[dovecot-cvs] dovecot/src/auth password-scheme-md5crypt.c, 1.2, 1.3 password-scheme-rpa.c, 1.2, 1.3 password-scheme.c, 1.23, 1.24

tss at dovecot.org tss at dovecot.org
Mon Oct 9 00:18:21 UTC 2006 

Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv426

Modified Files:
	password-scheme-md5crypt.c password-scheme-rpa.c 
	password-scheme.c 
Log Message:
Based on password length detect if it's hex-encoded or sha1-encoded. Also
use MD[45]_RESULTLEN macros instead of hardcoded 16 value.



Index: password-scheme-md5crypt.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/password-scheme-md5crypt.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- password-scheme-md5crypt.c	16 Jan 2005 16:47:27 -0000	1.2
+++ password-scheme-md5crypt.c	8 Oct 2006 23:18:17 -0000	1.3
@@ -49,7 +49,7 @@
 const char *password_generate_md5_crypt(const char *pw, const char *salt)
 {
 	const char *sp,*ep;
-	unsigned char	final[16];
+	unsigned char	final[MD5_RESULTLEN];
 	int sl,pl,i,j;
 	struct md5_context ctx,ctx1;
 	unsigned long l;
@@ -87,8 +87,8 @@
 	md5_update(&ctx1,sp,sl);
 	md5_update(&ctx1,pw,pw_len);
 	md5_final(&ctx1,final);
-	for(pl = pw_len; pl > 0; pl -= 16)
-		md5_update(&ctx,final,pl>16 ? 16 : pl);
+	for(pl = pw_len; pl > 0; pl -= MD5_RESULTLEN)
+		md5_update(&ctx,final,pl>MD5_RESULTLEN ? MD5_RESULTLEN : pl);
 
 	/* Don't leave anything around in vm they could use. */
 	safe_memset(final, 0, sizeof(final));
@@ -118,7 +118,7 @@
 		if(i & 1)
 			md5_update(&ctx1,pw,pw_len);
 		else
-			md5_update(&ctx1,final,16);
+			md5_update(&ctx1,final,MD5_RESULTLEN);
 
 		if(i % 3)
 			md5_update(&ctx1,sp,sl);
@@ -127,7 +127,7 @@
 			md5_update(&ctx1,pw,pw_len);
 
 		if(i & 1)
-			md5_update(&ctx1,final,16);
+			md5_update(&ctx1,final,MD5_RESULTLEN);
 		else
 			md5_update(&ctx1,pw,pw_len);
 		md5_final(&ctx1,final);

Index: password-scheme-rpa.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/password-scheme-rpa.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- password-scheme-rpa.c	8 Oct 2004 17:51:47 -0000	1.2
+++ password-scheme-rpa.c	8 Oct 2006 23:18:18 -0000	1.3
@@ -26,7 +26,7 @@
 
 const char *password_generate_rpa(const char *pw)
 {
-	unsigned char hash[16];
+	unsigned char hash[MD5_RESULTLEN];
 	unsigned char *ucs2be_pw;
 	size_t size;
 

Index: password-scheme.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/password-scheme.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -r1.23 -r1.24
--- password-scheme.c	17 Jun 2006 16:01:14 -0000	1.23
+++ password-scheme.c	8 Oct 2006 23:18:18 -0000	1.24
@@ -153,28 +153,43 @@
 	return str_c(str);
 }
 
