1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
If GnuTLS is used, the lmpasswd module for USE=samba does not compile.
Forward-port an old Debian patch that upstream never applied.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Steffen Hau <steffen@hauihau.de>
X-Gentoo-Bug: http://bugs.gentoo.org/show_bug.cgi?id=233633
X-Upstream-Bug: http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=4997
X-Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=245341
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -51,6 +51,26 @@ typedef unsigned char des_data_block[8];
typedef PK11Context *des_context[1];
#define DES_ENCRYPT CKA_ENCRYPT
+#elif defined(HAVE_GNUTLS_GNUTLS_H) && !defined(DES_ENCRYPT)
+# include <gcrypt.h>
+static int gcrypt_init = 0;
+
+typedef const void* des_key;
+typedef unsigned char DES_cblock[8];
+typedef DES_cblock des_data_block;
+typedef int DES_key_schedule; /* unused */
+typedef DES_key_schedule des_context; /* unused */
+#define des_failed(encrypted) 0
+#define des_finish(key, schedule)
+
+#define DES_set_key_unchecked( key, key_sched ) \
+ gcry_cipher_setkey( hd, key, 8 )
+
+#define DES_ecb_encrypt( input, output, key_sched, enc ) \
+ gcry_cipher_encrypt( hd, *output, 8, *input, 8 )
+
+#define DES_set_odd_parity( key ) do {} while(0)
+
#endif
#endif /* SLAPD_LMHASH */
@@ -651,7 +671,7 @@ static int chk_md5(
#ifdef SLAPD_LMHASH
-#if defined(HAVE_OPENSSL)
+#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS_GNUTLS_H)
/*
* abstract away setting the parity.
@@ -841,6 +861,19 @@ static int chk_lanman(
des_data_block StdText = "KGS!@#$%";
des_data_block PasswordHash1, PasswordHash2;
char PasswordHash[33], storedPasswordHash[33];
+
+#if defined(HAVE_GNUTLS_GNUTLS_H) && !defined(DES_ENCRYPT)
+ gcry_cipher_hd_t hd;
+
+ if ( !gcrypt_init ) {
+ gcry_check_version( GCRYPT_VERSION );
+ gcrypt_init = 1;
+ }
+
+ schedule = schedule; /* unused - avoid warning */
+
+ gcry_cipher_open( &hd, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0 );
+#endif /* HAVE_GNUTLS_GNUTLS_H && !DES_ENCRYPT */
for( i=0; i<cred->bv_len; i++) {
if(cred->bv_val[i] == '\0') {
@@ -883,6 +916,10 @@ static int chk_lanman(
strncpy( storedPasswordHash, passwd->bv_val, 32 );
storedPasswordHash[32] = '\0';
ldap_pvt_str2lower( storedPasswordHash );
+
+#if defined(HAVE_GNUTLS_GNUTLS_H) && !defined(DES_ENCRYPT)
+ gcry_cipher_close( hd );
+#endif /* HAVE_GNUTLS_GNUTLS_H && !DES_ENCRYPT */
return memcmp( PasswordHash, storedPasswordHash, 32) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
}
@@ -1138,6 +1175,19 @@ static int hash_lanman(
des_data_block PasswordHash1, PasswordHash2;
char PasswordHash[33];
+#if defined(HAVE_GNUTLS_GNUTLS_H) && !defined(DES_ENCRYPT)
+ gcry_cipher_hd_t hd;
+
+ if ( !gcrypt_init ) {
+ gcry_check_version( GCRYPT_VERSION );
+ gcrypt_init = 1;
+ }
+
+ schedule = schedule; /* unused - avoid warning */
+
+ gcry_cipher_open( &hd, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0 );
+#endif /* HAVE_GNUTLS_GNUTLS_H && !DES_ENCRYPT */
+
for( i=0; i<passwd->bv_len; i++) {
if(passwd->bv_val[i] == '\0') {
return LUTIL_PASSWD_ERR; /* NUL character in password */
@@ -1168,6 +1218,10 @@ static int hash_lanman(
hash->bv_val = PasswordHash;
hash->bv_len = 32;
+
+#if defined(HAVE_GNUTLS_GNUTLS_H) && !defined(DES_ENCRYPT)
+ gcry_cipher_close( hd );
+#endif /* HAVE_GNUTLS_GNUTLS_H && !DES_ENCRYPT */
return pw_string( scheme, hash );
}
|