));
    4000           0 :                         return LDB_ERR_OPERATIONS_ERROR;
    4001             :                 }
    4002             : 
    4003        1775 :                 io->o.salt = salt_blob;
    4004        1775 :                 io->o.aes_256 = key_blob;
    4005        1775 :                 io->o.kvno = kvno;
    4006             :         }
    4007             : 
    4008       23698 :         return LDB_SUCCESS;
    4009             : }
    4010             : 
    4011       37817 : static struct ph_context *ph_init_context(struct ldb_module *module,
    4012             :                                           struct ldb_request *req,
    4013             :                                           bool userPassword,
    4014             :                                           bool update_password)
    4015             : {
    4016             :         struct ldb_context *ldb;
    4017             :         struct ph_context *ac;
    4018       37817 :         struct loadparm_context *lp_ctx = NULL;
    4019             : 
    4020       37817 :         ldb = ldb_module_get_ctx(module);
    4021             : 
    4022       37817 :         ac = talloc_zero(req, struct ph_context);
    4023       37817 :         if (ac == NULL) {
    4024           0 :                 ldb_set_errstring(ldb, "Out of Memory");
    4025           0 :                 return NULL;
    4026             :         }
    4027             : 
    4028       37817 :         ac->module = module;
    4029       37817 :         ac->req = req;
    4030       37817 :         ac->userPassword = userPassword;
    4031       37817 :         ac->update_password = update_password;
    4032       37817 :         ac->update_lastset = true;
    4033             : 
    4034       37817 :         lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"),
    4035             :                                        struct loadparm_context);
    4036       37817 :         ac->gpg_key_ids = lpcfg_password_hash_gpg_key_ids(lp_ctx);
    4037             :         ac->userPassword_schemes
    4038       37817 :                 = lpcfg_password_hash_userpassword_schemes(lp_ctx);
    4039       37817 :         return ac;
    4040             : }
    4041             : 
    4042       37817 : static void ph_apply_controls(struct ph_context *ac)
    4043             : {
    4044             :         struct ldb_control *ctrl;
    4045             : 
    4046       37817 :         ac->change_status = false;
    4047       37817 :         ctrl = ldb_request_get_control(ac->req,
    4048             :                                        DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID);
    4049       37817 :         if (ctrl != NULL) {
    4050        1493 :                 ac->change_status = true;
    4051             : 
    4052             :                 /* Mark the "change status" control as uncritical (done) */
    4053        1493 :                 ctrl->critical = false;
    4054             :         }
    4055             : 
    4056       37817 :         ac->hash_values = false;
    4057       37817 :         ctrl = ldb_request_get_control(ac->req,
    4058             :                                        DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
    4059       37817 :         if (ctrl != NULL) {
    4060         258 :                 ac->hash_values = true;
    4061             : 
    4062             :                 /* Mark the "hash values" control as uncritical (done) */
    4063         258 :                 ctrl->critical = false;
    4064             :         }
    4065             : 
    4066       37817 :         ctrl = ldb_request_get_control(ac->req,
    4067             :                                        DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID);
    4068       37817 :         if (ctrl != NULL) {
    4069         642 :                 ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
    4070             : 
    4071             :                 /* Mark the "change" control as uncritical (done) */
    4072         642 :                 ctrl->critical = false;
    4073             :         }
    4074             : 
    4075       37817 :         ac->pwd_last_set_bypass = false;
    4076       37817 :         ctrl = ldb_request_get_control(ac->req,
    4077             :                                 DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID);
    4078       37817 :         if (ctrl != NULL) {
    4079           4 :                 ac->pwd_last_set_bypass = true;
    4080             : 
    4081             :                 /* Mark the "bypass pwdLastSet" control as uncritical (done) */
    4082           4 :                 ctrl->critical = false;
    4083             :         }
    4084             : 
    4085       37817 :         ac->pwd_last_set_default = false;
    4086       37817 :         ctrl = ldb_request_get_control(ac->req,
    4087             :                                 DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID);
    4088       37817 :         if (ctrl != NULL) {
    4089       21989 :                 ac->pwd_last_set_default = true;
    4090             : 
    4091             :                 /* Mark the "bypass pwdLastSet" control as uncritical (done) */
    4092       21989 :                 ctrl->critical = false;
    4093             :         }
    4094             : 
    4095       37817 :         ac->smartcard_reset = false;
    4096       37817 :         ctrl = ldb_request_get_control(ac->req,
    4097             :                                 DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID);
    4098       37817 :         if (ctrl != NULL) {
    4099       21963 :                 struct dsdb_control_password_user_account_control *uac = NULL;
    4100       21963 :                 uint32_t added_flags = 0;
    4101             : 
    4102       21963 :                 uac = talloc_get_type_abort(ctrl->data,
    4103             :                         struct dsdb_control_password_user_account_control);
    4104             : 
    4105       21963 :                 added_flags = uac->new_flags & ~uac->old_flags;
    4106             : 
    4107       21963 :                 if (added_flags & UF_SMARTCARD_REQUIRED) {
    4108          13 :                         ac->smartcard_reset = true;
    4109             :                 }
    4110             : 
    4111             :                 /* Mark the "smartcard required" control as uncritical (done) */
    4112       21963 :                 ctrl->critical = false;
    4113             :         }
    4114       37817 : }
    4115             : 
    4116       36565 : static int ph_op_callback(struct ldb_request *req, struct ldb_reply *ares)
    4117             : {
    4118             :         struct ph_context *ac;
    4119             : 
    4120       36565 :         ac = talloc_get_type(req->context, struct ph_context);
    4121             : 
    4122       36565 :         if (!ares) {
    4123           0 :                 return ldb_module_done(ac->req, NULL, NULL,
    4124             :                                         LDB_ERR_OPERATIONS_ERROR);
    4125             :         }
    4126             : 
    4127       36565 :         if (ares->type == LDB_REPLY_REFERRAL) {
    4128           0 :                 return ldb_module_send_referral(ac->req, ares->referral);
    4129             :         }
    4130             : 
    4131       36565 :         if ((ares->error != LDB_ERR_OPERATIONS_ERROR) && (ac->change_status)) {
    4132             :                 /* On success and trivial errors a status control is being
    4133             :                  * added (used for example by the "samdb_set_password" call) */
    4134        1317 :                 ldb_reply_add_control(ares,
    4135             :                                       DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
    4136             :                                       false,
    4137        1317 :                                       ac->status);
    4138             :         }
    4139             : 
    4140       36565 :         if (ares->error != LDB_SUCCESS) {
    4141          25 :                 return ldb_module_done(ac->req, ares->controls,
    4142             :                                         ares->response, ares->error);
    4143             :         }
    4144             : 
    4145       36540 :         if (ares->type != LDB_REPLY_DONE) {
    4146           0 :                 talloc_free(ares);
    4147           0 :                 return ldb_module_done(ac->req, NULL, NULL,
    4148             :                                         LDB_ERR_OPERATIONS_ERROR);
    4149             :         }
    4150             : 
    4151       36540 :         return ldb_module_done(ac->req, ares->controls,
    4152             :                                 ares->response, ares->error);
    4153             : }
    4154             : 
    4155             : static int password_hash_add_do_add(struct ph_context *ac);
    4156             : static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares);