+static const void *
+password_decode(const char *password, unsigned int result_len)
+{
+	buffer_t *buf;
+	size_t len;
+
+	len = strlen(password);
+	if (len == result_len*2) {
+		/* hex-encoded */
+		buf = buffer_create_static_hard(pool_datastack_create(),
+						result_len);
+
+		if (hex_to_binary(password, buf) < 0)
+			return NULL;
+	} else {
+		/* base64-encoded */
+		buf = buffer_create_static_hard(pool_datastack_create(),
+						MAX_BASE64_DECODED_SIZE(len));
+
+		if (base64_decode(password, len, NULL, buf) < 0)
+			return NULL;
+	}
+
+	return buf->used != result_len ? NULL : buf->data;
+}
+
 static bool sha1_verify(const char *plaintext, const char *password,
 			const char *user __attr_unused__)
 {
 	unsigned char sha1_digest[SHA1_RESULTLEN];
 	const char *data;
-	buffer_t *buf;
-	size_t size, password_len;
 
 	sha1_get_digest(plaintext, strlen(plaintext), sha1_digest);
 
-	password_len = strlen(password);
-	buf = buffer_create_static_hard(pool_datastack_create(),
-					MAX_BASE64_DECODED_SIZE(password_len));
-
-	if (base64_decode(password, password_len, NULL, buf) < 0) {
-		i_error("sha1_verify(%s): failed decoding SHA base64", user);
-		return 0;
-	}
-
-	data = buffer_get_data(buf, &size);
-	if (size < SHA1_RESULTLEN) {
-		i_error("sha1_verify(%s): invalid SHA base64 decode", user);
+	data = password_decode(password, SHA1_RESULTLEN);
+	if (data == NULL) {
+		i_error("sha1_verify(%s): Invalid password encoding", user);
 		return 0;
 	}
 
@@ -237,7 +252,7 @@
 				 const char *user __attr_unused__)
 {
 	unsigned char smd5_digest[20];
-	unsigned char *salt = &smd5_digest[16];
+	unsigned char *salt = &smd5_digest[MD5_RESULTLEN];
 	struct md5_context ctx;
 	string_t *str;
 
@@ -256,7 +271,7 @@
 static bool smd5_verify(const char *plaintext, const char *password,
 			const char *user __attr_unused__)
 {
-	unsigned char md5_digest[16];
+	unsigned char md5_digest[MD5_RESULTLEN];
 	buffer_t *buf;
 	const char *data;
 	size_t size, password_len;
@@ -273,16 +288,16 @@
 	}
 
 	data = buffer_get_data(buf, &size);
-	if (size <= 16) {
+	if (size <= MD5_RESULTLEN) {
 		i_error("smd5_verify(%s): invalid SMD5 base64 decode", user);
 		return 0;
 	}
 
 	md5_init(&ctx);
 	md5_update(&ctx, plaintext, strlen(plaintext));
-	md5_update(&ctx, &data[16], size-16);
+	md5_update(&ctx, &data[MD5_RESULTLEN], size-MD5_RESULTLEN);
 	md5_final(&ctx, md5_digest);
-	return memcmp(md5_digest, data, 16) == 0;
+	return memcmp(md5_digest, data, MD5_RESULTLEN) == 0;
 }
 
 static bool plain_verify(const char *plaintext, const char *password,
@@ -312,7 +327,7 @@
 static bool digest_md5_verify(const char *plaintext, const char *password,
 			      const char *user)
 {
-	unsigned char digest[16];
+	unsigned char digest[MD5_RESULTLEN];
 	const char *realm, *str;
 
 	/* user:realm:passwd */
@@ -330,7 +345,7 @@
 static const char *digest_md5_generate(const char *plaintext, const char *user)
 {
 	const char *realm, *str;
-	unsigned char digest[16];
+	unsigned char digest[MD5_RESULTLEN];
 
 	if (user == NULL)
 		i_fatal("digest_md5_generate(): username not given");
@@ -348,18 +363,24 @@
 static bool plain_md4_verify(const char *plaintext, const char *password,
 			     const char *user __attr_unused__)
 {
-	unsigned char digest[16];
-	const char *str;
+	unsigned char digest[MD4_RESULTLEN];
+	const void *data;
 
