# # old_revision [471dc0f5e3b2a6fc571aca4e14c0a5161cf7af0b] # # add_file "SoObjects/SOGo/NSData+Crypto.h" # content [c9187ee4b0ebd1f7a2eeeb0f13837493aa284580] # # add_file "SoObjects/SOGo/NSData+Crypto.m" # content [0ea66d4e8b75ff60c4e4c57980860ffcd6fe3572] # # add_file "SoObjects/SOGo/NSString+Crypto.h" # content [50ffbd75973627dda748687423fb4bbb7b798724] # # add_file "SoObjects/SOGo/NSString+Crypto.m" # content [2bb1ed1c269a147c2285a0d2f4629997d20961bf] # # patch "SoObjects/SOGo/GNUmakefile" # from [9e466added539ccacaecd830173afdf9d4755802] # to [0e4d9af53dddf014fe6fccf1d81e751d8dd2bc3c] # # patch "SoObjects/SOGo/LDAPSource.m" # from [49cd1d275323dd81ba0ad5566e542b725856c4a9] # to [29be142502d24ed06e5b41dbd330ef24efb4a4b6] # # patch "SoObjects/SOGo/NSString+Utilities.h" # from [d2661ef19253d96d64dcf11127ffe6882f90b4d4] # to [c38d80d6ebe9592a9f2ee954282718d7265dec51] # # patch "SoObjects/SOGo/NSString+Utilities.m" # from [800b97cfc8f806e14c310ed8628c94a9934fd80a] # to [eb4c7cd585c64cb8fb0273c3e89be36da11e5f24] # # patch "SoObjects/SOGo/SOGoUserManager.m" # from [9bf968b36558145edd71840dd180876c1d5d7175] # to [344659dcdf8d929bb824d8856d05c1de85ce801e] # # patch "SoObjects/SOGo/SQLSource.m" # from [8e7fb09f6d34231ed0e1c57db516961d7a8bf0bb] # to [3928a5ed6dca41cf9fa04a0f15c964b13d000747] # ============================================================ --- SoObjects/SOGo/GNUmakefile 9e466added539ccacaecd830173afdf9d4755802 +++ SoObjects/SOGo/GNUmakefile 0e4d9af53dddf014fe6fccf1d81e751d8dd2bc3c @@ -46,6 +46,8 @@ SOGo_HEADER_FILES = \ NSObject+Utilities.h \ NSString+DAV.h \ NSString+Utilities.h \ + NSString+Crypto.h \ + NSData+Crypto.h \ NSURL+DAV.h \ \ SOGoAuthenticator.h \ @@ -114,6 +116,8 @@ SOGo_OBJC_FILES = \ NSObject+Utilities.m \ NSString+DAV.m \ NSString+Utilities.m \ + NSString+Crypto.m \ + NSData+Crypto.m \ NSURL+DAV.m \ \ SOGoSession.m \ ============================================================ --- SoObjects/SOGo/LDAPSource.m 49cd1d275323dd81ba0ad5566e542b725856c4a9 +++ SoObjects/SOGo/LDAPSource.m 29be142502d24ed06e5b41dbd330ef24efb4a4b6 @@ -40,6 +40,7 @@ #import "LDAPSourceSchema.h" #import "NSArray+Utilities.h" #import "NSString+Utilities.h" +#import "NSString+Crypto.h" #import "SOGoDomainDefaults.h" #import "SOGoSystemDefaults.h" @@ -639,26 +640,13 @@ andMultipleBookingsField: (NSString *) n */ - (NSString *) _encryptPassword: (NSString *) plainPassword { - if ([_userPasswordAlgorithm caseInsensitiveCompare: @"none"] == NSOrderedSame) - { - return plainPassword; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"crypt"] == NSOrderedSame) - { - return [NSString stringWithFormat: @"{CRYPT}%@", [plainPassword asCryptStringUsingSalt: [plainPassword asMD5String]]]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"md5"] == NSOrderedSame) - { - return [NSString stringWithFormat: @"{MD5}%@", [plainPassword asMD5String]]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"sha"] == NSOrderedSame) - { - return [NSString stringWithFormat: @"{SHA}%@", [plainPassword asSHA1String]]; - } - - [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm]; - - return plainPassword; + NSString *password; + password = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm]; + + if (password == nil) + [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm]; + + return [NSString stringWithFormat: @"{%@}%@", _userPasswordAlgorithm, password]; } // ============================================================ --- /dev/null +++ SoObjects/SOGo/NSData+Crypto.h c9187ee4b0ebd1f7a2eeeb0f13837493aa284580 @@ -0,0 +1,56 @@ +/* NSData+Crypto.h - this file is part of