passwd.c revision 1.1.1.10
1 1.1.1.9 christos /* $NetBSD: passwd.c,v 1.1.1.10 2025/09/05 21:09:34 christos Exp $ */ 2 1.1.1.2 lukem 3 1.1.1.4 tron /* $OpenLDAP$ */ 4 1.1 lukem /* This work is part of OpenLDAP Software <http://www.openldap.org/>. 5 1.1 lukem * 6 1.1.1.10 christos * Copyright 1998-2024 The OpenLDAP Foundation. 7 1.1 lukem * All rights reserved. 8 1.1 lukem * 9 1.1 lukem * Redistribution and use in source and binary forms, with or without 10 1.1 lukem * modification, are permitted only as authorized by the OpenLDAP 11 1.1 lukem * Public License. 12 1.1 lukem * 13 1.1 lukem * A copy of this license is available in the file LICENSE in the 14 1.1 lukem * top-level directory of the distribution or, alternatively, at 15 1.1 lukem * <http://www.OpenLDAP.org/license.html>. 16 1.1 lukem */ 17 1.1 lukem 18 1.1 lukem /* 19 1.1 lukem * int lutil_passwd( 20 1.1 lukem * const struct berval *passwd, 21 1.1 lukem * const struct berval *cred, 22 1.1 lukem * const char **schemes ) 23 1.1 lukem * 24 1.1 lukem * Returns true if user supplied credentials (cred) matches 25 1.1 lukem * the stored password (passwd). 26 1.1 lukem * 27 1.1 lukem * Due to the use of the crypt(3) function 28 1.1 lukem * this routine is NOT thread-safe. 29 1.1 lukem */ 30 1.1 lukem 31 1.1.1.5 christos #include <sys/cdefs.h> 32 1.1.1.9 christos __RCSID("$NetBSD: passwd.c,v 1.1.1.10 2025/09/05 21:09:34 christos Exp $"); 33 1.1.1.5 christos 34 1.1 lukem #include "portable.h" 35 1.1 lukem 36 1.1 lukem #include <stdio.h> 37 1.1 lukem #include <ac/stdlib.h> 38 1.1 lukem #include <ac/string.h> 39 1.1 lukem #include <ac/unistd.h> 40 1.1 lukem #include <ac/param.h> 41 1.1 lukem 42 1.1 lukem #ifdef SLAPD_CRYPT 43 1.1 lukem # include <ac/crypt.h> 44 1.1 lukem 45 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 46 1.1 lukem # ifdef HAVE_SHADOW_H 47 1.1 lukem # include <shadow.h> 48 1.1 lukem # endif 49 1.1 lukem # ifdef HAVE_PWD_H 50 1.1 lukem # include <pwd.h> 51 1.1 lukem # endif 52 1.1 lukem # ifdef HAVE_AIX_SECURITY 53 1.1 lukem # include <userpw.h> 54 1.1 lukem # endif 55 1.1 lukem # endif 56 1.1 lukem #endif 57 1.1 lukem 58 1.1 lukem #include <lber.h> 59 1.1 lukem 60 1.1 lukem #include "ldap_pvt.h" 61 1.1 lukem #include "lber_pvt.h" 62 1.1 lukem 63 1.1 lukem #include "lutil_md5.h" 64 1.1 lukem #include "lutil_sha1.h" 65 1.1 lukem #include "lutil.h" 66 1.1 lukem 67 1.1 lukem static const unsigned char crypt64[] = 68 1.1 lukem "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./"; 69 1.1 lukem 70 1.1 lukem #ifdef SLAPD_CRYPT 71 1.1 lukem static char *salt_format = NULL; 72 1.1 lukem static lutil_cryptfunc lutil_crypt; 73 1.1 lukem lutil_cryptfunc *lutil_cryptptr = lutil_crypt; 74 1.1 lukem #endif 75 1.1 lukem 76 1.1 lukem /* KLUDGE: 77 1.1 lukem * chk_fn is NULL iff name is {CLEARTEXT} 78 1.1 lukem * otherwise, things will break 79 1.1 lukem */ 80 1.1 lukem struct pw_scheme { 81 1.1 lukem struct berval name; 82 1.1 lukem LUTIL_PASSWD_CHK_FUNC *chk_fn; 83 1.1 lukem LUTIL_PASSWD_HASH_FUNC *hash_fn; 84 1.1 lukem }; 85 1.1 lukem 86 1.1 lukem struct pw_slist { 87 1.1 lukem struct pw_slist *next; 88 1.1 lukem struct pw_scheme s; 89 1.1 lukem }; 90 1.1 lukem 91 1.1 lukem /* password check routines */ 92 1.1 lukem 93 1.1 lukem #define SALT_SIZE 4 94 1.1 lukem 95 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_md5; 96 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_smd5; 97 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_smd5; 98 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_md5; 99 1.1 lukem 100 1.1 lukem 101 1.1 lukem #ifdef LUTIL_SHA1_BYTES 102 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_ssha1; 103 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_sha1; 104 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_sha1; 105 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_ssha1; 106 1.1 lukem #endif 107 1.1 lukem 108 1.1 lukem 109 1.1 lukem #ifdef SLAPD_CRYPT 110 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_crypt; 111 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_crypt; 112 1.1 lukem 113 1.1 lukem #if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 