authutils.c

Go to the documentation of this file.

/* SPDX-FileCopyrightText: 2009-2023 Greenbone AG
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
 
#include "authutils.h"
 
#include <gcrypt.h> /* for gcry_md_get_algo_dlen, gcry_control, gcry_md_alg... */
#include <string.h> /* for strcmp */
 
#undef G_LOG_DOMAIN
 
#define G_LOG_DOMAIN "libgvm util"
 
static const gchar *authentication_methods[] = {"file", "ldap_connect",
                                                "radius_connect", NULL};
 
static gboolean initialized = FALSE;
 
int
gvm_auth_ldap_enabled (void)
{
#ifdef ENABLE_LDAP_AUTH
  return 1;
#else
  return 0;
#endif /* ENABLE_LDAP_AUTH */
}
 
int
gvm_auth_radius_enabled (void)
{
#ifdef ENABLE_RADIUS_AUTH
  return 1;
#else
  return 0;
#endif /* ENABLE_RADIUS_AUTH */
}
 
const gchar *
auth_method_name (auth_method_t method)
{
  if (method >= AUTHENTICATION_METHOD_LAST)
    return "ERROR";
  return authentication_methods[method];
}
 
int
gvm_auth_init (void)
{
  if (initialized == TRUE)
    {
      g_warning ("gvm_auth_init called a second time.");
      return -1;
    }
 
  /* Init Libgcrypt. */
 
  /* Check if libgcrypt is already initialized */
  if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
    {
      initialized = TRUE;
      return 0;
    }
 
  /* Version check should be the very first call because it makes sure that
   * important subsystems are initialized.
   * We pass NULL to gcry_check_version to disable the internal version mismatch
   * test. */
  if (!gcry_check_version (NULL))
    {
      g_critical ("%s: libgcrypt version check failed\n", __func__);
      return -1;
    }
 
  /* We don't want to see any warnings, e.g. because we have not yet parsed
   * program options which might be used to suppress such warnings. */
  gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
 
  /* ... If required, other initialization goes here.  Note that the process
   * might still be running with increased privileges and that the secure
   * memory has not been initialized. */
 
  /* Allocate a pool of 16k secure memory.  This make the secure memory
   * available and also drops privileges where needed. */
  gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
 
  /* It is now okay to let Libgcrypt complain when there was/is a problem with
   * the secure memory. */
  gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
 
  /* ... If required, other initialization goes here. */
 
  /* Tell Libgcrypt that initialization has completed. */
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 
  initialized = TRUE;
 
  return 0;
}
 
gchar *
digest_hex (int gcrypt_algorithm, const guchar *digest)
{
  unsigned int i;
  gchar *hex;
 
  gcry_error_t err = gcry_md_test_algo (gcrypt_algorithm);
  if (err != 0)
    {
      g_warning ("Could not select gcrypt algorithm: %s", gcry_strerror (err));
      return NULL;
    }
 
  hex = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm) * 2 + 1);
  for (i = 0; i < gcry_md_get_algo_dlen (gcrypt_algorithm); i++)
    {
      g_snprintf (hex + i * 2, 3, "%02x", digest[i]);
    }
 
  return hex;
}
 
gchar *
get_password_hashes (const gchar *password)
{
  g_assert (password);
 
  unsigned char *nonce_buffer[256];
  guchar *seed = g_malloc0 (gcry_md_get_algo_dlen (GCRY_MD_MD5));
  gchar *seed_hex = NULL;
  gchar *seed_pass = NULL;
  guchar *hash = g_malloc0 (gcry_md_get_algo_dlen (GCRY_MD_MD5));
  gchar *hash_hex = NULL;
  gchar *hashes_out = NULL;
 
  gcry_create_nonce (nonce_buffer, 256);
  gcry_md_hash_buffer (GCRY_MD_MD5, seed, nonce_buffer, 256);
  seed_hex = digest_hex (GCRY_MD_MD5, seed);
  seed_pass = g_strconcat (seed_hex, password, NULL);
  gcry_md_hash_buffer (GCRY_MD_MD5, hash, seed_pass, strlen (seed_pass));
  hash_hex = digest_hex (GCRY_MD_MD5, hash);
 
  hashes_out = g_strjoin (" ", hash_hex, seed_hex, NULL);
 
  g_free (seed);
  g_free (seed_hex);
  g_free (seed_pass);
  g_free (hash);
  g_free (hash_hex);
 
  return hashes_out;
}
 
gchar *
get_md5_hash_from_string (const gchar *string)
{
  g_assert (string);
 
  gchar *hash_hex = NULL;
  guchar *hash = g_malloc0 (gcry_md_get_algo_dlen (GCRY_MD_MD5));
 
  gcry_md_hash_buffer (GCRY_MD_MD5, hash, string, strlen (string));
  hash_hex = digest_hex (GCRY_MD_MD5, hash);
 
  g_free (hash);
 
  return hash_hex;
}
 
int
gvm_authenticate_classic (const gchar *username, const gchar *password,
                          const gchar *hash_arg)
{
  int gcrypt_algorithm = GCRY_MD_MD5; // FIX whatever configure used
  int ret;
  gchar *actual, *expect, *seed_pass;
  guchar *hash;
  gchar *hash_hex, **seed_hex, **split;
 
  (void) username;
  if (hash_arg == NULL)
    return 1;
  actual = g_strdup (hash_arg);
 
  split = g_strsplit_set (g_strchomp (actual), " ", 2);
  seed_hex = split + 1;
  if (*split == NULL || *seed_hex == NULL)
    {
      g_warning ("Failed to split auth contents.");
      g_strfreev (split);
      g_free (actual);
      return -1;
    }
 
  seed_pass = g_strconcat (*seed_hex, password, NULL);
  hash = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm));
  gcry_md_hash_buffer (GCRY_MD_MD5, hash, seed_pass, strlen (seed_pass));
  hash_hex = digest_hex (GCRY_MD_MD5, hash);
 
  expect = g_strjoin (" ", hash_hex, *seed_hex, NULL);
 
  g_strfreev (split);
  g_free (seed_pass);
  g_free (hash);
  g_free (hash_hex);
 
  ret = strcmp (expect, actual) ? 1 : 0;
  g_free (expect);
  g_free (actual);
  return ret;
}