passwd.c 20.4 KB
Newer Older
1
/* $OpenLDAP$ */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
2
3
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
Quanah Gibson-Mount's avatar
Quanah Gibson-Mount committed
4
 * Copyright 1998-2021 The OpenLDAP Foundation.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
5
6
7
8
9
10
11
12
13
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
14
 */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
15

Kurt Zeilenga's avatar
Kurt Zeilenga committed
16
/*
Kurt Zeilenga's avatar
Kurt Zeilenga committed
17
18
19
20
 * int lutil_passwd(
 *	const struct berval *passwd,
 *	const struct berval *cred,
 *	const char **schemes )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
21
 *
Kurt Zeilenga's avatar
Kurt Zeilenga committed
22
23
 * Returns true if user supplied credentials (cred) matches
 * the stored password (passwd). 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
24
25
26
27
28
29
30
 *
 * Due to the use of the crypt(3) function 
 * this routine is NOT thread-safe.
 */

#include "portable.h"

31
#include <stdio.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
32
#include <ac/stdlib.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
33
#include <ac/string.h>
34
#include <ac/unistd.h>
35
#include <ac/param.h>
36
#include <ac/socket.h>
37

Kurt Zeilenga's avatar
Kurt Zeilenga committed
38
#ifdef SLAPD_CRYPT
Kurt Zeilenga's avatar
Kurt Zeilenga committed
39
# include <ac/crypt.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
40

Kurt Zeilenga's avatar
Kurt Zeilenga committed
41
# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
42
#  ifdef HAVE_SHADOW_H
43
#	include <shadow.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
44
45
#  endif
#  ifdef HAVE_PWD_H
46
#	include <pwd.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
47
48
#  endif
#  ifdef HAVE_AIX_SECURITY
49
#	include <userpw.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
50
51
#  endif
# endif
52
#endif
53

54
55
#include <lber.h>

56
#include "ldap_pvt.h"
Kurt Zeilenga's avatar
Kurt Zeilenga committed
57
#include "lber_pvt.h"
58

59
60
61
62
#include "lutil_md5.h"
#include "lutil_sha1.h"
#include "lutil.h"

63
64
65
static const unsigned char crypt64[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";

66
#ifdef SLAPD_CRYPT
Kurt Zeilenga's avatar
Kurt Zeilenga committed
67
static char *salt_format = NULL;
68
69
static lutil_cryptfunc lutil_crypt;
lutil_cryptfunc *lutil_cryptptr = lutil_crypt;
70
71
#endif

72
73
74
75
/* KLUDGE:
 *  chk_fn is NULL iff name is {CLEARTEXT}
 *	otherwise, things will break
 */
76
77
78
79
80
81
struct pw_scheme {
	struct berval name;
	LUTIL_PASSWD_CHK_FUNC *chk_fn;
	LUTIL_PASSWD_HASH_FUNC *hash_fn;
};

82
83
struct pw_slist {
	struct pw_slist *next;
84
	struct pw_scheme s;
85
86
87
88
};

/* password check routines */

89
90
#define	SALT_SIZE	4

91
92
93
94
static LUTIL_PASSWD_CHK_FUNC chk_md5;
static LUTIL_PASSWD_CHK_FUNC chk_smd5;
static LUTIL_PASSWD_HASH_FUNC hash_smd5;
static LUTIL_PASSWD_HASH_FUNC hash_md5;
95
96


97
98
99
100
101
#ifdef LUTIL_SHA1_BYTES
static LUTIL_PASSWD_CHK_FUNC chk_ssha1;
static LUTIL_PASSWD_CHK_FUNC chk_sha1;
static LUTIL_PASSWD_HASH_FUNC hash_sha1;
static LUTIL_PASSWD_HASH_FUNC hash_ssha1;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
102
#endif
103

104

105
#ifdef SLAPD_CRYPT
106
107
static LUTIL_PASSWD_CHK_FUNC chk_crypt;
static LUTIL_PASSWD_HASH_FUNC hash_crypt;
108

Kurt Zeilenga's avatar
Kurt Zeilenga committed
109
#if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
110
static LUTIL_PASSWD_CHK_FUNC chk_unix;
111
112
#endif
#endif
113

114
/* password hash routines */
115

116
#ifdef SLAPD_CLEARTEXT
117
static LUTIL_PASSWD_HASH_FUNC hash_clear;
118
#endif
119