114 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_unix; 115 1.1 lukem #endif 116 1.1 lukem #endif 117 1.1 lukem 118 1.1 lukem /* password hash routines */ 119 1.1 lukem 120 1.1 lukem #ifdef SLAPD_CLEARTEXT 121 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_clear; 122 1.1 lukem #endif 123 1.1 lukem 124 1.1 lukem static struct pw_slist *pw_schemes; 125 1.1 lukem static int pw_inited; 126 1.1 lukem 127 1.1 lukem static const struct pw_scheme pw_schemes_default[] = 128 1.1 lukem { 129 1.1 lukem #ifdef LUTIL_SHA1_BYTES 130 1.1 lukem { BER_BVC("{SSHA}"), chk_ssha1, hash_ssha1 }, 131 1.1 lukem { BER_BVC("{SHA}"), chk_sha1, hash_sha1 }, 132 1.1 lukem #endif 133 1.1 lukem 134 1.1 lukem { BER_BVC("{SMD5}"), chk_smd5, hash_smd5 }, 135 1.1 lukem { BER_BVC("{MD5}"), chk_md5, hash_md5 }, 136 1.1 lukem 137 1.1 lukem #ifdef SLAPD_CRYPT 138 1.1 lukem { BER_BVC("{CRYPT}"), chk_crypt, hash_crypt }, 139 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 140 1.1 lukem { BER_BVC("{UNIX}"), chk_unix, NULL }, 141 1.1 lukem # endif 142 1.1 lukem #endif 143 1.1 lukem 144 1.1 lukem #ifdef SLAPD_CLEARTEXT 145 1.1 lukem /* pseudo scheme */ 146 1.1 lukem { BER_BVC("{CLEARTEXT}"), NULL, hash_clear }, 147 1.1 lukem #endif 148 1.1 lukem 149 1.1 lukem { BER_BVNULL, NULL, NULL } 150 1.1 lukem }; 151 1.1 lukem 152 1.1 lukem int lutil_passwd_add( 153 1.1 lukem struct berval *scheme, 154 1.1 lukem LUTIL_PASSWD_CHK_FUNC *chk, 155 1.1 lukem LUTIL_PASSWD_HASH_FUNC *hash ) 156 1.1 lukem { 157 1.1 lukem struct pw_slist *ptr; 158 1.1 lukem 159 1.1 lukem if (!pw_inited) lutil_passwd_init(); 160 1.1 lukem 161 1.1 lukem ptr = ber_memalloc( sizeof( struct pw_slist )); 162 1.1 lukem if (!ptr) return -1; 163 1.1 lukem ptr->next = pw_schemes; 164 1.1 lukem ptr->s.name = *scheme; 165 1.1 lukem ptr->s.chk_fn = chk; 166 1.1 lukem ptr->s.hash_fn = hash; 167 1.1 lukem pw_schemes = ptr; 168 1.1 lukem return 0; 169 1.1 lukem } 170 1.1 lukem 171 1.1 lukem void lutil_passwd_init() 172 1.1 lukem { 173 1.1 lukem struct pw_scheme *s; 174 1.1 lukem 175 1.1 lukem pw_inited = 1; 176 1.1 lukem 177 1.1 lukem for( s=(struct pw_scheme *)pw_schemes_default; s->name.bv_val; s++) { 178 1.1 lukem if ( lutil_passwd_add( &s->name, s->chk_fn, s->hash_fn ) ) break; 179 1.1 lukem } 180 1.1 lukem } 181 1.1 lukem 182 1.1 lukem void lutil_passwd_destroy() 183 1.1 lukem { 184 1.1 lukem struct pw_slist *ptr, *next; 185 1.1 lukem 186 1.1 lukem for( ptr=pw_schemes; ptr; ptr=next ) { 187 1.1 lukem next = ptr->next; 188 1.1 lukem ber_memfree( ptr ); 189 1.1 lukem } 190 1.1 lukem } 191 1.1 lukem 192 1.1 lukem static const struct pw_scheme *get_scheme( 193 1.1 lukem const char* scheme ) 194 1.1 lukem { 195 1.1 lukem struct pw_slist *pws; 196 1.1 lukem struct berval bv; 197 1.1 lukem 198 1.1 lukem if (!pw_inited) lutil_passwd_init(); 199 1.1 lukem 200 1.1 lukem bv.bv_val = strchr( scheme, '}' ); 201 1.1 lukem if ( !bv.bv_val ) 202 1.1 lukem return NULL; 203 1.1 lukem 204 1.1 lukem bv.bv_len = bv.bv_val - scheme + 1; 205 1.1 lukem bv.bv_val = (char *) scheme; 206 1.1 lukem 207 1.1 lukem for( pws=pw_schemes; pws; pws=pws->next ) { 208 1.1 lukem if ( ber_bvstrcasecmp(&bv, &pws->s.name ) == 0 ) { 209 1.1 lukem return &(pws->s); 210 1.1 lukem } 211 1.1 lukem } 212 1.1 lukem 213 1.1 lukem return NULL; 214 1.1 lukem } 215 1.1 lukem 216 1.1 lukem int lutil_passwd_scheme( 217 1.1 lukem const char* scheme ) 218 1.1 lukem { 219 1.1 lukem if( scheme == NULL ) { 220 1.1 lukem return 0; 221 1.1 lukem } 222 1.1 lukem 223 1.1 lukem return get_scheme(scheme) != NULL; 224 1.1 lukem } 225 1.1 lukem 226 1.1 lukem 227 1.1 lukem static int is_allowed_scheme( 228 1.1 lukem const char* scheme, 229 1.1 lukem const char** schemes ) 230 1.1 lukem { 231 1.1 lukem int i; 232 1.1 lukem 233 1.1 lukem if( schemes == NULL ) return 1; 234 1.1 lukem 235 1.1 lukem for( i=0; schemes[i] != NULL; i++ ) { 236 1.1 lukem if( strcasecmp( scheme, schemes[i] ) == 0 ) { 237 1.1 lukem return 1; 238 1.1 lukem } 239 1.1 lukem } 240 1.1 lukem return 0; 241 1.1 lukem } 242 1.1 lukem 243 1.1 lukem static struct berval *passwd_scheme( 244 1.1 lukem const struct pw_scheme *scheme, 245 