[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Upgrade issue ("{CLEARTEXT}" not available)

To: openldap-software@OpenLDAP.org
Subject: Re: Upgrade issue ("{CLEARTEXT}" not available)
From: Michael Hall <mhall@riverside.org>
Date: Tue, 11 Oct 2005 16:49:53 -0700
Content-disposition: inline
In-reply-to: <434C41BE.7080000@symas.com>
References: <20051011215827.GA24307@riverside.org> <434C41BE.7080000@symas.com>
User-agent: Mutt/1.4i

On Tue, Oct 11, 2005 at 03:50:38PM -0700, Howard Chu wrote:

> Michael Hall wrote:
> >While upgrading from 2.2.27 to 2.2.28 (on FreeBSD 4.11, using ports) I get 
> >the
> >following error:
> >   
> >Sep 28 02:40:39 vulcan slapd[80851]: @(#) $OpenLDAP: slapd 2.2.28 (Sep 28 
> >2005
> >02:39:50) $     
> >root@vulcan.rockisland.com:/usr/local/var/tmp/usr/ports/net/ope
> >nldap22-sasl-server/work/openldap-2.2.28/servers/slapd
> >Sep 28 02:40:39 vulcan slapd[80851]: /usr/local/etc/openldap/slapd.conf: 
> >line 3
> >2: password scheme "{CLEARTEXT}" not available
> >Sep 28 02:40:39 vulcan slapd[80851]: /usr/local/etc/openldap/slapd.conf: 
> >line 3
> >2: no valid hashes found
> >Sep 28 02:40:39 vulcan slapd[80851]: slapd stopped.

<snip>

> >Any pointers or resolution for this issue?
> Sounds like ITS#4021. The fix was released in 2.3.8, and was not 
> backported to 2.2. The patch is simple, you can get it from CVS 
> libraries/liblutil/passwd.c r1.103

Please excuse my ignorance but a diff (attached) between 1.103 and
1.74.2.13 (v2.2.8) shows quite a few changes. I'm not enough of a 'C'
programmer to know what is applicable or not.

--
"Hey, Worf...I hooked Data up to a Modem...Wanna see?"

Mike Hall,
System Admin - Rock Island Communications           <mikeh@rockisland.com>
System Admin - riverside.org, ssdd.org              <mhall@riverside.org>

--- passwd.c.ORIG	Tue Oct 11 16:22:46 2005
+++ passwd.c	Tue Oct 11 16:22:19 2005
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/passwd.c,v 1.74.2.13 2005/08/13 09:29:23 ando Exp $ */
+/* $OpenLDAP: /libraries/liblutil/passwd.c,v 1.103 2005/09/29 18:30:09 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2005 The OpenLDAP Foundation.
@@ -33,14 +33,6 @@
 #include <ac/string.h>
 #include <ac/unistd.h>
 
-#ifdef SLAPD_SPASSWD
-#	ifdef HAVE_SASL_SASL_H
-#		include <sasl/sasl.h>
-#	else
-#		include <sasl.h>
-#	endif
-#endif
-
 #if defined(SLAPD_LMHASH)
 #	include <openssl/des.h>
 #endif /* SLAPD_LMHASH */
@@ -50,7 +42,7 @@
 #ifdef SLAPD_CRYPT
 # include <ac/crypt.h>
 
-# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
+# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
 #  ifdef HAVE_SHADOW_H
 #	include <shadow.h>
 #  endif
@@ -77,8 +69,14 @@
 
 #ifdef SLAPD_CRYPT
 static char *salt_format = NULL;
+static lutil_cryptfunc lutil_crypt;
+lutil_cryptfunc *lutil_cryptptr = lutil_crypt;
 #endif
 
+/* KLUDGE:
+ *  chk_fn is NULL iff name is {CLEARTEXT}
+ *	otherwise, things will break
+ */
 struct pw_scheme {
 	struct berval name;
 	LUTIL_PASSWD_CHK_FUNC *chk_fn;
@@ -112,15 +110,11 @@
 static LUTIL_PASSWD_HASH_FUNC hash_lanman;
 #endif
 
-#ifdef SLAPD_SPASSWD
-static LUTIL_PASSWD_CHK_FUNC chk_sasl;
-#endif
-
 #ifdef SLAPD_CRYPT
 static LUTIL_PASSWD_CHK_FUNC chk_crypt;
 static LUTIL_PASSWD_HASH_FUNC hash_crypt;
 
