diff --new-file -ur nsm.orig/include/nsm_base64.h nsm/include/nsm_base64.h --- nsm.orig/include/nsm_base64.h Thu Jan 1 01:00:00 1970 +++ nsm/include/nsm_base64.h Mon Mar 20 10:10:26 2000 @@ -0,0 +1,27 @@ +/* + * base64.h - Net SecurityMaster (NSM) + * base64 encoding and decoding routines + * + * Copyright © 1992-1996 Hervé Schauer Consultants, Paris, France + * Copyright © 1996-1997 Security On-Line software, Paris, France + * + * All rights reserved. + * + * Author: Marc Baudoin + * + * $Id: base64.h,v 1.1 2000/03/20 09:10:26 gil Exp $ + * + */ + +/* The base64 encoding is described in RFC 1421 */ + +#ifndef _BASE64_H +#define _BASE64_H + +unsigned char * +base64_encode ( unsigned char *str ) ; + +unsigned char * +base64_decode ( unsigned char *base64_str ); + +#endif diff --new-file -ur nsm.orig/include/nsm_sha1.h nsm/include/nsm_sha1.h --- nsm.orig/include/nsm_sha1.h Thu Jan 1 01:00:00 1970 +++ nsm/include/nsm_sha1.h Thu Jun 29 00:35:00 2000 @@ -0,0 +1,23 @@ +/* $OpenBSD$ */ + +/* + * SHA-1 in C + * By Steve Reid + * 100% Public Domain + */ + +#ifndef _SHA1_H_ +#define _SHA1_H_ + +typedef struct { + u_int32_t state[5]; + u_int32_t count[2]; + unsigned char buffer[64]; +} SHA1_CTX; + +void SHA1Transform __P((u_int32_t state[5], unsigned char buffer[64])); +void SHA1Init __P((SHA1_CTX * context)); +void SHA1Update __P((SHA1_CTX * context, unsigned char * data, unsigned int len)); +void SHA1Final __P((unsigned char digest[20], SHA1_CTX * context)); + +#endif /* _SHA1_H_ */ diff --new-file -ur nsm.orig/lib/Makefile.in nsm/lib/Makefile.in --- nsm.orig/lib/Makefile.in Wed Jun 28 21:48:25 2000 +++ nsm/lib/Makefile.in Fri Jun 30 16:26:17 2000 @@ -34,7 +34,8 @@ proxy.o proxyfilter.o \ rpc.o rpc-cli.o rpc-srv.o \ rule.o services.o signal-utils.o snk.o ulm.o xactivcard.o \ - nsm_version.o nsm_file_lock.o interface.o timeout.o ldap.o + nsm_version.o nsm_file_lock.o interface.o timeout.o ldap.o \ + sha1.o base64.o all : libnsm.a @@ -74,6 +75,7 @@ interface.o : @top_srcdir@/include/interface.h timeout.o : @top_srcdir@/include/timeout.h ldap.o : @top_srcdir@/include/nsm_ldap.h @top_srcdir@/include/nsm.h +base64.o : @top_srcdir@/include/nsm_base64.h clean : $(RM) $(OBJS) libnsm.a diff --new-file -ur nsm.orig/lib/base64.c nsm/lib/base64.c --- nsm.orig/lib/base64.c Thu Jan 1 01:00:00 1970 +++ nsm/lib/base64.c Fri Jun 30 14:27:46 2000 @@ -0,0 +1,173 @@ +/* + * base64.c - Net SecurityMaster (NSM) + * base64 encoding and decoding routines + * + * Copyright © 1992-1996 Hervé Schauer Consultants, Paris, France + * Copyright © 1996-2000 Security On-Line software, Paris, France + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * + * Author: Marc Baudoin + * + */ + +/* The base64 encoding is described in RFC 1421 */ + +static char *const cvsid = "$Id: base64.c,v 1.1 2000/03/20 09:10:26 gil Exp $" ; + +#include +#include + +#include + +#include + +#include + +#include "nsm_base64.h" + +#define is_base64(c) ( ( c >= 'A' && c <= 'Z' ) \ + || ( c >= 'a' && c <= 'z' ) \ + || ( c >= '0' && c <= '9' ) \ + || c == '+' || c == '/' ) + +static unsigned char *base64_encoding = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ; + +static unsigned long base64_decoding[] = +{ + 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , + 