From: Aki Tuomi Date: Tue, 11 Mar 2025 11:29:15 +0000 (+0200) Subject: lib-auth: Move crypt_verify() password-scheme-crypt.c internal function X-Git-Tag: 2.4.1~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=79c69eef65f45ae5ffc86c1c9b5b6da55c75d7bd;p=thirdparty%2Fdovecot%2Fcore.git lib-auth: Move crypt_verify() password-scheme-crypt.c internal function --- diff --git a/src/lib-auth/password-scheme-crypt.c b/src/lib-auth/password-scheme-crypt.c index 4abc8bfbd5..8fafe1a044 100644 --- a/src/lib-auth/password-scheme-crypt.c +++ b/src/lib-auth/password-scheme-crypt.c @@ -3,6 +3,7 @@ #include "lib.h" #include "mycrypt.h" #include "password-scheme.h" +#include "password-scheme-private.h" #include "crypt-blowfish.h" #include "randgen.h" @@ -19,6 +20,43 @@ #define CRYPT_SHA2_ROUNDS_MAX 999999999 #define CRYPT_SHA2_SALT_LEN 16 +static int crypt_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, + const unsigned char *raw_password, size_t size, + const char **error_r) +{ + const char *password, *crypted; + + if (size > 4 && raw_password[0] == '$' && raw_password[1] == '2' && + raw_password[3] == '$') + return password_verify(plaintext, params, "BLF-CRYPT", + raw_password, size, error_r); + + if (size == 0) { + /* the default mycrypt() handler would return match */ + return 0; + } + + if (size > 1 && !password_schemes_weak_allowed()) { + if (raw_password[0] != '$') { + *error_r = "Weak password scheme 'DES-CRYPT' used and refused"; + return -1; + } else if (raw_password[1] == '1') { + *error_r = "Weak password scheme 'MD5-CRYPT' used and refused"; + return -1; + } + } + + password = t_strndup(raw_password, size); + crypted = mycrypt(plaintext, password); + if (crypted == NULL) { + /* really shouldn't happen unless the system is broken */ + *error_r = t_strdup_printf("crypt() failed: %m"); + return -1; + } + + return str_equals_timing_almost_safe(crypted, password) ? 1 : 0; +} + static void crypt_generate_des(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) diff --git a/src/lib-auth/password-scheme.c b/src/lib-auth/password-scheme.c index c69bc201bd..17f626610d 100644 --- a/src/lib-auth/password-scheme.c +++ b/src/lib-auth/password-scheme.c @@ -321,43 +321,6 @@ password_scheme_detect(const char *plain_password, const char *crypted_password, return key; } -int crypt_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, - const unsigned char *raw_password, size_t size, - const char **error_r) -{ - const char *password, *crypted; - - if (size > 4 && raw_password[0] == '$' && raw_password[1] == '2' && - raw_password[3] == '$') - return password_verify(plaintext, params, "BLF-CRYPT", - raw_password, size, error_r); - - if (size == 0) { - /* the default mycrypt() handler would return match */ - return 0; - } - - if (size > 1 && !g_allow_weak) { - if (raw_password[0] != '$') { - *error_r = "Weak password scheme 'DES-CRYPT' used and refused"; - return -1; - } else if (raw_password[1] == '1') { - *error_r = "Weak password scheme 'MD5-CRYPT' used and refused"; - return -1; - } - } - - password = t_strndup(raw_password, size); - crypted = mycrypt(plaintext, password); - if (crypted == NULL) { - /* really shouldn't happen unless the system is broken */ - *error_r = t_strdup_printf("crypt() failed: %m"); - return -1; - } - - return str_equals_timing_almost_safe(crypted, password) ? 1 : 0; -} - static int md5_verify(const char *plaintext, const struct password_generate_params *params, const unsigned char *raw_password, size_t size, const char **error_r) diff --git a/src/lib-auth/password-scheme.h b/src/lib-auth/password-scheme.h index f5c7ff4922..7307a60fad 100644 --- a/src/lib-auth/password-scheme.h +++ b/src/lib-auth/password-scheme.h @@ -99,11 +99,6 @@ int password_generate_otp(const char *pw, const char *state_data, unsigned int algo, const char **result_r) ATTR_NULL(2); -int crypt_verify(const char *plaintext, - const struct password_generate_params *params, - const unsigned char *raw_password, size_t size, - const char **error_r); - int scram_scheme_parse(const struct hash_method *hmethod, const char *name, const unsigned char *credentials, size_t size, unsigned int *iter_count_r, const char **salt_r,