apr-hash.patch

By: a guest on Feb 4th, 2011  |  syntax: Diff  |  size: 9.91 KB  |  views: 152  |  expires: Never
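--- a/configure
+++ b/configure
@@ -1559,6 +1559,7 @@
     --enable-aci         enable per-object ACIs (experimental) no|yes|mod [no]
     --enable-cleartext   enable cleartext passwords [yes]
     --enable-crypt       enable crypt(3) passwords [no]
+    --enable-apr1        enable Apache MD5 passwords [no]
     --enable-lmpasswd    enable LAN Manager passwords [no]
     --enable-spasswd     enable (Cyrus) SASL password verification [no]
     --enable-modules     enable dynamic module support [no]
@@ -3191,6 +3192,29 @@
 fi
 
 # end --enable-crypt
+# OpenLDAP --enable-apr1
+
+       # Check whether --enable-apr1 was given.
+if test "${enable_apr1+set}" = set; then
+  enableval=$enable_apr1;
+       ol_arg=invalid
+       for ol_val in auto yes no ; do
+               if test "$enableval" = "$ol_val" ; then
+                       ol_arg="$ol_val"
+               fi
+       done
+       if test "$ol_arg" = "invalid" ; then
+               { { echo "$as_me:$LINENO: error: bad value $enableval for --enable-apr1" >&5
+echo "$as_me: error: bad value $enableval for --enable-apr1" >&2;}
+   { (exit 1); exit 1; }; }
+       fi
+       ol_enable_apr1="$ol_arg"
+
+else
+       ol_enable_apr1=no
+fi
+
+# end --enable-apr1
 # OpenLDAP --enable-lmpasswd
 
        # Check whether --enable-lmpasswd was given.
@@ -37943,6 +37967,13 @@
 _ACEOF
 
 fi
+if test "$ol_enable_apr1" != no ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define SLAPD_APR1 1
+_ACEOF
+
+fi
 if test "$ol_link_spasswd" != no ; then
 
 cat >>confdefs.h <<\_ACEOF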
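--- a/include/portable.hin
+++ b/include/portable.hin
@@ -927,6 +927,9 @@
 /* define to support crypt(3) passwords */
 #undef SLAPD_CRYPT
 
+/* define to support Apache MD5 passwords */
+#undef SLAPD_APR1
+
 /* define to support DNS SRV backend */
 #undef SLAPD_DNSSRV
 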
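--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -11,6 +11,15 @@
  * A copy of this license is available in the file LICENSE in the
  * top-level directory of the distribution or, alternatively, at
  * <http://www.OpenLDAP.org/license.html>.
+ *
+ * A portion of the code is derived from code by Poul-Henning Kamp
+ * which is released under the following license:
+ * ----------------------------------------------------------------------------
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you think
+ * this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
+ * ----------------------------------------------------------------------------
  */
 
 /*
@@ -92,6 +101,12 @@
 static const unsigned char crypt64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
 
+#ifdef SLAPD_APR1
+static const unsigned char apr64[] =
+       "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+static const unsigned char apr1magic[] = "$apr1$";
+#endif
+
 #ifdef SLAPD_CRYPT
 static char *salt_format = NULL;
 static lutil_cryptfunc lutil_crypt;
@@ -122,6 +137,11 @@
 static LUTIL_PASSWD_HASH_FUNC hash_smd5;
 static LUTIL_PASSWD_HASH_FUNC hash_md5;
 
+#ifdef SLAPD_APR1
+#define        APR1_SALT_SIZE  8
+static LUTIL_PASSWD_CHK_FUNC chk_apr1;
+static LUTIL_PASSWD_HASH_FUNC hash_apr1;
+#endif
 
 #ifdef LUTIL_SHA1_BYTES
 static LUTIL_PASSWD_CHK_FUNC chk_ssha1;
@@ -163,6 +183,10 @@
        { BER_BVC("{SMD5}"),            chk_smd5, hash_smd5 },
        { BER_BVC("{MD5}"),                     chk_md5, hash_md5 },
 
+#ifdef SLAPD_APR1
+       { BER_BVC("{APR1}"),            chk_apr1, hash_apr1 },
+#endif
+
 #ifdef SLAPD_LMHASH
        { BER_BVC("{LANMAN}"),          chk_lanman, hash_lanman },
 #endif /* SLAPD_LMHASH */
@@ -656,6 +680,102 @@
        return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
 }
 
+#ifdef SLAPD_APR1
+static int chk_apr1(
+       const struct berval *sc,
+       const struct berval * passwd,
+       const struct berval * cred,
+       const char **text )
+{
+       lutil_MD5_CTX MD5context, MD5context1;
+       unsigned char MD5digest[LUTIL_MD5_BYTES];
+       int rc, sl, n;
+       unsigned char *orig_pass = NULL;
+
+       /* safety check */
+       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+               return LUTIL_PASSWD_ERR;
+       }
+
+       /* base64 un-encode password */
+       orig_pass = (unsigned char *) ber_memalloc( (size_t) (
+               LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+
+       if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
+
+       rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+
+       if (rc <= (int)(sizeof(MD5digest))) {
+               ber_memfree(orig_pass);
+               return LUTIL_PASSWD_ERR;
+       }
+
+       sl = rc - sizeof(MD5digest);
+
+       /* hash credentials using PHK MD5 and special magic */
+       lutil_MD5Init( &MD5context );
+       lutil_MD5Update( &MD5context,
+               (const unsigned char *) cred->bv_val, cred->bv_len );
+       lutil_MD5Update( &MD5context,
+               apr1magic, sizeof(apr1magic) - 1);
+       lutil_MD5Update( &MD5context,
+               &orig_pass[sizeof(MD5digest)], sl );
+       /* Inner hash */
+       lutil_MD5Init( &MD5context1 );
+       lutil_MD5Update( &MD5context1,
+               (const unsigned char *) cred->bv_val, cred->bv_len );
+       lutil_MD5Update( &MD5context1,
+               &orig_pass[sizeof(MD5digest)], sl );
+       lutil_MD5Update( &MD5context1,
+               (const unsigned char *) cred->bv_val, cred->bv_len );
+       lutil_MD5Final( MD5digest, &MD5context1 );
+       for( n = cred->bv_len; n > 0; n -= sizeof(MD5digest) ) {
+               lutil_MD5Update( &MD5context, MD5digest,
+                       (n > sizeof(MD5digest) ? sizeof(MD5digest) : n) );
+       }
+       memset( MD5digest, 0, sizeof(MD5digest) );
+       for( n = cred->bv_len; n; n >>= 1 ) {
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context, MD5digest, 1 );
+               } else {
+                       lutil_MD5Update( &MD5context, cred->bv_val, 1);
+               }
+       }
+       lutil_MD5Final( MD5digest, &MD5context );
+       for( n = 0; n < 1000; n++ ) {
+               lutil_MD5Init( &MD5context1 );
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) cred->bv_val, cred->bv_len );
+               } else {
+                       lutil_MD5Update( &MD5context1,
+                               MD5digest, sizeof(MD5digest) );
+               }
+               if( n % 3 ) {
+                       lutil_MD5Update( &MD5context1,
+                               &orig_pass[sizeof(MD5digest)], sl );
+               }
+               if( n % 7 ) {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) cred->bv_val, cred->bv_len );
+               }
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context1,
+                               MD5digest, sizeof(MD5digest) );
+               } else {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) cred->bv_val, cred->bv_len );
+               }
+               lutil_MD5Final( MD5digest, &MD5context1 );
+       }
+
+       /* compare */
+       rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
+       ber_memfree(orig_pass);
+       return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+}
+#endif
+
 #ifdef SLAPD_LMHASH
 
 #if defined(HAVE_OPENSSL)
@@ -1129,6 +1249,93 @@
 ;
 }
 
+#ifdef SLAPD_APR1
+static int hash_apr1(
+       const struct berval *scheme,
+       const struct berval  *passwd,
+       struct berval *hash,
+       const char **text )
+{
+       lutil_MD5_CTX   MD5context, MD5context1;
+       unsigned char   MD5digest[LUTIL_MD5_BYTES];
+       char            saltdata[APR1_SALT_SIZE];
+       struct berval digest;
+       struct berval salt;
+       int n;
+
+       digest.bv_val = (char *) MD5digest;
+       digest.bv_len = sizeof(MD5digest);
+       salt.bv_val = saltdata;
+       salt.bv_len = sizeof(saltdata);
+
+       if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) {
+               return LUTIL_PASSWD_ERR;
+       }
+       for( n = 0; n < salt.bv_len; n++ ) {
+               salt.bv_val[n] = apr64[salt.bv_val[n] % (sizeof(apr64) - 1)];
+       }
+
+       /* hash credentials using PHK MD5 and special magic */
+       lutil_MD5Init( &MD5context );
+       lutil_MD5Update( &MD5context,
+               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+       lutil_MD5Update( &MD5context,
+               apr1magic, sizeof(apr1magic) - 1);
+       lutil_MD5Update( &MD5context,
+               (const unsigned char *) salt.bv_val, salt.bv_len );
+       /* Inner hash */
+       lutil_MD5Init( &MD5context1 );
+       lutil_MD5Update( &MD5context1,
+               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+       lutil_MD5Update( &MD5context1,
+               (const unsigned char *) salt.bv_val, salt.bv_len );
+       lutil_MD5Update( &MD5context1,
+               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+       lutil_MD5Final( MD5digest, &MD5context1 );
+       for( n = passwd->bv_len; n > 0; n -= sizeof(MD5digest) ) {
+               lutil_MD5Update( &MD5context, MD5digest,
+                       (n > sizeof(MD5digest) ? sizeof(MD5digest) : n) );
+       }
+       memset( MD5digest, 0, sizeof(MD5digest) );
+       for( n = passwd->bv_len; n; n >>= 1 ) {
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context, MD5digest, 1 );
+               } else {
+                       lutil_MD5Update( &MD5context, passwd->bv_val, 1);
+               }
+       }
+       lutil_MD5Final( MD5digest, &MD5context );
+       for( n = 0; n < 1000; n++ ) {
+               lutil_MD5Init( &MD5context1 );
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+               } else {
+                       lutil_MD5Update( &MD5context1,
+                               MD5digest, sizeof(MD5digest) );
+               }
+               if( n % 3 ) {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) salt.bv_val, salt.bv_len );
+               }
+               if( n % 7 ) {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+               }
+               if( n & 1 ) {
+                       lutil_MD5Update( &MD5context1,
+                               MD5digest, sizeof(MD5digest) );
+               } else {
+                       lutil_MD5Update( &MD5context1,
+                               (const unsigned char *) passwd->bv_val, passwd->bv_len );
+               }
+               lutil_MD5Final( MD5digest, &MD5context1 );
+       }
+
+       return pw_string64( scheme, &digest, hash, &salt );
+}
+#endif
+
 #ifdef SLAPD_LMHASH
 static int hash_lanman(
        const struct berval *scheme,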
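Review bot: Neither chk_apr1 nor hash_apr1 documents the on-disk layout the scheme actually uses, and it is not Apache's: chk_apr1 base64-decodes the stored value and treats the first sizeof(MD5digest) bytes as the digest and the remainder as the salt, the "$apr1$" magic is only fed into the hash, and apr64 is used solely to pick salt characters in hash_apr1, so an htpasswd-style `$apr1$<salt>$<hash>` string cannot be stored under {APR1} unchanged even though the scheme name suggests it; a header comment on both functions such as `/* {APR1}: PHK md5crypt with "$apr1$" magic and 1000 rounds; stored as base64(digest || salt), not in Apache's $apr1$ text form */` would prevent that mistake. In hash_apr1 the index `salt.bv_val[n] % (sizeof(apr64) - 1)` stays in range for a negative `char` only because the size_t operand forces an unsigned conversion; `salt.bv_val[n] = apr64[(unsigned char) salt.bv_val[n] % (sizeof(apr64) - 1)];` makes that intent explicit and survives a later change of the divisor's type. The roughly fifty lines from the first lutil_MD5Init through the 1000-round loop are duplicated verbatim between the two functions (cred vs. passwd, decoded salt vs. generated salt), and a static helper taking the password, the salt and an output digest would keep the check and hash paths from drifting apart. The final memcmp in chk_apr1 follows the pattern of the check function just above the hunk, and pw_string64 is outside the patch, so the layout note above rests on what chk_apr1 decodes rather than on what pw_string64 writes.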