2 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
3 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6 * lutil_password(credentials, password)
8 * Returns true if user supplied credentials matches
11 * Due to the use of the crypt(3) function
12 * this routine is NOT thread-safe.
17 #include <ac/stdlib.h>
19 #include <ac/string.h>
20 #include <ac/unistd.h>
22 #include "lutil_md5.h"
23 #include "lutil_sha1.h"
33 static int supported_hash(
35 const char** methods )
43 for(i=0; methods[i] != NULL; i++) {
44 if(strcasecmp(method, methods[i]) == 0) {
52 static const char *passwd_hash(
55 const char** methods )
59 if( !supported_hash( method, methods ) ) {
65 if( strncasecmp( passwd, method, len ) == 0 ) {
73 * Return 0 if creds are good.
83 if (cred == NULL || passwd == NULL) {
87 if ((p = passwd_hash( passwd, "{MD5}", methods )) != NULL ) {
88 lutil_MD5_CTX MD5context;
89 unsigned char MD5digest[16];
90 char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
92 lutil_MD5Init(&MD5context);
93 lutil_MD5Update(&MD5context,
94 (const unsigned char *)cred, strlen(cred));
95 lutil_MD5Final(MD5digest, &MD5context);
97 if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
98 base64digest, sizeof(base64digest)) < 0)
103 return( strcmp(p, base64digest) );
105 } else if ((p = passwd_hash( passwd, "{SHA}", methods )) != NULL ) {
106 lutil_SHA1_CTX SHA1context;
107 unsigned char SHA1digest[20];
108 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
110 lutil_SHA1Init(&SHA1context);
111 lutil_SHA1Update(&SHA1context,
112 (const unsigned char *) cred, strlen(cred));
113 lutil_SHA1Final(SHA1digest, &SHA1context);
115 if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
116 base64digest, sizeof(base64digest)) < 0)
121 return( strcmp(p, base64digest) );
123 } else if ((p = passwd_hash( passwd, "{SSHA}", methods )) != NULL ) {
124 lutil_SHA1_CTX SHA1context;
125 unsigned char SHA1digest[20];
126 int pw_len = strlen(p);
128 unsigned char *orig_pass = NULL;
130 /* base64 un-encode password */
131 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
132 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
138 /* hash credentials with salt */
139 lutil_SHA1Init(&SHA1context);
140 lutil_SHA1Update(&SHA1context,
141 (const unsigned char *) cred, strlen(cred));
142 lutil_SHA1Update(&SHA1context,
143 (const unsigned char *) orig_pass + sizeof(SHA1digest),
144 rc - sizeof(SHA1digest));
145 lutil_SHA1Final(SHA1digest, &SHA1context);
148 rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
152 } else if ((p = passwd_hash( passwd, "{SMD5}", methods )) != NULL ) {
153 lutil_MD5_CTX MD5context;
154 unsigned char MD5digest[16];
155 int pw_len = strlen(p);
157 unsigned char *orig_pass = NULL;
159 /* base64 un-encode password */
160 orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
161 if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
167 /* hash credentials with salt */
168 lutil_MD5Init(&MD5context);
169 lutil_MD5Update(&MD5context,
170 (const unsigned char *) cred, strlen(cred));
171 lutil_MD5Update(&MD5context,
172 (const unsigned char *) orig_pass + sizeof(MD5digest),
173 rc - sizeof(MD5digest));
174 lutil_MD5Final(MD5digest, &MD5context);
177 rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
182 } else if ((p = passwd_hash( passwd, "{CRYPT}", methods )) != NULL ) {
183 return( strcmp(p, crypt(cred, p)) );
185 # if defined( HAVE_GETSPNAM ) \
186 || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
187 } else if ((p = passwd_hash( passwd, "{UNIX}", methods )) != NULL ) {
189 # ifdef HAVE_GETSPNAM
190 struct spwd *spwd = getspnam(p);
193 return 1; /* not found */
196 return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
198 struct passwd *pwd = getpwnam(p);
201 return 1; /* not found */
204 return strcmp(pwd->pw_passwd, crypt(cred, pwd->pw_passwd));
210 #ifdef SLAPD_CLEARTEXT
211 return supported_hash("{CLEARTEXT}", methods ) &&
212 strcmp(passwd, cred) != 0;