src/server/daemon/keyfile_auth.c

Sun, 11 Aug 2024 10:09:20 +0200

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Sun, 11 Aug 2024 10:09:20 +0200
changeset 540
d9c3c23c635b
parent 490
d218607f5a7e
permissions
-rw-r--r--

fix netbuf_getbytes prematurely returns NETBUF_EOF

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2013 Olaf Wintermann. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *   1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *
 *   2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/sha.h>
#if defined(__sun) && defined(__SunOS_5_10)
#include <sha2.h>
#define SHA256_Init     SHA256Init
#define SHA256_Update   SHA256Update
#define SHA256_Final    SHA256Final
#endif

#include "../util/atomic.h"
#include "../util/util.h"

#include <cx/hash_map.h>

#include "keyfile_auth.h"

Keyfile* keyfile_new(CxAllocator *a) {
    Keyfile *keyfile = cxCalloc(a, 1, sizeof(Keyfile));
    if(!keyfile) {
        return NULL;
    }
    keyfile->authdb.get_user = keyfile_get_user;
    keyfile->authdb.use_cache = 0;
    keyfile->users = cxHashMapCreate(a, CX_STORE_POINTERS, 16);
    return keyfile;
}

int keyfile_add_user(
        Keyfile *keyfile,
        cxmutstr name,
        enum KeyfileHashType hash_type,
        cxmutstr hash,
        cxmutstr *groups,
        size_t ngroups)
{
    const CxAllocator *a = keyfile->users->allocator;
    
    if(hash.length < 12) {
        // hash too short
        // TODO: log
        return -1;
    }
    
    KeyfileUser *user = cxMalloc(a, sizeof(KeyfileUser));
    user->user.name = cx_strdup_a(a, cx_strcast(name)).ptr;
    user->user.uid = -1;
    user->user.gid = -1;
    user->user.verify_password = keyfile_user_verify_password;
    user->user.check_group = keyfile_user_check_group;
    user->user.free = keyfile_user_free;
    
    user->hash_type = hash_type;
    user->hash = cxMalloc(a, hash.length + 1);
    
    if(!user->user.name || !user->hash) {
        return -1;
    }
    
    user->hashlen = util_base64decode(hash.ptr, hash.length, user->hash);
    
    if(ngroups > 0) {
        user->groups = cxCalloc(a, ngroups, sizeof(cxmutstr));
        if(!user->groups) {
            return -1;
        }
        for(int i=0;i<ngroups;i++) {
            user->groups[i] = cx_strdup_a(a, cx_strcast(groups[i]));
        }
        
    } else {
        user->groups = NULL;
    }
    
    // add to keyfile
    return cxMapPut(keyfile->users, cx_hash_key(name.ptr, name.length), user);
}

// authdb functions

User* keyfile_get_user(AuthDB *db, Session *sn, Request *rq, const char *user) {
    Keyfile *keyfile = (Keyfile*)db;
    return cxMapGet(keyfile->users, cx_hash_key_str(user));
}

int keyfile_user_verify_password(User *user, const char *password) {
    KeyfileUser *usr = (KeyfileUser*)user;
    return ssha_verify(usr, password);
}

int keyfile_user_check_group(User *user, const char *group) {
    KeyfileUser *usr = (KeyfileUser*)user;
    cxstring grp = cx_str(group);
    for(int i=0;i<usr->numgroups;i++) {
        if(!cx_strcmp(cx_strcast(usr->groups[i]), grp)) {
            return 1;
        }
    }
    return 0;
}

void keyfile_user_free(User *user) {
    // don't free, it will be freed by keyfile_unref
}


int ssha_verify(KeyfileUser *user, const char *password) {
    /*
     * SSHA: SHA(pw + salt) + salt
     * user->hash is already base64 decoded
     */
    
    size_t hlen;
    switch(user->hash_type) {
        case KEYFILE_SSHA: hlen = 20; break;
        case KEYFILE_SSHA256: hlen = 32; break;
        case KEYFILE_SSHA512: hlen = 64; break;
    }
    
    char *salt = user->hash + hlen;
    size_t saltlen = user->hashlen - hlen;
    
    size_t pwlen = strlen(password); 
    
    unsigned char pwhash[64];
    switch(user->hash_type) {
        case KEYFILE_SSHA: {
            SHA_CTX ctx;
            SHA1_Init(&ctx);
            SHA1_Update(&ctx, password, pwlen);
            SHA1_Update(&ctx, salt, saltlen);
            SHA1_Final(pwhash, &ctx);
            break;
        }
        case KEYFILE_SSHA256: {
            SHA256_CTX ctx;
            SHA256_Init(&ctx);
            SHA256_Update(&ctx, password, pwlen);
            SHA256_Update(&ctx, salt, saltlen);
            SHA256_Final(pwhash, &ctx);
            break;
        }
        case KEYFILE_SSHA512: {
            SHA512_CTX ctx;
            SHA512_Init(&ctx);
            SHA512_Update(&ctx, password, pwlen);
            SHA512_Update(&ctx, salt, saltlen);
            SHA512_Final(pwhash, &ctx);
            break;
        }
    }
    
    if(!memcmp(user->hash, pwhash, hlen)) {
        return 1;
    } else {
        return 0;
    }
}

mercurial