X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Fliblutil%2Fpasswd.c;h=8cd6b1af484d93224541522b11533b1a9b12804e;hb=a26cca88ddf591e00ea7287e288fcbf56e08582b;hp=8fc3a07ac97e99702160c790953666af8081e8fe;hpb=7fad68f7b4f851b068ecc409249e298303d6d196;p=openldap diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index 8fc3a07ac9..8cd6b1af48 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ /* @@ -21,9 +21,14 @@ #include #include #include +#include #ifdef SLAPD_SPASSWD -# include +# ifdef HAVE_SASL_SASL_H +# include +# else +# include +# endif #endif #ifdef SLAPD_KPASSWD @@ -31,24 +36,36 @@ # include #endif +/* KPASSWD/krb.h brings in a conflicting des.h so don't use both. + * configure currently requires OpenSSL to enable LMHASH. Obviously + * this requirement can be fulfilled by the KRB DES library as well. + */ +#if defined(SLAPD_LMHASH) && !defined(DES_ENCRYPT) +# include +#endif /* SLAPD_LMHASH */ + #include -#include -#include +#ifdef SLAPD_CRYPT +# include -#ifdef HAVE_SHADOW_H +# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) +# ifdef HAVE_SHADOW_H # include -#endif -#ifdef HAVE_PWD_H +# endif +# ifdef HAVE_PWD_H # include -#endif -#ifdef HAVE_AIX_SECURITY +# endif +# ifdef HAVE_AIX_SECURITY # include +# endif +# endif #endif #include #include "ldap_pvt.h" +#include "lber_pvt.h" #include "lutil_md5.h" #include "lutil_sha1.h" @@ -57,140 +74,158 @@ static const unsigned char crypt64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./"; -struct pw_scheme; - -typedef int (*PASSWD_CHK_FUNC)( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); - -typedef struct berval * (*PASSWD_HASH_FUNC) ( - const struct pw_scheme *scheme, - const struct berval *passwd ); +#ifdef SLAPD_CRYPT +static char *salt_format = NULL; +#endif struct pw_scheme { struct berval name; - PASSWD_CHK_FUNC chk_fn; - PASSWD_HASH_FUNC hash_fn; + LUTIL_PASSWD_CHK_FUNC *chk_fn; + LUTIL_PASSWD_HASH_FUNC *hash_fn; +}; + +struct pw_slist { + struct pw_slist *next; + struct pw_scheme s; }; /* password check routines */ -static int chk_md5( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); -static int chk_smd5( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +static LUTIL_PASSWD_CHK_FUNC chk_md5; +static LUTIL_PASSWD_CHK_FUNC chk_smd5; +static LUTIL_PASSWD_HASH_FUNC hash_smd5; +static LUTIL_PASSWD_HASH_FUNC hash_md5; -static int chk_ssha1( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); -static int chk_sha1( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +#ifdef LUTIL_SHA1_BYTES +static LUTIL_PASSWD_CHK_FUNC chk_ssha1; +static LUTIL_PASSWD_CHK_FUNC chk_sha1; +static LUTIL_PASSWD_HASH_FUNC hash_sha1; +static LUTIL_PASSWD_HASH_FUNC hash_ssha1; +#endif + +#ifdef SLAPD_LMHASH +static LUTIL_PASSWD_CHK_FUNC chk_lanman; +static LUTIL_PASSWD_HASH_FUNC hash_lanman; +#endif + +#ifdef SLAPD_NS_MTA_MD5 +static LUTIL_PASSWD_CHK_FUNC chk_ns_mta_md5; +#endif #ifdef SLAPD_SPASSWD -static int chk_sasl( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +static LUTIL_PASSWD_CHK_FUNC chk_sasl; #endif #ifdef SLAPD_KPASSWD -static int chk_kerberos( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +static LUTIL_PASSWD_CHK_FUNC chk_kerberos; #endif #ifdef SLAPD_CRYPT -static int chk_crypt( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +static LUTIL_PASSWD_CHK_FUNC chk_crypt; +static LUTIL_PASSWD_HASH_FUNC hash_crypt; #if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) -static int chk_unix( - const struct pw_scheme *scheme, - const struct berval *passwd, - const struct berval *cred ); +static LUTIL_PASSWD_CHK_FUNC chk_unix; #endif #endif - /* password hash routines */ -static struct berval *hash_sha1( - const struct pw_scheme *scheme, - const struct berval *passwd ); -static struct berval *hash_ssha1( - const struct pw_scheme *scheme, - const struct berval *passwd ); - -static struct berval *hash_smd5( - const struct pw_scheme *scheme, - const struct berval *passwd ); +#ifdef SLAPD_CLEARTEXT +static LUTIL_PASSWD_HASH_FUNC hash_clear; +#endif -static struct berval *hash_md5( - const struct pw_scheme *scheme, - const struct berval *passwd ); +static struct pw_slist *pw_schemes; -#ifdef SLAPD_CRYPT -static struct berval *hash_crypt( - const struct pw_scheme *scheme, - const struct berval *passwd ); +static const struct pw_scheme pw_schemes_default[] = +{ +#ifdef LUTIL_SHA1_BYTES + { BER_BVC("{SSHA}"), chk_ssha1, hash_ssha1 }, + { BER_BVC("{SHA}"), chk_sha1, hash_sha1 }, #endif + { BER_BVC("{SMD5}"), chk_smd5, hash_smd5 }, + { BER_BVC("{MD5}"), chk_md5, hash_md5 }, -static const struct pw_scheme pw_schemes[] = -{ - { {sizeof("{SSHA}")-1, "{SSHA}"}, chk_ssha1, hash_ssha1 }, - { {sizeof("{SHA}")-1, "{SHA}"}, chk_sha1, hash_sha1 }, +#ifdef SLAPD_LMHASH + { BER_BVC("{LANMAN}"), chk_lanman, hash_lanman }, +#endif /* SLAPD_LMHASH */ - { {sizeof("{SMD5}")-1, "{SMD5}"}, chk_smd5, hash_smd5 }, - { {sizeof("{MD5}")-1, "{MD5}"}, chk_md5, hash_md5 }, +#ifdef SLAPD_NS_MTA_MD5 + { BER_BVC("{NS-MTA-MD5}"), chk_ns_mta_md5, NULL }, +#endif /* SLAPD_NS_MTA_MD5 */ #ifdef SLAPD_SPASSWD - { {sizeof("{SASL}")-1, "{SASL}"}, chk_sasl, NULL }, + { BER_BVC("{SASL}"), chk_sasl, NULL }, #endif #ifdef SLAPD_KPASSWD - { {sizeof("{KERBEROS}")-1, "{KERBEROS}"}, chk_kerberos, NULL }, + { BER_BVC("{KERBEROS}"), chk_kerberos, NULL }, #endif #ifdef SLAPD_CRYPT - { {sizeof("{CRYPT}")-1, "{CRYPT}"}, chk_crypt, hash_crypt }, + { BER_BVC("{CRYPT}"), chk_crypt, hash_crypt }, # if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) - { {sizeof("{UNIX}")-1, "{UNIX}"}, chk_unix, NULL }, + { BER_BVC("{UNIX}"), chk_unix, NULL }, # endif #endif #ifdef SLAPD_CLEARTEXT - /* psuedo scheme */ - { {0, "{CLEARTEXT}"}, NULL, NULL }, + /* pseudo scheme */ + { {0, "{CLEARTEXT}"}, NULL, hash_clear }, #endif - { {0, NULL}, NULL, NULL } + { BER_BVNULL, NULL, NULL } }; +int lutil_passwd_add( + struct berval *scheme, + LUTIL_PASSWD_CHK_FUNC *chk, + LUTIL_PASSWD_HASH_FUNC *hash ) +{ + struct pw_slist *ptr; + + ptr = ber_memalloc( sizeof( struct pw_slist )); + if (!ptr) return -1; + ptr->next = pw_schemes; + ptr->s.name = *scheme; + ptr->s.chk_fn = chk; + ptr->s.hash_fn = hash; + pw_schemes = ptr; + return 0; +} + +void lutil_passwd_init() +{ + struct pw_slist *ptr; + struct pw_scheme *s; + + for( s=(struct pw_scheme *)pw_schemes_default; s->name.bv_val; s++) { + if ( lutil_passwd_add( &s->name, s->chk_fn, s->hash_fn )) break; + } +} + +void lutil_passwd_destroy() +{ + struct pw_slist *ptr, *next; + + for( ptr=pw_schemes; ptr; ptr=next ) { + next = ptr->next; + ber_memfree( ptr ); + } +} + static const struct pw_scheme *get_scheme( const char* scheme ) { - int i; + struct pw_slist *pws; - for( i=0; pw_schemes[i].name.bv_val; i++) { - if( pw_schemes[i].name.bv_len == 0 ) continue; + if (!pw_schemes) lutil_passwd_init(); - if( strncasecmp(scheme, pw_schemes[i].name.bv_val, - pw_schemes[i].name.bv_len) == 0 ) - { - return &pw_schemes[i]; + for( pws=pw_schemes; pws; pws=pws->next ) { + if( strcasecmp(scheme, pws->s.name.bv_val ) == 0 ) { + return &(pws->s); } } @@ -227,6 +262,7 @@ static int is_allowed_scheme( static struct