From 802ee714e40372d4adcd394739959d2f362cf689 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 25 Apr 2000 13:28:03 +0000 Subject: [PATCH] Framework for authpasswd. Needs work. Behind #ifdef --- include/lutil.h | 13 + libraries/libavl/libavl.dsp | 4 + libraries/libldbm/libldbm.dsp | 4 + libraries/libldif/libldif.dsp | 4 + libraries/liblutil/authpasswd.c | 929 ++++++++++++++++++++++++++++++++ libraries/liblutil/liblutil.dsp | 8 + libraries/liblutil/passwd.c | 55 +- libraries/liblutil/ptest.c | 56 +- 8 files changed, 1041 insertions(+), 32 deletions(-) create mode 100644 libraries/liblutil/authpasswd.c diff --git a/include/lutil.h b/include/lutil.h index 230167b876..ff953206a2 100644 --- a/include/lutil.h +++ b/include/lutil.h @@ -58,6 +58,19 @@ lutil_entropy LDAP_P(( /* passwd.c */ struct berval; /* avoid pulling in lber.h */ +LIBLUTIL_F( int ) +lutil_authpasswd LDAP_P(( + const struct berval *passwd, /* stored password */ + const struct berval *cred, /* user supplied value */ + const char **methods )); + +LIBLUTIL_F( int ) +lutil_authpasswd_hash LDAP_P(( + const struct berval *cred, + struct berval **passwd, /* password to store */ + struct berval **salt, /* salt to store */ + const char *method )); + LIBLUTIL_F( int ) lutil_passwd LDAP_P(( const struct berval *passwd, /* stored password */ diff --git a/libraries/libavl/libavl.dsp b/libraries/libavl/libavl.dsp index 58104966a1..c1077b59db 100644 --- a/libraries/libavl/libavl.dsp +++ b/libraries/libavl/libavl.dsp @@ -41,6 +41,7 @@ CPP=cl.exe # PROP Output_Dir "..\..\Release" # PROP Intermediate_Dir "..\..\Release\libavl" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe @@ -62,6 +63,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\Debug" # PROP Intermediate_Dir "..\..\Debug\libavl" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /Z7 /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -83,6 +85,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SDebug" # PROP Intermediate_Dir "..\..\SDebug\libavl" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -104,6 +107,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SRelease" # PROP Intermediate_Dir "..\..\SRelease\libavl" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe diff --git a/libraries/libldbm/libldbm.dsp b/libraries/libldbm/libldbm.dsp index aafbb3850f..5c2a9e94d2 100644 --- a/libraries/libldbm/libldbm.dsp +++ b/libraries/libldbm/libldbm.dsp @@ -41,6 +41,7 @@ CPP=cl.exe # PROP Output_Dir "..\..\Release" # PROP Intermediate_Dir "..\..\Release\libldbm" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe @@ -62,6 +63,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\Debug" # PROP Intermediate_Dir "..\..\Debug\libldbm" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /Z7 /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -83,6 +85,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SDebug" # PROP Intermediate_Dir "..\..\SDebug\libldbm" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -104,6 +107,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SRelease" # PROP Intermediate_Dir "..\..\SRelease\libldbm" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe diff --git a/libraries/libldif/libldif.dsp b/libraries/libldif/libldif.dsp index aea1eeca49..112f5658f1 100644 --- a/libraries/libldif/libldif.dsp +++ b/libraries/libldif/libldif.dsp @@ -41,6 +41,7 @@ CPP=cl.exe # PROP Output_Dir "..\..\Release" # PROP Intermediate_Dir "..\..\Release\libldif" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe @@ -62,6 +63,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\Debug" # PROP Intermediate_Dir "..\..\Debug\libldif" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /Z7 /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -83,6 +85,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SDebug" # PROP Intermediate_Dir "..