Added errmsg arg to lutil_passwd_{check,hash} functions

diff --git a/include/lutil.h b/include/lutil.h
index 72a722509857544292e59b5cd906e1cb4c9917b9..4cba4df7e261e57ebeff3a5f1b0170da4ae81875 100644 (file)
--- a/include/lutil.h
+++ b/include/lutil.h
@@ -70,11 +70,13 @@ struct lutil_pw_scheme;
 typedef int (LUTIL_PASSWD_CHK_FUNC)(
        const struct berval *scheme,
        const struct berval *passwd,
-       const struct berval *cred );
+       const struct berval *cred,
+       const char **text );
 
 typedef struct berval * (LUTIL_PASSWD_HASH_FUNC) (
        const struct berval *scheme,
-       const struct berval *passwd );
+       const struct berval *passwd,
+       const char **text );
 
 LDAP_LUTIL_F( int )
 lutil_passwd_add LDAP_P((
@@ -110,7 +112,8 @@ LDAP_LUTIL_F( int )
 lutil_passwd LDAP_P((
        const struct berval *passwd,    /* stored password */
        const struct berval *cred,      /* user supplied value */
-       const char **methods ));
+       const char **methods,
+       const char **text ));                   /* error message */
 
 LDAP_LUTIL_F( struct berval * )
 lutil_passwd_generate LDAP_P(( ber_len_t ));
@@ -118,7 +121,8 @@ lutil_passwd_generate LDAP_P(( ber_len_t ));
 LDAP_LUTIL_F( struct berval * )
 lutil_passwd_hash LDAP_P((
        const struct berval *passwd,
-       const char *method ));
+       const char *method,
+       const char **text ));
 
 LDAP_LUTIL_F( int )
 lutil_passwd_scheme LDAP_P((

diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 8cd6b1af484d93224541522b11533b1a9b12804e..70009e0771260a04c9df6b8436ca217b9907d837 100644 (file)
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -288,10 +288,13 @@ int
 lutil_passwd(
        const struct berval *passwd,    /* stored passwd */
        const struct berval *cred,              /* user cred */
-       const char **schemes )
+       const char **schemes,
+       const char **text )
 {
        struct pw_slist *pws;
 
+       if ( text ) *text = NULL;
+
        if (cred == NULL || cred->bv_len == 0 ||
                passwd == NULL || passwd->bv_len == 0 )
        {
@@ -307,7 +310,7 @@ lutil_passwd(
                                passwd, &x, schemes );
 
                        if( p != NULL ) {
-                               return (pws->s.chk_fn)( &(pws->s.name), p, cred );
+                               return (pws->s.chk_fn)( &(pws->s.name), p, cred, text );
                        }
                }
        }
@@ -357,14 +360,16 @@ struct berval * lutil_passwd_generate( ber_len_t len )
 
 struct berval * lutil_passwd_hash(
        const struct berval * passwd,
-       const char * method )
+       const char * method,
+       const char **text )
 {
        const struct pw_scheme *sc = get_scheme( method );
 
+       if( text ) *text = NULL;
        if( sc == NULL ) return NULL;
        if( ! sc->hash_fn ) return NULL;
 
-       return (sc->hash_fn)( &sc->name, passwd );
+       return (sc->hash_fn)( &sc->name, passwd, text );
 }
 
 /* pw_string is only called when SLAPD_LMHASH or SLAPD_CRYPT is defined */
@@ -459,7 +464,8 @@ static struct berval * pw_string64(
 static int chk_ssha1(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        lutil_SHA1_CTX SHA1context;
        unsigned char SHA1digest[LUTIL_SHA1_BYTES];
@@ -502,7 +508,8 @@ static int chk_ssha1(
 static int chk_sha1(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        lutil_SHA1_CTX SHA1context;
        unsigned char SHA1digest[LUTIL_SHA1_BYTES];
@@ -538,7 +545,8 @@ static int chk_sha1(
 static int chk_smd5(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        lutil_MD5_CTX MD5context;
        unsigned char MD5digest[LUTIL_MD5_BYTES];
@@ -582,7 +590,8 @@ static int chk_smd5(
 static int chk_md5(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        lutil_MD5_CTX MD5context;
        unsigned char MD5digest[LUTIL_MD5_BYTES];
@@ -618,7 +627,8 @@ static int chk_md5(
 static int chk_lanman(
        const struct berval *scheme,
        const struct berval *passwd,
-       const struct berval *cred )
+       const struct berval *cred,
+       const char **text )
 {
        struct berval *hash;
 
