[Freeipa-devel] [PATCHES] 122-123 Remove generation and handling of LM hashes

Sumit Bose sbose at redhat.com
Wed Oct 30 11:34:41 UTC 2013


Hi,

those two patches try to fix
https://fedorahosted.org/freeipa/ticket/3795 (Remove LANMAN hash
support). The first patch removes the option to enable the support, while
the second removes all the related C code.

Although the ticket is scheduled for the 3.3.x bugfix release, I'm not
sure it is a good idea to remove the support in a minor release.
Since the LM hashes are not enabled by default, I would expect that in
setups where they are enabled the hashes are needed one way or another.
Those setups should get time to adapt.

Maybe we can add to the release notes of 3.3.x that LM hash support will
go away with the next major release and add the patches to master only?
If the patches are needed/wanted on some platforms I think they can be
easily backported and added as a patch to those platforms.

bye,
Sumit
-------------- next part --------------
From c9c2510a087eb91afa718ccd6d731478c461c8fc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 29 Oct 2013 11:37:03 +0100
Subject: [PATCH 122/123] Remove AllowLMhash from the allowed IPA config
 strings

Fixes https://fedorahosted.org/freeipa/ticket/3795
---
 API.txt                                     | 2 +-
 install/ui/src/freeipa/serverconfig.js      | 2 +-
 install/ui/test/data/ipa_init_commands.json | 1 -
 install/ui/test/data/ipa_init_objects.json  | 1 -
 ipalib/plugins/config.py                    | 2 +-
 5 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 40871f6a8b105a7b161df34ce4f6feaf785a6107..605f9ee30b7a945e529dc208c8e719cd04ec3a87 100644
--- a/API.txt
+++ b/API.txt
@@ -499,7 +499,7 @@ args: 0,24,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 94e1454adebc3dd6848b0251db5e3e460211084e..7dea5d1f5344d187e746333824416b85874414e3 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -69,7 +69,7 @@ return {
                             name: 'ipaconfigstring',
                             $type: 'checkboxes',
                             options: IPA.create_options([
-                                'AllowLMhash', 'AllowNThash',
+                                'AllowNThash',
                                 'KDC:Disable Last Success', 'KDC:Disable Lockout'
                             ])
                         },
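Review bot: Dropping 'AllowLMhash' from the checkbox options leaves a config entry whose ipaConfigString still contains that value with nothing in the form to show it, and since the widget presumably writes back the full set of checked values, saving the page would silently drop the stale entry rather than report it. The same gap exists in the StrEnum change in ipalib/plugins/config.py, which now rejects the value on input while leaving already-stored directory values untouched. An upgrade step that strips `AllowLMhash` from the stored ipaConfigString, together with the release-note line the cover mail proposes, would make the removal explicit instead of incidental. The `ipaconfigstring` field definition continues outside the hunk.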
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 4f28701fb1db2913a8317a9299a4cc7de73155da..207318115cc9a0d9f7cbd2c6f1bf31aae9aa8814 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2278,7 +2278,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index bef3cc65d45a8473f7fed3b67124bbc892213ca5..8550e8280a69d4eafdac5529ba39f162f3dbc9eb 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -580,7 +580,6 @@
                         "name": "ipaconfigstring",
                         "type": "unicode",
                         "values": [
-                            "AllowLMhash",
                             "AllowNThash",
                             "KDC:Disable Last Success",
                             "KDC:Disable Lockout"
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index b9cf05016bf80cd48134cca5a50cdca7db423ca9..fbaacb7b9daafac4de49f23794b807e99aab6fc3 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -178,7 +178,7 @@ class config(LDAPObject):
             cli_name='ipaconfigstring',
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
-            values=(u'AllowLMhash', u'AllowNThash',
+            values=(u'AllowNThash',
                     u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
             csv=True,
         ),
-- 
1.8.1.4

-------------- next part --------------
From 01ec90e42b4f66fa0478c30ad9ab826ab1786fdf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 29 Oct 2013 12:19:01 +0100
Subject: [PATCH 123/123] Remove generation and handling of LM hashes

https://fedorahosted.org/freeipa/ticket/3795
---
 daemons/ipa-sam/ipa_sam.c                          |  6 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c   | 14 +---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 11 +--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |  3 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c  | 17 +----
 util/ipa_pwd.h                                     |  1 -
 util/ipa_pwd_ntlm.c                                | 89 +---------------------
 7 files changed, 10 insertions(+), 131 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 59ddcef2e66f59297d2e42dadb5512e242f60657..5743a792f27b45937b709b15f2e79e1562dc0c18 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2711,17 +2711,13 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		goto done;
 	}
 
-	ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
+	ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true,
 			       &ntlm_keys);
 	if (ret != 0) {
 		res = false;
 		goto done;
 	}
 
-	if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
-		res = false;
-		goto done;
-	}
 	if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
 		res = false;
 		goto done;
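Review bot: With the `pdb_set_lanman_passwd` call removed, nothing in init_sam_from_td touches the LM field of `user` any more, so if the struct samu passed in is reused rather than freshly allocated it could retain an earlier value. Samba's `pdb_set_lanman_passwd(user, NULL, PDB_SET)` clears that field and would keep the trusted-domain entry free of any LM material regardless of how `user` arrives. Whether `user` can be pre-populated is not visible here, as init_sam_from_td starts and ends outside the hunk.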
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f0339c47c5b242b436d77c4845c5914eae79814f..2538a4094bd9a166e61b0911e5ea93426092d88a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -366,7 +366,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     slapi_entry_free(config_entry);
 
     /* get the ipa etc/ipaConfig entry */
-    config->allow_lm_hash = false;
     config->allow_nt_hash = false;
     ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
     if (ret != LDAP_SUCCESS) {
@@ -376,10 +375,6 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
         tmparray = slapi_entry_attr_get_charray(config_entry,
                                                 "ipaConfigString");
         for (i = 0; tmparray && tmparray[i]; i++) {
-            if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
-                config->allow_lm_hash = true;
-                continue;
-            }
             if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
                 config->allow_nt_hash = true;
                 continue;
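Review bot: A stored ipaConfigString value of `AllowLMhash` is now silently skipped by this loop, so an administrator who had enabled it gets no indication that the setting has stopped doing anything. Logging the ignored value at config load would make the removal visible without changing behaviour; the plugin's LOG_TRACE macro appears elsewhere in this patch, and a warning-level macro, if the plugin has one, would fit better. ipapwd_getConfig continues outside the hunk.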
@@ -928,7 +923,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     Slapi_Value **pwvals = NULL;
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
-    char *lm = NULL;
     char *nt = NULL;
     int is_smb = 0;
     int is_ipant = 0;
@@ -965,7 +959,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     ret = ipapwd_gen_hashes(krbcfg, data,
                             data->password,
                             is_krb, is_smb, is_ipant,
-                            &svals, &nt, &lm, &ntvals, &errMesg);
+                            &svals, &nt, &ntvals, &errMesg);
     if (ret) {
         goto free_and_return;
     }
@@ -1004,11 +998,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 		}
 	}
 
-    if (lm && is_smb) {
-        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                              "sambaLMPassword", lm);
-    }
-
     if (nt && is_smb) {
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
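Review bot: Removing the `sambaLMPassword` write means a password change no longer touches that attribute, so an entry that already holds an LM hash of the previous password keeps it in the directory indefinitely; the comment added in util/ipa_pwd_ntlm.c ("old values might get cleared as well") suggests clearing was intended, but nothing in this patch does it. When `is_smb` is set, replacing `sambaLMPassword` with an empty value set on the same smods (`LDAP_MOD_REPLACE` with no values, which succeeds whether or not the attribute is present) would remove the stale hash on every password change. The same applies to the ipapwd_pre_mod hunk in prepost.c; ipapwd_SetPassword continues outside the hunk.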
@@ -1069,7 +1058,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     LOG_TRACE("<= result: %d\n", ret);
 
 free_and_return:
-    if (lm) slapi_ch_free((void **)&lm);
     if (nt) slapi_ch_free((void **)&nt);
     if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index a92eaf0da33809e5a4b81c7f10a801e256880743..aa06b5302f0a76a270c7aeed66d60a2551ef4d89 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -201,7 +201,7 @@ enc_error:
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
-                      char **nthash, char **lmhash, Slapi_Value ***ntvals,
+                      char **nthash, Slapi_Value ***ntvals,
                       char **errMesg)
 {
     int rc;
@@ -209,7 +209,6 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 
     *svals = NULL;
     *nthash = NULL;
-    *lmhash = NULL;
     *errMesg = NULL;
 
     if (is_krb) {
@@ -225,7 +224,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
     }
 
     if (is_smb || is_ipant) {
-        char lm[33], nt[33];
+        char nt[33];
         struct ntlm_keys ntlm;
         int ret;
 
@@ -239,7 +238,6 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 
         ret = encode_ntlm_keys(userpw,
                                userpw_uc,
-                               krbcfg->allow_lm_hash,
                                krbcfg->allow_nt_hash,
                                &ntlm);
         memset(userpw_uc, 0, strlen(userpw_uc));
@@ -250,11 +248,6 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
-        if (krbcfg->allow_lm_hash) {
-            hexbuf(lm, ntlm.lm);
-            lm[32] = '\0';
-            *lmhash = slapi_ch_strdup(lm);
-        }
         if (krbcfg->allow_nt_hash) {
             hexbuf(nt, ntlm.nt);
             nt[32] = '\0';
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 74b63627689da9e519ec15d1e2020fa50ea7f75c..b4087488ccf2081aeed9aa02d1a4f0d37f4cf7f4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -132,7 +132,6 @@ struct ipapwd_krbcfg {
     krb5_key_salt_tuple *pref_encsalts;
     char **passsync_mgrs;
     int num_passsync_mgrs;
-    bool allow_lm_hash;
     bool allow_nt_hash;
 };
 
@@ -172,7 +171,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
                       int is_krb, int is_smb, int is_ipant,
-                      Slapi_Value ***svals, char **nthash, char **lmhash,
+                      Slapi_Value ***svals, char **nthash,
                       Slapi_Value ***ntvals, char **errMesg);
 
 /* from prepost.c */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index f5100a292adcb6db63fcad7b4780d4b2a5ab512e..fa956acebe974a2b07bb2ea6abfdd4c339b6eb47 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -329,13 +329,12 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         pwdop->is_krb = is_krb;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
                                userpw, is_krb, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc != LDAP_SUCCESS) {
             goto done;
         }
@@ -353,11 +352,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* set value */
-            slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* set value */
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
@@ -823,11 +817,10 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         Slapi_Value **svals = NULL;
         Slapi_Value **ntvals = NULL;
         char *nt = NULL;
-        char *lm = NULL;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
                                gen_krb_keys, is_smb, is_ipant,
-                               &svals, &nt, &lm, &ntvals, &errMesg);
+                               &svals, &nt, &ntvals, &errMesg);
         if (rc) {
             goto done;
         }
@@ -839,12 +832,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm && is_smb) {
-            /* replace value */
-            slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
-                                  "sambaLMPassword", lm);
-            slapi_ch_free_string(&lm);
-        }
         if (nt && is_smb) {
             /* replace value */
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index a6990cac6333bf2582fb071a507001b10145df6d..fecf89650b18ea64393c69b71127305036d336cd 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -81,7 +81,6 @@ struct ntlm_keys {
 
 int encode_ntlm_keys(char *newPasswd,
                      char *upperPasswd,
-                     bool do_lm_hash,
                      bool do_nt_hash,
                      struct ntlm_keys *keys);
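Review bot: The `do_lm_hash` parameter is gone, but `struct ntlm_keys` (declared just above this hunk, body not visible here) evidently still carries an `lm` member, since the ipa_pwd_ntlm.c hunk zeroes `keys->lm`; a field every caller must remember to ignore is the kind of leftover that tends to reappear in a write path later. If no remaining caller reads it, dropping the member and the `memset` with it would complete the removal at the type level; if it is kept for ABI reasons, a comment on the member such as `/* unused since LM hash support was removed; always zero */` would record that.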
 
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index a3399b58e006e340677fa43773e6282249858062..92f56099fdad23e777488fcf0fdc1fd1cfce599d 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -43,104 +43,21 @@ static const uint8_t parity_table[128] = {
     224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
 };
 
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
-    out[0] = parity_table[in[0]>>1];
-    out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
-    out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
-    out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
-    out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
-    out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
-    out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
-    out[7] = parity_table[in[6] & 0x7F];
-}
-
-/* create the lm and nt hashes
+/* create the nt hash
    newPassword: the clear text utf8 password
    upperPasswd: upper case version of clear text utf8 password
-   do_lm_hash: determine if LM hash is generated
    do_nt_hash: determine if NT hash is generated
    keys[out]: array with generated hashes
 */
 int encode_ntlm_keys(char *newPasswd,
                      char *upperPasswd,
-                     bool do_lm_hash,
                      bool do_nt_hash,
                      struct ntlm_keys *keys)
 {
     int ret = 0;
 
-    /* do lanman first */
-    if (do_lm_hash) {
-        iconv_t cd;
-        size_t cs, il, ol;
-        char *inc, *outc;
-        char *asciiPasswd;
-        DES_key_schedule schedule;
-        DES_cblock deskey;
-        DES_cblock magic = "KGS!@#$%";
-
-        if (upperPasswd == NULL) {
-            ret = -1;
-            goto done;
-        }
-        il = strlen(upperPasswd);
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        /* an ascii string can only be smaller than or equal to an utf8 one */
-        ol = il;
-        if (ol < 14) ol = 14;
-        asciiPasswd = calloc(ol+1, 1);
-        if (!asciiPasswd) {
-            iconv_close(cd);
-            ret = -1;
-            goto done;
-        }
-
-        inc = upperPasswd;
-        outc = asciiPasswd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(asciiPasswd);
-            iconv_close(cd);
-            goto done;
-        }
-
-        /* done with these */
-        iconv_close(cd);
-
-        /* we are interested only in the first 14 ASCII chars for lanman */
-        if (strlen(asciiPasswd) > 14) {
-            asciiPasswd[14] = '\0';
-        }
-
-        /* first half */
-        lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
-                        &schedule, DES_ENCRYPT);
-
-        /* second half */
-        lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
-                        &schedule, DES_ENCRYPT);
-
-        /* done with it */
-        free(asciiPasswd);
-
-    } else {
-        memset(keys->lm, 0, 16);
-    }
+    /* clear ln hash so that old values might get cleared as well */
+    memset(keys->lm, 0, 16);
 
     if (do_nt_hash) {
         iconv_t cd;
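Review bot: The new comment at the memset reads `ln hash`; it should be `/* clear lm hash so that old values might get cleared as well */`. The zeroing itself is worth keeping, because it stops uninitialised stack bytes from reaching a field callers may still copy, but the literal 16 would be safer written as `memset(keys->lm, 0, sizeof(keys->lm));` so it tracks the member's declared size (the struct body is not visible in this patch). The header comment still says `keys[out]: array with generated hashes` and could note that only the NT hash is produced now. encode_ntlm_keys continues past the hunk.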
-- 
1.8.1.4


