#include "passwordbasedauthentication.h"
#include "authutils.c"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>

Include dependency graph for passwordbasedauthentication.c:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros
#define	__USE_GNU

#define	INVALID_HASH "1234567890$"

#define	CRYPT_GENSALT_OUTPUT_SIZE 192

#define	CRYPT_OUTPUT_SIZE 384

Functions
static int	is_prefix_supported (const char *id)

static int	get_random (char *buf, size_t buflen)

char *	crypt_gensalt_r (const char prefix, unsigned long count, const char rbytes, int nrbytes, char *output, int output_size)

struct PBASettings *	pba_init (const char pepper, unsigned int pepper_size, unsigned int count, char prefix)

void	pba_finalize (struct PBASettings *settings)

static int	pba_is_phc_compliant (const char *setting)

char *	pba_hash (struct PBASettings setting, const char password)

enum pba_rc	pba_verify_hash (const struct PBASettings setting, const char hash, const char *password)

Variables
const char	ascii64 [64]

Macro Definition Documentation

◆ __USE_GNU

#define __USE_GNU

Definition at line 16 of file passwordbasedauthentication.c.

◆ CRYPT_GENSALT_OUTPUT_SIZE

#define CRYPT_GENSALT_OUTPUT_SIZE 192

Definition at line 24 of file passwordbasedauthentication.c.

◆ CRYPT_OUTPUT_SIZE

#define CRYPT_OUTPUT_SIZE 384

Definition at line 28 of file passwordbasedauthentication.c.

◆ INVALID_HASH

#define INVALID_HASH "1234567890$"

Definition at line 22 of file passwordbasedauthentication.c.

Function Documentation

◆ crypt_gensalt_r()

char * crypt_gensalt_r	(	const char *	prefix,
		unsigned long	count,
		const char *	rbytes,
		int	nrbytes,
		char *	output,
		int	output_size
	)

Definition at line 85 of file passwordbasedauthentication.c.

{
  char *internal_rbytes = NULL;
  unsigned int written = 0, used = 0;
  unsigned long value = 0;
  if ((rbytes != NULL && nrbytes < 3) || output_size < 16
      || !is_prefix_supported (prefix))
    {
      output[0] = '*';
      goto exit;
    }
  if (rbytes == NULL)
    {
      internal_rbytes = malloc (16);
      if (get_random (internal_rbytes, 16) != 0)
        {
          output[0] = '*';
          goto exit;
        }
      nrbytes = 16;
      rbytes = internal_rbytes;
    }
  written = snprintf (output, output_size, "%srounds=%lu$",
                      prefix == NULL ? PREFIX_DEFAULT : prefix, count);
  while (written + 5 < (unsigned int) output_size
         && used + 3 < (unsigned int) nrbytes && (used * 4 / 3) < 16)
    {
      value = ((unsigned long) rbytes[used + 0] << 0)
              | ((unsigned long) rbytes[used + 1] << 8)
              | ((unsigned long) rbytes[used + 2] << 16);
      output[written] = ascii64[value & 0x3f];
      output[written + 1] = ascii64[(value >> 6) & 0x3f];
      output[written + 2] = ascii64[(value >> 12) & 0x3f];
      output[written + 3] = ascii64[(value >> 18) & 0x3f];
      written += 4;
      used += 3;
    }
  output[written] = '\0';
exit:
  if (internal_rbytes != NULL)
    free (internal_rbytes);
  return output[0] == '*' ? 0 : output;
}

References ascii64, get_random(), is_prefix_supported(), and PREFIX_DEFAULT.

Referenced by pba_hash().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ get_random()

static int get_random	(	char *	buf,
		size_t	buflen
	)

static

Definition at line 49 of file passwordbasedauthentication.c.

{
  FILE *fp = fopen ("/dev/urandom", "r");
  int result = 0;
  if (fp == NULL)
    {
      result = -1;
      goto exit;
    }
  size_t nread = fread (buf, 1, buflen, fp);
  fclose (fp);
  if (nread < buflen)
    {
      result = -2;
    }
 
exit:
  return result;
}

Referenced by crypt_gensalt_r().

Here is the caller graph for this function:

◆ is_prefix_supported()

static int is_prefix_supported ( const char * id )

static

Definition at line 32 of file passwordbasedauthentication.c.

{
  return strcmp (PREFIX_DEFAULT, id) == 0;
}

References PREFIX_DEFAULT.

Referenced by crypt_gensalt_r(), pba_hash(), pba_init(), and pba_verify_hash().

Here is the caller graph for this function:

◆ pba_finalize()

void pba_finalize ( struct PBASettings * settings )

Definition at line 152 of file passwordbasedauthentication.c.

{
  free (settings);
}

Referenced by Ensure().

Here is the caller graph for this function:

◆ pba_hash()

char * pba_hash	(	struct PBASettings *	setting,
		const char *	password
	)

pba_hash tries to create a hash based SETTING and PASSWORD. Returns a hash on success or a NULL pointer on failure

Definition at line 168 of file passwordbasedauthentication.c.

