passwd.c 14.5 KB
Newer Older
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1
/* passwd.c - password extended operation routines */
2
/* $OpenLDAP$ */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
3
4
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
Quanah Gibson-Mount's avatar
Quanah Gibson-Mount committed
5
 * Copyright 1998-2021 The OpenLDAP Foundation.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
6
7
8
9
10
11
12
13
14
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
15
16
17
18
19
20
21
22
23
24
 */

#include "portable.h"

#include <stdio.h>

#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>

25
#ifdef SLAPD_CRYPT
Howard Chu's avatar
Howard Chu committed
26
27
28
#ifdef HAVE_CRYPT_R
#define __USE_GNU
#endif /* HAVE_CRYPT_R */
29
#include <ac/crypt.h>
Howard Chu's avatar
Howard Chu committed
30
#endif /* SLAPD_CRYPT */
31

32
33
#include "slap.h"

34
#include <lber_pvt.h>
35
#include <lutil.h>
36
#include <lutil_sha1.h>
37

38
39
const struct berval slap_EXOP_MODIFY_PASSWD = BER_BVC(LDAP_EXOP_MODIFY_PASSWD);

40
41
42
43
44
45
46
47
48
static const char *defhash[] = {
#ifdef LUTIL_SHA1_BYTES
	"{SSHA}",
#else
	"{SMD5}",
#endif
	NULL
};

49
int passwd_extop(
50
51
	Operation *op,
	SlapReply *rs )
52
{
53
54
	struct berval id = {0, NULL}, hash, *rsp = NULL;
	req_pwdexop_s *qpw = &op->oq_pwdexop;
55
	req_extended_s qext = op->oq_extended;
56
	Modifications *ml;
57
	slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
58
	int i, nhash;
59
	char **hashes, idNul;
60
	int rc;
61
	BackendDB *op_be;
62
	int freenewpw = 0;
63
	struct berval dn = BER_BVNULL, ndn = BER_BVNULL;
64

Howard Chu's avatar
Howard Chu committed
65
	assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
66

67
	if( op->o_dn.bv_len == 0 ) {
68
69
		Debug( LDAP_DEBUG_STATS, "%s PASSMOD\n",
			op->o_log_prefix );
70
		rs->sr_text = "only authenticated users may change passwords";
71
72
73
		return LDAP_STRONG_AUTH_REQUIRED;
	}

74
	qpw->rs_old.bv_len = 0;
75
	qpw->rs_old.bv_val = NULL;
76
	qpw->rs_new.bv_len = 0;
77
78
79
80
	qpw->rs_new.bv_val = NULL;
	qpw->rs_mods = NULL;
	qpw->rs_modtail = NULL;

81
82
	rs->sr_err = slap_passwd_parse( op->ore_reqdata, &id,
		&qpw->rs_old, &qpw->rs_new, &rs->sr_text );
83

84
85
86
87
	if ( !BER_BVISNULL( &id )) {
		idNul = id.bv_val[id.bv_len];
		id.bv_val[id.bv_len] = '\0';
	}
88
	if ( rs->sr_err == LDAP_SUCCESS && !BER_BVISEMPTY( &id ) ) {
89
		Debug( LDAP_DEBUG_STATS, "%s PASSMOD id=\"%s\"%s%s\n",
90
91
			op->o_log_prefix, id.bv_val,
			qpw->rs_old.bv_val ? " old" : "",
92
			qpw->rs_new.bv_val ? " new" : "" );
93
	} else {
94
		Debug( LDAP_DEBUG_STATS, "%s PASSMOD%s%s\n",
95
96
			op->o_log_prefix,
			qpw->rs_old.bv_val ? " old" : "",
97
			qpw->rs_new.bv_val ? " new" : "" );
98
99
	}

100
	if ( rs->sr_err != LDAP_SUCCESS ) {
101
102
		if ( !BER_BVISNULL( &id ))
			id.bv_val[id.bv_len] = idNul;
Pierangelo Masarati's avatar
Pierangelo Masarati committed
103
104
		return rs->sr_err;
	}
105

Pierangelo Masarati's avatar
Pierangelo Masarati committed
106
	if ( !BER_BVISEMPTY( &id ) ) {
107
		rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx );
108
		id.bv_val[id.bv_len] = idNul;
109
110
		if ( rs->sr_err != LDAP_SUCCESS ) {
			rs->sr_text = "Invalid DN";
111
112
			rc = rs->sr_err;
			goto error_return;
113
		}
114
115
		op->o_req_dn = dn;
		op->o_req_ndn = ndn;
116
		op->o_bd = select_backend( &op->o_req_ndn, 1 );
117

