passwd.c revision 1.1.1.2
1 1.1.1.2 lukem /* $NetBSD: passwd.c,v 1.1.1.2 2010/03/08 02:14:20 lukem Exp $ */ 2 1.1.1.2 lukem 3 1.1.1.2 lukem /* OpenLDAP: pkg/ldap/libraries/liblutil/passwd.c,v 1.104.2.9 2009/08/30 22:55:47 quanah Exp */ 4 1.1 lukem /* This work is part of OpenLDAP Software <http://www.openldap.org/>. 5 1.1 lukem * 6 1.1.1.2 lukem * Copyright 1998-2009 The OpenLDAP Foundation. 7 1.1 lukem * All rights reserved. 8 1.1 lukem * 9 1.1 lukem * Redistribution and use in source and binary forms, with or without 10 1.1 lukem * modification, are permitted only as authorized by the OpenLDAP 11 1.1 lukem * Public License. 12 1.1 lukem * 13 1.1 lukem * A copy of this license is available in the file LICENSE in the 14 1.1 lukem * top-level directory of the distribution or, alternatively, at 15 1.1 lukem * <http://www.OpenLDAP.org/license.html>. 16 1.1 lukem */ 17 1.1 lukem 18 1.1 lukem /* 19 1.1 lukem * int lutil_passwd( 20 1.1 lukem * const struct berval *passwd, 21 1.1 lukem * const struct berval *cred, 22 1.1 lukem * const char **schemes ) 23 1.1 lukem * 24 1.1 lukem * Returns true if user supplied credentials (cred) matches 25 1.1 lukem * the stored password (passwd). 26 1.1 lukem * 27 1.1 lukem * Due to the use of the crypt(3) function 28 1.1 lukem * this routine is NOT thread-safe. 29 1.1 lukem */ 30 1.1 lukem 31 1.1 lukem #include "portable.h" 32 1.1 lukem 33 1.1 lukem #include <stdio.h> 34 1.1 lukem #include <ac/stdlib.h> 35 1.1 lukem #include <ac/string.h> 36 1.1 lukem #include <ac/unistd.h> 37 1.1 lukem 38 1.1 lukem #if defined(SLAPD_LMHASH) 39 1.1.1.2 lukem #if defined(HAVE_OPENSSL) 40 1.1 lukem # include <openssl/des.h> 41 1.1.1.2 lukem 42 1.1.1.2 lukem 43 1.1.1.2 lukem typedef des_cblock des_key; 44 1.1.1.2 lukem typedef des_cblock des_data_block; 45 1.1.1.2 lukem typedef des_key_schedule des_context; 46 1.1.1.2 lukem #define des_failed(encrypted) 0 47 1.1.1.2 lukem #define des_finish(key, schedule) 48 1.1.1.2 lukem 49 1.1.1.2 lukem #elif defined(HAVE_MOZNSS) 50 1.1.1.2 lukem /* 51 1.1.1.2 lukem hack hack hack 52 1.1.1.2 lukem We need to define this here so that nspr/obsolete/protypes.h will not be included 53 1.1.1.2 lukem if that file is included, it will create a uint32 typedef that will cause the 54 1.1.1.2 lukem one in lutil_sha1.h to blow up 55 1.1.1.2 lukem */ 56 1.1.1.2 lukem #define PROTYPES_H 1 57 1.1.1.2 lukem # include <nss/pk11pub.h> 58 1.1.1.2 lukem typedef PK11SymKey *des_key; 59 1.1.1.2 lukem typedef unsigned char des_data_block[8]; 60 1.1.1.2 lukem typedef PK11Context *des_context[1]; 61 1.1.1.2 lukem #define DES_ENCRYPT CKA_ENCRYPT 62 1.1.1.2 lukem 63 1.1.1.2 lukem #endif 64 1.1.1.2 lukem 65 1.1 lukem #endif /* SLAPD_LMHASH */ 66 1.1 lukem 67 1.1 lukem #include <ac/param.h> 68 1.1 lukem 69 1.1 lukem #ifdef SLAPD_CRYPT 70 1.1 lukem # include <ac/crypt.h> 71 1.1 lukem 72 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 73 1.1 lukem # ifdef HAVE_SHADOW_H 74 1.1 lukem # include <shadow.h> 75 1.1 lukem # endif 76 1.1 lukem # ifdef HAVE_PWD_H 77 1.1 lukem # include <pwd.h> 78 1.1 lukem # endif 79 1.1 lukem # ifdef HAVE_AIX_SECURITY 80 1.1 lukem # include <userpw.h> 81 1.1 lukem # endif 82 1.1 lukem # endif 83 1.1 lukem #endif 84 1.1 lukem 85 1.1 lukem #include <lber.h> 86 1.1 lukem 87 1.1 lukem #include "ldap_pvt.h" 88 1.1 lukem #include "lber_pvt.h" 89 1.1 lukem 90 1.1 lukem #include "lutil_md5.h" 91 1.1 lukem #include "lutil_sha1.h" 92 1.1 lukem #include "lutil.h" 93 1.1 lukem 94 1.1 lukem static const unsigned char crypt64[] = 95 1.1 lukem "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./"; 96 1.1 lukem 97 1.1 lukem #ifdef SLAPD_CRYPT 98 1.1 lukem static char *salt_format = NULL; 99 1.1 lukem static lutil_cryptfunc lutil_crypt; 100 1.1 lukem lutil_cryptfunc *lutil_cryptptr = lutil_crypt; 101 1.1 lukem #endif 102 1.1 lukem 103 1.1 lukem /* KLUDGE: 104 1.1 lukem * chk_fn is NULL iff name is {CLEARTEXT} 105 1.1 lukem * otherwise, things will break 106 1.1 lukem */ 107 1.1 lukem struct pw_scheme { 108 1.1 lukem struct berval name; 109 1.1 lukem LUTIL_PASSWD_CHK_FUNC *chk_fn; 110 1.1 lukem LUTIL_PASSWD_HASH_FUNC *hash_fn; 111 1.1 lukem }; 112 1.1 lukem 113 1.1 lukem struct pw_slist { 114 1.1 lukem struct pw_slist *next; 115 1.1 lukem struct pw_scheme s; 116 1.1 lukem }; 117 1.1 lukem 118 1.1 lukem /* password check routines */ 119 1.1 lukem 120 1.1 lukem #define SALT_SIZE 4 121 1.1 lukem 122 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_md5; 123 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_smd5; 124 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_smd5; 125 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_md5; 126 1.1 lukem 127 1.1 lukem 128 1.1 lukem #ifdef LUTIL_SHA1_BYTES 129 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_ssha1; 130 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_sha1; 131 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_sha1; 132 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_ssha1; 133 1.1 lukem #endif 134 1.1 lukem 135 1.1 lukem #ifdef SLAPD_LMHASH 136 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_lanman; 137 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_lanman; 138 1.1 lukem #endif 139 1.1 lukem 140 1.1 lukem #ifdef SLAPD_CRYPT 141 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_crypt; 142 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_crypt; 143 1.1 lukem 144 1.1 lukem #if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 145 1.1 lukem static LUTIL_PASSWD_CHK_FUNC chk_unix; 146 1.1 lukem #endif 147 1.1 lukem #endif 148 1.1 lukem 149 1.1 lukem /* password hash routines */ 150 1.1 lukem 151 1.1 lukem #ifdef SLAPD_CLEARTEXT 152 1.1 lukem static LUTIL_PASSWD_HASH_FUNC hash_clear; 153 1.1 lukem #endif 154 1.1 lukem 155 1.1 lukem static struct