passwordbasedauthentication.h File Reference

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	PBASettings

Macros
#define	MAX_PEPPER_SIZE   4
#define	COUNT_DEFAULT   20000
#define	PREFIX_DEFAULT   "$6$"

Enumerations
enum	pba_rc { VALID , UPDATE_RECOMMENDED , INVALID , ERR }

Functions
struct PBASettings *	pba_init (const char *pepper, unsigned int pepper_size, unsigned int count, char *prefix)
char *	pba_hash (struct PBASettings *setting, const char *password)
enum pba_rc	pba_verify_hash (const struct PBASettings *settings, const char *hash, const char *password)
void	pba_finalize (struct PBASettings *settings)

Macro Definition Documentation

COUNT_DEFAULT

#define COUNT_DEFAULT   20000

Definition at line 12 of file passwordbasedauthentication.h.

MAX_PEPPER_SIZE

#define MAX_PEPPER_SIZE   4

Definition at line 10 of file passwordbasedauthentication.h.

PREFIX_DEFAULT

#define PREFIX_DEFAULT   "$6$"

Definition at line 14 of file passwordbasedauthentication.h.

Enumeration Type Documentation

pba_rc

enum pba_rc

Enumerator
VALID
UPDATE_RECOMMENDED
INVALID
ERR

Definition at line 45 of file passwordbasedauthentication.h.

{
  VALID,              /* hash and password are correct */
  UPDATE_RECOMMENDED, /* password is correct but in an outdated format*/
  INVALID,            /* password is incorrect */
  ERR,                /* unexpected error */
};

Function Documentation

pba_finalize()

void pba_finalize

(

struct PBASettings *

settings

)

Definition at line 152 of file passwordbasedauthentication.c.

{
  free (settings);
}

Referenced by Ensure().

Here is the caller graph for this function:

pba_hash()

char * pba_hash	(	struct PBASettings *	setting,
		const char *	password
	)

pba_hash tries to create a hash based SETTING and PASSWORD. Returns a hash on success or a NULL pointer on failure

Definition at line 168 of file passwordbasedauthentication.c.

{
  char *result = NULL, *settings = NULL, *tmp, *rslt;
  int i;
  struct crypt_data *data = NULL;
 
  if (!setting || !password)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  settings = malloc (CRYPT_GENSALT_OUTPUT_SIZE);
  if (crypt_gensalt_r (setting->prefix, setting->count, NULL, 0, settings,
                       CRYPT_GENSALT_OUTPUT_SIZE)
      == NULL)
    goto exit;
  tmp = settings + strlen (settings) - 1;
  for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
    {
      if (setting->pepper[i] != 0)
        tmp[0] = setting->pepper[i];
      tmp--;
    }
 
  data = calloc (1, sizeof (struct crypt_data));
  rslt = crypt_r (password, settings, data);
  if (rslt == NULL)
    goto exit;
  result = calloc (1, CRYPT_OUTPUT_SIZE);
  memcpy (result, rslt, CRYPT_OUTPUT_SIZE);
  // remove pepper, by jumping to begin of applied pepper within result
  // and overriding it.
  tmp = result + (tmp - settings);
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    {
      tmp++;
      if (setting->pepper[i] != 0)
        tmp[0] = '0';
    }
exit:
  if (data != NULL)
    free (data);
  if (settings != NULL)
    free (settings);
  return result;
}

References PBASettings::count, CRYPT_GENSALT_OUTPUT_SIZE, crypt_gensalt_r(), CRYPT_OUTPUT_SIZE, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, and PBASettings::prefix.

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

pba_init()

struct PBASettings * pba_init	(	const char *	pepper,
		unsigned int	pepper_size,
		unsigned int	count,
		char *	prefix
	)

Intitializes PBASettings with given PEPPER, PREFIX, COUNT.

PEPPER_SIZE must be lower or equal MAX_PEPPER_SIZE when PEPPER is set, when PEPPER is a NULL pointer, no pepper will be used and PEPPER_SIZE is ignored.