berval *passwd_scheme( const struct pw_scheme *scheme, const struct berval * passwd, + struct berval *bv, const char** allowed ) { if( !is_allowed_scheme( scheme->name.bv_val, allowed ) ) { @@ -235,10 +271,6 @@ static struct berval *passwd_scheme( if( passwd->bv_len >= scheme->name.bv_len ) { if( strncasecmp( passwd->bv_val, scheme->name.bv_val, scheme->name.bv_len ) == 0 ) { - struct berval *bv = ber_memalloc( sizeof(struct berval) ); - - if( bv == NULL ) return NULL; - bv->bv_val = &passwd->bv_val[scheme->name.bv_len]; bv->bv_len = passwd->bv_len - scheme->name.bv_len; @@ -258,7 +290,7 @@ lutil_passwd( const struct berval *cred, /* user cred */ const char **schemes ) { - int i; + struct pw_slist *pws; if (cred == NULL || cred->bv_len == 0 || passwd == NULL || passwd->bv_len == 0 ) @@ -266,27 +298,24 @@ lutil_passwd( return -1; } - for( i=0; pw_schemes[i].name.bv_val != NULL; i++ ) { - if( pw_schemes[i].chk_fn ) { - struct berval *p = passwd_scheme( &pw_schemes[i], - passwd, schemes ); + if (!pw_schemes) lutil_passwd_init(); + + for( pws=pw_schemes; pws; pws=pws->next ) { + if( pws->s.chk_fn ) { + struct berval x; + struct berval *p = passwd_scheme( &(pws->s), + passwd, &x, schemes ); if( p != NULL ) { - int rc = (pw_schemes[i].chk_fn)( &pw_schemes[i], p, cred ); - - /* only free the berval structure as the bv_val points - * into passwd->bv_val - */ - ber_memfree( p ); - - return rc; + return (pws->s.chk_fn)( &(pws->s.name), p, cred ); } } } #ifdef SLAPD_CLEARTEXT if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) { - return passwd->bv_len == cred->bv_len + return (( passwd->bv_len == cred->bv_len ) && + ( passwd->bv_val[0] != '{' /*'}'*/ )) ? memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len ) : 1; } @@ -335,17 +364,19 @@ struct berval * lutil_passwd_hash( if( sc == NULL ) return NULL; if( ! sc->hash_fn ) return NULL; - return (sc->hash_fn)( sc, passwd ); + return (sc->hash_fn)( &sc->name, passwd ); } +/* pw_string is only called when SLAPD_LMHASH or SLAPD_CRYPT is defined */ +#if defined(SLAPD_LMHASH) || defined(SLAPD_CRYPT) static struct berval * pw_string( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval *passwd ) { struct berval *pw = ber_memalloc( sizeof( struct berval ) ); if( pw == NULL ) return NULL; - pw->bv_len = sc->name.bv_len + passwd->bv_len; + pw->bv_len = sc->bv_len + passwd->bv_len; pw->bv_val = ber_memalloc( pw->bv_len + 1 ); if( pw->bv_val == NULL ) { @@ -353,15 +384,16 @@ static struct berval * pw_string( return NULL; } - AC_MEMCPY( pw->bv_val, sc->name.bv_val, sc->name.bv_len ); - AC_MEMCPY( &pw->bv_val[sc->name.bv_len], passwd->bv_val, passwd->bv_len ); + AC_MEMCPY( pw->bv_val, sc->bv_val, sc->bv_len ); + AC_MEMCPY( &pw->bv_val[sc->bv_len], passwd->bv_val, passwd->bv_len ); pw->bv_val[pw->bv_len] = '\0'; return pw; } +#endif /* SLAPD_LMHASH || SLAPD_CRYPT */ static struct berval * pw_string64( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval *hash, const struct berval *salt ) { @@ -393,7 +425,7 @@ static struct berval * pw_string64( } b64len = LUTIL_BASE64_ENCODE_LEN( string.bv_len ) + 1; - b64->bv_len = b64len + sc->name.bv_len; + b64->bv_len = b64len + sc->bv_len; b64->bv_val = ber_memalloc( b64->bv_len + 1 ); if( b64->bv_val == NULL ) { @@ -402,11 +434,11 @@ static struct berval * pw_string64( return NULL; } - AC_MEMCPY(b64->bv_val, sc->name.bv_val, sc->name.bv_len); + AC_MEMCPY(b64->bv_val, sc->bv_val, sc->bv_len); rc = lutil_b64_ntop( string.bv_val, string.bv_len, - &b64->bv_val[sc->name.bv_len], b64len ); + &b64->bv_val[sc->bv_len], b64len ); if( salt ) ber_memfree( string.bv_val ); @@ -416,15 +448,16 @@ static struct berval * pw_string64( } /* recompute length */ - b64->bv_len = sc->name.bv_len + rc; + b64->bv_len = sc->bv_len + rc; assert( strlen(b64->bv_val) == b64->bv_len ); return b64; } /* PASSWORD CHECK ROUTINES */ +#ifdef LUTIL_SHA1_BYTES static int chk_ssha1( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { @@ -432,7 +465,12 @@ static int chk_ssha1( unsigned char SHA1digest[LUTIL_SHA1_BYTES]; int rc; unsigned char *orig_pass = NULL; - + + /* safety check */ + if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) { + return -1; + } + /* decode base64 password */ orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); @@ -441,7 +479,7 @@ static int chk_ssha1( rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); - if(rc < 0) { + if (rc <= sizeof(SHA1digest)) { ber_memfree(orig_pass); return -1; } @@ -462,7 +500,7 @@ static int chk_ssha1( } static int chk_sha1( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { @@ -495,9 +533,10 @@ static int chk_sha1( ber_memfree(orig_pass); return rc ? 1 : 0; } +#endif static int chk_smd5( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { @@ -506,6 +545,11 @@ static int chk_smd5( int rc; unsigned char *orig_pass = NULL; + /* safety check */ + if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) { + return -1; + } + /* base64 un-encode password */ orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); @@ -513,7 +557,8 @@ static int chk_smd5( if( orig_pass == NULL ) return -1; rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); - if ( rc < 0 ) { + + if (rc <= sizeof(MD5digest)) { ber_memfree(orig_pass); return -1; } @@ -535,7 +580,7 @@ static int chk_smd5( } static int chk_md5( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { @@ -569,17 +614,78 @@ static int chk_md5( return rc ? 1 : 0; } +#ifdef SLAPD_LMHASH +static int chk_lanman( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred ) +{ + struct berval *hash; + + hash = hash_lanman( scheme, cred ); + return memcmp( &hash->bv_val[scheme->bv_len], passwd->bv_val, 32); +} +#endif /* SLAPD_LMHASH */ + +#ifdef SLAPD_NS_MTA_MD5 +static int chk_ns_mta_md5( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred ) +{ + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES], c; + char buffer[LUTIL_MD5_BYTES + LUTIL_MD5_BYTES + 1]; + int i; + + /* hash credentials with salt */ + lutil_MD5Init(&MD5context); + lutil_MD5Update(&MD5context, + (const unsigned char *) &passwd->bv_val[32], + 32 ); + + c = 0x59; + lutil_MD5Update(&MD5context, + (const unsigned char *) &c, + 1 ); + + lutil_MD5Update(&MD5context, + (const unsigned char *) cred->bv_val, + cred->bv_len ); + + c = 0xF7; + lutil_MD5Update(&MD5context, + (const unsigned char *) &c, + 1 ); + + lutil_MD5Update(&MD5context, + (const unsigned char *) &passwd->bv_val[32], + 32 ); + + lutil_MD5Final(MD5digest, &MD5context); + + for( i=0; i < sizeof( MD5digest ); i++ ) { + buffer[i+i] = "0123456789abcdef"[(MD5digest[i]>>4) & 0x0F]; + buffer[i+i+1] = "0123456789abcdef"[ MD5digest[i] & 0x0F]; + } + + /* compare */ + return memcmp((char *)passwd->bv_val, (char *)buffer, sizeof(buffer)) + ? 