Pierangelo Masarati's avatar
Pierangelo Masarati committed
118
	} else {
119
120
121
122
		ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx );
		ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx );
		op->o_req_dn = dn;
		op->o_req_ndn = ndn;
123
		ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
Pierangelo Masarati's avatar
Pierangelo Masarati committed
124
		op->o_bd = op->o_conn->c_authz_backend;
125
		ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
Pierangelo Masarati's avatar
Pierangelo Masarati committed
126
	}
127

128
	if( op->o_bd == NULL ) {
129
130
131
132
133
134
		if ( qpw->rs_old.bv_val != NULL ) {
			rs->sr_text = "unwilling to verify old password";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto error_return;
		}

135
#ifdef HAVE_CYRUS_SASL
136
		rc = slap_sasl_setpass( op, rs );
137
138
#else
		rs->sr_text = "no authz backend";
139
		rc = LDAP_OTHER;
140
#endif
141
		goto error_return;
142
143
	}

144
	if ( op->o_req_ndn.bv_len == 0 ) {
145
		rs->sr_text = "no password is associated with the Root DSE";
146
147
		rc = LDAP_UNWILLING_TO_PERFORM;
		goto error_return;
148
	}
149

150
151
152
	/* If we've got a glued backend, check the real backend */
	op_be = op->o_bd;
	if ( SLAP_GLUE_INSTANCE( op->o_bd )) {
153
		op->o_bd = select_backend( &op->o_req_ndn, 0 );
154
155
	}

156
157
	if (backend_check_restrictions( op, rs,
			(struct berval *)&slap_EXOP_MODIFY_PASSWD ) != LDAP_SUCCESS) {
158
159
		rc = rs->sr_err;
		goto error_return;
160
161
	}

Pierangelo Masarati's avatar
Pierangelo Masarati committed
162
163
164
165
166
	/* check for referrals */
	if ( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
		rc = rs->sr_err;
		goto error_return;
	}
167

168
	/* This does not apply to multi-provider case */
169
	if(!( !SLAP_SINGLE_SHADOW( op->o_bd ) || be_isupdate( op ))) {
170
		/* we SHOULD return a referral in this case */
171
		BerVarray defref = op->o_bd->be_update_refs
172
			? op->o_bd->be_update_refs : default_referral; 
173
174
175

		if( defref != NULL ) {
			rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs,
176
				NULL, NULL, LDAP_SCOPE_DEFAULT );
177
178
179
180
181
			if(rs->sr_ref) {
				rs->sr_flags |= REP_REF_MUSTBEFREED;
			} else {
				rs->sr_ref = defref;
			}
182
183
			rc = LDAP_REFERRAL;
			goto error_return;
184

185
		}
186
187

		rs->sr_text = "shadow context; no update referral";
188
189
		rc = LDAP_UNWILLING_TO_PERFORM;
		goto error_return;
190
	}
191

192
193
194
195
196
	/* generate a new password if none was provided */
	if ( qpw->rs_new.bv_len == 0 ) {
		slap_passwd_generate( &qpw->rs_new );
		if ( qpw->rs_new.bv_len ) {
			rsp = slap_passwd_return( &qpw->rs_new );
197
			freenewpw = 1;
198
199
200
201
		}
	}
	if ( qpw->rs_new.bv_len == 0 ) {
		rs->sr_text = "password generation failed";
202
203
		rc = LDAP_OTHER;
		goto error_return;
204
205
	}

206
207
	op->o_bd = op_be;

208
209
210
	/* Give the backend a chance to handle this itself */
	if ( op->o_bd->be_extended ) {
		rs->sr_err = op->o_bd->be_extended( op, rs );
211
		if ( rs->sr_err != LDAP_UNWILLING_TO_PERFORM &&
212
213
			rs->sr_err != SLAP_CB_CONTINUE )
		{
214
			rc = rs->sr_err;
215
216
217
218
			if ( rsp ) {
				rs->sr_rspdata = rsp;
				rsp = NULL;
			}
219
			goto error_return;
220
221
222
223
224
225
		}
	}

	/* The backend didn't handle it, so try it here */
	if( op->o_bd && !op->o_bd->be_modify ) {
		rs->sr_text = "operation not supported for current user";
226
227
		rc = LDAP_UNWILLING_TO_PERFORM;
		goto error_return;
228
229
	}

