From: Howard Chu Date: Sun, 25 Jan 2004 13:07:52 +0000 (+0000) Subject: Copied unsupported password mechanisms to here. Move more as necessary. X-Git-Tag: OPENLDAP_REL_ENG_2_2_BP~445 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9f3d15efb7c93b8e3593b07addd697968a4c8609;p=openldap Copied unsupported password mechanisms to here. Move more as necessary.
---
diff --git a/contrib/slapd-modules/passwd/README b/contrib/slapd-modules/passwd/README
new file mode 100644
index 0000000000..55198ff561
--- /dev/null
+++ b/contrib/slapd-modules/passwd/README
@@ -0,0 +1,34 @@
+Copyright 2004 The OpenLDAP Foundation. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted only as authorized by the OpenLDAP
+Public License.
+
+This directory contains native slapd plugins for password mechanisms that
+are not actively supported by the project. Currently this includes the
+Kerberos and Netscape MTA-MD5 password mechanisms.
+
+To use the Kerberos plugin, add:
+
+moduleload pw-kerberos.so
+
+to your slapd configuration file.
+
+To use the Netscape plugin, add:
+
+moduleload pw-netscape.so
+
+to your slapd configuration file.
+
+No Makefile is provided. Use a command line similar to:
+
+gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c
+
+to compile the Kerberos plugin. Replace HAVE_KRB5 with HAVE_KRB4 if you want
+to use Kerberos IV. If your Kerberos header files are not in the C compiler's
+default path, you will need to add a "-I" directive for that as well.
+
+The corresponding command for the Netscape plugin would be:
+
+gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c
+
diff --git a/contrib/slapd-modules/passwd/kerberos.c b/contrib/slapd-modules/passwd/kerberos.c
new file mode 100644
index 0000000000..95250c6dba
--- /dev/null
+++ b/contrib/slapd-modules/passwd/kerberos.c
@@ -0,0 +1,208 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2004 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+
+#include
+#include
+
+#include
+#include /* BER_BVC definition */
+#include "lutil.h"
+
+#ifdef HAVE_KRB5
+#include
+#elif defined(HAVE_KRB4)
+#include
+#endif
+
+/* From */
+LDAP_F( char *) ldap_pvt_get_fqdn LDAP_P(( char * ));
+
+static LUTIL_PASSWD_CHK_FUNC chk_kerberos;
+static const struct berval scheme = BER_BVC("{KERBEROS}");
+
+static int chk_kerberos(
+ const struct berval *sc,
+ const struct berval * passwd,
+ const struct berval * cred,
+ const char **text )
+{
+ unsigned int i;
+ int rtn;
+
+ for( i=0; ibv_len; i++) {
+ if(cred->bv_val[i] == '\0') {
+ return 1; /* NUL character in password */
+ }
+ }
+
+ if( cred->bv_val[i] != '\0' ) {
+ return 1; /* cred must behave like a string */
+ }
+
+ for( i=0; ibv_len; i++) {
+ if(passwd->bv_val[i] == '\0') {
+ return 1; /* NUL character in password */
+ }
+ }
+
+ if( passwd->bv_val[i] != '\0' ) {
+ return 1; /* passwd must behave like a string */
+ }
+
+ rtn = 1;
+
+#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */
+ {
+/* Portions:
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_creds creds;
+ krb5_get_init_creds_opt get_options;
+ krb5_verify_init_creds_opt verify_options;
+ krb5_principal client, server;
+#ifdef notdef
+ krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+#endif
+
+ ret = krb5_init_context( &context );
+ if (ret) {
+ return 1;
+ }
+
+#ifdef notdef
+ krb5_get_init_creds_opt_set_preauth_list(&get_options,
+ pre_auth_types, 1);
+#endif
+
+ krb5_get_init_creds_opt_init( &get_options );
+
+ krb5_verify_init_creds_opt_init( &verify_options );
+
+ ret = krb5_parse_name( context, passwd->bv_val, &client );
+
+ if (ret) {
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_get_init_creds_password( context,
+ &creds, client, cred->bv_val, NULL,
+ NULL, 0, NULL, &get_options );
+
+ if (ret) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ {
+ char *host = ldap_pvt_get_fqdn( NULL );
+
+ if( host == NULL ) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_sname_to_principal( context,
+ host, "ldap", KRB5_NT_SRV_HST, &server );
+
+ ber_memfree( host );
+ }
+
+ if (ret) {
+ krb5_free_principal( context, client );
+ krb5_free_context( context );
+ return 1;
+ }
+
+ ret = krb5_verify_init_creds( context,
+ &creds, server, NULL, NULL, &verify_options );
+
+ krb5_free_principal( context, client );
+ krb5_free_principal( context, server );
+ krb5_free_cred_contents( context, &creds );
+ krb5_free_context( context );
+
+ rtn = !!ret;
+ }
+#elif defined(HAVE_KRB4)
+ {
+ /* Borrowed from Heimdal kpopper */
+/* Portions:
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved. The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+ int status;
+ char lrealm[REALM_SZ];
+ char tkt[MAXHOSTNAMELEN];
+
+ status = krb_get_lrealm(lrealm,1);
+ if (status == KFAILURE) {
+ return 1;
+ }
+
+ snprintf(tkt, sizeof(tkt), "%s_slapd.%u",
+ TKT_ROOT, (unsigned)getpid());
+ krb_set_tkt_string (tkt);
+
+ status = krb_verify_user( passwd->bv_val, "", lrealm,
+ cred->bv_val, 1, "ldap");
+
+ dest_tkt(); /* no point in keeping the tickets */
+
+ return status == KFAILURE;
+ }
+#endif
+
+ return rtn;
+}
+
+int init_module(int argc, char *argv[]) {
+ return lutil_passwd_add( (struct berval *)&scheme, chk_kerberos, NULL );
+}
diff --git a/contrib/slapd-modules/passwd/netscape.c b/contrib/slapd-modules/passwd/netscape.c
new file mode 100644
index 0000000000..3c7d9515a4
--- /dev/null
+++ b/contrib/slapd-modules/passwd/netscape.c
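Review bot: In the HAVE_KRB4 branch, `return status == KFAILURE;` reports a failed check only for that single error code; if krb_verify_user() signals a wrong password or an unreachable KDC with any other non-zero Kerberos error, the function returns 0 and the bind is accepted, so it should fail closed the way the KRB5 branch's `rtn = !!ret;` does, e.g. `return status != KSUCCESS;`. In the HAVE_KRB5 branch, the two error exits reached after krb5_get_init_creds_password() has succeeded (the `host == NULL` exit and the `if (ret)` following krb5_sname_to_principal()) free `client` and `context` but never call `krb5_free_cred_contents( context, &creds );`, leaking the obtained credentials on every such failed check. krb5_verify_init_creds() is invoked with a default-initialised `verify_options`; depending on the library default, the AP-REQ verification that protects this password check against a spoofed KDC may be skipped when no key for the ldap service is present in the keytab, so consider `krb5_verify_init_creds_opt_set_ap_req_nofail( &verify_options, 1 );` after the opt_init call, or at least a comment stating that the deployment relies on the krb5.conf setting. Finally, the `#ifdef notdef` krb5_get_init_creds_opt_set_preauth_list() call precedes krb5_get_init_creds_opt_init(), which would wipe it if the block were ever re-enabled.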
@@ -0,0 +1,80 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2004 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+
+#include
+#include
+
+#include
+#include
+#include "lutil.h"
+#include "lutil_md5.h"
+
+static LUTIL_PASSWD_CHK_FUNC chk_ns_mta_md5;
+static const struct berval scheme = BER_BVC("{NS-MTA-MD5}");
+
+#define NS_MTA_MD5_PASSLEN 64
+static int chk_ns_mta_md5(
+ const struct berval *scheme,
+ const struct berval *passwd,
+ const struct berval *cred,
+ const char **text )
+{
+ lutil_MD5_CTX MD5context;
+ unsigned char MD5digest[LUTIL_MD5_BYTES], c;
+ char buffer[LUTIL_MD5_BYTES*2];
+ int i;
+
+ if( passwd->bv_len != NS_MTA_MD5_PASSLEN ) {
+ return 1;
+ }
+
+ /* hash credentials with salt */
+ lutil_MD5Init(&MD5context);
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &passwd->bv_val[32],
+ 32 );
+
+ c = 0x59;
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &c,
+ 1 );
+
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) cred->bv_val,
+ cred->bv_len );
+
+ c = 0xF7;
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &c,
+ 1 );
+
+ lutil_MD5Update(&MD5context,
+ (const unsigned char *) &passwd->bv_val[32],
+ 32 );
+
+ lutil_MD5Final(MD5digest, &MD5context);
+
+ for( i=0; i < sizeof( MD5digest ); i++ ) {
+ buffer[i+i] = "0123456789abcdef"[(MD5digest[i]>>4) & 0x0F];
+ buffer[i+i+1] = "0123456789abcdef"[ MD5digest[i] & 0x0F];
+ }
+
+ /* compare */
+ return memcmp((char *)passwd->bv_val,
+ (char *)buffer, sizeof(buffer)) ? 1 : 0;
+}
+
+int init_module(int argc, char *argv[]) {
+ return lutil_passwd_add( (struct berval *)&scheme, chk_ns_mta_md5, NULL );
+}
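Review bot: The final `memcmp((char *)passwd->bv_val, (char *)buffer, sizeof(buffer))` in chk_ns_mta_md5() stops at the first differing byte in typical libc implementations, so the time a rejected bind takes varies with how many leading hex digits of the computed digest match the stored one; a password verifier should compare all 32 bytes unconditionally, e.g. `int diff = 0; for( i=0; i < (int)sizeof(buffer); i++ ) diff |= passwd->bv_val[i] ^ buffer[i]; return diff ? 1 : 0;`. The layout of the stored value is only implied by the offsets used, so a comment above the length check such as `/* stored form: 32 hex chars of MD5 digest followed by a 32-byte salt, NS_MTA_MD5_PASSLEN bytes total */` would help, as would a comment noting that `0x59` and `0xF7` are fixed constants of the scheme rather than values derived from the input. Also, `int i` is compared against `sizeof( MD5digest )`, mixing signed and unsigned; declaring it `size_t i` avoids the -Wsign-compare warning.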