1 : 0; +} +#endif + #ifdef SLAPD_SPASSWD #ifdef HAVE_CYRUS_SASL sasl_conn_t *lutil_passwd_sasl_conn = NULL; #endif static int chk_sasl( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { - int i; + unsigned int i; int rtn; for( i=0; ibv_len; i++) { @@ -606,14 +712,18 @@ static int chk_sasl( #ifdef HAVE_CYRUS_SASL if( lutil_passwd_sasl_conn != NULL ) { - const char *errstr = NULL; int sc; - +# if SASL_VERSION_MAJOR < 2 + const char *errstr = NULL; sc = sasl_checkpass( lutil_passwd_sasl_conn, passwd->bv_val, passwd->bv_len, cred->bv_val, cred->bv_len, &errstr ); - +# else + sc = sasl_checkpass( lutil_passwd_sasl_conn, + passwd->bv_val, passwd->bv_len, + cred->bv_val, cred->bv_len ); +# endif rtn = ( sc != SASL_OK ); } #endif @@ -624,11 +734,11 @@ static int chk_sasl( #ifdef SLAPD_KPASSWD static int chk_kerberos( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { - int i; + unsigned int i; int rtn; for( i=0; ibv_len; i++) { @@ -797,12 +907,12 @@ static int chk_kerberos( #ifdef SLAPD_CRYPT static int chk_crypt( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { char *cr; - int i; + unsigned int i; for( i=0; ibv_len; i++) { if(cred->bv_val[i] == '\0') { @@ -840,11 +950,11 @@ static int chk_crypt( # if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) static int chk_unix( - const struct pw_scheme *sc, + const struct berval *sc, const struct berval * passwd, const struct berval * cred ) { - int i; + unsigned int i; char *pw,*cr; for( i=0; ibv_len; i++) { @@ -914,8 +1024,9 @@ static int chk_unix( /* PASSWORD GENERATION ROUTINES */ +#ifdef LUTIL_SHA1_BYTES static struct berval *hash_ssha1( - const struct pw_scheme *scheme, + const struct berval *scheme, const struct berval *passwd ) { lutil_SHA1_CTX SHA1context; @@ -944,7 +1055,7 @@ static struct berval *hash_ssha1( } static struct berval *hash_sha1( - const struct pw_scheme *scheme, + const struct berval *scheme, const struct berval *passwd ) { lutil_SHA1_CTX SHA1context; @@ -960,9 +1071,10 @@ static struct berval *hash_sha1( return pw_string64( scheme, &digest, NULL); } +#endif static struct berval *hash_smd5( - const struct pw_scheme *scheme, + const struct berval *scheme, const struct berval *passwd ) { lutil_MD5_CTX MD5context; @@ -991,7 +1103,7 @@ static struct berval *hash_smd5( } static struct berval *hash_md5( - const struct pw_scheme *scheme, + const struct berval *scheme, const struct berval *passwd ) { lutil_MD5_CTX MD5context; @@ -1011,14 +1123,137 @@ static struct berval *hash_md5( ; } +#ifdef SLAPD_LMHASH +/* pseudocode from RFC2433 + * A.2 LmPasswordHash() + * + * LmPasswordHash( + * IN 0-to-14-oem-char Password, + * OUT 16-octet PasswordHash ) + * { + * Set UcasePassword to the uppercased Password + * Zero pad UcasePassword to 14 characters + * + * DesHash( 1st 7-octets of UcasePassword, + * giving 1st 8-octets of PasswordHash ) + * + * DesHash( 2nd 7-octets of UcasePassword, + * giving 2nd 8-octets of PasswordHash ) + * } + * + * + * A.3 DesHash() + * + * DesHash( + * IN 7-octet Clear, + * OUT 8-octet Cypher ) + * { + * * + * * Make Cypher an irreversibly encrypted form of Clear by + * * encrypting known text using Clear as the secret key. + * * The known text consists of the string + * * + * * KGS!@#$% + * * + * + * Set StdText to "KGS!@#$%" + * DesEncrypt( StdText, Clear, giving Cypher ) + * } + * + * + * A.4 DesEncrypt() + * + * DesEncrypt( + * IN 8-octet Clear, + * IN 7-octet Key, + * OUT 8-octet Cypher ) + * { + * * + * * Use the DES encryption algorithm [4] in ECB mode [9] + * * to encrypt Clear into Cypher such that Cypher can + * * only be decrypted back to Clear by providing Key. + * * Note that the DES algorithm takes as input a 64-bit + * * stream where the 8th, 16th, 24th, etc. bits are + * * parity bits ignored by the encrypting algorithm. + * * Unless you write your own DES to accept 56-bit input + * * without parity, you will need