@@ -631,7 +641,8 @@ static int chk_lanman(
 static int chk_ns_mta_md5(
        const struct berval *scheme,
        const struct berval *passwd,
-       const struct berval *cred )
+       const struct berval *cred,
+       const char **text )
 {
        lutil_MD5_CTX MD5context;
        unsigned char MD5digest[LUTIL_MD5_BYTES], c;
@@ -683,7 +694,8 @@ sasl_conn_t *lutil_passwd_sasl_conn = NULL;
 static int chk_sasl(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        unsigned int i;
        int rtn;
@@ -714,11 +726,10 @@ static int chk_sasl(
        if( lutil_passwd_sasl_conn != NULL ) {
                int sc;
 # if SASL_VERSION_MAJOR < 2
-               const char *errstr = NULL;
                sc = sasl_checkpass( lutil_passwd_sasl_conn,
                        passwd->bv_val, passwd->bv_len,
                        cred->bv_val, cred->bv_len,
-                       &errstr );
+                       text );
 # else
                sc = sasl_checkpass( lutil_passwd_sasl_conn,
                        passwd->bv_val, passwd->bv_len,
@@ -736,7 +747,8 @@ static int chk_sasl(
 static int chk_kerberos(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        unsigned int i;
        int rtn;
@@ -909,7 +921,8 @@ static int chk_kerberos(
 static int chk_crypt(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        char *cr;
        unsigned int i;
@@ -952,7 +965,8 @@ static int chk_crypt(
 static int chk_unix(
        const struct berval *sc,
        const struct berval * passwd,
-       const struct berval * cred )
+       const struct berval * cred,
+       const char **text )
 {
        unsigned int i;
        char *pw,*cr;
@@ -1027,7 +1041,8 @@ static int chk_unix(
 #ifdef LUTIL_SHA1_BYTES
 static struct berval *hash_ssha1(
        const struct berval *scheme,
-       const struct berval  *passwd )
+       const struct berval  *passwd,
+       const char **text )
 {
        lutil_SHA1_CTX  SHA1context;
        unsigned char   SHA1digest[LUTIL_SHA1_BYTES];
@@ -1056,7 +1071,8 @@ static struct berval *hash_ssha1(
 
 static struct berval *hash_sha1(
        const struct berval *scheme,
-       const struct berval  *passwd )
+       const struct berval  *passwd,
+       const char **text )
 {
        lutil_SHA1_CTX  SHA1context;
        unsigned char   SHA1digest[LUTIL_SHA1_BYTES];
@@ -1075,7 +1091,8 @@ static struct berval *hash_sha1(
 
 static struct berval *hash_smd5(
        const struct berval *scheme,
-       const struct berval  *passwd )
+       const struct berval  *passwd,
+       const char **text )
 {
        lutil_MD5_CTX   MD5context;
        unsigned char   MD5digest[LUTIL_MD5_BYTES];
@@ -1104,7 +1121,8 @@ static struct berval *hash_smd5(
 
 static struct berval *hash_md5(
        const struct berval *scheme,
-       const struct berval  *passwd )
+       const struct berval  *passwd,
+       const char **text )
 {
        lutil_MD5_CTX   MD5context;
        unsigned char   MD5digest[LUTIL_MD5_BYTES];
@@ -1201,7 +1219,8 @@ static void lmPasswd_to_key(
 
 static struct berval *hash_lanman(
        const struct berval *scheme,
-       const struct berval *passwd )
+       const struct berval *passwd,
+       const char **text )
 {
 
        int i;
@@ -1249,7 +1268,8 @@ static struct berval *hash_lanman(
 #ifdef SLAPD_CRYPT
 static struct berval *hash_crypt(
        const struct berval *scheme,
-       const struct berval *passwd )
+       const struct berval *passwd,
+       const char **text )
 {
        struct berval hash;
        unsigned char salt[32]; /* salt suitable for most anything */
@@ -1310,7 +1330,8 @@ int lutil_salt_format(const char *format)
 #ifdef SLAPD_CLEARTEXT
 static struct berval *hash_clear(
        const struct berval *scheme,
-       const struct berval  *passwd )
+       const struct berval  *passwd,
+       const char **text )
 {
        return ber_bvdup( (struct berval *) passwd );
 }

diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c
index e9bc3bc5df697ab3dcedad82b604b2c83c9f45a5..0d8717c8134ce4e1186ece827630ebd4a5a3a2fc 100644 (file)
--- a/servers/slapd/back-bdb/bind.c
+++ b/servers/slapd/back-bdb/bind.c
@@ -192,7 +192,7 @@ dn2entry_retry:
                        goto done;
                }
 