120
static struct pw_slist *pw_schemes;
121
static int pw_inited;
122

123
static const struct pw_scheme pw_schemes_default[] =
124
{
Kurt Zeilenga's avatar
Kurt Zeilenga committed
125
#ifdef LUTIL_SHA1_BYTES
Kurt Zeilenga's avatar
Kurt Zeilenga committed
126
127
	{ BER_BVC("{SSHA}"),		chk_ssha1, hash_ssha1 },
	{ BER_BVC("{SHA}"),			chk_sha1, hash_sha1 },
Kurt Zeilenga's avatar
Kurt Zeilenga committed
128
#endif
129

Kurt Zeilenga's avatar
Kurt Zeilenga committed
130
131
	{ BER_BVC("{SMD5}"),		chk_smd5, hash_smd5 },
	{ BER_BVC("{MD5}"),			chk_md5, hash_md5 },
132

133
#ifdef SLAPD_CRYPT
Kurt Zeilenga's avatar
Kurt Zeilenga committed
134
	{ BER_BVC("{CRYPT}"),		chk_crypt, hash_crypt },
Kurt Zeilenga's avatar
Kurt Zeilenga committed
135
# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
136
	{ BER_BVC("{UNIX}"),		chk_unix, NULL },
137
# endif
138
#endif
139

140
#ifdef SLAPD_CLEARTEXT
141
	/* pseudo scheme */
142
	{ BER_BVC("{CLEARTEXT}"),	NULL, hash_clear },
143
#endif
144

Kurt Zeilenga's avatar
Kurt Zeilenga committed
145
	{ BER_BVNULL, NULL, NULL }
146
147
};

148
149
150
151
int lutil_passwd_add(
	struct berval *scheme,
	LUTIL_PASSWD_CHK_FUNC *chk,
	LUTIL_PASSWD_HASH_FUNC *hash )
152
153
154
{
	struct pw_slist *ptr;

155
156
	if (!pw_inited) lutil_passwd_init();

157
158
159
	ptr = ber_memalloc( sizeof( struct pw_slist ));
	if (!ptr) return -1;
	ptr->next = pw_schemes;
160
161
162
	ptr->s.name = *scheme;
	ptr->s.chk_fn = chk;
	ptr->s.hash_fn = hash;
163
164
165
166
167
168
	pw_schemes = ptr;
	return 0;
}

void lutil_passwd_init()
{
169
	struct pw_scheme *s;
170

171
172
	pw_inited = 1;

173
	for( s=(struct pw_scheme *)pw_schemes_default; s->name.bv_val; s++) {
174
		if ( lutil_passwd_add( &s->name, s->chk_fn, s->hash_fn ) ) break;
175
176
177
178
179
180
181
182
183
184
185
186
187
	}
}

void lutil_passwd_destroy()
{
	struct pw_slist *ptr, *next;

	for( ptr=pw_schemes; ptr; ptr=next ) {
		next = ptr->next;
		ber_memfree( ptr );
	}
}

188
static const struct pw_scheme *get_scheme(
189
190
	const char* scheme )
{
191
	struct pw_slist *pws;
192
	struct berval bv;
193

194
	if (!pw_inited) lutil_passwd_init();
195

196
197
198
199
200
	bv.bv_val = strchr( scheme, '}' );
	if ( !bv.bv_val )
		return NULL;

	bv.bv_len = bv.bv_val - scheme + 1;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
201
	bv.bv_val = (char *) scheme;
202

203
	for( pws=pw_schemes; pws; pws=pws->next ) {
Pierangelo Masarati's avatar
cleanup    
Pierangelo Masarati committed
204
		if ( ber_bvstrcasecmp(&bv, &pws->s.name ) == 0 ) {
205
			return &(pws->s);
206
207
208
209
		}
	}

	return NULL;
210
211
}

212
213
214
215
216
217
218
219
220
221
int lutil_passwd_scheme(
	const char* scheme )
{
	if( scheme == NULL ) {
		return 0;
	}

	return get_scheme(scheme) != NULL;
}

222
223

static int is_allowed_scheme( 
224
225
	const char* scheme,
	const char** schemes )
226
{
227
	int i;
228

229
230
231
232
233
234
	if( schemes == NULL ) return 1;

	for( i=0; schemes[i] != NULL; i++ ) {
		if( strcasecmp( scheme, schemes[i] ) == 0 ) {
			return 1;
		}
235
	}
236
237
	return 0;
}
238