1.1 lukem const struct berval * passwd, 246 1.1 lukem struct berval *bv, 247 1.1 lukem const char** allowed ) 248 1.1 lukem { 249 1.1 lukem if( !is_allowed_scheme( scheme->name.bv_val, allowed ) ) { 250 1.1 lukem return NULL; 251 1.1 lukem } 252 1.1 lukem 253 1.1 lukem if( passwd->bv_len >= scheme->name.bv_len ) { 254 1.1 lukem if( strncasecmp( passwd->bv_val, scheme->name.bv_val, scheme->name.bv_len ) == 0 ) { 255 1.1 lukem bv->bv_val = &passwd->bv_val[scheme->name.bv_len]; 256 1.1 lukem bv->bv_len = passwd->bv_len - scheme->name.bv_len; 257 1.1 lukem 258 1.1 lukem return bv; 259 1.1 lukem } 260 1.1 lukem } 261 1.1 lukem 262 1.1 lukem return NULL; 263 1.1 lukem } 264 1.1 lukem 265 1.1 lukem /* 266 1.1 lukem * Return 0 if creds are good. 267 1.1 lukem */ 268 1.1 lukem int 269 1.1 lukem lutil_passwd( 270 1.1 lukem const struct berval *passwd, /* stored passwd */ 271 1.1 lukem const struct berval *cred, /* user cred */ 272 1.1 lukem const char **schemes, 273 1.1 lukem const char **text ) 274 1.1 lukem { 275 1.1 lukem struct pw_slist *pws; 276 1.1 lukem 277 1.1 lukem if ( text ) *text = NULL; 278 1.1 lukem 279 1.1 lukem if (cred == NULL || cred->bv_len == 0 || 280 1.1 lukem passwd == NULL || passwd->bv_len == 0 ) 281 1.1 lukem { 282 1.1 lukem return -1; 283 1.1 lukem } 284 1.1 lukem 285 1.1 lukem if (!pw_inited) lutil_passwd_init(); 286 1.1 lukem 287 1.1 lukem for( pws=pw_schemes; pws; pws=pws->next ) { 288 1.1 lukem if( pws->s.chk_fn ) { 289 1.1 lukem struct berval x; 290 1.1 lukem struct berval *p = passwd_scheme( &(pws->s), 291 1.1 lukem passwd, &x, schemes ); 292 1.1 lukem 293 1.1 lukem if( p != NULL ) { 294 1.1 lukem return (pws->s.chk_fn)( &(pws->s.name), p, cred, text ); 295 1.1 lukem } 296 1.1 lukem } 297 1.1 lukem } 298 1.1 lukem 299 1.1 lukem #ifdef SLAPD_CLEARTEXT 300 1.1 lukem /* Do we think there is a scheme specifier here that we 301 1.1 lukem * didn't recognize? Assume a scheme name is at least 1 character. 302 1.1 lukem */ 303 1.1 lukem if (( passwd->bv_val[0] == '{' ) && 304 1.1 lukem ( ber_bvchr( passwd, '}' ) > passwd->bv_val+1 )) 305 1.1 lukem { 306 1.1 lukem return 1; 307 1.1 lukem } 308 1.1 lukem if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) { 309 1.1 lukem return ( passwd->bv_len == cred->bv_len ) ? 310 1.1 lukem memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len ) 311 1.1 lukem : 1; 312 1.1 lukem } 313 1.1 lukem #endif 314 1.1 lukem return 1; 315 1.1 lukem } 316 1.1 lukem 317 1.1 lukem int lutil_passwd_generate( struct berval *pw, ber_len_t len ) 318 1.1 lukem { 319 1.1 lukem 320 1.1 lukem if( len < 1 ) return -1; 321 1.1 lukem 322 1.1 lukem pw->bv_len = len; 323 1.1 lukem pw->bv_val = ber_memalloc( len + 1 ); 324 1.1 lukem 325 1.1 lukem if( pw->bv_val == NULL ) { 326 1.1 lukem return -1; 327 1.1 lukem } 328 1.1 lukem 329 1.1 lukem if( lutil_entropy( (unsigned char *) pw->bv_val, pw->bv_len) < 0 ) { 330 1.1 lukem return -1; 331 1.1 lukem } 332 1.1 lukem 333 1.1 lukem for( len = 0; len < pw->bv_len; len++ ) { 334 1.1 lukem pw->bv_val[len] = crypt64[ 335 1.1 lukem pw->bv_val[len] % (sizeof(crypt64)-1) ]; 336 1.1 lukem } 337 1.1 lukem 338 1.1 lukem pw->bv_val[len] = '\0'; 339 1.1 lukem 340 1.1 lukem return 0; 341 1.1 lukem } 342 1.1 lukem 343 1.1 lukem int lutil_passwd_hash( 344 1.1 lukem const struct berval * passwd, 345 1.1 lukem const char * method, 346 1.1 lukem struct berval *hash, 347 1.1 lukem const char **text ) 348 1.1 lukem { 349 1.1 lukem const struct pw_scheme *sc = get_scheme( method ); 350 1.1 lukem 351 1.1 lukem hash->bv_val = NULL; 352 1.1 lukem hash->bv_len = 0; 353 1.1 lukem 354 1.1 lukem if( sc == NULL ) { 355 1.1 lukem if( text ) *text = "scheme not recognized"; 356 1.1 lukem return -1; 357 1.1 lukem } 358 1.1 lukem 359 1.1 lukem if( ! sc->hash_fn ) { 360 1.1 lukem if( text ) *text = "scheme provided no hash function"; 361 1.1 lukem return -1; 362 1.1 lukem } 363 1.1 lukem 364 1.1 lukem if( text ) *text = NULL; 365 1.1 lukem 366 1.1 lukem return (sc->hash_fn)( &sc->name, passwd, hash, text ); 367 1.1 lukem } 368 1.1 lukem 369 1.1.1.9 christos /* pw_string is only called when SLAPD_CRYPT is defined */ 370 1.1.1.9 