    4157             : static int password_hash_mod_search_self(struct ph_context *ac);
    4158             : static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares);
    4159             : static int password_hash_mod_do_mod(struct ph_context *ac);
    4160             : 
    4161             : /*
    4162             :  * LDB callback handler for searching for a user's PSO. Once we have all the
    4163             :  * Password Settings that apply to the user, we can continue with the modify
    4164             :  * operation
    4165             :  */
    4166         612 : static int get_pso_data_callback(struct ldb_request *req,
    4167             :                                  struct ldb_reply *ares)
    4168             : {
    4169         612 :         struct ldb_context *ldb = NULL;
    4170         612 :         struct ph_context *ac = NULL;
    4171         612 :         bool domain_complexity = true;
    4172         612 :         bool pso_complexity = true;
    4173         612 :         struct dsdb_user_pwd_settings *settings = NULL;
    4174         612 :         int ret = LDB_SUCCESS;
    4175             : 
    4176         612 :         ac = talloc_get_type(req->context, struct ph_context);
    4177         612 :         ldb = ldb_module_get_ctx(ac->module);
    4178             : 
    4179         612 :         if (!ares) {
    4180           0 :                 ret = LDB_ERR_OPERATIONS_ERROR;
    4181           0 :                 goto done;
    4182             :         }
    4183         612 :         if (ares->error != LDB_SUCCESS) {
    4184           0 :                 return ldb_module_done(ac->req, ares->controls,
    4185             :                                        ares->response, ares->error);
    4186             :         }
    4187             : 
    4188         612 :         switch (ares->type) {
    4189         306 :         case LDB_REPLY_ENTRY:
    4190             : 
    4191             :                 /* check status was initialized by the domain query */
    4192         306 :                 if (ac->status == NULL) {
    4193           0 :                         talloc_free(ares);
    4194           0 :                         ldb_set_errstring(ldb, "Uninitialized status");
    4195           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4196           0 :                         goto done;
    4197             :                 }
    4198             : 
    4199             :                 /*
    4200             :                  * use the PSO's values instead of the domain defaults (the PSO
    4201             :                  * attributes should always exist, but use the domain default
    4202             :                  * values as a fallback).
    4203             :                  */
    4204         306 :                 settings = &ac->status->domain_data;
    4205         306 :                 settings->store_cleartext =
    4206         612 :                         ldb_msg_find_attr_as_bool(ares->message,
    4207             :                                                   "msDS-PasswordReversibleEncryptionEnabled",
    4208         306 :                                                   settings->store_cleartext);
    4209             : 
    4210         306 :                 settings->pwdHistoryLength =
    4211         306 :                         ldb_msg_find_attr_as_uint(ares->message,
    4212             :                                                   "msDS-PasswordHistoryLength",
    4213             :                                                   settings->pwdHistoryLength);
    4214         306 :                 settings->maxPwdAge =
    4215         306 :                         ldb_msg_find_attr_as_int64(ares->message,
    4216             :                                                    "msDS-MaximumPasswordAge",
    4217             :                                                    settings->maxPwdAge);
    4218         306 :                 settings->minPwdAge =
    4219         306 :                         ldb_msg_find_attr_as_int64(ares->message,
    4220             :                                                    "msDS-MinimumPasswordAge",
    4221             :                                                    settings->minPwdAge);
    4222         306 :                 settings->minPwdLength =
    4223         306 :                         ldb_msg_find_attr_as_uint(ares->message,
    4224             :                                                   "msDS-MinimumPasswordLength",
    4225             :                                                   settings->minPwdLength);
    4226         306 :                 domain_complexity =
    4227         306 :                         (settings->pwdProperties & DOMAIN_PASSWORD_COMPLEX);
    4228         306 :                 pso_complexity =
    4229         306 :                         ldb_msg_find_attr_as_bool(ares->message,
    4230             :                                                   "msDS-PasswordComplexityEnabled",
    4231             :                                                    domain_complexity);
    4232             : 
    4233             :                 /* set or clear the complexity bit if required */
    4234         306 :                 if (pso_complexity && !domain_complexity) {
    4235           0 :                         settings->pwdProperties |= DOMAIN_PASSWORD_COMPLEX;
    4236         306 :                 } else if (domain_complexity && !pso_complexity) {
    4237         100 :                         settings->pwdProperties &= ~DOMAIN_PASSWORD_COMPLEX;
    4238             :                 }
    4239             : 
    4240         306 :                 if (ac->pso_res != NULL) {
    4241           0 :                         DBG_ERR("Too many PSO results for %s",
    4242             :                                 ldb_dn_get_linearized(ac->search_res->message->dn));
    4243           0 :                         talloc_free(ac->pso_res);
    4244             :                 }
    4245             : 
    4246             :                 /* store the PSO result (we may need its lockout settings) */
    4247         306 :                 ac->pso_res = talloc_steal(ac, ares);
    4248         306 :                 ret = LDB_SUCCESS;
    4249         306 :                 break;
    4250             : 
    4251           0 :         case LDB_REPLY_REFERRAL:
    4252             :                 /* ignore */
    4253           0 :                 talloc_free(ares);
    4254           0 :                 ret = LDB_SUCCESS;
    4255           0 :                 break;
    4256             : 
    4257         306 :         case LDB_REPLY_DONE:
    4258         306 :                 talloc_free(ares);
    4259             : 
    4260             :                 /*
    4261             :                  * perform the next step of the modify operation (this code
    4262             :                  * shouldn't get called in the 'user add' case)
    4263             :                  */
    4264         306 :                 if (ac->req->operation == LDB_MODIFY) {
    4265         306 :                         ret = password_hash_mod_do_mod(ac);
    4266             :                 } else {
    4267           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4268             :                 }
    4269         306 :                 break;
    4270             :         }
    4271             : 
    4272         612 : done:
    4273         612 :         if (ret != LDB_SUCCESS) {
    4274             :                 struct ldb_reply *new_ares;
    4275             : 
    4276         230 :                 new_ares = talloc_zero(ac->req, struct ldb_reply);
    4277         230 :                 if (new_ares == NULL) {
    4278           0 :                         ldb_oom(ldb);
    4279           0 :                         return ldb_module_done(ac->req, NULL, NULL,
    4280             :                                                LDB_ERR_OPERATIONS_ERROR);
    4281             :                 }
    4282             : 
    4283         230 :                 new_ares->error = ret;
    4284         230 :                 if ((ret != LDB_ERR_OPERATIONS_ERROR) && (ac->change_status)) {
    4285             :                         /* On success and trivial errors a status control is being
    4286             :                          * added (used for example by the "samdb_set_password" call) */
    4287           0 :                         ldb_reply_add_control(new_ares,
    4288             :                                               DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
    4289             :                                               false,
    4290           0 :                                               ac->status);
    4291             :                 }
    4292             : 
    4293         230 :                 return ldb_module_done(ac->req, new_ares->controls,
    4294             :                                        new_ares->response, new_ares->error);
    4295             :         }
    4296             : 
    4297         382 :         return LDB_SUCCESS;