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , + 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , + 70 , 70 , 70 , 70 , 62 , 70 , 70 , 70 , 63 , 52 , 53 , 54 , 55 , + 56 , 57 , 58 , 59 , 60 , 61 , 70 , 70 , 70 , 70 , 70 , 70 , 70 , + 0 , 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , + 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 , 24 , 25 , + 70 , 70 , 70 , 70 , 70 , 70 , 26 , 27 , 28 , 29 , 30 , 31 , 32 , + 33 , 34 , 35 , 36 , 37 , 38 , 39 , 40 , 41 , 42 , 43 , 44 , 45 , + 46 , 47 , 48 , 49 , 50 , 51 +} ; + +unsigned char * +base64_encode ( unsigned char *str ) +{ + int length = strlen ( str ) ; + int base64_length = ( ( ( length + 2 ) / 3 ) * 4 ) + 1 ; + unsigned char *base64_str ; + int i , base64_i ; + + base64_str = ( unsigned char * ) + malloc ( base64_length * sizeof ( unsigned char ) ) ; + if ( base64_str == NULL ) + { + return NULL ; + } + + for ( i = base64_i = 0 ; i < length ; i += 3 , str += 3 ) + { + unsigned long byte = htonl ( * ( unsigned long * ) str ) ; + + base64_str[ base64_i ++ ] = base64_encoding[ ( byte >> 26 ) & 0x3F ] ; + base64_str[ base64_i ++ ] = base64_encoding[ ( byte >> 20 ) & 0x3F ] ; + if ( ( length - i ) < 3 && length % 3 == 1 ) + { + base64_str[ base64_i ++ ] = '=' ; + base64_str[ base64_i ++ ] = '=' ; + break ; + } + base64_str[ base64_i ++ ] = base64_encoding[ ( byte >> 14 ) & 0x3F ] ; + if ( ( length - i ) < 3 && length % 3 == 2 ) + { + base64_str[ base64_i ++ ] = '=' ; + break ; + } + base64_str[ base64_i ++ ] = base64_encoding[ ( byte >> 8 ) & 0x3F ] ; + } + base64_str[ base64_i ] = '\0' ; + + return base64_str ; +} + +unsigned char * +base64_decode ( unsigned char *base64_str ) +{ + int base64_length = strlen ( base64_str ) ; + int length = ( ( base64_length / 4 ) * 3 ) ; + unsigned char *str ; + int i ; + + str = ( unsigned char * ) + malloc ( ( length + 1 ) * sizeof ( unsigned char ) ) ; + if ( str == NULL ) + { + return NULL ; + } + + for ( i = 0 ; i < length ; i += 3 ) + { + unsigned long byte = 0 ; + + if ( ! is_base64 ( *base64_str ) ) + { + free (str); + str = NULL; + break; + } + byte = base64_decoding[ * ( base64_str ++ ) ] << 26 ; + if ( ! is_base64 ( *base64_str ) ) + { + free (str); + str = NULL; + break; + } + byte |= base64_decoding[ * ( base64_str ++ ) ] << 20 ; + if ( *base64_str == '=' ) + { + byte = ntohl ( byte ) ; + memcpy ( str + i , &byte , 1 ) ; + str [ i + 1 ] = '\0' ; + break ; + } + if ( ! is_base64 ( *base64_str ) ) + { + free (str); + str = NULL; + break; + } + byte |= base64_decoding[ * ( base64_str ++ ) ] << 14 ; + if ( *base64_str == '=' ) + { + byte = ntohl ( byte ) ; + memcpy ( str + i , &byte , 2 ) ; + str [ i + 2 ] = '\0' ; + break ; + } + if ( ! is_base64 ( *base64_str ) ) + { + free (str); + str = NULL; + break; + } + byte |= base64_decoding[ * ( base64_str ++ ) ] << 8 ; + byte = ntohl ( byte ) ; + memcpy ( str + i , &byte , 3 ) ; + str [ i + 3 ] = '\0' ; + } + + return str ; +} + + diff --new-file -ur nsm.orig/lib/password.c nsm/lib/password.c --- nsm.orig/lib/password.c Wed Jun 28 21:48:26 2000 +++ nsm/lib/password.c Fri Jun 30 23:36:54 2000 @@ -52,6 +52,9 @@ #include "nsm_ldap.h" +#include "nsm_sha1.h" +#include "nsm_base64.h" + /* ------------------------------------------------------------------------- */ config_password_t *init_password ( config_t *config ) @@ -159,6 +162,49 @@ /* ------------------------------------------------------------------------- */ +u_char *nsm_sha ( u_char *clear ) +{ + #define SHA_DIGEST_LENGTH 20 + SHA1_CTX c; + u_char md[ SHA_DIGEST_LENGTH + 1 ]; + u_char *store; + + memset ( md , 0 , SHA_DIGEST_LENGTH + 1 ); + + store = ( u_char * ) malloc ( 33 * sizeof ( u_char ) ) ; + memset ( store , 0 , 33 ); + + SHA1Init ( &c ); + SHA1Update ( &c , clear , strlen ( clear ) ); + SHA1Final ( &( md[0] ) , &c ); + + strcpy ( store , "{SHA}" ); + strcat ( store , base64_encode ( md ) ); + + return ( store ); +} + +/* ------------------------------------------------------------------------- */ + +int hash_is_sha ( u_char *cyphered ) +{ + return ( strncmp ( cyphered , "{SHA}" , 5 ) ? false : true ); +} + +/* ------------------------------------------------------------------------- */ + +u_char *nsm_crypt ( u_char *clear , u_char *cyphered ) +{ + if( hash_is_sha ( cyphered ) == true ) + { + return ( nsm_sha ( clear ) ); + } + + return ( crypt ( clear , cyphered ) ); +} + +/* ------------------------------------------------------------------------- */ + bool password_check ( u_char *cyphered , u_char *clear ) { if ( cyphered == NULL ) @@ -166,7 +212,7 @@ return false ; } - return ( strcmp ( cyphered , crypt ( clear , cyphered ) ) == 0 + return ( strcmp ( cyphered , nsm_crypt ( clear , cyphered ) ) == 0 ? true : false ) ; } diff --new-file -ur nsm.orig/lib/sha1.c nsm/lib/sha1.c --- nsm.orig/lib/sha1.c Thu Jan 1 01:00:00 1970 +++ nsm/lib/sha1.c Fri Jun 30 14:23:17 2000 @@ -0,0 +1,173 @@ +/* $OpenBSD$ */ + +/* + * SHA-1 in C + * By Steve Reid + * 100% Public Domain + * + * Test Vectors (from FIPS PUB 180-1) + * "abc" + * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D + * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 + * A million repetitions of "a" + * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F +*/ + +/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */ +/* #define SHA1HANDSOFF * Copies data before messing with it. */ + +#define SHA1HANDSOFF + +#include + +#include + +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) + +/* blk0() and blk() perform the initial expand. */ +/* I got the idea of expanding during the round function from SSLeay */ +#if BYTE_ORDER == LITTLE_ENDIAN +#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) +#else +#define blk0(i) block->l[i] +#endif +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) + +/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); + + +/* Hash a single 512-bit block. This is the core of the algorithm. */ + +void SHA1Transform(u_int32_t state[5], unsigned char buffer[64]) +{ +u_int32_t a, b, c, d, e; +typedef union { + unsigned char c[64]; + unsigned int l[16]; +} CHAR64LONG16; +CHAR64LONG16* block; +#ifdef SHA1HANDSOFF + static unsigned char workspace[64]; + + block = (CHAR64LONG16 *)workspace; + bcopy(buffer, block, 64); +#else + block = (CHAR64LONG16 *)buffer; +#endif + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + /* Wipe variables */ + a = b = c = d = e = 0; +} + + +/* SHA1Init - Initialize new context */ + +void SHA1Init(SHA1_CTX *context) +{ + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; + context->count[0] = context->count[1] = 0; +} + + +/* Run your data through this. */ + +void SHA1Update(SHA1_CTX *context, unsigned char *data, unsigned int len) +{ +unsigned int i; +unsigned int j; + + j = context->count[0]; + if ((context->count[0] += len << 3) < j) context->count[1] += (len>>29)+1; + j = (j >> 3) & 63; + if ((j + len) > 63) { + bcopy(data, &context->buffer[j], (i = 64-j)); + SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) { + SHA1Transform(context->state, &data[i]); + } + j = 0; + } + else i = 0; + bcopy(&data[i], &context->buffer[j], len - i); +} + + +/* Add padding and return the message digest. */ + +void SHA1Final(unsigned char digest[20], SHA1_CTX *context) +{ +unsigned int i; +unsigned char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)] + >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ + } + SHA1Update(context, (unsigned char *)"\200", 1); + while ((context->count[0] & 504) != 448) { + SHA1Update(context, (unsigned char *)"\0", 1); + } + SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + + if (digest) + for (i = 0; i < 20; i++) { + digest[i] = (unsigned char) + ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); + } +#if 0 /* We want to use this for "keyfill" */ + /* Wipe variables */ + i = 0; + bzero(context->buffer, 64); + bzero(context->state, 20); + bzero(context->count, 8); + bzero(&finalcount, 8); +#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */ + SHA1Transform(context->state, context->buffer); +#endif +#endif +} Binary files nsm.orig/lib/sta09449 and nsm/lib/sta09449 differ diff --new-file -ur nsm.orig/nsm-httpd/Makefile.in nsm/nsm-httpd/Makefile.in --- nsm.orig/nsm-httpd/Makefile.in Mon Apr 10 12:57:43 2000 +++ nsm/nsm-httpd/Makefile.in Fri Jun 30 14:29:36 2000 @@ -30,13 +30,13 @@ all : nsm-httpd httpd -nsm-httpd : nsm-httpd.o http.o base64.o \ +nsm-httpd : nsm-httpd.o http.o \ @top_srcdir@/lib/libnsm.a @top_srcdir@/missing/libmissing.a - $(CC) $(CFLAGS) -o $@ nsm-httpd.o http.o base64.o \ + $(CC) $(CFLAGS) -o $@ nsm-httpd.o http.o \ @top_srcdir@/lib/libnsm.a @top_srcdir@/missing/libmissing.a \ $(MSGCATLIBS) $(LIBS) -nsm-httpd.o : nsm-httpd.c http.h base64.h \ +nsm-httpd.o : nsm-httpd.c http.h \ @top_srcdir@/include/authorization.h \ @top_srcdir@/include/nsm.h \ @top_srcdir@/include/expiration.h \ @@ -51,9 +51,6 @@ http.o : http.c http.h $(CC) $(CFLAGS) $(MSGCATINCLUDES) -c http.c -base64.o : base64.c base64.h - $(CC) $(CFLAGS) -c base64.c - httpd : mime-support.o httpd.o cgi.o http.o \ @top_srcdir@/lib/libnsm.a @top_srcdir@/missing/libmissing.a $(CC) $(CFLAGS) -o $@ mime-support.o httpd.o cgi.o http.o \ @@ -67,7 +64,7 @@ $(CC) $(CFLAGS) -c cgi.c clean : - $(RM) nsm-httpd nsm-httpd.o http.o base64.o httpd httpd.o cgi.o mime-support.o + $(RM) nsm-httpd nsm-httpd.o http.o httpd httpd.o cgi.o mime-support.o distclean : clean $(RM) Makefile diff --new-file -ur nsm.orig/nsm-httpd/nsm-httpd.c nsm/nsm-httpd/nsm-httpd.c --- nsm.orig/nsm-httpd/nsm-httpd.c Wed Jun 28 21:48:26 2000 +++ nsm/nsm-httpd/nsm-httpd.c Fri Jun 30 14:28:25 2000 @@ -123,7 +123,7 @@ #endif #include "http.h" -#include "base64.h" +#include "nsm_base64.h" #include "check.h" #define min(x,y) ( ( x < y ) ? x : y )