230
	if ( qpw->rs_old.bv_val != NULL ) {
231
232
233
234
235
236
237
		Entry *e = NULL;

		rc = be_entry_get_rw( op, &op->o_req_ndn, NULL,
			slap_schema.si_ad_userPassword, 0, &e );
		if ( rc == LDAP_SUCCESS && e ) {
			Attribute *a = attr_find( e->e_attrs,
				slap_schema.si_ad_userPassword );
Howard Chu's avatar
Howard Chu committed
238
			if ( a )
239
240
241
242
243
244
245
				rc = slap_passwd_check( op, e, a, &qpw->rs_old, &rs->sr_text );
			else
				rc = 1;
			be_entry_release_r( op, e );
			if ( rc == LDAP_SUCCESS )
				goto old_good;
		}
246
247
248
249
250
		rs->sr_text = "unwilling to verify old password";
		rc = LDAP_UNWILLING_TO_PERFORM;
		goto error_return;
	}

251
old_good:
252
253
254
	ml = ch_malloc( sizeof(Modifications) );
	if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next;

255
256
257
	if ( default_passwd_hash ) {
		for ( nhash = 0; default_passwd_hash[nhash]; nhash++ );
		hashes = default_passwd_hash;
258
259
260
	} else {
		nhash = 1;
		hashes = (char **)defhash;
261
	}
262
	ml->sml_numvals = nhash;
263
264
	ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) );
	for ( i=0; hashes[i]; i++ ) {
265
		slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text );
266
267
268
269
270
		if ( hash.bv_len == 0 ) {
			if ( !rs->sr_text ) {
				rs->sr_text = "password hash failed";
			}
			break;
271
		}
272
		ml->sml_values[i] = hash;
273
	}
274
	ml->sml_values[i].bv_val = NULL;
275
	ml->sml_nvalues = NULL;
276
	ml->sml_desc = slap_schema.si_ad_userPassword;
Howard Chu's avatar
Howard Chu committed
277
	ml->sml_type = ml->sml_desc->ad_cname;
278
	ml->sml_op = LDAP_MOD_REPLACE;
279
	ml->sml_flags = 0;
280
281
	ml->sml_next = qpw->rs_mods;
	qpw->rs_mods = ml;
282

283
284
	if ( hashes[i] ) {
		rs->sr_err = LDAP_OTHER;
285

286
	} else {
287
288
289
		slap_callback *sc = op->o_callback;

		op->o_tag = LDAP_REQ_MODIFY;
Howard Chu's avatar
Howard Chu committed
290
		op->o_callback = &cb;
291
		op->orm_modlist = qpw->rs_mods;
Pierangelo Masarati's avatar
Pierangelo Masarati committed
292
293
		op->orm_no_opattrs = 0;
		
Howard Chu's avatar
Howard Chu committed
294
		cb.sc_private = qpw;	/* let Modify know this was pwdMod,
Howard Chu's avatar
Howard Chu committed
295
					 * if it cares... */
296

Howard Chu's avatar
Howard Chu committed
297
		rs->sr_err = op->o_bd->be_modify( op, rs );
298
299
300
301

		/* be_modify() might have shuffled modifications */
		qpw->rs_mods = op->orm_modlist;

302
303
		if ( rs->sr_err == LDAP_SUCCESS ) {
			rs->sr_rspdata = rsp;
304

305
306
		} else if ( rsp ) {
			ber_bvfree( rsp );
307
			rsp = NULL;
308
		}
309
310
		op->o_tag = LDAP_REQ_EXTENDED;
		op->o_callback = sc;
311
312
	}

313
	rc = rs->sr_err;
314
	op->oq_extended = qext;
315
316

error_return:;
317
318
319
320
321
322
	if ( qpw->rs_mods ) {
		slap_mods_free( qpw->rs_mods, 1 );
	}
	if ( freenewpw ) {
		free( qpw->rs_new.bv_val );
	}
323
324
	if ( !BER_BVISNULL( &dn ) ) {
		op->o_tmpfree( dn.bv_val, op->o_tmpmemctx );
325
		BER_BVZERO( &op->o_req_dn );
326
	}
327
328
	if ( !BER_BVISNULL( &ndn ) ) {
		op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
329
		BER_BVZERO( &op->o_req_ndn );
330
331
332
	}

	return rc;
333
334
}

335
336
337
338
/* NOTE: The DN in *id is NOT NUL-terminated here. dnNormalize will
 * reject it in this condition, the caller must NUL-terminate it.
 * FIXME: should dnNormalize still be complaining about that?
 */
339
int slap_passwd_parse( struct berval *reqdata,
340
341
342
	struct berval *id,
	struct berval *oldpass,
	struct berval *newpass,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
343
	const char **text )
344
345
346
{
	int rc = LDAP_SUCCESS;
	ber_tag_t tag;
347
	ber_len_t len = -1;
348
349
	BerElementBuffer berbuf;
	BerElement *ber = (BerElement *)&berbuf;
350