    4298             : }
    4299             : 
    4300             : /*
    4301             :  * Builds and returns a search request to lookup up the PSO that applies to
    4302             :  * the user in question. Returns NULL if no PSO applies, or could not be found
    4303             :  */
    4304       15593 : static struct ldb_request * build_pso_data_request(struct ph_context *ac)
    4305             : {
    4306             :         /* attrs[] is returned from this function in
    4307             :            pso_req->op.search.attrs, so it must be static, as
    4308             :            otherwise the compiler can put it on the stack */
    4309             :         static const char * const attrs[] = { "msDS-PasswordComplexityEnabled",
    4310             :                                               "msDS-PasswordReversibleEncryptionEnabled",
    4311             :                                               "msDS-PasswordHistoryLength",
    4312             :                                               "msDS-MaximumPasswordAge",
    4313             :                                               "msDS-MinimumPasswordAge",
    4314             :                                               "msDS-MinimumPasswordLength",
    4315             :                                               "msDS-LockoutThreshold",
    4316             :                                               "msDS-LockoutObservationWindow",
    4317             :                                               NULL };
    4318       15593 :         struct ldb_context *ldb = NULL;
    4319       15593 :         struct ldb_request *pso_req = NULL;
    4320       15593 :         struct ldb_dn *pso_dn = NULL;
    4321       15593 :         TALLOC_CTX *mem_ctx = ac;
    4322             :         int ret;
    4323             : 
    4324       15593 :         ldb = ldb_module_get_ctx(ac->module);
    4325             : 
    4326             :         /* if a PSO applies to the user, we need to lookup the PSO as well */
    4327       15593 :         pso_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, ac->search_res->message,
    4328             :                                          "msDS-ResultantPSO");
    4329       15593 :         if (pso_dn == NULL) {
    4330       15287 :                 return NULL;
    4331             :         }
    4332             : 
    4333         306 :         ret = ldb_build_search_req(&pso_req, ldb, mem_ctx, pso_dn,
    4334             :                                    LDB_SCOPE_BASE, NULL, attrs, NULL,
    4335             :                                    ac, get_pso_data_callback,
    4336             :                                    ac->dom_req);
    4337             : 
    4338             :         /* log errors, but continue with the default domain settings */
    4339         306 :         if (ret != LDB_SUCCESS) {
    4340           0 :                 DBG_ERR("Error %d constructing PSO query for user %s", ret,
    4341             :                         ldb_dn_get_linearized(ac->search_res->message->dn));
    4342             :         }
    4343         306 :         LDB_REQ_SET_LOCATION(pso_req);
    4344         306 :         return pso_req;
    4345             : }
    4346             : 
    4347             : 
    4348       75088 : static int get_domain_data_callback(struct ldb_request *req,
    4349             :                                     struct ldb_reply *ares)
    4350             : {
    4351             :         struct ldb_context *ldb;
    4352             :         struct ph_context *ac;
    4353             :         struct loadparm_context *lp_ctx;
    4354       75088 :         struct ldb_request *pso_req = NULL;
    4355       75088 :         int ret = LDB_SUCCESS;
    4356             : 
    4357       75088 :         ac = talloc_get_type(req->context, struct ph_context);
    4358       75088 :         ldb = ldb_module_get_ctx(ac->module);
    4359             : 
    4360       75088 :         if (!ares) {
    4361           0 :                 ret = LDB_ERR_OPERATIONS_ERROR;
    4362           0 :                 goto done;
    4363             :         }
    4364       75088 :         if (ares->error != LDB_SUCCESS) {
    4365           0 :                 return ldb_module_done(ac->req, ares->controls,
    4366             :                                         ares->response, ares->error);
    4367             :         }
    4368             : 
    4369       75088 :         switch (ares->type) {
    4370       37544 :         case LDB_REPLY_ENTRY:
    4371       37544 :                 if (ac->status != NULL) {
    4372           0 :                         talloc_free(ares);
    4373             : 
    4374           0 :                         ldb_set_errstring(ldb, "Too many results");
    4375           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4376           0 :                         goto done;
    4377             :                 }
    4378             : 
    4379             :                 /* Setup the "status" structure (used as control later) */
    4380       37544 :                 ac->status = talloc_zero(ac->req,
    4381             :                                          struct dsdb_control_password_change_status);
    4382       37544 :                 if (ac->status == NULL) {
    4383           0 :                         talloc_free(ares);
    4384             : 
    4385           0 :                         ldb_oom(ldb);
    4386           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4387           0 :                         goto done;
    4388             :                 }
    4389             : 
    4390             :                 /* Setup the "domain data" structure */
    4391       75088 :                 ac->status->domain_data.pwdProperties =
    4392       37544 :                         ldb_msg_find_attr_as_uint(ares->message, "pwdProperties", -1);
    4393       75088 :                 ac->status->domain_data.pwdHistoryLength =
    4394       37544 :                         ldb_msg_find_attr_as_uint(ares->message, "pwdHistoryLength", -1);
    4395       75088 :                 ac->status->domain_data.maxPwdAge =
    4396       37544 :                         ldb_msg_find_attr_as_int64(ares->message, "maxPwdAge", -1);
    4397       75088 :                 ac->status->domain_data.minPwdAge =
    4398       37544 :                         ldb_msg_find_attr_as_int64(ares->message, "minPwdAge", -1);
    4399       75088 :                 ac->status->domain_data.minPwdLength =
    4400       37544 :                         ldb_msg_find_attr_as_uint(ares->message, "minPwdLength", -1);
    4401       37544 :                 ac->status->domain_data.store_cleartext =
    4402       37544 :                         ac->status->domain_data.pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
    4403             : 
    4404             :                 /* For a domain DN, this puts things in dotted notation */
    4405             :                 /* For builtin domains, this will give details for the host,
    4406             :                  * but that doesn't really matter, as it's just used for salt
    4407             :                  * and kerberos principals, which don't exist here */
    4408             : 
    4409       37544 :                 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
    4410             :                                          struct loadparm_context);
    4411             : 
    4412       37544 :                 ac->status->domain_data.dns_domain = lpcfg_dnsdomain(lp_ctx);
    4413       37544 :                 ac->status->domain_data.realm = lpcfg_realm(lp_ctx);
    4414       37544 :                 ac->status->domain_data.netbios_domain = lpcfg_sam_name(lp_ctx);
    4415             : 
    4416       37544 :                 ac->status->reject_reason = SAM_PWD_CHANGE_NO_ERROR;
    4417             : 
    4418       37544 :                 if (ac->dom_res != NULL) {
    4419           0 :                         talloc_free(ares);
    4420             : 
    4421           0 :                         ldb_set_errstring(ldb, "Too many results");
    4422           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4423           0 :                         goto done;
    4424             :                 }
    4425             : 
    4426       37544 :                 ac->dom_res = talloc_steal(ac, ares);
    4427       37544 :                 ret = LDB_SUCCESS;
    4428       37544 :                 break;
    4429             : 
    4430           0 :         case LDB_REPLY_REFERRAL:
    4431             :                 /* ignore */
    4432           0 :                 talloc_free(ares);
    4433           0 :                 ret = LDB_SUCCESS;
    4434           0 :                 break;
    4435             : 
    4436       37544 :         case LDB_REPLY_DONE:
    4437       37544 :                 talloc_free(ares);
    4438             :                 /* call the next step */
    4439       37544 :                 switch (ac->req->operation) {
    4440       21951 :                 case LDB_ADD:
