Modify lutil_passwd to accept a third argument char** methods to

specific which methods may be used.  This will facilate development
of a slapd config directive "passwordMethod ..." to specify which
methods should be allowed.

include/lutil.h

@@ -39,7 +39,8 @@ lutil_detach LDAP_P((
 LDAP_F( int )
 lutil_passwd LDAP_P((
 	const char *cred,
-	const char *passwd));
+	const char *passwd,
+	const char **methods ));
 
 LDAP_END_DECL
 

libraries/liblutil/passwd.c

@@ -26,27 +26,65 @@
 #	include <pwd.h>
 #endif
 
+static int supported_hash(
+	const char* method,
+	const char** methods )
+{
+	int i;
+
+	if(methods == NULL) {
+		return 1;
+	}
+
+	for(i=0; methods[i] != NULL; i++) {
+		if(strcasecmp(method, methods[i]) == 0) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+static const char *passwd_hash(
+	const char* passwd,
+	const char* method,
+	const char** methods )
+{
+	int len;
+
+	if( !supported_hash( method, methods ) ) {
+		return NULL;
+	}
+
+	len = strlen(method);
+
+	if( strncasecmp( passwd, method, len ) == 0 ) {
+		return &passwd[len];
+	}
+
+	return NULL;
+}
+
 /*
  * Return 0 if creds are good.
  */
-
 int
 lutil_passwd(
 	const char *cred,
-	const char *passwd)
+	const char *passwd,
+	const char **methods)
 {
+	const char *p;
 
 	if (cred == NULL || passwd == NULL) {
 		return -1;
 	}
 
-	if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
+	if ((p = passwd_hash( passwd, "{MD5}", methods )) != NULL ) {
 		lutil_MD5_CTX MD5context;
 		unsigned char MD5digest[16];
 		char base64digest[25];  /* ceiling(sizeof(input)/3) * 4 + 1 */
 
-		const char *p = passwd + (sizeof("{MD5}") - 1);
-
 		lutil_MD5Init(&MD5context);
 		lutil_MD5Update(&MD5context,
 			       (const unsigned char *)cred, strlen(cred));
@@ -60,11 +98,10 @@ lutil_passwd(
 
 		return( strcmp(p, base64digest) );
 
-	} else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
+	} else if ((p = passwd_hash( passwd, "{SHA}", methods )) != NULL ) {
 		lutil_SHA1_CTX SHA1context;
 		unsigned char SHA1digest[20];
 		char base64digest[29];  /* ceiling(sizeof(input)/3) * 4 + 1 */
-		const char *p = passwd + (sizeof("{SHA}") - 1);
 
 		lutil_SHA1Init(&SHA1context);
 		lutil_SHA1Update(&SHA1context,
@@ -79,10 +116,9 @@ lutil_passwd(
 
 		return( strcmp(p, base64digest) );
 
-	} else if (strncasecmp(passwd, "{SSHA}", sizeof("{SSHA}") - 1) == 0) {
+	} else if ((p = passwd_hash( passwd, "{SSHA}", methods )) != NULL ) {
 		lutil_SHA1_CTX SHA1context;
 		unsigned char SHA1digest[20];
-		const char *p = passwd + (sizeof("{SSHA}") - 1);
 		int pw_len = strlen(p);
 		int rc;
 		unsigned char *orig_pass = NULL;
@@ -109,10 +145,9 @@ lutil_passwd(
 		free(orig_pass);
 		return(rc);
 
-	} else if (strncasecmp(passwd, "{SMD5}", sizeof("{SMD5}") - 1) == 0) {
+	} else if ((p = passwd_hash( passwd, "{SMD5}", methods )) != NULL ) {
 		lutil_MD5_CTX MD5context;
 		unsigned char MD5digest[16];
-		const char *p = passwd + (sizeof("{SMD5}") - 1);
 		int pw_len = strlen(p);
 		int rc;
 		unsigned char *orig_pass = NULL;
@@ -140,18 +175,15 @@ lutil_passwd(
 		return ( rc );
 
 #ifdef SLAPD_CRYPT
-	} else if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
-		const char *p = passwd + (sizeof("{CRYPT}") - 1);
-
+	} else if ((p = passwd_hash( passwd, "{CRYPT}", methods )) != NULL ) {
 		return( strcmp(p, crypt(cred, p)) );
 
 # if defined( HAVE_GETSPNAM ) \
   || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
-	} else if (strncasecmp(passwd, "{UNIX}", sizeof("{UNIX}") - 1) == 0 ) {
-		const char *u = passwd + (sizeof("{UNIX}") - 1);
+	} else if ((p = passwd_hash( passwd, "{UNIX}", methods )) != NULL ) {
 
 #  ifdef HAVE_GETSPNAM
-		struct spwd *spwd = getspnam(u);
+		struct spwd *spwd = getspnam(p);
 
 		if(spwd == NULL) {
 			return 1;	/* not found */
@@ -159,7 +191,7 @@ lutil_passwd(
 
 		return strcmp(spwd->sp_pwdp, crypt(cred, spwd->sp_pwdp));
 #  else
-		struct passwd *pwd = getpwnam(u);
+		struct passwd *pwd = getpwnam(p);
 
 		if(pwd == NULL) {
 			return 1;	/* not found */
@@ -172,7 +204,8 @@ lutil_passwd(
 	}
 
 #ifdef SLAPD_CLEARTEXT
-	return( strcmp(passwd, cred) );
+	return supported_hash("{CLEARTEXT}", methods ) &&
+		strcmp(passwd, cred) != 0;
 #else
 	return( 1 );
 #endif

servers/slapd/back-bdb2/bind.c

@@ -39,7 +39,8 @@ crypted_value_find(
 
 			result = lutil_passwd(
 				(char*) cred->bv_val,
-				(char*) vals[i]->bv_val);
+				(char*) vals[i]->bv_val,
+				NULL );
 
 #ifdef SLAPD_CRYPT
 			ldap_pvt_thread_mutex_unlock( &crypt_mutex );

servers/slapd/back-ldbm/bind.c

@@ -39,7 +39,8 @@ crypted_value_find(
 
 			result = lutil_passwd(
 				(char*) cred->bv_val,
-				(char*) vals[i]->bv_val);
+				(char*) vals[i]->bv_val,
+				NULL );
 
 #ifdef SLAPD_CRYPT
 			ldap_pvt_thread_mutex_unlock( &crypt_mutex );

servers/slapd/backend.c

@@ -525,7 +525,7 @@ be_isroot_pw( Backend *be, char *ndn, struct berval *cred )
 	ldap_pvt_thread_mutex_lock( &crypt_mutex );
 #endif
 
-	result = lutil_passwd( cred->bv_val, be->be_root_pw );
+	result = lutil_passwd( cred->bv_val, be->be_root_pw, NULL );
 
 #ifdef SLAPD_CRYPT
 	ldap_pvt_thread_mutex_unlock( &crypt_mutex );