2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 2009-2012 The OpenLDAP Foundation.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * This work was initially developed by Jeff Turner for inclusion
17 * in OpenLDAP Software.
19 * Hash methods for passwords generation added by Cédric Delfosse.
24 #include <ac/string.h>
31 #ifdef SLAPD_SHA2_DEBUG
/*
 * sha256_hex_hash: SHA-256 of the NUL-terminated string `passwd`, returned
 * base64-encoded (despite the "hex" in the name, the buffer is sized with
 * LUTIL_BASE64_ENCODE_LEN and the comment below says "base64 encode it").
 * Used by chk_sha256() to re-hash a credential for comparison.
 *
 * NOTE(review): the `ct` context declaration, the SHA256_Init call, the
 * base64 encoder call and the return statement are on lines that this
 * listing does not show.
 *
 * Security notes:
 *  - `real_hash` is a function-scope static, so every call overwrites the
 *    previous result and the function is not reentrant or thread-safe
 *    (presumably `real_hash` is what gets returned; the return line is not
 *    visible here).
 *  - The input length comes from strlen(), so a credential containing an
 *    embedded NUL is truncated at the first NUL.
 *  - As far as the visible lines show, only the password bytes enter the
 *    digest: no salt and a single pass.
 */
35 char * sha256_hex_hash(const char * passwd) {
/* raw binary digest, filled by SHA256_Final() */
38 unsigned char hash[SHA256_DIGEST_LENGTH];
/* shared across calls: see the reentrancy note above */
39 static char real_hash[LUTIL_BASE64_ENCODE_LEN(SHA256_DIGEST_LENGTH)+1]; /* extra char for \0 */
/* hashes up to the first NUL only (strlen), not a length-counted berval */
42 SHA256_Update(&ct, (const uint8_t*)passwd, strlen(passwd));
43 SHA256_Final(hash, &ct);
45 /* base64 encode it */
/* size argument of the base64 encoder call; the call itself is not shown here */
50 LUTIL_BASE64_ENCODE_LEN(SHA256_DIGEST_LENGTH)+1
/*
 * sha384_hex_hash: SHA-384 of the NUL-terminated string `passwd`, returned
 * base64-encoded (the buffer is sized with LUTIL_BASE64_ENCODE_LEN; the
 * "hex" in the name is historical). Used by chk_sha384().
 *
 * NOTE(review): the `ct` context declaration, the SHA384_Init call, the
 * base64 encoder call and the return statement are on lines not shown in
 * this listing.
 *
 * Security notes:
 *  - `real_hash` is a function-scope static: each call overwrites the
 *    previous result, so the function is not reentrant or thread-safe
 *    (presumably `real_hash` is returned; the return line is not visible).
 *  - strlen() determines the hashed length, so an embedded NUL truncates
 *    the credential.
 *  - Only the password bytes enter the digest as far as this fragment
 *    shows: no salt, single pass.
 */
57 char * sha384_hex_hash(const char * passwd) {
/* raw binary digest, filled by SHA384_Final() */
60 unsigned char hash[SHA384_DIGEST_LENGTH];
/* shared across calls: see the reentrancy note above */
61 static char real_hash[LUTIL_BASE64_ENCODE_LEN(SHA384_DIGEST_LENGTH)+1]; /* extra char for \0 */
/* hashes up to the first NUL only (strlen) */
64 SHA384_Update(&ct, (const uint8_t*)passwd, strlen(passwd));
65 SHA384_Final(hash, &ct);
67 /* base64 encode it */
/* size argument of the base64 encoder call; the call itself is not shown here */
72 LUTIL_BASE64_ENCODE_LEN(SHA384_DIGEST_LENGTH)+1
<br/>/*
 * sha512_hex_hash: SHA-512 of the NUL-terminated string `passwd`, returned
 * base64-encoded (the buffer is sized with LUTIL_BASE64_ENCODE_LEN; the
 * "hex" in the name is historical). Used by chk_sha512().
 *
 * NOTE(review): the `ct` context declaration, the SHA512_Init call, the
 * base64 encoder call and the return statement are on lines not shown in
 * this listing.
 *
 * Security notes:
 *  - `real_hash` is a function-scope static: each call overwrites the
 *    previous result, so the function is not reentrant or thread-safe
 *    (presumably `real_hash` is returned; the return line is not visible).
 *  - strlen() determines the hashed length, so an embedded NUL truncates
 *    the credential.