SOGo + * + * Author: Nicolas Höft + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + * Boston, MA 02111-1307, USA. + */ + +#ifndef NSDATA_CRYPTO_H +#define NSDATA_CRYPTO_H + +#import + +@class NSObject; + +@interface NSData (SOGoCryptoExtension) + +- (NSData *) asCryptedPassUsingScheme: (NSString *) passwordScheme + withSalt: (NSData *) theSalt; + +- (NSData *) asMD5; +- (NSData *) asSMD5UsingSalt: (NSData *) theSalt; +- (NSData *) asSHA1; +- (NSData *) asSSHAUsingSalt: (NSData *) theSalt; +- (NSData *) asSHA256; +- (NSData *) asSSHA256UsingSalt: (NSData *) theSalt; +- (NSData *) asSHA512; +- (NSData *) asSSHA512UsingSalt: (NSData *) theSalt; + +- (NSData *) asCryptUsingSalt: (NSData *) theSalt; +- (NSData *) asMD5CryptUsingSalt: (NSData *) theSalt; + +- (NSData *) extractSalt: (NSString *) theScheme; + ++ (NSData *) generateSaltForLength: (unsigned int) theLength + withBase64: (BOOL) doBase64; ++ (NSData *) generateSaltForLength: (unsigned int) theLength; + ++ (NSString *) encodeDataAsHexString: (NSData* ) theData; ++ (NSData *) decodeDataFromHexString: (NSString* ) theString; + +@end + +#endif /* NSDATA_CRYPTO_H */ ============================================================ --- /dev/null +++ SoObjects/SOGo/NSData+Crypto.m 0ea66d4e8b75ff60c4e4c57980860ffcd6fe3572 @@ -0,0 +1,411 @@ +/* NSData+Crypto.m - this file is part of SOGo + * + * + * Author: Nicolas Höft + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + * Boston, MA 02111-1307, USA. + */ + +#ifndef __OpenBSD__ +#include +#endif + +#include +#include +#include +#include + +#define _XOPEN_SOURCE 1 +#include +#include +#include +#include + +#import +#import "NSData+Crypto.h" + +unsigned charTo4Bits(char c); + + +@implementation NSData (SOGoCryptoExtension) + ++ (NSString *) encodeDataAsHexString: (NSData *) theData +{ + unsigned int byteLength = [theData length], byteCounter = 0; + unsigned int stringLength = (byteLength * 2) + 1, stringCounter = 0; + unsigned char dstBuffer[stringLength]; + unsigned char srcBuffer[byteLength]; + unsigned char *srcPtr = srcBuffer; + [theData getBytes: srcBuffer]; + const unsigned char t[16] = "0123456789abcdef"; + + for (; byteCounter < byteLength; byteCounter++) + { + unsigned src = *srcPtr; + dstBuffer[stringCounter++] = t[src >> 4]; + dstBuffer[stringCounter++] = t[src & 15]; + srcPtr++; + } + + dstBuffer[stringCounter] = '\0'; + return [NSString stringWithUTF8String: (char*)dstBuffer]; +} + ++ (NSData *) decodeDataFromHexString: (NSString *) theString +{ + unsigned int stringLength = [theString length]; + unsigned int byteLength = stringLength/2; + unsigned int byteCounter = 0; + unsigned char srcBuffer[stringLength]; + [theString getCString:(char *)srcBuffer]; + unsigned char *srcPtr = srcBuffer; + unsigned char dstBuffer[byteLength]; + unsigned char *dst = dstBuffer; + while (byteCounter < byteLength) + { + unsigned char c = *srcPtr++; + unsigned char d = *srcPtr++; + unsigned hi = 0, lo = 0; + hi = charTo4Bits(c); + lo = charTo4Bits(d); + if (hi == 255 || lo == 255) + { + //errorCase + return nil; + } + dstBuffer[byteCounter++] = ((hi << 4) | lo); + } + return [NSData dataWithBytes: dst length: byteLength]; +} + ++ (NSData *) generateSaltForLength: (unsigned int) theLength +{ + return [NSData generateSaltForLength: theLength withBase64: NO]; +} + ++ (NSData *) generateSaltForLength: (unsigned int) theLength + withBase64: (BOOL) doBase64 +{ + char *buf; + int fd; + NSData *data; + + fd = open("/dev/urandom", O_RDONLY); + + if (fd > 0) + { + buf = (char *)malloc(theLength); + read(fd, buf, theLength); + close(fd); + + data = [NSData