From 7e2273b30efa1e774f9fda146caf9969566a5b96 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Wed, 30 Apr 2003 07:52:05 +0000 Subject: [PATCH] Added errmsg arg to lutil_passwd_{check,hash} functions --- include/lutil.h | 12 ++++-- libraries/liblutil/passwd.c | 67 +++++++++++++++++++++----------- servers/slapd/back-bdb/bind.c | 2 +- servers/slapd/back-bdb/passwd.c | 4 +- servers/slapd/back-ldbm/bind.c | 2 +- servers/slapd/back-ldbm/passwd.c | 4 +- servers/slapd/back-sql/bind.c | 2 +- servers/slapd/backend.c | 3 +- servers/slapd/passwd.c | 10 +++-- servers/slapd/proto-slap.h | 6 ++- servers/slapd/sasl.c | 2 +- servers/slapd/tools/slappasswd.c | 11 ++++-- 12 files changed, 79 insertions(+), 46 deletions(-) diff --git a/include/lutil.h b/include/lutil.h index 72a7225098..4cba4df7e2 100644 --- a/include/lutil.h +++ b/include/lutil.h @@ -70,11 +70,13 @@ struct lutil_pw_scheme; typedef int (LUTIL_PASSWD_CHK_FUNC)( const struct berval *scheme, const struct berval *passwd, - const struct berval *cred ); + const struct berval *cred, + const char **text ); typedef struct berval * (LUTIL_PASSWD_HASH_FUNC) ( const struct berval *scheme, - const struct berval *passwd ); + const struct berval *passwd, + const char **text ); LDAP_LUTIL_F( int ) lutil_passwd_add LDAP_P(( @@ -110,7 +112,8 @@ LDAP_LUTIL_F( int ) lutil_passwd LDAP_P(( const struct berval *passwd, /* stored password */ const struct berval *cred, /* user supplied value */ - const char **methods )); + const char **methods, + const char **text )); /* error message */ LDAP_LUTIL_F( struct berval * ) lutil_passwd_generate LDAP_P(( ber_len_t )); @@ -118,7 +121,8 @@ lutil_passwd_generate LDAP_P(( ber_len_t )); LDAP_LUTIL_F( struct berval * ) lutil_passwd_hash LDAP_P(( const struct berval *passwd, - const char *method )); + const char *method, + const char **text )); LDAP_LUTIL_F( int ) lutil_passwd_scheme LDAP_P(( diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index 8cd6b1af48..70009e0771 100644 
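Review bot: The new `text` parameter on LUTIL_PASSWD_CHK_FUNC, LUTIL_PASSWD_HASH_FUNC and lutil_passwd_hash is undocumented, and even the `/* error message */` added to lutil_passwd does not say whether the pointer may be NULL or who owns the string it receives. The implementation in libraries/liblutil/passwd.c guards every write with `if ( text )`, so NULL is accepted, and the only writer visible in this patch stores a pointer it did not allocate, so presumably the caller must not free it — worth confirming and stating. I would change the two prototypes to `const char **text )); /* optional error message; may be NULL; the string is not owned by the caller */`, put the same remark on the two typedefs, and mirror it on slap_passwd_check and slap_passwd_hash in servers/slapd/proto-slap.h.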
--- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -288,10 +288,13 @@ int lutil_passwd( const struct berval *passwd, /* stored passwd */ const struct berval *cred, /* user cred */ - const char **schemes ) + const char **schemes, + const char **text ) { struct pw_slist *pws; + if ( text ) *text = NULL; + if (cred == NULL || cred->bv_len == 0 || passwd == NULL || passwd->bv_len == 0 ) { @@ -307,7 +310,7 @@ lutil_passwd( passwd, &x, schemes ); if( p != NULL ) { - return (pws->s.chk_fn)( &(pws->s.name), p, cred ); + return (pws->s.chk_fn)( &(pws->s.name), p, cred, text ); } } } @@ -357,14 +360,16 @@ struct berval * lutil_passwd_generate( ber_len_t len ) struct berval * lutil_passwd_hash( const struct berval * passwd, - const char * method ) + const char * method, + const char **text ) { const struct pw_scheme *sc = get_scheme( method ); + if( text ) *text = NULL; if( sc == NULL ) return NULL; if( ! sc->hash_fn ) return NULL; - return (sc->hash_fn)( &sc->name, passwd ); + return (sc->hash_fn)( &sc->name, passwd, text ); } /* pw_string is only called when SLAPD_LMHASH or SLAPD_CRYPT is defined */ @@ -459,7 +464,8 @@ static struct berval * pw_string64( static int chk_ssha1( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[LUTIL_SHA1_BYTES]; @@ -502,7 +508,8 @@ static int chk_ssha1( static int chk_sha1( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[LUTIL_SHA1_BYTES]; @@ -538,7 +545,8 @@ static int chk_sha1( static int chk_smd5( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[LUTIL_MD5_BYTES]; 
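Review bot: In the lutil_passwd_hash hunk the two failure returns that follow `if( text ) *text = NULL;` leave the message empty, so an unknown scheme or a scheme without a hash_fn reaches slappasswd as "Password generation failed. " with no detail, and the backends fall back to their generic "password hash failed". The function now has a channel for the reason, so use it on those paths: `if( sc == NULL ) { if( text ) *text = "unsupported password scheme"; return NULL; }` and `if( ! sc->hash_fn ) { if( text ) *text = "scheme does not support hashing"; return NULL; }`. As far as the callers in this patch show, the scheme name appears to come from the server configuration or the slappasswd command line rather than from an LDAP client, so a descriptive message here does not expose anything to remote callers.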
@@ -582,7 +590,8 @@ static int chk_smd5( static int chk_md5( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[LUTIL_MD5_BYTES]; @@ -618,7 +627,8 @@ static int chk_md5( static int chk_lanman( const struct berval *scheme, const struct berval *passwd, - const struct berval *cred ) + const struct berval *cred, + const char **text ) { struct berval *hash; @@ -631,7 +641,8 @@ static int chk_lanman( static int chk_ns_mta_md5( const struct berval *scheme, const struct berval *passwd, - const struct berval *cred ) + const struct berval *cred, + const char **text ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[LUTIL_MD5_BYTES], c; @@ -683,7 +694,8 @@ sasl_conn_t *lutil_passwd_sasl_conn = NULL; static int chk_sasl( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { unsigned int i; int rtn; @@ -714,11 +726,10 @@ static int chk_sasl( if( lutil_passwd_sasl_conn != NULL ) { int sc; # if SASL_VERSION_MAJOR < 2 - const char *errstr = NULL; sc = sasl_checkpass( lutil_passwd_sasl_conn, passwd->bv_val, passwd->bv_len, cred->bv_val, cred->bv_len, - &errstr ); + text ); # else sc = sasl_checkpass( lutil_passwd_sasl_conn, passwd->bv_val, passwd->bv_len, @@ -736,7 +747,8 @@ static int chk_sasl( static int chk_kerberos( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { unsigned int i; int rtn; @@ -909,7 +921,8 @@ static int chk_kerberos( static int chk_crypt( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { char *cr; unsigned int i; 
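Review bot: In the chk_sasl hunk the SASL_VERSION_MAJOR < 2 branch now hands `text` straight to sasl_checkpass where the removed code always passed a local `&errstr`; `text` can be NULL, since be_isroot_pw in servers/slapd/backend.c calls lutil_passwd with NULL and lutil_passwd only guards its own write with `if ( text )` before forwarding the pointer to chk_fn. Unless sasl_checkpass is known to tolerate a NULL errstr, that is a null dereference inside the library on the root-password bind path. Keep the local and copy it out: `const char *errstr = NULL;` before the call, `&errstr );` as the last argument, and `if( text ) *text = errstr;` after it. The rest of chk_sasl, including the `# else` branch, lies outside this hunk.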
@@ -952,7 +965,8 @@ static int chk_crypt( static int chk_unix( const struct berval *sc, const struct berval * passwd, - const struct berval * cred ) + const struct berval * cred, + const char **text ) { unsigned int i; char *pw,*cr; @@ -1027,7 +1041,8 @@ static int chk_unix( #ifdef LUTIL_SHA1_BYTES static struct berval *hash_ssha1( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[LUTIL_SHA1_BYTES]; @@ -1056,7 +1071,8 @@ static struct berval *hash_ssha1( static struct berval *hash_sha1( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[LUTIL_SHA1_BYTES]; @@ -1075,7 +1091,8 @@ static struct berval *hash_sha1( static struct berval *hash_smd5( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[LUTIL_MD5_BYTES]; @@ -1104,7 +1121,8 @@ static struct berval *hash_smd5( static struct berval *hash_md5( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[LUTIL_MD5_BYTES]; @@ -1201,7 +1219,8 @@ static void lmPasswd_to_key( static struct berval *hash_lanman( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { int i; @@ -1249,7 +1268,8 @@ static struct berval *hash_lanman( #ifdef SLAPD_CRYPT static struct berval *hash_crypt( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { struct berval hash; unsigned char salt[32]; /* salt suitable for most anything */ 
@@ -1310,7 +1330,8 @@ int lutil_salt_format(const char *format) #ifdef SLAPD_CLEARTEXT static struct berval *hash_clear( const struct berval *scheme, - const struct berval *passwd ) + const struct berval *passwd, + const char **text ) { return ber_bvdup( (struct berval *) passwd ); } diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c index e9bc3bc5df..0d8717c813 100644 --- a/servers/slapd/back-bdb/bind.c +++ b/servers/slapd/back-bdb/bind.c @@ -192,7 +192,7 @@ dn2entry_retry: goto done; } - if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) { + if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; send_ldap_result( op, rs ); goto done; diff --git a/servers/slapd/back-bdb/passwd.c b/servers/slapd/back-bdb/passwd.c index b644a1b5e0..95cbf9b14d 100644 --- a/servers/slapd/back-bdb/passwd.c +++ b/servers/slapd/back-bdb/passwd.c @@ -65,10 +65,10 @@ bdb_exop_passwd( Operation *op, SlapReply *rs ) rs->sr_rspdata = slap_passwd_return( &new ); } - slap_passwd_hash( &new, &hash ); + slap_passwd_hash( &new, &hash, &rs->sr_text ); if( hash.bv_len == 0 ) { - rs->sr_text = "password hash failed"; + if( !rs->sr_text ) rs->sr_text = "password hash failed"; rc = LDAP_OTHER; goto done; } diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c index c7a57001ac..cb2f341a82 100644 --- a/servers/slapd/back-ldbm/bind.c +++ b/servers/slapd/back-ldbm/bind.c @@ -152,7 +152,7 @@ ldbm_back_bind( goto return_results; } - if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) { + if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL ); /* stop front end from sending result */ rc = 1; diff --git a/servers/slapd/back-ldbm/passwd.c b/servers/slapd/back-ldbm/passwd.c index 34c5bb523b..8df10e7708 100644 --- a/servers/slapd/back-ldbm/passwd.c 
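Review bot: Passing `&rs->sr_text` to slap_passwd_check in back-bdb/bind.c (and likewise in back-ldbm/bind.c, back-sql/bind.c and the lutil_passwd call in sasl.c) returns whatever a scheme's check function wrote to the client as the diagnostic message of the LDAP_INVALID_CREDENTIALS result. The only writer visible in this patch is chk_sasl, which forwards the errstr from sasl_checkpass, a string the server does not control and which may describe the stored secret rather than the supplied one, so a failed bind could tell a remote caller more than the result code does today. Capture the message in a local instead, `const char *text = NULL;` and `&text` in the call, and record it in the server log rather than in `rs->sr_text`, leaving the bind response with no diagnostic on failure.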
+++ b/servers/slapd/back-ldbm/passwd.c @@ -63,10 +63,10 @@ ldbm_back_exop_passwd( rs->sr_rspdata = slap_passwd_return( &new ); } - slap_passwd_hash( &new, &hash ); + slap_passwd_hash( &new, &hash, &rs->sr_text ); if( hash.bv_len == 0 ) { - rs->sr_text = "password hash failed"; + if( !rs->sr_text ) rs->sr_text = "password hash failed"; rc = LDAP_OTHER; goto done; } diff --git a/servers/slapd/back-sql/bind.c b/servers/slapd/back-sql/bind.c index 74dd71a2d9..ce84c0ef27 100644 --- a/servers/slapd/back-sql/bind.c +++ b/servers/slapd/back-sql/bind.c @@ -102,7 +102,7 @@ backsql_bind( Operation *op, SlapReply *rs ) return 1; } - if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) { + if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) { rs->sr_err = LDAP_INVALID_CREDENTIALS; send_ldap_result( op, rs ); return 1; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 7763421684..183337a25d 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -680,6 +680,7 @@ int be_isroot_pw( Operation *op ) { int result; + char *errmsg; if ( ! be_isroot( op->o_bd, &op->o_req_ndn ) ) { return 0; @@ -696,7 +697,7 @@ be_isroot_pw( Operation *op ) #endif #endif - result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL ); + result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL ); #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) #ifdef SLAPD_SPASSWD diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index 2eb9a96da1..10854d5f1f 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -250,7 +250,8 @@ int slap_passwd_check( Connection *conn, Attribute *a, - struct berval *cred ) + struct berval *cred, + const char **text ) { int result = 1; struct berval *bv; @@ -263,7 +264,7 @@ slap_passwd_check( #endif for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { - if( !lutil_passwd( bv, cred, NULL ) ) { + if( !lutil_passwd( bv, cred, NULL, text ) ) { result = 0; break; } 
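Review bot: In the first be_isroot_pw hunk the added `char *errmsg;` is never used — the lutil_passwd call in the second hunk passes `NULL, NULL` — so it is an unused, uninitialized local that `-Wall` will warn about. Either drop the declaration, or if the intent was to capture the message declare it as `const char *errmsg = NULL;` and pass `&errmsg` as the last argument (a `char **` would not convert to the `const char **` parameter cleanly). The remainder of be_isroot_pw lies outside both hunks.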
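Review bot: In the slap_passwd_check hunk lutil_passwd clears `*text` at entry on every call, so when the attribute holds several values only the message from the last value tried survives the loop and a message from a value that failed earlier is lost. That may be acceptable, but it is not obvious from the call site; a comment such as `/* lutil_passwd resets *text on each call: only the last value's message survives */` above the `for` would save the next reader a trip into liblutil. slap_passwd_check's body continues outside the hunk.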
@@ -305,7 +306,8 @@ slap_passwd_generate( struct berval *pass ) void slap_passwd_hash( struct berval * cred, - struct berval * new ) + struct berval * new, + const char **text ) { struct berval *tmp; #ifdef LUTIL_SHA1_BYTES @@ -319,7 +321,7 @@ slap_passwd_hash( ldap_pvt_thread_mutex_lock( &passwd_mutex ); #endif - tmp = lutil_passwd_hash( cred , hash ); + tmp = lutil_passwd_hash( cred , hash, text ); #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD ) ldap_pvt_thread_mutex_unlock( &passwd_mutex ); diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 220914d158..0fc4866e5c 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -744,13 +744,15 @@ LDAP_SLAPD_F (SLAP_EXTOP_MAIN_FN) passwd_extop; LDAP_SLAPD_F (int) slap_passwd_check( Connection *conn, Attribute *attr, - struct berval *cred ); + struct berval *cred, + const char **text ); LDAP_SLAPD_F (void) slap_passwd_generate( struct berval * ); LDAP_SLAPD_F (void) slap_passwd_hash( struct berval *cred, - struct berval *hash ); + struct berval *hash, + const char **text ); LDAP_SLAPD_F (struct berval *) slap_passwd_return( struct berval *cred ); diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 4390fdcfea..789786f369 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -502,7 +502,7 @@ sasl_cb_checkpass( Operation *op, SlapReply *rs ) NULL, ACL_AUTH, NULL ) ) return 0; for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { - if ( !lutil_passwd( bv, &ci->cred, NULL ) ) { + if ( !lutil_passwd( bv, &ci->cred, NULL, &rs->sr_text ) ) { ci->rc = SASL_OK; break; } diff --git a/servers/slapd/tools/slappasswd.c b/servers/slapd/tools/slappasswd.c index c183068b30..515436f1a2 100644 --- a/servers/slapd/tools/slappasswd.c +++ b/servers/slapd/tools/slappasswd.c @@ -46,6 +46,7 @@ main( int argc, char *argv[] ) char *scheme = "{SSHA}"; char *newpw = NULL; char *pwfile = NULL; + const char *text; int i; struct berval passwd; 
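Review bot: In the slappasswd main hunk the new `const char *text;` is the only local in that group left uninitialized, while `newpw` and `pwfile` beside it are set to NULL. It is safe today only because lutil_passwd_hash and lutil_passwd both write `*text = NULL` before anything else; initialize it at the declaration, `const char *text = NULL;`, so the later `text ? text : ""` reads do not depend on that ordering.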
@@ -115,15 +116,17 @@ main( int argc, char *argv[] ) passwd.bv_len = strlen(passwd.bv_val); } - hash = lutil_passwd_hash( &passwd, scheme ); + hash = lutil_passwd_hash( &passwd, scheme, &text ); if( hash == NULL || hash->bv_val == NULL ) { - fprintf( stderr, "Password generation failed.\n"); + fprintf( stderr, "Password generation failed. %s\n", + text ? text : "" ); return EXIT_FAILURE; } - if( lutil_passwd( hash, &passwd, NULL ) ) { - fprintf( stderr, "Password verification failed.\n"); + if( lutil_passwd( hash, &passwd, NULL, &text ) ) { + fprintf( stderr, "Password verification failed. %s\n", + text ? text : "" ); return EXIT_FAILURE; } -- 2.39.5
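Review bot: Both fprintf calls in this hunk use the format `"... failed. %s\n"`, which leaves a trailing space after the period whenever `text` is NULL, the usual case for schemes that never set a message. A small reshuffle avoids it: `fprintf( stderr, "Password generation failed.%s%s\n", text ? " " : "", text ? text : "" );`, and the same shape for the verification message.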