to insert the parity bits + * * yourself. + * * + * } + */ + +static void lmPasswd_to_key( + const unsigned char *lmPasswd, + des_cblock *key) +{ + /* make room for parity bits */ + ((char *)key)[0] = lmPasswd[0]; + ((char *)key)[1] = ((lmPasswd[0]&0x01)<<7) | (lmPasswd[1]>>1); + ((char *)key)[2] = ((lmPasswd[1]&0x03)<<6) | (lmPasswd[2]>>2); + ((char *)key)[3] = ((lmPasswd[2]&0x07)<<5) | (lmPasswd[3]>>3); + ((char *)key)[4] = ((lmPasswd[3]&0x0F)<<4) | (lmPasswd[4]>>4); + ((char *)key)[5] = ((lmPasswd[4]&0x1F)<<3) | (lmPasswd[5]>>5); + ((char *)key)[6] = ((lmPasswd[5]&0x3F)<<2) | (lmPasswd[6]>>6); + ((char *)key)[7] = ((lmPasswd[6]&0x7F)<<1); + + des_set_odd_parity( key ); +} + +static struct berval *hash_lanman( + const struct berval *scheme, + const struct berval *passwd ) +{ + + int i; + char UcasePassword[15]; + des_cblock key; + des_key_schedule schedule; + des_cblock StdText = "KGS!@#$%"; + des_cblock hash1, hash2; + char lmhash[33]; + struct berval hash; + + for( i=0; ibv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return NULL; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return NULL; /* passwd must behave like a string */ + } + + strncpy( UcasePassword, passwd->bv_val, 14 ); + UcasePassword[14] = '\0'; + ldap_pvt_str2upper( UcasePassword ); + + lmPasswd_to_key( UcasePassword, &key ); + des_set_key_unchecked( &key, schedule ); + des_ecb_encrypt( &StdText, &hash1, schedule , DES_ENCRYPT ); + + lmPasswd_to_key( &UcasePassword[7], &key ); + des_set_key_unchecked( &key, schedule ); + des_ecb_encrypt( &StdText, &hash2, schedule , DES_ENCRYPT ); + + sprintf( lmhash, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + hash1[0],hash1[1],hash1[2],hash1[3],hash1[4],hash1[5],hash1[6],hash1[7], + hash2[0],hash2[1],hash2[2],hash2[3],hash2[4],hash2[5],hash2[6],hash2[7] ); + + hash.bv_val = lmhash; + hash.bv_len = 32; + + return pw_string( scheme, &hash ); +} +#endif /* SLAPD_LMHASH */ + #ifdef SLAPD_CRYPT static struct berval *hash_crypt( - const struct pw_scheme *scheme, + const struct berval *scheme, const struct berval *passwd ) { struct berval hash; - unsigned char salt[3]; - int i; + unsigned char salt[32]; /* salt suitable for most anything */ + unsigned int i; for( i=0; ibv_len; i++) { if(passwd->bv_val[i] == '\0') { @@ -1030,13 +1265,22 @@ static struct berval *hash_crypt( return NULL; /* passwd must behave like a string */ } - if( lutil_entropy( salt, sizeof(salt)) < 0 ) { + if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) { return NULL; } - salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ]; - salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ]; - salt[2] = '\0'; + for( i=0; i< ( sizeof(salt) - 1 ); i++ ) { + salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ]; + } + salt[sizeof( salt ) - 1 ] = '\0'; + + if( salt_format != NULL ) { + /* copy the salt we made into entropy before snprintfing + it back into the salt */ + char entropy[sizeof(salt)]; + strcpy( entropy, salt ); + snprintf( salt, sizeof(entropy), salt_format, entropy ); + } hash.bv_val = crypt( passwd->bv_val, salt ); @@ -1051,3 +1295,24 @@ static struct berval *hash_crypt( return pw_string( scheme, &hash ); } #endif + +int lutil_salt_format(const char *format) +{ +#ifdef SLAPD_CRYPT + free( salt_format ); + + salt_format = format != NULL ? strdup( format ) : NULL; +#endif + + return 0; +} + +#ifdef SLAPD_CLEARTEXT +static struct berval *hash_clear( + const struct berval *scheme, + const struct berval *passwd ) +{ + return ber_bvdup( (struct berval *) passwd ); +} +#endif +