3 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
4 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
7 * lutil_password(credentials, password)
9 * Returns true if user supplied credentials matches
10 * the stored password.
12 * Due to the use of the crypt(3) function
13 * this routine is NOT thread-safe.
18 #include <ac/stdlib.h>
20 #include <ac/string.h>
21 #include <ac/unistd.h>
23 #include "lutil_md5.h"
24 #include "lutil_sha1.h"
34 static int is_allowed_scheme(
36 const char** schemes )
44 for(i=0; schemes[i] != NULL; i++) {
45 if(strcasecmp(scheme, schemes[i]) == 0) {
53 const char *lutil_passwd_schemes[] = {
59 # if defined( HAVE_GETSPNAM ) \
60 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
63 #ifdef SLAPD_CLEARTEXT
64 "{CLEARTEXT}", /* psuedo scheme */
69 int lutil_passwd_scheme( char *scheme ) {
70 return is_allowed_scheme( scheme, lutil_passwd_schemes );
73 static const char *passwd_scheme(
76 const char** schemes )
80 if( !is_allowed_scheme( scheme, schemes ) ) {
86 if( strncasecmp( passwd, scheme, len ) == 0 ) {
94 * Return 0 if creds are good.
100 const char **schemes)
104 if (cred == NULL || passwd == NULL) {
108 if ((p = passwd_scheme( passwd, "{MD5}", schemes )) != NULL ) {
109 lutil_MD5_CTX MD5context;
110 unsigned char MD5digest[16];
111 char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
113 lutil_MD5Init(&MD5context);
114 lutil_MD5Update(&MD5context,
115 (const unsigned char *)cred, strlen(cred));
116 lutil_MD5Final(MD5digest, &MD5context);
118 if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
119 base64digest, sizeof(base64digest)) < 0)
124 return( strcmp(p, base64digest) );
126 } else if ((p = passwd_scheme( passwd, "{SHA}", schemes )) != NULL ) {
127 lutil_SHA1_CTX SHA1context;
128 unsigned char SHA1digest[20];
129 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
131 lutil_SHA1Init(&SHA1context);
132 lutil_SHA1Update(&SHA1context,
133 (const unsigned char *) cred, strlen(cred));
134 lutil_SHA1Final(SHA1digest, &SHA1context);
136 if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
137 base64digest, sizeof(base64digest)) < 0)
142 return( strcmp(p, base64digest) );
144 } else if ((p = passwd_scheme( passwd, "{SSHA}", schemes )) != NULL ) {
145 lutil_SHA1_CTX SHA1context;
146 unsigned char SHA1digest[20];
147 int pw_len = strlen(p);
149 unsigned char *orig_pass = NULL;
151 /* base64 un-encode password */
152 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
153 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
159 /* hash credentials with salt */
160 lutil_SHA1Init(&SHA1context);
161 lutil_SHA1Update(&SHA1context,
162 (const unsigned char *) cred, strlen(cred));
163 lutil_SHA1Update(&SHA1context,
164 (const unsigned char *) orig_pass + sizeof(SHA1digest),
165 rc - sizeof(SHA1digest));
166 lutil_SHA1Final(SHA1digest, &SHA1context);
169 rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
173 } else if ((p = passwd_scheme( passwd, "{SMD5}", schemes )) != NULL ) {
174 lutil_MD5_CTX MD5context;
175 unsigned char MD5digest[16];
176 int pw_len = strlen(p);
178 unsigned char *orig_pass = NULL;
180 /* base64 un-encode password */
181 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
182 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
188 /* hash credentials with salt */
189 lutil_MD5Init(&MD5context);
190 lutil_MD5Update(&MD5context,
191 (const unsigned char *) cred, strlen(cred));
192 lutil_MD5Update(&MD5context,
193 (const unsigned char *) orig_pass + sizeof(MD5digest),
194 rc - sizeof(MD5digest));
195 lutil_MD5Final(MD5digest, &MD5context);
198 rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
203 } else if ((p = passwd_scheme( passwd, "{CRYPT}", schemes )) != NULL ) {
204 return( strcmp(p, crypt(cred, p)) );
206 # if defined( HAVE_GETSPNAM ) \
207 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
208 } else if ((p = passwd_scheme( passwd, "{UNIX}", schemes )) != NULL ) {
210 # ifdef HAVE_GETSPNAM
211 struct spwd *spwd = getspnam(p);
214 return 1; /* not found */
217 return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
219 struct passwd *pwd = getpwnam(p);
222 return 1; /* not found */
225 return strcmp(pwd->pw_passwd, crypt(cred, pwd->pw_passwd));
231 #ifdef SLAPD_CLEARTEXT
232 return is_allowed_scheme("{CLEARTEXT}", schemes ) &&
233 strcmp(passwd, cred) != 0;