christos #if defined(SLAPD_CRYPT) 371 1.1 lukem static int pw_string( 372 1.1 lukem const struct berval *sc, 373 1.1 lukem struct berval *passwd ) 374 1.1 lukem { 375 1.1 lukem struct berval pw; 376 1.1 lukem 377 1.1 lukem pw.bv_len = sc->bv_len + passwd->bv_len; 378 1.1 lukem pw.bv_val = ber_memalloc( pw.bv_len + 1 ); 379 1.1 lukem 380 1.1 lukem if( pw.bv_val == NULL ) { 381 1.1 lukem return LUTIL_PASSWD_ERR; 382 1.1 lukem } 383 1.1 lukem 384 1.1 lukem AC_MEMCPY( pw.bv_val, sc->bv_val, sc->bv_len ); 385 1.1 lukem AC_MEMCPY( &pw.bv_val[sc->bv_len], passwd->bv_val, passwd->bv_len ); 386 1.1 lukem 387 1.1 lukem pw.bv_val[pw.bv_len] = '\0'; 388 1.1 lukem *passwd = pw; 389 1.1 lukem 390 1.1 lukem return LUTIL_PASSWD_OK; 391 1.1 lukem } 392 1.1.1.9 christos #endif /* SLAPD_CRYPT */ 393 1.1 lukem 394 1.1.1.4 tron int lutil_passwd_string64( 395 1.1 lukem const struct berval *sc, 396 1.1 lukem const struct berval *hash, 397 1.1 lukem struct berval *b64, 398 1.1 lukem const struct berval *salt ) 399 1.1 lukem { 400 1.1 lukem int rc; 401 1.1 lukem struct berval string; 402 1.1 lukem size_t b64len; 403 1.1 lukem 404 1.1 lukem if( salt ) { 405 1.1 lukem /* need to base64 combined string */ 406 1.1 lukem string.bv_len = hash->bv_len + salt->bv_len; 407 1.1 lukem string.bv_val = ber_memalloc( string.bv_len + 1 ); 408 1.1 lukem 409 1.1 lukem if( string.bv_val == NULL ) { 410 1.1 lukem return LUTIL_PASSWD_ERR; 411 1.1 lukem } 412 1.1 lukem 413 1.1 lukem AC_MEMCPY( string.bv_val, hash->bv_val, 414 1.1 lukem hash->bv_len ); 415 1.1 lukem AC_MEMCPY( &string.bv_val[hash->bv_len], salt->bv_val, 416 1.1 lukem salt->bv_len ); 417 1.1 lukem string.bv_val[string.bv_len] = '\0'; 418 1.1 lukem 419 1.1 lukem } else { 420 1.1 lukem string = *hash; 421 1.1 lukem } 422 1.1 lukem 423 1.1 lukem b64len = LUTIL_BASE64_ENCODE_LEN( string.bv_len ) + 1; 424 1.1 lukem b64->bv_len = b64len + sc->bv_len; 425 1.1 lukem b64->bv_val = ber_memalloc( b64->bv_len + 1 ); 426 1.1 lukem 427 1.1 lukem if( b64->bv_val == NULL ) { 428 1.1 lukem if( salt ) ber_memfree( string.bv_val ); 429 1.1 lukem return LUTIL_PASSWD_ERR; 430 1.1 lukem } 431 1.1 lukem 432 1.1 lukem AC_MEMCPY(b64->bv_val, sc->bv_val, sc->bv_len); 433 1.1 lukem 434 1.1 lukem rc = lutil_b64_ntop( 435 1.1 lukem (unsigned char *) string.bv_val, string.bv_len, 436 1.1 lukem &b64->bv_val[sc->bv_len], b64len ); 437 1.1 lukem 438 1.1 lukem if( salt ) ber_memfree( string.bv_val ); 439 1.1 lukem 440 1.1 lukem if( rc < 0 ) { 441 1.1 lukem return LUTIL_PASSWD_ERR; 442 1.1 lukem } 443 1.1 lukem 444 1.1 lukem /* recompute length */ 445 1.1 lukem b64->bv_len = sc->bv_len + rc; 446 1.1 lukem assert( strlen(b64->bv_val) == b64->bv_len ); 447 1.1 lukem return LUTIL_PASSWD_OK; 448 1.1 lukem } 449 1.1 lukem 450 1.1 lukem /* PASSWORD CHECK ROUTINES */ 451 1.1 lukem 452 1.1 lukem #ifdef LUTIL_SHA1_BYTES 453 1.1 lukem static int chk_ssha1( 454 1.1 lukem const struct berval *sc, 455 1.1 lukem const struct berval * passwd, 456 1.1 lukem const struct berval * cred, 457 1.1 lukem const char **text ) 458 1.1 lukem { 459 1.1 lukem lutil_SHA1_CTX SHA1context; 460 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 461 1.1 lukem int rc; 462 1.1 lukem unsigned char *orig_pass = NULL; 463 1.1.1.5 christos size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); 464 1.1 lukem 465 1.1 lukem /* safety check -- must have some salt */ 466 1.1.1.5 christos if (decode_len <= sizeof(SHA1digest)) { 467 1.1 lukem return LUTIL_PASSWD_ERR; 468 1.1 lukem } 469 1.1 lukem 470 1.1 lukem /* decode base64 password */ 471 1.1.1.5 christos orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); 472 1.1 lukem 473 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 474 1.1 lukem 475 1.1.1.5 christos rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); 476 1.1 lukem 477 1.1 lukem /* safety check -- must have some salt */ 478 1.1 lukem if (rc <= (int)(sizeof(SHA1digest))) { 479 1.1 lukem ber_memfree(orig_pass); 480 1.1 lukem return LUTIL_PASSWD_ERR; 481 1.1 lukem } 482 1.1 lukem 483 1.1 lukem /* hash credentials with salt */ 484 1.1 lukem lutil_SHA1Init(&SHA1context); 485 1.1 lukem