-               if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) {
+               if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
                        rs->sr_err = LDAP_INVALID_CREDENTIALS;
                        send_ldap_result( op, rs );
                        goto done;

diff --git a/servers/slapd/back-bdb/passwd.c b/servers/slapd/back-bdb/passwd.c
index b644a1b5e0420c6d901a424eb8885aba3c97d735..95cbf9b14dcaa773478d003d4d291ce95b60b22d 100644 (file)
--- a/servers/slapd/back-bdb/passwd.c
+++ b/servers/slapd/back-bdb/passwd.c
@@ -65,10 +65,10 @@ bdb_exop_passwd( Operation *op, SlapReply *rs )
                rs->sr_rspdata = slap_passwd_return( &new );
        }
 
-       slap_passwd_hash( &new, &hash );
+       slap_passwd_hash( &new, &hash, &rs->sr_text );
 
        if( hash.bv_len == 0 ) {
-               rs->sr_text = "password hash failed";
+               if( !rs->sr_text ) rs->sr_text = "password hash failed";
                rc = LDAP_OTHER;
                goto done;
        }

diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c
index c7a57001ac3c653208bcd0fb97d2e77cf6b9ede0..cb2f341a82f692817e183bbe0e529dcd4d566e8a 100644 (file)
--- a/servers/slapd/back-ldbm/bind.c
+++ b/servers/slapd/back-ldbm/bind.c
@@ -152,7 +152,7 @@ ldbm_back_bind(
                        goto return_results;
                }
 
-               if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) {
+               if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
                        send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
                        /* stop front end from sending result */
                        rc = 1;

diff --git a/servers/slapd/back-ldbm/passwd.c b/servers/slapd/back-ldbm/passwd.c
index 34c5bb523bb429bf433081c377981dcd53886fac..8df10e7708ce5983ea3fd5119c2eb306bf119920 100644 (file)
--- a/servers/slapd/back-ldbm/passwd.c
+++ b/servers/slapd/back-ldbm/passwd.c
@@ -63,10 +63,10 @@ ldbm_back_exop_passwd(
                rs->sr_rspdata = slap_passwd_return( &new );
        }
 
-       slap_passwd_hash( &new, &hash );
+       slap_passwd_hash( &new, &hash, &rs->sr_text );
 
        if( hash.bv_len == 0 ) {
-               rs->sr_text = "password hash failed";
+               if( !rs->sr_text ) rs->sr_text = "password hash failed";
                rc = LDAP_OTHER;
                goto done;
        }

diff --git a/servers/slapd/back-sql/bind.c b/servers/slapd/back-sql/bind.c
index 74dd71a2d963d35428f820a4043009c01838cdf0..ce84c0ef27abc8906ab43c8bef1944036666511e 100644 (file)
--- a/servers/slapd/back-sql/bind.c
+++ b/servers/slapd/back-sql/bind.c
@@ -102,7 +102,7 @@ backsql_bind( Operation *op, SlapReply *rs )
                return 1;
        }
 
-       if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) {
+       if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
                rs->sr_err = LDAP_INVALID_CREDENTIALS;
                send_ldap_result( op, rs );
                return 1;

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 776342168475af0af8fdcfb6ceb415e1c84cc5e0..183337a25d5c601525f88285866125f15c3bc2f7 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -680,6 +680,7 @@ int
 be_isroot_pw( Operation *op )
 {
        int result;
+       char *errmsg;
 
        if ( ! be_isroot( op->o_bd, &op->o_req_ndn ) ) {
                return 0;
@@ -696,7 +697,7 @@ be_isroot_pw( Operation *op )
 #endif
 #endif
 
-       result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL );
+       result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
 
 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 #ifdef SLAPD_SPASSWD

diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 2eb9a96da15ce7be328c628354abdb385876cb5b..10854d5f1fe6edcfb760d0c00a2228d6a4945633 100644 (file)
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -250,7 +250,8 @@ int
 slap_passwd_check(
        Connection *conn,
        Attribute *a,
-       struct berval *cred )
+       struct berval *cred,
+       const char **text )
 {
        int result = 1;
        struct berval *bv;
@@ -263,7 +264,7 @@ slap_passwd_check(
 #endif
 
        for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
-               if( !lutil_passwd( bv, cred, NULL ) ) {
+               if( !lutil_passwd( bv, cred, NULL, text ) ) {
                        result = 0;
                        break;
                }
@@ -305,7 +306,8 @@ slap_passwd_generate( struct berval *pass )
 void
 slap_passwd_hash(
        struct berval * cred,
-       struct berval * new )
+       struct berval * new,
+       const char **text )
 {
        struct berval *tmp;
 #ifdef LUTIL_SHA1_BYTES
@@ -319,7 +321,7 @@ slap_passwd_hash(
        ldap_pvt_thread_mutex_lock( &passwd_mutex );
 #endif
 
-       tmp = lutil_passwd_hash( cred , hash );
+       tmp = lutil_passwd_hash( cred , hash, text );
        
 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
        ldap_pvt_thread_mutex_unlock( &passwd_mutex );

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 220914d158b4817e8b3b7ed8ec863bf723725dee..0fc4866e5c281e24f5209b0764492610a9eee75a 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -744,13 +744,15 @@ LDAP_SLAPD_F (SLAP_EXTOP_MAIN_FN) passwd_extop;
 LDAP_SLAPD_F (int) slap_passwd_check(
        Connection                      *conn,
        Attribute                       *attr,
-       struct berval           *cred );
+       struct berval           *cred,
+       const char                      **text );
 
 LDAP_SLAPD_F (void) slap_passwd_generate( struct berval * );
 
 LDAP_SLAPD_F (void) slap_passwd_hash(
        struct berval           *cred,
-       struct berval           *hash );
+       struct berval           *hash,
+       const char              **text );
 
 LDAP_SLAPD_F (struct berval *) slap_passwd_return(
        struct berval           *cred );

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 4390fdcfea9b9ba4225b7140c838174513c66118..789786f3698b7b61ae23a5a9045378ec6088433a 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -502,7 +502,7 @@ sasl_cb_checkpass( Operation *op, SlapReply *rs )
                NULL, ACL_AUTH, NULL ) ) return 0;
 
        for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
-               if ( !lutil_passwd( bv, &ci->cred, NULL ) ) {
+               if ( !lutil_passwd( bv, &ci->cred, NULL, &rs->sr_text ) ) {
                        ci->rc = SASL_OK;
                        break;
                }

diff --git a/servers/slapd/tools/slappasswd.c b/servers/slapd/tools/slappasswd.c
index c183068b3034aa9545531304e2b0bf4849702c6a..515436f1a27d1c6a2386e0a852a94a62fe5a938a 100644 (file)
--- a/servers/slapd/tools/slappasswd.c
+++ b/servers/slapd/tools/slappasswd.c
@@ -46,6 +46,7 @@ main( int argc, char *argv[] )
        char    *scheme = "{SSHA}";
        char    *newpw = NULL;
        char    *pwfile = NULL;
+       const char *text;
 
        int             i;
        struct berval passwd;
@@ -115,15 +116,17 @@ main( int argc, char *argv[] )
                passwd.bv_len = strlen(passwd.bv_val);
        }
 
-       hash = lutil_passwd_hash( &passwd, scheme );
+       hash = lutil_passwd_hash( &passwd, scheme, &text );
 
        if( hash == NULL || hash->bv_val == NULL ) {
-               fprintf( stderr, "Password generation failed.\n");
+               fprintf( stderr, "Password generation failed. %s\n",
+                       text ? text : "" );
                return EXIT_FAILURE;
        }
 
-       if( lutil_passwd( hash, &passwd, NULL ) ) {
-               fprintf( stderr, "Password verification failed.\n");
+       if( lutil_passwd( hash, &passwd, NULL, &text ) ) {
+               fprintf( stderr, "Password verification failed. %s\n",
+                       text ? text : "" );
                return EXIT_FAILURE;
        }