239
static struct berval *passwd_scheme(
240
	const struct pw_scheme *scheme,
241
	const struct berval * passwd,
242
	struct berval *bv,
243
244
	const char** allowed )
{
245
	if( !is_allowed_scheme( scheme->name.bv_val, allowed ) ) {
246
247
		return NULL;
	}
248

249
250
251
252
253
254
255
	if( passwd->bv_len >= scheme->name.bv_len ) {
		if( strncasecmp( passwd->bv_val, scheme->name.bv_val, scheme->name.bv_len ) == 0 ) {
			bv->bv_val = &passwd->bv_val[scheme->name.bv_len];
			bv->bv_len = passwd->bv_len - scheme->name.bv_len;

			return bv;
		}
256
257
258
259
260
	}

	return NULL;
}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
261
/*
262
 * Return 0 if creds are good.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
263
264
265
 */
int
lutil_passwd(
266
267
	const struct berval *passwd,	/* stored passwd */
	const struct berval *cred,		/* user cred */
268
269
	const char **schemes,
	const char **text )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
270
{
271
	struct pw_slist *pws;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
272

273
274
	if ( text ) *text = NULL;

275
276
277
	if (cred == NULL || cred->bv_len == 0 ||
		passwd == NULL || passwd->bv_len == 0 )
	{
278
		return -1;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
279
280
	}

281
	if (!pw_inited) lutil_passwd_init();
282
283
284

	for( pws=pw_schemes; pws; pws=pws->next ) {
		if( pws->s.chk_fn ) {
285
			struct berval x;
286
			struct berval *p = passwd_scheme( &(pws->s),
287
				passwd, &x, schemes );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
288

289
			if( p != NULL ) {
290
				return (pws->s.chk_fn)( &(pws->s.name), p, cred, text );
291
			}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
292
		}
293
	}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
294

295
#ifdef SLAPD_CLEARTEXT
296
297
298
299
	/* Do we think there is a scheme specifier here that we
	 * didn't recognize? Assume a scheme name is at least 1 character.
	 */
	if (( passwd->bv_val[0] == '{' ) &&
300
		( ber_bvchr( passwd, '}' ) > passwd->bv_val+1 ))
301
	{
302
		return 1;
303
	}
304
	if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) {
305
306
		return ( passwd->bv_len == cred->bv_len ) ?
			memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len )
307
			: 1;
308
309
	}
#endif
310
	return 1;
311
}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
312

313
int lutil_passwd_generate( struct berval *pw, ber_len_t len )
314
315
{

316
	if( len < 1 ) return -1;
317
318
319
320
321

	pw->bv_len = len;
	pw->bv_val = ber_memalloc( len + 1 );

	if( pw->bv_val == NULL ) {
322
		return -1;
323
324
	}

325
	if( lutil_entropy( (unsigned char *) pw->bv_val, pw->bv_len) < 0 ) {
326
		return -1; 
327
328
329
330
331
332
333
334
335
	}

	for( len = 0; len < pw->bv_len; len++ ) {
		pw->bv_val[len] = crypt64[
			pw->bv_val[len] % (sizeof(crypt64)-1) ];
	}

	pw->bv_val[len] = '\0';
	
336
	return 0;
337
338
}

339
int lutil_passwd_hash(
340
	const struct berval * passwd,
341
	const char * method,
342
	struct berval *hash,
343
	const char **text )
344
{
345
	const struct pw_scheme *sc = get_scheme( method );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
346

347
348
349
	hash->bv_val = NULL;
	hash->bv_len = 0;

350
	if( sc == NULL ) {
351
		if( text ) *text = "scheme not recognized";
352
		return -1;
353
354
355
	}

	if( ! sc->hash_fn ) {
356
		if( text ) *text = "scheme provided no hash function";
357
		return -1;
358
359
	}

360
	if( text ) *text = NULL;
361

362
	return (sc->hash_fn)( &sc->name, passwd, hash, text );
363
364
}

365
366
/* pw_string is only called when SLAPD_CRYPT is defined */
#if defined(SLAPD_CRYPT)
367
static int pw_string(
368
	const struct berval *sc,
Howard Chu's avatar
Howard Chu committed
369
	struct berval *passwd )
370
{
371
	struct berval pw;
372

Howard Chu's avatar
Howard Chu committed
373
374
	pw.bv_len = sc->bv_len + passwd->bv_len;
	pw.bv_val = ber_memalloc( pw.bv_len + 1 );
375

Howard Chu's avatar
Howard Chu committed
376
	if( pw.bv_val == NULL ) {
377
		return LUTIL_PASSWD_ERR;
378
379
	}

