2 * lutil_password(credentials, password)
4 * Returns true if user supplied credentials matches
7 * Due to the use of the crypt(3) function
8 * this routine is NOT thread-safe.
13 #include <ac/stdlib.h>
15 #include <ac/string.h>
16 #include <ac/unistd.h>
18 #include "lutil_md5.h"
19 #include "lutil_sha1.h"
29 static int supported_hash(
31 const char** methods )
39 for(i=0; methods[i] != NULL; i++) {
40 if(strcasecmp(method, methods[i]) == 0) {
48 static const char *passwd_hash(
51 const char** methods )
55 if( !supported_hash( method, methods ) ) {
61 if( strncasecmp( passwd, method, len ) == 0 ) {
69 * Return 0 if creds are good.
79 if (cred == NULL || passwd == NULL) {
83 if ((p = passwd_hash( passwd, "{MD5}", methods )) != NULL ) {
84 lutil_MD5_CTX MD5context;
85 unsigned char MD5digest[16];
86 char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
88 lutil_MD5Init(&MD5context);
89 lutil_MD5Update(&MD5context,
90 (const unsigned char *)cred, strlen(cred));
91 lutil_MD5Final(MD5digest, &MD5context);
93 if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
94 base64digest, sizeof(base64digest)) < 0)
99 return( strcmp(p, base64digest) );
101 } else if ((p = passwd_hash( passwd, "{SHA}", methods )) != NULL ) {
102 lutil_SHA1_CTX SHA1context;
103 unsigned char SHA1digest[20];
104 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
106 lutil_SHA1Init(&SHA1context);
107 lutil_SHA1Update(&SHA1context,
108 (const unsigned char *) cred, strlen(cred));
109 lutil_SHA1Final(SHA1digest, &SHA1context);
111 if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
112 base64digest, sizeof(base64digest)) < 0)
117 return( strcmp(p, base64digest) );
119 } else if ((p = passwd_hash( passwd, "{SSHA}", methods )) != NULL ) {
120 lutil_SHA1_CTX SHA1context;
121 unsigned char SHA1digest[20];
122 int pw_len = strlen(p);
124 unsigned char *orig_pass = NULL;
126 /* base64 un-encode password */
127 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
128 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
134 /* hash credentials with salt */
135 lutil_SHA1Init(&SHA1context);
136 lutil_SHA1Update(&SHA1context,
137 (const unsigned char *) cred, strlen(cred));
138 lutil_SHA1Update(&SHA1context,
139 (const unsigned char *) orig_pass + sizeof(SHA1digest),
140 rc - sizeof(SHA1digest));
141 lutil_SHA1Final(SHA1digest, &SHA1context);
144 rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
148 } else if ((p = passwd_hash( passwd, "{SMD5}", methods )) != NULL ) {
149 lutil_MD5_CTX MD5context;
150 unsigned char MD5digest[16];
151 int pw_len = strlen(p);
153 unsigned char *orig_pass = NULL;
155 /* base64 un-encode password */
156 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
157 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
163 /* hash credentials with salt */
164 lutil_MD5Init(&MD5context);
165 lutil_MD5Update(&MD5context,
166 (const unsigned char *) cred, strlen(cred));
167 lutil_MD5Update(&MD5context,
168 (const unsigned char *) orig_pass + sizeof(MD5digest),
169 rc - sizeof(MD5digest));
170 lutil_MD5Final(MD5digest, &MD5context);
173 rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
178 } else if ((p = passwd_hash( passwd, "{CRYPT}", methods )) != NULL ) {
179 return( strcmp(p, crypt(cred, p)) );
181 # if defined( HAVE_GETSPNAM ) \
182 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
183 } else if ((p = passwd_hash( passwd, "{UNIX}", methods )) != NULL ) {
185 # ifdef HAVE_GETSPNAM
186 struct spwd *spwd = getspnam(p);
189 return 1; /* not found */
192 return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
194 struct passwd *pwd = getpwnam(p);
197 return 1; /* not found */
200 return strcmp(pwd->pw_passwd, crypt(cred, pwd->pw_passwd));
206 #ifdef SLAPD_CLEARTEXT
207 return supported_hash("{CLEARTEXT}", methods ) &&
208 strcmp(passwd, cred) != 0;