 *  - Only the password bytes enter the digest as far as this fragment
 *    shows: no salt, single pass.
 */
78 char * sha512_hex_hash(const char * passwd) {
/* raw binary digest, filled by SHA512_Final() */
81 unsigned char hash[SHA512_DIGEST_LENGTH];
/* shared across calls: see the reentrancy note above */
82 static char real_hash[LUTIL_BASE64_ENCODE_LEN(SHA512_DIGEST_LENGTH)+1]; /* extra char for \0 */
/* hashes up to the first NUL only (strlen) */
85 SHA512_Update(&ct, (const uint8_t*)passwd, strlen(passwd));
86 SHA512_Final(hash, &ct);
88 /* base64 encode it */
/* size argument of the base64 encoder call; the call itself is not shown here */
93 LUTIL_BASE64_ENCODE_LEN(SHA512_DIGEST_LENGTH)+1
/*
 * hash_sha256: lutil password-hash callback for the {SHA256} scheme.
 * Digests passwd->bv_val over passwd->bv_len bytes (so embedded NULs are
 * handled correctly here, unlike the strlen()-based *_hex_hash helpers)
 * and hands the raw digest to lutil_passwd_string64(), which produces the
 * scheme-prefixed base64 form in the output berval.
 *
 * NOTE(review): the remaining parameters (including the `hash` output
 * berval named in the return statement), the `ct` context declaration and
 * the SHA256_Init call are on lines not shown in this listing.
 *
 * Security note: the trailing NULL passed to lutil_passwd_string64() is
 * its salt argument, so the stored value is an unsalted, single-pass
 * SHA-256 of the password -- confirm against liblutil's passwd.c.
 */
99 static int hash_sha256(
100 const struct berval *scheme,
101 const struct berval *passwd,
/* raw digest; wrapped in `digest` so it can be passed as a berval */
106 unsigned char hash256[SHA256_DIGEST_LENGTH];
107 struct berval digest;
108 digest.bv_val = (char *) hash256;
/* sizeof on the actual array, not a pointer, so this is the digest length */
109 digest.bv_len = sizeof(hash256);
/* length-counted: bv_len, not strlen() */
112 SHA256_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
113 SHA256_Final(hash256, &ct);
/* `hash` is the output berval; the final NULL is the (absent) salt */
115 return lutil_passwd_string64(scheme, &digest, hash, NULL);
/*
 * hash_sha384: lutil password-hash callback for the {SHA384} scheme.
 * Digests passwd->bv_val over passwd->bv_len bytes (embedded NULs are
 * handled correctly here, unlike the strlen()-based *_hex_hash helpers)
 * and hands the raw digest to lutil_passwd_string64(), which produces the
 * scheme-prefixed base64 form in the output berval.
 *
 * NOTE(review): the remaining parameters (including the `hash` output
 * berval named in the return statement), the `ct` context declaration,
 * the SHA384_Init call and the `#endif` closing the debug block are on
 * lines not shown in this listing.
 *
 * Security note: the trailing NULL passed to lutil_passwd_string64() is
 * its salt argument, so the stored value is an unsalted, single-pass
 * SHA-384 of the password -- confirm against liblutil's passwd.c.
 */
118 static int hash_sha384(
119 const struct berval *scheme,
120 const struct berval *passwd,
/* raw digest; wrapped in `digest` so it can be passed as a berval */
125 unsigned char hash384[SHA384_DIGEST_LENGTH];
126 struct berval digest;
127 digest.bv_val = (char *) hash384;
/* sizeof on the actual array, not a pointer, so this is the digest length */
128 digest.bv_len = sizeof(hash384);
/* debug trace: a fixed string only, no credential material is written */
130 #ifdef SLAPD_SHA2_DEBUG
131 fprintf(stderr, "hashing password\n");
/* length-counted: bv_len, not strlen() */
134 SHA384_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
135 SHA384_Final(hash384, &ct);
/* `hash` is the output berval; the final NULL is the (absent) salt */
137 return lutil_passwd_string64(scheme, &digest, hash, NULL);
/*
 * hash_sha512: lutil password-hash callback for the {SHA512} scheme.
 * Digests passwd->bv_val over passwd->bv_len bytes (embedded NULs are
 * handled correctly here, unlike the strlen()-based *_hex_hash helpers)
 * and hands the raw digest to lutil_passwd_string64(), which produces the
 * scheme-prefixed base64 form in the output berval.
