X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Fliblutil%2Fpasswd.c;h=a8f69dc5ff3baea01409fbf8db9d1c8aa3fdc06a;hb=a2ee84112150c83c0edb555af31fc1409e4f3e2f;hp=89b45b92c309796d565aa9b2f12e3eed2feb9e14;hpb=d4a4a4cd25ee0c8e3e08628347aad2bcbcb4c894;p=openldap
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 89b45b92c3..a8f69dc5ff 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -10,6 +10,8 @@
 #include "portable.h"
+#include
+
 #include
 #include
@@ -18,6 +20,7 @@
 #include "lutil.h"
 /*
+ * Return 0 if creds are good.
 */
 int
@@ -27,53 +30,121 @@ lutil_passwd(
 {
 if (cred == NULL || passwd == NULL) {
- return 0;
+ return -1;
 }
- if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
- const char *p = passwd + (sizeof("{CRYPT}") - 1);
-
- return( strcmp(p, crypt(cred, p)) != 0 );
-
- } else if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
- ldap_MD5_CTX MD5context;
- unsigned char MD5digest[20];
- char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
+ if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
+ lutil_MD5_CTX MD5context;
+ unsigned char MD5digest[16];
+ char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */
 const char *p = passwd + (sizeof("{MD5}") - 1);
- ldap_MD5Init(&MD5context);
- ldap_MD5Update(&MD5context,
- cred, strlen(cred));
- ldap_MD5Final(MD5digest, &MD5context);
+ lutil_MD5Init(&MD5context);
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *)cred, strlen(cred));
+ lutil_MD5Final(MD5digest, &MD5context);
- if ( b64_ntop(MD5digest, sizeof(MD5digest),
+ if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
 base64digest, sizeof(base64digest)) < 0) {
 return ( 1 );
 }
- return (strcmp(p, base64digest) != 0);
+ return( strcmp(p, base64digest) );
 } else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
- ldap_SHA1_CTX SHA1context;
+ lutil_SHA1_CTX SHA1context;
 unsigned char SHA1digest[20];
 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
 const char *p = passwd + (sizeof("{SHA}") - 1);
- ldap_SHA1Init(&SHA1context);
- ldap_SHA1Update(&SHA1context,
- (unsigned char *) cred, strlen(cred));
- ldap_SHA1Final(SHA1digest, &SHA1context);
+ lutil_SHA1Init(&SHA1context);
+ lutil_SHA1Update(&SHA1context,
+ (const unsigned char *) cred, strlen(cred));
+ lutil_SHA1Final(SHA1digest, &SHA1context);
- if (b64_ntop(SHA1digest, sizeof(SHA1digest),
+ if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
 base64digest, sizeof(base64digest)) < 0) {
- return ( 0 );
+ return ( 1 );
 }
- return( strcmp(p, base64digest) != 0 );
+ return( strcmp(p, base64digest) );
+
+ } else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
+ lutil_SHA1_CTX SHA1context;
+ unsigned char SHA1digest[20];
+ const char *p = passwd + (sizeof("{SSHA}") - 1);
+ int pw_len = strlen(p);
+ int rc;
+ unsigned char *orig_pass = NULL;
+
+ /* base64 un-encode password */
+ orig_pass = (unsigned char *)malloc(pw_len * 0.75 + 1);
+ if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
+ {
+ free(orig_pass);
+ return ( 1 );
+ }
+
+ /* hash credentials with salt */
+ lutil_SHA1Init(&SHA1context);
+ lutil_SHA1Update(&SHA1context,
+ (const unsigned char *) cred, strlen(cred));
+ lutil_SHA1Update(&SHA1context,
+ (const unsigned char *) orig_pass + sizeof(SHA1digest),
+ rc - sizeof(SHA1digest));
+ lutil_SHA1Final(SHA1digest, &SHA1context);
+
+ /* compare */
+ rc = strncmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
+ free(orig_pass);
+ return(rc);
+
+ } else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) {
+ lutil_MD5_CTX MD5context;
+ unsigned char MD5digest[16];
+ const char *p = passwd + (sizeof("{SMD5}") - 1);
+ int pw_len = strlen(p);
+ int rc;
+ unsigned char *orig_pass = NULL;
+
+ /* base64 un-encode password */
+ orig_pass = (unsigned char *)malloc(pw_len * 0.75 + 1);
+ if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
+ {
+ free(orig_pass);
+ return ( 1 );
+ }
+
+ /* hash credentials with salt */
+ lutil_MD5Init(&MD5context);
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) cred, strlen(cred));
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) orig_pass + sizeof(MD5digest),
+ rc - sizeof(MD5digest));
+ lutil_MD5Final(MD5digest, &MD5context);
+
+ /* compare */
+ rc = strncmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
+ free(orig_pass);
+ return ( rc );
+
+#ifdef SLAPD_CRYPT
+ } else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
+ const char *p = passwd + (sizeof("{CRYPT}") - 1);
+
+ return( strcmp(p, crypt(cred, p)) );
+
+#endif
 }
- return( strcmp(passwd, cred) != 0 );
+#ifdef SLAPD_CLEARTEXT
+ return( strcmp(passwd, cred) );
+#else
+ return( 1 );
+#endif
+
 }
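Review bot: In the new {SSHA} branch the decoded length rc is used without being checked against the digest size, so a stored value that decodes to fewer than 20 bytes makes `rc - sizeof(SHA1digest)` wrap to a huge size_t and `orig_pass + sizeof(SHA1digest)` point past the allocation, which lutil_SHA1Update then reads from; the malloc result is also used unchecked, and pw_len is handed to lutil_b64_pton as the target size although the buffer is only pw_len * 0.75 + 1 bytes. The closing `strncmp` on the binary digest stops at the first NUL byte, so a digest containing 0x00 is only partially compared; memcmp over sizeof(SHA1digest) is the right primitive for raw hash bytes. The {SMD5} branch has the same three issues with MD5digest and needs the same change. The rewritten SSHA lines are below; lutil_passwd's parameter list starts above the hunk.
```c
	} else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
		/* … unchanged: SHA1context, SHA1digest, p, pw_len, rc, orig_pass declarations … */
		int dec_len = pw_len * 3 / 4 + 1;	/* upper bound on the decoded size */

		/* base64 un-encode password */
		orig_pass = (unsigned char *)malloc(dec_len);
		if (orig_pass == NULL) {
			return ( 1 );
		}
		if ((rc = lutil_b64_pton(p, orig_pass, dec_len)) < 0)
		{
			free(orig_pass);
			return ( 1 );
		}
		/* the decoded value must at least hold the digest, otherwise
		 * rc - sizeof(SHA1digest) below wraps to a huge size_t */
		if (rc < (int) sizeof(SHA1digest)) {
			free(orig_pass);
			return ( 1 );
		}

		/* … unchanged: salted SHA1 hashing of cred … */

		/* compare the raw digest bytes; strncmp would stop at a NUL byte */
		rc = memcmp(orig_pass, SHA1digest, sizeof(SHA1digest));
		free(orig_pass);
		return(rc);
```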