\..\SDebug\libldif" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -104,6 +107,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SRelease" # PROP Intermediate_Dir "..\..\SRelease\libldif" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe diff --git a/libraries/liblutil/authpasswd.c b/libraries/liblutil/authpasswd.c new file mode 100644 index 0000000000..fafd56549c --- /dev/null +++ b/libraries/liblutil/authpasswd.c @@ -0,0 +1,929 @@ +/* $OpenLDAP$ */ +/* + * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ +/* + * lutil_authpassword(authpasswd, cred) + * + * Returns true if user supplied credentials (cred) matches + * the stored authentication password (authpasswd). + * + * Due to the use of the crypt(3) function + * this routine is NOT thread-safe. + */ + +#include "portable.h" + +#include +#include +#include + +#ifdef SLAPD_KPASSWD +# include +# include +#endif + +#include + +#include +#include + +#ifdef HAVE_SHADOW_H +# include +#endif +#ifdef HAVE_PWD_H +# include +#endif + +#include + +#include "lutil_md5.h" +#include "lutil_sha1.h" +#include "lutil.h" + +static const unsigned char crypt64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./"; + +struct pw_scheme; + +typedef int (*PASSWD_CHK_FUNC)( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *salt, + const struct berval *cred ); + +typedef int (*PASSWD_HASH_FUNC) ( + const struct pw_scheme *scheme, + const struct berval *cred, + const struct berval *salt, + struct berval **passwd_out, + struct berval **salt_out ); + +/* password check routines */ +static int chk_md5( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *salt, + const struct berval *cred ); + +static int chk_sha1( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *salt, + const struct berval *cred ); + +static int chk_crypt( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *salt, + const struct berval *cred ); + +static int chk_ext( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *salt, + const struct berval *cred ); + +static int chk_ext_kerberos( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *cred ); + +static int chk_ext_unix( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *cred ); + + +/* password hash routines */ +static int *hash_sha1( + const struct pw_scheme *scheme, + const struct berval *cred, + const struct berval *salt, + struct berval **passwd_out, + struct berval **salt_out ); + +static int *hash_md5( + const struct pw_scheme *scheme, + const struct berval *cred, + const struct berval *salt, + struct berval **passwd_out, + struct berval **salt_out ); + +static int *hash_crypt( + const struct pw_scheme *scheme, + const struct berval *cred, + const struct berval *salt, + struct berval **passwd_out, + struct berval **salt_out ); + + +struct pw_scheme { + struct berval name; + PASSWD_CHK_FUNC chk_fn; + PASSWD_HASH_FUNC hash_fn; + int saltbytes; +}; + +static const struct pw_scheme pw_schemes[] = +{ + { {sizeof("SHA1")-1, "SHA1"}, chk_sha1, 0 /* hash_sha1 */, 4 }, + { {sizeof("MD5")-1, "MD5"}, chk_md5, 0 /* hash_md5 */, 4 }, + +#ifdef SLAPD_CRYPT + { {sizeof("CRYPT")-1, "CRYPT"}, chk_crypt, hash_crypt, 2 }, +#endif + +#ifdef EXT_PASSWD + { {sizeof("EXTERNAL")-1, "EXTERNAL"}, chk_ext, NULL, 0 }, +#endif + + { {0, NULL}, NULL, NULL, 0 } +}; + +#ifdef EXT_PASSWD +struct ext_scheme { + struct berval name; + EXT_CHK_FUNC chk_fn; +}; + +static const struct ext_scheme ext_schemes[] = +{ + { {0, NULL}, NULL, NULL, 0 } +}; +#endif + +static const struct pw_scheme *get_scheme( + const char *scheme ) +{ + int i; + + if( scheme == NULL || *scheme == '\0' ) return NULL; + + for( i=0; pw_schemes[i].name.bv_val; i++) { + if( pw_schemes[i].name.bv_len == 0 ) continue; + + if( strncasecmp( scheme, + pw_schemes[i].name.bv_val, + pw_schemes[i].name.bv_len) == 0 ) + { + return &pw_schemes[i]; + } + } + + return NULL; +} + +int lutil_authpasswd_scheme( + const char *scheme ) +{ + return get_scheme( scheme ) != NULL; +} + + +static int is_allowed_scheme( + const char* scheme, + const char** schemes ) +{ + int i; + + if( scheme == NULL || *scheme == '\0' ) return 1; + + for( i=0; schemes[i] != NULL; i++ ) { + if( strcasecmp( scheme, schemes[i] ) == 0 ) { + return 1; + } + } + return 0; +} + +static int parse_authpasswd( + char **scheme, + struct berval *salt, + struct berval *passwd ) +{ + *scheme = NULL; + return -1; +} + +/* + * Return 0 if creds are good. + */ +int +lutil_authpasswd( + const struct berval *value, /* stored authpasswd */ + const struct berval *cred, /* user cred */ + const char **schemes ) +{ + char *scheme; + struct berval salt, passwd; + const struct pw_scheme *pws; + int rc = -1; + + if (cred == NULL || cred->bv_len == 0 || + value == NULL || value->bv_len == 0 ) + { + return -1; + } + + rc = parse_authpasswd( &scheme, &salt, &passwd ); + + if( rc != 0 ) return -1; + + if( !is_allowed_scheme( scheme, schemes ) ) { + goto done; + } + + pws = get_scheme( scheme ); + + if( pws == NULL || !pws->chk_fn ) { + goto done; + }; + + rc = (pws->chk_fn)( pws, &salt, &passwd, cred ); + +done: + if( scheme != NULL ) { + ber_memfree( scheme ); + ber_memfree( salt.bv_val ); + ber_memfree( passwd.bv_val ); + } + + return rc ? -1 : 0; +} + +struct berval * lutil_authpasswd_generate( ber_len_t len ) +{ + struct berval *pw; + + if( len < 1 ) return NULL; + + pw = ber_memalloc( sizeof( struct berval ) ); + if( pw == NULL ) return NULL; + + pw->bv_len = len; + pw->bv_val = ber_memalloc( len + 1 ); + + if( pw->bv_val == NULL ) { + ber_memfree( pw ); + return NULL; + } + + if( lutil_entropy( pw->bv_val, pw->bv_len) < 0 ) { + ber_bvfree( pw ); + return NULL; + } + + for( len = 0; len < pw->bv_len; len++ ) { + pw->bv_val[len] = crypt64[ + pw->bv_val[len] % (sizeof(crypt64)-1) ]; + } + + pw->bv_val[len] = '\0'; + + return pw; +} + +int lutil_authpasswd_hash( + const struct berval * cred, + struct berval ** passwd_out, + struct berval ** salt_out, + const char * method ) +{ + const struct pw_scheme *sc; + int rc; + + if( passwd_out == NULL ) return -1; + + sc = get_scheme( method ); + if( sc == NULL || !sc->hash_fn ) return -1; + + if( sc->saltbytes && salt_out != NULL ) { + struct berval salt; + salt.bv_val = ber_memalloc( sc->saltbytes ); + + if( salt.bv_val == NULL ) { + return -1; + } + salt.bv_len = sc->saltbytes; + + if( lutil_entropy( salt.bv_val, salt.bv_len ) < 0 ) { + ber_memfree( salt.bv_val ); + return -1; + } + + rc = (sc->hash_fn)( sc, cred, &salt, passwd_out, NULL ); + ber_memfree( salt.bv_val ); + + } else if ( sc->saltbytes ) { + /* wants salt, disallow */ + return -1; + + } else { + rc = (sc->hash_fn)( sc, cred, NULL, passwd_out, salt_out ); + } + + return rc; +} + +static struct berval * base64( + const struct berval *value ) +{ + int rc; + struct berval *b64; + + assert( value != NULL ); + + if( value == NULL || value->bv_len == 0 ) return NULL; + + b64 = ber_memalloc( sizeof(struct berval) ); + if( b64 == NULL ) return NULL; + + b64->bv_len = LUTIL_BASE64_ENCODE_LEN( value->bv_len ); + b64->bv_val = ber_memalloc( b64->bv_len + 1 ); + + if( b64->bv_val == NULL ) { + ber_memfree( b64 ); + return NULL; + } + + rc = lutil_b64_ntop( + value->bv_val, value->bv_len, + b64->bv_val, b64->bv_len ); + + b64->bv_val[b64->bv_len] = '\0'; + + if( rc < 0 ) { + ber_bvfree( b64 ); + return NULL; + } + + return b64; +} + +/* PASSWORD CHECK ROUTINES */ + +static int chk_sha1( + const struct pw_scheme *sc, + const struct berval * passwd, + const struct berval * salt, + const struct berval * cred ) +{ + lutil_SHA1_CTX SHA1context; + unsigned char SHA1digest[LUTIL_SHA1_BYTES]; + int rc; + unsigned char *orig_pass = NULL; + unsigned char *orig_salt = NULL; + int saltlen; + + if( passwd == NULL || passwd->bv_len == 0 ) { + return 1; + } + + /* decode base64 password */ + orig_pass = (unsigned char *) ber_memalloc( (size_t) ( + LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); + + if( orig_pass == NULL ) { + rc = -1; + goto done; + } + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); + + if( rc < 0 ) { + goto done; + } + + /* decode base64 salt */ + if( salt != NULL && salt->bv_len > 0 ) { + orig_salt = (unsigned char *) ber_memalloc( (size_t) ( + LUTIL_BASE64_DECODE_LEN(salt->bv_len) + 1) ); + + if( orig_salt == NULL ) { + rc = -1; + goto done; + } + + saltlen = lutil_b64_pton(passwd->bv_val, orig_salt, passwd->bv_len); + + if( saltlen < 0 ) { + goto done; + } + } + + /* hash credentials with salt */ + lutil_SHA1Init(&SHA1context); + lutil_SHA1Update(&SHA1context, + (const unsigned char *) cred->bv_val, cred->bv_len); + if( orig_salt != NULL ) { + lutil_SHA1Update(&SHA1context, + orig_salt, saltlen ); + } + lutil_SHA1Final(SHA1digest, &SHA1context); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); + +done: + ber_memfree(orig_pass); + ber_memfree(orig_salt); + return rc; +} + +static int chk_md5( + const struct pw_scheme *sc, + const struct berval * passwd, + const struct berval * salt, + const struct berval * cred ) +{ + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES]; + int rc; + unsigned char *orig_pass = NULL; + unsigned char *orig_salt = NULL; + int saltlen; + + if( passwd == NULL || passwd->bv_len == 0 ) { + return 1; + } + + /* decode base64 password */ + orig_pass = (unsigned char *) ber_memalloc( (size_t) ( + LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); + + if( orig_pass == NULL ) { + rc = -1; + goto done; + } + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); + + if( rc < 0 ) { + goto done; + } + + /* decode base64 salt */ + if( salt != NULL && salt->bv_len > 0 ) { + orig_salt = (unsigned char *) ber_memalloc( (size_t) ( + LUTIL_BASE64_DECODE_LEN(salt->bv_len) + 1) ); + + if( orig_salt == NULL ) { + rc = -1; + goto done; + } + + saltlen = lutil_b64_pton(passwd->bv_val, orig_salt, passwd->bv_len); + + if( saltlen < 0 ) { + goto done; + } + } + + /* hash credentials with salt */ + lutil_MD5Init(&MD5context); + lutil_MD5Update(&MD5context, + (const unsigned char *) cred->bv_val, cred->bv_len); + if( orig_salt != NULL ) { + lutil_MD5Update(&MD5context, + orig_salt, saltlen ); + } + lutil_MD5Final(MD5digest, &MD5context); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); + +done: + ber_memfree(orig_pass); + ber_memfree(orig_salt); + return rc; +} + +#ifdef SLAPD_KPASSWD +static int chk_kerberos( + const struct pw_scheme *sc, + const struct berval * passwd, + const struct berval * cred, + const struct berval * salt ) +{ + int i; + int rtn; + + for( i=0; ibv_len; i++) { + if(cred->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + + if( cred->bv_val[i] != '\0' ) { + return 1; /* cred must behave like a string */ + } + + for( i=0; ibv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return 1; /* passwd must behave like a string */ + } + + rtn = 1; + +#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */ + { +/* Portions: + * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + + krb5_context context; + krb5_error_code ret; + krb5_creds creds; + krb5_get_init_creds_opt get_options; + krb5_verify_init_creds_opt verify_options; + krb5_principal client, server; +#ifdef notdef + krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; +#endif + + ret = krb5_init_context( &context ); + if (ret) { + return 1; + } + +#ifdef notdef + krb5_get_init_creds_opt_set_preauth_list(&get_options, + pre_auth_types, 1); +#endif + + krb5_get_init_creds_opt_init( &get_options ); + + krb5_verify_init_creds_opt_init( &verify_options ); + + ret = krb5_parse_name( context, passwd->bv_val, &client ); + + if (ret) { + krb5_free_context( context ); + return 1; + } + + ret = krb5_get_init_creds_password( context, + &creds, client, cred->bv_val, NULL, + NULL, 0, NULL, &get_options ); + + if (ret) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return 1; + } + + { + char host[MAXHOSTNAMELEN]; + + if( gethostname( host, MAXHOSTNAMELEN ) != 0 ) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return 1; + } + + ret = krb5_sname_to_principal( context, + host, "ldap", KRB5_NT_SRV_HST, &server ); + } + + if (ret) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return 1; + } + + ret = krb5_verify_init_creds( context, + &creds, server, NULL, NULL, &verify_options ); + + krb5_free_principal( context, client ); + krb5_free_principal( context, server ); + krb5_free_creds_contents( context, &creds ); + krb5_free_context( context ); + + rtn = !!ret; + } +#elif defined(HAVE_KRB4) + { + /* Borrowed from Heimdal kpopper */ +/* Portions: + * Copyright (c) 1989 Regents of the University of California. + * All rights reserved. The Berkeley software License Agreement + * specifies the terms and conditions for redistribution. + */ + + int status; + char lrealm[REALM_SZ]; + char tkt[MAXHOSTNAMELEN]; + + status = krb_get_lrealm(lrealm,1); + if (status == KFAILURE) { + return 1; + } + + snprintf(tkt, sizeof(tkt), "%s_slapd.%u", + TKT_ROOT, (unsigned)getpid()); + krb_set_tkt_string (tkt); + + status = krb_verify_user( passwd->bv_val, "", lrealm, + cred->bv_val, 1, "ldap"); + + dest_tkt(); /* no point in keeping the tickets */ + + return status == KFAILURE; + } +#endif + + return rtn; +} +#endif /* SLAPD_KPASSWD */ + +#ifdef SLAPD_CRYPT +static int chk_crypt( + const struct pw_scheme *sc, + const struct berval * passwd, + const struct berval * cred ) +{ + char *cr; + int i; + + for( i=0; ibv_len; i++) { + if(cred->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + + if( cred->bv_val[i] != '\0' ) { + return 1; /* cred must behave like a string */ + } + + if( passwd->bv_len < 2 ) { + return 1; /* passwd must be at least two characters long */ + } + + for( i=0; ibv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return 1; /* passwd must behave like a string */ + } + + cr = crypt( cred->bv_val, passwd->bv_val ); + + if( cr == NULL || cr[0] == '\0' ) { + /* salt must have been invalid */ + return 1; + } + + return strcmp( passwd->bv_val, cr ); +} + +# if defined( HAVE_GETSPNAM ) \ + || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) ) +static int chk_unix( + const struct pw_scheme *sc, + const struct berval * passwd, + const struct berval * cred ) +{ + int i; + char *pw,*cr; + + for( i=0; ibv_len; i++) { + if(cred->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + if( cred->bv_val[i] != '\0' ) { + return 1; /* cred must behave like a string */ + } + + for( i=0; ibv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return 1; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return 1; /* passwd must behave like a string */ + } + +# ifdef HAVE_GETSPNAM + { + struct spwd *spwd = getspnam(passwd->bv_val); + + if(spwd == NULL) { + return 1; /* not found */ + } + + pw = spwd->sp_pwdp; + } + +# else + { + struct passwd *pwd = getpwnam(passwd->bv_val); + + if(pwd == NULL) { + return 1; /* not found */ + } + + pw = pwd->pw_passwd; + } +# endif + + if( pw == NULL || pw[0] == '\0' || pw[1] == '\0' ) { + /* password must must be at least two characters long */ + return 1; + } + + cr = crypt(cred->bv_val, pw); + + if( cr == NULL || cr[0] == '\0' ) { + /* salt must have been invalid */ + return 1; + } + + return strcmp(pw, cr); + +} +# endif +#endif + +/* PASSWORD GENERATION ROUTINES */ + +#ifdef SLAPD_GENERATE + +static struct berval *hash_ssha1( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + lutil_SHA1_CTX SHA1context; + unsigned char SHA1digest[LUTIL_SHA1_BYTES]; + unsigned char saltdata[4]; + struct berval digest; + struct berval salt; + + digest.bv_val = SHA1digest; + digest.bv_len = sizeof(SHA1digest); + salt.bv_val = saltdata; + salt.bv_len = sizeof(saltdata); + + if( lutil_entropy( salt.bv_val, salt.bv_len) < 0 ) { + return NULL; + } + + lutil_SHA1Init( &SHA1context ); + lutil_SHA1Update( &SHA1context, + (const unsigned char *)passwd->bv_val, passwd->bv_len ); + lutil_SHA1Update( &SHA1context, + (const unsigned char *)salt.bv_val, salt.bv_len ); + lutil_SHA1Final( SHA1digest, &SHA1context ); + + return pw_string64( scheme, &digest, &salt); +} + +static struct berval *hash_sha1( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + lutil_SHA1_CTX SHA1context; + unsigned char SHA1digest[20]; + struct berval digest; + digest.bv_val = SHA1digest; + digest.bv_len = sizeof(SHA1digest); + + lutil_SHA1Init( &SHA1context ); + lutil_SHA1Update( &SHA1context, + (const unsigned char *)passwd->bv_val, passwd->bv_len ); + lutil_SHA1Final( SHA1digest, &SHA1context ); + + return pw_string64( scheme, &digest, NULL); +} + +static struct berval *hash_smd5( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + unsigned char saltdata[4]; + struct berval digest; + struct berval salt; + + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + salt.bv_val = saltdata; + salt.bv_len = sizeof(saltdata); + + if( lutil_entropy( salt.bv_val, salt.bv_len) < 0 ) { + return NULL; + } + + lutil_MD5Init( &MD5context ); + lutil_MD5Update( &MD5context, + (const unsigned char *) passwd->bv_val, passwd->bv_len ); + lutil_MD5Update( &MD5context, + (const unsigned char *) salt.bv_val, salt.bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + return pw_string64( scheme, &digest, &salt ); +} + +static struct berval *hash_md5( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + lutil_MD5_CTX MD5context; + unsigned char MD5digest[16]; + + struct berval digest; + + digest.bv_val = MD5digest; + digest.bv_len = sizeof(MD5digest); + + lutil_MD5Init( &MD5context ); + lutil_MD5Update( &MD5context, + (const unsigned char *) passwd->bv_val, passwd->bv_len ); + lutil_MD5Final( MD5digest, &MD5context ); + + return pw_string64( scheme, &digest, NULL ); +; +} + +#ifdef SLAPD_CRYPT +static struct berval *hash_crypt( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + struct berval hash; + unsigned char salt[3]; + int i; + + for( i=0; ibv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return NULL; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return NULL; /* passwd must behave like a string */ + } + + if( lutil_entropy( salt, sizeof(salt)) < 0 ) { + return NULL; + } + + salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ]; + salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ]; + salt[2] = '\0'; + + hash.bv_val = crypt( passwd->bv_val, salt ); + + if( hash.bv_val == NULL ) return NULL; + + hash.bv_len = strlen( hash.bv_val ); + + if( hash.bv_len == 0 ) { + return NULL; + } + + return pw_string( scheme, &hash ); +} +#endif +#endif \ No newline at end of file diff --git a/libraries/liblutil/liblutil.dsp b/libraries/liblutil/liblutil.dsp index c12d440cea..5914c5bd4a 100644 --- a/libraries/liblutil/liblutil.dsp +++ b/libraries/liblutil/liblutil.dsp @@ -42,6 +42,7 @@ CPP=cl.exe # PROP Output_Dir "..\..\Release" # PROP Intermediate_Dir "..\..\Release\liblutil" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe @@ -63,6 +64,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\Debug" # PROP Intermediate_Dir "..\..\Debug\liblutil" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /Z7 /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -84,6 +86,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SDebug" # PROP Intermediate_Dir "..\..\SDebug\liblutil" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /MTd /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /Z7 /Od /I "..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FR /YX /FD /c BSC32=bscmake.exe @@ -105,6 +108,7 @@ LIB32=link.exe -lib # PROP Output_Dir "..\..\SRelease" # PROP Intermediate_Dir "..\..\SRelease\liblutil" # PROP Target_Dir "" +RSC=rc.exe # ADD BASE CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c # ADD CPP /nologo /W3 /GX /O2 /I "..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /FD /c BSC32=bscmake.exe @@ -124,6 +128,10 @@ LIB32=link.exe -lib # Name "liblutil - Win32 Single Release" # Begin Source File +SOURCE=.\authpasswd.c +# End Source File +# Begin Source File + SOURCE=.\base64.c # End Source File # Begin Source File diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index 5c2c1ed29e..892a1b0f87 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -383,15 +383,16 @@ static struct berval * pw_string64( string.bv_val, string.bv_len, &b64->bv_val[sc->name.bv_len], b64len ); - b64->bv_val[b64->bv_len] = '\0'; - if( salt ) ber_memfree( string.bv_val ); - + if( rc < 0 ) { ber_bvfree( b64 ); return NULL; } + /* recompute length */ + b64->bv_len = sc->name.bv_len + rc; + assert( strlen(b64->bv_val) == b64->bv_len ); return b64; } @@ -407,7 +408,7 @@ static int chk_ssha1( int rc; unsigned char *orig_pass = NULL; - /* base64 un-encode password */ + /* decode base64 password */ orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); @@ -417,7 +418,7 @@ static int chk_ssha1( if(rc < 0) { ber_memfree(orig_pass); - return 1; + return -1; } /* hash credentials with salt */ @@ -432,7 +433,7 @@ static int chk_ssha1( /* compare */ rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); ber_memfree(orig_pass); - return rc; + return rc ? 1 : 0; } static int chk_sha1( @@ -455,7 +456,7 @@ static int chk_sha1( if( rc != sizeof(SHA1digest) ) { ber_memfree(orig_pass); - return 1; + return -1; } /* hash credentials with salt */ @@ -467,7 +468,7 @@ static int chk_sha1( /* compare */ rc = memcmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest)); ber_memfree(orig_pass); - return rc; + return rc ? 1 : 0; } static int chk_smd5( @@ -489,7 +490,7 @@ static int chk_smd5( rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); if ( rc < 0 ) { ber_memfree(orig_pass); - return 1; + return -1; } /* hash credentials with salt */ @@ -504,7 +505,7 @@ static int chk_smd5( /* compare */ rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); ber_memfree(orig_pass); - return rc; + return rc ? 1 : 0; } static int chk_md5( @@ -526,7 +527,7 @@ static int chk_md5( rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); if ( rc != sizeof(MD5digest) ) { ber_memfree(orig_pass); - return 1; + return -1; } /* hash credentials with salt */ @@ -538,7 +539,7 @@ static int chk_md5( /* compare */ rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest)); ber_memfree(orig_pass); - return rc; + return rc ? 1 : 0; } #ifdef SLAPD_KPASSWD @@ -728,31 +729,31 @@ static int chk_crypt( } if( cred->bv_val[i] != '\0' ) { - return 1; /* cred must behave like a string */ + return -1; /* cred must behave like a string */ } if( passwd->bv_len < 2 ) { - return 1; /* passwd must be at least two characters long */ + return -1; /* passwd must be at least two characters long */ } for( i=0; ibv_len; i++) { if(passwd->bv_val[i] == '\0') { - return 1; /* NUL character in password */ + return -1; /* NUL character in password */ } } if( passwd->bv_val[i] != '\0' ) { - return 1; /* passwd must behave like a string */ + return -1; /* passwd must behave like a string */ } cr = crypt( cred->bv_val, passwd->bv_val ); if( cr == NULL || cr[0] == '\0' ) { /* salt must have been invalid */ - return 1; + return -1; } - return strcmp( passwd->bv_val, cr ); + return strcmp( passwd->bv_val, cr ) ? 