Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Joe Martin
OpenLDAP
Commits
7f41bdf6
Commit
7f41bdf6
authored
Jan 26, 2009
by
Quanah Gibson-Mount
Browse files
ITS#5660
parent
23f271ce
Changes
6
Expand all
Hide whitespace changes
Inline
Side-by-side
CHANGES
View file @
7f41bdf6
...
...
@@ -35,6 +35,7 @@ OpenLDAP 2.4.14 Engineering
Updated contrib/addpartial module (ITS#5764)
Added contrib/cloak module (ITS#5872)
Added contrib/smbk5pwd gcrypt support (ITS#5410)
Added contrib/passwd sha2 support (ITS#5660)
Build Environment
Fixed test049,test050 to work on windows (ITS#5842)
Updated test017,test018,test019 to cover more cases (ITS#5883)
...
...
contrib/slapd-modules/passwd/sha2/Makefile
0 → 100644
View file @
7f41bdf6
# $OpenLDAP$
OPENLDAP
:=
../../../..
#CCFLAGS = -Wall -g -DSLAPD_SHA2_DEBUG
CCFLAGS
=
-Wall
-g
slapd-sha2.so
:
slapd-sha2.o sha2.o
$(CC)
-I
$(OPENLDAP)
/include
-shared
-Wall
-g
$^
-o
$@
%.o
:
%.c
$(CC)
-I
$(OPENLDAP)
/include
$(CCFLAGS)
-c
$<
clean
:
@
rm
-f
slapd-sha2.so
*
.o
contrib/slapd-modules/passwd/sha2/README
0 → 100644
View file @
7f41bdf6
SHA-512 OpenLDAP support
------------------------
Based on SHA2 implementation by Aaron D. Gifford (http://www.aarongifford.com/), also used in OpenBSD.
Adapted for OpenLDAP use by Jeff Turner <jeff@atlassian.com>
Distributed under open source BSD license - see code for details.
slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
OpenLDAP. For instance, one could have the LDAP attribute:
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
or:
userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
or:
userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
all of which encode the password 'secret'.
Building
--------
1) Obtain the OpenLDAP source, eg. 'apt-get source slapd'. Really we
only want the headers, but there doesn't seem to be a Debian package
with them.
2) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.
For initial testing you might also want to edit CCFLAGS to define
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).
3) Run 'make' to produce slapd-sha2.so
4) Copy slapd-sha2.so somewhere permanent.
4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
moduleload ...path/to/slapd-sha2.so
5) Restart slapd.
The {SHA512} scheme should now be recognised.
Testing
-------
A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, eg:
rootdn "cn=admin,dc=example,dc=com"
# This encrypts the string 'secret'
rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Then to test, run something like:
ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret
-- Test hashes:
Test hashes can be generated with openssl:
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
W192CF5bDufKRpayrW/isg==
(join those lines up to form the full hash)
Alternatively we could modify an existing user's password with
ldapmodify, and then test binding as that user:
$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
Enter LDAP Password:
dn: uid=jturner,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
modifying entry "uid=jturner,ou=People,dc=example,dc=com"
$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret
Debugging
---------
To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
commented-out CCFLAGS in Makefile), and then run slapd from the console
to see stderr:
$ sudo /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
@(#) $OpenLDAP$
buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.
slapd starting
...
Validating password
Password to validate: secret
Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Stored password scheme: {SHA256}
Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
-> Passwords match
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=0 fd=12 closed (connection lost)
Origin
------
Based on code maintained at:
http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256%2C+SHA-384%2C+SHA-512)+and+atlassian-sha1+passwords
contrib/slapd-modules/passwd/sha2/sha2.c
0 → 100644
View file @
7f41bdf6
This diff is collapsed.
Click to expand it.
contrib/slapd-modules/passwd/sha2/sha2.h
0 → 100644
View file @
7f41bdf6
/* $OpenLDAP$ */
/*
* FILE: sha2.h
* AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
*
* Copyright (c) 2000-2001, Aaron D. Gifford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
*/
#ifndef __SHA2_H__
#define __SHA2_H__
#ifdef __cplusplus
extern
"C"
{
#endif
/*
* Import u_intXX_t size_t type definitions from system headers. You
* may need to change this, or define these things yourself in this
* file.