dataWithBytesNoCopy: buf length: theLength freeWhenDone: YES]; + if(doBase64 == YES) + { + return [data dataByEncodingBase64WithLineLength: 1024]; + } + return data; + } + return nil; +} + +- (NSData *) asCryptedPassUsingScheme: (NSString *) passwordScheme + withSalt: (NSData *) theSalt +{ + if ([passwordScheme caseInsensitiveCompare: @"none"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"plain"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"cleartext"] == NSOrderedSame) + { + return self; + } + else if ([passwordScheme caseInsensitiveCompare: @"crypt"] == NSOrderedSame) + { + return [self asCryptUsingSalt: theSalt]; + } + else if ([passwordScheme caseInsensitiveCompare: @"md5-crypt"] == NSOrderedSame) + { + return [self asMD5CryptUsingSalt: theSalt]; + } + else if ([passwordScheme caseInsensitiveCompare: @"md5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"plain-md5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"ldap-md5"] == NSOrderedSame) + { + return [self asMD5]; + } + else if ([passwordScheme caseInsensitiveCompare: @"smd5"] == NSOrderedSame) + { + return [self asSMD5UsingSalt: theSalt]; + } + else if ([passwordScheme caseInsensitiveCompare: @"sha"] == NSOrderedSame) + { + return [self asSHA1]; + } + else if ([passwordScheme caseInsensitiveCompare: @"ssha"] == NSOrderedSame) + { + return [self asSSHAUsingSalt: theSalt]; + } + else if ([passwordScheme caseInsensitiveCompare: @"sha256"] == NSOrderedSame) + { + return [self asSHA256]; + } + else if ([passwordScheme caseInsensitiveCompare: @"ssha256"] == NSOrderedSame) + { + return [self asSSHA256UsingSalt: theSalt]; + } + else if ([passwordScheme caseInsensitiveCompare: @"sha512"] == NSOrderedSame) + { + return [self asSHA512]; + } + else if ([passwordScheme caseInsensitiveCompare: @"ssha512"] == NSOrderedSame) + { + return [self asSSHA512UsingSalt: theSalt]; + } + // in case the scheme was not detected, return nil + return nil; +} + + +- (NSData *) asMD5 +{ + unsigned char md[MD5_DIGEST_LENGTH]; + memset(md, 0, MD5_DIGEST_LENGTH); + + EVP_Digest([self bytes], [self length], md, NULL, EVP_md5(), NULL); + + return [NSData dataWithBytes: md length: MD5_DIGEST_LENGTH]; +} + +- (NSData *) asSHA1 +{ + unsigned char sha[SHA_DIGEST_LENGTH]; + memset(sha, 0, SHA_DIGEST_LENGTH); + + SHA1([self bytes], [self length], sha); + + return [NSData dataWithBytes: sha length: SHA_DIGEST_LENGTH]; +} + +- (NSData *) asSHA256 +{ + unsigned char sha[SHA256_DIGEST_LENGTH]; + memset(sha, 0, SHA256_DIGEST_LENGTH); + + SHA256([self bytes], [self length], sha); + + return [NSData dataWithBytes: sha length: SHA256_DIGEST_LENGTH]; +} + +- (NSData *) asSHA512 +{ + unsigned char sha[SHA512_DIGEST_LENGTH]; + memset(sha, 0, SHA512_DIGEST_LENGTH); + + SHA512([self bytes], [self length], sha); + + return [NSData dataWithBytes: sha length: SHA512_DIGEST_LENGTH]; +} + +- (NSData *) asSSHAUsingSalt: (NSData *) theSalt +{ + // SSHA works following: SSHA(pass, salt) = SHA1(pass + salt) + salt + NSMutableData *sshaData; + + // generate salt, if not available + if ([theSalt length] == 0) theSalt = [NSData generateSaltForLength: 8]; + + // put the pass and salt together as one data array + sshaData = [NSMutableData dataWithData: self]; + [sshaData appendData: theSalt]; + // generate SHA1 from pass + salt + sshaData = [NSMutableData dataWithData: [sshaData asSHA1]]; + // append salt again + [sshaData appendData: theSalt]; + + return sshaData; +} + +- (NSData *) asSSHA256UsingSalt: (NSData *) theSalt +{ + // SSHA256 works following: SSHA(pass, salt) = SHA256(pass + salt) + salt + NSMutableData *sshaData; + + // generate