pw_slist *pw_schemes; 156 1.1 lukem static int pw_inited; 157 1.1 lukem 158 1.1 lukem static const struct pw_scheme pw_schemes_default[] = 159 1.1 lukem { 160 1.1 lukem #ifdef LUTIL_SHA1_BYTES 161 1.1 lukem { BER_BVC("{SSHA}"), chk_ssha1, hash_ssha1 }, 162 1.1 lukem { BER_BVC("{SHA}"), chk_sha1, hash_sha1 }, 163 1.1 lukem #endif 164 1.1 lukem 165 1.1 lukem { BER_BVC("{SMD5}"), chk_smd5, hash_smd5 }, 166 1.1 lukem { BER_BVC("{MD5}"), chk_md5, hash_md5 }, 167 1.1 lukem 168 1.1 lukem #ifdef SLAPD_LMHASH 169 1.1 lukem { BER_BVC("{LANMAN}"), chk_lanman, hash_lanman }, 170 1.1 lukem #endif /* SLAPD_LMHASH */ 171 1.1 lukem 172 1.1 lukem #ifdef SLAPD_CRYPT 173 1.1 lukem { BER_BVC("{CRYPT}"), chk_crypt, hash_crypt }, 174 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 175 1.1 lukem { BER_BVC("{UNIX}"), chk_unix, NULL }, 176 1.1 lukem # endif 177 1.1 lukem #endif 178 1.1 lukem 179 1.1 lukem #ifdef SLAPD_CLEARTEXT 180 1.1 lukem /* pseudo scheme */ 181 1.1 lukem { BER_BVC("{CLEARTEXT}"), NULL, hash_clear }, 182 1.1 lukem #endif 183 1.1 lukem 184 1.1 lukem { BER_BVNULL, NULL, NULL } 185 1.1 lukem }; 186 1.1 lukem 187 1.1 lukem int lutil_passwd_add( 188 1.1 lukem struct berval *scheme, 189 1.1 lukem LUTIL_PASSWD_CHK_FUNC *chk, 190 1.1 lukem LUTIL_PASSWD_HASH_FUNC *hash ) 191 1.1 lukem { 192 1.1 lukem struct pw_slist *ptr; 193 1.1 lukem 194 1.1 lukem if (!pw_inited) lutil_passwd_init(); 195 1.1 lukem 196 1.1 lukem ptr = ber_memalloc( sizeof( struct pw_slist )); 197 1.1 lukem if (!ptr) return -1; 198 1.1 lukem ptr->next = pw_schemes; 199 1.1 lukem ptr->s.name = *scheme; 200 1.1 lukem ptr->s.chk_fn = chk; 201 1.1 lukem ptr->s.hash_fn = hash; 202 1.1 lukem pw_schemes = ptr; 203 1.1 lukem return 0; 204 1.1 lukem } 205 1.1 lukem 206 1.1 lukem void lutil_passwd_init() 207 1.1 lukem { 208 1.1 lukem struct pw_scheme *s; 209 1.1 lukem 210 1.1 lukem pw_inited = 1; 211 1.1 lukem 212 1.1 lukem for( s=(struct pw_scheme *)pw_schemes_default; s->name.bv_val; s++) { 213 1.1 lukem if ( lutil_passwd_add( &s->name, s->chk_fn, s->hash_fn ) ) break; 214 1.1 lukem } 215 1.1 lukem } 216 1.1 lukem 217 1.1 lukem void lutil_passwd_destroy() 218 1.1 lukem { 219 1.1 lukem struct pw_slist *ptr, *next; 220 1.1 lukem 221 1.1 lukem for( ptr=pw_schemes; ptr; ptr=next ) { 222 1.1 lukem next = ptr->next; 223 1.1 lukem ber_memfree( ptr ); 224 1.1 lukem } 225 1.1 lukem } 226 1.1 lukem 227 1.1 lukem static const struct pw_scheme *get_scheme( 228 1.1 lukem const char* scheme ) 229 1.1 lukem { 230 1.1 lukem struct pw_slist *pws; 231 1.1 lukem struct berval bv; 232 1.1 lukem 233 1.1 lukem if (!pw_inited) lutil_passwd_init(); 234 1.1 lukem 235 1.1 lukem bv.bv_val = strchr( scheme, '}' ); 236 1.1 lukem if ( !bv.bv_val ) 237 1.1 lukem return NULL; 238 1.1 lukem 239 1.1 lukem bv.bv_len = bv.bv_val - scheme + 1; 240 1.1 lukem bv.bv_val = (char *) scheme; 241 1.1 lukem 242 1.1 lukem for( pws=pw_schemes; pws; pws=pws->next ) { 243 1.1 lukem if ( ber_bvstrcasecmp(&bv, &pws->s.name ) == 0 ) { 244 1.1 lukem return &(pws->s); 245 1.1 lukem } 246 1.1 lukem } 247 1.1 lukem 248 1.1 lukem return NULL; 249 1.1 lukem } 250 1.1 lukem 251 1.1 lukem int lutil_passwd_scheme( 252 1.1 lukem const char* scheme ) 253 1.1 lukem { 254 1.1 lukem if( scheme == NULL ) { 255 1.1 lukem return 0; 256 1.1 lukem } 257 1.1 lukem 258 1.1 lukem return get_scheme(scheme) != NULL; 259 1.1 lukem } 260 1.1 lukem 261 1.1 lukem 262 1.1 lukem static int is_allowed_scheme( 263 1.1 lukem const char* scheme, 264 1.1 lukem const char** schemes ) 265 1.1 lukem { 266 1.1 lukem int i; 267 1.1 lukem 268 1.1 lukem if( schemes == NULL ) return 1; 269 1.1 lukem 270 1.1 lukem for( i=0; schemes[i] != NULL; i++ ) { 271 1.1 lukem if( strcasecmp( scheme, schemes[i] ) == 0 ) { 272 1.1 lukem return 1; 273 1.1 lukem } 274 1.1 lukem } 275 1.1 lukem return 0; 276 1.1 lukem } 277 1.1 lukem 278 1.1 lukem static struct berval *passwd_scheme( 279 1.1 lukem const struct pw_scheme *scheme, 280 1.1 lukem const struct berval * passwd, 281 1.1 lukem struct berval *bv, 282 1.1 lukem const char** allowed ) 283 1.1 lukem { 284 1.1 lukem if( !is_allowed_scheme( scheme->name.bv_val, allowed ) ) { 285 1.1 lukem return NULL; 286 1.1 lukem } 287 1.1 lukem 288 1.1 lukem if( passwd->bv_len >= scheme->name.bv_len ) { 289 1.1 lukem if( strncasecmp( passwd->bv_val, scheme->name.bv_val, scheme->name.bv_len ) == 0 ) { 290 1.1 lukem bv->bv_val = &passwd->bv_val[scheme->name.bv_len]; 291 1.1 lukem bv->bv_len = passwd->bv_len - scheme->name.bv_len; 292 1.1 lukem 293 1.1 lukem return bv; 294 1.1 lukem } 295 1.1 lukem } 296 1.1 lukem 297 1.1 lukem return NULL; 298 1.1 lukem } 299 1.1 lukem 300 1.1 lukem /* 301 1.1 lukem * Return 0 if creds are good. 302 1.1 lukem */ 303 1.1 lukem int 304 1.1 lukem lutil_passwd( 305 1.1 lukem const struct berval *passwd, /* stored passwd */ 306 1.1 lukem const struct berval *cred, /* user cred */ 307 1.1 lukem const char **schemes, 308 1.1 lukem const char **text ) 309 1.1 lukem { 310 1.1 lukem struct pw_slist *pws; 311 1.1 lukem 312 1.1 lukem if ( text ) *text = NULL; 313 1.1 lukem 314 1.1 lukem if (cred == NULL || cred->bv_len == 0 || 315 1.1 lukem passwd == NULL || passwd->bv_len == 0 ) 316 1.1 lukem { 317 1.1 lukem return -1; 318 1.1 lukem } 319 1.1 lukem 320 1.1 lukem if (!pw_inited) lutil_passwd_init(); 321 1.1 lukem 322 1.1 lukem for( pws=pw_schemes; pws; pws=pws->next ) { 323 1.1 lukem if( pws->s.chk_fn ) { 324 1.1 lukem struct berval x; 325 1.1 lukem struct berval *p = passwd_scheme( &(pws->s), 326 1.1 lukem passwd, &x, schemes ); 327 1.1 lukem 328 1.1 lukem if( p != NULL ) { 329 1.1 lukem return (pws->s.chk_fn)( &(pws->s.name), p, cred, text ); 330 1.1 lukem } 331 1.1 lukem } 332 1.1 lukem } 333 1.1 lukem 334 1.1 lukem #ifdef SLAPD_CLEARTEXT 335 1.1 lukem /* Do we think there is a scheme specifier here that we 336 1.1 lukem * didn't recognize? Assume a scheme name is at least 1 character. 