From e9e99fe612c2bd77e6409cfdc5ee8502a24da3cf Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 7 Feb 2011 01:09:47 +0000 Subject: [PATCH] Add APR1 to Makefile/README. Add {BSDMD5} mechanism. --- contrib/slapd-modules/passwd/Makefile | 13 ++++- contrib/slapd-modules/passwd/README | 13 ++++- contrib/slapd-modules/passwd/apr1.c | 68 +++++++++++++++++++++++---- 3 files changed, 82 insertions(+), 12 deletions(-) diff --git a/contrib/slapd-modules/passwd/Makefile b/contrib/slapd-modules/passwd/Makefile index 48a2881fdc..1e49e6abe0 100644 --- a/contrib/slapd-modules/passwd/Makefile +++ b/contrib/slapd-modules/passwd/Makefile @@ -1,7 +1,7 @@ # $OpenLDAP$ CPPFLAGS+=-I../../../include -I../../../servers/slapd -all: kerberos.la netscape.la radius.la +all: kerberos.la netscape.la radius.la apr1.la kerberos.lo: kerberos.c $(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -DHAVE_KRB5 -Wall -c $? @@ -24,14 +24,23 @@ radius.la: radius.lo $(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \ -rpath $(PREFIX)/lib -module -o $@ $? -lradius +apr1.lo: apr1.c + $(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -Wall -c $? + +apr1.la: apr1.lo + $(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \ + -rpath $(PREFIX)/lib -module -o $@ $? + clean: rm -f kerberos.lo kerberos.la rm -f netscape.lo netscape.la rm -f radius.lo radius.la + rm -f apr1.lo apr1.la -install: kerberos.la netscape.la radius.la +install: kerberos.la netscape.la radius.la apr1.la mkdir -p $(PREFIX)/lib/openldap $(LIBTOOL) --mode=install cp kerberos.la $(PREFIX)/lib/openldap $(LIBTOOL) --mode=install cp netscape.la $(PREFIX)/lib/openldap $(LIBTOOL) --mode=install cp radius.la $(PREFIX)/lib/openldap + $(LIBTOOL) --mode=install cp apr1.la $(PREFIX)/lib/openldap $(LIBTOOL) --finish $(PREFIX)/lib diff --git a/contrib/slapd-modules/passwd/README b/contrib/slapd-modules/passwd/README index e6f08280c8..c9ef3bf7ef 100644 --- a/contrib/slapd-modules/passwd/README +++ b/contrib/slapd-modules/passwd/README @@ -1,6 +1,7 @@ This directory contains native slapd plugins for password mechanisms that are not actively supported by the project. Currently this includes the -Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms. +Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms. The Apache +APR1 MD5 and BSD/Paul Henning Kamp MD5 mechanisms are also included. To use the Kerberos plugin, add: @@ -14,6 +15,12 @@ moduleload pw-netscape.so to your slapd configuration file. +To use the APR1/BSD/MD5 plugin, add: + +moduleload pw-apr1.so + +to your slapd configuration file. + To use the RADIUS plugin, add: moduleload pw-radius.so @@ -42,6 +49,10 @@ gcc -shared -I../../../include -Wall -g -o pw-radius.so radius.c -lradius (Actually, you might want to statically link the RADIUS client library libradius.a into the module). +The corresponding command for the APR1 plugin would be: + +gcc -shared -I../../../include -Wall -g -o pw-apr1.so apr1.c + --- This work is part of OpenLDAP Software . diff --git a/contrib/slapd-modules/passwd/apr1.c b/contrib/slapd-modules/passwd/apr1.c index f669736812..2078e57fa8 100644 --- a/contrib/slapd-modules/passwd/apr1.c +++ b/contrib/slapd-modules/passwd/apr1.c @@ -23,9 +23,16 @@ #include +/* the only difference between this and straight PHK is the magic */ static LUTIL_PASSWD_CHK_FUNC chk_apr1; static LUTIL_PASSWD_HASH_FUNC hash_apr1; -static const struct berval scheme = BER_BVC("{APR1}"); +static const struct berval scheme_apr1 = BER_BVC("{APR1}"); +static const struct berval magic_apr1 = BER_BVC("$apr1$"); + +static LUTIL_PASSWD_CHK_FUNC chk_bsdmd5; +static LUTIL_PASSWD_HASH_FUNC hash_bsdmd5; +static const struct berval scheme_bsdmd5 = BER_BVC("{BSDMD5}"); +static const struct berval magic_bsdmd5 = BER_BVC("$1$"); static const unsigned char apr64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; @@ -41,9 +48,10 @@ static const unsigned char apr64[] = * this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp * ---------------------------------------------------------------------------- */ -static void do_apr_hash( +static void do_phk_hash( const struct berval *passwd, const struct berval *salt, + const struct berval *magic, unsigned char *digest) { lutil_MD5_CTX ctx, ctx1; @@ -52,7 +60,7 @@ static void do_apr_hash( /* Start hashing */ lutil_MD5Init(&ctx); lutil_MD5Update(&ctx, (const unsigned char *) passwd->bv_val, passwd->bv_len); - lutil_MD5Update(&ctx, "$apr1$", 6); + lutil_MD5Update(&ctx, (const unsigned char *) magic->bv_val, magic->bv_len); lutil_MD5Update(&ctx, (const unsigned char *) salt->bv_val, salt->bv_len); /* Inner hash */ lutil_MD5Init(&ctx1); @@ -100,8 +108,9 @@ static void do_apr_hash( } } -static int chk_apr1( +static int chk_phk( const struct berval *scheme, + const struct berval *magic, const struct berval *passwd, const struct berval *cred, const char **text) @@ -133,7 +142,7 @@ static int chk_apr1( salt.bv_len = rc - sizeof(digest); /* the only difference between this and straight PHK is the magic */ - do_apr_hash(cred, &salt, digest); + do_phk_hash(cred, magic, &salt, digest); if (text) *text = NULL; @@ -144,8 +153,27 @@ static int chk_apr1( return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } -static int hash_apr1( +static int chk_apr1( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + return chk_phk(scheme, &magic_apr1, passwd, cred, text); +} + +static int chk_bsdmd5( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + return chk_phk(scheme, &magic_bsdmd5, passwd, cred, text); +} + +static int hash_phk( const struct berval *scheme, + const struct berval *magic, const struct berval *passwd, struct berval *hash, const char **text) @@ -168,8 +196,7 @@ static int hash_apr1( for (n = 0; n < salt.bv_len; n++) salt.bv_val[n] = apr64[salt.bv_val[n] % (sizeof(apr64) - 1)]; - /* the only difference between this and straight PHK is the magic */ - do_apr_hash(passwd, &salt, digest_buf); + do_phk_hash(passwd, magic, &salt, digest_buf); if (text) *text = NULL; @@ -177,6 +204,29 @@ static int hash_apr1( return lutil_passwd_string64(scheme, &digest, hash, &salt); } +static int hash_apr1( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text) +{ + return hash_phk(scheme, &magic_apr1, passwd, hash, text); +} + +static int hash_bsdmd5( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text) +{ + return hash_phk(scheme, &magic_bsdmd5, passwd, hash, text); +} + int init_module(int argc, char *argv[]) { - return lutil_passwd_add((struct berval *) &scheme, chk_apr1, hash_apr1); + int rc; + rc = lutil_passwd_add((struct berval *) &scheme_apr1, chk_apr1, hash_apr1); + if ( !rc ) + rc = lutil_passwd_add((struct berval *) &scheme_bsdmd5, + chk_bsdmd5, hash_bsdmd5); + return rc; } -- 2.39.2