From 530a2db1776fca545436cbac2987f6b86f6c7048 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Apr 24 2018 15:00:01 +0000 Subject: Ticket 49649 - Use reentrant crypt_r() Bug Description: We were previously using crypt() which is not thread safe and reuired a lock. Using pwdhash cli tool caused a crash because the lock was not created when invoked by the cli. Fix Description: Use crypt_r() instead which does not require any locking. https://pagure.io/389-ds-base/issue/49649 Reviewed by: Simon(Thanks!) --- diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c index a72da47..59b1397 100644 --- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c +++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c @@ -29,8 +29,6 @@ #include #include "pwdstorage.h" -static PRLock *cryptlock = NULL; /* Some implementations of crypt are not thread safe. ie. ours & Irix */ - /* characters used in crypt encoding */ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; @@ -42,38 +40,20 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ int -crypt_start(Slapi_PBlock *pb __attribute__((unused))) -{ - if (!cryptlock) { - cryptlock = PR_NewLock(); - } - return 0; -} - -int -crypt_close(Slapi_PBlock *pb __attribute__((unused))) -{ - if (cryptlock) { - PR_DestroyLock(cryptlock); - cryptlock = NULL; - } - return 0; -} - -int crypt_pw_cmp(const char *userpwd, const char *dbpwd) { int rc; char *cp; - PR_Lock(cryptlock); - /* we use salt (first 2 chars) of encoded password in call to crypt() */ - cp = crypt(userpwd, dbpwd); + struct crypt_data data; + data.initialized = 0; + + /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ + cp = crypt_r(userpwd, dbpwd, &data); if (cp) { rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); } else { rc = -1; } - PR_Unlock(cryptlock); return rc; } @@ -86,6 +66,8 @@ crypt_pw_enc_by_hash(const char *pwd, int hash_algo) char *enc = NULL; long v; static unsigned int seed = 0; + struct crypt_data data; + data.initialized = 0; if (seed == 0) { seed = (unsigned int)slapi_rand(); @@ -111,12 +93,10 @@ crypt_pw_enc_by_hash(const char *pwd, int hash_algo) algo_salt = strdup(salt); } - PR_Lock(cryptlock); - cry = crypt(pwd, algo_salt); + cry = crypt_r(pwd, algo_salt, &data); if (cry != NULL) { enc = slapi_ch_smprintf("%c%s%c%s", PWD_HASH_PREFIX_START, CRYPT_SCHEME_NAME, PWD_HASH_PREFIX_END, cry); } - PR_Unlock(cryptlock); slapi_ch_free_string(&algo_salt); return (enc); diff --git a/ldap/servers/plugins/pwdstorage/pwd_init.c b/ldap/servers/plugins/pwdstorage/pwd_init.c index afa10f1..8efe4d6 100644 --- a/ldap/servers/plugins/pwdstorage/pwd_init.c +++ b/ldap/servers/plugins/pwdstorage/pwd_init.c @@ -245,8 +245,6 @@ crypt_pwd_storage_scheme_init(Slapi_PBlock *pb) (void *)SLAPI_PLUGIN_VERSION_01); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&crypt_pdesc); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)&crypt_start); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *)&crypt_close); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, (void *)crypt_pw_enc); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, @@ -269,8 +267,6 @@ crypt_md5_pwd_storage_scheme_init(Slapi_PBlock *pb) (void *)SLAPI_PLUGIN_VERSION_01); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&crypt_md5_pdesc); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)&crypt_start); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *)&crypt_close); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, (void *)crypt_pw_md5_enc); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, @@ -293,8 +289,6 @@ crypt_sha256_pwd_storage_scheme_init(Slapi_PBlock *pb) (void *)SLAPI_PLUGIN_VERSION_01); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&crypt_sha256_pdesc); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)&crypt_start); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *)&crypt_close); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, (void *)crypt_pw_sha256_enc); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, @@ -317,8 +311,6 @@ crypt_sha512_pwd_storage_scheme_init(Slapi_PBlock *pb) (void *)SLAPI_PLUGIN_VERSION_01); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&crypt_sha512_pdesc); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)&crypt_start); - rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *)&crypt_close); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_ENC_FN, (void *)crypt_pw_sha512_enc); rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, diff --git a/ldap/servers/plugins/pwdstorage/pwdstorage.h b/ldap/servers/plugins/pwdstorage/pwdstorage.h index f495349..7b46bb9 100644 --- a/ldap/servers/plugins/pwdstorage/pwdstorage.h +++ b/ldap/servers/plugins/pwdstorage/pwdstorage.h @@ -74,8 +74,6 @@ char *sha512_pw_enc(const char *pwd); char *salted_sha512_pw_enc(const char *pwd); int clear_pw_cmp(const char *userpwd, const char *dbpwd); char *clear_pw_enc(const char *pwd); -int crypt_start(Slapi_PBlock *pb); -int crypt_close(Slapi_PBlock *pb); int crypt_pw_cmp(const char *userpwd, const char *dbpwd); char *crypt_pw_enc(const char *pwd); char *crypt_pw_md5_enc(const char *pwd);