lutil_SHA1Update(&SHA1context, 486 1.1 lukem (const unsigned char *) cred->bv_val, cred->bv_len); 487 1.1 lukem lutil_SHA1Update(&SHA1context, 488 1.1 lukem (const unsigned char *) &orig_pass[sizeof(SHA1digest)], 489 1.1 lukem rc - sizeof(SHA1digest)); 490 1.1 lukem lutil_SHA1Final(SHA1digest, &SHA1context); 491 1.1 lukem 492 1.1 lukem /* compare */ 493 1.1 lukem rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); 494 1.1 lukem ber_memfree(orig_pass); 495 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 496 1.1 lukem } 497 1.1 lukem 498 1.1 lukem static int chk_sha1( 499 1.1 lukem const struct berval *sc, 500 1.1 lukem const struct berval * passwd, 501 1.1 lukem const struct berval * cred, 502 1.1 lukem const char **text ) 503 1.1 lukem { 504 1.1 lukem lutil_SHA1_CTX SHA1context; 505 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 506 1.1 lukem int rc; 507 1.1 lukem unsigned char *orig_pass = NULL; 508 1.1.1.5 christos size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); 509 1.1 lukem 510 1.1 lukem /* safety check */ 511 1.1.1.5 christos if (decode_len < sizeof(SHA1digest)) { 512 1.1 lukem return LUTIL_PASSWD_ERR; 513 1.1 lukem } 514 1.1 lukem 515 1.1 lukem /* base64 un-encode password */ 516 1.1.1.5 christos orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); 517 1.1 lukem 518 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 519 1.1 lukem 520 1.1.1.5 christos rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); 521 1.1 lukem 522 1.1 lukem if( rc != sizeof(SHA1digest) ) { 523 1.1 lukem ber_memfree(orig_pass); 524 1.1 lukem return LUTIL_PASSWD_ERR; 525 1.1 lukem } 526 1.1 lukem 527 1.1 lukem /* hash credentials with salt */ 528 1.1 lukem lutil_SHA1Init(&SHA1context); 529 1.1 lukem lutil_SHA1Update(&SHA1context, 530 1.1 lukem (const unsigned char *) cred->bv_val, cred->bv_len); 531 1.1 lukem lutil_SHA1Final(SHA1digest, &SHA1context); 532 1.1 lukem 533 1.1 lukem /* compare */ 534 1.1 lukem rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); 535 1.1 lukem ber_memfree(orig_pass); 536 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 537 1.1 lukem } 538 1.1 lukem #endif 539 1.1 lukem 540 1.1 lukem static int chk_smd5( 541 1.1 lukem const struct berval *sc, 542 1.1 lukem const struct berval * passwd, 543 1.1 lukem const struct berval * cred, 544 1.1 lukem const char **text ) 545 1.1 lukem { 546 1.1 lukem lutil_MD5_CTX MD5context; 547 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 548 1.1 lukem int rc; 549 1.1 lukem unsigned char *orig_pass = NULL; 550 1.1.1.5 christos size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); 551 1.1 lukem 552 1.1 lukem /* safety check */ 553 1.1.1.5 christos if (decode_len <= sizeof(MD5digest)) { 554 1.1 lukem return LUTIL_PASSWD_ERR; 555 1.1 lukem } 556 1.1 lukem 557 1.1 lukem /* base64 un-encode password */ 558 1.1.1.5 christos orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); 559 1.1 lukem 560 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 561 1.1 lukem 562 1.1.1.5 christos rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); 563 1.1 lukem 564 1.1 lukem if (rc <= (int)(sizeof(MD5digest))) { 565 1.1 lukem ber_memfree(orig_pass); 566 1.1 lukem return LUTIL_PASSWD_ERR; 567 1.1 lukem } 568 1.1 lukem 569 1.1 lukem /* hash credentials with salt */ 570 1.1 lukem lutil_MD5Init(&MD5context); 571 1.1 lukem lutil_MD5Update(&MD5context, 572 1.1 lukem (const unsigned char *) cred->bv_val, 573 1.1 lukem cred->bv_len ); 574 1.1 lukem lutil_MD5Update(&MD5context, 575 1.1 lukem &orig_pass[sizeof(MD5digest)], 576 1.1 lukem rc - sizeof(MD5digest)); 577 1.1 lukem lutil_MD5Final(MD5digest, &MD5context); 578 1.1 lukem 579 1.1 lukem /* compare */ 580 1.1 lukem rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); 581 1.1 lukem ber_memfree(orig_pass); 582 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 583 1.1 lukem } 584 1.1 lukem 585 1.1 lukem static int chk_md5( 586 1.1 lukem const struct berval *sc, 587 1.1 lukem const struct berval * passwd, 588 1.1 lukem const struct berval * cred, 589 1.1 lukem const char **text ) 590 1.1 lukem { 591 1.1 lukem lutil_MD5_CTX MD5context; 592 