*/
#include
<sys/types.h>
#ifdef SHA2_USE_INTTYPES_H
#include
<inttypes.h>
#endif
/* SHA2_USE_INTTYPES_H */
/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA256_BLOCK_LENGTH 64
#define SHA256_DIGEST_LENGTH 32
#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
#define SHA384_BLOCK_LENGTH 128
#define SHA384_DIGEST_LENGTH 48
#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
#define SHA512_BLOCK_LENGTH 128
#define SHA512_DIGEST_LENGTH 64
#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
/*** SHA-256/384/512 Context Structures *******************************/
/* NOTE: If your architecture does not define either u_intXX_t types or
* uintXX_t (from inttypes.h), you may need to define things by hand
* for your system:
*/
#if 0
typedef unsigned char u_int8_t; /* 1-byte (8-bits) */
typedef unsigned int u_int32_t; /* 4-bytes (32-bits) */
typedef unsigned long long u_int64_t; /* 8-bytes (64-bits) */
#endif
/*
* Most BSD systems already define u_intXX_t types, as does Linux.
* Some systems, however, like Compaq's Tru64 Unix instead can use
* uintXX_t types defined by very recent ANSI C standards and included
* in the file:
*
* #include <inttypes.h>
*
* If you choose to use <inttypes.h> then please define:
*
* #define SHA2_USE_INTTYPES_H
*
* Or on the command line during compile:
*
* cc -DSHA2_USE_INTTYPES_H ...
*/
#ifdef SHA2_USE_INTTYPES_H
typedef
struct
_SHA256_CTX
{
uint32_t
state
[
8
];
uint64_t
bitcount
;
uint8_t
buffer
[
SHA256_BLOCK_LENGTH
];
}
SHA256_CTX
;
typedef
struct
_SHA512_CTX
{
uint64_t
state
[
8
];
uint64_t
bitcount
[
2
];
uint8_t
buffer
[
SHA512_BLOCK_LENGTH
];
}
SHA512_CTX
;
#else
/* SHA2_USE_INTTYPES_H */
typedef
struct
_SHA256_CTX
{
u_int32_t
state
[
8
];
u_int64_t
bitcount
;
u_int8_t
buffer
[
SHA256_BLOCK_LENGTH
];
}
SHA256_CTX
;
typedef
struct
_SHA512_CTX
{
u_int64_t
state
[
8
];
u_int64_t
bitcount
[
2
];
u_int8_t
buffer
[
SHA512_BLOCK_LENGTH
];
}
SHA512_CTX
;
#endif
/* SHA2_USE_INTTYPES_H */
typedef
SHA512_CTX
SHA384_CTX
;
/*** SHA-256/384/512 Function Prototypes ******************************/
#ifndef NOPROTO
#ifdef SHA2_USE_INTTYPES_H
void
SHA256_Init
(
SHA256_CTX
*
);
void
SHA256_Update
(
SHA256_CTX
*
,
const
uint8_t
*
,
size_t
);
void
SHA256_Final
(
uint8_t
[
SHA256_DIGEST_LENGTH
],
SHA256_CTX
*
);
char
*
SHA256_End
(
SHA256_CTX
*
,
char
[
SHA256_DIGEST_STRING_LENGTH
]);
char
*
SHA256_Data
(
const
uint8_t
*
,
size_t
,
char
[
SHA256_DIGEST_STRING_LENGTH
]);
void
SHA384_Init
(
SHA384_CTX
*
);
void
SHA384_Update
(
SHA384_CTX
*
,
const
uint8_t
*
,
size_t
);
void
SHA384_Final
(
uint8_t
[
SHA384_DIGEST_LENGTH
],
SHA384_CTX
*
);
char
*
SHA384_End
(
SHA384_CTX
*
,
char
[
SHA384_DIGEST_STRING_LENGTH
]);
char
*
SHA384_Data
(
const
uint8_t
*
,
size_t
,
char
[
SHA384_DIGEST_STRING_LENGTH
]);
void
SHA512_Init
(
SHA512_CTX
*
);
void
SHA512_Update
(
SHA512_CTX
*
,
const
uint8_t
*
,
size_t
);
void
SHA512_Final
(
uint8_t
[
SHA512_DIGEST_LENGTH
],
SHA512_CTX
*
);
char
*
SHA512_End
(
SHA512_CTX
*
,
char
[
SHA512_DIGEST_STRING_LENGTH
]);
char
*
SHA512_Data
(
const
uint8_t
*
,
size_t
,
char
[
SHA512_DIGEST_STRING_LENGTH
]);
#else
/* SHA2_USE_INTTYPES_H */
void
SHA256_Init
(
SHA256_CTX
*
);
void
SHA256_Update
(
SHA256_CTX
*
,
const
u_int8_t
*
,
size_t
);
void