-#if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
+#if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
 static LUTIL_PASSWD_CHK_FUNC chk_unix;
 #endif
 #endif
@@ -148,20 +142,16 @@
 	{ BER_BVC("{LANMAN}"),		chk_lanman, hash_lanman },
 #endif /* SLAPD_LMHASH */
 
-#ifdef SLAPD_SPASSWD
-	{ BER_BVC("{SASL}"),		chk_sasl, NULL },
-#endif
-
 #ifdef SLAPD_CRYPT
 	{ BER_BVC("{CRYPT}"),		chk_crypt, hash_crypt },
-# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
+# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
 	{ BER_BVC("{UNIX}"),		chk_unix, NULL },
 # endif
 #endif
 
 #ifdef SLAPD_CLEARTEXT
 	/* pseudo scheme */
-	{ {0, "{CLEARTEXT}"},		NULL, hash_clear },
+	{ BER_BVC("{CLEARTEXT}"),	NULL, hash_clear },
 #endif
 
 	{ BER_BVNULL, NULL, NULL }
@@ -223,9 +213,7 @@
 	bv.bv_val = (char *) scheme;
 
 	for( pws=pw_schemes; pws; pws=pws->next ) {
-		if( bv.bv_len != pws->s.name.bv_len )
-			continue;
-		if( strncasecmp(bv.bv_val, pws->s.name.bv_val, bv.bv_len ) == 0 ) {
+		if ( ber_bvstrcasecmp(&bv, &pws->s.name ) == 0 ) {
 			return &(pws->s);
 		}
 	}
@@ -317,10 +305,17 @@
 	}
 
 #ifdef SLAPD_CLEARTEXT
+	/* Do we think there is a scheme specifier here that we
+	* didn't recognize? Assume a scheme name is at least 1 character.
+	*/
+	if (( passwd->bv_val[0] == '{' ) &&
+		( strchr( passwd->bv_val, '}' ) > passwd->bv_val+1 ))
+	{
+		return 1;
+	}
 	if( is_allowed_scheme("{CLEARTEXT}", schemes ) ) {
-		return (( passwd->bv_len == cred->bv_len ) &&
-				( passwd->bv_val[0] != '{' /*'}'*/ ))
-			? memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len )
+		return ( passwd->bv_len == cred->bv_len ) ?
+			memcmp( passwd->bv_val, cred->bv_val, passwd->bv_len )
 			: 1;
 	}
 #endif
@@ -766,64 +761,29 @@
 }
 #endif /* SLAPD_LMHASH */
 
-#ifdef SLAPD_SPASSWD
-#ifdef HAVE_CYRUS_SASL
-sasl_conn_t *lutil_passwd_sasl_conn = NULL;
-#endif
-
-static int chk_sasl(
-	const struct berval *sc,
-	const struct berval * passwd,
-	const struct berval * cred,
-	const char **text )
+#ifdef SLAPD_CRYPT
+static int lutil_crypt(
+	const char *key,
+	const char *salt,
+	char **hash )
 {
-	unsigned int i;
-	int rtn;
-
-	for( i=0; i<cred->bv_len; i++) {
-		if(cred->bv_val[i] == '\0') {
-			return LUTIL_PASSWD_ERR;	/* NUL character in password */
-		}
-	}
-
-	if( cred->bv_val[i] != '\0' ) {
-		return LUTIL_PASSWD_ERR;	/* cred must behave like a string */
-	}
+	char *cr = crypt( key, salt );
+	int rc;
 
-	for( i=0; i<passwd->bv_len; i++) {
-		if(passwd->bv_val[i] == '\0') {
-			return LUTIL_PASSWD_ERR;	/* NUL character in password */
+	if( cr == NULL || cr[0] == '\0' ) {
+		/* salt must have been invalid */
+		rc = LUTIL_PASSWD_ERR;
+	} else {
+		if ( hash ) {
+			*hash = ber_strdup( cr );
+			rc = LUTIL_PASSWD_OK;
+		} else {
+			rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
 		}
 	}
-
-	if( passwd->bv_val[i] != '\0' ) {
-		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
-	}
-
-	rtn = LUTIL_PASSWD_ERR;
-
-#ifdef HAVE_CYRUS_SASL
-	if( lutil_passwd_sasl_conn != NULL ) {
-		int sc;
-# if SASL_VERSION_MAJOR < 2
-		sc = sasl_checkpass( lutil_passwd_sasl_conn,
-			passwd->bv_val, passwd->bv_len,
-			cred->bv_val, cred->bv_len,
-			text );
-# else
-		sc = sasl_checkpass( lutil_passwd_sasl_conn,
-			passwd->bv_val, passwd->bv_len,
-			cred->bv_val, cred->bv_len );
-# endif
-		rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
-	}
-#endif
-
-	return rtn;
+	return rc;
 }
-#endif
 
