passwd.c 10.9 KB
Newer Older
B
Bodo Möller 已提交
1 2
/* apps/passwd.c */

B
Bodo Möller 已提交
3 4 5 6 7
#if defined NO_MD5 || defined CHARSET_EBCDIC
# define NO_APR1
#endif

#if !defined(NO_DES) || !defined(NO_APR1)
B
Bodo Möller 已提交
8 9 10 11 12 13 14 15 16 17 18 19 20 21

#include <assert.h>
#include <string.h>

#include "apps.h"

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rand.h>

#ifndef NO_DES
# include <openssl/des.h>
#endif
22
#ifndef NO_APR1
U
Ulf Möller 已提交
23
# include <openssl/md5.h>
24 25
#endif

B
Bodo Möller 已提交
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

#undef PROG
#define PROG passwd_main


static unsigned const char cov_2char[64]={
	/* from crypto/des/fcrypt.c */
	0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
	0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
	0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
	0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
	0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
	0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
	0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
	0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
};

43 44 45 46
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
	char *passwd, BIO *out, int quiet, int table, int reverse,
	size_t pw_maxlen, int usecrypt, int useapr1);

B
Bodo Möller 已提交
47
/* -crypt        - standard Unix password algorithm (default, only choice)
48
 * -apr1         - MD5-based password algorithm
B
Bodo Möller 已提交
49
 * -salt string  - salt
50 51
 * -in file      - read passwords from file
 * -stdin        - read passwords from stdin
B
Bodo Möller 已提交
52 53
 * -quiet        - no warnings
 * -table        - format output as table
54
 * -reverse      - switch table columns
B
Bodo Möller 已提交
55 56
 */

57 58
int MAIN(int, char **);

B
Bodo Möller 已提交
59 60 61
int MAIN(int argc, char **argv)
	{
	int ret = 1;
62 63 64
	char *infile = NULL;
	int in_stdin = 0;
	char *salt = NULL, *passwd = NULL, **passwds = NULL;
B
Bodo Möller 已提交
65
	char *salt_malloc = NULL, *passwd_malloc = NULL;
66
	size_t passwd_malloc_size = 0;
67 68
	int pw_source_defined = 0;
	BIO *in = NULL, *out = NULL;
B
Bodo Möller 已提交
69
	int i, badopt, opt_done;
70 71
	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
	int usecrypt = 0, useapr1 = 0;
B
Bodo Möller 已提交
72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
	size_t pw_maxlen = 0;

	apps_startup();

	if (bio_err == NULL)
		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
	out = BIO_new(BIO_s_file());
	if (out == NULL)
		goto err;
	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);

	badopt = 0, opt_done = 0;
	i = 0;
	while (!badopt && !opt_done && argv[++i] != NULL)
		{
		if (strcmp(argv[i], "-crypt") == 0)
B
Ben Laurie 已提交
89
			usecrypt = 1;
90 91
		else if (strcmp(argv[i], "-apr1") == 0)
			useapr1 = 1;
B
Bodo Möller 已提交
92 93 94 95 96 97 98
		else if (strcmp(argv[i], "-salt") == 0)
			{
			if ((argv[i+1] != NULL) && (salt == NULL))
				{
				passed_salt = 1;
				salt = argv[++i];
				}
99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120
			else
				badopt = 1;
			}
		else if (strcmp(argv[i], "-in") == 0)
			{
			if ((argv[i+1] != NULL) && !pw_source_defined)
				{
				pw_source_defined = 1;
				infile = argv[++i];
				}
			else
				badopt = 1;
			}
		else if (strcmp(argv[i], "-stdin") == 0)
			{
			if (!pw_source_defined)
				{
				pw_source_defined = 1;
				in_stdin = 1;
				}
			else
				badopt = 1;
B
Bodo Möller 已提交
121 122 123 124 125
			}
		else if (strcmp(argv[i], "-quiet") == 0)
			quiet = 1;
		else if (strcmp(argv[i], "-table") == 0)
			table = 1;
126 127
		else if (strcmp(argv[i], "-reverse") == 0)
			reverse = 1;
B
Bodo Möller 已提交
128 129
		else if (argv[i][0] == '-')
			badopt = 1;
130 131
		else if (!pw_source_defined)
			/* non-option arguments, use as passwords */
B
Bodo Möller 已提交
132
			{
133
			pw_source_defined = 1;
B
Bodo Möller 已提交
134 135 136
			passwds = &argv[i];
			opt_done = 1;
			}
137 138
		else
			badopt = 1;
B
Bodo Möller 已提交
139 140
		}

141
	if (!usecrypt && !useapr1) /* use default */
B
Ben Laurie 已提交
142
		usecrypt = 1;
143
	if (usecrypt + useapr1 > 1) /* conflict */
B
Bodo Möller 已提交
144 145
		badopt = 1;

146 147 148 149 150 151 152 153
	/* reject unsupported algorithms */
#ifdef NO_DES
	if (usecrypt) badopt = 1;
#endif
#ifdef NO_APR1
	if (useapr1) badopt = 1;
#endif

