1 /* $OpenBSD: ap_checkpass.c,v 1.9 2005/06/20 12:23:22 robert Exp $ */
2 
3 /* ====================================================================
4  * The Apache Software License, Version 1.1
5  *
6  * Copyright (c) 2000-2003 The Apache Software Foundation.  All rights
7  * reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. The end-user documentation included with the redistribution,
22  *    if any, must include the following acknowledgment:
23  *       "This product includes software developed by the
24  *        Apache Software Foundation (http://www.apache.org/)."
25  *    Alternately, this acknowledgment may appear in the software itself,
26  *    if and wherever such third-party acknowledgments normally appear.
27  *
28  * 4. The names "Apache" and "Apache Software Foundation" must
29  *    not be used to endorse or promote products derived from this
30  *    software without prior written permission. For written
31  *    permission, please contact apache@apache.org.
32  *
33  * 5. Products derived from this software may not be called "Apache",
34  *    nor may "Apache" appear in their name, without prior written
35  *    permission of the Apache Software Foundation.
36  *
37  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
38  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
39  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
40  * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
41  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
43  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
44  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
46  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
47  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48  * SUCH DAMAGE.
49  * ====================================================================
50  *
51  * This software consists of voluntary contributions made by many
52  * individuals on behalf of the Apache Software Foundation.  For more
53  * information on the Apache Software Foundation, please see
54  * <http://www.apache.org/>.
55  *
56  * Portions of this software are based upon public domain software
57  * originally written at the National Center for Supercomputing Applications,
58  * University of Illinois, Urbana-Champaign.
59  */
60 
61 /*
62  * Simple password verify, which 'know's about various password
63  * types, such as the simple base64 encoded crypt()s, MD5 $ marked
64  * FreeBSD style and netscape SHA1's.
65  */
66 #include <string.h>
67 
68 #include "ap_config.h"
69 #include "ap_md5.h"
70 #include "ap_sha1.h"
71 #include "ap.h"
72 
73 /*
74  * Validate a plaintext password against a smashed one.  Use either
75  * crypt() (if available), ap_MD5Encode() or ap_SHA1Encode depending
76  * upon the format of the smashed input password.
77  *
78  * Return NULL if they match, or an explanatory text string if they don't.
79  */
80 
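/*
 * Constant-time string equality for password-hash comparison.
 *
 * Returns nonzero when a and b are byte-for-byte identical.  Every byte of
 * a is examined regardless of where the first mismatch occurs, so the time
 * taken does not reveal how many leading bytes of the candidate matched.
 * Only the lengths are observable, and those are determined by the hash
 * format rather than by the password.
 */
static int
ap_pw_equal(const char *a, const char *b)
{
	size_t alen = strlen(a);
	size_t blen = strlen(b);
	size_t i;
	unsigned char acc = 0;

	for (i = 0; i < alen; i++) {
		/* Clamp the index into b so a shorter b never reads past its
		 * terminator; the length mismatch is caught below. */
		acc |= (unsigned char)a[i] ^
		    (unsigned char)b[i < blen ? i : blen];
	}
	return alen == blen && acc == 0;
}

/*
 * Validate a plaintext password against a stored hash.
 *
 * passwd: the cleartext candidate supplied by the client.
 * hash:   the stored hash string; its prefix selects the algorithm.
 *
 * Returns NULL on a match, or a short explanatory string on mismatch
 * (or when the stored hash cannot be evaluated at all).
 */
API_EXPORT(char *)
ap_validate_password(const char *passwd, const char *hash)
{
	char sample[120];
	const char *cp;

	if (strncmp(hash, AP_MD5PW_ID, AP_MD5PW_IDLEN) == 0) {
		/* FreeBSD-style MD5: re-hash with the salt embedded in hash. */
		ap_MD5Encode((const unsigned char *)passwd,
		    (const unsigned char *)hash, sample, sizeof(sample));
	} else if (strncmp(hash, AP_SHA1PW_ID, AP_SHA1PW_IDLEN) == 0) {
		/* Netscape / LDAP style base64 SHA-1 (unsalted). */
		ap_sha1_base64(passwd, strlen(passwd), sample);
	} else {
		/*
		 * Not one of our formats, so hand it to crypt().  crypt() can
		 * return NULL (e.g. a salt/format the libc does not support);
		 * the original code passed that straight to ap_cpystrn() and
		 * would dereference it.  Treat it as a mismatch instead of
		 * crashing the server on an odd htpasswd entry.
		 *
		 * NOTE(review): crypt() semantics are platform-dependent --
		 * traditional DES crypt() typically only considers the first
		 * 8 password characters, and it usually returns a pointer to
		 * a static buffer (not thread-safe).  Confirm against the
		 * target libc.
		 */
		cp = crypt(passwd, hash);
		if (cp == NULL)
			return "password mismatch";
		ap_cpystrn(sample, cp, sizeof(sample) - 1);
	}

	/* Compare in constant time so the response latency does not leak
	 * how much of the recomputed hash matched the stored one. */
	return ap_pw_equal(sample, hash) ? NULL : "password mismatch";
}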
103