salt, if not available + if ([theSalt length] == 0) theSalt = [NSData generateSaltForLength: 8]; + + // put the pass and salt together as one data array + sshaData = [NSMutableData dataWithData: self]; + [sshaData appendData: theSalt]; + // generate SHA1 from pass + salt + sshaData = [NSMutableData dataWithData: [sshaData asSHA256]]; + // append salt again + [sshaData appendData: theSalt]; + + return sshaData; +} + +- (NSData *) asSSHA512UsingSalt: (NSData *) theSalt +{ + // SSHA512 works following: SSHA(pass, salt) = SHA512(pass + salt) + salt + NSMutableData *sshaData; + + // generate salt, if not available + if ([theSalt length] == 0) theSalt = [NSData generateSaltForLength: 8]; + + // put the pass and salt together as one data array + sshaData = [NSMutableData dataWithData: self]; + [sshaData appendData: theSalt]; + // generate SHA1 from pass + salt + sshaData = [NSMutableData dataWithData: [sshaData asSHA512]]; + // append salt again + [sshaData appendData: theSalt]; + + return sshaData; +} + +- (NSData *) asSMD5UsingSalt: (NSData *) theSalt +{ + // SMD5 works following: SMD5(pass, salt) = MD5(pass + salt) + salt + NSMutableData *smdData; + + // generate salt, if not available + if ([theSalt length] == 0) theSalt = [NSData generateSaltForLength: 8]; + + // put the pass and salt together as one data array + smdData = [NSMutableData dataWithData: self]; + [smdData appendData: theSalt]; + // generate SHA1 from pass + salt + smdData = [NSMutableData dataWithData: [smdData asMD5]]; + // append salt again + [smdData appendData: theSalt]; + + return smdData; +} + + +- (NSData *) asMD5CryptUsingSalt: (NSData *) theSalt +{ + char *buf; + NSString *saltString; + NSString *cryptString; + + // crypt() works with strings, so convert NSData to strings + cryptString = [[NSString alloc] initWithData: self encoding: NSUTF8StringEncoding]; + [cryptString autorelease]; + + if ([theSalt length] == 0) + { + // make sure these characters are all printable by using base64 + NSData *saltData = [NSData generateSaltForLength: 8 withBase64: YES]; + NSString *tmpStr = [[NSString alloc] initWithData: saltData encoding: NSASCIIStringEncoding]; + [tmpStr autorelease]; + // and prepend a "$1$" to mark this as md5-crypt + saltString = [NSString stringWithFormat: @"$1$%@$", tmpStr]; + } + else + { + saltString = [[NSString alloc] initWithData: theSalt encoding: NSUTF8StringEncoding]; + [saltString autorelease]; + } + + buf = crypt([cryptString UTF8String], [saltString UTF8String]); + return [NSData dataWithBytes: buf length: strlen(buf)]; +} + +- (NSData *) asCryptUsingSalt: (NSData *) theSalt +{ + char *buf; + NSString *saltString; + NSString *cryptString; + + // crypt() works with strings, so convert NSData to strings + cryptString = [[NSString alloc] initWithData: self encoding: NSUTF8StringEncoding]; + [cryptString autorelease]; + + if ([theSalt length] == 0) theSalt = [NSData generateSaltForLength: 8 withBase64: YES]; + + saltString = [[NSString alloc] initWithData: theSalt encoding: NSUTF8StringEncoding]; + [saltString autorelease]; + + // The salt is weak here, but who cares anyway, crypt should not + // be used anymore + buf = crypt([cryptString UTF8String], [saltString UTF8String]); + return [NSData dataWithBytes: buf length: strlen(buf)]; +} + +- (NSData *) extractSalt: (NSString *) theScheme +{ + NSRange r; + int len; + len = [self length]; + if (len == 0) + return [NSData data]; + + // for the ssha schemes the salt is appended at the endif + // so the range with the salt are bytes after each digest length + if ([theScheme caseInsensitiveCompare: @"crypt"] == NSOrderedSame || + [theScheme caseInsensitiveCompare: @"md5-crypt"] == NSOrderedSame) + { + // for crypt schemes simply use the whole string + // the crypt() function is able to extract it by itself + r = NSMakeRange(0, len); + } + else if ([theScheme caseInsensitiveCompare: @"ssha"] == NSOrderedSame) + { + r = NSMakeRange(SHA_DIGEST_LENGTH, len - SHA_DIGEST_LENGTH); + } + else if ([theScheme caseInsensitiveCompare: @"ssha256"] == NSOrderedSame) + { + r = NSMakeRange(SHA256_DIGEST_LENGTH, len - SHA256_DIGEST_LENGTH); + } + else if ([theScheme caseInsensitiveCompare: @"ssha512"] == NSOrderedSame) + { + r = NSMakeRange(SHA512_DIGEST_LENGTH, len - SHA512_DIGEST_LENGTH); + } + else if ([theScheme caseInsensitiveCompare: @"smd5"] == NSOrderedSame) + { + r = NSMakeRange(MD5_DIGEST_LENGTH, len - MD5_DIGEST_LENGTH); + } + else + { + // return empty string on unknown scheme + return [NSData data]; + } + + return [self subdataWithRange: r]; +} + +@end + +unsigned charTo4Bits(char c) +{ + unsigned bits = 0; + if (c > '/' && c < ':') + { + bits = c - '0'; + } + else if (c > '@' && c < 'G') + { + bits = (c- 'A') + 10; + } + else if (c > '`' && c < 'g') + { + bits = (c- 'a') + 10; + } + else + { + bits = 255; + } + return bits; +} ============================================================ --- /dev/null +++ SoObjects/SOGo/NSString+Crypto.h 50ffbd75973627dda748687423fb4bbb7b798724 @@ -0,0 +1,58 @@ +/* NSString+Crypto.h - this file is part of SOGo + * + * Author: Nicolas Höft + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + * Boston, MA 02111-1307, USA. + */ + +#ifndef NSSTRING_CRYPTO_H +#define NSSTRING_CRYPTO_H + +#import +#import + +typedef enum { + encDefault, + encPlain, + encHex, + encBase64, +} keyEncoding; + +@class NSObject; + +@interface NSString (SOGoCryptoExtension) + +- (BOOL) isEqualToCrypted: (NSString *) cryptedPassword + withDefaultScheme: (NSString *) theScheme; + +- (NSString *) asCryptedPassUsingScheme: (NSString *) passwordScheme + withSalt: (NSData *) theSalt + andEncoding: (keyEncoding) encoding; + +// this method uses the default encoding (base64, plain, hex) +// and generates a salt when necessary +- (NSString *) asCryptedPassUsingScheme: (NSString *) passwordScheme; + +- (NSArray *) splitPasswordWithDefaultScheme: (NSString *) defaultScheme; + +- (NSString *) asSHA1String; +- (NSString *) asMD5String; + ++ (keyEncoding) getDefaultEncodingForScheme: (NSString *) passwordScheme; + +@end + +#endif /* NSSTRING_CRYPTO_H */ ============================================================ --- /dev/null +++ SoObjects/SOGo/NSString+Crypto.m 2bb1ed1c269a147c2285a0d2f4629997d20961bf @@ -0,0 +1,248 @@ +/* NSString+Crypto.m - this file is part of SOGo + * + * + * Author: Nicolas Höft + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + * Boston, MA 02111-1307, USA. + */ + +#import +#import + +#import "NSString+Crypto.h" +#import "NSData+Crypto.h" +#import + +@implementation NSString (SOGoCryptoExtension) + +- (NSString *) extractCryptScheme +{ + NSRange r; + int len; + + len = [self length]; + if (len == 0) + return @""; + if ([self characterAtIndex:0] != '{') + return @""; + + r = [self rangeOfString:@"}" options:(NSLiteralSearch)]; + if (r.length == 0) + return @""; + + r.length = (r.location - 1); + r.location = 1; + return [[self substringWithRange:r] lowercaseString]; +} + + +// This function returns an two-element array containing +// the scheme and the rest of the (complete, including optional salt) password +- (NSArray *) splitPasswordWithDefaultScheme: (NSString *) defaultScheme +{ + NSString *scheme; + NSString *pass; + NSArray *schemeComps; + keyEncoding encoding; + + NSRange range; + int selflen, len; + + selflen = [self length]; + + scheme = [self extractCryptScheme]; + len = [scheme length]; + if (len > 0) + range = NSMakeRange (len+2, selflen-len-2); + else + range = NSMakeRange (0, selflen); + if (len == 0) + scheme = defaultScheme; + + encoding = [NSString getDefaultEncodingForScheme: scheme]; + + // get the encoding which may be part of the scheme + // e.g. ssha.hex forces a hex encoded ssha scheme + // possible is "b64" or "hex" + schemeComps = [scheme componentsSeparatedByString: @"."]; + if ([schemeComps count] == 2) + { + NSString *stringEncoding; + // scheme without encoding string is the first item + scheme = [schemeComps objectAtIndex: 0]; + // encoding string is second item + stringEncoding = [schemeComps objectAtIndex: 1]; + if ([stringEncoding caseInsensitiveCompare: @"hex"] == NSOrderedSame) + { + encoding = encHex; + } + else if ([stringEncoding caseInsensitiveCompare: @"b64"] == NSOrderedSame) + { + encoding = encBase64; + } + } + + pass = [self substringWithRange: range]; + return [NSArray arrayWithObjects: scheme, pass, [NSNumber numberWithInt: encoding], nil]; +} + + +- (BOOL) isEqualToCrypted: (NSString *) cryptedPassword + withDefaultScheme: (NSString *) theScheme +{ + NSArray *passInfo; + NSString *selfCrypted; + NSString *pass; + NSString *scheme; + NSData *salt; + NSData *decodedData; + NSNumber *encodingNumber; + keyEncoding encoding; + + // split scheme and pass + passInfo = [cryptedPassword splitPasswordWithDefaultScheme: theScheme]; + + scheme = [passInfo objectAtIndex: 0]; + pass = [passInfo objectAtIndex: 1]; + encodingNumber = [passInfo objectAtIndex: 2]; + encoding = [encodingNumber integerValue]; + + if (encoding == encHex) + { + decodedData = [NSData decodeDataFromHexString: pass]; + + if(decodedData == nil) + { + decodedData = [NSData data]; + } + else + { + // decoding was successful, now make sure + // that the pass is in lowercase since decodeDataFromHexString uses + // lowercase charaters, too + pass = [pass lowercaseString]; + } + } + else if(encoding == encBase64) + { + decodedData = [pass dataByDecodingBase64]; + if(decodedData == nil) + { + decodedData = [NSData data]; + } + } + else + { + decodedData = [pass dataUsingEncoding: NSUTF8StringEncoding]; + } + + salt = [decodedData extractSalt: scheme]; + + // encrypt self with the salt an compare the results + selfCrypted = [self asCryptedPassUsingScheme: scheme + withSalt: salt + andEncoding: encoding]; + // return always false when there was a problem + if (selfCrypted == nil) + return NO; + + if ([selfCrypted isEqualToString: pass] == YES) + return YES; + return NO; +} + +- (NSString *) asCryptedPassUsingScheme: (NSString *) passwordScheme +{ + return [self asCryptedPassUsingScheme: passwordScheme + withSalt: [NSData data] + andEncoding: encDefault]; +} + +- (NSString *) asCryptedPassUsingScheme: (NSString *) passwordScheme + withSalt: (NSData *) theSalt + andEncoding: (keyEncoding) userEncoding +{ + keyEncoding dataEncoding; + NSData* cryptedData; + // convert NSString to NSData and apply encryption scheme + cryptedData = [self dataUsingEncoding: NSUTF8StringEncoding]; + cryptedData = [cryptedData asCryptedPassUsingScheme: passwordScheme withSalt: theSalt]; + // abort on unsupported scheme or error + if (cryptedData == nil) + return nil; + + // use default encoding scheme, when set to default + if (userEncoding == encDefault) + dataEncoding = [NSString getDefaultEncodingForScheme: passwordScheme]; + else + dataEncoding = userEncoding; + + if (dataEncoding == encHex) + { + // hex