    4441       21951 :                         ret = password_hash_add_do_add(ac);
    4442       21951 :                         break;
    4443             : 
    4444       15593 :                 case LDB_MODIFY:
    4445             : 
    4446             :                         /*
    4447             :                          * The user may have an optional PSO applied. If so,
    4448             :                          * query the PSO to get the Fine-Grained Password Policy
    4449             :                          * for the user, before we perform the modify
    4450             :                          */
    4451       15593 :                         pso_req = build_pso_data_request(ac);
    4452       15593 :                         if (pso_req != NULL) {
    4453         306 :                                 ret = ldb_next_request(ac->module, pso_req);
    4454             :                         } else {
    4455             : 
    4456             :                                 /* no PSO, so we can perform the modify now */
    4457       15287 :                                 ret = password_hash_mod_do_mod(ac);
    4458             :                         }
    4459       15593 :                         break;
    4460             : 
    4461           0 :                 default:
    4462           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4463           0 :                         break;
    4464             :                 }
    4465       37544 :                 break;
    4466             :         }
    4467             : 
    4468       75088 : done:
    4469       75088 :         if (ret != LDB_SUCCESS) {
    4470             :                 struct ldb_reply *new_ares;
    4471             : 
    4472         755 :                 new_ares = talloc_zero(ac->req, struct ldb_reply);
    4473         755 :                 if (new_ares == NULL) {
    4474           0 :                         ldb_oom(ldb);
    4475           0 :                         return ldb_module_done(ac->req, NULL, NULL,
    4476             :                                                LDB_ERR_OPERATIONS_ERROR);
    4477             :                 }
    4478             : 
    4479         755 :                 new_ares->error = ret;
    4480         755 :                 if ((ret != LDB_ERR_OPERATIONS_ERROR) && (ac->change_status)) {
    4481             :                         /* On success and trivial errors a status control is being
    4482             :                          * added (used for example by the "samdb_set_password" call) */
    4483         176 :                         ldb_reply_add_control(new_ares,
    4484             :                                               DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
    4485             :                                               false,
    4486         176 :                                               ac->status);
    4487             :                 }
    4488             : 
    4489         755 :                 return ldb_module_done(ac->req, new_ares->controls,
    4490             :                                        new_ares->response, new_ares->error);
    4491             :         }
    4492             : 
    4493       74333 :         return LDB_SUCCESS;
    4494             : }
    4495             : 
    4496       37544 : static int build_domain_data_request(struct ph_context *ac)
    4497             : {
    4498             :         /* attrs[] is returned from this function in
    4499             :            ac->dom_req->op.search.attrs, so it must be static, as
    4500             :            otherwise the compiler can put it on the stack */
    4501             :         struct ldb_context *ldb;
    4502             :         static const char * const attrs[] = { "pwdProperties",
    4503             :                                               "pwdHistoryLength",
    4504             :                                               "maxPwdAge",
    4505             :                                               "minPwdAge",
    4506             :                                               "minPwdLength",
    4507             :                                               "lockoutThreshold",
    4508             :                                               "lockOutObservationWindow",
    4509             :                                               NULL };
    4510             :         int ret;
    4511             : 
    4512       37544 :         ldb = ldb_module_get_ctx(ac->module);
    4513             : 
    4514       37544 :         ret = ldb_build_search_req(&ac->dom_req, ldb, ac,
    4515             :                                    ldb_get_default_basedn(ldb),
    4516             :                                    LDB_SCOPE_BASE,
    4517             :                                    NULL, attrs,
    4518             :                                    NULL,
    4519             :                                    ac, get_domain_data_callback,
    4520             :                                    ac->req);
    4521       37544 :         LDB_REQ_SET_LOCATION(ac->dom_req);
    4522       37544 :         return ret;
    4523             : }
    4524             : 
    4525      653235 : static int password_hash_needed(struct ldb_module *module,
    4526             :                                 struct ldb_request *req,
    4527             :                                 struct ph_context **_ac)
    4528             : {
    4529      653235 :         struct ldb_context *ldb = ldb_module_get_ctx(module);
    4530      653235 :         const char *operation = NULL;
    4531      653235 :         const struct ldb_message *msg = NULL;
    4532      653235 :         struct ph_context *ac = NULL;
    4533      653235 :         const char *passwordAttrs[] = {
    4534             :                 DSDB_PASSWORD_ATTRIBUTES,
    4535             :                 NULL
    4536             :         };
    4537      653235 :         const char **a = NULL;
    4538      653235 :         unsigned int attr_cnt = 0;
    4539      653235 :         struct ldb_control *bypass = NULL;
    4540      653235 :         struct ldb_control *uac_ctrl = NULL;
    4541      653235 :         bool userPassword = dsdb_user_password_support(module, req, req);
    4542      653235 :         bool update_password = false;
    4543      653235 :         bool processing_needed = false;
    4544             : 
    4545      653235 :         *_ac = NULL;
    4546             : 
    4547      653235 :         ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_needed\n");
    4548             : 
    4549      653235 :         switch (req->operation) {
    4550      323060 :         case LDB_ADD:
    4551      323060 :                 operation = "add";
    4552      323060 :                 msg = req->op.add.message;
    4553      323060 :                 break;
    4554      330175 :         case LDB_MODIFY:
    4555      330175 :                 operation = "modify";
    4556      330175 :                 msg = req->op.mod.message;
    4557      330175 :                 break;
    4558           0 :         default:
    4559           0 :                 return ldb_next_request(module, req);
    4560             :         }
    4561             : 
    4562      653235 :         if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
    4563         935 :                 return ldb_next_request(module, req);
    4564             :         }
    4565             : 
    4566      652300 :         bypass = ldb_request_get_control(req,
    4567             :                                          DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID);
    4568      652300 :         if (bypass != NULL) {
    4569             :                 /* Mark the "bypass" control as uncritical (done) */
    4570           2 :                 bypass->critical = false;
    4571           2 :                 ldb_debug(ldb, LDB_DEBUG_TRACE,
    4572             :                           "password_hash_needed(%s) (bypassing)\n",
    4573             :                           operation);
    4574           2 :                 return password_hash_bypass(module, req);
    4575             :         }
    4576             : 
    4577             :         /* nobody must touch password histories and 'supplementalCredentials' */
    4578      652298 :         if (ldb_msg_find_element(msg, "ntPwdHistory")) {
    4579           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4580             :         }
    4581      652298 :         if (ldb_msg_find_element(msg, "lmPwdHistory")) {
    4582           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4583             :         }
    4584      652298 :         if (ldb_msg_find_element(msg, "supplementalCredentials")) {
    4585           0 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4586             :         }
    4587             : 
    4588             :         /*
    4589             :          * If no part of this touches the 'userPassword' OR 'clearTextPassword'
    4590             :          * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes.