380
381
382
383
384
	AC_MEMCPY( pw.bv_val, sc->bv_val, sc->bv_len );
	AC_MEMCPY( &pw.bv_val[sc->bv_len], passwd->bv_val, passwd->bv_len );

	pw.bv_val[pw.bv_len] = '\0';
	*passwd = pw;
385

386
	return LUTIL_PASSWD_OK;
387
}
388
#endif /* SLAPD_CRYPT */
389

390
int lutil_passwd_string64(
391
	const struct berval *sc,
392
	const struct berval *hash,
393
	struct berval *b64,
394
	const struct berval *salt )
395
396
{
	int rc;
397
	struct berval string;
398
399
	size_t b64len;

400
	if( salt ) {
401
		/* need to base64 combined string */
402
403
		string.bv_len = hash->bv_len + salt->bv_len;
		string.bv_val = ber_memalloc( string.bv_len + 1 );
404

405
		if( string.bv_val == NULL ) {
406
			return LUTIL_PASSWD_ERR;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
407
408
		}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
409
		AC_MEMCPY( string.bv_val, hash->bv_val,
410
			hash->bv_len );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
411
		AC_MEMCPY( &string.bv_val[hash->bv_len], salt->bv_val,
412
413
			salt->bv_len );
		string.bv_val[string.bv_len] = '\0';
Kurt Zeilenga's avatar
Kurt Zeilenga committed
414

415
	} else {
416
		string = *hash;
417
418
	}

419
	b64len = LUTIL_BASE64_ENCODE_LEN( string.bv_len ) + 1;
420
	b64->bv_len = b64len + sc->bv_len;
421
	b64->bv_val = ber_memalloc( b64->bv_len + 1 );
422

423
424
	if( b64->bv_val == NULL ) {
		if( salt ) ber_memfree( string.bv_val );
425
		return LUTIL_PASSWD_ERR;
426
	}
427

428
	AC_MEMCPY(b64->bv_val, sc->bv_val, sc->bv_len);
429
430

	rc = lutil_b64_ntop(
431
		(unsigned char *) string.bv_val, string.bv_len,
432
		&b64->bv_val[sc->bv_len], b64len );
433

434
	if( salt ) ber_memfree( string.bv_val );
435
	
436
	if( rc < 0 ) {
437
		return LUTIL_PASSWD_ERR;
438
439
	}

440
	/* recompute length */
441
	b64->bv_len = sc->bv_len + rc;
442
	assert( strlen(b64->bv_val) == b64->bv_len );
443
	return LUTIL_PASSWD_OK;
444
445
446
447
}

/* PASSWORD CHECK ROUTINES */

Kurt Zeilenga's avatar
Kurt Zeilenga committed
448
#ifdef LUTIL_SHA1_BYTES
449
static int chk_ssha1(
450
	const struct berval *sc,
451
	const struct berval * passwd,
452
453
	const struct berval * cred,
	const char **text )
454
455
{
	lutil_SHA1_CTX SHA1context;
456
	unsigned char SHA1digest[LUTIL_SHA1_BYTES];
457
458
	int rc;
	unsigned char *orig_pass = NULL;
459
	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
460

461
	/* safety check -- must have some salt */
462
	if (decode_len <= sizeof(SHA1digest)) {
463
		return LUTIL_PASSWD_ERR;
464
465
	}

466
	/* decode base64 password */
467
	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
468

469
	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
470

471
	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
472

473
474
	/* safety check -- must have some salt */
	if (rc <= (int)(sizeof(SHA1digest))) {
475
		ber_memfree(orig_pass);
476
		return LUTIL_PASSWD_ERR;
477
	}
478
 
479
480
481
	/* hash credentials with salt */
	lutil_SHA1Init(&SHA1context);
	lutil_SHA1Update(&SHA1context,
482
		(const unsigned char *) cred->bv_val, cred->bv_len);
483
484
485
486
	lutil_SHA1Update(&SHA1context,
		(const unsigned char *) &orig_pass[sizeof(SHA1digest)],
		rc - sizeof(SHA1digest));
	lutil_SHA1Final(SHA1digest, &SHA1context);
487
 
488
489
	/* compare */
	rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
490
	ber_memfree(orig_pass);
491
	return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
492
}
493

494
static int chk_sha1(
495
	const struct berval *sc,
496
	const struct berval * passwd,
497
498
	const struct berval * cred,
	const char **text )
499
500
{
	lutil_SHA1_CTX SHA1context;
501
	unsigned char SHA1digest[LUTIL_SHA1_BYTES];
502
503
	int rc;
	unsigned char *orig_pass = NULL;
504
	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
505
 