SHA256_Final
(
u_int8_t
[
SHA256_DIGEST_LENGTH
],
SHA256_CTX
*
);
char
*
SHA256_End
(
SHA256_CTX
*
,
char
[
SHA256_DIGEST_STRING_LENGTH
]);
char
*
SHA256_Data
(
const
u_int8_t
*
,
size_t
,
char
[
SHA256_DIGEST_STRING_LENGTH
]);
void
SHA384_Init
(
SHA384_CTX
*
);
void
SHA384_Update
(
SHA384_CTX
*
,
const
u_int8_t
*
,
size_t
);
void
SHA384_Final
(
u_int8_t
[
SHA384_DIGEST_LENGTH
],
SHA384_CTX
*
);
char
*
SHA384_End
(
SHA384_CTX
*
,
char
[
SHA384_DIGEST_STRING_LENGTH
]);
char
*
SHA384_Data
(
const
u_int8_t
*
,
size_t
,
char
[
SHA384_DIGEST_STRING_LENGTH
]);
void
SHA512_Init
(
SHA512_CTX
*
);
void
SHA512_Update
(
SHA512_CTX
*
,
const
u_int8_t
*
,
size_t
);
void
SHA512_Final
(
u_int8_t
[
SHA512_DIGEST_LENGTH
],
SHA512_CTX
*
);
char
*
SHA512_End
(
SHA512_CTX
*
,
char
[
SHA512_DIGEST_STRING_LENGTH
]);
char
*
SHA512_Data
(
const
u_int8_t
*
,
size_t
,
char
[
SHA512_DIGEST_STRING_LENGTH
]);
#endif
/* SHA2_USE_INTTYPES_H */
#else
/* NOPROTO */
void
SHA256_Init
();
void
SHA256_Update
();
void
SHA256_Final
();
char
*
SHA256_End
();
char
*
SHA256_Data
();
void
SHA384_Init
();
void
SHA384_Update
();
void
SHA384_Final
();
char
*
SHA384_End
();
char
*
SHA384_Data
();
void
SHA512_Init
();
void
SHA512_Update
();
void
SHA512_Final
();
char
*
SHA512_End
();
char
*
SHA512_Data
();
#endif
/* NOPROTO */
#ifdef __cplusplus
}
#endif
/* __cplusplus */
#endif
/* __SHA2_H__ */
contrib/slapd-modules/passwd/sha2/slapd-sha2.c
0 → 100644
View file @
7f41bdf6
/* $OpenLDAP$ */
#include
<lber.h>
#include
<lber_pvt.h>
// Required for BER_BVC
#include
<ac/string.h>
// Required for BER_BVC dep
#include
"lutil.h"
#include
<stdint.h>
#include
<string.h>
/* memcpy()/memset() or bcopy()/bzero() */
#include
<assert.h>
/* assert() */
#include
"sha2.h"
#ifdef SLAPD_SHA2_DEBUG
#include
<stdio.h>
#endif
char
*
sha256_hex_hash
(
const
char
*
passwd
)
{
SHA256_CTX
ct
;
unsigned
char
hash
[
SHA256_DIGEST_LENGTH
];
static
char
real_hash
[
LUTIL_BASE64_ENCODE_LEN
(
SHA256_DIGEST_LENGTH
)
+
1
];
// extra char for \0
SHA256_Init
(
&
ct
);
SHA256_Update
(
&
ct
,
(
const
uint8_t
*
)
passwd
,
strlen
(
passwd
));
SHA256_Final
(
hash
,
&
ct
);
/* base64 encode it */
lutil_b64_ntop
(
hash
,
SHA256_DIGEST_LENGTH
,
real_hash
,
LUTIL_BASE64_ENCODE_LEN
(
SHA256_DIGEST_LENGTH
)
+
1
);
return
real_hash
;
}
char
*
sha384_hex_hash
(
const
char
*
passwd
)
{
SHA384_CTX
ct
;
unsigned
char
hash
[
SHA384_DIGEST_LENGTH
];
static
char
real_hash
[
LUTIL_BASE64_ENCODE_LEN
(
SHA384_DIGEST_LENGTH
)
+
1
];
// extra char for \0
SHA384_Init
(
&
ct
);
SHA384_Update
(
&
ct
,
(
const
uint8_t
*
)
passwd
,
strlen
(
passwd
));
SHA384_Final
(
hash
,
&
ct
);
/* base64 encode it */
lutil_b64_ntop
(
hash
,
SHA384_DIGEST_LENGTH
,
real_hash
,
LUTIL_BASE64_ENCODE_LEN
(
SHA384_DIGEST_LENGTH
)
+
1
);
return
real_hash
;
}
char
*
sha512_hex_hash
(
const
char
*
passwd
)
{
SHA512_CTX
ct
;
unsigned
char
hash
[
SHA512_DIGEST_LENGTH
];
static
char
real_hash
[
LUTIL_BASE64_ENCODE_LEN
(
SHA512_DIGEST_LENGTH
)
+
1
];
// extra char for \0
SHA512_Init
(
&
ct
);
SHA512_Update
(
&
ct
,
(
const
uint8_t
*
)
passwd
,
strlen
(
passwd
));
SHA512_Final
(
hash
,
&
ct
);
/* base64 encode it */
lutil_b64_ntop
(
hash
,
SHA512_DIGEST_LENGTH
,
real_hash
,
LUTIL_BASE64_ENCODE_LEN
(
SHA512_DIGEST_LENGTH
