From 9225707a06d145fad128f97236166b65ae1c4f3e Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Tue, 29 Jun 1999 22:24:53 +0000
Subject: [PATCH] Modify lutil_passwd to accept a third argument char** methods
to specific which methods may be used. This will facilate development of a
slapd config directive "passwordMethod ..." to specify which methods should
be allowed.
---
include/lutil.h | 3 +-
libraries/liblutil/passwd.c | 71 +++++++++++++++++++++++++---------
servers/slapd/back-bdb2/bind.c | 3 +-
servers/slapd/back-ldbm/bind.c | 3 +-
servers/slapd/backend.c | 2 +-
5 files changed, 59 insertions(+), 23 deletions(-)
diff --git a/include/lutil.h b/include/lutil.h
index 56aea51f37..a718ed6ece 100644
--- a/include/lutil.h
+++ b/include/lutil.h
@@ -39,7 +39,8 @@ lutil_detach LDAP_P((
LDAP_F( int )
lutil_passwd LDAP_P((
const char *cred,
- const char *passwd));
+ const char *passwd,
+ const char **methods ));
LDAP_END_DECL
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index f3d5c54b8e..cbe5e6fb13 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -26,27 +26,65 @@
# include <pwd.h>
#endif
+static int supported_hash(
+ const char* method,
+ const char** methods )
+{
+ int i;
+
+ if(methods == NULL) {
+ return 1;
+ }
+
+ for(i=0; methods[i] != NULL; i++) {
+ if(strcasecmp(method, methods[i]) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+static const char *passwd_hash(
+ const char* passwd,
+ const char* method,
+ const char** methods )
+{
+ int len;
+
+ if( !supported_hash( method, methods ) ) {
+ return NULL;
+ }
+
+ len = strlen(method);
+
+ if( strncasecmp( passwd, method, len ) == 0 ) {
+ return &passwd[len];
+ }
+
+ return NULL;
+}
+
/*
* Return 0 if creds are good.
*/
-
int
lutil_passwd(
const char *cred,
- const char *passwd)
+ const char *passwd,
+ const char **methods)
{
+ const char *p;
if (cred == NULL || passwd == NULL) {
return -1;
}
- if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
+ if ((p = passwd_hash( passwd, "{MD5}", methods )) != NULL ) {
lutil_MD5_CTX MD5context;
unsigned char MD5digest[16];
char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
- const char *p = passwd + (sizeof("{MD5}") - 1);
-
lutil_MD5Init(&MD5context);
lutil_MD5Update(&MD5context,
(const unsigned char *)cred, strlen(cred));
@@ -60,11 +98,10 @@ lutil_passwd(
return( strcmp(p, base64digest) );
- } else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
+ } else if ((p = passwd_hash( passwd, "{SHA}", methods )) != NULL ) {
lutil_SHA1_CTX SHA1context;
unsigned char SHA1digest[20];
char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
- const char *p = passwd + (sizeof("{SHA}") - 1);
lutil_SHA1Init(&SHA1context);
lutil_SHA1Update(&SHA1context,
@@ -79,10 +116,9 @@ lutil_passwd(
return( strcmp(p, base64digest) );
- } else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
+ } else if ((p = passwd_hash( passwd, "{SSHA}", methods )) != NULL ) {
lutil_SHA1_CTX SHA1context;
unsigned char SHA1digest[20];
- const char *p = passwd + (sizeof("{SSHA}") - 1);
int pw_len = strlen(p);
int rc;
unsigned char *orig_pass = NULL;
@@ -109,10 +145,9 @@ lutil_passwd(
free(orig_pass);
return(rc);
- } else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) {
+ } else if ((p = passwd_hash( passwd, "{SMD5}", methods )) != NULL ) {
lutil_MD5_CTX MD5context;
unsigned char MD5digest[16];
- const char *p = passwd + (sizeof("{SMD5}") - 1);
int pw_len = strlen(p);
int rc;
unsigned char *orig_pass = NULL;
@@ -140,18 +175,15 @@ lutil_passwd(
return ( rc );
#ifdef SLAPD_CRYPT
- } else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
- const char *p = passwd + (sizeof("{CRYPT}") - 1);
-
+ } else if ((p = passwd_hash( passwd, "{CRYPT}", methods )) != NULL ) {
return( strcmp(p, crypt(cred, p)) );
# if defined( HAVE_GETSPNAM ) \
|| ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
- } else if (strncasecmp(passwd, "{UNIX}", sizeof("{UNIX}") - 1) == 0 ) {
- const char *u = passwd + (sizeof("{UNIX}") - 1);
+ } else if ((p = passwd_hash( passwd, "{UNIX}", methods )) != NULL ) {
# ifdef HAVE_GETSPNAM
- struct spwd *spwd = getspnam(u);
+ struct spwd *spwd = getspnam(p);
if(spwd == NULL) {
return 1; /* not found */
@@ -159,7 +191,7 @@ lutil_passwd(
return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
# else
- struct passwd *pwd = getpwnam(u);
+ struct passwd *pwd = getpwnam(p);
if(pwd == NULL) {
return 1; /* not found */
@@ -172,7 +204,8 @@ lutil_passwd(
}
#ifdef SLAPD_CLEARTEXT
- return( strcmp(passwd, cred) );
+ return supported_hash("{CLEARTEXT}", methods ) &&
+ strcmp(passwd, cred) != 0;
#else
return( 1 );
#endif
diff --git a/servers/slapd/back-bdb2/bind.c b/servers/slapd/back-bdb2/bind.c
index 5524a0ea31..c2137fd0f9 100644
--- a/servers/slapd/back-bdb2/bind.c
+++ b/servers/slapd/back-bdb2/bind.c
@@ -39,7 +39,8 @@ crypted_value_find(
result = lutil_passwd(
(char*) cred->bv_val,
- (char*) vals[i]->bv_val);
+ (char*) vals[i]->bv_val,
+ NULL );
#ifdef SLAPD_CRYPT
ldap_pvt_thread_mutex_unlock( &crypt_mutex );
diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c
index 97d88b921c..bf05252337 100644
--- a/servers/slapd/back-ldbm/bind.c
+++ b/servers/slapd/back-ldbm/bind.c
@@ -39,7 +39,8 @@ crypted_value_find(
result = lutil_passwd(
(char*) cred->bv_val,
- (char*) vals[i]->bv_val);
+ (char*) vals[i]->bv_val,
+ NULL );
#ifdef SLAPD_CRYPT
ldap_pvt_thread_mutex_unlock( &crypt_mutex );
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index e7d6c13d4b..5b5a1f5db8 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -525,7 +525,7 @@ be_isroot_pw( Backend *be, char *ndn, struct berval *cred )
ldap_pvt_thread_mutex_lock( &crypt_mutex );
#endif
- result = lutil_passwd( cred->bv_val, be->be_root_pw );
+ result = lutil_passwd( cred->bv_val, be->be_root_pw, NULL );
#ifdef SLAPD_CRYPT
ldap_pvt_thread_mutex_unlock( &crypt_mutex );
--
GitLab