X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fpasswd.c;h=9ca25dd1da811fe44934e5e7cce3d4208973cadf;hp=06155979f444a4b1d837bacc07ccf39a534f365c;hb=9f9ab1dc667186c533454c87f70295fcb67b4e8a;hpb=3ebf0be142ea19ee2b452d9403d6bc5b14cc41ae diff --git a/apps/passwd.c b/apps/passwd.c index 06155979f4..9ca25dd1da 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -1,10 +1,10 @@ /* apps/passwd.c */ -#if defined NO_MD5 || defined CHARSET_EBCDIC -# define NO_APR1 +#if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC +# define NO_MD5CRYPT_1 #endif -#if !defined(NO_DES) || !defined(NO_APR1) +#if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1) #include #include @@ -15,12 +15,11 @@ #include #include #include - -#ifndef NO_DES +#ifndef OPENSSL_NO_DES # include #endif -#ifndef NO_APR1 -# include +#ifndef NO_MD5CRYPT_1 +# include #endif @@ -42,30 +41,36 @@ static unsigned const char cov_2char[64]={ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, char *passwd, BIO *out, int quiet, int table, int reverse, - size_t pw_maxlen, int usecrypt, int useapr1); + size_t pw_maxlen, int usecrypt, int use1, int useapr1); -/* -crypt - standard Unix password algorithm (default, only choice) - * -apr1 - MD5-based password algorithm +/* -crypt - standard Unix password algorithm (default) + * -1 - MD5-based password algorithm + * -apr1 - MD5-based password algorithm, Apache variant * -salt string - salt * -in file - read passwords from file * -stdin - read passwords from stdin + * -noverify - never verify when reading password from terminal * -quiet - no warnings * -table - format output as table * -reverse - switch table columns */ +int MAIN(int, char **); + int MAIN(int argc, char **argv) { int ret = 1; char *infile = NULL; int in_stdin = 0; + int in_noverify = 0; char *salt = NULL, *passwd = NULL, **passwds = NULL; char *salt_malloc = NULL, *passwd_malloc = NULL; + size_t passwd_malloc_size = 0; int pw_source_defined = 0; BIO *in = NULL, *out = NULL; int i, badopt, opt_done; int passed_salt = 0, quiet = 0, table = 0, reverse = 0; - int usecrypt = 0, useapr1 = 0; + int usecrypt = 0, use1 = 0, useapr1 = 0; size_t pw_maxlen = 0; apps_startup(); @@ -73,10 +78,19 @@ int MAIN(int argc, char **argv) if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + + if (!load_config(bio_err, NULL)) + goto err; out = BIO_new(BIO_s_file()); if (out == NULL) goto err; BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif badopt = 0, opt_done = 0; i = 0; @@ -84,6 +98,8 @@ int MAIN(int argc, char **argv) { if (strcmp(argv[i], "-crypt") == 0) usecrypt = 1; + else if (strcmp(argv[i], "-1") == 0) + use1 = 1; else if (strcmp(argv[i], "-apr1") == 0) useapr1 = 1; else if (strcmp(argv[i], "-salt") == 0) @@ -116,6 +132,8 @@ int MAIN(int argc, char **argv) else badopt = 1; } + else if (strcmp(argv[i], "-noverify") == 0) + in_noverify = 1; else if (strcmp(argv[i], "-quiet") == 0) quiet = 1; else if (strcmp(argv[i], "-table") == 0) @@ -135,32 +153,34 @@ int MAIN(int argc, char **argv) badopt = 1; } - if (!usecrypt && !useapr1) /* use default */ + if (!usecrypt && !use1 && !useapr1) /* use default */ usecrypt = 1; - if (usecrypt + useapr1 > 1) /* conflict */ + if (usecrypt + use1 + useapr1 > 1) /* conflict */ badopt = 1; /* reject unsupported algorithms */ -#ifdef NO_DES +#ifdef OPENSSL_NO_DES if (usecrypt) badopt = 1; #endif -#ifdef NO_APR1 - if (useapr1) badopt = 1; +#ifdef NO_MD5CRYPT_1 + if (use1 || useapr1) badopt = 1; #endif if (badopt) { BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n"); BIO_printf(bio_err, "where options are\n"); -#ifndef NO_DES +#ifndef OPENSSL_NO_DES BIO_printf(bio_err, "-crypt standard Unix password algorithm (default)\n"); #endif -#ifndef NO_APR1 - BIO_printf(bio_err, "-apr1 MD5-based password algorithm\n"); +#ifndef NO_MD5CRYPT_1 + BIO_printf(bio_err, "-1 MD5-based password algorithm\n"); + BIO_printf(bio_err, "-apr1 MD5-based password algorithm, Apache variant\n"); #endif BIO_printf(bio_err, "-salt string use provided salt\n"); BIO_printf(bio_err, "-in file read passwords from file\n"); BIO_printf(bio_err, "-stdin read passwords