diff options
Diffstat (limited to 'ldap/servers/plugins/pwdstorage/sha_pwd.c')
-rw-r--r-- | ldap/servers/plugins/pwdstorage/sha_pwd.c | 56 |
1 files changed, 26 insertions, 30 deletions
diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c index ea0afdd0..e54feab7 100644 --- a/ldap/servers/plugins/pwdstorage/sha_pwd.c +++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c @@ -67,20 +67,21 @@ static char *plugin_name = "NSPwdStoragePlugin"; */ int -sha_pw_cmp (char *userpwd, char *dbpwd, unsigned int shaLen ) +sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen ) { /* * SHA passwords are stored in the database as shaLen bytes of * hash, followed by zero or more bytes of salt, all BASE64 encoded. */ int result = 1; /* failure */ - unsigned char userhash[MAX_SHA_HASH_SIZE]; - unsigned char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3]; - unsigned char *dbhash = quick_dbhash; + char userhash[MAX_SHA_HASH_SIZE]; + char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3]; + char *dbhash = quick_dbhash; struct berval salt; int hash_len; /* must be a signed valued -- see below */ unsigned int secOID; char *schemeName; + char *hashresult = NULL; /* Determine which algorithm we're using */ switch (shaLen) { @@ -107,24 +108,20 @@ sha_pw_cmp (char *userpwd, char *dbpwd, unsigned int shaLen ) /* * Decode hash stored in database. - * - * Note that ldif_base64_decode() returns a value less than zero to - * indicate that a decoding error occurred, so it is critical that - * hash_len be a signed value. */ - hash_len = (((strlen(dbpwd) + 3) / 4) * 3); /* maybe less */ + hash_len = (strlen(dbpwd) * 3) / 4; /* includes the trailing = if any */ if ( hash_len > sizeof(quick_dbhash) ) { /* get more space: */ - dbhash = (unsigned char*) slapi_ch_malloc( hash_len ); + dbhash = (char*) slapi_ch_malloc( hash_len ); if ( dbhash == NULL ) goto loser; } - hash_len = ldif_base64_decode( dbpwd, dbhash ); - if (hash_len < 0) { + hashresult = PL_Base64Decode( dbpwd, 0, dbhash ); + if (NULL == hashresult) { slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, hasherrmsg, schemeName, dbpwd ); goto loser; } else if ( hash_len >= shaLen ) { salt.bv_val = (void*)(dbhash + shaLen); - salt.bv_len = hash_len - shaLen; - } else if ( hash_len == DS40B1_SALTED_SHA_LENGTH ) { + salt.bv_len = SHA_SALT_LENGTH; + } else if ( hash_len >= DS40B1_SALTED_SHA_LENGTH ) { salt.bv_val = (void*)dbhash; salt.bv_len = 8; } else { /* unsupported, invalid BASE64 (hash_len < 0), or similar */ @@ -139,19 +136,19 @@ sha_pw_cmp (char *userpwd, char *dbpwd, unsigned int shaLen ) } /* the proof is in the comparison... */ - result = ( hash_len == DS40B1_SALTED_SHA_LENGTH ) ? - ( memcmp( userhash, dbhash + 8, hash_len - 8 )) : - ( memcmp( userhash, dbhash, shaLen )); + result = ( hash_len >= shaLen ) ? + ( memcmp( userhash, dbhash, shaLen )) : /* include salt */ + ( memcmp( userhash, dbhash + 8, hash_len - 8 )); /* exclude salt */ loser: - if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free( (void**)&dbhash ); + if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( &dbhash ); return result; } char * -sha_pw_enc( char *pwd, unsigned int shaLen ) +sha_pw_enc( const char *pwd, unsigned int shaLen ) { - unsigned char hash[MAX_SHA_HASH_SIZE]; + char hash[MAX_SHA_HASH_SIZE]; char *enc; char *schemeName; unsigned int schemeNameLen; @@ -196,8 +193,7 @@ sha_pw_enc( char *pwd, unsigned int shaLen ) sprintf( enc, "%c%s%c", PWD_HASH_PREFIX_START, schemeName, PWD_HASH_PREFIX_END ); - (void)ldif_base64_encode( hash, enc + 2 + schemeNameLen, - shaLen, -1 ); + (void)PL_Base64Encode( hash, shaLen, enc + 2 + schemeNameLen ); return( enc ); } @@ -206,25 +202,25 @@ sha_pw_enc( char *pwd, unsigned int shaLen ) * Wrapper password comparison functions */ int -sha1_pw_cmp (char *userpwd, char *dbpwd ) +sha1_pw_cmp (const char *userpwd, const char *dbpwd ) { return sha_pw_cmp( userpwd, dbpwd, SHA1_LENGTH ); } int -sha256_pw_cmp (char *userpwd, char *dbpwd ) +sha256_pw_cmp (const char *userpwd, const char *dbpwd ) { return sha_pw_cmp( userpwd, dbpwd, SHA256_LENGTH ); } int -sha384_pw_cmp (char *userpwd, char *dbpwd ) +sha384_pw_cmp (const char *userpwd, const char *dbpwd ) { return sha_pw_cmp( userpwd, dbpwd, SHA384_LENGTH ); } int -sha512_pw_cmp (char *userpwd, char *dbpwd ) +sha512_pw_cmp (const char *userpwd, const char *dbpwd ) { return sha_pw_cmp( userpwd, dbpwd, SHA512_LENGTH ); } @@ -233,25 +229,25 @@ sha512_pw_cmp (char *userpwd, char *dbpwd ) * Wrapper password encryption functions */ char * -sha1_pw_enc( char *pwd ) +sha1_pw_enc( const char *pwd ) { return sha_pw_enc( pwd, SHA1_LENGTH ); } char * -sha256_pw_enc( char *pwd ) +sha256_pw_enc( const char *pwd ) { return sha_pw_enc( pwd, SHA256_LENGTH ); } char * -sha384_pw_enc( char *pwd ) +sha384_pw_enc( const char *pwd ) { return sha_pw_enc( pwd, SHA384_LENGTH ); } char * -sha512_pw_enc( char *pwd ) +sha512_pw_enc( const char *pwd ) { return sha_pw_enc( pwd, SHA512_LENGTH ); } |