B
Bodo Möller 已提交
154 155 156 157
	if (badopt) 
		{
		BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
		BIO_printf(bio_err, "where options are\n");
158
#ifndef NO_DES
B
Bodo Möller 已提交
159
		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
160 161 162 163
#endif
#ifndef NO_APR1
		BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
#endif
B
Bodo Möller 已提交
164
		BIO_printf(bio_err, "-salt string       use provided salt\n");
165 166
		BIO_printf(bio_err, "-in file           read passwords from file\n");
		BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
B
Bodo Möller 已提交
167 168
		BIO_printf(bio_err, "-quiet             no warnings\n");
		BIO_printf(bio_err, "-table             format output as table\n");
169
		BIO_printf(bio_err, "-reverse           switch table columns\n");
B
Bodo Möller 已提交
170 171 172 173
		
		goto err;
		}

174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
	if ((infile != NULL) || in_stdin)
		{
		in = BIO_new(BIO_s_file());
		if (in == NULL)
			goto err;
		if (infile != NULL)
			{
			assert(in_stdin == 0);
			if (BIO_read_filename(in, infile) <= 0)
				goto err;
			}
		else
			{
			assert(in_stdin);
			BIO_set_fp(in, stdin, BIO_NOCLOSE);
			}
		}
	
B
Ben Laurie 已提交
192
	if (usecrypt)
B
Bodo Möller 已提交
193
		pw_maxlen = 8;
194 195
	else if (useapr1)
		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
B
Bodo Möller 已提交
196 197

	if (passwds == NULL)
198 199
		{
		/* no passwords on the command line */
200 201

		passwd_malloc_size = pw_maxlen + 2;
202
		/* longer than necessary so that we can warn about truncation */
203
		passwd = passwd_malloc = Malloc(passwd_malloc_size);
204 205 206 207 208
		if (passwd_malloc == NULL)
			goto err;
		}

	if ((in == NULL) && (passwds == NULL))
B
Bodo Möller 已提交
209 210 211
		{
		/* build a null-terminated list */
		static char *passwds_static[2] = {NULL, NULL};
212
		
B
Bodo Möller 已提交
213
		passwds = passwds_static;
214
		if (in == NULL)
215
			if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", 0) != 0)
216
				goto err;
B
Bodo Möller 已提交
217 218 219
		passwds[0] = passwd_malloc;
		}

220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235
	if (in == NULL)
		{
		assert(passwds != NULL);
		assert(*passwds != NULL);
		
		do /* loop over list of passwords */
			{
			passwd = *passwds++;
			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
				quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
				goto err;
			}
		while (*passwds != NULL);
		}
	else
		/* in != NULL */
B
Bodo Möller 已提交
236
		{
237 238 239 240
		int done;

		assert (passwd != NULL);
		do
B
Bodo Möller 已提交
241
			{
242 243
			int r = BIO_gets(in, passwd, pw_maxlen + 1);
			if (r > 0)
B
Bodo Möller 已提交
244
				{
245 246 247 248
				char *c = (strchr(passwd, '\n')) ;
				if (c != NULL)
					*c = 0; /* truncate at newline */
				else
B
Bodo Möller 已提交
249
					{
250 251 252 253 254
					/* ignore rest of line */
					char trash[BUFSIZ];
					do
						r = BIO_gets(in, trash, sizeof trash);
					while ((r > 0) && (!strchr(trash, '\n')));
B
Bodo Möller 已提交
255
					}
256 257 258
				
				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
					quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
B
Bodo Möller 已提交
259 260
					goto err;
				}
261
			done = (r <= 0);
B
Bodo Möller 已提交
262
			}
263
		while (!done);
B
Bodo Möller 已提交
264
		}
265

B
Bodo Möller 已提交
266 267 268 269 270 271
err:
	ERR_print_errors(bio_err);
	if (salt_malloc)
		Free(salt_malloc);
	if (passwd_malloc)
		Free(passwd_malloc);
272 273
	if (in)
		BIO_free(in);
B
Bodo Möller 已提交
274 275 276 277
	if (out)
		BIO_free(out);
	EXIT(ret);
	}
278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331


#ifndef NO_APR1
/* MD5-based password algorithm compatible to the one found in Apache
 * (should probably be available as a library function;
 * then the static buffer would not be acceptable) */
static char *apr1_crypt(const char *passwd, const char *salt)
	{
	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
	unsigned char buf[MD5_DIGEST_LENGTH];
	char *salt_out;
	int n, i;
	MD5_CTX md;
	size_t passwd_len, salt_len;

	passwd_len = strlen(passwd);
	strcpy(out_buf, "$apr1$");
	strncat(out_buf, salt, 8);
	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
	salt_out = out_buf + 6;
	salt_len = strlen(salt_out);
	assert(salt_len <= 8);
	
	MD5_Init(&md);
	MD5_Update(&md, passwd, passwd_len);
	MD5_Update(&md, "$apr1$", 6);
	MD5_Update(&md, salt_out, salt_len);
	
