Wed, 27 Nov 2024 23:00:07 +0100
add TODO to use a future ucx feature
/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright 2013 Olaf Wintermann. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <openssl/sha.h> #if defined(__sun) && defined(__SunOS_5_10) #include <sha2.h> #define SHA256_Init SHA256Init #define SHA256_Update SHA256Update #define SHA256_Final SHA256Final #endif #include "../util/atomic.h" #include "../util/util.h" #include <cx/hash_map.h> #include "keyfile_auth.h" Keyfile* keyfile_new(CxAllocator *a) { Keyfile *keyfile = cxCalloc(a, 1, sizeof(Keyfile)); if(!keyfile) { return NULL; } keyfile->authdb.get_user = keyfile_get_user; keyfile->authdb.use_cache = 0; keyfile->users = cxHashMapCreate(a, CX_STORE_POINTERS, 16); return keyfile; } int keyfile_add_user( Keyfile *keyfile, cxmutstr name, enum KeyfileHashType hash_type, cxmutstr hash, cxmutstr *groups, size_t ngroups) { const CxAllocator *a = keyfile->users->allocator; if(hash.length < 12) { // hash too short // TODO: log return -1; } KeyfileUser *user = cxMalloc(a, sizeof(KeyfileUser)); user->user.name = cx_strdup_a(a, cx_strcast(name)).ptr; user->user.uid = -1; user->user.gid = -1; user->user.verify_password = keyfile_user_verify_password; user->user.check_group = keyfile_user_check_group; user->user.free = keyfile_user_free; user->hash_type = hash_type; user->hash = cxMalloc(a, hash.length + 1); if(!user->user.name || !user->hash) { return -1; } user->hashlen = util_base64decode(hash.ptr, hash.length, user->hash); if(ngroups > 0) { user->groups = cxCalloc(a, ngroups, sizeof(cxmutstr)); if(!user->groups) { return -1; } for(int i=0;i<ngroups;i++) { user->groups[i] = cx_strdup_a(a, cx_strcast(groups[i])); } } else { user->groups = NULL; } // add to keyfile return cxMapPut(keyfile->users, cx_hash_key(name.ptr, name.length), user); } // authdb functions User* keyfile_get_user(AuthDB *db, Session *sn, Request *rq, const char *user) { Keyfile *keyfile = (Keyfile*)db; return cxMapGet(keyfile->users, cx_hash_key_str(user)); } int keyfile_user_verify_password(User *user, const char *password) { KeyfileUser *usr = (KeyfileUser*)user; return ssha_verify(usr, password); } int keyfile_user_check_group(User *user, const char *group) { KeyfileUser *usr = (KeyfileUser*)user; cxstring grp = cx_str(group); for(int i=0;i<usr->numgroups;i++) { if(!cx_strcmp(cx_strcast(usr->groups[i]), grp)) { return 1; } } return 0; } void keyfile_user_free(User *user) { // don't free, it will be freed by keyfile_unref } int ssha_verify(KeyfileUser *user, const char *password) { /* * SSHA: SHA(pw + salt) + salt * user->hash is already base64 decoded */ size_t hlen; switch(user->hash_type) { case KEYFILE_SSHA: hlen = 20; break; case KEYFILE_SSHA256: hlen = 32; break; case KEYFILE_SSHA512: hlen = 64; break; } char *salt = user->hash + hlen; size_t saltlen = user->hashlen - hlen; size_t pwlen = strlen(password); unsigned char pwhash[64]; switch(user->hash_type) { case KEYFILE_SSHA: { SHA_CTX ctx; SHA1_Init(&ctx); SHA1_Update(&ctx, password, pwlen); SHA1_Update(&ctx, salt, saltlen); SHA1_Final(pwhash, &ctx); break; } case KEYFILE_SSHA256: { SHA256_CTX ctx; SHA256_Init(&ctx); SHA256_Update(&ctx, password, pwlen); SHA256_Update(&ctx, salt, saltlen); SHA256_Final(pwhash, &ctx); break; } case KEYFILE_SSHA512: { SHA512_CTX ctx; SHA512_Init(&ctx); SHA512_Update(&ctx, password, pwlen); SHA512_Update(&ctx, salt, saltlen); SHA512_Final(pwhash, &ctx); break; } } if(!memcmp(user->hash, pwhash, hlen)) { return 1; } else { return 0; } }