337 1.1 lukem */ 338 1.1 lukem if (( passwd->bv_val[0] == '{' ) && 339 1.1 lukem ( ber_bvchr( passwd, '}' ) > passwd->bv_val+1 )) 340 1.1 lukem { 341 1.1 lukem return 1; 342 1.1 lukem } 343 1.1 lukem if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) { 344 1.1 lukem return ( passwd->bv_len == cred->bv_len ) ? 345 1.1 lukem memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len ) 346 1.1 lukem : 1; 347 1.1 lukem } 348 1.1 lukem #endif 349 1.1 lukem return 1; 350 1.1 lukem } 351 1.1 lukem 352 1.1 lukem int lutil_passwd_generate( struct berval *pw, ber_len_t len ) 353 1.1 lukem { 354 1.1 lukem 355 1.1 lukem if( len < 1 ) return -1; 356 1.1 lukem 357 1.1 lukem pw->bv_len = len; 358 1.1 lukem pw->bv_val = ber_memalloc( len + 1 ); 359 1.1 lukem 360 1.1 lukem if( pw->bv_val == NULL ) { 361 1.1 lukem return -1; 362 1.1 lukem } 363 1.1 lukem 364 1.1 lukem if( lutil_entropy( (unsigned char *) pw->bv_val, pw->bv_len) < 0 ) { 365 1.1 lukem return -1; 366 1.1 lukem } 367 1.1 lukem 368 1.1 lukem for( len = 0; len < pw->bv_len; len++ ) { 369 1.1 lukem pw->bv_val[len] = crypt64[ 370 1.1 lukem pw->bv_val[len] % (sizeof(crypt64)-1) ]; 371 1.1 lukem } 372 1.1 lukem 373 1.1 lukem pw->bv_val[len] = '\0'; 374 1.1 lukem 375 1.1 lukem return 0; 376 1.1 lukem } 377 1.1 lukem 378 1.1 lukem int lutil_passwd_hash( 379 1.1 lukem const struct berval * passwd, 380 1.1 lukem const char * method, 381 1.1 lukem struct berval *hash, 382 1.1 lukem const char **text ) 383 1.1 lukem { 384 1.1 lukem const struct pw_scheme *sc = get_scheme( method ); 385 1.1 lukem 386 1.1 lukem hash->bv_val = NULL; 387 1.1 lukem hash->bv_len = 0; 388 1.1 lukem 389 1.1 lukem if( sc == NULL ) { 390 1.1 lukem if( text ) *text = "scheme not recognized"; 391 1.1 lukem return -1; 392 1.1 lukem } 393 1.1 lukem 394 1.1 lukem if( ! sc->hash_fn ) { 395 1.1 lukem if( text ) *text = "scheme provided no hash function"; 396 1.1 lukem return -1; 397 1.1 lukem } 398 1.1 lukem 399 1.1 lukem if( text ) *text = NULL; 400 1.1 lukem 401 1.1 lukem return (sc->hash_fn)( &sc->name, passwd, hash, text ); 402 1.1 lukem } 403 1.1 lukem 404 1.1 lukem /* pw_string is only called when SLAPD_LMHASH or SLAPD_CRYPT is defined */ 405 1.1 lukem #if defined(SLAPD_LMHASH) || defined(SLAPD_CRYPT) 406 1.1 lukem static int pw_string( 407 1.1 lukem const struct berval *sc, 408 1.1 lukem struct berval *passwd ) 409 1.1 lukem { 410 1.1 lukem struct berval pw; 411 1.1 lukem 412 1.1 lukem pw.bv_len = sc->bv_len + passwd->bv_len; 413 1.1 lukem pw.bv_val = ber_memalloc( pw.bv_len + 1 ); 414 1.1 lukem 415 1.1 lukem if( pw.bv_val == NULL ) { 416 1.1 lukem return LUTIL_PASSWD_ERR; 417 1.1 lukem } 418 1.1 lukem 419 1.1 lukem AC_MEMCPY( pw.bv_val, sc->bv_val, sc->bv_len ); 420 1.1 lukem AC_MEMCPY( &pw.bv_val[sc->bv_len], passwd->bv_val, passwd->bv_len ); 421 1.1 lukem 422 1.1 lukem pw.bv_val[pw.bv_len] = '\0'; 423 1.1 lukem *passwd = pw; 424 1.1 lukem 425 1.1 lukem return LUTIL_PASSWD_OK; 426 1.1 lukem } 427 1.1 lukem #endif /* SLAPD_LMHASH || SLAPD_CRYPT */ 428 1.1 lukem 429 1.1 lukem static int pw_string64( 430 1.1 lukem const struct berval *sc, 431 1.1 lukem const struct berval *hash, 432 1.1 lukem struct berval *b64, 433 1.1 lukem const struct berval *salt ) 434 1.1 lukem { 435 1.1 lukem int rc; 436 1.1 lukem struct berval string; 437 1.1 lukem size_t b64len; 438 1.1 lukem 439 1.1 lukem if( salt ) { 440 1.1 lukem /* need to base64 combined string */ 441 1.1 lukem string.bv_len = hash->bv_len + salt->bv_len; 442 1.1 lukem string.bv_val = ber_memalloc( string.bv_len + 1 ); 443 1.1 lukem 444 1.1 lukem if( string.bv_val == NULL ) { 445 1.1 lukem return LUTIL_PASSWD_ERR; 446 1.1 lukem } 447 1.1 lukem 448 1.1 lukem AC_MEMCPY( string.bv_val, hash->bv_val, 449 1.1 lukem hash->bv_len ); 450 1.1 lukem AC_MEMCPY( &string.bv_val[hash->bv_len], salt->bv_val, 451 1.1 lukem salt->bv_len ); 452 1.1 lukem string.bv_val[string.bv_len] = '\0'; 453 1.1 lukem 454 1.1 lukem } else { 455 1.1 lukem string = *hash; 456 1.1 lukem } 457 1.1 lukem 458 1.1 lukem b64len = LUTIL_BASE64_ENCODE_LEN( string.bv_len ) + 1; 459 1.1 lukem b64->bv_len = b64len + sc->bv_len; 460 1.1 lukem b64->bv_val = ber_memalloc( b64->bv_len + 1 ); 461 1.1 lukem 462 1.1 lukem if( b64->bv_val == NULL ) { 463 1.1 lukem if( salt ) ber_memfree( string.bv_val ); 464 1.1 lukem return LUTIL_PASSWD_ERR; 465 1.1 lukem } 466 1.1 lukem 467 1.1 lukem AC_MEMCPY(b64->bv_val, sc->bv_val, sc->bv_len); 468 1.1 lukem 469 1.1 lukem rc = lutil_b64_ntop( 470 1.1 lukem (unsigned char *) string.bv_val, string.bv_len, 471 1.1 lukem &b64->bv_val[sc->bv_len], b64len ); 472 1.1 lukem 473 1.1 lukem if( salt ) ber_memfree( string.bv_val ); 474 1.1 lukem 475 1.1 lukem if( rc < 0 ) { 476 1.1 lukem return LUTIL_PASSWD_ERR; 477 1.1 lukem } 478 1.1 lukem 479 1.1 lukem /* recompute length */ 480 1.1 lukem b64->bv_len = sc->bv_len + rc; 481 1.1 lukem assert( strlen(b64->bv_val) == b64->bv_len ); 482 1.1 lukem return LUTIL_PASSWD_OK; 483 1.1 lukem } 484 1.1 lukem 485 1.1 lukem /* PASSWORD CHECK ROUTINES */ 486 1.1 lukem 487 1.1 lukem #ifdef LUTIL_SHA1_BYTES 488 1.1 lukem static int chk_ssha1( 489 1.1 lukem const struct berval *sc, 490 1.1 lukem const struct berval * passwd, 491 1.1 lukem const struct berval * cred, 492 1.1 lukem const char **text ) 493 1.1 lukem { 494 1.1 lukem lutil_SHA1_CTX SHA1context; 495 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 496 1.1 lukem int rc; 497 1.1 lukem unsigned char *orig_pass = NULL; 498 1.1 lukem 499 1.1 lukem /* safety check -- must have some salt */ 500 1.1 lukem if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) { 501 1.1 lukem return LUTIL_PASSWD_ERR; 502 1.1 lukem } 503 1.1 lukem 504 1.1 lukem /* decode base64 