+ SHA512_Init(&ct);
+ SHA512_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len);
+ SHA512_Final(hash512, &ct);
+
+ return lutil_passwd_string64(scheme, &digest, hash, NULL);
+}
+
+#ifdef SLAPD_SHA2_DEBUG
+static void chk_sha_debug(
+ const struct berval *scheme,
+ const struct berval *passwd,
+ const struct berval *cred,
+ const char *cred_hash,
+ size_t cred_len,
+ int cmp_rc)
+{
+ int rc;
+ struct berval cred_b64;
+
+ cred_b64.bv_len = LUTIL_BASE64_ENCODE_LEN(cred_len) + 1;
+ cred_b64.bv_val = ber_memalloc(cred_b64.bv_len + 1);
+
+ if( cred_b64.bv_val == NULL ) {
+ return;
+ }
+
+ rc = lutil_b64_ntop(
+ (unsigned char *) cred_hash, cred_len,
+ cred_b64.bv_val, cred_b64.bv_len );
+
+ if( rc < 0 ) {
+ ber_memfree(cred_b64.bv_val);
+ return;
+ }
+
+ fprintf(stderr, "Validating password\n");
+ fprintf(stderr, " Hash scheme:\t\t%s\n", scheme->bv_val);
+ fprintf(stderr, " Password to validate: %s\n", cred->bv_val);
+ fprintf(stderr, " Password hash:\t%s\n", cred_b64.bv_val);
+ fprintf(stderr, " Stored password hash:\t%s\n", passwd->bv_val);
+ fprintf(stderr, " Result:\t\t%s\n", cmp_rc ? "do not match" : "match");
+
+ ber_memfree(cred_b64.bv_val);
+}
+#endif
+
+static int chk_ssha256(
+ const struct berval *scheme, /* Scheme of hashed reference password */
+ const struct berval *passwd, /* Hashed reference password to check against */
+ const struct berval *cred, /* user-supplied password to check */
+ const char **text )
+{
+ SHA256_CTX SHAcontext;
+ unsigned char SHAdigest[SHA256_DIGEST_LENGTH];
+ int rc;
+ unsigned char *orig_pass = NULL;
+
+ /* safety check */
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHAdigest)) {
+ return LUTIL_PASSWD_ERR;
+ }
+
+ /* base64 un-encode password */
+ orig_pass = (unsigned char *) ber_memalloc( (size_t) (
+ LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+
+ if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
+
+ rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+
+ if( rc <= sizeof(SHAdigest) ) {
+ ber_memfree(orig_pass);
+ return LUTIL_PASSWD_ERR;
+ }
+
+ /* hash credentials with salt */
+ SHA256_Init(&SHAcontext);
+ SHA256_Update(&SHAcontext,
+ (const unsigned char *) cred->bv_val, cred->bv_len);
+ SHA256_Update(&SHAcontext,
+ (const unsigned char *) &orig_pass[sizeof(SHAdigest)],
+ rc - sizeof(SHAdigest));
+ SHA256_Final(SHAdigest, &SHAcontext);
+
+ /* compare */
+ rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest));
+ ber_memfree(orig_pass);
+ return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;