-#ifdef SLAPD_CRYPT
 static int chk_crypt(
 	const struct berval *sc,
 	const struct berval * passwd,
@@ -831,7 +791,6 @@
 	const char **text )
 {
 	unsigned int i;
-	char *cr;
 
 	for( i=0; i<cred->bv_len; i++) {
 		if(cred->bv_val[i] == '\0') {
@@ -857,17 +816,10 @@
 		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
 	}
 
-	cr = crypt( cred->bv_val, passwd->bv_val );
-
-	if( cr == NULL || cr[0] == '\0' ) {
-		/* salt must have been invalid */
-		return LUTIL_PASSWD_ERR;
-	}
-
-	return strcmp( passwd->bv_val, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+	return lutil_cryptptr( cred->bv_val, passwd->bv_val, NULL );
 }
 
-# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
+# if defined( HAVE_GETPWNAM ) && defined( HAVE_STRUCT_PASSWD_PW_PASSWD )
 static int chk_unix(
 	const struct berval *sc,
 	const struct berval * passwd,
@@ -875,7 +827,7 @@
 	const char **text )
 {
 	unsigned int i;
-	char *pw, *cr;
+	char *pw;
 
 	for( i=0; i<cred->bv_len; i++) {
 		if(cred->bv_val[i] == '\0') {
@@ -929,15 +881,7 @@
 		return LUTIL_PASSWD_ERR;
 	}
 
-	cr = crypt(cred->bv_val, pw);
-
-	if( cr == NULL || cr[0] == '\0' ) {
-		/* salt must have been invalid */
-		return LUTIL_PASSWD_ERR;
-	}
-
-	return strcmp(pw, cr) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
-
+	return lutil_cryptptr( cred->bv_val, pw, NULL );
 }
 # endif
 #endif
@@ -1111,6 +1055,8 @@
 {
 	unsigned char salt[32];	/* salt suitable for most anything */
 	unsigned int i;
+	char *save;
+	int rc;
 
 	for( i=0; i<passwd->bv_len; i++) {
 		if(passwd->bv_val[i] == '\0') {
@@ -1139,17 +1085,22 @@
 		snprintf( (char *) salt, sizeof(entropy), salt_format, entropy );
 	}
 
-	hash->bv_val = crypt( passwd->bv_val, (char *) salt );
+	rc = lutil_cryptptr( passwd->bv_val, (char *) salt, &hash->bv_val );
+	if ( rc != LUTIL_PASSWD_OK ) return rc;
 
 	if( hash->bv_val == NULL ) return -1;
 
 	hash->bv_len = strlen( hash->bv_val );
 
+	save = hash->bv_val;
+
 	if( hash->bv_len == 0 ) {
-		return LUTIL_PASSWD_ERR;
+		rc = LUTIL_PASSWD_ERR;
+	} else {
+		rc = pw_string( scheme, hash );
 	}
-
-	return pw_string( scheme, hash );
+	ber_memfree( save );
+	return rc;
 }
 #endif
 
@@ -1158,7 +1109,7 @@
 #ifdef SLAPD_CRYPT
 	free( salt_format );
 
-	salt_format = format != NULL ? strdup( format ) : NULL;
+	salt_format = format != NULL ? ber_strdup( format ) : NULL;
 #endif
 
 	return 0;

Follow-Ups:
- Re: Upgrade issue ("{CLEARTEXT}" not available)
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

References:
- Upgrade issue ("{CLEARTEXT}" not available)
  - From: Michael Hall <mhall@riverside.org>
- Re: Upgrade issue ("{CLEARTEXT}" not available)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Upgrade issue ("{CLEARTEXT}" not available)
Next by Date: Re: Upgrade issue ("{CLEARTEXT}" not available)
Index(es):
- Chronological
- Thread