 *
 * NOTE(review): the remaining parameters (including the `hash` output
 * berval named in the return statement), the `ct` context declaration and
 * the SHA512_Init call are on lines not shown in this listing.
 *
 * Security note: the trailing NULL passed to lutil_passwd_string64() is
 * its salt argument, so the stored value is an unsalted, single-pass
 * SHA-512 of the password -- confirm against liblutil's passwd.c.
 */
140 static int hash_sha512(
141 const struct berval *scheme,
142 const struct berval *passwd,
/* raw digest; wrapped in `digest` so it can be passed as a berval */
147 unsigned char hash512[SHA512_DIGEST_LENGTH];
148 struct berval digest;
149 digest.bv_val = (char *) hash512;
/* sizeof on the actual array, not a pointer, so this is the digest length */
150 digest.bv_len = sizeof(hash512);
/* length-counted: bv_len, not strlen() */
153 SHA512_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
154 SHA512_Final(hash512, &ct);
/* `hash` is the output berval; the final NULL is the (absent) salt */
156 return lutil_passwd_string64(scheme, &digest, hash, NULL);
/*
 * chk_sha256: lutil password-check callback for the {SHA256} scheme.
 * Re-hashes the supplied credential with sha256_hex_hash() and compares the
 * resulting base64 text with the stored value. Returns 0 on match; any
 * other value (strcmp semantics) means mismatch.
 *
 * NOTE(review): the fourth parameter of the lutil check-callback signature
 * (`const char **text`), the opening brace and the `#endif` closing the
 * debug block are on lines not shown in this listing.
 *
 * Security notes:
 *  - The SLAPD_SHA2_DEBUG block writes the cleartext credential and the
 *    stored hash to stderr; it must never be compiled into a production
 *    build.
 *  - The credential is passed as cred->bv_val and hashed via strlen(), so
 *    cred->bv_len is ignored and an embedded NUL truncates it; the stored
 *    passwd->bv_val is likewise assumed to be NUL-terminated.
 *  - strcmp() returns at the first differing byte, so the comparison is
 *    not constant-time.
 *  - sha256_hex_hash() hands back a static buffer; calling it repeatedly
 *    (as the debug block does) only works because every call hashes the
 *    same credential.
 *  - `scheme` is referenced only inside the debug block, so it is unused
 *    in non-debug builds.
 */
159 static int chk_sha256(
160 const struct berval *scheme, /* Scheme of hashed reference password */
161 const struct berval *passwd, /* Hashed reference password to check against */
162 const struct berval *cred, /* user-supplied password to check */
/* DEBUG ONLY: leaks the cleartext credential to stderr */
165 #ifdef SLAPD_SHA2_DEBUG
166 fprintf(stderr, "Validating password\n");
167 fprintf(stderr, " Password to validate: %s\n", cred->bv_val);
168 fprintf(stderr, " Hashes to: %s\n", sha256_hex_hash(cred->bv_val));
169 fprintf(stderr, " Stored password scheme: %s\n", scheme->bv_val);
170 fprintf(stderr, " Stored password value: %s\n", passwd->bv_val);
171 fprintf(stderr, " -> Passwords %s\n", strcmp(sha256_hex_hash(cred->bv_val), passwd->bv_val) == 0 ? "match" : "do not match");
/* 0 == match; relies on NUL-terminated bv_val on both sides */
173 return (strcmp(sha256_hex_hash(cred->bv_val), passwd->bv_val));
/*
 * chk_sha384: lutil password-check callback for the {SHA384} scheme.
 * Re-hashes the supplied credential with sha384_hex_hash() and compares the
 * resulting base64 text with the stored value. Returns 0 on match; any
 * other value (strcmp semantics) means mismatch.
 *
 * NOTE(review): the fourth parameter of the lutil check-callback signature
 * (`const char **text`), the opening brace and the `#endif` closing the
 * debug block are on lines not shown in this listing.
 *
 * Security notes:
 *  - The SLAPD_SHA2_DEBUG block writes the cleartext credential and the
 *    stored hash to stderr; it must never be compiled into a production
 *    build.
 *  - The credential is passed as cred->bv_val and hashed via strlen(), so
 *    cred->bv_len is ignored and an embedded NUL truncates it; the stored
 *    passwd->bv_val is likewise assumed to be NUL-terminated.
 *  - strcmp() returns at the first differing byte, so the comparison is
 *    not constant-time.
 *  - sha384_hex_hash() hands back a static buffer; repeated calls only
 *    work because every call hashes the same credential.