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 593 1.1 lukem int rc; 594 1.1 lukem unsigned char *orig_pass = NULL; 595 1.1.1.5 christos size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); 596 1.1 lukem 597 1.1 lukem /* safety check */ 598 1.1.1.5 christos if (decode_len < sizeof(MD5digest)) { 599 1.1 lukem return LUTIL_PASSWD_ERR; 600 1.1 lukem } 601 1.1 lukem 602 1.1 lukem /* base64 un-encode password */ 603 1.1.1.5 christos orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); 604 1.1 lukem 605 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 606 1.1 lukem 607 1.1.1.5 christos rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); 608 1.1 lukem if ( rc != sizeof(MD5digest) ) { 609 1.1 lukem ber_memfree(orig_pass); 610 1.1 lukem return LUTIL_PASSWD_ERR; 611 1.1 lukem } 612 1.1 lukem 613 1.1 lukem /* hash credentials with salt */ 614 1.1 lukem lutil_MD5Init(&MD5context); 615 1.1 lukem lutil_MD5Update(&MD5context, 616 1.1 lukem (const unsigned char *) cred->bv_val, 617 1.1 lukem cred->bv_len ); 618 1.1 lukem lutil_MD5Final(MD5digest, &MD5context); 619 1.1 lukem 620 1.1 lukem /* compare */ 621 1.1 lukem rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); 622 1.1 lukem ber_memfree(orig_pass); 623 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 624 1.1 lukem } 625 1.1 lukem 626 1.1 lukem #ifdef SLAPD_CRYPT 627 1.1 lukem static int lutil_crypt( 628 1.1 lukem const char *key, 629 1.1 lukem const char *salt, 630 1.1 lukem char **hash ) 631 1.1 lukem { 632 1.1 lukem char *cr = crypt( key, salt ); 633 1.1 lukem int rc; 634 1.1 lukem 635 1.1 lukem if( cr == NULL || cr[0] == '\0' ) { 636 1.1 lukem /* salt must have been invalid */ 637 1.1 lukem rc = LUTIL_PASSWD_ERR; 638 1.1 lukem } else { 639 1.1 lukem if ( hash ) { 640 1.1 lukem *hash = ber_strdup( cr ); 641 1.1 lukem rc = LUTIL_PASSWD_OK; 642 1.1 lukem } else { 643 1.1 lukem rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 644 1.1 lukem } 645 1.1 lukem } 646 1.1 lukem return rc; 647 1.1 lukem } 648 1.1 lukem 649 1.1 lukem static int chk_crypt( 650 1.1 lukem const struct berval *sc, 651 1.1 lukem const struct berval * passwd, 652 1.1 lukem const struct berval * cred, 653 1.1 lukem const char **text ) 654 1.1 lukem { 655 1.1 lukem unsigned int i; 656 1.1 lukem 657 1.1 lukem for( i=0; i<cred->bv_len; i++) { 658 1.1 lukem if(cred->bv_val[i] == '\0') { 659 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 660 1.1 lukem } 661 1.1 lukem } 662 1.1 lukem 663 1.1 lukem if( cred->bv_val[i] != '\0' ) { 664 1.1 lukem return LUTIL_PASSWD_ERR; /* cred must behave like a string */ 665 1.1 lukem } 666 1.1 lukem 667 1.1 lukem if( passwd->bv_len < 2 ) { 668 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must be at least two characters long */ 669 1.1 lukem } 670 1.1 lukem 671 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 672 1.1 lukem if(passwd->bv_val[i] == '\0') { 673 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 674 1.1 lukem } 675 1.1 lukem } 676 1.1 lukem 677 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 678 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 679 1.1 lukem } 680 1.1 lukem 681 1.1 lukem return lutil_cryptptr( cred->bv_val, passwd->bv_val, NULL ); 682 1.1 lukem } 683 1.1 lukem 684 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 685 1.1 lukem static int chk_unix( 686 1.1 lukem const struct berval *sc, 687 1.1 lukem const struct berval * passwd, 688 1.1 lukem const struct berval * cred, 689 1.1 lukem const char **text ) 690 1.1 lukem { 691 1.1 lukem unsigned int i; 692 1.1 lukem char *pw; 693 1.1 lukem 694 1.1 lukem for( i=0; i<cred->bv_len; i++) { 695 1.1 lukem if(cred->bv_val[i] == '\0') { 696 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 697 1.1 lukem } 698 1.1 lukem } 699 1.1 lukem if( cred->bv_val[i] != '\0' ) { 700 1.1 lukem return LUTIL_PASSWD_ERR; /* cred must behave like a string */ 701 1.1 lukem } 702 1.1 lukem 703 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 704 1.1 lukem if(passwd->bv_val[i] == '\0') { 705 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 706 1.1 lukem } 707 1.1 lukem } 708 1.1 lukem 709 