    4591             :          * For password changes/set there should be a 'delete' or a 'modify'
    4592             :          * on these attributes.
    4593             :          */
    4594     3261466 :         for (a = passwordAttrs; *a != NULL; a++) {
    4595     2609174 :                 if ((!userPassword) && (ldb_attr_cmp(*a, "userPassword") == 0)) {
    4596      641079 :                         continue;
    4597             :                 }
    4598             : 
    4599     1968095 :                 if (ldb_msg_find_element(msg, *a) != NULL) {
    4600             :                         /* MS-ADTS 3.1.1.3.1.5.2 */
    4601       18344 :                         if ((ldb_attr_cmp(*a, "userPassword") == 0) &&
    4602        1605 :                             (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
    4603           6 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    4604             :                         }
    4605             : 
    4606       16733 :                         ++attr_cnt;
    4607             :                 }
    4608             :         }
    4609             : 
    4610      652292 :         if (attr_cnt > 0) {
    4611       16719 :                 update_password = true;
    4612       16719 :                 processing_needed = true;
    4613             :         }
    4614             : 
    4615      652292 :         if (ldb_msg_find_element(msg, "pwdLastSet")) {
    4616       22192 :                 processing_needed = true;
    4617             :         }
    4618             : 
    4619      652292 :         uac_ctrl = ldb_request_get_control(req,
    4620             :                                 DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID);
    4621      652292 :         if (uac_ctrl != NULL) {
    4622       35873 :                 struct dsdb_control_password_user_account_control *uac = NULL;
    4623       35873 :                 uint32_t added_flags = 0;
    4624             : 
    4625       35873 :                 uac = talloc_get_type_abort(uac_ctrl->data,
    4626             :                         struct dsdb_control_password_user_account_control);
    4627             : 
    4628       35873 :                 added_flags = uac->new_flags & ~uac->old_flags;
    4629             : 
    4630       35873 :                 if (added_flags & UF_SMARTCARD_REQUIRED) {
    4631          13 :                         processing_needed = true;
    4632             :                 }
    4633             :         }
    4634             : 
    4635      652292 :         if (!processing_needed) {
    4636      614475 :                 return ldb_next_request(module, req);
    4637             :         }
    4638             : 
    4639       37817 :         ac = ph_init_context(module, req, userPassword, update_password);
    4640       37817 :         if (!ac) {
    4641           0 :                 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
    4642           0 :                 return ldb_operr(ldb);
    4643             :         }
    4644       37817 :         ph_apply_controls(ac);
    4645             : 
    4646             :         /*
    4647             :          * Make a copy in order to apply our modifications
    4648             :          * to the final update
    4649             :          */
    4650       37817 :         ac->update_msg = ldb_msg_copy_shallow(ac, msg);
    4651       37817 :         if (ac->update_msg == NULL) {
    4652           0 :                 return ldb_oom(ldb);
    4653             :         }
    4654             : 
    4655             :         /*
    4656             :          * Remove all password related attributes.
    4657             :          */
    4658       37817 :         if (ac->userPassword) {
    4659        3341 :                 ldb_msg_remove_attr(ac->update_msg, "userPassword");
    4660             :         }
    4661       37817 :         ldb_msg_remove_attr(ac->update_msg, "clearTextPassword");
    4662       37817 :         ldb_msg_remove_attr(ac->update_msg, "unicodePwd");
    4663       37817 :         ldb_msg_remove_attr(ac->update_msg, "ntPwdHistory");
    4664       37817 :         ldb_msg_remove_attr(ac->update_msg, "dBCSPwd");
    4665       37817 :         ldb_msg_remove_attr(ac->update_msg, "lmPwdHistory");
    4666       37817 :         ldb_msg_remove_attr(ac->update_msg, "supplementalCredentials");
    4667       37817 :         ldb_msg_remove_attr(ac->update_msg, "pwdLastSet");
    4668             : 
    4669       37817 :         *_ac = ac;
    4670       37817 :         return LDB_SUCCESS;
    4671             : }
    4672             : 
    4673      323060 : static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
    4674             : {
    4675      323060 :         struct ldb_context *ldb = ldb_module_get_ctx(module);
    4676      323060 :         struct ph_context *ac = NULL;
    4677             :         int ret;
    4678             : 
    4679      323060 :         ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
    4680             : 
    4681      323060 :         ret = password_hash_needed(module, req, &ac);
    4682      323060 :         if (ret != LDB_SUCCESS) {
    4683          43 :                 return ret;
    4684             :         }
    4685      323017 :         if (ac == NULL) {
    4686      301066 :                 return ret;
    4687             :         }
    4688             : 
    4689             :         /* Make sure we are performing the password set action on a (for us)
    4690             :          * valid object. Those are instances of either "user" and/or
    4691             :          * "inetOrgPerson". Otherwise continue with the submodules. */
    4692       21951 :         if ((!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "user"))
    4693           0 :                 && (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "inetOrgPerson"))) {
    4694             : 
    4695           0 :                 TALLOC_FREE(ac);
    4696             : 
    4697           0 :                 if (ldb_msg_find_element(req->op.add.message, "clearTextPassword") != NULL) {
    4698           0 :                         ldb_set_errstring(ldb,
    4699             :                                           "'clearTextPassword' is only allowed on objects of class 'user' and/or 'inetOrgPerson'!");
    4700           0 :                         return LDB_ERR_NO_SUCH_ATTRIBUTE;
    4701             :                 }
    4702             : 
    4703           0 :                 return ldb_next_request(module, req);
    4704             :         }
    4705             : 
    4706             :         /* get user domain data */
    4707       21951 :         ret = build_domain_data_request(ac);
    4708       21951 :         if (ret != LDB_SUCCESS) {
    4709           0 :                 return ret;
    4710             :         }
    4711             : 
    4712       21951 :         return ldb_next_request(module, ac->dom_req);
    4713             : }
    4714             : 
    4715       21951 : static int password_hash_add_do_add(struct ph_context *ac)
    4716             : {
    4717       21951 :         struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
    4718             :         struct ldb_request *down_req;
    4719             :         struct setup_password_fields_io io;
    4720             :         int ret;
    4721             : 
    4722             :         /* Prepare the internal data structure containing the passwords */
    4723       21951 :         ret = setup_io(ac, ac->req->op.add.message, NULL, &io);
    4724       21951 :         if (ret != LDB_SUCCESS) {
    4725          28 :                 return ret;
    4726             :         }
    4727             : 
    4728       21923 :         ret = setup_password_fields(&io);
    4729       21923 :         if (ret != LDB_SUCCESS) {
    4730           8 :                 return ret;
    4731             :         }
    4732             : 
    4733       21915 :         ret = check_password_restrictions_and_log(&io);
    4734       21915 :         if (ret != LDB_SUCCESS) {
    4735           1 :                 return ret;
