openldap/libraries/liblutil/passwd.c

/*
 * lutil_password(credentials, password)
 *
 * Returns true if user supplied credentials matches
 * the stored password. 
 *
 * Due to the use of the crypt(3) function 
 * this routine is NOT thread-safe.
 */

#include "portable.h"

#include <stdlib.h>

#include <ac/string.h>
#include <ac/unistd.h>

#include "lutil_md5.h"
#include "lutil_sha1.h"
#include "lutil.h"

/*
 * Return 0 if creds are good.
 */

int
lutil_passwd(
	const char *cred,
	const char *passwd)
{

	if (cred == NULL || passwd == NULL) {
		return -1;
	}

	if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
		lutil_MD5_CTX MD5context;
		unsigned char MD5digest[16];
		char base64digest[25];  /* ceiling(sizeof(input)/3) * 4 + 1 */

		const char *p = passwd + (sizeof("{MD5}") - 1);

		lutil_MD5Init(&MD5context);
		lutil_MD5Update(&MD5context,
			       (const unsigned char *)cred, strlen(cred));
		lutil_MD5Final(MD5digest, &MD5context);

		if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
			base64digest, sizeof(base64digest)) < 0)
		{
			return ( 1 );
		}

		return( strcmp(p, base64digest) );

	} else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
		lutil_SHA1_CTX SHA1context;
		unsigned char SHA1digest[20];
		char base64digest[29];  /* ceiling(sizeof(input)/3) * 4 + 1 */
		const char *p = passwd + (sizeof("{SHA}") - 1);

		lutil_SHA1Init(&SHA1context);
		lutil_SHA1Update(&SHA1context,
				(const unsigned char *) cred, strlen(cred));
		lutil_SHA1Final(SHA1digest, &SHA1context);

		if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
			base64digest, sizeof(base64digest)) < 0)
		{
			return ( 1 );
		}

		return( strcmp(p, base64digest) );

	} else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
		lutil_SHA1_CTX SHA1context;
		unsigned char SHA1digest[20];
		const char *p = passwd + (sizeof("{SSHA}") - 1);
		int pw_len = strlen(p);
		int rc;
		unsigned char *orig_pass = NULL;
 
		/* base64 un-encode password */
		orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
		if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
		{
			free(orig_pass);
			return ( 1 );
		}
 
		/* hash credentials with salt */
		lutil_SHA1Init(&SHA1context);
		lutil_SHA1Update(&SHA1context,
				(const unsigned char *) cred, strlen(cred));
		lutil_SHA1Update(&SHA1context,
				(const unsigned char *) orig_pass + sizeof(SHA1digest),
				rc - sizeof(SHA1digest));
		lutil_SHA1Final(SHA1digest, &SHA1context);
 
		/* compare */
		rc = strncmp((char *)orig_pass, (char *)SHA1digest, sizeof(SHA1digest));
		free(orig_pass);
		return(rc);

	} else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) {
		lutil_MD5_CTX MD5context;
		unsigned char MD5digest[16];
		const char *p = passwd + (sizeof("{SMD5}") - 1);
		int pw_len = strlen(p);
		int rc;
		unsigned char *orig_pass = NULL;

		/* base64 un-encode password */
		orig_pass = (unsigned char *)malloc((size_t)(pw_len * 0.75 + 1));
		if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)
		{
			free(orig_pass);
			return ( 1 );
		}

		/* hash credentials with salt */
		lutil_MD5Init(&MD5context);
		lutil_MD5Update(&MD5context,
				(const unsigned char *) cred, strlen(cred));
		lutil_MD5Update(&MD5context,
				(const unsigned char *) orig_pass + sizeof(MD5digest),
				rc - sizeof(MD5digest));
		lutil_MD5Final(MD5digest, &MD5context);

		/* compare */
		rc = strncmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
		free(orig_pass);
		return ( rc );

#ifdef SLAPD_CRYPT
	} else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
		const char *p = passwd + (sizeof("{CRYPT}") - 1);

		return( strcmp(p, crypt(cred, p)) );

#endif
	}

#ifdef SLAPD_CLEARTEXT
	return( strcmp(passwd, cred) );
#else
	return( 1 );
#endif

}
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`/*`
			`* lutil_password(credentials, password)`
			`*`
			`* Returns true if user supplied credentials matches`
			`* the stored password.`
			`*`
			`* Due to the use of the crypt(3) function`
			`* this routine is NOT thread-safe.`
			`*/`

			`#include "portable.h"`

Added salted MD5 and SHA support. (SSHA,SMD5) 1998-12-30 13:32:17 +08:00			`#include <stdlib.h>`

Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`#include <ac/string.h>`
			`#include <ac/unistd.h>`

			`#include "lutil_md5.h"`
			`#include "lutil_sha1.h"`
			`#include "lutil.h"`

			`/*`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`* Return 0 if creds are good.`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`*/`

			`int`
			`lutil_passwd(`
			`const char *cred,`
			`const char *passwd)`
			`{`

			`if (cred == NULL \|\| passwd == NULL) {`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`return -1;`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`}`

Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools. 1998-12-30 05:45:08 +08:00			`if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_MD5_CTX MD5context;`
			`unsigned char MD5digest[16];`
			`char base64digest[25]; /* ceiling(sizeof(input)/3) * 4 + 1 */`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00
			`const char *p = passwd + (sizeof("{MD5}") - 1);`

Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_MD5Init(&MD5context);`
			`lutil_MD5Update(&MD5context,`
gcc -W cleanup 1998-11-23 09:46:32 +08:00			`(const unsigned char *)cred, strlen(cred));`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_MD5Final(MD5digest, &MD5context);`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`base64digest, sizeof(base64digest)) < 0)`
			`{`
			`return ( 1 );`
			`}`

Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`return( strcmp(p, base64digest) );`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00
			`} else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_SHA1_CTX SHA1context;`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`unsigned char SHA1digest[20];`
			`char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */`
			`const char *p = passwd + (sizeof("{SHA}") - 1);`

Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_SHA1Init(&SHA1context);`
			`lutil_SHA1Update(&SHA1context,`
gcc -W cleanup 1998-11-23 09:46:32 +08:00			`(const unsigned char *) cred, strlen(cred));`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`lutil_SHA1Final(SHA1digest, &SHA1context);`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`base64digest, sizeof(base64digest)) < 0)`
			`{`
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`return ( 1 );`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`}`

Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`return( strcmp(p, base64digest) );`
Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools. 1998-12-30 05:45:08 +08:00
Added salted MD5 and SHA support. (SSHA,SMD5) 1998-12-30 13:32:17 +08:00			`} else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {`
			`lutil_SHA1_CTX SHA1context;`
			`unsigned char SHA1digest[20];`
			`const char *p = passwd + (sizeof("{SSHA}") - 1);`
			`int pw_len = strlen(p);`
			`int rc;`
			`unsigned char *orig_pass = NULL;`

			`/* base64 un-encode password */`
Updates for NT4 (MSVC5++). Removed external include/library paths from projects. External paths should be set via Tools \| Options \| Directories. This allows each developer the freedom to install external libraries where they desire. Used libdb.lib instead of libdbs.lib to avoid thread conflicts. Added hs_regex.lib to library input. We require some form of regex, this library works (and is relatively easy for the user to install). Removed a little lint which MCVC5 detected. Need to sort out single-threaded vs multithreaded library generation. 1999-04-02 04:26:09 +08:00			`orig_pass = (unsigned char )malloc((size_t)(pw_len 0.75 + 1));`
Added salted MD5 and SHA support. (SSHA,SMD5) 1998-12-30 13:32:17 +08:00			`if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)`
			`{`
			`free(orig_pass);`
			`return ( 1 );`
			`}`

			`/* hash credentials with salt */`
			`lutil_SHA1Init(&SHA1context);`
			`lutil_SHA1Update(&SHA1context,`
			`(const unsigned char *) cred, strlen(cred));`
			`lutil_SHA1Update(&SHA1context,`
			`(const unsigned char *) orig_pass + sizeof(SHA1digest),`
			`rc - sizeof(SHA1digest));`
			`lutil_SHA1Final(SHA1digest, &SHA1context);`

			`/* compare */`
			`rc = strncmp((char )orig_pass, (char )SHA1digest, sizeof(SHA1digest));`
			`free(orig_pass);`
			`return(rc);`

			`} else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) {`
			`lutil_MD5_CTX MD5context;`
			`unsigned char MD5digest[16];`
			`const char *p = passwd + (sizeof("{SMD5}") - 1);`
			`int pw_len = strlen(p);`
			`int rc;`
			`unsigned char *orig_pass = NULL;`

			`/* base64 un-encode password */`
Updates for NT4 (MSVC5++). Removed external include/library paths from projects. External paths should be set via Tools \| Options \| Directories. This allows each developer the freedom to install external libraries where they desire. Used libdb.lib instead of libdbs.lib to avoid thread conflicts. Added hs_regex.lib to library input. We require some form of regex, this library works (and is relatively easy for the user to install). Removed a little lint which MCVC5 detected. Need to sort out single-threaded vs multithreaded library generation. 1999-04-02 04:26:09 +08:00			`orig_pass = (unsigned char )malloc((size_t)(pw_len 0.75 + 1));`
Added salted MD5 and SHA support. (SSHA,SMD5) 1998-12-30 13:32:17 +08:00			`if ((rc = lutil_b64_pton(p, orig_pass, pw_len)) < 0)`
			`{`
			`free(orig_pass);`
			`return ( 1 );`
			`}`

			`/* hash credentials with salt */`
			`lutil_MD5Init(&MD5context);`
			`lutil_MD5Update(&MD5context,`
			`(const unsigned char *) cred, strlen(cred));`
			`lutil_MD5Update(&MD5context,`
			`(const unsigned char *) orig_pass + sizeof(MD5digest),`
			`rc - sizeof(MD5digest));`
			`lutil_MD5Final(MD5digest, &MD5context);`

			`/* compare */`
			`rc = strncmp((char )orig_pass, (char )MD5digest, sizeof(MD5digest));`
			`free(orig_pass);`
			`return ( rc );`

Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools. 1998-12-30 05:45:08 +08:00			`#ifdef SLAPD_CRYPT`
			`} else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {`
			`const char *p = passwd + (sizeof("{CRYPT}") - 1);`

			`return( strcmp(p, crypt(cred, p)) );`

			`#endif`
Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`}`

Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'. 1998-12-01 11:36:37 +08:00			`#ifdef SLAPD_CLEARTEXT`
			`return( strcmp(passwd, cred) );`
			`#else`
			`return( 1 );`
			`#endif`

Add lutil_passwd() 1998-11-07 06:04:14 +08:00			`}`