2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 2009-2012 The OpenLDAP Foundation.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * This work was initially developed by Jeff Turner for inclusion
17 * in OpenLDAP Software.
19 * Hash methods for passwords generation added by Cédric Delfosse.
21 * chk_sha*() replaced with libraries/liblutil/passwd.c:chk_sha1()
22 * implementation to fix a race by SATOH Fumiyasu @ OSS Technology, Inc.
27 #include <ac/string.h>
33 #ifdef SLAPD_SHA2_DEBUG
37 static int hash_sha256(
38 const struct berval *scheme,
39 const struct berval *passwd,
44 unsigned char hash256[SHA256_DIGEST_LENGTH];
46 digest.bv_val = (char *) hash256;
47 digest.bv_len = sizeof(hash256);
50 SHA256_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
51 SHA256_Final(hash256, &ct);
53 return lutil_passwd_string64(scheme, &digest, hash, NULL);
56 static int hash_sha384(
57 const struct berval *scheme,
58 const struct berval *passwd,
63 unsigned char hash384[SHA384_DIGEST_LENGTH];
65 digest.bv_val = (char *) hash384;
66 digest.bv_len = sizeof(hash384);
68 #ifdef SLAPD_SHA2_DEBUG
69 fprintf(stderr, "hashing password\n");
72 SHA384_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
73 SHA384_Final(hash384, &ct);
75 return lutil_passwd_string64(scheme, &digest, hash, NULL);
78 static int hash_sha512(
79 const struct berval *scheme,
80 const struct berval *passwd,
85 unsigned char hash512[SHA512_DIGEST_LENGTH];
87 digest.bv_val = (char *) hash512;
88 digest.bv_len = sizeof(hash512);
91 SHA512_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
92 SHA512_Final(hash512, &ct);
94 return lutil_passwd_string64(scheme, &digest, hash, NULL);
97 #ifdef SLAPD_SHA2_DEBUG
98 static void chk_sha_debug(
99 const struct berval *scheme,
100 const struct berval *passwd,
101 const struct berval *cred,
102 const char *cred_hash,
107 struct berval cred_b64;
109 cred_b64.bv_len = LUTIL_BASE64_ENCODE_LEN(cred_len) + 1;
110 cred_b64.bv_val = ber_memalloc(cred_b64.bv_len + 1);
112 if( cred_b64.bv_val == NULL ) {
117 (unsigned char *) cred_hash, cred_len,
118 cred_b64.bv_val, cred_b64.bv_len );
121 ber_memfree(cred_b64.bv_val);
125 fprintf(stderr, "Validating password\n");
126 fprintf(stderr, " Hash scheme:\t\t%s\n", scheme->bv_val);
127 fprintf(stderr, " Password to validate: %s\n", cred->bv_val);
128 fprintf(stderr, " Password hash:\t%s\n", cred_b64.bv_val);
129 fprintf(stderr, " Stored password hash:\t%s\n", passwd->bv_val);
130 fprintf(stderr, " Result:\t\t%s\n", cmp_rc ? "do not match" : "match");
132 ber_memfree(cred_b64.bv_val);
136 static int chk_sha256(
137 const struct berval *scheme, /* Scheme of hashed reference password */
138 const struct berval *passwd, /* Hashed reference password to check against */
139 const struct berval *cred, /* user-supplied password to check */
142 SHA256_CTX SHAcontext;
143 unsigned char SHAdigest[SHA256_DIGEST_LENGTH];
145 unsigned char *orig_pass = NULL;
148 if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
149 return LUTIL_PASSWD_ERR;
152 /* base64 un-encode password */
153 orig_pass = (unsigned char *) ber_memalloc( (size_t) (
154 LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
156 if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
158 rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
160 if( rc != sizeof(SHAdigest) ) {
161 ber_memfree(orig_pass);
162 return LUTIL_PASSWD_ERR;
165 /* hash credentials with salt */
166 SHA256_Init(&SHAcontext);
167 SHA256_Update(&SHAcontext,
168 (const unsigned char *) cred->bv_val, cred->bv_len);
169 SHA256_Final(SHAdigest, &SHAcontext);
172 rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest));
173 #ifdef SLAPD_SHA2_DEBUG
174 chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc);
176 ber_memfree(orig_pass);
177 return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
180 static int chk_sha384(
181 const struct berval *scheme, /* Scheme of hashed reference password */
182 const struct berval *passwd, /* Hashed reference password to check against */
183 const struct berval *cred, /* user-supplied password to check */
186 SHA384_CTX SHAcontext;
187 unsigned char SHAdigest[SHA384_DIGEST_LENGTH];
189 unsigned char *orig_pass = NULL;
192 if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
193 return LUTIL_PASSWD_ERR;
196 /* base64 un-encode password */
197 orig_pass = (unsigned char *) ber_memalloc( (size_t) (
198 LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
200 if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
202 rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
204 if( rc != sizeof(SHAdigest) ) {
205 ber_memfree(orig_pass);
206 return LUTIL_PASSWD_ERR;
209 /* hash credentials with salt */
210 SHA384_Init(&SHAcontext);
211 SHA384_Update(&SHAcontext,
212 (const unsigned char *) cred->bv_val, cred->bv_len);
213 SHA384_Final(SHAdigest, &SHAcontext);
216 rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest));
217 #ifdef SLAPD_SHA2_DEBUG
218 chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc);
220 ber_memfree(orig_pass);
221 return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
224 static int chk_sha512(
225 const struct berval *scheme, /* Scheme of hashed reference password */
226 const struct berval *passwd, /* Hashed reference password to check against */
227 const struct berval *cred, /* user-supplied password to check */
230 SHA512_CTX SHAcontext;
231 unsigned char SHAdigest[SHA512_DIGEST_LENGTH];
233 unsigned char *orig_pass = NULL;
236 if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHAdigest)) {
237 return LUTIL_PASSWD_ERR;
240 /* base64 un-encode password */
241 orig_pass = (unsigned char *) ber_memalloc( (size_t) (
242 LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
244 if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
246 rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
248 if( rc != sizeof(SHAdigest) ) {
249 ber_memfree(orig_pass);
250 return LUTIL_PASSWD_ERR;
253 /* hash credentials with salt */
254 SHA512_Init(&SHAcontext);
255 SHA512_Update(&SHAcontext,
256 (const unsigned char *) cred->bv_val, cred->bv_len);
257 SHA512_Final(SHAdigest, &SHAcontext);
260 rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest));
261 #ifdef SLAPD_SHA2_DEBUG
262 chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc);
264 ber_memfree(orig_pass);
265 return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
268 const struct berval sha256scheme = BER_BVC("{SHA256}");
269 const struct berval sha384scheme = BER_BVC("{SHA384}");
270 const struct berval sha512scheme = BER_BVC("{SHA512}");
272 int init_module(int argc, char *argv[]) {
274 result = lutil_passwd_add( (struct berval *)&sha256scheme, chk_sha256, hash_sha256 );
275 if (result != 0) return result;
276 result = lutil_passwd_add( (struct berval *)&sha384scheme, chk_sha384, hash_sha384 );
277 if (result != 0) return result;
278 result = lutil_passwd_add( (struct berval *)&sha512scheme, chk_sha512, hash_sha512 );