encoding + return [NSData encodeDataAsHexString: cryptedData]; + } + else if(dataEncoding == encBase64) + { + // base64 encoding + NSString *s = [[NSString alloc] initWithData: [cryptedData dataByEncodingBase64WithLineLength: 1024] + encoding: NSASCIIStringEncoding]; + return [s autorelease]; + } + + // plain string + return [[[NSString alloc] initWithData: cryptedData encoding: NSUTF8StringEncoding] autorelease]; +} + ++ (keyEncoding) getDefaultEncodingForScheme: (NSString *) passwordScheme +{ + // in order to keep backwards-compatibility, hex encoding is used for sha1 here + if ([passwordScheme caseInsensitiveCompare: @"md5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"plain-md5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"sha"] == NSOrderedSame) + { + return encHex; + } + else if ([passwordScheme caseInsensitiveCompare: @"smd5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"ldap-md5"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"ssha"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"sha256"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"ssha256"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"sha512"] == NSOrderedSame || + [passwordScheme caseInsensitiveCompare: @"ssha512"] == NSOrderedSame) + { + return encBase64; + } + return encPlain; +} + +// backwards-compatibility +- (NSString *) asSHA1String; +{ + NSData *cryptData; + cryptData = [self dataUsingEncoding: NSUTF8StringEncoding]; + return [NSData encodeDataAsHexString: [cryptData asSHA1] ]; +} + +// backwards-compatibility +- (NSString *) asMD5String; +{ + NSData *cryptData; + cryptData = [self dataUsingEncoding: NSUTF8StringEncoding]; + return [NSData encodeDataAsHexString: [cryptData asMD5] ]; +} + +@end ============================================================ --- SoObjects/SOGo/NSString+Utilities.h d2661ef19253d96d64dcf11127ffe6882f90b4d4 +++ SoObjects/SOGo/NSString+Utilities.h c38d80d6ebe9592a9f2ee954282718d7265dec51 @@ -66,10 +66,6 @@ - (id) objectFromJSONString; -- (NSString *) asCryptStringUsingSalt: (NSString *) theSalt; -- (NSString *) asMD5String; -- (NSString *) asSHA1String; - - (NSString *) asSafeSQLString; - (NSUInteger) countOccurrencesOfString: (NSString *) substring; ============================================================ --- SoObjects/SOGo/NSString+Utilities.m 800b97cfc8f806e14c310ed8628c94a9934fd80a +++ SoObjects/SOGo/NSString+Utilities.m eb4c7cd585c64cb8fb0273c3e89be36da11e5f24 @@ -21,10 +21,6 @@ * Boston, MA 02111-1307, USA. */ -#ifndef __OpenBSD__ -#include -#endif - #import #import #import @@ -45,12 +41,6 @@ #import "NSString+Utilities.h" -#define _XOPEN_SOURCE 1 -#include -#include -#include -#include - static NSMutableCharacterSet *urlNonEndingChars = nil; static NSMutableCharacterSet *urlAfterEndingChars = nil; static NSMutableCharacterSet *urlStartChars = nil; @@ -534,48 +524,6 @@ static int cssEscapingCount; return object; } -- (NSString *) asCryptStringUsingSalt: (NSString *) theSalt -{ - char *buf; - - // The salt is weak here, but who cares anyway, crypt should not - // be used anymore - buf = crypt([self UTF8String], [theSalt UTF8String]); - return [NSString stringWithUTF8String: buf]; -} - -- (NSString *) asMD5String -{ - unsigned char md[MD5_DIGEST_LENGTH]; - char buf[80]; - int i; - - memset(md, 0, MD5_DIGEST_LENGTH); - memset(buf, 0, 80); - - EVP_Digest((const void *) [self UTF8String], strlen([self UTF8String]), md, NULL, EVP_md5(), NULL); - for (i = 0; i < MD5_DIGEST_LENGTH; i++) - sprintf(&(buf[i*2]), "%02x", md[i]); - - return [NSString stringWithUTF8String: buf]; -} - -- (NSString *) asSHA1String -{ - unsigned char sha[SHA_DIGEST_LENGTH]; - char buf[80]; - int i; - - memset(sha, 0, SHA_DIGEST_LENGTH); - memset(buf, 0, 80); - - SHA1((const void *)[self UTF8String], strlen([self UTF8String]), sha); - for (i = 0; i < SHA_DIGEST_LENGTH; i++) - sprintf(&(buf[i*2]), "%02x", sha[i]); - - return [NSString stringWithUTF8String: buf]; -} - - (NSString *) asSafeSQLString { return [[self stringByReplacingString: @"\\" withString: @"\\\\"] ============================================================ --- SoObjects/SOGo/SOGoUserManager.m 9bf968b36558145edd71840dd180876c1d5d7175 +++ SoObjects/SOGo/SOGoUserManager.m 344659dcdf8d929bb824d8856d05c1de85ce801e @@ -33,6 +33,7 @@ #import "NSArray+Utilities.h" #import "NSString+Utilities.h" +#import "NSString+Crypto.h" #import "NSObject+Utilities.h" #import "SOGoDomainDefaults.h" #import "SOGoSource.h" ============================================================ --- SoObjects/SOGo/SQLSource.m 8e7fb09f6d34231ed0e1c57db516961d7a8bf0bb +++ SoObjects/SOGo/SQLSource.m 3928a5ed6dca41cf9fa04a0f15c964b13d000747 @@ -39,6 +39,7 @@ #import "SOGoConstants.h" #import "NSString+Utilities.h" +#import "NSString+Crypto.h" #import "SQLSource.h" @@ -47,7 +48,7 @@ * * c_uid - will be used for authentication - it's a username or username@domain.tld) * c_name - which can be identical to c_uid - will be used to uniquely identify entries) - * c_password - password of the user, plain-text, md5 or sha encoded for now + * c_password - password of the user, possible values: plain, md5, sha, ssha, sha256, ssha256, ssha2512, smd5, crypt, md5-crypt (with or without ".hex" or ".b64" appended) * c_cn - the user's common name * mail - the user's mail address * @@ -157,28 +158,8 @@ if (!plainPassword || !encryptedPassword) return NO; - if ([_userPasswordAlgorithm caseInsensitiveCompare: @"none"] == NSOrderedSame) - { - return [plainPassword isEqualToString: encryptedPassword]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"crypt"] == NSOrderedSame) - { - return [[plainPassword asCryptStringUsingSalt: encryptedPassword] isEqualToString: encryptedPassword]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"md5"] == NSOrderedSame) - { - return [[plainPassword asMD5String] isEqualToString: encryptedPassword]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"sha"] == NSOrderedSame) - { - - return [[plainPassword asSHA1String] isEqualToString: encryptedPassword]; - } - - - [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm]; - - return NO; + return [plainPassword isEqualToCrypted: encryptedPassword + withDefaultScheme: _userPasswordAlgorithm]; } /** @@ -189,26 +170,13 @@ */ - (NSString *) _encryptPassword: (NSString *) plainPassword { - if ([_userPasswordAlgorithm caseInsensitiveCompare: @"none"] == NSOrderedSame) - { - return plainPassword; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"crypt"] == NSOrderedSame) - { - return [plainPassword asCryptStringUsingSalt: [plainPassword asMD5String]]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"md5"] == NSOrderedSame) - { - return [plainPassword asMD5String]; - } - else if ([_userPasswordAlgorithm caseInsensitiveCompare: @"sha"] == NSOrderedSame) - { - return [plainPassword asSHA1String]; - } - - [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm]; - - return plainPassword; + NSString *password; + password = [plainPassword asCryptedPassUsingScheme: _userPasswordAlgorithm]; + + if (password == nil) + [self errorWithFormat: @"Unsupported user-password algorithm: %@", _userPasswordAlgorithm]; + + return [NSString stringWithFormat: @"{%@}%@", _userPasswordAlgorithm, password]; } //