351
352
353
	if( reqdata == NULL ) {
		return LDAP_SUCCESS;
	}
354

355
356
357
358
359
	if( reqdata->bv_len == 0 ) {
		*text = "empty request data field";
		return LDAP_PROTOCOL_ERROR;
	}

360
361
	/* ber_init2 uses reqdata directly, doesn't allocate new buffers */
	ber_init2( ber, reqdata, 0 );
362

363
	tag = ber_skip_tag( ber, &len );
364

365
	if( tag != LBER_SEQUENCE ) {
366
		Debug( LDAP_DEBUG_TRACE,
367
			"slap_passwd_parse: decoding error\n" );
368
369
		rc = LDAP_PROTOCOL_ERROR;
		goto done;
370
	}
371

372
	tag = ber_peek_tag( ber, &len );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
373
	if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
374
		if( id == NULL ) {
375
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n" );
376

377
378
379
380
381
			*text = "user must change own password";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto done;
		}

382
		tag = ber_get_stringbv( ber, id, LBER_BV_NOTERM );
383
384

		if( tag == LBER_ERROR ) {
385
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n" );
386

387
388
389
			goto decoding_error;
		}

Pierangelo Masarati's avatar
Pierangelo Masarati committed
390
		tag = ber_peek_tag( ber, &len );
391
392
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
393
	if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
394
		if( oldpass == NULL ) {
395
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n" );
396

397
398
399
400
401
			*text = "use bind to verify old password";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto done;
		}

402
		tag = ber_get_stringbv( ber, oldpass, LBER_BV_NOTERM );
403
404

		if( tag == LBER_ERROR ) {
405
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n" );
406

407
408
409
			goto decoding_error;
		}

410
		if( oldpass->bv_len == 0 ) {
411
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD empty.\n" );
412
413
414
415
416
417

			*text = "old password value is empty";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto done;
		}

418
		tag = ber_peek_tag( ber, &len );
419
420
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
421
	if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
422
		if( newpass == NULL ) {
423
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n" );
424

425
426
427
428
			*text = "user specified passwords disallowed";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto done;
		}
429

430
		tag = ber_get_stringbv( ber, newpass, LBER_BV_NOTERM );
431
432

		if( tag == LBER_ERROR ) {
433
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW parse failed.\n" );
434

435
436
437
			goto decoding_error;
		}

438
		if( newpass->bv_len == 0 ) {
439
			Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW empty.\n" );
440
441
442
443
444
445

			*text = "new password value is empty";
			rc = LDAP_UNWILLING_TO_PERFORM;
			goto done;
		}

446
447
448
449
450
451
452
		tag = ber_peek_tag( ber, &len );
	}

	if( len != 0 ) {
decoding_error:
		Debug( LDAP_DEBUG_TRACE,
			"slap_passwd_parse: decoding error, len=%ld\n",
453
			(long) len );
454

455
		*text = "data decoding error";
456
		rc = LDAP_PROTOCOL_ERROR;
457
458
	}

459
done:
460
461
462
	return rc;
}

463
464
465
466
struct berval * slap_passwd_return(
	struct berval		*cred )
{
	int rc;
Howard Chu's avatar
Howard Chu committed
467
	struct berval *bv = NULL;
468
	BerElementBuffer berbuf;
Howard Chu's avatar
Howard Chu committed
469
	/* opaque structure, size unknown but smaller than berbuf */
470
	BerElement *ber = (BerElement *)&berbuf;
471
472
473
474

	assert( cred != NULL );

	Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
475
		(long) cred->bv_len );
476
	
Howard Chu's avatar
Howard Chu committed
477
478
	ber_init_w_nullc( ber, LBER_USE_DER );

479
	rc = ber_printf( ber, "{tON}",
Kurt Zeilenga's avatar
Kurt Zeilenga committed
480
		LDAP_TAG_EXOP_MODIFY_PASSWD_GEN, cred );
481

Howard Chu's avatar
Howard Chu committed
482
483
	if( rc >= 0 ) {
		(void) ber_flatten( ber, &bv );
484
485
	}

Howard Chu's avatar
Howard Chu committed
486
	ber_free_buf( ber );
487
488
489
490

	return bv;
}

491
492
493
/*
 * if "e" is provided, access to each value of the password is checked first
 */
494
495
int
slap_passwd_check(
496
497
498
499
500
	Operation	*op,
	Entry		*e,
	Attribute	*a,
	struct berval	*cred,
	const char	**text )
501
{
502
503
504
	int			result = 1;
	struct berval		*bv;
	AccessControlState	acl_state = ACL_STATE_INIT;
Howard Chu's avatar
Howard Chu committed
505
	char		credNul = cred->bv_val[cred->bv_len];
506