password */ 505 1.1 lukem orig_pass = (unsigned char *) ber_memalloc( (size_t) ( 506 1.1 lukem LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); 507 1.1 lukem 508 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 509 1.1 lukem 510 1.1 lukem rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); 511 1.1 lukem 512 1.1 lukem /* safety check -- must have some salt */ 513 1.1 lukem if (rc <= (int)(sizeof(SHA1digest))) { 514 1.1 lukem ber_memfree(orig_pass); 515 1.1 lukem return LUTIL_PASSWD_ERR; 516 1.1 lukem } 517 1.1 lukem 518 1.1 lukem /* hash credentials with salt */ 519 1.1 lukem lutil_SHA1Init(&SHA1context); 520 1.1 lukem lutil_SHA1Update(&SHA1context, 521 1.1 lukem (const unsigned char *) cred->bv_val, cred->bv_len); 522 1.1 lukem lutil_SHA1Update(&SHA1context, 523 1.1 lukem (const unsigned char *) &orig_pass[sizeof(SHA1digest)], 524 1.1 lukem rc - sizeof(SHA1digest)); 525 1.1 lukem lutil_SHA1Final(SHA1digest, &SHA1context); 526 1.1 lukem 527 1.1 lukem /* compare */ 528 1.1 lukem rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); 529 1.1 lukem ber_memfree(orig_pass); 530 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 531 1.1 lukem } 532 1.1 lukem 533 1.1 lukem static int chk_sha1( 534 1.1 lukem const struct berval *sc, 535 1.1 lukem const struct berval * passwd, 536 1.1 lukem const struct berval * cred, 537 1.1 lukem const char **text ) 538 1.1 lukem { 539 1.1 lukem lutil_SHA1_CTX SHA1context; 540 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 541 1.1 lukem int rc; 542 1.1 lukem unsigned char *orig_pass = NULL; 543 1.1 lukem 544 1.1 lukem /* safety check */ 545 1.1 lukem if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) { 546 1.1 lukem return LUTIL_PASSWD_ERR; 547 1.1 lukem } 548 1.1 lukem 549 1.1 lukem /* base64 un-encode password */ 550 1.1 lukem orig_pass = (unsigned char *) ber_memalloc( (size_t) ( 551 1.1 lukem LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); 552 1.1 lukem 553 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 554 1.1 lukem 555 1.1 lukem rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); 556 1.1 lukem 557 1.1 lukem if( rc != sizeof(SHA1digest) ) { 558 1.1 lukem ber_memfree(orig_pass); 559 1.1 lukem return LUTIL_PASSWD_ERR; 560 1.1 lukem } 561 1.1 lukem 562 1.1 lukem /* hash credentials with salt */ 563 1.1 lukem lutil_SHA1Init(&SHA1context); 564 1.1 lukem lutil_SHA1Update(&SHA1context, 565 1.1 lukem (const unsigned char *) cred->bv_val, cred->bv_len); 566 1.1 lukem lutil_SHA1Final(SHA1digest, &SHA1context); 567 1.1 lukem 568 1.1 lukem /* compare */ 569 1.1 lukem rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); 570 1.1 lukem ber_memfree(orig_pass); 571 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 572 1.1 lukem } 573 1.1 lukem #endif 574 1.1 lukem 575 1.1 lukem static int chk_smd5( 576 1.1 lukem const struct berval *sc, 577 1.1 lukem const struct berval * passwd, 578 1.1 lukem const struct berval * cred, 579 1.1 lukem const char **text ) 580 1.1 lukem { 581 1.1 lukem lutil_MD5_CTX MD5context; 582 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 583 1.1 lukem int rc; 584 1.1 lukem unsigned char *orig_pass = NULL; 585 1.1 lukem 586 1.1 lukem /* safety check */ 587 1.1 lukem if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) { 588 1.1 lukem return LUTIL_PASSWD_ERR; 589 1.1 lukem } 590 1.1 lukem 591 1.1 lukem /* base64 un-encode password */ 592 1.1 lukem orig_pass = (unsigned char *) ber_memalloc( (size_t) ( 593 1.1 lukem LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); 594 1.1 lukem 595 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 596 1.1 lukem 597 1.1 lukem rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); 598 1.1 lukem 599 1.1 lukem if (rc <= (int)(sizeof(MD5digest))) { 600 1.1 lukem ber_memfree(orig_pass); 601 1.1 lukem return LUTIL_PASSWD_ERR; 602 1.1 lukem } 603 1.1 lukem 604 1.1 lukem /* hash credentials with salt */ 605 1.1 lukem lutil_MD5Init(&MD5context); 606 1.1 lukem lutil_MD5Update(&MD5context, 607 1.1 lukem (const unsigned char *) cred->bv_val, 608 1.1 lukem cred->bv_len ); 609 1.1 lukem lutil_MD5Update(&MD5context, 610 1.1 lukem &orig_pass[sizeof(MD5digest)], 611 1.1 lukem rc - sizeof(MD5digest)); 612 1.1 lukem lutil_MD5Final(MD5digest, &MD5context); 613 1.1 lukem 614 1.1 lukem /* compare */ 615 1.1 lukem rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); 616 1.1 lukem ber_memfree(orig_pass); 617 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 618 1.1 lukem } 619 1.1 lukem 620 1.1 lukem static int chk_md5( 621 1.1 lukem const struct berval *sc, 622 1.1 lukem const struct berval * passwd, 623 1.1 lukem const struct berval * cred, 624 1.1 lukem const char **text ) 625 1.1 lukem { 626 1.1 lukem lutil_MD5_CTX MD5context; 627 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 628 1.1 lukem int rc; 629 1.1 lukem unsigned char *orig_pass = NULL; 630 1.1 lukem 631 1.1 lukem /* safety check */ 632 1.1 lukem if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(MD5digest)) { 633 1.1 lukem return LUTIL_PASSWD_ERR; 634 1.1 lukem } 635 1.1 lukem 636 1.1 lukem /* base64 un-encode password */ 637 1.1 lukem orig_pass = (unsigned char *) ber_memalloc( (size_t) ( 638 1.1 lukem LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); 639 1.1 lukem 640 1.1 lukem if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; 641 1.1 lukem 642 1.1 lukem rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); 643 1.1 lukem if ( rc != sizeof(MD5digest) ) { 644 1.1 lukem ber_memfree(orig_pass); 645 1.1 lukem return LUTIL_PASSWD_ERR; 646 1.1 lukem } 647 1.1 lukem 648 1.1 lukem /* hash credentials with salt */ 649 1.1 lukem lutil_MD5Init(&MD5context); 650 1.1 lukem lutil_MD5Update(&MD5context, 651 1.1 lukem (const unsigned char *) cred->bv_val, 652 1.1 lukem cred->bv_len ); 653 1.1 lukem lutil_MD5Final(MD5digest, &MD5context); 654 1.1 lukem 655 1.1 lukem /* compare */ 656 1.1 lukem rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); 657 1.1 lukem ber_memfree(orig_pass); 658 1.1 lukem return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 659 1.1 lukem } 660 1.1 lukem 661 1.1 lukem #ifdef SLAPD_LMHASH 662 1.1.1.2 lukem 663 1.1.1.2 lukem #if defined(HAVE_OPENSSL) 664 1.1.1.2 lukem 665 1.1.1.2 lukem /* 666 1.1.1.2 lukem * abstract away setting the parity. 