Adding crypt(3) salt format (ITS#1202) from Jeff Costlow <j.costlow@f5.com>

with minor changes by committer --- Copyright 2001, F5 Networks, Inc, All rights reserved. This software is not subject to any license of F5 Networks. This is free software; you can redistribute and use it under the same terms as OpenLDAP itself.
2025-12-20 22:59:34 -05:00 · 2001-06-13 03:47:17 +00:00 · 2001-06-13 03:47:17 +00:00 · 8d4c20cd6d
commit 8d4c20cd6d
parent ff30a0387d
3 changed files with 56 additions and 4 deletions
--- a/include/lutil.h
+++ b/include/lutil.h
@ -95,6 +95,10 @@ LDAP_LUTIL_F( int )
 lutil_passwd_scheme LDAP_P((
 	const char *scheme ));

+LDAP_LUTIL_F( int )
+lutil_salt_format LDAP_P((
+	const char *format ));
+
 /* utils.c */
 LDAP_LUTIL_F( char* )
 lutil_progname LDAP_P((
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@ -65,6 +65,10 @@
 static const unsigned char crypt64[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";

+#ifdef SLAPD_CRYPT
+static const char *salt_format = NULL;
+#endif
+
 struct pw_scheme;

 typedef int (*PASSWD_CHK_FUNC)(
@ -1188,7 +1192,7 @@ static struct berval *hash_crypt(
 	const struct berval *passwd )
 {
 	struct berval hash;
-	unsigned char salt[9];	/* salt suitable for anything */
+	unsigned char salt[32];	/* salt suitable for most anything */
 	int i;

 	for( i=0; i<passwd->bv_len; i++) {
@ -1201,14 +1205,22 @@ static struct berval *hash_crypt(
 		return NULL;	/* passwd must behave like a string */
 	}

-	if( lutil_entropy( salt, 8) < 0 ) {
+	if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) {
 		return NULL; 
 	}

-	for( i=0; i<8; i++ ) {
+	for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
 		salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ];
 	}
-	salt[8] = '\0';
+	salt[sizeof( salt ) - 1 ] = '\0';
+
+	if( salt_format != NULL ) {
+		/* copy the salt we made into entropy before snprintfing
+		   it back into the salt */
+		char entropy[sizeof(salt)];
+		strcpy( entropy, salt );
+		snprintf( salt, sizeof(entropy), salt_format, entropy );
+	}

 	hash.bv_val = crypt( passwd->bv_val, salt );

@ -1223,3 +1235,20 @@ static struct berval *hash_crypt(
 	return pw_string( scheme, &hash );
 }
 #endif
+
+int lutil_salt_format(const char *format)
+{
+#ifdef SLAPD_CRYPT
+	if (format) {
+		if (salt_format)
+			free(salt_format);
+		salt_format = strdup(format);
+	} else {  // unset if they pass in NULL
+		if (salt_format)
+			free(salt_format);
+		salt_format = NULL;
+	}
+#endif
+
+	return 0;
+}
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -503,6 +503,25 @@ read_config( const char *fname )
 				default_passwd_hash = ch_strdup( cargv[1] );
 			}

+		} else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 ) 
+		{
+			if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					"%s: line %d: missing format in "
+					"\"password-crypt-salt-format <format>\" line\n",
+					fname, lineno ));
+#else
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: missing format in "
+					"\"password-crypt-salt-format <format>\" line\n",
+				    fname, lineno, 0 );
+#endif
+
+				return 1;
+			}
+
+			lutil_salt_format( cargv[1] );
+
 		/* set SASL host */
 		} else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
 			if ( cargc < 2 ) {