1 : 0; } # if defined( HAVE_GETSPNAM ) \ @@ -767,21 +768,21 @@ static int chk_unix( for( i=0; ibv_len; i++) { if(cred->bv_val[i] == '\0') { - return 1; /* NUL character in password */ + return -1; /* NUL character in password */ } } if( cred->bv_val[i] != '\0' ) { - return 1; /* cred must behave like a string */ + return -1; /* cred must behave like a string */ } for( i=0; ibv_len; i++) { if(passwd->bv_val[i] == '\0') { - return 1; /* NUL character in password */ + return -1; /* NUL character in password */ } } if( passwd->bv_val[i] != '\0' ) { - return 1; /* passwd must behave like a string */ + return -1; /* passwd must behave like a string */ } # ifdef HAVE_GETSPNAM @@ -789,7 +790,7 @@ static int chk_unix( struct spwd *spwd = getspnam(passwd->bv_val); if(spwd == NULL) { - return 1; /* not found */ + return -1; /* not found */ } pw = spwd->sp_pwdp; @@ -800,7 +801,7 @@ static int chk_unix( struct passwd *pwd = getpwnam(passwd->bv_val); if(pwd == NULL) { - return 1; /* not found */ + return -1; /* not found */ } pw = pwd->pw_passwd; @@ -809,17 +810,17 @@ static int chk_unix( if( pw == NULL || pw[0] == '\0' || pw[1] == '\0' ) { /* password must must be at least two characters long */ - return 1; + return -1; } cr = crypt(cred->bv_val, pw); if( cr == NULL || cr[0] == '\0' ) { /* salt must have been invalid */ - return 1; + return -1; } - return strcmp(pw, cr); + return strcmp(pw, cr) ? 1 : 0; } # endif diff --git a/libraries/liblutil/ptest.c b/libraries/liblutil/ptest.c index b682e5537e..2bc7379f01 100644 --- a/libraries/liblutil/ptest.c +++ b/libraries/liblutil/ptest.c @@ -20,22 +20,29 @@ #include "lutil.h" +// #define SLAP_AUTHPASSWD 1 + /* * Password Test Program */ char *hash[] = { - "{SMD5}", "{SSHA}", - "{MD5}", "{SHA}", +#ifdef SLAP_AUTHPASSWD + "SHA1", "MD5", +#else #ifdef SLAPD_CRYPT "{CRYPT}", +#endif + "{SSHA}", "{SMD5}", + "{SHA}", "{MD5}", + "{BOGUS}", #endif NULL }; static struct berval pw[] = { { sizeof("secret")-1, "secret" }, - { sizeof("binary\0secret")-1, "secret\0binary" }, + { sizeof("binary\0secret")-1, "binary\0secret" }, { 0, NULL } }; @@ -44,16 +51,55 @@ main( int argc, char *argv[] ) { int i, j, rc; struct berval *passwd; +#ifdef SLAP_AUTHPASSWD + struct berval *salt; +#endif + struct berval bad; + bad.bv_val = "bad password"; + bad.bv_len = sizeof("bad password")-1; for( i= 0; hash[i]; i++ ) { for( j = 0; pw[j].bv_len; j++ ) { +#ifdef SLAP_AUTHPASSWD + rc = lutil_authpasswd_hash( &pw[j], + &passwd, &salt, hash[i] ); + + if( rc ) +#else passwd = lutil_passwd_hash( &pw[j], hash[i] ); + + if( passwd == NULL ) +#endif + { + printf("%s generate fail: %s (%d)\n", + hash[i], pw[j].bv_val, pw[j].bv_len ); + continue; + } + + +#ifdef SLAP_AUTHPASSWD + rc = lutil_authpasswd( &pw[j], passwd, salt, NULL ); +#else rc = lutil_passwd( passwd, &pw[j], NULL ); +#endif - printf("%s (%d): %s (%d) %s\n", + printf("%s (%d): %s (%d)\t(%d) %s\n", pw[j].bv_val, pw[j].bv_len, passwd->bv_val, passwd->bv_len, - rc == 0 ? "OKAY" : "BAD" ); + rc, rc == 0 ? "OKAY" : "BAD" ); + +#ifdef SLAP_AUTHPASSWD + rc = lutil_authpasswd( passwd, salt, &bad, NULL ); +#else + rc = lutil_passwd( passwd, &bad, NULL ); +#endif + + printf("%s (%d): %s (%d)\t(%d) %s\n", + bad.bv_val, bad.bv_len, passwd->bv_val, passwd->bv_len, + rc, rc != 0 ? "OKAY" : "BAD" ); } + + printf("\n"); } + return EXIT_SUCCESS; } \ No newline at end of file -- 2.39.5