From 8d4c20cd6dcc40c1028d2a9d8874eebd47b6cfcf Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Wed, 13 Jun 2001 03:47:17 +0000
Subject: [PATCH] Adding crypt(3) salt format (ITS#1202) from Jeff Costlow with minor changes by committer
---
Copyright 2001, F5 Networks, Inc, All rights reserved. This software is not subject to any license of F5 Networks. This is free software; you can redistribute and use it under the same terms as OpenLDAP itself.
---
 include/lutil.h | 4 ++++
 libraries/liblutil/passwd.c | 37 +++++++++++++++++++++++++++++++++----
 servers/slapd/config.c | 19 +++++++++++++++++++
 3 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/include/lutil.h b/include/lutil.h
index d814380622..534cfe660a 100644
--- a/include/lutil.h
+++ b/include/lutil.h
@@ -95,6 +95,10 @@ LDAP_LUTIL_F( int )
 lutil_passwd_scheme LDAP_P((
 const char *scheme ));
 
+LDAP_LUTIL_F( int )
+lutil_salt_format LDAP_P((
+ const char *format ));
+
 /* utils.c */
 LDAP_LUTIL_F( char* )
 lutil_progname LDAP_P((
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 4ba96e2da8..5a04acfdcc 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -65,6 +65,10 @@ static const unsigned char crypt64[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
 
+#ifdef SLAPD_CRYPT
+static const char *salt_format = NULL;
+#endif
+
 struct pw_scheme;
 
 typedef int (*PASSWD_CHK_FUNC)(
@@ -1188,7 +1192,7 @@ static struct berval *hash_crypt(
 const struct berval *passwd )
 {
 struct berval hash;
- unsigned char salt[9]; /* salt suitable for anything */
+ unsigned char salt[32]; /* salt suitable for most anything */
 int i;
 
 for( i=0; ibv_len; i++) {
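Review bot: The new `lutil_salt_format` declaration says nothing about what `format` must contain, although passwd.c hands the stored string directly to snprintf as the format, with the random salt as the only argument. A comment on the prototype is the place to pin that contract, e.g. `/* printf-style template applied to the random crypt(3) salt: exactly one %s, NULL resets to the unformatted salt; only effective when built with SLAPD_CRYPT */`. The SLAPD_CRYPT restriction is visible from the `#ifdef` guards in passwd.c and is otherwise invisible to a caller of this header.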
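Review bot: `salt_format` is declared `static const char *`, but the `lutil_salt_format` hunk later in this file assigns `strdup()`'s result to it and passes it to `free()`, which discards the const qualifier (a warning on strict builds and misleading, since the storage is owned and heap-allocated). Declare it as the owned pointer it is, `static char *salt_format = NULL;`. A one-line comment stating the contract would also help, e.g. `/* crypt(3) salt template used by hash_crypt(); set via lutil_salt_format(), NULL means the raw salt is used */`.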
@@ -1201,14 +1205,22 @@ static struct berval *hash_crypt(
 return NULL; /* passwd must behave like a string */
 }
 
- if( lutil_entropy( salt, 8) < 0 ) {
+ if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) {
 return NULL;
 }
 
- for( i=0; i<8; i++ ) {
+ for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
 salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ];
 }
- salt[8] = '\0';
+ salt[sizeof( salt ) - 1 ] = '\0';
+
+ if( salt_format != NULL ) {
+ /* copy the salt we made into entropy before snprintfing
+ it back into the salt */
+ char entropy[sizeof(salt)];
+ strcpy( entropy, salt );
+ snprintf( salt, sizeof(entropy), salt_format, entropy );
+ }
 
 hash.bv_val = crypt( passwd->bv_val, salt );
@@ -1223,3 +1235,20 @@ static struct berval *hash_crypt(
 return pw_string( scheme, &hash );
 }
 #endif
+
+int lutil_salt_format(const char *format)
+{
+#ifdef SLAPD_CRYPT
+ if (format) {
+ if (salt_format)
+ free(salt_format);
+ salt_format = strdup(format);
+ } else { // unset if they pass in NULL
+ if (salt_format)
+ free(salt_format);
+ salt_format = NULL;
+ }
+#endif
+
+ return 0;
+}
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index c4e07db580..88b5db95a3 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -503,6 +503,25 @@ read_config( const char *fname )
 default_passwd_hash = ch_strdup( cargv[1] );
 }
 
+ } else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 )
+ {
+ if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: missing format in "
+ "\"password-crypt-salt-format \" line\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: missing format in "
+ "\"password-crypt-salt-format \" line\n",
+ fname, lineno, 0 );
+#endif
+
+ return 1;
+ }
+
+ lutil_salt_format( cargv[1] );
+
 /* set SASL host */
 } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
 if ( cargc < 2 ) {
--
2.39.5
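Review bot: `snprintf( salt, sizeof(entropy), salt_format, entropy )` uses an administrator-supplied string as the format with exactly one argument, and nothing in this hunk checks that the template holds a single `%s`; a template with any other conversion, or two of them, is undefined behaviour at every password hash rather than an error at config load, so the check belongs in lutil_salt_format (raised on that hunk) and this call should be able to rely on it. The truncation is also silent: the generated salt is `sizeof(salt) - 1` characters, so any template that adds a prefix is cut at 31 bytes by snprintf; whether crypt(3) still accepts the result depends on the scheme, so the intent should be stated, e.g. `/* template output longer than salt is truncated; use a precision such as %.8s to bound the random part */`. Both calls also pass the `unsigned char` salt buffer where `char *` is expected; `strcpy( entropy, (char *) salt )` and `snprintf( (char *) salt, ... )` would silence the pointer-sign warnings while keeping the unsigned indexing in the loop above. hash_crypt begins and ends outside this hunk.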
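Review bot: `lutil_salt_format` stores whatever string it is given, yet hash_crypt hands that string to snprintf as the format with a single `char *` argument, so a template carrying any conversion other than one `%s` (or none) leads to undefined behaviour at hash time instead of a config-time rejection; validating the template here and returning non-zero on rejection is the cheap fix, and keeping 0 on success leaves the existing caller unaffected. The `strdup` result is also unchecked, so on allocation failure the template is silently dropped, and both branches repeat the `free`, which on the current `const char *` declaration discards the qualifier. The `// unset if they pass in NULL` comment is C++/C99 style where the rest of the file uses `/* */`. The rewrite below accepts one `%s` with an optional precision such as `%.8s` and `%%` as a literal percent.
```c
int lutil_salt_format(const char *format)
{
#ifdef SLAPD_CRYPT
	if( format != NULL ) {
		/* the template is later handed to snprintf() with a single
		 * string argument: accept exactly one %s (optionally with a
		 * precision, e.g. %.8s) and no other conversion */
		const char *p;
		int nconv = 0;

		for( p = format; *p != '\0'; p++ ) {
			if( *p != '%' ) continue;
			if( p[1] == '%' ) { p++; continue; }	/* literal percent */
			p += 1 + strspn( p + 1, ".0123456789" );
			if( *p != 's' || ++nconv > 1 ) return -1;
		}
		if( nconv != 1 ) return -1;
	}

	free( salt_format );	/* free(NULL) is a no-op */
	salt_format = NULL;
	if( format != NULL ) {
		salt_format = strdup( format );
		if( salt_format == NULL ) return -1;	/* out of memory */
	}
#endif

	return 0;
}
```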
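Review bot: `lutil_salt_format( cargv[1] );` discards the return value, so a template the library refuses (or a failed `strdup` inside it) is accepted by the config parser and only shows up as unformatted or undefined hashing later; the call should be `if ( lutil_salt_format( cargv[1] ) != 0 ) {` followed by the same LDAP_LOG/Debug pair this hunk already uses for the missing-argument case and `return 1;`. As committed the function always returns 0, so this check only pays off once lutil_salt_format validates its argument, which is the change worth making first. The directive is also accepted silently on builds without SLAPD_CRYPT, where it has no effect; a Debug line noting that would save an administrator some confusion. read_config begins and ends outside this hunk.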