diff options
Diffstat (limited to 'ldap/servers/plugins/pwdstorage/smd5_pwd.c')
-rw-r--r-- | ldap/servers/plugins/pwdstorage/smd5_pwd.c | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c new file mode 100644 index 00000000..f7689ed4 --- /dev/null +++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c @@ -0,0 +1,168 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; version 2 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License ("Non-GPL Code") and to distribute linked combinations + * including the two, subject to the limitations in this paragraph. Non-GPL Code + * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from + * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. If you do not wish to + * provide this exception without modification, you must delete this exception + * statement from your version and license this file solely under the GPL without + * exception. + * + * + * Copyright (C) 2005 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + +#ifdef HAVE_CONFIG_H +# include <config.h> +#endif + +/* + * Based on MD5 Password Encryption/Comparison routines by David Irving, + * Fred Brittain, and Aaron Gagnon -- University of Maine Farmington + * Donated to the RedHat Directory Server Project 2005-06-10 + */ + +#include <string.h> +#include <sys/types.h> +#include <stdio.h> +#include <pk11func.h> +#include <nss.h> +#include <nssb64.h> +#include <sechash.h> +#include "pwdstorage.h" + +#define MD5_DEFAULT_SALT_LENGTH 4 +#define MD5_MAX_SALT_LENGTH 16 +#define SALTED_MD5_SUBSYSTEM_NAME "Salted MD5 password hash" + +int +smd5_pw_cmp( const char *userpwd, const char *dbpwd ) +{ + int rc=-1; + PK11Context *ctx=NULL; + unsigned int outLen; + unsigned char userhash[MD5_LENGTH]; + int hash_len; + unsigned char quick_dbhash[MD5_LENGTH + MD5_DEFAULT_SALT_LENGTH + 1]; + unsigned char *dbhash = quick_dbhash; + struct berval salt; + char *hashresult = NULL; + SECItem binary_item; + + ctx = PK11_CreateDigestContext(SEC_OID_MD5); + if (ctx == NULL) { + slapi_log_error(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, + "Could not create context for digest operation for password compare"); + goto loser; + } + + /* + * Decode hash stored in database. + */ + hash_len = pwdstorage_base64_decode_len(dbpwd); + if ( hash_len >= sizeof(quick_dbhash) ) { /* get more space: */ + dbhash = (char*) slapi_ch_calloc( hash_len + 1, sizeof(char) ); + if ( dbhash == NULL ) goto loser; + } else { + memset( quick_dbhash, 0, sizeof(quick_dbhash) ); + } + + hashresult = PL_Base64Decode( dbpwd, 0, dbhash ); + if (NULL == hashresult) { + slapi_log_error( SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, + "smd5_pw_cmp: userPassword \"%s\" is the wrong length " + "or is not properly encoded BASE64\n", dbpwd ); + goto loser; + } + + salt.bv_val = (void*)(dbhash + MD5_LENGTH); /* salt starts after hash value */ + salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */ + + /* create the hash */ + memset( userhash, 0, sizeof(userhash) ); + PK11_DigestBegin(ctx); + PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd)); + PK11_DigestOp(ctx, (unsigned char*)(salt.bv_val), salt.bv_len); + PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash); + PK11_DestroyContext(ctx, 1); + + /* Compare everything up to the salt. */ + rc = memcmp( userhash, dbhash, MD5_LENGTH ); + +loser: + if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash ); + return rc; +} + +char * +smd5_pw_enc( const char *pwd ) +{ + char * bver, *enc=NULL; + PK11Context *ctx=NULL; + unsigned int outLen; + unsigned char hash_out[MD5_LENGTH + MD5_DEFAULT_SALT_LENGTH]; + unsigned char b2a_out[(MD5_LENGTH*2) + (MD5_MAX_SALT_LENGTH*2)]; /* conservative */ + char *salt = hash_out + MD5_LENGTH; + struct berval saltval; + SECItem binary_item; + + ctx = PK11_CreateDigestContext(SEC_OID_MD5); + if (ctx == NULL) { + slapi_log_error(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, + "Could not create context for digest operation for password encoding"); + return NULL; + } + + /* prepare the hash output area */ + memset( hash_out, 0, sizeof(hash_out) ); + + /* generate a new random salt */ + slapi_rand_array( salt, MD5_DEFAULT_SALT_LENGTH ); + saltval.bv_val = (void*)salt; + saltval.bv_len = MD5_DEFAULT_SALT_LENGTH; + + /* create the hash */ + PK11_DigestBegin(ctx); + PK11_DigestOp(ctx, (const unsigned char *)pwd, strlen(pwd)); + PK11_DigestOp(ctx, (unsigned char*)(saltval.bv_val), saltval.bv_len); + PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out); + PK11_DestroyContext(ctx, 1); + + /* convert the binary hash to base64 */ + binary_item.data = hash_out; + binary_item.len = outLen + MD5_DEFAULT_SALT_LENGTH; + bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); + if (bver) { + enc = slapi_ch_smprintf("%c%s%c%s", PWD_HASH_PREFIX_START, SALTED_MD5_SCHEME_NAME, + PWD_HASH_PREFIX_END, bver ); + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME, + "Could not base64 encode hashed value for password encoding"); + } + + return( enc ); +} + |