667 1.1.1.2 lukem */ 668 1.1.1.2 lukem static void 669 1.1.1.2 lukem des_set_key_and_parity( des_key *key, unsigned char *keyData) 670 1.1.1.2 lukem { 671 1.1.1.2 lukem memcpy(key, keyData, 8); 672 1.1.1.2 lukem des_set_odd_parity( key ); 673 1.1.1.2 lukem } 674 1.1.1.2 lukem 675 1.1.1.2 lukem 676 1.1.1.2 lukem #elif defined(HAVE_MOZNSS) 677 1.1.1.2 lukem 678 1.1.1.2 lukem /* 679 1.1.1.2 lukem * implement MozNSS wrappers for the openSSL calls 680 1.1.1.2 lukem */ 681 1.1.1.2 lukem static void 682 1.1.1.2 lukem des_set_key_and_parity( des_key *key, unsigned char *keyData) 683 1.1.1.2 lukem { 684 1.1.1.2 lukem SECItem keyDataItem; 685 1.1.1.2 lukem PK11SlotInfo *slot; 686 1.1.1.2 lukem *key = NULL; 687 1.1.1.2 lukem 688 1.1.1.2 lukem keyDataItem.data = keyData; 689 1.1.1.2 lukem keyDataItem.len = 8; 690 1.1.1.2 lukem 691 1.1.1.2 lukem slot = PK11_GetBestSlot(CKM_DES_ECB, NULL); 692 1.1.1.2 lukem if (slot == NULL) { 693 1.1.1.2 lukem return; 694 1.1.1.2 lukem } 695 1.1.1.2 lukem 696 1.1.1.2 lukem /* NOTE: this will not work in FIPS mode. In order to make lmhash 697 1.1.1.2 lukem * work in fips mode we need to define a LMHASH pbe mechanism and 698 1.1.1.2 lukem * do the fulll key derivation inside the token */ 699 1.1.1.2 lukem *key = PK11_ImportSymKey(slot, CKM_DES_ECB, PK11_OriginGenerated, 700 1.1.1.2 lukem CKA_ENCRYPT, &keyDataItem, NULL); 701 1.1.1.2 lukem } 702 1.1.1.2 lukem 703 1.1.1.2 lukem static void 704 1.1.1.2 lukem des_set_key_unchecked( des_key *key, des_context ctxt ) 705 1.1.1.2 lukem { 706 1.1.1.2 lukem ctxt[0] = NULL; 707 1.1.1.2 lukem 708 1.1.1.2 lukem /* handle error conditions from previous call */ 709 1.1.1.2 lukem if (!*key) { 710 1.1.1.2 lukem return; 711 1.1.1.2 lukem } 712 1.1.1.2 lukem 713 1.1.1.2 lukem ctxt[0] = PK11_CreateContextBySymKey(CKM_DES_ECB, CKA_ENCRYPT, *key, NULL); 714 1.1.1.2 lukem } 715 1.1.1.2 lukem 716 1.1.1.2 lukem static void 717 1.1.1.2 lukem des_ecb_encrypt( des_data_block *plain, des_data_block *encrypted, 718 1.1.1.2 lukem des_context ctxt, int op) 719 1.1.1.2 lukem { 720 1.1.1.2 lukem SECStatus rv; 721 1.1.1.2 lukem int size; 722 1.1.1.2 lukem 723 1.1.1.2 lukem if (ctxt[0] == NULL) { 724 1.1.1.2 lukem /* need to fail here... */ 725 1.1.1.2 lukem memset(encrypted, 0, sizeof(des_data_block)); 726 1.1.1.2 lukem return; 727 1.1.1.2 lukem } 728 1.1.1.2 lukem rv = PK11_CipherOp(ctxt[0], (unsigned char *)&encrypted[0], 729 1.1.1.2 lukem &size, sizeof(des_data_block), 730 1.1.1.2 lukem (unsigned char *)&plain[0], sizeof(des_data_block)); 731 1.1.1.2 lukem if (rv != SECSuccess) { 732 1.1.1.2 lukem /* signal failure */ 733 1.1.1.2 lukem memset(encrypted, 0, sizeof(des_data_block)); 734 1.1.1.2 lukem return; 735 1.1.1.2 lukem } 736 1.1.1.2 lukem return; 737 1.1.1.2 lukem } 738 1.1.1.2 lukem 739 1.1.1.2 lukem static int 740 1.1.1.2 lukem des_failed(des_data_block *encrypted) 741 1.1.1.2 lukem { 742 1.1.1.2 lukem static const des_data_block zero = { 0 }; 743 1.1.1.2 lukem return memcmp(encrypted, zero, sizeof(zero)) == 0; 744 1.1.1.2 lukem } 745 1.1.1.2 lukem 746 1.1.1.2 lukem static void 747 1.1.1.2 lukem des_finish(des_key *key, des_context ctxt) 748 1.1.1.2 lukem { 749 1.1.1.2 lukem if (*key) { 750 1.1.1.2 lukem PK11_FreeSymKey(*key); 751 1.1.1.2 lukem *key = NULL; 752 1.1.1.2 lukem } 753 1.1.1.2 lukem if (ctxt[0]) { 754 1.1.1.2 lukem PK11_Finalize(ctxt[0]); 755 1.1.1.2 lukem PK11_DestroyContext(ctxt[0], PR_TRUE); 756 1.1.1.2 lukem ctxt[0] = NULL; 757 1.1.1.2 lukem } 758 1.1.1.2 lukem } 759 1.1.1.2 lukem 760 1.1.1.2 lukem #endif 761 1.1.1.2 lukem 762 1.1 lukem /* pseudocode from RFC2433 763 1.1 lukem * A.2 LmPasswordHash() 764 1.1 lukem * 765 1.1 lukem * LmPasswordHash( 766 1.1 lukem * IN 0-to-14-oem-char Password, 767 1.1 lukem * OUT 16-octet PasswordHash ) 768 1.1 lukem * { 769 1.1 lukem * Set UcasePassword to the uppercased Password 770 1.1 lukem * Zero pad UcasePassword to 14 characters 771 1.1 lukem * 772 1.1 lukem * DesHash( 1st 7-octets of UcasePassword, 773 1.1 lukem * giving 1st 8-octets of PasswordHash ) 774 1.1 lukem * 775 1.1 lukem * DesHash( 2nd 7-octets of UcasePassword, 776 1.1 lukem * giving 2nd 8-octets of PasswordHash ) 777 1.1 lukem * } 778 1.1 lukem * 779 1.1 lukem * 780 1.1 lukem * A.3 DesHash() 781 1.1 lukem * 782 1.1 lukem * DesHash( 783 1.1 lukem * IN 7-octet Clear, 784 1.1 lukem * OUT 8-octet Cypher ) 785 1.1 lukem * { 786 1.1 lukem * * 787 1.1 lukem * * Make Cypher an irreversibly encrypted form of Clear by 788 1.1 lukem * * encrypting known text using Clear as the secret key. 789 1.1 lukem * * The known text consists of the string 790 1.1 lukem * * 791 1.1 lukem * * KGS!@#$% 792 1.1 lukem * * 793 1.1 lukem * 794 1.1 lukem * Set StdText to "KGS!@#$%" 795 1.1 lukem * DesEncrypt( StdText, Clear, giving Cypher ) 796 1.1 lukem * } 797 1.1 lukem * 798 1.1 lukem * 799 1.1 lukem * A.4 DesEncrypt() 800 1.1 lukem * 801 1.1 lukem * DesEncrypt( 802 1.1 lukem * IN 8-octet Clear, 803 1.1 lukem * IN 7-octet Key, 804 1.1 lukem * OUT 8-octet Cypher ) 805 1.1 lukem * { 806 1.1 lukem * * 807 1.1 lukem * * Use the DES encryption algorithm [4] in ECB mode [9] 808 1.1 lukem * * to encrypt Clear into Cypher such that Cypher can 809 1.1 lukem * * only be decrypted back to Clear by providing Key. 810 1.1 lukem * * Note that the DES algorithm takes as input a 64-bit 811 1.1 lukem * * stream where the 8th, 16th, 24th, etc. bits are 812 1.1 lukem * * parity bits ignored by the encrypting algorithm. 