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 710 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 711 1.1 lukem } 712 1.1 lukem 713 1.1 lukem { 714 1.1 lukem struct passwd *pwd = getpwnam(passwd->bv_val); 715 1.1 lukem 716 1.1 lukem if(pwd == NULL) { 717 1.1 lukem return LUTIL_PASSWD_ERR; /* not found */ 718 1.1 lukem } 719 1.1 lukem 720 1.1 lukem pw = pwd->pw_passwd; 721 1.1 lukem } 722 1.1 lukem # ifdef HAVE_GETSPNAM 723 1.1 lukem { 724 1.1 lukem struct spwd *spwd = getspnam(passwd->bv_val); 725 1.1 lukem 726 1.1 lukem if(spwd != NULL) { 727 1.1 lukem pw = spwd->sp_pwdp; 728 1.1 lukem } 729 1.1 lukem } 730 1.1 lukem # endif 731 1.1 lukem # ifdef HAVE_AIX_SECURITY 732 1.1 lukem { 733 1.1 lukem struct userpw *upw = getuserpw(passwd->bv_val); 734 1.1 lukem 735 1.1 lukem if (upw != NULL) { 736 1.1 lukem pw = upw->upw_passwd; 737 1.1 lukem } 738 1.1 lukem } 739 1.1 lukem # endif 740 1.1 lukem 741 1.1 lukem if( pw == NULL || pw[0] == '\0' || pw[1] == '\0' ) { 742 1.1 lukem /* password must must be at least two characters long */ 743 1.1 lukem return LUTIL_PASSWD_ERR; 744 1.1 lukem } 745 1.1 lukem 746 1.1 lukem return lutil_cryptptr( cred->bv_val, pw, NULL ); 747 1.1 lukem } 748 1.1 lukem # endif 749 1.1 lukem #endif 750 1.1 lukem 751 1.1 lukem /* PASSWORD GENERATION ROUTINES */ 752 1.1 lukem 753 1.1 lukem #ifdef LUTIL_SHA1_BYTES 754 1.1 lukem static int hash_ssha1( 755 1.1 lukem const struct berval *scheme, 756 1.1 lukem const struct berval *passwd, 757 1.1 lukem struct berval *hash, 758 1.1 lukem const char **text ) 759 1.1 lukem { 760 1.1 lukem lutil_SHA1_CTX SHA1context; 761 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 762 1.1 lukem char saltdata[SALT_SIZE]; 763 1.1 lukem struct berval digest; 764 1.1 lukem struct berval salt; 765 1.1 lukem 766 1.1 lukem digest.bv_val = (char *) SHA1digest; 767 1.1 lukem digest.bv_len = sizeof(SHA1digest); 768 1.1 lukem salt.bv_val = saltdata; 769 1.1 lukem salt.bv_len = sizeof(saltdata); 770 1.1 lukem 771 1.1 lukem if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) { 772 1.1 lukem return LUTIL_PASSWD_ERR; 773 1.1 lukem } 774 1.1 lukem 775 1.1 lukem lutil_SHA1Init( &SHA1context ); 776 1.1 lukem lutil_SHA1Update( &SHA1context, 777 1.1 lukem (const unsigned char *)passwd->bv_val, passwd->bv_len ); 778 1.1 lukem lutil_SHA1Update( &SHA1context, 779 1.1 lukem (const unsigned char *)salt.bv_val, salt.bv_len ); 780 1.1 lukem lutil_SHA1Final( SHA1digest, &SHA1context ); 781 1.1 lukem 782 1.1.1.4 tron return lutil_passwd_string64( scheme, &digest, hash, &salt); 783 1.1 lukem } 784 1.1 lukem 785 1.1 lukem static int hash_sha1( 786 1.1 lukem const struct berval *scheme, 787 1.1 lukem const struct berval *passwd, 788 1.1 lukem struct berval *hash, 789 1.1 lukem const char **text ) 790 1.1 lukem { 791 1.1 lukem lutil_SHA1_CTX SHA1context; 792 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 793 1.1 lukem struct berval digest; 794 1.1 lukem digest.bv_val = (char *) SHA1digest; 795 1.1 lukem digest.bv_len = sizeof(SHA1digest); 796 1.1 lukem 797 1.1 lukem lutil_SHA1Init( &SHA1context ); 798 1.1 lukem lutil_SHA1Update( &SHA1context, 799 1.1 lukem (const unsigned char *)passwd->bv_val, passwd->bv_len ); 800 1.1 lukem lutil_SHA1Final( SHA1digest, &SHA1context ); 801 1.1 lukem 802 1.1.1.4 tron return lutil_passwd_string64( scheme, &digest, hash, NULL); 803 1.1 lukem } 804 1.1 lukem #endif 805 1.1 lukem 806 1.1 lukem static int hash_smd5( 807 1.1 lukem const struct berval *scheme, 808 1.1 lukem const struct berval *passwd, 809 1.1 lukem struct berval *hash, 810 1.1 lukem const char **text ) 811 1.1 lukem { 812 1.1 lukem lutil_MD5_CTX MD5context; 813 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 814 1.1 lukem char saltdata[SALT_SIZE]; 815 1.1 lukem struct berval digest; 816 1.1 lukem struct berval salt; 817 1.1 lukem 818 1.1 lukem digest.bv_val = (char *) MD5digest; 819 1.1 lukem digest.bv_len = sizeof(MD5digest); 820 1.1 lukem salt.bv_val = saltdata; 821 1.1 lukem salt.bv_len = sizeof(saltdata); 822 1.1 lukem 823 1.1 lukem if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) { 824 1.1 lukem return LUTIL_PASSWD_ERR; 825 1.1 