 *  - `scheme` is referenced only inside the debug block, so it is unused
 *    in non-debug builds.
 */
176 static int chk_sha384(
177 const struct berval *scheme, /* Scheme of hashed reference password */
178 const struct berval *passwd, /* Hashed reference password to check against */
179 const struct berval *cred, /* user-supplied password to check */
/* DEBUG ONLY: leaks the cleartext credential to stderr */
182 #ifdef SLAPD_SHA2_DEBUG
183 fprintf(stderr, "Validating password\n");
184 fprintf(stderr, " Password to validate: %s\n", cred->bv_val);
185 fprintf(stderr, " Hashes to: %s\n", sha384_hex_hash(cred->bv_val));
186 fprintf(stderr, " Stored password scheme: %s\n", scheme->bv_val);
187 fprintf(stderr, " Stored password value: %s\n", passwd->bv_val);
188 fprintf(stderr, " -> Passwords %s\n", strcmp(sha384_hex_hash(cred->bv_val), passwd->bv_val) == 0 ? "match" : "do not match");
/* 0 == match; relies on NUL-terminated bv_val on both sides */
190 return (strcmp(sha384_hex_hash(cred->bv_val), passwd->bv_val));
/*
 * chk_sha512: lutil password-check callback for the {SHA512} scheme.
 * Re-hashes the supplied credential with sha512_hex_hash() and compares the
 * resulting base64 text with the stored value. Returns 0 on match; any
 * other value (strcmp semantics) means mismatch.
 *
 * NOTE(review): the fourth parameter of the lutil check-callback signature
 * (`const char **text`), the opening brace and the `#endif` closing the
 * debug block are on lines not shown in this listing.
 *
 * Security notes:
 *  - The SLAPD_SHA2_DEBUG block writes the cleartext credential and the
 *    stored hash to stderr; it must never be compiled into a production
 *    build.
 *  - The credential is passed as cred->bv_val and hashed via strlen(), so
 *    cred->bv_len is ignored and an embedded NUL truncates it; the stored
 *    passwd->bv_val is likewise assumed to be NUL-terminated.
 *  - strcmp() returns at the first differing byte, so the comparison is
 *    not constant-time.
 *  - sha512_hex_hash() hands back a static buffer; repeated calls only
 *    work because every call hashes the same credential.
 *  - `scheme` is referenced only inside the debug block, so it is unused
 *    in non-debug builds.
 */
193 static int chk_sha512(
194 const struct berval *scheme, /* Scheme of hashed reference password */
195 const struct berval *passwd, /* Hashed reference password to check against */
196 const struct berval *cred, /* user-supplied password to check */
/* DEBUG ONLY: leaks the cleartext credential to stderr */
199 #ifdef SLAPD_SHA2_DEBUG
200 fprintf(stderr, " Password to validate: %s\n", cred->bv_val);
201 fprintf(stderr, " Hashes to: %s\n", sha512_hex_hash(cred->bv_val));
202 fprintf(stderr, " Stored password scheme: %s\n", scheme->bv_val);
203 fprintf(stderr, " Stored password value: %s\n", passwd->bv_val);
204 fprintf(stderr, " -> Passwords %s\n", strcmp(sha512_hex_hash(cred->bv_val), passwd->bv_val) == 0 ? "match" : "do not match");
/* 0 == match; relies on NUL-terminated bv_val on both sides */
206 return (strcmp(sha512_hex_hash(cred->bv_val), passwd->bv_val));
/*
 * Scheme prefixes registered with lutil_passwd_add() in init_module().
 * BER_BVC builds a berval from a string literal. The objects are declared
 * const; init_module() casts that away when registering them, which is
 * only sound if lutil_passwd_add() never writes through the pointer --
 * NOTE(review): confirm against liblutil.
 */
209 const struct berval sha256scheme = BER_BVC("{SHA256}");
210 const struct berval sha384scheme = BER_BVC("{SHA384}");
211 const struct berval sha512scheme = BER_BVC("{SHA512}");
213 int init_module(int argc, char *argv[]) {
215 result = lutil_passwd_add( (struct berval *)&sha256scheme, chk_sha256, hash_sha256 );
216 if (result != 0) return result;
217 result = lutil_passwd_add( (struct berval *)&sha384scheme, chk_sha384, hash_sha384 );
218 if (result != 0) return result;
219 result = lutil_passwd_add( (struct berval *)&sha512scheme, chk_sha512, hash_sha512 );