from stdin\n"); + BIO_printf(bio_err, "-noverify never verify when reading password from terminal\n"); BIO_printf(bio_err, "-quiet no warnings\n"); BIO_printf(bio_err, "-table format output as table\n"); BIO_printf(bio_err, "-reverse switch table columns\n"); @@ -188,13 +208,16 @@ int MAIN(int argc, char **argv) if (usecrypt) pw_maxlen = 8; - else if (useapr1) + else if (use1 || useapr1) pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */ if (passwds == NULL) { /* no passwords on the command line */ - passwd = passwd_malloc = Malloc(pw_maxlen + 1); + + passwd_malloc_size = pw_maxlen + 2; + /* longer than necessary so that we can warn about truncation */ + passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size); if (passwd_malloc == NULL) goto err; } @@ -206,7 +229,7 @@ int MAIN(int argc, char **argv) passwds = passwds_static; if (in == NULL) - if (EVP_read_pw_string(passwd_malloc, pw_maxlen + 1, "Password: ", 0) != 0) + if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", !(passed_salt || in_noverify)) != 0) goto err; passwds[0] = passwd_malloc; } @@ -220,7 +243,7 @@ int MAIN(int argc, char **argv) { passwd = *passwds++; if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out, - quiet, table, reverse, pw_maxlen, usecrypt, useapr1)) + quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1)) goto err; } while (*passwds != NULL); @@ -249,90 +272,104 @@ int MAIN(int argc, char **argv) } if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out, - quiet, table, reverse, pw_maxlen, usecrypt, useapr1)) + quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1)) goto err; } done = (r <= 0); } while (!done); } + ret = 0; err: ERR_print_errors(bio_err); if (salt_malloc) - Free(salt_malloc); + OPENSSL_free(salt_malloc); if (passwd_malloc) - Free(passwd_malloc); + OPENSSL_free(passwd_malloc); if (in) BIO_free(in); if (out) - BIO_free(out); - EXIT(ret); + BIO_free_all(out); + apps_shutdown(); + OPENSSL_EXIT(ret); } -#ifndef NO_APR1 -/* MD5-based password algorithm compatible to the one found in Apache - * (should probably be available as a library function; - * then the static buffer would not be acceptable) */ -static char *apr1_crypt(const char *passwd, const char *salt) +#ifndef NO_MD5CRYPT_1 +/* MD5-based password algorithm (should probably be available as a library + * function; then the static buffer would not be acceptable). + * For magic string "1", this should be compatible to the MD5-based BSD + * password algorithm. + * For 'magic' string "apr1", this is compatible to the MD5-based Apache + * password algorithm. + * (Apparently, the Apache password algorithm is identical except that the + * 'magic' string was changed -- the laziest application of the NIH principle + * I've ever encountered.) + */ +static char *md5crypt(const char *passwd, const char *magic, const char *salt) { static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */ unsigned char buf[MD5_DIGEST_LENGTH]; char *salt_out; - int n, i; - MD5_CTX md; + int n; + unsigned int i; + EVP_MD_CTX md,md2; size_t passwd_len, salt_len; passwd_len = strlen(passwd); - strcpy(out_buf, "$apr1$"); + out_buf[0] = '$'; + out_buf[1] = 0; + assert(strlen(magic) <= 4); /* "1" or "apr1" */ + strncat(out_buf, magic, 4); + strncat(out_buf, "$", 1); strncat(out_buf, salt, 8); assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */ - salt_out = out_buf + 6; + salt_out = out_buf + 2 + strlen(magic); salt_len = strlen(salt_out); assert(salt_len <= 8); - MD5_Init(&md); - MD5_Update(&md, passwd, passwd_len); - MD5_Update(&md, "$apr1$", 6); - MD5_Update(&md, salt_out, salt_len); + EVP_MD_CTX_init(&md); + EVP_DigestInit_ex(&md,EVP_md5(), NULL); + EVP_DigestUpdate(&md, passwd, passwd_len); + EVP_DigestUpdate(&md, "$", 1); + EVP_DigestUpdate(&md, magic, strlen(magic)); + EVP_DigestUpdate(&md, "$", 1); + EVP_DigestUpdate(&md, salt_out, salt_len); - { - MD5_CTX md2; + EVP_MD_CTX_init(&md2); + EVP_DigestInit_ex(&md2,EVP_md5(), NULL); + EVP_DigestUpdate(&md2, passwd, passwd_len); + EVP_DigestUpdate(&md2, salt_out, salt_len); + EVP_DigestUpdate(&md2, passwd, passwd_len); + EVP_DigestFinal_ex(&md2, buf, NULL); - MD5_Init(&md2); - MD5_Update(&md2, passwd, passwd_len); - MD5_Update(&md2, salt_out, salt_len); - MD5_Update(&md2, passwd, passwd_len); - MD5_Final(buf, &md2); - } for (i = passwd_len; i > sizeof buf; i -= sizeof buf) - MD5_Update(&md, buf, sizeof buf); - MD5_Update(&md, buf, i); + EVP_DigestUpdate(&md, buf, sizeof buf); + EVP_DigestUpdate(&md, buf, i); n = passwd_len; while (n) { - MD5_Update(&md, (n & 1) ? "\0" : passwd, 1); + EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1); n >>= 1; } - MD5_Final(buf, &md); + EVP_DigestFinal_ex(&md, buf, NULL); for (i = 0; i < 1000; i++) { - MD5_CTX md2; - - MD5_Init(&md2); - MD5_Update(&md2, (i & 1) ? (unsigned char *) passwd : buf, - (i & 1) ? passwd_len : sizeof buf); + EVP_DigestInit_ex(&md2,EVP_md5(), NULL); + EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *) passwd : buf, + (i & 1) ? passwd_len : sizeof buf); if (i % 3) - MD5_Update(&md2, salt_out, salt_len); + EVP_DigestUpdate(&md2, salt_out, salt_len); if (i % 7) - MD5_Update(&md2, passwd, passwd_len); - MD5_Update(&md2, (i & 1) ? buf : (unsigned char *) passwd, - (i & 1) ? sizeof buf : passwd_len); - MD5_Final(buf, &md2); + EVP_DigestUpdate(&md2, passwd, passwd_len); + EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *) passwd, + (i & 1) ? sizeof buf : passwd_len); + EVP_DigestFinal_ex(&md2, buf, NULL); } + EVP_MD_CTX_cleanup(&md2); { /* transform buf into output string */ @@ -346,7 +383,9 @@ static char *apr1_crypt(const char *passwd, const char *salt) buf_perm[dest] = buf[source]; buf_perm[14] = buf[5]; buf_perm[15] = buf[11]; +#ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */ assert(16 == sizeof buf_perm); +#endif output = salt_out + salt_len; assert(output == out_buf + strlen(out_buf)); @@ -368,6 +407,7 @@ static char *apr1_crypt(const char *passwd, const char *salt) *output = 0; assert(strlen(out_buf) < sizeof(out_buf)); } + EVP_MD_CTX_cleanup(&md); return out_buf; } @@ -376,7 +416,7 @@ static char *apr1_crypt(const char *passwd, const char *salt) static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, char *passwd, BIO *out, int quiet, int table, int reverse, - size_t pw_maxlen, int usecrypt, int useapr1) + size_t pw_maxlen, int usecrypt, int use1, int useapr1) { char *hash = NULL; @@ -386,12 +426,12 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, /* first make sure we have a salt */ if (!passed_salt) { -#ifndef NO_DES +#ifndef OPENSSL_NO_DES if (usecrypt) { if (*salt_malloc_p == NULL) { - *salt_p = *salt_malloc_p = Malloc(3); + *salt_p = *salt_malloc_p = OPENSSL_malloc(3); if (*salt_malloc_p == NULL) goto err; } @@ -405,16 +445,16 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, * back to ASCII */ #endif } -#endif /* !NO_DES */ +#endif /* !OPENSSL_NO_DES */ -#ifndef NO_APR1 - if (useapr1) +#ifndef NO_MD5CRYPT_1 + if (use1 || useapr1) { int i; if (*salt_malloc_p == NULL) { - *salt_p = *salt_malloc_p = Malloc(9); + *salt_p = *salt_malloc_p = OPENSSL_malloc(9); if (*salt_malloc_p == NULL) goto err; } @@ -425,7 +465,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */ (*salt_p)[8] = 0; } -#endif /* !NO_APR1 */ +#endif /* !NO_MD5CRYPT_1 */ } assert(*salt_p != NULL); @@ -434,19 +474,20 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, if ((strlen(passwd) > pw_maxlen)) { if (!quiet) - BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen); + /* XXX: really we should know how to print a size_t, not cast it */ + BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned)pw_maxlen); passwd[pw_maxlen] = 0; } assert(strlen(passwd) <= pw_maxlen); /* now compute password hash */ -#ifndef NO_DES +#ifndef OPENSSL_NO_DES if (usecrypt) - hash = des_crypt(passwd, *salt_p); + hash = DES_crypt(passwd, *salt_p); #endif -#ifndef NO_APR1 - if (useapr1) - hash = apr1_crypt(passwd, *salt_p); +#ifndef NO_MD5CRYPT_1 + if (use1 || useapr1) + hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p); #endif assert(hash != NULL); @@ -466,6 +507,6 @@ err: int MAIN(int argc, char **argv) { fputs("Program not available.\n", stderr) - EXIT(1); + OPENSSL_EXIT(1); } #endif