507
#ifdef SLAPD_SPASSWD
508
509
	void		*old_authctx = NULL;

510
511
	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
		op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
512
#endif
513

Howard Chu's avatar
Howard Chu committed
514
515
	if ( credNul ) cred->bv_val[cred->bv_len] = 0;

516
	for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
517
518
519
520
521
522
		/* if e is provided, check access */
		if ( e && access_allowed( op, e, a->a_desc, bv,
					ACL_AUTH, &acl_state ) == 0 )
		{
			continue;
		}
523
524
		
		if ( !lutil_passwd( bv, cred, NULL, text ) ) {
525
526
527
528
			result = 0;
			break;
		}
	}
529

Howard Chu's avatar
Howard Chu committed
530
531
	if ( credNul ) cred->bv_val[cred->bv_len] = credNul;

532
#ifdef SLAPD_SPASSWD
533
534
	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
		old_authctx, 0, NULL, NULL );
535
536
#endif

537
	return result;
538
}
539

540
541
void
slap_passwd_generate( struct berval *pass )
542
{
543
	Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n" );
Pierangelo Masarati's avatar
cleanup    
Pierangelo Masarati committed
544
	BER_BVZERO( pass );
545

546
547
548
549
	/*
	 * generate passwords of only 8 characters as some getpass(3)
	 * implementations truncate at 8 characters.
	 */
550
	lutil_passwd_generate( pass, 8 );
551
552
}

553
void
554
slap_passwd_hash_type(
555
	struct berval * cred,
556
	struct berval * new,
557
	char *hash,
558
	const char **text )
559
{
560
561
	new->bv_len = 0;
	new->bv_val = NULL;
562

563
	assert( hash != NULL );
Howard Chu's avatar
Howard Chu committed
564

565
	lutil_passwd_hash( cred , hash, new, text );
566
}
567
568
569
570
571
572
void
slap_passwd_hash(
	struct berval * cred,
	struct berval * new,
	const char **text )
{
Howard Chu's avatar
Howard Chu committed
573
	char *hash = NULL;
574
575
	if ( default_passwd_hash ) {
		hash = default_passwd_hash[0];
576
577
578
579
580
581
582
	}
	if ( !hash ) {
		hash = (char *)defhash[0];
	}

	slap_passwd_hash_type( cred, new, hash, text );
}
583
584
585
586
587

#ifdef SLAPD_CRYPT
static ldap_pvt_thread_mutex_t passwd_mutex;
static lutil_cryptfunc slapd_crypt;

Howard Chu's avatar
Howard Chu committed
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
#ifdef HAVE_CRYPT_R
static int slapd_crypt( const char *key, const char *salt, char **hash )
{
	char *cr;
	int rc;
	struct crypt_data data;

	data.initialized = 0;
	cr = crypt_r( key, salt, &data );
	if ( cr == NULL || cr[0] == '\0' ) {
		/* salt must have been invalid */
		rc = LUTIL_PASSWD_ERR;
	} else {
		if ( hash ) {
			*hash = ber_strdup( cr );
			rc = LUTIL_PASSWD_OK;
		} else {
			rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
		}
	}

    return rc;
}
#else
Howard Chu's avatar
Howard Chu committed
612
static int slapd_crypt( const char *key, const char *salt, char **hash )
613
614
615
616
617
618
619
620
621
622
623
624
625
626
{
	char *cr;
	int rc;

	ldap_pvt_thread_mutex_lock( &passwd_mutex );

	cr = crypt( key, salt );
	if ( cr == NULL || cr[0] == '\0' ) {
		/* salt must have been invalid */
		rc = LUTIL_PASSWD_ERR;
	} else {
		if ( hash ) {
			*hash = ber_strdup( cr );
			rc = LUTIL_PASSWD_OK;
Pierangelo Masarati's avatar
Pierangelo Masarati committed
627
628
629

		} else {
			rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
630
631
632
633
634
635
		}
	}

	ldap_pvt_thread_mutex_unlock( &passwd_mutex );
	return rc;
}
Howard Chu's avatar
Howard Chu committed
636
637
#endif /* HAVE_CRYPT_R */

638
639
#endif /* SLAPD_CRYPT */

Howard Chu's avatar
Howard Chu committed
640
641
642
643
644
645
646
647
void slap_passwd_init()
{
#ifdef SLAPD_CRYPT
	ldap_pvt_thread_mutex_init( &passwd_mutex );
	lutil_cryptptr = slapd_crypt;
#endif
}