    4736             :         }
    4737             : 
    4738       21914 :         ret = setup_smartcard_reset(&io);
    4739       21914 :         if (ret != LDB_SUCCESS) {
    4740           0 :                 return ret;
    4741             :         }
    4742             : 
    4743       21914 :         ret = update_final_msg(&io);
    4744       21914 :         if (ret != LDB_SUCCESS) {
    4745           0 :                 return ret;
    4746             :         }
    4747             : 
    4748       21914 :         ret = ldb_build_add_req(&down_req, ldb, ac,
    4749       21914 :                                 ac->update_msg,
    4750       21914 :                                 ac->req->controls,
    4751             :                                 ac, ph_op_callback,
    4752             :                                 ac->req);
    4753       21914 :         LDB_REQ_SET_LOCATION(down_req);
    4754       21914 :         if (ret != LDB_SUCCESS) {
    4755           0 :                 return ret;
    4756             :         }
    4757             : 
    4758       21914 :         return ldb_next_request(ac->module, down_req);
    4759             : }
    4760             : 
    4761      330175 : static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
    4762             : {
    4763      330175 :         struct ldb_context *ldb = ldb_module_get_ctx(module);
    4764      330175 :         struct ph_context *ac = NULL;
    4765      330175 :         const char *passwordAttrs[] = {DSDB_PASSWORD_ATTRIBUTES, NULL}, **l;
    4766             :         unsigned int del_attr_cnt, add_attr_cnt, rep_attr_cnt;
    4767             :         struct ldb_message_element *passwordAttr;
    4768             :         struct ldb_message *msg;
    4769             :         struct ldb_request *down_req;
    4770      330175 :         struct ldb_control *restore = NULL;
    4771             :         int ret;
    4772      330175 :         unsigned int i = 0;
    4773             : 
    4774      330175 :         ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
    4775             : 
    4776      330175 :         ret = password_hash_needed(module, req, &ac);
    4777      330175 :         if (ret != LDB_SUCCESS) {
    4778         134 :                 return ret;
    4779             :         }
    4780      330041 :         if (ac == NULL) {
    4781      314175 :                 return ret;
    4782             :         }
    4783             : 
    4784             :         /* use a new message structure so that we can modify it */
    4785       15866 :         msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
    4786       15866 :         if (msg == NULL) {
    4787           0 :                 return ldb_oom(ldb);
    4788             :         }
    4789             : 
    4790             :         /* - check for single-valued password attributes
    4791             :          *   (if not return "CONSTRAINT_VIOLATION")
    4792             :          * - check that for a password change operation one add and one delete
    4793             :          *   operation exists
    4794             :          *   (if not return "CONSTRAINT_VIOLATION" or "UNWILLING_TO_PERFORM")
    4795             :          * - check that a password change and a password set operation cannot
    4796             :          *   be mixed
    4797             :          *   (if not return "UNWILLING_TO_PERFORM")
    4798             :          * - remove all password attributes modifications from the first change
    4799             :          *   operation (anything without the passwords) - we will make the real
    4800             :          *   modification later */
    4801       15866 :         del_attr_cnt = 0;
    4802       15866 :         add_attr_cnt = 0;
    4803       15866 :         rep_attr_cnt = 0;
    4804       78420 :         for (l = passwordAttrs; *l != NULL; l++) {
    4805       62792 :                 if ((!ac->userPassword) &&
    4806       54120 :                     (ldb_attr_cmp(*l, "userPassword") == 0)) {
    4807       13530 :                         continue;
    4808             :                 }
    4809             : 
    4810       66264 :                 while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
    4811       17240 :                         unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
    4812       17240 :                         unsigned int nvalues = passwordAttr->num_values;
    4813             : 
    4814       17240 :                         if (mtype == LDB_FLAG_MOD_DELETE) {
    4815        1662 :                                 ++del_attr_cnt;
    4816             :                         }
    4817       17240 :                         if (mtype == LDB_FLAG_MOD_ADD) {
    4818        1620 :                                 ++add_attr_cnt;
    4819             :                         }
    4820       17240 :                         if (mtype == LDB_FLAG_MOD_REPLACE) {
    4821       13958 :                                 ++rep_attr_cnt;
    4822             :                         }
    4823       17240 :                         if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
    4824         224 :                                 talloc_free(ac);
    4825         224 :                                 ldb_asprintf_errstring(ldb,
    4826             :                                                        "'%s' attribute must have exactly one value on add operations!",
    4827             :                                                        *l);
    4828         224 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    4829             :                         }
    4830       17016 :                         if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
    4831          14 :                                 talloc_free(ac);
    4832          14 :                                 ldb_asprintf_errstring(ldb,
    4833             :                                                        "'%s' attribute must have zero or one value(s) on delete operations!",
    4834             :                                                        *l);
    4835          14 :                                 return LDB_ERR_CONSTRAINT_VIOLATION;
    4836             :                         }
    4837       17002 :                         ldb_msg_remove_element(msg, passwordAttr);
    4838             :                 }
    4839             :         }
    4840       15628 :         if ((del_attr_cnt == 0) && (add_attr_cnt > 0)) {
    4841           7 :                 talloc_free(ac);
    4842           7 :                 ldb_set_errstring(ldb,
    4843             :                                   "Only the add action for a password change specified!");
    4844           7 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4845             :         }
    4846       15621 :         if ((del_attr_cnt > 1) || (add_attr_cnt > 1)) {
    4847          21 :                 talloc_free(ac);
    4848          21 :                 ldb_set_errstring(ldb,
    4849             :                                   "Only one delete and one add action for a password change allowed!");
    4850          21 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4851             :         }
    4852       15600 :         if ((rep_attr_cnt > 0) && ((del_attr_cnt > 0) || (add_attr_cnt > 0))) {
    4853           7 :                 talloc_free(ac);
    4854           7 :                 ldb_set_errstring(ldb,
    4855             :                                   "Either a password change or a password set operation is allowed!");
    4856           7 :                 return LDB_ERR_UNWILLING_TO_PERFORM;
    4857             :         }
    4858             : 
    4859       15593 :         restore = ldb_request_get_control(req,
    4860             :                                         DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
    4861       15593 :         if (restore == NULL) {
    4862             :                 /*
    4863             :                  * A tomstone reanimation generates a double update
    4864             :                  * of pwdLastSet.