{
  char *result = NULL, *settings = NULL, *tmp, *rslt;
  int i;
  struct crypt_data *data = NULL;
 
  if (!setting || !password)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  settings = malloc (CRYPT_GENSALT_OUTPUT_SIZE);
  if (crypt_gensalt_r (setting->prefix, setting->count, NULL, 0, settings,
                       CRYPT_GENSALT_OUTPUT_SIZE)
      == NULL)
    goto exit;
  tmp = settings + strlen (settings) - 1;
  for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
    {
      if (setting->pepper[i] != 0)
        tmp[0] = setting->pepper[i];
      tmp--;
    }
 
  data = calloc (1, sizeof (struct crypt_data));
  rslt = crypt_r (password, settings, data);
  if (rslt == NULL)
    goto exit;
  result = calloc (1, CRYPT_OUTPUT_SIZE);
  memcpy (result, rslt, CRYPT_OUTPUT_SIZE);
  // remove pepper, by jumping to begin of applied pepper within result
  // and overriding it.
  tmp = result + (tmp - settings);
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    {
      tmp++;
      if (setting->pepper[i] != 0)
        tmp[0] = '0';
    }
exit:
  if (data != NULL)
    free (data);
  if (settings != NULL)
    free (settings);
  return result;
}

References PBASettings::count, CRYPT_GENSALT_OUTPUT_SIZE, crypt_gensalt_r(), CRYPT_OUTPUT_SIZE, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, and PBASettings::prefix.

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ pba_init()

struct PBASettings * pba_init	(	const char *	pepper,
		unsigned int	pepper_size,
		unsigned int	count,
		char *	prefix
	)

Intitializes PBASettings with given PEPPER, PREFIX, COUNT.

PEPPER_SIZE must be lower or equal MAX_PEPPER_SIZE when PEPPER is set, when PEPPER is a NULL pointer, no pepper will be used and PEPPER_SIZE is ignored.

COUNT is set to COUNT_DEFAULT when it is 0, PREFIX is set to PREFIX_DEFAULT when prefix is a nullpointer.

Returns a pointer to PBASettings on success or NULL on failure.

Definition at line 133 of file passwordbasedauthentication.c.

{
  unsigned int i = 0;
  struct PBASettings *result = NULL;
  if (pepper_size > MAX_PEPPER_SIZE)
    goto exit;
  if (prefix != NULL && !is_prefix_supported (prefix))
    goto exit;
  result = malloc (sizeof (struct PBASettings));
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    result->pepper[i] = pepper != NULL && i < pepper_size ? pepper[i] : 0;
  result->count = count == 0 ? COUNT_DEFAULT : count;
  result->prefix = prefix == NULL ? PREFIX_DEFAULT : prefix;
exit:
  return result;
}

References PBASettings::count, COUNT_DEFAULT, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, PBASettings::prefix, and PREFIX_DEFAULT.

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ pba_is_phc_compliant()

static int pba_is_phc_compliant ( const char * setting )

static

Definition at line 158 of file passwordbasedauthentication.c.

{
  if (setting == NULL)
    {
      return 1;
    }
  return strlen (setting) > 1 && setting[0] == '$';
}

Referenced by Ensure(), and pba_verify_hash().

Here is the caller graph for this function:

◆ pba_verify_hash()

enum pba_rc pba_verify_hash	(	const struct PBASettings *	settings,
		const char *	hash,
		const char *	password
	)

pba_verify_hash tries to create hash based on PASSWORD and settings found via HASH and compares that with HASH.

Returns VALID if HASH and PASSWORD are correct; UPDATE_RECOMMENDED when the HASH and PASSWORD are correct but based on a deprecated algorithm; IVALID if HASH does not match PASSWORD; ERR if an unexpected error occurs.

Definition at line 215 of file passwordbasedauthentication.c.

{
  char *cmp, *tmp = NULL;
  struct crypt_data *data = NULL;
  int i = 0;
  enum pba_rc result = ERR;
 
  char *invalid_hash = calloc (1, CRYPT_OUTPUT_SIZE);
  memset (invalid_hash, 0, CRYPT_OUTPUT_SIZE);
  memcpy (invalid_hash, INVALID_HASH, strlen (INVALID_HASH));
 
  if (!setting)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  if (pba_is_phc_compliant (hash) != 0)
    {
      int hash_size;
      hash_size = hash ? strlen (hash) : strlen (invalid_hash);
 
      data = calloc (1, sizeof (struct crypt_data));
      // manipulate hash to reapply pepper
      tmp = calloc (1, CRYPT_OUTPUT_SIZE);
 
      memset (tmp, 0, CRYPT_OUTPUT_SIZE);
      memcpy (tmp, hash ? hash : invalid_hash,
              (hash_size < CRYPT_OUTPUT_SIZE) ? hash_size
                                              : CRYPT_OUTPUT_SIZE - 1);
      cmp = strrchr (tmp, '$');
      for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
        {
          cmp--;
          if (setting->pepper[i] != 0)
            cmp[0] = setting->pepper[i];
        }
      // some crypt_r implementations cannot handle if password is a
      // NULL pointer and run into SEGMENTATION faults.
      // Therefore we set it to ""
      cmp = crypt_r (password ? password : "", tmp, data);
      if (strcmp (tmp, cmp) == 0)
        result = VALID;
      else
        result = INVALID;
    }
  else
    {
      // assume authutils hash handling
      // initialize gvm_auth utils if not already initialized
      if (initialized == FALSE && gvm_auth_init () != 0)
        {
          goto exit;
        }
      // verify result of gvm_authenticate_classic
      i = gvm_authenticate_classic (NULL, password, hash);
      if (i == 0)
        result = UPDATE_RECOMMENDED;
      else if (i == 1)
        result = INVALID;
    }
exit:
  free (invalid_hash);
  if (data != NULL)
    free (data);
  if (tmp != NULL)
    free (tmp);
  return result;
}