3 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
4 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
7 * lutil_password(credentials, password)
9 * Returns true if user supplied credentials matches
10 * the stored password.
12 * Due to the use of the crypt(3) function
13 * this routine is NOT thread-safe.
19 #include <ac/stdlib.h>
21 #include <ac/string.h>
22 #include <ac/unistd.h>
27 #include "lutil_md5.h"
28 #include "lutil_sha1.h"
40 typedef int (*PASSWD_CHK_FUNC)(
41 const struct pw_scheme *scheme,
45 typedef char * (*PASSWD_GEN_FUNC) (
46 const struct pw_scheme *scheme,
52 PASSWD_CHK_FUNC chk_fn;
53 PASSWD_GEN_FUNC gen_fn;
56 /* password check routines */
58 const struct pw_scheme *scheme,
63 const struct pw_scheme *scheme,
68 const struct pw_scheme *scheme,
73 const struct pw_scheme *scheme,
78 const struct pw_scheme *scheme,
83 const struct pw_scheme *scheme,
88 /* password generation routines */
89 static char *gen_sha1(
90 const struct pw_scheme *scheme,
93 static char *gen_ssha1(
94 const struct pw_scheme *scheme,
97 static char *gen_smd5(
98 const struct pw_scheme *scheme,
101 static char *gen_md5(
102 const struct pw_scheme *scheme,
103 const char *passwd );
105 static char *gen_crypt(
106 const struct pw_scheme *scheme,
107 const char *passwd );
110 static const struct pw_scheme pw_schemes[] =
112 { "{SSHA}", sizeof("{SSHA}")-1, chk_ssha1, gen_ssha1 },
113 { "{SHA}", sizeof("{SHA}")-1, chk_sha1, gen_sha1 },
115 { "{SMD5}", sizeof("{SMD5}")-1, chk_smd5, gen_smd5 },
116 { "{MD5}", sizeof("{MD5}")-1, chk_md5, gen_md5 },
119 { "{CRYPT}", sizeof("{CRYPT}")-1, chk_crypt, gen_crypt },
121 # if defined( HAVE_GETSPNAM ) \
122 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
123 { "{UNIX}", sizeof("{UNIX}")-1, chk_unix, NULL },
126 #ifdef SLAPD_CLEARTEXT
128 { "{CLEARTEXT}", 0, NULL, NULL },
134 static const struct pw_scheme *get_scheme(
139 for( i=0; pw_schemes[i].name != NULL; i++) {
140 if( pw_schemes[i].namelen == 0 ) continue;
142 if( strncasecmp(scheme, pw_schemes[i].name,
143 pw_schemes[i].namelen) == 0 )
145 return &pw_schemes[i];
153 static int is_allowed_scheme(
155 const char** schemes )
159 if( schemes == NULL ) return 1;
161 for( i=0; schemes[i] != NULL; i++ ) {
162 if( strcasecmp( scheme, schemes[i] ) == 0 ) {
169 static const char *passwd_scheme(
170 const struct pw_scheme *scheme,
172 const char** allowed )
174 if( !is_allowed_scheme( scheme->name, allowed ) ) {
178 if( strncasecmp( passwd, scheme->name, scheme->namelen ) == 0 ) {
179 return &passwd[scheme->namelen];
186 * Return 0 if creds are good.
190 const char *passwd, /* stored passwd */
191 const char *cred, /* user cred */
192 const char **schemes )
196 if (cred == NULL || passwd == NULL) {
200 for( i=0; pw_schemes[i].name != NULL; i++ ) {
201 if( pw_schemes[i].chk_fn ) {
202 const char *p = passwd_scheme( &pw_schemes[i],
206 return (pw_schemes[i].chk_fn)( &pw_schemes[i], p, cred );
211 #ifdef SLAPD_CLEARTEXT
212 if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) {
213 return strcmp( cred, passwd );
221 char * lutil_passwd_generate(
223 const char * method )
225 const struct pw_scheme *sc = get_scheme( method );
227 if( sc == NULL ) return NULL;
228 if( ! sc->gen_fn ) return NULL;
230 return (sc->gen_fn)( sc, passwd );
233 static char * pw_string(
234 const struct pw_scheme *sc,
237 size_t pwlen = strlen( passwd );
238 char *pw = ber_memalloc( sc->namelen + pwlen + 1 );
240 if( pw == NULL ) return NULL;
242 memcpy( pw, sc->name, sc->namelen );
243 memcpy( &pw[sc->namelen], passwd, pwlen );
244 pw[sc->namelen + pwlen] = '\0';
249 static char * pw_string64(
250 const struct pw_scheme *sc,
251 const unsigned char *hash, size_t hashlen,
252 const unsigned char *salt, size_t saltlen )
257 size_t len = hashlen;
261 /* need to base64 combined string */
262 string = ber_memalloc( hashlen + saltlen );
264 if( string == NULL ) {
268 memcpy( string, hash, len );
269 memcpy( &string[len], salt, saltlen );
274 string = (char *) hash;
277 b64len = LUTIL_BASE64_ENCODE_LEN( len ) + 1;
278 b64 = ber_memalloc( b64len + sc->namelen );
281 if( saltlen ) ber_memfree( string );
285 memcpy(b64, sc->name, sc->namelen);
287 rc = lutil_b64_ntop( string, len, &b64[sc->namelen], b64len );
289 if( saltlen ) ber_memfree( string );
299 /* PASSWORD CHECK ROUTINES */
301 static int chk_ssha1(
302 const struct pw_scheme *sc,
306 lutil_SHA1_CTX SHA1context;
307 unsigned char SHA1digest[LUTIL_SHA1_BYTES];
308 int pw_len = strlen(passwd);
310 unsigned char *orig_pass = NULL;
312 /* base64 un-encode password */
313 orig_pass = (unsigned char *) ber_memalloc( (size_t) (
314 LUTIL_BASE64_DECODE_LEN(pw_len) + 1) );
316 if( orig_pass == NULL ) return -1;
318 if ((rc = lutil_b64_pton(passwd, orig_pass, pw_len)) < 0) {
319 ber_memfree(orig_pass);
323 /* hash credentials with salt */
324 lutil_SHA1Init(&SHA1context);
325 lutil_SHA1Update(&SHA1context,
326 (const unsigned char *) cred, strlen(cred));
327 lutil_SHA1Update(&SHA1context,
328 (const unsigned char *) &orig_pass[sizeof(SHA1digest)],
329 rc - sizeof(SHA1digest));
330 lutil_SHA1Final(SHA1digest, &SHA1context);
333 rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
334 ber_memfree(orig_pass);
339 const struct pw_scheme *sc,
343 lutil_SHA1_CTX SHA1context;
344 unsigned char SHA1digest[LUTIL_SHA1_BYTES];
345 char base64digest[LUTIL_BASE64_ENCODE_LEN(sizeof(SHA1digest))+1];
347 lutil_SHA1Init(&SHA1context);
348 lutil_SHA1Update(&SHA1context,
349 (const unsigned char *) cred, strlen(cred));
350 lutil_SHA1Final(SHA1digest, &SHA1context);
352 if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
353 base64digest, sizeof(base64digest)) < 0)
358 return strcmp(passwd, base64digest);
362 const struct pw_scheme *sc,
366 lutil_MD5_CTX MD5context;
367 unsigned char MD5digest[LUTIL_MD5_BYTES];
368 int pw_len = strlen(passwd);
370 unsigned char *orig_pass = NULL;
372 /* base64 un-encode password */
373 orig_pass = (unsigned char *) ber_memalloc( (size_t) (
374 LUTIL_BASE64_DECODE_LEN(pw_len) + 1) );
376 if( orig_pass == NULL ) return -1;
378 if ((rc = lutil_b64_pton(passwd, orig_pass, pw_len)) < 0) {
379 ber_memfree(orig_pass);
383 /* hash credentials with salt */
384 lutil_MD5Init(&MD5context);
385 lutil_MD5Update(&MD5context,