506
	/* safety check */
507
	if (decode_len < sizeof(SHA1digest)) {
508
		return LUTIL_PASSWD_ERR;
509
510
	}

511
	/* base64 un-encode password */
512
	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
513

514
	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
515

516
	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
517
518
519

	if( rc != sizeof(SHA1digest) ) {
		ber_memfree(orig_pass);
520
		return LUTIL_PASSWD_ERR;
521
	}
522
523
524
525
526
527
528
529
530
531
 
	/* hash credentials with salt */
	lutil_SHA1Init(&SHA1context);
	lutil_SHA1Update(&SHA1context,
		(const unsigned char *) cred->bv_val, cred->bv_len);
	lutil_SHA1Final(SHA1digest, &SHA1context);
 
	/* compare */
	rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
	ber_memfree(orig_pass);
532
	return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
533
}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
534
#endif
535
536

static int chk_smd5(
537
	const struct berval *sc,
538
	const struct berval * passwd,
539
540
	const struct berval * cred,
	const char **text )
541
542
{
	lutil_MD5_CTX MD5context;
543
	unsigned char MD5digest[LUTIL_MD5_BYTES];
544
545
	int rc;
	unsigned char *orig_pass = NULL;
546
	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
547

548
	/* safety check */
549
	if (decode_len <= sizeof(MD5digest)) {
550
		return LUTIL_PASSWD_ERR;
551
552
	}

553
	/* base64 un-encode password */
554
	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
555

556
	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
557

558
	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
559

560
	if (rc <= (int)(sizeof(MD5digest))) {
561
		ber_memfree(orig_pass);
562
		return LUTIL_PASSWD_ERR;
563
564
565
566
567
	}

	/* hash credentials with salt */
	lutil_MD5Init(&MD5context);
	lutil_MD5Update(&MD5context,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
568
569
		(const unsigned char *) cred->bv_val,
		cred->bv_len );
570
	lutil_MD5Update(&MD5context,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
571
		&orig_pass[sizeof(MD5digest)],
572
573
574
575
576
		rc - sizeof(MD5digest));
	lutil_MD5Final(MD5digest, &MD5context);

	/* compare */
	rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
577
	ber_memfree(orig_pass);
578
	return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
579
580
581
}

static int chk_md5(
582
	const struct berval *sc,
583
	const struct berval * passwd,
584
585
	const struct berval * cred,
	const char **text )
586
587
{
	lutil_MD5_CTX MD5context;
588
	unsigned char MD5digest[LUTIL_MD5_BYTES];
589
590
	int rc;
	unsigned char *orig_pass = NULL;
591
	size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len);
592

593
	/* safety check */
594
	if (decode_len < sizeof(MD5digest)) {
595
		return LUTIL_PASSWD_ERR;
596
597
	}

598
	/* base64 un-encode password */
599
	orig_pass = (unsigned char *) ber_memalloc(decode_len + 1);
600

601
	if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
602

603
	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
604
605
	if ( rc != sizeof(MD5digest) ) {
		ber_memfree(orig_pass);
606
		return LUTIL_PASSWD_ERR;
607
608
	}

609
610
611
	/* hash credentials with salt */
	lutil_MD5Init(&MD5context);
	lutil_MD5Update(&MD5context,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
612
613
		(const unsigned char *) cred->bv_val,
		cred->bv_len );
614
615
616
617
618
	lutil_MD5Final(MD5digest, &MD5context);

	/* compare */
	rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
	ber_memfree(orig_pass);
619
	return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
620
}
621

622
623
624
625
626
#ifdef SLAPD_CRYPT
static int lutil_crypt(
	const char *key,
	const char *salt,
	char **hash )
627
{
628
629
	char *cr = crypt( key, salt );
	int rc;
630

631
632
633
634
635
636
637
638
639
	if( cr == NULL || cr[0] == '\0' ) {
		/* salt must have been invalid */
		rc = LUTIL_PASSWD_ERR;
	} else {
		if ( hash ) {
			*hash = ber_strdup( cr );
			rc = LUTIL_PASSWD_OK;
		} else {
			rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
640
641
		}
	}
642
	return rc;
643
644
}