813 1.1 lukem * * Unless you write your own DES to accept 56-bit input 814 1.1 lukem * * without parity, you will need to insert the parity bits 815 1.1 lukem * * yourself. 816 1.1 lukem * * 817 1.1 lukem * } 818 1.1 lukem */ 819 1.1 lukem 820 1.1 lukem static void lmPasswd_to_key( 821 1.1 lukem const char *lmPasswd, 822 1.1.1.2 lukem des_key *key) 823 1.1 lukem { 824 1.1 lukem const unsigned char *lpw = (const unsigned char *) lmPasswd; 825 1.1.1.2 lukem unsigned char k[8]; 826 1.1 lukem 827 1.1 lukem /* make room for parity bits */ 828 1.1 lukem k[0] = lpw[0]; 829 1.1 lukem k[1] = ((lpw[0] & 0x01) << 7) | (lpw[1] >> 1); 830 1.1 lukem k[2] = ((lpw[1] & 0x03) << 6) | (lpw[2] >> 2); 831 1.1 lukem k[3] = ((lpw[2] & 0x07) << 5) | (lpw[3] >> 3); 832 1.1 lukem k[4] = ((lpw[3] & 0x0F) << 4) | (lpw[4] >> 4); 833 1.1 lukem k[5] = ((lpw[4] & 0x1F) << 3) | (lpw[5] >> 5); 834 1.1 lukem k[6] = ((lpw[5] & 0x3F) << 2) | (lpw[6] >> 6); 835 1.1 lukem k[7] = ((lpw[6] & 0x7F) << 1); 836 1.1 lukem 837 1.1.1.2 lukem des_set_key_and_parity( key, k ); 838 1.1 lukem } 839 1.1 lukem 840 1.1 lukem static int chk_lanman( 841 1.1 lukem const struct berval *scheme, 842 1.1 lukem const struct berval *passwd, 843 1.1 lukem const struct berval *cred, 844 1.1 lukem const char **text ) 845 1.1 lukem { 846 1.1.1.2 lukem ber_len_t i; 847 1.1 lukem char UcasePassword[15]; 848 1.1.1.2 lukem des_key key; 849 1.1.1.2 lukem des_context schedule; 850 1.1.1.2 lukem des_data_block StdText = "KGS!@#$%"; 851 1.1.1.2 lukem des_data_block PasswordHash1, PasswordHash2; 852 1.1 lukem char PasswordHash[33], storedPasswordHash[33]; 853 1.1 lukem 854 1.1 lukem for( i=0; i<cred->bv_len; i++) { 855 1.1 lukem if(cred->bv_val[i] == '\0') { 856 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 857 1.1 lukem } 858 1.1 lukem } 859 1.1 lukem 860 1.1 lukem if( cred->bv_val[i] != '\0' ) { 861 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 862 1.1 lukem } 863 1.1 lukem 864 1.1 lukem strncpy( UcasePassword, cred->bv_val, 14 ); 865 1.1 lukem UcasePassword[14] = '\0'; 866 1.1 lukem ldap_pvt_str2upper( UcasePassword ); 867 1.1 lukem 868 1.1 lukem lmPasswd_to_key( UcasePassword, &key ); 869 1.1 lukem des_set_key_unchecked( &key, schedule ); 870 1.1 lukem des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT ); 871 1.1.1.2 lukem 872 1.1.1.2 lukem if (des_failed(&PasswordHash1)) { 873 1.1.1.2 lukem return LUTIL_PASSWD_ERR; 874 1.1.1.2 lukem } 875 1.1 lukem 876 1.1 lukem lmPasswd_to_key( &UcasePassword[7], &key ); 877 1.1 lukem des_set_key_unchecked( &key, schedule ); 878 1.1 lukem des_ecb_encrypt( &StdText, &PasswordHash2, schedule , DES_ENCRYPT ); 879 1.1.1.2 lukem if (des_failed(&PasswordHash2)) { 880 1.1.1.2 lukem return LUTIL_PASSWD_ERR; 881 1.1.1.2 lukem } 882 1.1.1.2 lukem 883 1.1.1.2 lukem des_finish( &key, schedule ); 884 1.1 lukem 885 1.1 lukem sprintf( PasswordHash, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", 886 1.1 lukem PasswordHash1[0],PasswordHash1[1],PasswordHash1[2],PasswordHash1[3], 887 1.1 lukem PasswordHash1[4],PasswordHash1[5],PasswordHash1[6],PasswordHash1[7], 888 1.1 lukem PasswordHash2[0],PasswordHash2[1],PasswordHash2[2],PasswordHash2[3], 889 1.1 lukem PasswordHash2[4],PasswordHash2[5],PasswordHash2[6],PasswordHash2[7] ); 890 1.1 lukem 891 1.1 lukem /* as a precaution convert stored password hash to lower case */ 892 1.1 lukem strncpy( storedPasswordHash, passwd->bv_val, 32 ); 893 1.1 lukem storedPasswordHash[32] = '\0'; 894 1.1 lukem ldap_pvt_str2lower( storedPasswordHash ); 895 1.1 lukem 896 1.1 lukem return memcmp( PasswordHash, storedPasswordHash, 32) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 897 1.1 lukem } 898 1.1 lukem #endif /* SLAPD_LMHASH */ 899 1.1 lukem 900 1.1 lukem #ifdef SLAPD_CRYPT 901 1.1 lukem static int lutil_crypt( 902 1.1 lukem const char *key, 903 1.1 lukem const char *salt, 904 1.1 lukem char **hash ) 905 1.1 lukem { 906 1.1 lukem char *cr = crypt( key, salt ); 907 1.1 lukem int rc; 908 1.1 lukem 909 1.1 lukem if( cr == NULL || cr[0] == '\0' ) { 910 1.1 lukem /* salt must have been invalid */ 911 1.1 lukem rc = LUTIL_PASSWD_ERR; 912 1.1 lukem } else { 913 1.1 lukem if ( hash ) { 914 1.1 lukem *hash = ber_strdup( cr ); 915 1.1 lukem rc = LUTIL_PASSWD_OK; 916 1.1 lukem } else { 917 1.1 lukem rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; 918 1.1 lukem } 919 1.1 lukem } 920 1.1 lukem return rc; 921 1.1 lukem } 922 1.1 lukem 923 1.1 lukem static int chk_crypt( 924 1.1 lukem const struct berval *sc, 925 1.1 lukem const struct berval * passwd, 926 1.1 lukem const struct berval * cred, 927 1.1 lukem const char **text ) 928 1.1 lukem { 929 1.1 lukem unsigned int i; 930 1.1 lukem 931 1.1 lukem for( i=0; i<cred->bv_len; i++) { 932 1.1 lukem if(cred->bv_val[i] == '\0') { 933 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 934 1.1 lukem } 935 1.1 lukem } 936 1.1 lukem 937 1.1 lukem if( cred->bv_val[i] != '\0' ) { 938 1.1 lukem return LUTIL_PASSWD_ERR; /* cred must behave like a string */ 939 1.1 lukem } 940 1.1 lukem 941 1.1 lukem if( passwd->bv_len < 2 ) { 942 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must be at least two characters long */ 943 1.1 lukem } 944 1.1 lukem 945 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 946 1.1 lukem if(passwd->bv_val[i] == '\0') { 947 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 948 1.1 lukem } 949 1.1 lukem } 950 1.1 lukem 951 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 952 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 953 1.1 lukem } 954 1.1 lukem 955 1.1 lukem return lutil_cryptptr( cred->bv_val, passwd->bv_val, NULL ); 956 1.1 lukem } 957 1.1 lukem 958 1.1 lukem # if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD ) 959 1.1 lukem static int chk_unix( 960 1.1 lukem const struct berval *sc, 961 1.1 lukem const struct berval * passwd, 962 1.1 lukem const struct berval * cred, 963 1.1 lukem const char **text ) 964 1.1 lukem { 965 1.1 lukem unsigned int i; 966 1.1 lukem char *pw; 967 1.1 lukem 968 1.1 lukem for( i=0; i<cred->bv_len; i++) { 969 1.1 lukem if(cred->bv_val[i] == '\0') { 970 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 971 1.1 lukem } 972 1.1 lukem } 973 1.1 lukem if( cred->bv_val[i] != '\0' ) { 974 1.1 lukem return LUTIL_PASSWD_ERR; /* cred must behave like a string */ 975 1.1 lukem } 976 1.1 lukem 977 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 978 1.1 lukem if(passwd->bv_val[i] == '\0') { 979 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 980 1.1 lukem } 981 1.1 lukem } 982 1.1 lukem 983 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 984 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 985 1.1 lukem } 986 1.1 lukem 987 1.1 lukem { 988 1.1 lukem struct passwd *pwd = getpwnam(passwd->bv_val); 989 1.1 lukem 990 1.1 lukem if(pwd == NULL) { 991 1.1 lukem return LUTIL_PASSWD_ERR; /* not found */ 992 1.1 lukem } 993 1.1 lukem 994 1.1 lukem pw = pwd->pw_passwd; 995 1.1 lukem } 996 1.1 lukem # ifdef HAVE_GETSPNAM 997 1.1 lukem { 998 1.1 lukem struct spwd *spwd = getspnam(passwd->bv_val); 999 1.1 lukem 1000 1.1 lukem if(spwd != NULL) { 1001 1.1 lukem pw = spwd->sp_pwdp; 1002 1.1 lukem } 1003 1.1 lukem } 1004 1.1 lukem # endif 1005 1.1 lukem # ifdef HAVE_AIX_SECURITY 1006 1.1 lukem { 1007 1.1 lukem struct userpw *upw = getuserpw(passwd->bv_val); 1008 1.1 lukem 1009 1.1 lukem if (upw != NULL) { 1010 1.1 lukem pw = upw->upw_passwd; 1011 1.1 lukem } 1012 1.1 lukem } 1013 1.1 lukem # endif 1014 1.1 lukem 1015 1.1 lukem if( pw == NULL || pw[0] == '\0' || pw[1] == '\0' ) { 1016 1.1 lukem /* password must must be at least two characters long */ 1017 1.1 lukem return LUTIL_PASSWD_ERR; 1018 1.1 lukem } 1019 1.1 lukem 1020 1.1 lukem return lutil_cryptptr( cred->bv_val, pw, NULL ); 1021 1.1 lukem } 1022 1.1 lukem # endif 1023 1.1 lukem #endif 1024 1.1 lukem 1025 1.1 lukem /* PASSWORD GENERATION ROUTINES */ 1026 1.1 lukem 1027 1.1 lukem #ifdef LUTIL_SHA1_BYTES 1028 1.1 lukem static int hash_ssha1( 1029 1.1 lukem const struct berval *scheme, 1030 1.1 lukem const struct berval *passwd, 1031 1.1 lukem struct berval *hash, 1032 1.1 lukem const char **text ) 1033 1.1 lukem { 1034 1.1 lukem lutil_SHA1_CTX SHA1context; 1035 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 1036 1.1 lukem char saltdata[SALT_SIZE]; 1037 1.1 lukem struct berval digest; 1038 1.1 lukem struct berval salt; 1039 1.1 lukem 1040 1.1 lukem digest.bv_val = (char *) SHA1digest; 1041 1.1 lukem digest.bv_len = sizeof(SHA1digest); 1042 1.1 lukem salt.bv_val = saltdata; 1043 1.1 lukem salt.bv_len = sizeof(saltdata); 1044 1.1 lukem 1045 1.1 lukem if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) { 1046 1.1 lukem return LUTIL_PASSWD_ERR; 1047 1.1 lukem } 1048 1.1 lukem 1049 1.1 lukem lutil_SHA1Init( &SHA1context ); 1050 1.1 lukem lutil_SHA1Update( &SHA1context, 1051 1.1 lukem (const unsigned char *)passwd->bv_val, passwd->bv_len ); 1052 1.1 lukem lutil_SHA1Update( &SHA1context, 1053 1.1 lukem (const unsigned char *)salt.bv_val, salt.bv_len ); 1054 1.1 lukem lutil_SHA1Final( SHA1digest, &SHA1context ); 1055 1.1 lukem 1056 1.1 lukem return pw_string64( scheme, &digest, hash, &salt); 1057 1.1 lukem } 1058 1.1 lukem 1059 1.1 lukem static int hash_sha1( 1060 1.1 lukem const struct berval *scheme, 1061 1.1 lukem const struct berval *passwd, 1062 1.1 lukem struct berval *hash, 1063 1.1 lukem const char **text ) 1064 1.1 lukem { 1065 1.1 lukem lutil_SHA1_CTX SHA1context; 1066 1.1 lukem unsigned char SHA1digest[LUTIL_SHA1_BYTES]; 1067 1.1 lukem struct berval digest; 1068 1.1 lukem digest.bv_val = (char *) SHA1digest; 1069 1.1 lukem digest.bv_len = sizeof(SHA1digest); 1070 1.1 lukem 1071 1.1 lukem lutil_SHA1Init( &SHA1context ); 1072 1.1 lukem lutil_SHA1Update( &SHA1context, 1073 1.1 lukem (const unsigned char *)passwd->bv_val, passwd->bv_len ); 1074 1.1 lukem lutil_SHA1Final( SHA1digest, &SHA1context ); 1075 1.1 lukem 1076 1.1 lukem return pw_string64( scheme, &digest, hash, NULL); 1077 1.1 lukem } 1078 1.1 lukem #endif 1079 1.1 lukem 1080 1.1 lukem static int hash_smd5( 1081 1.1 lukem const struct berval *scheme, 1082 1.1 lukem const struct berval *passwd, 1083 1.1 lukem struct berval *hash, 1084 1.1 lukem const char **text ) 1085 1.1 lukem { 1086 1.1 lukem lutil_MD5_CTX MD5context; 1087 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 1088 1.1 lukem char saltdata[SALT_SIZE]; 1089 1.1 lukem struct berval digest; 1090 1.1 lukem struct berval salt; 1091 1.1 lukem 1092 1.1 lukem digest.bv_val = (char *) MD5digest; 1093 1.1 lukem digest.bv_len = sizeof(MD5digest); 1094 1.1 lukem salt.bv_val = saltdata; 1095 1.1 lukem salt.bv_len = sizeof(saltdata); 1096 1.1 lukem 1097 1.1 lukem if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) { 1098 1.1 lukem return LUTIL_PASSWD_ERR; 1099 1.1 lukem } 1100 1.1 lukem 1101 1.1 lukem lutil_MD5Init( &MD5context ); 1102 1.1 lukem lutil_MD5Update( &MD5context, 1103 1.1 lukem (const unsigned char *) passwd->bv_val, passwd->bv_len ); 1104 1.1 lukem lutil_MD5Update( &MD5context, 1105 1.1 lukem (const unsigned char *) salt.bv_val, salt.bv_len ); 1106 1.1 lukem lutil_MD5Final( MD5digest, &MD5context ); 1107 1.1 lukem 1108 1.1 lukem return pw_string64( scheme, &digest, hash, &salt ); 1109 1.1 lukem } 1110 1.1 lukem 1111 1.1 lukem static int hash_md5( 1112 1.1 lukem const struct berval *scheme, 1113 1.1 lukem const struct berval *passwd, 1114 1.1 lukem struct berval *hash, 1115 1.1 lukem const