386 (const unsigned char *) cred, strlen(cred));
387 lutil_MD5Update(&MD5context,
388 (const unsigned char *) &orig_pass[sizeof(MD5digest)],
389 rc - sizeof(MD5digest));
390 lutil_MD5Final(MD5digest, &MD5context);
393 rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
394 ber_memfree(orig_pass);
399 const struct pw_scheme *sc,
403 lutil_MD5_CTX MD5context;
404 unsigned char MD5digest[LUTIL_MD5_BYTES];
405 char base64digest[LUTIL_BASE64_ENCODE_LEN(sizeof(MD5digest))+1];
407 lutil_MD5Init(&MD5context);
408 lutil_MD5Update(&MD5context,
409 (const unsigned char *)cred, strlen(cred));
410 lutil_MD5Final(MD5digest, &MD5context);
412 if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
413 base64digest, sizeof(base64digest)) < 0 )
418 return strcmp(passwd, base64digest);
422 static int chk_crypt(
423 const struct pw_scheme *sc,
427 return strcmp(passwd, crypt(cred, passwd));
430 # if defined( HAVE_GETSPNAM ) \
431 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
433 const struct pw_scheme *sc,
437 # ifdef HAVE_GETSPNAM
438 struct spwd *spwd = getspnam(p);
441 return 1; /* not found */
444 return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
446 struct passwd *pwd = getpwnam(p);
449 return 1; /* not found */
452 return strcmp(pwd->pw_passwd, crypt(cred, pwd->pw_passwd));
458 /* PASSWORD CHECK ROUTINES */
459 static char *gen_ssha1(
460 const struct pw_scheme *scheme,
463 lutil_SHA1_CTX SHA1context;
464 unsigned char SHA1digest[LUTIL_SHA1_BYTES];
465 unsigned char salt[4];
467 if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
471 lutil_SHA1Init( &SHA1context );
472 lutil_SHA1Update( &SHA1context,
473 (const unsigned char *)passwd, strlen(passwd) );
474 lutil_SHA1Update( &SHA1context,
475 (const unsigned char *)salt, sizeof(salt) );
476 lutil_SHA1Final( SHA1digest, &SHA1context );
478 return pw_string64( scheme,
479 SHA1digest, sizeof(SHA1digest),
483 static char *gen_sha1(
484 const struct pw_scheme *scheme,
487 lutil_SHA1_CTX SHA1context;
488 unsigned char SHA1digest[20];
490 lutil_SHA1Init( &SHA1context );
491 lutil_SHA1Update( &SHA1context,
492 (const unsigned char *)passwd, strlen(passwd) );
493 lutil_SHA1Final( SHA1digest, &SHA1context );
495 return pw_string64( scheme,
496 SHA1digest, sizeof(SHA1digest),
500 static char *gen_smd5(
501 const struct pw_scheme *scheme,
504 lutil_MD5_CTX MD5context;
505 unsigned char MD5digest[16];
506 unsigned char salt[4];
508 if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
512 lutil_MD5Init( &MD5context );
513 lutil_MD5Update( &MD5context,
514 (const unsigned char *) passwd, strlen(passwd) );
515 lutil_MD5Update( &MD5context,
516 (const unsigned char *) salt, sizeof(salt) );
517 lutil_MD5Final( MD5digest, &MD5context );
519 return pw_string64( scheme,
520 MD5digest, sizeof(MD5digest),
521 salt, sizeof(salt) );
524 static char *gen_md5(
525 const struct pw_scheme *scheme,
528 lutil_MD5_CTX MD5context;
529 unsigned char MD5digest[16];
531 lutil_MD5Init( &MD5context );
532 lutil_MD5Update( &MD5context,
533 (const unsigned char *) passwd, strlen(passwd) );
535 lutil_MD5Final( MD5digest, &MD5context );
537 return pw_string64( scheme,
538 MD5digest, sizeof(MD5digest),
543 static char *gen_crypt(
544 const struct pw_scheme *scheme,
547 static const unsigned char crypt64[] =
548 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
551 unsigned char salt[2];
553 if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
557 salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ];
558 salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ];
560 hash = crypt( passwd, salt );
562 if( hash = NULL ) return NULL;
564 return pw_string( scheme, hash );