645
static int chk_crypt(
646
	const struct berval *sc,
647
	const struct berval * passwd,
648
649
	const struct berval * cred,
	const char **text )
650
{
Howard Chu's avatar
Howard Chu committed
651
	unsigned int i;
652
653
654

	for( i=0; i<cred->bv_len; i++) {
		if(cred->bv_val[i] == '\0') {
655
			return LUTIL_PASSWD_ERR;	/* NUL character in password */
656
657
658
659
		}
	}

	if( cred->bv_val[i] != '\0' ) {
660
		return LUTIL_PASSWD_ERR;	/* cred must behave like a string */
661
662
	}

663
	if( passwd->bv_len < 2 ) {
664
		return LUTIL_PASSWD_ERR;	/* passwd must be at least two characters long */
665
666
	}

667
668
	for( i=0; i<passwd->bv_len; i++) {
		if(passwd->bv_val[i] == '\0') {
669
			return LUTIL_PASSWD_ERR;	/* NUL character in password */
670
671
672
673
		}
	}

	if( passwd->bv_val[i] != '\0' ) {
674
		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
675
676
	}

677
	return lutil_cryptptr( cred->bv_val, passwd->bv_val, NULL );
678
}
679

Kurt Zeilenga's avatar
Kurt Zeilenga committed
680
# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
681
static int chk_unix(
682
	const struct berval *sc,
683
	const struct berval * passwd,
684
685
	const struct berval * cred,
	const char **text )
686
{
Howard Chu's avatar
Howard Chu committed
687
	unsigned int i;
Howard Chu's avatar
Howard Chu committed
688
	char *pw;
689
690
691

	for( i=0; i<cred->bv_len; i++) {
		if(cred->bv_val[i] == '\0') {
692
			return LUTIL_PASSWD_ERR;	/* NUL character in password */
693
694
695
		}
	}
	if( cred->bv_val[i] != '\0' ) {
696
		return LUTIL_PASSWD_ERR;	/* cred must behave like a string */
697
698
	}

699
700
	for( i=0; i<passwd->bv_len; i++) {
		if(passwd->bv_val[i] == '\0') {
701
			return LUTIL_PASSWD_ERR;	/* NUL character in password */
702
703
704
705
		}
	}

	if( passwd->bv_val[i] != '\0' ) {
706
		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
707
708
	}

709
	{
710
		struct passwd *pwd = getpwnam(passwd->bv_val);
711

712
		if(pwd == NULL) {
713
			return LUTIL_PASSWD_ERR;	/* not found */
714
		}
715

716
		pw = pwd->pw_passwd;
717
	}
718
#  ifdef HAVE_GETSPNAM
719
	{
720
		struct spwd *spwd = getspnam(passwd->bv_val);
721

722
723
		if(spwd != NULL) {
			pw = spwd->sp_pwdp;
724
		}
725
726
727
728
729
	}
#  endif
#  ifdef HAVE_AIX_SECURITY
	{
		struct userpw *upw = getuserpw(passwd->bv_val);
730

731
732
733
		if (upw != NULL) {
			pw = upw->upw_passwd;
		}
734
	}
735
#  endif
736

737
738
	if( pw == NULL || pw[0] == '\0' || pw[1] == '\0' ) {
		/* password must must be at least two characters long */
739
		return LUTIL_PASSWD_ERR;
740
	}
741

742
	return lutil_cryptptr( cred->bv_val, pw, NULL );
743
}
744
# endif
745
#endif
746

747
748
/* PASSWORD GENERATION ROUTINES */

Kurt Zeilenga's avatar
Kurt Zeilenga committed
749
#ifdef LUTIL_SHA1_BYTES
750
static int hash_ssha1(
751
	const struct berval *scheme,
752
	const struct berval  *passwd,
753
	struct berval *hash,
754
	const char **text )
755
756
{
	lutil_SHA1_CTX  SHA1context;
757
	unsigned char   SHA1digest[LUTIL_SHA1_BYTES];
758
	char            saltdata[SALT_SIZE];
759
760
	struct berval digest;
	struct berval salt;
761

762
	digest.bv_val = (char *) SHA1digest;
763
764
765
766
	digest.bv_len = sizeof(SHA1digest);
	salt.bv_val = saltdata;
	salt.bv_len = sizeof(saltdata);

767
	if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) {
768
		return LUTIL_PASSWD_ERR; 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
769
770
	}

771
772
	lutil_SHA1Init( &SHA1context );
	lutil_SHA1Update( &SHA1context,
773
		(const unsigned char *)passwd->bv_val, passwd->bv_len );
774
	lutil_SHA1Update( &SHA1context,