)
+
1
);
return
real_hash
;
}
static
int
chk_sha256
(
const
struct
berval
*
scheme
,
// Scheme of hashed reference password
const
struct
berval
*
passwd
,
// Hashed reference password to check against
const
struct
berval
*
cred
,
// user-supplied password to check
const
char
**
text
)
{
#ifdef SLAPD_SHA2_DEBUG
fprintf
(
stderr
,
"Validating password
\n
"
);
fprintf
(
stderr
,
" Password to validate: %s
\n
"
,
cred
->
bv_val
);
fprintf
(
stderr
,
" Hashes to: %s
\n
"
,
sha256_hex_hash
(
cred
->
bv_val
));
fprintf
(
stderr
,
" Stored password scheme: %s
\n
"
,
scheme
->
bv_val
);
fprintf
(
stderr
,
" Stored password value: %s
\n
"
,
passwd
->
bv_val
);
fprintf
(
stderr
,
" -> Passwords %s
\n
"
,
strcmp
(
sha256_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
)
==
0
?
"match"
:
"do not match"
);
#endif
return
(
strcmp
(
sha256_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
));
}
static
int
chk_sha384
(
const
struct
berval
*
scheme
,
// Scheme of hashed reference password
const
struct
berval
*
passwd
,
// Hashed reference password to check against
const
struct
berval
*
cred
,
// user-supplied password to check
const
char
**
text
)
{
#ifdef SLAPD_SHA2_DEBUG
fprintf
(
stderr
,
"Validating password
\n
"
);
fprintf
(
stderr
,
" Password to validate: %s
\n
"
,
cred
->
bv_val
);
fprintf
(
stderr
,
" Hashes to: %s
\n
"
,
sha384_hex_hash
(
cred
->
bv_val
));
fprintf
(
stderr
,
" Stored password scheme: %s
\n
"
,
scheme
->
bv_val
);
fprintf
(
stderr
,
" Stored password value: %s
\n
"
,
passwd
->
bv_val
);
fprintf
(
stderr
,
" -> Passwords %s
\n
"
,
strcmp
(
sha384_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
)
==
0
?
"match"
:
"do not match"
);
#endif
return
(
strcmp
(
sha384_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
));
}
static
int
chk_sha512
(
const
struct
berval
*
scheme
,
// Scheme of hashed reference password
const
struct
berval
*
passwd
,
// Hashed reference password to check against
const
struct
berval
*
cred
,
// user-supplied password to check
const
char
**
text
)
{
#ifdef SLAPD_SHA2_DEBUG
fprintf
(
stderr
,
" Password to validate: %s
\n
"
,
cred
->
bv_val
);
fprintf
(
stderr
,
" Hashes to: %s
\n
"
,
sha512_hex_hash
(
cred
->
bv_val
));
fprintf
(
stderr
,
" Stored password scheme: %s
\n
"
,
scheme
->
bv_val
);
fprintf
(
stderr
,
" Stored password value: %s
\n
"
,
passwd
->
bv_val
);
fprintf
(
stderr
,
" -> Passwords %s
\n
"
,
strcmp
(
sha512_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
)
==
0
?
"match"
:
"do not match"
);
#endif
return
(
strcmp
(
sha512_hex_hash
(
cred
->
bv_val
),
passwd
->
bv_val
));
}
const
struct
berval
sha256scheme
=
BER_BVC
(
"{SHA256}"
);
const
struct
berval
sha384scheme
=
BER_BVC
(
"{SHA384}"
);
const
struct
berval
sha512scheme
=
BER_BVC
(
"{SHA512}"
);
int
init_module
(
int
argc
,
char
*
argv
[])
{
int
result
=
0
;
result
=
lutil_passwd_add
(
(
struct
berval
*
)
&
sha256scheme
,
chk_sha256
,
NULL
);
if
(
result
!=
0
)
return
result
;
result
=
lutil_passwd_add
(
(
struct
berval
*
)
&
sha384scheme
,
chk_sha384
,
NULL
);
if
(
result
!=
0
)
return
result
;
result
=
lutil_passwd_add
(
(
struct
berval
*
)
&
sha512scheme
,
chk_sha512
,
NULL
);
return
result
;
}
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment