apr-hash.patch

Feb 4th, 2011
  1. diff -ru openldap-2.4.23.orig/configure openldap-2.4.23/configure
  2. --- openldap-2.4.23.orig/configure  2010-04-19 15:22:25.000000000 -0400
  3. +++ openldap-2.4.23/configure   2011-02-04 03:32:32.851466637 -0500
  4. @@ -1559,6 +1559,7 @@
  5.      --enable-aci     enable per-object ACIs (experimental) no|yes|mod [no]
  6.      --enable-cleartext   enable cleartext passwords [yes]
  7.      --enable-crypt   enable crypt(3) passwords [no]
  8. +    --enable-apr1    enable Apache MD5 passwords [no]
  9.      --enable-lmpasswd    enable LAN Manager passwords [no]
  10.      --enable-spasswd     enable (Cyrus) SASL password verification [no]
  11.      --enable-modules     enable dynamic module support [no]
  12. @@ -3191,6 +3192,29 @@
  13.  fi
  14.  
  15.  # end --enable-crypt
  16. +# OpenLDAP --enable-apr1
  17. +
  18. +   # Check whether --enable-apr1 was given.
  19. +if test "${enable_apr1+set}" = set; then
  20. +  enableval=$enable_apr1;
  21. +   ol_arg=invalid
  22. +   for ol_val in auto yes no ; do
  23. +       if test "$enableval" = "$ol_val" ; then
  24. +           ol_arg="$ol_val"
  25. +       fi
  26. +   done
  27. +   if test "$ol_arg" = "invalid" ; then
  28. +       { { echo "$as_me:$LINENO: error: bad value $enableval for --enable-apr1" >&5
  29. +echo "$as_me: error: bad value $enableval for --enable-apr1" >&2;}
  30. +   { (exit 1); exit 1; }; }
  31. +   fi
  32. +   ol_enable_apr1="$ol_arg"
  33. +
  34. +else
  35. +   ol_enable_apr1=no
  36. +fi
  37. +
  38. +# end --enable-apr1
  39.  # OpenLDAP --enable-lmpasswd
  40.  
  41.     # Check whether --enable-lmpasswd was given.
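Review bot: The new `--enable-apr1` handling is added to the generated `configure` script only; this diff does not touch `configure.in`, so unless that is patched separately the next autoconf regeneration silently drops the option and `SLAPD_APR1` can never be defined. The accepted values are `auto yes no`, but the help text in the first hunk advertises only a boolean, and the later `if test "$ol_enable_apr1" != no` treats `auto` exactly like `yes`; either restrict the loop to `for ol_val in yes no ; do` or document `auto` in the help line. The lmpasswd block that follows starts inside this hunk and continues outside it.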
  42. @@ -37943,6 +37967,13 @@
  43.  _ACEOF
  44.  
  45.  fi
  46. +if test "$ol_enable_apr1" != no ; then
  47. +
  48. +cat >>confdefs.h <<\_ACEOF
  49. +#define SLAPD_APR1 1
  50. +_ACEOF
  51. +
  52. +fi
  53.  if test "$ol_link_spasswd" != no ; then
  54.  
  55.  cat >>confdefs.h <<\_ACEOF
  56. diff -ru openldap-2.4.23.orig/include/portable.hin openldap-2.4.23/include/portable.hin
  57. --- openldap-2.4.23.orig/include/portable.hin   2010-04-19 15:22:30.000000000 -0400
  58. +++ openldap-2.4.23/include/portable.hin    2011-02-04 03:32:32.851466637 -0500
  59. @@ -927,6 +927,9 @@
  60.  /* define to support crypt(3) passwords */
  61.  #undef SLAPD_CRYPT
  62.  
  63. +/* define to support Apache MD5 passwords */
  64. +#undef SLAPD_APR1
  65. +
  66.  /* define to support DNS SRV backend */
  67.  #undef SLAPD_DNSSRV
  68.  
  69. diff -ru openldap-2.4.23.orig/libraries/liblutil/passwd.c openldap-2.4.23/libraries/liblutil/passwd.c
  70. --- openldap-2.4.23.orig/libraries/liblutil/passwd.c    2010-04-13 16:23:06.000000000 -0400
  71. +++ openldap-2.4.23/libraries/liblutil/passwd.c 2011-02-04 03:32:43.354767827 -0500
  72. @@ -11,6 +11,15 @@
  73.   * A copy of this license is available in the file LICENSE in the
  74.   * top-level directory of the distribution or, alternatively, at
  75.   * <http://www.OpenLDAP.org/license.html>.
  76. + *
  77. + * A portion of the code is derived from code by Poul-Henning Kamp
  78. + * which is released under the following license:
  79. + * ----------------------------------------------------------------------------
  80. + * "THE BEER-WARE LICENSE" (Revision 42):
  81. + * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
  82. + * can do whatever you want with this stuff. If we meet some day, and you think
  83. + * this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
  84. + * ----------------------------------------------------------------------------
  85.   */
  86.  
  87.  /*
  88. @@ -92,6 +101,12 @@
  89.  static const unsigned char crypt64[] =
  90.     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
  91.  
  92. +#ifdef SLAPD_APR1
  93. +static const unsigned char apr64[] =
  94. +   "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  95. +static const unsigned char apr1magic[] = "$apr1$";
  96. +#endif
  97. +
  98.  #ifdef SLAPD_CRYPT
  99.  static char *salt_format = NULL;
  100.  static lutil_cryptfunc lutil_crypt;
  101. @@ -122,6 +137,11 @@
  102.  static LUTIL_PASSWD_HASH_FUNC hash_smd5;
  103.  static LUTIL_PASSWD_HASH_FUNC hash_md5;
  104.  
  105. +#ifdef SLAPD_APR1
  106. +#define    APR1_SALT_SIZE  8
  107. +static LUTIL_PASSWD_CHK_FUNC chk_apr1;
  108. +static LUTIL_PASSWD_HASH_FUNC hash_apr1;
  109. +#endif
  110.  
  111.  #ifdef LUTIL_SHA1_BYTES
  112.  static LUTIL_PASSWD_CHK_FUNC chk_ssha1;
  113. @@ -163,6 +183,10 @@
  114.     { BER_BVC("{SMD5}"),        chk_smd5, hash_smd5 },
  115.     { BER_BVC("{MD5}"),         chk_md5, hash_md5 },
  116.  
  117. +#ifdef SLAPD_APR1
  118. +   { BER_BVC("{APR1}"),        chk_apr1, hash_apr1 },
  119. +#endif
  120. +
  121.  #ifdef SLAPD_LMHASH
  122.     { BER_BVC("{LANMAN}"),      chk_lanman, hash_lanman },
  123.  #endif /* SLAPD_LMHASH */
  124. @@ -656,6 +680,102 @@
  125.     return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
  126.  }
  127.  
  128. +#ifdef SLAPD_APR1
  129. +static int chk_apr1(
  130. +   const struct berval *sc,
  131. +   const struct berval * passwd,
  132. +   const struct berval * cred,
  133. +   const char **text )
  134. +{
  135. +   lutil_MD5_CTX MD5context, MD5context1;
  136. +   unsigned char MD5digest[LUTIL_MD5_BYTES];
  137. +   int rc, sl, n;
  138. +   unsigned char *orig_pass = NULL;
  139. +
  140. +   /* safety check */
  141. +   if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
  142. +       return LUTIL_PASSWD_ERR;
  143. +   }
  144. +
  145. +   /* base64 un-encode password */
  146. +   orig_pass = (unsigned char *) ber_memalloc( (size_t) (
  147. +       LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
  148. +
  149. +   if( orig_pass == NULL ) return LUTIL_PASSWD_ERR;
  150. +
  151. +   rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
  152. +
  153. +   if (rc <= (int)(sizeof(MD5digest))) {
  154. +       ber_memfree(orig_pass);
  155. +       return LUTIL_PASSWD_ERR;
  156. +   }
  157. +
  158. +   sl = rc - sizeof(MD5digest);
  159. +
  160. +   /* hash credentials using PHK MD5 and special magic */
  161. +   lutil_MD5Init( &MD5context );
  162. +   lutil_MD5Update( &MD5context,
  163. +       (const unsigned char *) cred->bv_val, cred->bv_len );
  164. +   lutil_MD5Update( &MD5context,
  165. +       apr1magic, sizeof(apr1magic) - 1);
  166. +   lutil_MD5Update( &MD5context,
  167. +       &orig_pass[sizeof(MD5digest)], sl );
  168. +   /* Inner hash */
  169. +   lutil_MD5Init( &MD5context1 );
  170. +   lutil_MD5Update( &MD5context1,
  171. +       (const unsigned char *) cred->bv_val, cred->bv_len );
  172. +   lutil_MD5Update( &MD5context1,
  173. +       &orig_pass[sizeof(MD5digest)], sl );
  174. +   lutil_MD5Update( &MD5context1,
  175. +       (const unsigned char *) cred->bv_val, cred->bv_len );
  176. +   lutil_MD5Final( MD5digest, &MD5context1 );
  177. +   for( n = cred->bv_len; n > 0; n -= sizeof(MD5digest) ) {
  178. +       lutil_MD5Update( &MD5context, MD5digest,
  179. +           (n > sizeof(MD5digest) ? sizeof(MD5digest) : n) );
  180. +   }
  181. +   memset( MD5digest, 0, sizeof(MD5digest) );
  182. +   for( n = cred->bv_len; n; n >>= 1 ) {
  183. +       if( n & 1 ) {
  184. +           lutil_MD5Update( &MD5context, MD5digest, 1 );
  185. +       } else {
  186. +           lutil_MD5Update( &MD5context, cred->bv_val, 1);
  187. +       }
  188. +   }
  189. +   lutil_MD5Final( MD5digest, &MD5context );
  190. +   for( n = 0; n < 1000; n++ ) {
  191. +       lutil_MD5Init( &MD5context1 );
  192. +       if( n & 1 ) {
  193. +           lutil_MD5Update( &MD5context1,
  194. +               (const unsigned char *) cred->bv_val, cred->bv_len );
  195. +       } else {
  196. +           lutil_MD5Update( &MD5context1,
  197. +               MD5digest, sizeof(MD5digest) );
  198. +       }
  199. +       if( n % 3 ) {
  200. +           lutil_MD5Update( &MD5context1,
  201. +               &orig_pass[sizeof(MD5digest)], sl );
  202. +       }
  203. +       if( n % 7 ) {
  204. +           lutil_MD5Update( &MD5context1,
  205. +               (const unsigned char *) cred->bv_val, cred->bv_len );
  206. +       }
  207. +       if( n & 1 ) {
  208. +           lutil_MD5Update( &MD5context1,
  209. +               MD5digest, sizeof(MD5digest) );
  210. +       } else {
  211. +           lutil_MD5Update( &MD5context1,
  212. +               (const unsigned char *) cred->bv_val, cred->bv_len );
  213. +       }
  214. +       lutil_MD5Final( MD5digest, &MD5context1 );
  215. +   }
  216. +
  217. +   /* compare */
  218. +   rc = memcmp((char *)orig_pass, (char *)MD5digest, sizeof(MD5digest));
  219. +   ber_memfree(orig_pass);
  220. +   return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
  221. +}
  222. +#endif
  223. +
  224.  #ifdef SLAPD_LMHASH
  225.  
  226.  #if defined(HAVE_OPENSSL)
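Review bot: chk_apr1 base64-decodes the entire stored value and treats everything after the 16-byte digest as the salt, so the on-disk form this scheme accepts is `{APR1}` + base64(digest‖salt), not Apache's `$apr1$salt$hash` text; an htpasswd entry pasted into userPassword would be rejected by the decode and the scheme only interoperates with values produced by hash_apr1 in this same file, which the `{APR1}` name and "Apache MD5 passwords" help text do not make clear. I would state that at the top of the function: `/* Stored form is {APR1}base64(md5digest || salt): the apr1 crypt algorithm, not the htpasswd $apr1$salt$hash encoding. */`. Two smaller points in the same body: `cred->bv_val` is passed to lutil_MD5Update uncast in the `n >>= 1` loop while every other call casts to `const unsigned char *`, and the final `memcmp` is not constant-time (consistent with the sibling schemes here, but worth a comment since the routine is an authentication check).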
  227. @@ -1129,6 +1249,93 @@
  228.  ;
  229.  }
  230.  
  231. +#ifdef SLAPD_APR1
  232. +static int hash_apr1(
  233. +   const struct berval *scheme,
  234. +   const struct berval  *passwd,
  235. +   struct berval *hash,
  236. +   const char **text )
  237. +{
  238. +   lutil_MD5_CTX   MD5context, MD5context1;
  239. +   unsigned char   MD5digest[LUTIL_MD5_BYTES];
  240. +   char            saltdata[APR1_SALT_SIZE];
  241. +   struct berval digest;
  242. +   struct berval salt;
  243. +   int n;
  244. +
  245. +   digest.bv_val = (char *) MD5digest;
  246. +   digest.bv_len = sizeof(MD5digest);
  247. +   salt.bv_val = saltdata;
  248. +   salt.bv_len = sizeof(saltdata);
  249. +
  250. +   if( lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0 ) {
  251. +       return LUTIL_PASSWD_ERR;
  252. +   }
  253. +   for( n = 0; n < salt.bv_len; n++ ) {
  254. +       salt.bv_val[n] = apr64[salt.bv_val[n] % (sizeof(apr64) - 1)];
  255. +   }
  256. +
  257. +   /* hash credentials using PHK MD5 and special magic */
  258. +   lutil_MD5Init( &MD5context );
  259. +   lutil_MD5Update( &MD5context,
  260. +       (const unsigned char *) passwd->bv_val, passwd->bv_len );
  261. +   lutil_MD5Update( &MD5context,
  262. +       apr1magic, sizeof(apr1magic) - 1);
  263. +   lutil_MD5Update( &MD5context,
  264. +       (const unsigned char *) salt.bv_val, salt.bv_len );
  265. +   /* Inner hash */
  266. +   lutil_MD5Init( &MD5context1 );
  267. +   lutil_MD5Update( &MD5context1,
  268. +       (const unsigned char *) passwd->bv_val, passwd->bv_len );
  269. +   lutil_MD5Update( &MD5context1,
  270. +       (const unsigned char *) salt.bv_val, salt.bv_len );
  271. +   lutil_MD5Update( &MD5context1,
  272. +       (const unsigned char *) passwd->bv_val, passwd->bv_len );
  273. +   lutil_MD5Final( MD5digest, &MD5context1 );
  274. +   for( n = passwd->bv_len; n > 0; n -= sizeof(MD5digest) ) {
  275. +       lutil_MD5Update( &MD5context, MD5digest,
  276. +           (n > sizeof(MD5digest) ? sizeof(MD5digest) : n) );
  277. +   }
  278. +   memset( MD5digest, 0, sizeof(MD5digest) );
  279. +   for( n = passwd->bv_len; n; n >>= 1 ) {
  280. +       if( n & 1 ) {
  281. +           lutil_MD5Update( &MD5context, MD5digest, 1 );
  282. +       } else {
  283. +           lutil_MD5Update( &MD5context, passwd->bv_val, 1);
  284. +       }
  285. +   }
  286. +   lutil_MD5Final( MD5digest, &MD5context );
  287. +   for( n = 0; n < 1000; n++ ) {
  288. +       lutil_MD5Init( &MD5context1 );
  289. +       if( n & 1 ) {
  290. +           lutil_MD5Update( &MD5context1,
  291. +               (const unsigned char *) passwd->bv_val, passwd->bv_len );
  292. +       } else {
  293. +           lutil_MD5Update( &MD5context1,
  294. +               MD5digest, sizeof(MD5digest) );
  295. +       }
  296. +       if( n % 3 ) {
  297. +           lutil_MD5Update( &MD5context1,
  298. +               (const unsigned char *) salt.bv_val, salt.bv_len );
  299. +       }
  300. +       if( n % 7 ) {
  301. +           lutil_MD5Update( &MD5context1,
  302. +               (const unsigned char *) passwd->bv_val, passwd->bv_len );
  303. +       }
  304. +       if( n & 1 ) {
  305. +           lutil_MD5Update( &MD5context1,
  306. +               MD5digest, sizeof(MD5digest) );
  307. +       } else {
  308. +           lutil_MD5Update( &MD5context1,
  309. +               (const unsigned char *) passwd->bv_val, passwd->bv_len );
  310. +       }
  311. +       lutil_MD5Final( MD5digest, &MD5context1 );
  312. +   }
  313. +
  314. +   return pw_string64( scheme, &digest, hash, &salt );
  315. +}
  316. +#endif
  317. +
  318.  #ifdef SLAPD_LMHASH
  319.  static int hash_lanman(
  320.     const struct berval *scheme,
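Review bot: The salt-mapping loop indexes `apr64` with `salt.bv_val[n] % (sizeof(apr64) - 1)` where `saltdata` is declared as plain `char`; on targets where `char` is signed, any entropy byte of 0x80 or above gives a negative remainder and reads before `apr64[0]`, so the emitted salt can contain arbitrary bytes instead of characters from `./0-9A-Za-z`. This kind of mapping is normally done on an unsigned buffer: `unsigned char saltdata[APR1_SALT_SIZE];` with `salt.bv_val = (char *) saltdata;` and `saltdata[n] = apr64[saltdata[n] % (sizeof(apr64) - 1)];` in the loop. Separately, the 1000-round MD5 construction is fixed by the apr1 format and offers little resistance to offline guessing by current standards; a one-line comment above the function saying the scheme exists for Apache compatibility and should not be chosen as a default hash would help deployers.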