 	md4_get_digest(plaintext, strlen(plaintext), digest);
-	str = binary_to_hex(digest, sizeof(digest));
-	return strcasecmp(str, password) == 0;
+
+	data = password_decode(password, MD4_RESULTLEN);
+	if (data == NULL) {
+		i_error("plain_md4_verify(%s): Invalid password encoding",
+			user);
+		return 0;
+	}
+	return memcmp(digest, data, MD4_RESULTLEN) == 0;
 }
 
 static const char *plain_md4_generate(const char *plaintext,
 				      const char *user __attr_unused__)
 {
-	unsigned char digest[16];
+	unsigned char digest[MD4_RESULTLEN];
 
 	md4_get_digest(plaintext, strlen(plaintext), digest);
 	return binary_to_hex(digest, sizeof(digest));
@@ -368,18 +389,24 @@
 static bool plain_md5_verify(const char *plaintext, const char *password,
 			     const char *user __attr_unused__)
 {
-	unsigned char digest[16];
-	const char *str;
+	unsigned char digest[MD5_RESULTLEN];
+	const void *data;
 
 	md5_get_digest(plaintext, strlen(plaintext), digest);
-	str = binary_to_hex(digest, sizeof(digest));
-	return strcasecmp(str, password) == 0;
+
+	data = password_decode(password, MD5_RESULTLEN);
+	if (data == NULL) {
+		i_error("plain_md5_verify(%s): Invalid password encoding",
+			user);
+		return 0;
+	}
+	return memcmp(digest, data, MD5_RESULTLEN) == 0;
 }
 
 static const char *plain_md5_generate(const char *plaintext,
 				      const char *user __attr_unused__)
 {
-	unsigned char digest[16];
+	unsigned char digest[MD5_RESULTLEN];
 
 	md5_get_digest(plaintext, strlen(plaintext), digest);
 	return binary_to_hex(digest, sizeof(digest));
@@ -388,7 +415,7 @@
 static const char *ldap_md5_generate(const char *plaintext,
 				     const char *user __attr_unused__)
 {
-	unsigned char digest[16];
+	unsigned char digest[MD5_RESULTLEN];
 	string_t *str;
 
 	md5_get_digest(plaintext, strlen(plaintext), digest);
@@ -397,35 +424,6 @@
 	return str_c(str);
 }
 
-static bool ldap_md5_verify(const char *plaintext, const char *password,
-			    const char *user __attr_unused__)
-{
-	unsigned char md5_digest[16];
-	buffer_t *buf;
-	const char *data;
-	size_t size, password_len;
-
-	md5_get_digest(plaintext, strlen(plaintext), md5_digest);
-
-	password_len = strlen(password);
-	buf = buffer_create_static_hard(pool_datastack_create(),
-					MAX_BASE64_DECODED_SIZE(password_len));
-
-	if (base64_decode(password, password_len, NULL, buf) < 0) {
-		i_error("ldap_md5_verify(%s): failed decoding MD5 base64",
-			user);
-		return 0;
-	}
-
-	data = buffer_get_data(buf, &size);
-	if (size != 16) {
-		i_error("ldap_md5_verify(%s): invalid MD5 base64 decode", user);
-		return 0;
-	}
-
-	return memcmp(md5_digest, data, 16) == 0;
-}
-
 static bool lm_verify(const char *plaintext, const char *password,
 		      const char *user __attr_unused__)
 {
@@ -475,7 +473,7 @@
 	{ "DIGEST-MD5", digest_md5_verify, digest_md5_generate },
 	{ "PLAIN-MD4", plain_md4_verify, plain_md4_generate },
 	{ "PLAIN-MD5", plain_md5_verify, plain_md5_generate },
-	{ "LDAP-MD5", ldap_md5_verify, ldap_md5_generate },
+	{ "LDAP-MD5", plain_md5_verify, ldap_md5_generate },
 	{ "LANMAN", lm_verify, lm_generate },
 	{ "NTLM", ntlm_verify, ntlm_generate },
 	{ "RPA", rpa_verify, rpa_generate },

More information about the dovecot-cvs mailing list