author | Rich Megginson <rmeggins@redhat.com> | 2005-06-14 15:44:19 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2005-06-14 15:44:19 +0000 |
commit | f63f0784e6cd80c4455e2333c6c79ea4e5f6a476 (patch) | |
tree | 72a66f5ff4942ee9e53b78039dcecc588960d9ad /ldap/servers/plugins | |
parent | 471dda07da584b389ee0b2c78f9ecf44defd835d (diff) | |
Bug 160008
Coding done by David Irving, Fred Brittain, and Aaron Gagnon
Reviewed by Rich Megginson - minor changes to md5_pwd.c
Tested on RHEL3 with FDS post-7.1
Does not include the OpenLDAP migration script - that will be handled separately
Diffstat (limited to 'ldap/servers/plugins')
-rw-r--r-- | ldap/servers/plugins/pwdstorage/Makefile | 3 | ||||
-rw-r--r-- | ldap/servers/plugins/pwdstorage/md5_pwd.c | 130 | ||||
-rw-r--r-- | ldap/servers/plugins/pwdstorage/pwd_init.c | 26 | ||||
-rw-r--r-- | ldap/servers/plugins/pwdstorage/pwdstorage.h | 4 |
4 files changed, 162 insertions, 1 deletions
diff --git a/ldap/servers/plugins/pwdstorage/Makefile b/ldap/servers/plugins/pwdstorage/Makefile index 04c14efe..32eb5a18 100644 --- a/ldap/servers/plugins/pwdstorage/Makefile +++ b/ldap/servers/plugins/pwdstorage/Makefile @@ -68,7 +68,8 @@ PWD_OBJS= \ ns-mta-md5_pwd.o \ sha_pwd.o \ ssha_pwd.o \ - md5c.o + md5c.o \ + md5_pwd.o ifneq ($(ARCH), WINNT) PWD_OBJS += crypt_pwd.o diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c new file mode 100644 index 00000000..410e9c5a --- /dev/null +++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c 
@@ -0,0 +1,130 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; version 2 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License ("Non-GPL Code") and to distribute linked combinations + * including the two, subject to the limitations in this paragraph. Non-GPL Code + * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from + * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. 
If you do not wish to + * provide this exception without modification, you must delete this exception + * statement from your version and license this file solely under the GPL without + * exception. + * + * + * Copyright (C) 2005 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ +/* + * MD5 Password Encryption/Comparison routines by David Irving, Fred Brittain, + * and Aaron Gagnon -- University of Maine Farmington + * Donated to the RedHat Directory Server Project 2005-06-10 + */ + +#include <string.h> +#include <sys/types.h> +#include <stdio.h> +#include <pk11func.h> +#include <nss.h> +#include <nssb64.h> +#include "pwdstorage.h" + +#define MD5_HASH_LEN 20 +#define MD5_SUBSYSTEM_NAME "MD5 password hash" + +int +md5_pw_cmp( char *userpwd, char *dbpwd ) +{ + int rc=-1; + char * bver; + PK11Context *ctx=NULL; + unsigned int outLen; + unsigned char hash_out[MD5_HASH_LEN]; + unsigned char b2a_out[MD5_HASH_LEN*2]; /* conservative */ + SECItem binary_item; + + ctx = PK11_CreateDigestContext(SEC_OID_MD5); + if (ctx == NULL) { + slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, + "Could not create context for digest operation for password compare"); + goto loser; + } + + /* create the hash */ + PK11_DigestBegin(ctx); + PK11_DigestOp(ctx, userpwd, strlen(userpwd)); + PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out); + PK11_DestroyContext(ctx, 1); + + /* convert the binary hash to base64 */ + binary_item.data = hash_out; + binary_item.len = outLen; + bver = NSSBase64_EncodeItem(NULL, b2a_out, sizeof b2a_out, &binary_item); + /* bver points to b2a_out upon success */ + if (bver) { + rc = strcmp(bver,dbpwd); + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, + "Could not base64 encode hashed value for password compare"); + } +loser: + return rc; +} + +char * +md5_pw_enc( char *pwd ) +{ + char * bver, *enc=NULL; + PK11Context *ctx=NULL; + unsigned int outLen; + unsigned char hash_out[MD5_HASH_LEN]; + unsigned char 
b2a_out[MD5_HASH_LEN*2]; /* conservative */ + SECItem binary_item; + + ctx = PK11_CreateDigestContext(SEC_OID_MD5); + if (ctx == NULL) { + slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, + "Could not create context for digest operation for password encoding"); + return NULL; + } + + /* create the hash */ + PK11_DigestBegin(ctx); + PK11_DigestOp(ctx, pwd, strlen(pwd)); + PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out); + PK11_DestroyContext(ctx, 1); + + /* convert the binary hash to base64 */ + binary_item.data = hash_out; + binary_item.len = outLen; + bver = NSSBase64_EncodeItem(NULL, b2a_out, sizeof b2a_out, &binary_item); + if (bver) { + enc = slapi_ch_smprintf("%c%s%c%s", PWD_HASH_PREFIX_START, MD5_SCHEME_NAME, + PWD_HASH_PREFIX_END, bver ); + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, + "Could not base64 encode hashed value for password encoding"); + } + + return( enc ); +} + diff --git a/ldap/servers/plugins/pwdstorage/pwd_init.c b/ldap/servers/plugins/pwdstorage/pwd_init.c index 600436d3..fa3f5d8d 100644 --- a/ldap/servers/plugins/pwdstorage/pwd_init.c +++ b/ldap/servers/plugins/pwdstorage/pwd_init.c @@ -55,6 +55,8 @@ static Slapi_PluginDesc clear_pdesc = { "clear-password-storage-scheme", PLUGIN_ static Slapi_PluginDesc ns_mta_md5_pdesc = { "NS-MTA-MD5-password-storage-scheme", PLUGIN_MAGIC_VENDOR_STR, PRODUCTTEXT, "Netscape MD5 (NS-MTA-MD5)" }; +static Slapi_PluginDesc md5_pdesc = { "md5-password-storage-scheme", PLUGIN_MAGIC_VENDOR_STR, PRODUCTTEXT, "MD5 hash algorithm (MD5)" }; + static char *plugin_name = "NSPwdStoragePlugin"; int 
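Review bot: The return values of PK11_DigestBegin, PK11_DigestOp and PK11_DigestFinal are ignored in both md5_pw_cmp and md5_pw_enc, so if any of them fails, outLen is read uninitialized and hash_out holds whatever was on the stack; in md5_pw_enc that garbage would be base64-encoded and stored as the user's password hash, and in md5_pw_cmp it is compared against dbpwd instead of failing closed. Each call should be checked for SECSuccess and the function should take its error path, as shown below for md5_pw_cmp (the same change applies to md5_pw_enc, returning NULL). Separately, the scheme is unsalted single-round MD5 — identical passwords produce identical stored values and the hash is cheap to brute-force — which is defensible only as an import/compatibility scheme; presumably that is the intent given the OpenLDAP migration script mentioned in the commit message, and a header comment saying so would stop it being picked for new deployments, e.g. `/* Unsalted MD5, provided for compatibility with imported entries only; do not select as the default storage scheme. */`. Also MD5_HASH_LEN is defined as 20 while an MD5 digest is 16 bytes; the buffers are merely oversized, but `#define MD5_HASH_LEN 16` would match the algorithm and avoid confusion with the SHA-1 length.
```c
	/* create the hash; on any NSS failure outLen/hash_out are undefined, so fail closed */
	if (PK11_DigestBegin(ctx) != SECSuccess ||
	    PK11_DigestOp(ctx, (unsigned char *)userpwd, strlen(userpwd)) != SECSuccess ||
	    PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out) != SECSuccess) {
		PK11_DestroyContext(ctx, 1);
		slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
		    "Digest operation failed for password compare");
		goto loser;
	}
	PK11_DestroyContext(ctx, 1);
	/* … unchanged: base64 encode hash_out and strcmp against dbpwd … */
```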
@@ -180,3 +182,27 @@ ns_mta_md5_pwd_storage_scheme_init( Slapi_PBlock *pb ) slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "<= ns_mta_md5_pwd_storage_scheme_init %d\n\n", rc ); return( rc ); } + +int +md5_pwd_storage_scheme_init( Slapi_PBlock *pb ) +{ + int rc; + char *name; + + slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "=> md5_pwd_storage_scheme_init\n" ); + + rc = slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, + (void *) SLAPI_PLUGIN_VERSION_01 ); + rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, + (void *)&md5_pdesc ); + rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, + (void *) md5_pw_enc ); + rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, + (void *) md5_pw_cmp ); + name = slapi_ch_strdup("MD5"); + rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_NAME, + name ); + + slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "<= md5_pwd_storage_scheme_init %d\n\n", rc ); + return( rc ); +} diff --git a/ldap/servers/plugins/pwdstorage/pwdstorage.h b/ldap/servers/plugins/pwdstorage/pwdstorage.h index 1f2fa484..9e0932b3 100644 --- a/ldap/servers/plugins/pwdstorage/pwdstorage.h +++ b/ldap/servers/plugins/pwdstorage/pwdstorage.h @@ -59,6 +59,8 @@ #define NS_MTA_MD5_NAME_LEN 10 #define CLEARTEXT_SCHEME_NAME "clear" #define CLEARTEXT_NAME_LEN 5 +#define MD5_SCHEME_NAME "MD5" +#define MD5_NAME_LEN 3 SECStatus sha1_salted_hash(unsigned char *hash_out, char *pwd, struct berval *salt); int sha1_pw_cmp( char *userpwd, char *dbpwd ); @@ -72,6 +74,8 @@ int crypt_pw_cmp( char *userpwd, char *dbpwd ); char *crypt_pw_enc( char *pwd ); #endif int ns_mta_md5_pw_cmp( char *userpwd, char *dbpwd ); +int md5_pw_cmp( char *userpwd, char *dbpwd ); +char *md5_pw_enc( char *pwd ); #if !defined(NET_SSL) |
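Review bot: `name = slapi_ch_strdup("MD5");` registers the scheme under a string literal while md5_pw_enc builds the stored `{MD5}` prefix from MD5_SCHEME_NAME (added to pwdstorage.h in this commit); if the two ever drift, the server would emit values it no longer recognizes on compare, so use the macro here too: `name = slapi_ch_strdup(MD5_SCHEME_NAME);`. The sibling init functions in this file (outside the hunk) appear to be the pattern being followed, so they may warrant the same tie to their own scheme-name macros. The plugin description `"MD5 hash algorithm (MD5)"` also gives administrators no hint that this is an unsalted hash unsuitable for new passwords; consider `"MD5 hash algorithm (MD5) - unsalted, for compatibility only"` in md5_pdesc, which is defined in the previous hunk of this file.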