Red Hat Bugzilla – Attachment 145101 Details for
Bug 221905
Add SMD5 password support
[patch]
Patch adding SMD5 support
smd5.patch (text/plain), 7.32 KB, created by
Josh Kelley
on 2007-01-08 20:34:30 UTC
Description:
Patch adding SMD5 support
Filename:
MIME Type:
Creator:
Josh Kelley
Created:
2007-01-08 20:34:30 UTC
Size:
7.32 KB
>diff -ur fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/md5_pwd.c ldapserver/ldap/servers/plugins/pwdstorage/md5_pwd.c
>--- fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/md5_pwd.c 2005-06-14 11:44:19.000000000 -0400
>+++ ldapserver/ldap/servers/plugins/pwdstorage/md5_pwd.c 2006-08-02 17:32:41.000000000 -0400
>@@ -51,6 +51,9 @@
> #define MD5_HASH_LEN 20
> #define MD5_SUBSYSTEM_NAME "MD5 password hash"
>
>+#define SMD5_HASH_LEN 24
>+#define MD5_SALT_LEN 4
>+
> int
> md5_pw_cmp( char *userpwd, char *dbpwd )
> {
>@@ -128,3 +131,107 @@
> return( enc );
> }
>
>+int
>+smd5_pw_cmp( char *userpwd, char *dbpwd )
>+{
>+ int rc=-1;
>+ char * bver;
>+ PK11Context *ctx=NULL;
>+ unsigned int outLen;
>+ unsigned char userhash[SMD5_HASH_LEN];
>+ int hash_len;
>+ unsigned char quick_dbhash[MD5_HASH_LEN + MD5_SALT_LEN + 3];
>+ unsigned char *dbhash = quick_dbhash;
>+ unsigned char *salt;
>+
>+ ctx = PK11_CreateDigestContext(SEC_OID_MD5);
>+ if (ctx == NULL) {
>+ slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
>+ "Could not create context for digest operation for password compare");
>+ goto loser;
>+ }
>+
>+ /*
>+ * Decode hash stored in database.
>+ *
>+ * Note that ldif_base64_decode() returns a value less than zero to
>+ * indicate that a decoding error occurred, so it is critical that
>+ * hash_len be a signed value.
>+ */
>+ hash_len = (((strlen(dbpwd) + 3) / 4) * 3); /* maybe less */
>+ if ( hash_len > sizeof(quick_dbhash) ) { /* get more space: */
>+ dbhash = (unsigned char*) slapi_ch_malloc( hash_len );
>+ if ( dbhash == NULL ) goto loser;
>+ }
>+ hash_len = ldif_base64_decode( dbpwd, dbhash );
>+ printf("%i\n", hash_len);
>+ salt = (void*)(dbhash + 16); // TODO: hard-coded 16
>+ // TODO: Error handling for invalid hash length?
>+
>+ /* create the salted hash of the user's password */
>+ PK11_DigestBegin(ctx);
>+ PK11_DigestOp(ctx, userpwd, strlen(userpwd));
>+ PK11_DigestOp(ctx, salt, MD5_SALT_LEN);
>+ PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
>+ PK11_DestroyContext(ctx, 1);
>+
>+ /* bver points to b2a_out upon success */
>+ if (bver) {
>+ rc = memcmp(dbhash, userhash, 16); // TODO: hard-coded 16
>+ } else {
>+ slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
>+ "Could not base64 encode hashed value for password compare");
>+ }
>+loser:
>+ if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free( (void**)&dbhash );
>+ return rc;
>+}
>+
>+char *
>+smd5_pw_enc( char *pwd )
>+{
>+ char * bver, *enc=NULL;
>+ PK11Context *ctx=NULL;
>+ unsigned int outLen;
>+ unsigned char hash_out[SMD5_HASH_LEN];
>+ unsigned char *salt = hash_out + 16; // TODO: Hard-coded 16
>+ unsigned char b2a_out[SMD5_HASH_LEN*2]; /* conservative */
>+ SECItem binary_item;
>+
>+ /* generate a new random salt */
>+ /* Note: the uninitialized salt array provides a little extra entropy
>+ * to the random array generation, but it is not really needed since
>+ * PK11_GenerateRandom takes care of seeding. In any case, it doesn't
>+ * hurt.
*/
>+ ssha_rand_array( salt, MD5_SALT_LEN );
>+
>+ ctx = PK11_CreateDigestContext(SEC_OID_MD5);
>+ if (ctx == NULL) {
>+ slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
>+ "Could not create context for digest operation for password encoding");
>+ return NULL;
>+ }
>+
>+ /* create the hash */
>+ PK11_DigestBegin(ctx);
>+ PK11_DigestOp(ctx, pwd, strlen(pwd));
>+ PK11_DigestOp(ctx, salt, MD5_SALT_LEN);
>+ PK11_DigestFinal(ctx, hash_out, &outLen, sizeof hash_out);
>+ PK11_DestroyContext(ctx, 1);
>+
>+ /* convert the binary hash to base64 */
>+ binary_item.data = hash_out;
>+ binary_item.len = outLen + MD5_SALT_LEN;
>+ bver = NSSBase64_EncodeItem(NULL, b2a_out, sizeof b2a_out, &binary_item);
>+ if (bver) {
>+ enc = slapi_ch_smprintf("%c%s%c%s", PWD_HASH_PREFIX_START, SMD5_SCHEME_NAME,
>+ PWD_HASH_PREFIX_END, bver );
>+ } else {
>+ slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
>+ "Could not base64 encode hashed value for password encoding");
>+ }
>+
>+ return( enc );
>+}
>+
>+
>diff -ur fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/pwd_init.c ldapserver/ldap/servers/plugins/pwdstorage/pwd_init.c
>--- fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/pwd_init.c 2005-09-06 17:15:15.000000000 -0400
>+++ ldapserver/ldap/servers/plugins/pwdstorage/pwd_init.c 2006-08-02 17:13:59.000000000 -0400
>@@ -69,6 +69,8 @@
>
> static Slapi_PluginDesc md5_pdesc = { "md5-password-storage-scheme", PLUGIN_MAGIC_VENDOR_STR, PRODUCTTEXT, "MD5 hash algorithm (MD5)" };
>
>+static Slapi_PluginDesc smd5_pdesc = { "smd5-password-storage-scheme", PLUGIN_MAGIC_VENDOR_STR, PRODUCTTEXT, "Salted MD5 hash algorithm (SMD5)" };
>+
> static char *plugin_name = "NSPwdStoragePlugin";
>
> int
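Review bot: In smd5_pw_cmp the return value of ldif_base64_decode() is printed but never checked, so a stored value that fails to decode (negative hash_len) or decodes to fewer than 16 + MD5_SALT_LEN bytes still has its salt read from `dbhash + 16`, which is then uninitialized or beyond the decoded data. The function also branches on `bver`, which is declared but never assigned here (it looks carried over from the encode routine), so whether the memcmp runs at all is undefined. The `printf("%i\n", hash_len);` is debugging output and should not ship in a server plugin. The sketch below adds the length check, drops `bver`, and frees the digest context on the new early exit because `loser:` does not.

```c
    hash_len = ldif_base64_decode( dbpwd, dbhash );
    /* decode error (< 0) or too short to hold digest + salt: treat as no match */
    if ( hash_len < 16 + MD5_SALT_LEN ) {
        slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
                "Stored SMD5 value is malformed or too short for password compare");
        PK11_DestroyContext(ctx, 1);
        goto loser;
    }
    salt = dbhash + 16;

    /* … unchanged: salted digest of userpwd into userhash, context destroyed … */

    rc = memcmp(dbhash, userhash, 16);
loser:
```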
>@@ -365,3 +367,29 @@
> slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "<= md5_pwd_storage_scheme_init %d\n\n", rc );
> return( rc );
> }
>+
>+
>+int
>+smd5_pwd_storage_scheme_init( Slapi_PBlock *pb )
>+{
>+ int rc;
>+ char *name;
>+
>+ slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "=> smd5_pwd_storage_scheme_init\n" );
>+
>+ rc = slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION,
>+ (void *) SLAPI_PLUGIN_VERSION_01 );
>+ rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION,
>+ (void *)&smd5_pdesc );
>+ rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN,
>+ (void *) smd5_pw_enc );
>+ rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN,
>+ (void *) smd5_pw_cmp );
>+ name = slapi_ch_strdup("SMD5");
>+ rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_NAME,
>+ name );
>+
>+ slapi_log_error( SLAPI_LOG_PLUGIN, plugin_name, "<= smd5_pwd_storage_scheme_init %d\n\n", rc );
>+ return( rc );
>+}
>+
>diff -ur fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/pwdstorage.h ldapserver/ldap/servers/plugins/pwdstorage/pwdstorage.h
>--- fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/pwdstorage.h 2005-09-06 17:15:15.000000000 -0400
>+++ ldapserver/ldap/servers/plugins/pwdstorage/pwdstorage.h 2006-08-02 17:13:59.000000000 -0400
>@@ -75,6 +75,8 @@
> #define CLEARTEXT_NAME_LEN 5
> #define MD5_SCHEME_NAME "MD5"
> #define MD5_NAME_LEN 3
>+#define SMD5_SCHEME_NAME "SMD5"
>+#define SMD5_NAME_LEN 4
>
> SECStatus sha_salted_hash(unsigned char *hash_out, char *pwd, struct berval *salt, unsigned int secOID);
> int sha_pw_cmp( char *userpwd, char *dbpwd, unsigned int shaLen );
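Review bot: smd5_pwd_storage_scheme_init registers the scheme name from the literal "SMD5", while smd5_pw_enc builds the stored prefix from SMD5_SCHEME_NAME, so the registered name and the prefix written into stored values can drift apart if either is edited. Assuming pwd_init.c includes pwdstorage.h (not visible in this hunk), use the macro instead: `name = slapi_ch_strdup(SMD5_SCHEME_NAME);`. The new function also has no header comment; a one-line `/* Register the SMD5 encode/compare callbacks and scheme name on the plugin parameter block. */` above it would describe what the body does.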
>@@ -102,6 +104,8 @@
> int ns_mta_md5_pw_cmp( char *userpwd, char *dbpwd );
> int md5_pw_cmp( char *userpwd, char *dbpwd );
> char *md5_pw_enc( char *pwd );
>+int smd5_pw_cmp ( char *userpwd, char *dbpwd );
>+char *smd5_pw_enc( char *pwd );
>
>
> #if !defined(NET_SSL)
>diff -ur fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/ssha_pwd.c ldapserver/ldap/servers/plugins/pwdstorage/ssha_pwd.c
>--- fedora-ds-1.0.2/ldap/servers/plugins/pwdstorage/ssha_pwd.c 2005-09-14 19:37:37.000000000 -0400
>+++ ldapserver/ldap/servers/plugins/pwdstorage/ssha_pwd.c 2006-08-02 17:16:00.000000000 -0400
>@@ -55,7 +55,7 @@
>
> #define SHA_SALT_LENGTH 8 /* number of bytes of data in salt */
>
>-static void ssha_rand_array(void *randx, size_t len);
>+void ssha_rand_array(void *randx, size_t len);
>
>
> /* ***************************************************
>@@ -63,7 +63,7 @@
> that here since this module is included in libds_admin, which doesn't
> link to libslapd.
> *************************************************** */
>-static void
>+void
> ssha_rand_array(void *randx, size_t len)
> {
> PK11_RandomUpdate(randx, len);
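Review bot: Dropping `static` from ssha_rand_array makes it linkable from md5_pwd.c, but the only prototype stays inside ssha_pwd.c and neither pwdstorage.h hunk shown adds one, so smd5_pw_enc appears to call it through an implicit declaration. In that case the `MD5_SALT_LEN` argument is passed as int where the definition expects size_t, which is undefined behaviour and is reported by -Wimplicit-function-declaration. Move the prototype next to the other declarations in pwdstorage.h, `void ssha_rand_array(void *randx, size_t len);`, with a short comment that the salted schemes share it. The same `static` removal is repeated at the definition in the following hunk, whose function body continues outside the hunk.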