    4865             :                  *
    4866             :                  * So we only remove it without the
    4867             :                  * DSDB_CONTROL_RESTORE_TOMBSTONE_OID control.
    4868             :                  */
    4869       15542 :                 ldb_msg_remove_attr(msg, "pwdLastSet");
    4870             :         }
    4871             : 
    4872             : 
    4873             :         /* if there was nothing else to be modified skip to next step */
    4874       15593 :         if (msg->num_elements == 0) {
    4875       15526 :                 return password_hash_mod_search_self(ac);
    4876             :         }
    4877             : 
    4878             :         /*
    4879             :          * Now we apply all changes remaining in msg
    4880             :          * and remove them from our final update_msg
    4881             :          */
    4882             : 
    4883         919 :         for (i = 0; i < msg->num_elements; i++) {
    4884         852 :                 ldb_msg_remove_attr(ac->update_msg,
    4885         852 :                                     msg->elements[i].name);
    4886             :         }
    4887             : 
    4888          67 :         ret = ldb_build_mod_req(&down_req, ldb, ac,
    4889             :                                 msg,
    4890             :                                 req->controls,
    4891             :                                 ac, ph_modify_callback,
    4892             :                                 req);
    4893          67 :         LDB_REQ_SET_LOCATION(down_req);
    4894          67 :         if (ret != LDB_SUCCESS) {
    4895           0 :                 return ret;
    4896             :         }
    4897             : 
    4898          67 :         return ldb_next_request(module, down_req);
    4899             : }
    4900             : 
    4901          67 : static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
    4902             : {
    4903             :         struct ph_context *ac;
    4904             : 
    4905          67 :         ac = talloc_get_type(req->context, struct ph_context);
    4906             : 
    4907          67 :         if (!ares) {
    4908           0 :                 return ldb_module_done(ac->req, NULL, NULL,
    4909             :                                         LDB_ERR_OPERATIONS_ERROR);
    4910             :         }
    4911             : 
    4912          67 :         if (ares->type == LDB_REPLY_REFERRAL) {
    4913           0 :                 return ldb_module_send_referral(ac->req, ares->referral);
    4914             :         }
    4915             : 
    4916          67 :         if (ares->error != LDB_SUCCESS) {
    4917           0 :                 return ldb_module_done(ac->req, ares->controls,
    4918             :                                         ares->response, ares->error);
    4919             :         }
    4920             : 
    4921          67 :         if (ares->type != LDB_REPLY_DONE) {
    4922           0 :                 talloc_free(ares);
    4923           0 :                 return ldb_module_done(ac->req, NULL, NULL,
    4924             :                                         LDB_ERR_OPERATIONS_ERROR);
    4925             :         }
    4926             : 
    4927          67 :         talloc_free(ares);
    4928             : 
    4929          67 :         return password_hash_mod_search_self(ac);
    4930             : }
    4931             : 
    4932       31186 : static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares)
    4933             : {
    4934             :         struct ldb_context *ldb;
    4935             :         struct ph_context *ac;
    4936       31186 :         int ret = LDB_SUCCESS;
    4937             : 
    4938       31186 :         ac = talloc_get_type(req->context, struct ph_context);
    4939       31186 :         ldb = ldb_module_get_ctx(ac->module);
    4940             : 
    4941       31186 :         if (!ares) {
    4942           0 :                 ret = LDB_ERR_OPERATIONS_ERROR;
    4943           0 :                 goto done;
    4944             :         }
    4945       31186 :         if (ares->error != LDB_SUCCESS) {
    4946           0 :                 return ldb_module_done(ac->req, ares->controls,
    4947             :                                         ares->response, ares->error);
    4948             :         }
    4949             : 
    4950             :         /* we are interested only in the single reply (base search) */
    4951       31186 :         switch (ares->type) {
    4952       15593 :         case LDB_REPLY_ENTRY:
    4953             :                 /* Make sure we are performing the password change action on a
    4954             :                  * (for us) valid object. Those are instances of either "user"
    4955             :                  * and/or "inetOrgPerson". Otherwise continue with the
    4956             :                  * submodules. */
    4957       15593 :                 if ((!ldb_msg_check_string_attribute(ares->message, "objectClass", "user"))
    4958           0 :                         && (!ldb_msg_check_string_attribute(ares->message, "objectClass", "inetOrgPerson"))) {
    4959           0 :                         talloc_free(ares);
    4960             : 
    4961           0 :                         if (ldb_msg_find_element(ac->req->op.mod.message, "clearTextPassword") != NULL) {
    4962           0 :                                 ldb_set_errstring(ldb,
    4963             :                                                   "'clearTextPassword' is only allowed on objects of class 'user' and/or 'inetOrgPerson'!");
    4964           0 :                                 ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
    4965           0 :                                 goto done;
    4966             :                         }
    4967             : 
    4968           0 :                         ret = ldb_next_request(ac->module, ac->req);
    4969           0 :                         goto done;
    4970             :                 }
    4971             : 
    4972       15593 :                 if (ac->search_res != NULL) {
    4973           0 :                         talloc_free(ares);
    4974             : 
    4975           0 :                         ldb_set_errstring(ldb, "Too many results");
    4976           0 :                         ret = LDB_ERR_OPERATIONS_ERROR;
    4977           0 :                         goto done;
    4978             :                 }
    4979             : 
    4980       15593 :                 ac->search_res = talloc_steal(ac, ares);
    4981       15593 :                 ret = LDB_SUCCESS;
    4982       15593 :                 break;
    4983             : 
    4984           0 :         case LDB_REPLY_REFERRAL:
    4985             :                 /* ignore anything else for now */
    4986           0 :                 talloc_free(ares);
    4987           0 :                 ret = LDB_SUCCESS;
    4988           0 :                 break;
    4989             : 
    4990       15593 :         case LDB_REPLY_DONE:
    4991       15593 :                 talloc_free(ares);
    4992             : 
    4993             :                 /* get user domain data */
    4994       15593 :                 ret = build_domain_data_request(ac);
    4995       15593 :                 if (ret != LDB_SUCCESS) {
    4996           0 :                         return ldb_module_done(ac->req, NULL, NULL, ret);
    4997             :                 }
    4998             : 
    4999       15593 :                 ret = ldb_next_request(ac->module, ac->dom_req);
    5000       15593 :                 break;