	 {
		MD5_CTX md2;

		MD5_Init(&md2);
		MD5_Update(&md2, passwd, passwd_len);
		MD5_Update(&md2, salt_out, salt_len);
		MD5_Update(&md2, passwd, passwd_len);
		MD5_Final(buf, &md2);
	 }
	for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
		MD5_Update(&md, buf, sizeof buf);
	MD5_Update(&md, buf, i);
	
	n = passwd_len;
	while (n)
		{
		MD5_Update(&md, (n & 1) ? "\0" : passwd, 1);
		n >>= 1;
		}
	MD5_Final(buf, &md);

	for (i = 0; i < 1000; i++)
		{
		MD5_CTX md2;

		MD5_Init(&md2);
U
Ulf Möller 已提交
332
		MD5_Update(&md2, (i & 1) ? (unsigned char *) passwd : buf,
333
		                 (i & 1) ? passwd_len : sizeof buf);
334 335 336 337
		if (i % 3)
			MD5_Update(&md2, salt_out, salt_len);
		if (i % 7)
			MD5_Update(&md2, passwd, passwd_len);
U
Ulf Möller 已提交
338
		MD5_Update(&md2, (i & 1) ? buf : (unsigned char *) passwd,
339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
		                 (i & 1) ? sizeof buf : passwd_len);
		MD5_Final(buf, &md2);
		}
	
	 {
		/* transform buf into output string */
	
		unsigned char buf_perm[sizeof buf];
		int dest, source;
		char *output;

		/* silly output permutation */
		for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
			buf_perm[dest] = buf[source];
		buf_perm[14] = buf[5];
		buf_perm[15] = buf[11];
B
Ben Laurie 已提交
355
#ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */
356
		assert(16 == sizeof buf_perm);
B
Ben Laurie 已提交
357
#endif
358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381
		
		output = salt_out + salt_len;
		assert(output == out_buf + strlen(out_buf));
		
		*output++ = '$';

		for (i = 0; i < 15; i += 3)
			{
			*output++ = cov_2char[buf_perm[i+2] & 0x3f];
			*output++ = cov_2char[((buf_perm[i+1] & 0xf) << 2) |
				                  (buf_perm[i+2] >> 6)];
			*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
				                  (buf_perm[i+1] >> 4)];
			*output++ = cov_2char[buf_perm[i] >> 2];
			}
		assert(i == 15);
		*output++ = cov_2char[buf_perm[i] & 0x3f];
		*output++ = cov_2char[buf_perm[i] >> 6];
		*output = 0;
		assert(strlen(out_buf) < sizeof(out_buf));
	 }

	return out_buf;
	}
B
Bodo Möller 已提交
382
#endif
383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471


static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
	char *passwd, BIO *out,	int quiet, int table, int reverse,
	size_t pw_maxlen, int usecrypt, int useapr1)
	{
	char *hash = NULL;

	assert(salt_p != NULL);
	assert(salt_malloc_p != NULL);

	/* first make sure we have a salt */
	if (!passed_salt)
		{
#ifndef NO_DES
		if (usecrypt)
			{
			if (*salt_malloc_p == NULL)
				{
				*salt_p = *salt_malloc_p = Malloc(3);
				if (*salt_malloc_p == NULL)
					goto err;
				}
			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
				goto err;
			(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
			(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
			(*salt_p)[2] = 0;
#ifdef CHARSET_EBCDIC
			ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert
			                                    * back to ASCII */
#endif
			}
#endif /* !NO_DES */

#ifndef NO_APR1
		if (useapr1)
			{
			int i;
			
			if (*salt_malloc_p == NULL)
				{
				*salt_p = *salt_malloc_p = Malloc(9);
				if (*salt_malloc_p == NULL)
					goto err;
				}
			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
				goto err;
			
			for (i = 0; i < 8; i++)
				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
			(*salt_p)[8] = 0;
			}
#endif /* !NO_APR1 */
		}
	
	assert(*salt_p != NULL);
	
	/* truncate password if necessary */
	if ((strlen(passwd) > pw_maxlen))
		{
		if (!quiet)
			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen);
		passwd[pw_maxlen] = 0;
		}
	assert(strlen(passwd) <= pw_maxlen);
	
	/* now compute password hash */
#ifndef NO_DES
	if (usecrypt)
		hash = des_crypt(passwd, *salt_p);
#endif
#ifndef NO_APR1
	if (useapr1)
		hash = apr1_crypt(passwd, *salt_p);
#endif
	assert(hash != NULL);

	if (table && !reverse)
		BIO_printf(out, "%s\t%s\n", passwd, hash);
	else if (table && reverse)
		BIO_printf(out, "%s\t%s\n", hash, passwd);
	else
		BIO_printf(out, "%s\n", hash);
	return 1;
	
err:
	return 0;
	}
B
Bodo Möller 已提交
472
#else
473

B
Bodo Möller 已提交
474 475 476 477 478 479
int MAIN(int argc, char **argv)
	{
	fputs("Program not available.\n", stderr)
	EXIT(1);
	}
#endif