Commit e02de533 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Import in slapd password enhancements from -devel.

parent 87f57351
......@@ -37,12 +37,13 @@ CHANGES
Changes from OpenLDAP 1.0
- improved build environment with dynamic library support,
- externally configurable client library support: ldap.conf(5),
- improved password security features include SHA1, MD5, crypt(3)
user and root passwords instead of clear-text password
- integrated SDK and tools for MS NT,
- platforms updates, and
- numerous bug fixes and build changes.
Changes from U. Mich release 3.3
- TCP Wrappers support added to slapd,
- Berkely DB2 compatibility added to slapd,
- ACL enhancements including Access by Group and POSIX regex(3) support,
......
......@@ -4,6 +4,7 @@ Changes included in OpenLDAP 1.1-Alpha (from -devel)
CVS Tag: OPENLDAP_REL_ENG_1_1_BETA
Added ldap.conf support
Added configuration preservation support
Added slapd passwd handling improvements
Updated shared library version to release 1
Fixed lib-shared.mk handling of static library
Fixed no-ldapd make install bugs
......
......@@ -154,15 +154,15 @@
/* define this for ACL Group support */
#undef SLAPD_ACLGROUPS
/* define this for ClearText password support */
#undef SLAPD_CLEARTEXT
/* define this for crypt(3) password support */
#undef SLAPD_CRYPT
/* define this to use SLAPD LDBM backend */
#undef SLAPD_LDBM
/* define this for MD5 password support */
#undef SLAPD_MD5
/* define this to use SLAPD passwd backend */
#undef SLAPD_PASSWD
......@@ -172,9 +172,6 @@
/* define this for Reverse Lookup support */
#undef SLAPD_RLOOKUPS
/* define this for SHA1 password support */
#undef SLAPD_SHA1
/* define this to use SLAPD shell backend */
#undef SLAPD_SHELL
......
......@@ -67,9 +67,8 @@ dnl SLAPD OPTIONS
AC_ARG_WITH(xxslapdoptions,[SLAPD Options:])
OL_ARG_ENABLE(slapd,[ --enable-slapd enable building slapd], yes)dnl
OL_ARG_ENABLE(aclgroups,[ --enable-aclgroups enable ACL group support], auto)dnl
OL_ARG_ENABLE(cleartext,[ --enable-cleartext enable cleartext passwords], yes)dnl
OL_ARG_ENABLE(crypt,[ --enable-crypt enable crypt(3) passwords], auto)dnl
OL_ARG_ENABLE(md5,[ --enable-md5 enable MD5 passwords], auto)dnl
OL_ARG_ENABLE(sha1,[ --enable-sha1 enable SHA1 passwords], auto)dnl
OL_ARG_ENABLE(wrappers,[ --enable-wrappers enable tcp wrapper support], no)dnl
OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups], auto)dnl
......@@ -116,15 +115,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_aclgroups = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable_aclgroups argument])
fi
if test $ol_enable_crypt = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable_crypt argument])
fi
if test $ol_enable_md5 = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable_md5 argument])
fi
if test $ol_enable_sha1 = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable_sha1 argument])
fi
if test $ol_enable_wrappers = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable_wrappers argument])
fi
......@@ -149,9 +139,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_shell=no
ol_enable_passwd=no
ol_enable_aclgroups=no
ol_enable_crypt=no
ol_enable_md5=no
ol_enable_sha1=no
ol_enable_wrappers=no
ol_enable_phonetic=no
ol_enable_rlookups=no
......@@ -1134,11 +1121,8 @@ fi
if test $ol_enable_crypt != no ; then
AC_DEFINE(SLAPD_CRYPT,1)
fi
if test $ol_enable_md5 != no ; then
AC_DEFINE(SLAPD_MD5,1)
fi
if test $ol_enable_sha1 != no ; then
AC_DEFINE(SLAPD_SHA1,1)
if test $ol_enable_cleartext != no ; then
AC_DEFINE(SLAPD_CLEARTEXT,1)
fi
if test $ol_enable_phonetic != no ; then
AC_DEFINE(SLAPD_PHONETIC,1)
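Review bot: The new `ol_enable_cleartext` option is neither warned about nor forced off in the `if test $ol_enable_slapd = no` block, whereas the options that remain there (`wrappers`, `phonetic`, `rlookups`) get both an `AC_MSG_WARN` and an `ol_enable_X=no` reset, so `--disable-slapd` still defines `SLAPD_CLEARTEXT` through the later `if test $ol_enable_cleartext != no` test. The same now applies to `ol_enable_crypt`, whose warning and reset lines are removed in this file while its `AC_DEFINE(SLAPD_CRYPT,1)` stays. If that is intentional because `lutil_passwd` lives in liblutil and is built outside slapd, a `dnl` comment next to the cleartext/crypt `AC_DEFINE`s saying so would keep the next reader from re-adding the resets; otherwise add `ol_enable_cleartext=no` alongside `ol_enable_wrappers=no`.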
......
......@@ -10,8 +10,8 @@ LDAP_BEGIN_DECL
/* ISC Base64 Routines */
/* base64.c */
LDAP_F int b64_ntop LDAP_P((u_char const *, size_t, char *, size_t));
LDAP_F int b64_pton LDAP_P((char const *, u_char *, size_t));
LDAP_F int lutil_b64_ntop LDAP_P((u_char const *, size_t, char *, size_t));
LDAP_F int lutil_b64_pton LDAP_P((char const *, u_char *, size_t));
/* detach.c */
LDAP_F void lutil_detach LDAP_P((int debug, int do_close));
/* passwd.c */
......
/* See md5.c for explanation and copyright information. */
#ifndef _LDAP_MD5_H_
#define _LDAP_MD5_H_
#ifndef _LUTIL_MD5_H_
#define _LUTIL_MD5_H_
#include <ldap_cdefs.h>
#include <ac/bytes.h>
......@@ -19,33 +19,33 @@ LDAP_BEGIN_DECL
typedef LDAP_UINT4 uint32;
#endif
struct ldap_MD5Context {
struct lutil_MD5Context {
uint32 buf[4];
uint32 bits[2];
unsigned char in[64];
};
LDAP_F void ldap_MD5Init LDAP_P((
struct ldap_MD5Context *context));
LDAP_F void lutil_MD5Init LDAP_P((
struct lutil_MD5Context *context));
LDAP_F void ldap_MD5Update LDAP_P((
struct ldap_MD5Context *context,
LDAP_F void lutil_MD5Update LDAP_P((
struct lutil_MD5Context *context,
unsigned char const *buf,
unsigned len));
LDAP_F void ldap_MD5Final LDAP_P((
LDAP_F void lutil_MD5Final LDAP_P((
unsigned char digest[16],
struct ldap_MD5Context *context));
struct lutil_MD5Context *context));
LDAP_F void ldap_MD5Transform LDAP_P((
LDAP_F void lutil_MD5Transform LDAP_P((
uint32 buf[4],
const unsigned char in[64]));
/*
* This is needed to make RSAREF happy on some MS-DOS compilers.
*/
typedef struct ldap_MD5Context ldap_MD5_CTX;
typedef struct lutil_MD5Context lutil_MD5_CTX;
LDAP_END_DECL
#endif /* _LDAP_MD5_H_ */
#endif /* _LUTIL_MD5_H_ */
/* This version is based on:
* $OpenBSD: sha1.h,v 1.8 1997/07/15 01:54:23 millert Exp $ */
#ifndef _LDAP_SHA1_H_
#define _LDAP_SHA1_H_
#ifndef _LUTIL_SHA1_H_
#define _LUTIL_SHA1_H_
#include <ldap_cdefs.h>
#include <ac/bytes.h>
......@@ -24,29 +24,29 @@ typedef struct {
uint32 state[5];
uint32 count[2];
unsigned char buffer[64];
} ldap_SHA1_CTX;
} lutil_SHA1_CTX;
LDAP_F void ldap_SHA1Transform
LDAP_F void lutil_SHA1Transform
LDAP_P((uint32 state[5], const unsigned char buffer[64]));
LDAP_F void ldap_SHA1Init
LDAP_P((ldap_SHA1_CTX *context));
LDAP_F void lutil_SHA1Init
LDAP_P((lutil_SHA1_CTX *context));
LDAP_F void ldap_SHA1Update
LDAP_P((ldap_SHA1_CTX *context, const unsigned char *data, u_int len));
LDAP_F void lutil_SHA1Update
LDAP_P((lutil_SHA1_CTX *context, const unsigned char *data, u_int len));
LDAP_F void ldap_SHA1Final
LDAP_P((unsigned char digest[20], ldap_SHA1_CTX *context));
LDAP_F void lutil_SHA1Final
LDAP_P((unsigned char digest[20], lutil_SHA1_CTX *context));
LDAP_F char *ldap_SHA1End
LDAP_P((ldap_SHA1_CTX *, char *));
LDAP_F char *lutil_SHA1End
LDAP_P((lutil_SHA1_CTX *, char *));
LDAP_F char *ldap_SHA1File
LDAP_F char *lutil_SHA1File
LDAP_P((char *, char *));
LDAP_F char *ldap_SHA1Data
LDAP_F char *lutil_SHA1Data
LDAP_P((const unsigned char *, size_t, char *));
LDAP_END_DECL
#endif /* _LDAP_SHA1_H_ */
#endif /* _LUTIL_SHA1_H_ */
......@@ -246,15 +246,15 @@ is provided ``as is'' without express or implied warranty.
/* define this for ACL Group support */
#undef SLAPD_ACLGROUPS
/* define this for ClearText password support */
#undef SLAPD_CLEARTEXT
/* define this for crypt(3) password support */
#undef SLAPD_CRYPT
/* define this to use SLAPD LDBM backend */
#undef SLAPD_LDBM
/* define this for MD5 password support */
#undef SLAPD_MD5
/* define this to use SLAPD passwd backend */
#undef SLAPD_PASSWD
......@@ -264,9 +264,6 @@ is provided ``as is'' without express or implied warranty.
/* define this for Reverse Lookup support */
#undef SLAPD_RLOOKUPS
/* define this for SHA1 password support */
#undef SLAPD_SHA1
/* define this to use SLAPD shell backend */
#undef SLAPD_SHELL
......
......@@ -127,7 +127,7 @@ static const char Pad64 = '=';
*/
int
b64_ntop(
lutil_b64_ntop(
u_char const *src,
size_t srclength,
char *target,
......@@ -198,7 +198,7 @@ b64_ntop(
*/
int
b64_pton(
lutil_b64_pton(
char const *src,
u_char *target,
size_t targsize)
......
......@@ -65,7 +65,7 @@ putu32( uint32 data, unsigned char *addr )
* initialization constants.
*/
void
ldap_MD5Init( struct ldap_MD5Context *ctx )
lutil_MD5Init( struct lutil_MD5Context *ctx )
{
ctx->buf[0] = 0x67452301;
ctx->buf[1] = 0xefcdab89;
......@@ -81,8 +81,8 @@ ldap_MD5Init( struct ldap_MD5Context *ctx )
* of bytes.
*/
void
ldap_MD5Update(
struct ldap_MD5Context *ctx,
lutil_MD5Update(
struct lutil_MD5Context *ctx,
const unsigned char *buf,
unsigned int len
)
......@@ -109,7 +109,7 @@ ldap_MD5Update(
return;
}
memcpy(p, buf, t);
ldap_MD5Transform(ctx->buf, ctx->in);
lutil_MD5Transform(ctx->buf, ctx->in);
buf += t;
len -= t;
}
......@@ -118,7 +118,7 @@ ldap_MD5Update(
while (len >= 64) {
memcpy(ctx->in, buf, 64);
ldap_MD5Transform(ctx->buf, ctx->in);
lutil_MD5Transform(ctx->buf, ctx->in);
buf += 64;
len -= 64;
}
......@@ -133,7 +133,7 @@ ldap_MD5Update(
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void
ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
lutil_MD5Final( unsigned char *digest, struct lutil_MD5Context *ctx )
{
unsigned count;
unsigned char *p;
......@@ -153,7 +153,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
if (count < 8) {
/* Two lots of padding: Pad the first block to 64 bytes */
memset(p, 0, count);
ldap_MD5Transform(ctx->buf, ctx->in);
lutil_MD5Transform(ctx->buf, ctx->in);
/* Now fill the next block with 56 bytes */
memset(ctx->in, 0, 56);
......@@ -166,7 +166,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
putu32(ctx->bits[0], ctx->in + 56);
putu32(ctx->bits[1], ctx->in + 60);
ldap_MD5Transform(ctx->buf, ctx->in);
lutil_MD5Transform(ctx->buf, ctx->in);
putu32(ctx->buf[0], digest);
putu32(ctx->buf[1], digest + 4);
putu32(ctx->buf[2], digest + 8);
......@@ -194,7 +194,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
* the data and converts bytes into longwords for this routine.
*/
void
ldap_MD5Transform( uint32 *buf, const unsigned char *inraw )
lutil_MD5Transform( uint32 *buf, const unsigned char *inraw )
{
register uint32 a, b, c, d;
uint32 in[16];
......@@ -291,7 +291,7 @@ ldap_MD5Transform( uint32 *buf, const unsigned char *inraw )
int
main (int argc, char **argv )
{
struct ldap_MD5Context context;
struct lutil_MD5Context context;
unsigned char checksum[16];
int i;
int j;
......@@ -304,9 +304,9 @@ main (int argc, char **argv )
for (j = 1; j < argc; ++j)
{
printf ("MD5 (\"%s\") = ", argv[j]);
ldap_MD5Init (&context);
ldap_MD5Update (&context, argv[j], strlen (argv[j]));
ldap_MD5Final (checksum, &context);
lutil_MD5Init (&context);
lutil_MD5Update (&context, argv[j], strlen (argv[j]));
lutil_MD5Final (checksum, &context);
for (i = 0; i < 16; i++)
{
printf ("%02x", (unsigned int) checksum[i]);
......
......@@ -18,6 +18,7 @@
#include "lutil.h"
/*
* Return 0 if creds are good.
*/
int
......@@ -27,53 +28,58 @@ lutil_passwd(
{
if (cred == NULL || passwd == NULL) {
return 0;
return -1;
}
if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
const char *p = passwd + (sizeof("{CRYPT}") - 1);
return( strcmp(p, crypt(cred, p)) != 0 );
return( strcmp(p, crypt(cred, p)) );
} else if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
ldap_MD5_CTX MD5context;
unsigned char MD5digest[20];
char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
lutil_MD5_CTX MD5context;
unsigned char MD5digest[16];
char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
const char *p = passwd + (sizeof("{MD5}") - 1);
ldap_MD5Init(&MD5context);
ldap_MD5Update(&MD5context,
lutil_MD5Init(&MD5context);
lutil_MD5Update(&MD5context,
(const unsigned char *)cred, strlen(cred));
ldap_MD5Final(MD5digest, &MD5context);
lutil_MD5Final(MD5digest, &MD5context);
if ( b64_ntop(MD5digest, sizeof(MD5digest),
if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
base64digest, sizeof(base64digest)) < 0)
{
return ( 1 );
}
return (strcmp(p, base64digest) != 0);
return( strcmp(p, base64digest) );
} else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
ldap_SHA1_CTX SHA1context;
lutil_SHA1_CTX SHA1context;
unsigned char SHA1digest[20];
char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
const char *p = passwd + (sizeof("{SHA}") - 1);
ldap_SHA1Init(&SHA1context);
ldap_SHA1Update(&SHA1context,
lutil_SHA1Init(&SHA1context);
lutil_SHA1Update(&SHA1context,
(const unsigned char *) cred, strlen(cred));
ldap_SHA1Final(SHA1digest, &SHA1context);
lutil_SHA1Final(SHA1digest, &SHA1context);
if (b64_ntop(SHA1digest, sizeof(SHA1digest),
if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
base64digest, sizeof(base64digest)) < 0)
{
return ( 0 );
return ( 1 );
}
return( strcmp(p, base64digest) != 0 );
return( strcmp(p, base64digest) );
}
return( strcmp(passwd, cred) != 0 );
#ifdef SLAPD_CLEARTEXT
return( strcmp(passwd, cred) );
#else
return( 1 );
#endif
}
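Review bot: In the `{CRYPT}` branch, `strcmp(p, crypt(cred, p))` dereferences the result of `crypt()` without a NULL check; on some C libraries `crypt()` returns NULL (with errno set) for a salt it cannot handle, so a malformed stored value would crash the bind path rather than fail it. Capture the result first: `const char *c = crypt(cred, p);` then `return c == NULL ? 1 : strcmp(p, c);`. Separately, the return contract has changed from 0/non-zero via `!= 0` to the raw `strcmp` value, with `-1` also used for NULL arguments, so a caller cannot distinguish bad arguments from a mismatch; the `Return 0 if creds are good.` comment should state that any non-zero value means the credentials were not verified and that the magnitude carries no meaning. `lutil_passwd`'s signature lies above the hunk.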
......@@ -4,7 +4,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <ac/string.h>
#include <ac/setproctitle.h>
#include <ac/string.h>
......
......@@ -58,7 +58,7 @@
* Hash a single 512-bit block. This is the core of the algorithm.
*/
void
ldap_SHA1Transform( uint32 *state, const unsigned char *buffer )
lutil_SHA1Transform( uint32 *state, const unsigned char *buffer )
{
uint32 a, b, c, d, e;
typedef union {
......@@ -117,10 +117,10 @@ ldap_SHA1Transform( uint32 *state, const unsigned char *buffer )
/*
* ldap_SHA1Init - Initialize new context
* lutil_SHA1Init - Initialize new context
*/
void
ldap_SHA1Init( ldap_SHA1_CTX *context )
lutil_SHA1Init( lutil_SHA1_CTX *context )
{
/* SHA1 initialization constants */
......@@ -137,8 +137,8 @@ ldap_SHA1Init( ldap_SHA1_CTX *context )
* Run your data through this.
*/
void
ldap_SHA1Update(
ldap_SHA1_CTX *context,
lutil_SHA1Update(
lutil_SHA1_CTX *context,
const unsigned char *data,
u_int len
)
......@@ -151,9 +151,9 @@ ldap_SHA1Update(
j = (j >> 3) & 63;
if ((j + len) > 63) {
(void)memcpy(&context->buffer[j], data, (i = 64-j));
ldap_SHA1Transform(context->state, context->buffer);
lutil_SHA1Transform(context->state, context->buffer);
for ( ; i + 63 < len; i += 64)
ldap_SHA1Transform(context->state, &data[i]);
lutil_SHA1Transform(context->state, &data[i]);
j = 0;
} else {
i = 0;
......@@ -166,7 +166,7 @@ ldap_SHA1Update(
* Add padding and return the message digest.
*/
void
ldap_SHA1Final( unsigned char *digest, ldap_SHA1_CTX *context )
lutil_SHA1Final( unsigned char *digest, lutil_SHA1_CTX *context )
{
u_int i;
unsigned char finalcount[8];
......@@ -175,10 +175,10 @@ ldap_SHA1Final( unsigned char *digest, ldap_SHA1_CTX *context )
finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
>> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
}
ldap_SHA1Update(context, (unsigned char *)"\200", 1);
lutil_SHA1Update(context, (unsigned char *)"\200", 1);
while ((context->count[0] & 504) != 448)
ldap_SHA1Update(context, (unsigned char *)"\0", 1);
ldap_SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
lutil_SHA1Update(context, (unsigned char *)"\0", 1);
lutil_SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
if (digest) {
for (i = 0; i < 20; i++)
......@@ -225,7 +225,7 @@ static char rcsid[] = "$OpenBSD: sha1hl.c,v 1.1 1997/07/12 20:06:03 millert Exp
/* ARGSUSED */
char *
ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
lutil_SHA1End( lutil_SHA1_CTX *ctx, char *buf )
{
int i;
char *p = buf;
......@@ -235,7 +235,7 @@ ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
if (p == NULL && (p = malloc(41)) == NULL)
return 0;
ldap_SHA1Final(digest,ctx);
lutil_SHA1Final(digest,ctx);
for (i = 0; i < 20; i++) {
p[i + i] = hex[digest[i] >> 4];
p[i + i + 1] = hex[digest[i] & 0x0f];
......@@ -245,32 +245,32 @@ ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
}
char *
ldap_SHA1File( char *filename, char *buf )
lutil_SHA1File( char *filename, char *buf )
{
unsigned char buffer[BUFSIZ];
ldap_SHA1_CTX ctx;
lutil_SHA1_CTX ctx;
int fd, num, oerrno;
ldap_SHA1Init(&ctx);
lutil_SHA1Init(&ctx);
if ((fd = open(filename,O_RDONLY)) < 0)
return(0);
while ((num = read(fd, buffer, sizeof(buffer))) > 0)
ldap_SHA1Update(&ctx, buffer, num);
lutil_SHA1Update(&ctx, buffer, num);
oerrno = errno;
close(fd);
errno = oerrno;
return(num < 0 ? 0 : ldap_SHA1End(&ctx, buf));
return(num < 0 ? 0 : lutil_SHA1End(&ctx, buf));
}
char *
ldap_SHA1Data( const unsigned char *data, size_t len, char *buf )
lutil_SHA1Data( const unsigned char *data, size_t len, char *buf )
{
ldap_SHA1_CTX ctx;
lutil_SHA1_CTX ctx;
ldap_SHA1Init(&ctx);
ldap_SHA1Update(&ctx, data, len);
return(ldap_SHA1End(&ctx, buf));
lutil_SHA1Init(&ctx);
lutil_SHA1Update(&ctx, data, len);
return(lutil_SHA1End(&ctx, buf));
}
......@@ -112,7 +112,7 @@ char *derefDN ( Backend *be,
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
char *matched;
char *matched = 0;
char *newDN = NULL;
int depth, i;
Entry *eMatched;
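Review bot: `char *matched = 0;` initializes a pointer with an integer literal while the next line uses `NULL` for `newDN`; `char *matched = NULL;` keeps the two declarations consistent. `derefDN`'s body continues below the hunk.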
......
......@@ -13,21 +13,12 @@
#include "back-ldbm.h"
#include "proto-back-ldbm.h"
#ifdef SLAPD_SHA1
#include <lutil_sha1.h>
#endif /* SLAPD_SHA1 */
#ifdef SLAPD_MD5
#include <lutil_md5.h>
#endif /* SLAPD_MD5 */
#include <lutil.h>
#ifdef HAVE_KERBEROS
extern int krbv4_ldap_auth();
#endif
#ifdef SLAPD_CRYPT
pthread_mutex_t crypt_mutex;
static int
......@@ -41,66 +32,19 @@ crypted_value_find(
{
int i;
for ( i = 0; vals[i] != NULL; i++ ) {
if ( syntax != SYNTAX_BIN && strncasecmp( "{CRYPT}",
vals[i]->bv_val, (sizeof(