char **text ) 1116 1.1 lukem { 1117 1.1 lukem lutil_MD5_CTX MD5context; 1118 1.1 lukem unsigned char MD5digest[LUTIL_MD5_BYTES]; 1119 1.1 lukem 1120 1.1 lukem struct berval digest; 1121 1.1 lukem 1122 1.1 lukem digest.bv_val = (char *) MD5digest; 1123 1.1 lukem digest.bv_len = sizeof(MD5digest); 1124 1.1 lukem 1125 1.1 lukem lutil_MD5Init( &MD5context ); 1126 1.1 lukem lutil_MD5Update( &MD5context, 1127 1.1 lukem (const unsigned char *) passwd->bv_val, passwd->bv_len ); 1128 1.1 lukem lutil_MD5Final( MD5digest, &MD5context ); 1129 1.1 lukem 1130 1.1 lukem return pw_string64( scheme, &digest, hash, NULL ); 1131 1.1 lukem ; 1132 1.1 lukem } 1133 1.1 lukem 1134 1.1 lukem #ifdef SLAPD_LMHASH 1135 1.1 lukem static int hash_lanman( 1136 1.1 lukem const struct berval *scheme, 1137 1.1 lukem const struct berval *passwd, 1138 1.1 lukem struct berval *hash, 1139 1.1 lukem const char **text ) 1140 1.1 lukem { 1141 1.1 lukem 1142 1.1.1.2 lukem ber_len_t i; 1143 1.1 lukem char UcasePassword[15]; 1144 1.1.1.2 lukem des_key key; 1145 1.1.1.2 lukem des_context schedule; 1146 1.1.1.2 lukem des_data_block StdText = "KGS!@#$%"; 1147 1.1.1.2 lukem des_data_block PasswordHash1, PasswordHash2; 1148 1.1 lukem char PasswordHash[33]; 1149 1.1 lukem 1150 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 1151 1.1 lukem if(passwd->bv_val[i] == '\0') { 1152 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 1153 1.1 lukem } 1154 1.1 lukem } 1155 1.1 lukem 1156 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 1157 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 1158 1.1 lukem } 1159 1.1 lukem 1160 1.1 lukem strncpy( UcasePassword, passwd->bv_val, 14 ); 1161 1.1 lukem UcasePassword[14] = '\0'; 1162 1.1 lukem ldap_pvt_str2upper( UcasePassword ); 1163 1.1 lukem 1164 1.1 lukem lmPasswd_to_key( UcasePassword, &key ); 1165 1.1 lukem des_set_key_unchecked( &key, schedule ); 1166 1.1 lukem des_ecb_encrypt( &StdText, &PasswordHash1, schedule , DES_ENCRYPT ); 1167 1.1 lukem 1168 1.1 lukem lmPasswd_to_key( &UcasePassword[7], &key ); 1169 1.1 lukem des_set_key_unchecked( &key, schedule ); 1170 1.1 lukem des_ecb_encrypt( &StdText, &PasswordHash2, schedule , DES_ENCRYPT ); 1171 1.1 lukem 1172 1.1 lukem sprintf( PasswordHash, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", 1173 1.1 lukem PasswordHash1[0],PasswordHash1[1],PasswordHash1[2],PasswordHash1[3], 1174 1.1 lukem PasswordHash1[4],PasswordHash1[5],PasswordHash1[6],PasswordHash1[7], 1175 1.1 lukem PasswordHash2[0],PasswordHash2[1],PasswordHash2[2],PasswordHash2[3], 1176 1.1 lukem PasswordHash2[4],PasswordHash2[5],PasswordHash2[6],PasswordHash2[7] ); 1177 1.1 lukem 1178 1.1 lukem hash->bv_val = PasswordHash; 1179 1.1 lukem hash->bv_len = 32; 1180 1.1 lukem 1181 1.1 lukem return pw_string( scheme, hash ); 1182 1.1 lukem } 1183 1.1 lukem #endif /* SLAPD_LMHASH */ 1184 1.1 lukem 1185 1.1 lukem #ifdef SLAPD_CRYPT 1186 1.1 lukem static int hash_crypt( 1187 1.1 lukem const struct berval *scheme, 1188 1.1 lukem const struct berval *passwd, 1189 1.1 lukem struct berval *hash, 1190 1.1 lukem const char **text ) 1191 1.1 lukem { 1192 1.1 lukem unsigned char salt[32]; /* salt suitable for most anything */ 1193 1.1 lukem unsigned int i; 1194 1.1 lukem char *save; 1195 1.1 lukem int rc; 1196 1.1 lukem 1197 1.1 lukem for( i=0; i<passwd->bv_len; i++) { 1198 1.1 lukem if(passwd->bv_val[i] == '\0') { 1199 1.1 lukem return LUTIL_PASSWD_ERR; /* NUL character in password */ 1200 1.1 lukem } 1201 1.1 lukem } 1202 1.1 lukem 1203 1.1 lukem if( passwd->bv_val[i] != '\0' ) { 1204 1.1 lukem return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ 1205 1.1 lukem } 1206 1.1 lukem 1207 1.1 lukem if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) { 1208 1.1 lukem return LUTIL_PASSWD_ERR; 1209 1.1 lukem } 1210 1.1 lukem 1211 1.1 lukem for( i=0; i< ( sizeof(salt) - 1 ); i++ ) { 1212 1.1 lukem salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ]; 1213 1.1 lukem } 1214 1.1 lukem salt[sizeof( salt ) - 1 ] = '\0'; 1215 1.1 lukem 1216 1.1 lukem if( salt_format != NULL ) { 1217 1.1 lukem /* copy the salt we made into entropy before snprintfing 1218 1.1 lukem it back into the salt */ 1219 1.1 lukem char entropy[sizeof(salt)]; 1220 1.1 lukem strcpy( entropy, (char *) salt ); 1221 1.1 lukem snprintf( (char *) salt, sizeof(entropy), salt_format, entropy ); 1222 1.1 lukem } 1223 1.1 lukem 1224 1.1 lukem rc = lutil_cryptptr( passwd->bv_val, (char *) salt, &hash->bv_val ); 1225 1.1 lukem if ( rc != LUTIL_PASSWD_OK ) return rc; 1226 1.1 lukem 1227 1.1 lukem if( hash->bv_val == NULL ) return -1; 1228 1.1 lukem 1229 1.1 lukem hash->bv_len = strlen( hash->bv_val ); 1230 1.1 lukem 1231 1.1 lukem save = hash->bv_val; 1232 1.1 lukem 1233 1.1 lukem if( hash->bv_len == 0 ) { 1234 1.1 lukem rc = LUTIL_PASSWD_ERR; 1235 1.1 lukem } else { 1236 1.1 lukem rc = pw_string( scheme, hash ); 1237 1.1 lukem } 1238 1.1 lukem ber_memfree( save ); 1239 1.1 lukem return rc; 1240 1.1 lukem } 1241 1.1 lukem #endif 1242 1.1 lukem 1243 1.1 lukem int lutil_salt_format(const char *format) 1244 1.1 lukem { 1245 1.1 lukem #ifdef SLAPD_CRYPT 1246 1.1.1.2 lukem ber_memfree( salt_format ); 1247 1.1 lukem 1248 1.1 lukem salt_format = format != NULL ? ber_strdup( format ) : NULL; 1249 1.1 lukem #endif 1250 1.1 lukem 1251 1.1 lukem return 0; 1252 1.1 lukem } 1253 1.1 lukem 1254 1.1 lukem #ifdef SLAPD_CLEARTEXT 1255 1.1 lukem static int hash_clear( 1256 1.1 lukem const struct berval *scheme, 1257 1.1 lukem const struct berval *passwd, 1258 1.1 lukem struct berval *hash, 1259 1.1 lukem const char **text ) 1260 1.1 lukem { 1261 1.1 lukem ber_dupbv( hash, (struct berval *)passwd ); 1262 1.1 lukem return LUTIL_PASSWD_OK; 1263 1.1 lukem } 1264 1.1 lukem #endif 1265 1.1 lukem 1266
Indexes created Tue Mar 17 00:23:13 UTC 2026