    5001             :         }
    5002             : 
    5003       31186 : done:
    5004       31186 :         if (ret != LDB_SUCCESS) {
    5005           0 :                 return ldb_module_done(ac->req, NULL, NULL, ret);
    5006             :         }
    5007             : 
    5008       31186 :         return LDB_SUCCESS;
    5009             : }
    5010             : 
    5011       15593 : static int password_hash_mod_search_self(struct ph_context *ac)
    5012             : {
    5013             :         struct ldb_context *ldb;
    5014             :         static const char * const attrs[] = { "objectClass",
    5015             :                                               "userAccountControl",
    5016             :                                               "msDS-ResultantPSO",
    5017             :                                               "msDS-User-Account-Control-Computed",
    5018             :                                               "pwdLastSet",
    5019             :                                               "sAMAccountName",
    5020             :                                               "objectSid",
    5021             :                                               "userPrincipalName",
    5022             :                                               "displayName",
    5023             :                                               "supplementalCredentials",
    5024             :                                               "lmPwdHistory",
    5025             :                                               "ntPwdHistory",
    5026             :                                               "dBCSPwd",
    5027             :                                               "unicodePwd",
    5028             :                                               "badPasswordTime",
    5029             :                                               "badPwdCount",
    5030             :                                               "lockoutTime",
    5031             :                                               "msDS-KeyVersionNumber",
    5032             :                                               "msDS-SecondaryKrbTgtNumber",
    5033             :                                               NULL };
    5034             :         struct ldb_request *search_req;
    5035             :         int ret;
    5036             : 
    5037       15593 :         ldb = ldb_module_get_ctx(ac->module);
    5038             : 
    5039       15593 :         ret = ldb_build_search_req(&search_req, ldb, ac,
    5040       15593 :                                    ac->req->op.mod.message->dn,
    5041             :                                    LDB_SCOPE_BASE,
    5042             :                                    "(objectclass=*)",
    5043             :                                    attrs,
    5044             :                                    NULL,
    5045             :                                    ac, ph_mod_search_callback,
    5046             :                                    ac->req);
    5047       15593 :         LDB_REQ_SET_LOCATION(search_req);
    5048       15593 :         if (ret != LDB_SUCCESS) {
    5049           0 :                 return ret;
    5050             :         }
    5051             : 
    5052       15593 :         return ldb_next_request(ac->module, search_req);
    5053             : }
    5054             : 
    5055       15593 : static int password_hash_mod_do_mod(struct ph_context *ac)
    5056             : {
    5057       15593 :         struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
    5058             :         struct ldb_request *mod_req;
    5059             :         struct setup_password_fields_io io;
    5060             :         int ret;
    5061             : 
    5062             :         /* Prepare the internal data structure containing the passwords */
    5063       15593 :         ret = setup_io(ac, ac->req->op.mod.message,
    5064       15593 :                        ac->search_res->message, &io);
    5065       15593 :         if (ret != LDB_SUCCESS) {
    5066         181 :                 return ret;
    5067             :         }
    5068             : 
    5069       15412 :         ret = setup_password_fields(&io);
    5070       15412 :         if (ret != LDB_SUCCESS) {
    5071           9 :                 return ret;
    5072             :         }
    5073             : 
    5074       15403 :         ret = check_password_restrictions_and_log(&io);
    5075       15403 :         if (ret != LDB_SUCCESS) {
    5076         752 :                 return ret;
    5077             :         }
    5078             : 
    5079       14651 :         ret = setup_smartcard_reset(&io);
    5080       14651 :         if (ret != LDB_SUCCESS) {
    5081           0 :                 return ret;
    5082             :         }
    5083             : 
    5084       14651 :         ret = update_final_msg(&io);
    5085       14651 :         if (ret != LDB_SUCCESS) {
    5086           0 :                 return ret;
    5087             :         }
    5088             : 
    5089       14651 :         ret = ldb_build_mod_req(&mod_req, ldb, ac,
    5090       14651 :                                 ac->update_msg,
    5091       14651 :                                 ac->req->controls,
    5092             :                                 ac, ph_op_callback,
    5093             :                                 ac->req);
    5094       14651 :         LDB_REQ_SET_LOCATION(mod_req);
    5095       14651 :         if (ret != LDB_SUCCESS) {
    5096           0 :                 return ret;
    5097             :         }
    5098             : 
    5099       14651 :         return ldb_next_request(ac->module, mod_req);
    5100             : }
    5101             : 
    5102             : static const struct ldb_module_ops ldb_password_hash_module_ops = {
    5103             :         .name          = "password_hash",
    5104             :         .add           = password_hash_add,
    5105             :         .modify        = password_hash_modify
    5106             : };
    5107             : 
    5108        4223 : int ldb_password_hash_module_init(const char *version)
    5109             : {
    5110             : #ifdef ENABLE_GPGME
    5111        4223 :         const char *gversion = NULL;
    5112             : #endif /* ENABLE_GPGME */
    5113             : 
    5114        4223 :         LDB_MODULE_CHECK_VERSION(version);
    5115             : 
    5116             : #ifdef ENABLE_GPGME
    5117             :         /*
    5118             :          * Note: this sets a SIGPIPE handler
    5119             :          * if none is active already. See:
    5120             :          * https://www.gnupg.org/documentation/manuals/gpgme/Signal-Handling.html#Signal-Handling
    5121             :          */
    5122        4223 :         gversion = gpgme_check_version(MINIMUM_GPGME_VERSION);
    5123        4223 :         if (gversion == NULL) {
    5124           0 :                 fprintf(stderr, "%s() in %s version[%s]: "
    5125             :                         "gpgme_check_version(%s) not available, "
    5126             :                         "gpgme_check_version(NULL) => '%s'\n",
    5127             :                         __func__, __FILE__, version,
    5128             :                         MINIMUM_GPGME_VERSION, gpgme_check_version(NULL));
    5129           0 :                 return LDB_ERR_UNAVAILABLE;
    5130             :         }
    5131             : #endif /* ENABLE_GPGME */
    5132             : 
    5133        4223 :         return ldb_register_module(&ldb_password_hash_module_ops);
    5134             : }
 |