From 9225707a06d145fad128f97236166b65ae1c4f3e Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 29 Jun 1999 22:24:53 +0000 Subject: [PATCH] Modify lutil_passwd to accept a third argument char** methods to specific which methods may be used. This will facilate development of a slapd config directive "passwordMethod ..." to specify which methods should be allowed. --- include/lutil.h | 3 +- libraries/liblutil/passwd.c | 71 +++++++++++++++++++++++++--------- servers/slapd/back-bdb2/bind.c | 3 +- servers/slapd/back-ldbm/bind.c | 3 +- servers/slapd/backend.c | 2 +- 5 files changed, 59 insertions(+), 23 deletions(-) diff --git a/include/lutil.h b/include/lutil.h index 56aea51f37..a718ed6ece 100644 --- a/include/lutil.h +++ b/include/lutil.h @@ -39,7 +39,8 @@ lutil_detach LDAP_P(( LDAP_F( int ) lutil_passwd LDAP_P(( const char *cred, - const char *passwd)); + const char *passwd, + const char **methods )); LDAP_END_DECL diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index f3d5c54b8e..cbe5e6fb13 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -26,27 +26,65 @@ # include #endif +static int supported_hash( + const char* method, + const char** methods ) +{ + int i; + + if(methods == NULL) { + return 1; + } + + for(i=0; methods[i] != NULL; i++) { + if(strcasecmp(method, methods[i]) == 0) { + return 1; + } + } + + return 0; +} + +static const char *passwd_hash( + const char* passwd, + const char* method, + const char** methods ) +{ + int len; + + if( !supported_hash( method, methods ) ) { + return NULL; + } + + len = strlen(method); + + if( strncasecmp( passwd, method, len ) == 0 ) { + return &passwd[len]; + } + + return NULL; +} + /* * Return 0 if creds are good. */ - int lutil_passwd( const char *cred, - const char *passwd) + const char *passwd, + const char **methods) { + const char *p; if (cred == NULL || passwd == NULL) { return -1; } - if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) { + if ((p = passwd_hash( passwd, "{MD5}", methods )) != NULL ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[16]; char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */ - const char *p = passwd + (sizeof("{MD5}") - 1); - lutil_MD5Init(&MD5context); lutil_MD5Update(&MD5context, (const unsigned char *)cred, strlen(cred)); @@ -60,11 +98,10 @@ lutil_passwd( return( strcmp(p, base64digest) ); - } else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) { + } else if ((p = passwd_hash( passwd, "{SHA}", methods )) != NULL ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[20]; char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */ - const char *p = passwd + (sizeof("{SHA}") - 1); lutil_SHA1Init(&SHA1context); lutil_SHA1Update(&SHA1context, @@ -79,10 +116,9 @@ lutil_passwd( return( strcmp(p, base64digest) ); - } else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) { + } else if ((p = passwd_hash( passwd, "{SSHA}", methods )) != NULL ) { lutil_SHA1_CTX SHA1context; unsigned char SHA1digest[20]; - const char *p = passwd + (sizeof("{SSHA}") - 1); int pw_len = strlen(p); int rc; unsigned char *orig_pass = NULL; @@ -109,10 +145,9 @@ lutil_passwd( free(orig_pass); return(rc); - } else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) { + } else if ((p = passwd_hash( passwd, "{SMD5}", methods )) != NULL ) { lutil_MD5_CTX MD5context; unsigned char MD5digest[16]; - const char *p = passwd + (sizeof("{SMD5}") - 1); int pw_len = strlen(p); int rc; unsigned char *orig_pass = NULL; @@ -140,18 +175,15 @@ lutil_passwd( return ( rc ); #ifdef SLAPD_CRYPT - } else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) { - const char *p = passwd + (sizeof("{CRYPT}") - 1); - + } else if ((p = passwd_hash( passwd, "{CRYPT}", methods )) != NULL ) { return( strcmp(p, crypt(cred, p)) ); # if defined( HAVE_GETSPNAM ) \ || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) ) - } else if (strncasecmp(passwd, "{UNIX}", sizeof("{UNIX}") - 1) == 0 ) { - const char *u = passwd + (sizeof("{UNIX}") - 1); + } else if ((p = passwd_hash( passwd, "{UNIX}", methods )) != NULL ) { # ifdef HAVE_GETSPNAM - struct spwd *spwd = getspnam(u); + struct spwd *spwd = getspnam(p); if(spwd == NULL) { return 1; /* not found */ @@ -159,7 +191,7 @@ lutil_passwd( return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp)); # else - struct passwd *pwd = getpwnam(u); + struct passwd *pwd = getpwnam(p); if(pwd == NULL) { return 1; /* not found */ @@ -172,7 +204,8 @@ lutil_passwd( } #ifdef SLAPD_CLEARTEXT - return( strcmp(passwd, cred) ); + return supported_hash("{CLEARTEXT}", methods ) && + strcmp(passwd, cred) != 0; #else return( 1 ); #endif diff --git a/servers/slapd/back-bdb2/bind.c b/servers/slapd/back-bdb2/bind.c index 5524a0ea31..c2137fd0f9 100644 --- a/servers/slapd/back-bdb2/bind.c +++ b/servers/slapd/back-bdb2/bind.c @@ -39,7 +39,8 @@ crypted_value_find( result = lutil_passwd( (char*) cred->bv_val, - (char*) vals[i]->bv_val); + (char*) vals[i]->bv_val, + NULL ); #ifdef SLAPD_CRYPT ldap_pvt_thread_mutex_unlock( &crypt_mutex ); diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c index 97d88b921c..bf05252337 100644 --- a/servers/slapd/back-ldbm/bind.c +++ b/servers/slapd/back-ldbm/bind.c @@ -39,7 +39,8 @@ crypted_value_find( result = lutil_passwd( (char*) cred->bv_val, - (char*) vals[i]->bv_val); + (char*) vals[i]->bv_val, + NULL ); #ifdef SLAPD_CRYPT ldap_pvt_thread_mutex_unlock( &crypt_mutex ); diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index e7d6c13d4b..5b5a1f5db8 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -525,7 +525,7 @@ be_isroot_pw( Backend *be, char *ndn, struct berval *cred ) ldap_pvt_thread_mutex_lock( &crypt_mutex ); #endif - result = lutil_passwd( cred->bv_val, be->be_root_pw ); + result = lutil_passwd( cred->bv_val, be->be_root_pw, NULL ); #ifdef SLAPD_CRYPT ldap_pvt_thread_mutex_unlock( &crypt_mutex ); -- 2.39.5