lukem } 826 1.1 lukem 827 1.1 lukem lutil_MD5Init( &MD5context ); 828 1.1 lukem lutil_MD5Update( &MD5context, 829 1.1 lukem (const unsigned char *) passwd->bv_val, passwd->bv_len ); 830 1.1 lukem lutil_MD5Update( &MD5context, 831 1.1 lukem (const unsigned char *) salt.bv_val, salt.bv_len ); 832 1.1 lukem lutil_MD5Final( MD5digest, &MD5context ); 833 1.1 lukem 834 1.1.1.4 tron return lutil_passwd_string64( scheme, &digest, hash, &salt ); 835 1.1 lukem } 836 1.1 lukem 837 1.1 lukem static int hash_md5( 838 1.1 lukem const struct berval *scheme, 839 1.1 lukem const struct berval *passwd, 840 1.1 lukem struct berval *hash, 841 1.1 lukem const char **text ) 842 1.1 lukem { 843 1.1 lukem lutil_MD5_CTX MD5context; 844 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 845 1.1 lukem 846 1.1 lukem struct berval digest; 847 1.1 lukem 848 1.1 lukem digest.bv_val = (char *) MD5digest; 849 1.1 lukem digest.bv_len = sizeof(MD5digest); 850 1.1 lukem 851 1.1 lukem lutil_MD5Init( &MD5context ); 852 1.1 lukem lutil_MD5Update( &MD5context, 853 1.1 lukem (const unsigned char *) passwd->bv_val, passwd->bv_len ); 854 1.1 lukem lutil_MD5Final( MD5digest, &MD5context ); 855 1.1 lukem 856 1.1.1.4 tron return lutil_passwd_string64( scheme, &digest, hash, NULL ); 857 1.1 lukem ; 858 1.1 lukem } 859 1.1 lukem 860 1.1 lukem #ifdef SLAPD_CRYPT 861 1.1 lukem static int hash_crypt( 862 1.1 lukem const struct berval *scheme, 863 1.1 lukem const struct berval *passwd, 864 1.1 lukem struct berval *hash, 865 1.1 lukem const char **text ) 866 1.1 lukem { 867 1.1 lukem unsigned char salt[32]; /* salt suitable for most anything */ 868 1.1 lukem unsigned int i; 869 1.1 lukem char *save; 870 1.1 lukem int rc; 871 1.1 lukem 872 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 873 1.1 lukem if(passwd->bv_val[i] == '\0') { 874 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 875 1.1 lukem } 876 1.1 lukem } 877 1.1 lukem 878 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 879 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 880 1.1 lukem } 881 1.1 lukem 882 1.1 lukem if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) { 883 1.1 lukem return LUTIL_PASSWD_ERR; 884 1.1 lukem } 885 1.1 lukem 886 1.1 lukem for( i=0; i< ( sizeof(salt) - 1 ); i++ ) { 887 1.1 lukem salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ]; 888 1.1 lukem } 889 1.1 lukem salt[sizeof( salt ) - 1 ] = '\0'; 890 1.1 lukem 891 1.1 lukem if( salt_format != NULL ) { 892 1.1 lukem /* copy the salt we made into entropy before snprintfing 893 1.1 lukem it back into the salt */ 894 1.1 lukem char entropy[sizeof(salt)]; 895 1.1 lukem strcpy( entropy, (char *) salt ); 896 1.1 lukem snprintf( (char *) salt, sizeof(entropy), salt_format, entropy ); 897 1.1 lukem } 898 1.1 lukem 899 1.1 lukem rc = lutil_cryptptr( passwd->bv_val, (char *) salt, &hash->bv_val ); 900 1.1 lukem if ( rc != LUTIL_PASSWD_OK ) return rc; 901 1.1 lukem 902 1.1 lukem if( hash->bv_val == NULL ) return -1; 903 1.1 lukem 904 1.1 lukem hash->bv_len = strlen( hash->bv_val ); 905 1.1 lukem 906 1.1 lukem save = hash->bv_val; 907 1.1 lukem 908 1.1 lukem if( hash->bv_len == 0 ) { 909 1.1 lukem rc = LUTIL_PASSWD_ERR; 910 1.1 lukem } else { 911 1.1 lukem rc = pw_string( scheme, hash ); 912 1.1 lukem } 913 1.1 lukem ber_memfree( save ); 914 1.1 lukem return rc; 915 1.1 lukem } 916 1.1 lukem #endif 917 1.1 lukem 918 1.1 lukem int lutil_salt_format(const char *format) 919 1.1 lukem { 920 1.1 lukem #ifdef SLAPD_CRYPT 921 1.1.1.2 lukem ber_memfree( salt_format ); 922 1.1 lukem 923 1.1 lukem salt_format = format != NULL ? ber_strdup( format ) : NULL; 924 1.1 lukem #endif 925 1.1 lukem 926 1.1 lukem return 0; 927 1.1 lukem } 928 1.1 lukem 929 1.1 lukem #ifdef SLAPD_CLEARTEXT 930 1.1 lukem static int hash_clear( 931 1.1 lukem const struct berval *scheme, 932 1.1 lukem const struct berval *passwd, 933 1.1 lukem struct berval *hash, 934 1.1 lukem const char **text ) 935 1.1 lukem { 936 1.1 lukem ber_dupbv( hash, (struct berval *)passwd ); 937 1.1 lukem return LUTIL_PASSWD_OK; 938 1.1 lukem } 939 1.1 lukem #endif 940 1.1 lukem 941
Indexes created Mon Mar 16 00:23:04 UTC 2026