COUNT is set to COUNT_DEFAULT when it is 0, PREFIX is set to PREFIX_DEFAULT when prefix is a nullpointer.

Returns a pointer to PBASettings on success or NULL on failure.

Definition at line 133 of file passwordbasedauthentication.c.

{
  unsigned int i = 0;
  struct PBASettings *result = NULL;
  if (pepper_size > MAX_PEPPER_SIZE)
    goto exit;
  if (prefix != NULL && !is_prefix_supported (prefix))
    goto exit;
  result = malloc (sizeof (struct PBASettings));
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    result->pepper[i] = pepper != NULL && i < pepper_size ? pepper[i] : 0;
  result->count = count == 0 ? COUNT_DEFAULT : count;
  result->prefix = prefix == NULL ? PREFIX_DEFAULT : prefix;
exit:
  return result;
}

References PBASettings::count, COUNT_DEFAULT, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, PBASettings::prefix, and PREFIX_DEFAULT.

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

pba_verify_hash()

enum pba_rc pba_verify_hash	(	const struct PBASettings *	settings,
		const char *	hash,
		const char *	password
	)

pba_verify_hash tries to create hash based on PASSWORD and settings found via HASH and compares that with HASH.

Returns VALID if HASH and PASSWORD are correct; UPDATE_RECOMMENDED when the HASH and PASSWORD are correct but based on a deprecated algorithm; IVALID if HASH does not match PASSWORD; ERR if an unexpected error occurs.

Definition at line 215 of file passwordbasedauthentication.c.

{
  char *cmp, *tmp = NULL;
  struct crypt_data *data = NULL;
  int i = 0;
  enum pba_rc result = ERR;
 
  char *invalid_hash = calloc (1, CRYPT_OUTPUT_SIZE);
  memset (invalid_hash, 0, CRYPT_OUTPUT_SIZE);
  memcpy (invalid_hash, INVALID_HASH, strlen (INVALID_HASH));
 
  if (!setting)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  if (pba_is_phc_compliant (hash) != 0)
    {
      int hash_size;
      hash_size = hash ? strlen (hash) : strlen (invalid_hash);
 
      data = calloc (1, sizeof (struct crypt_data));
      // manipulate hash to reapply pepper
      tmp = calloc (1, CRYPT_OUTPUT_SIZE);
 
      memset (tmp, 0, CRYPT_OUTPUT_SIZE);
      memcpy (tmp, hash ? hash : invalid_hash,
              (hash_size < CRYPT_OUTPUT_SIZE) ? hash_size
                                              : CRYPT_OUTPUT_SIZE - 1);
      cmp = strrchr (tmp, '$');
      for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
        {
          cmp--;
          if (setting->pepper[i] != 0)
            cmp[0] = setting->pepper[i];
        }
      // some crypt_r implementations cannot handle if password is a
      // NULL pointer and run into SEGMENTATION faults.
      // Therefore we set it to ""
      cmp = crypt_r (password ? password : "", tmp, data);
      if (strcmp (tmp, cmp) == 0)
        result = VALID;
      else
        result = INVALID;
    }
  else
    {
      // assume authutils hash handling
      // initialize gvm_auth utils if not already initialized
      if (initialized == FALSE && gvm_auth_init () != 0)
        {
          goto exit;
        }
      // verify result of gvm_authenticate_classic
      i = gvm_authenticate_classic (NULL, password, hash);
      if (i == 0)
        result = UPDATE_RECOMMENDED;
      else if (i == 1)
        result = INVALID;
    }
exit:
  free (invalid_hash);
  if (data != NULL)
    free (data);
  if (tmp != NULL)
    free (tmp);
  return result;
}

References CRYPT_OUTPUT_SIZE, ERR, gvm_auth_init(), gvm_authenticate_classic(), initialized, INVALID, INVALID_HASH, is_prefix_supported(), MAX_PEPPER_SIZE, pba_is_phc_compliant(), PBASettings::pepper, PBASettings::prefix, UPDATE_RECOMMENDED, and VALID.

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function: