search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update `NEWS'.
[gnutls.git] / src / crypt.c
blobe45b90ca9aa96e6710f473c0931535b57dac937c
1 /*
2 * Copyright (C) 2004, 2005, 2006, 2007 Simon Josefsson
3 * Copyright (C) 2001,2003 Nikos Mavroyanopoulos
4 * Copyright (C) 2004 Free Software Foundation
5 *
6 * This file is part of GNUTLS.
7 *
8 * GNUTLS is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * GNUTLS is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
21 */
22
23 #include <config.h>
24
25
26
27 #ifndef ENABLE_SRP
28
29 #include <stdio.h>
30
31 int
32 main (int argc, char **argv)
33 {
34 printf ("\nSRP not supported. This program is a dummy.\n\n");
35 return 1;
36 };
37
38 void
39 srptool_version (void)
40 {
41 fprintf (stderr, "GNU TLS dummy srptool.\n");
42 }
43
44 #else
45
46 #include <stdio.h>
47 #include <string.h>
48 #include <stdlib.h>
49 #include <gnutls/gnutls.h>
50 #include <gnutls/extra.h>
51 #include <crypt-gaa.h>
52
53 #include <gc.h> /* for randomize */
54
55 #include <sys/types.h>
56 #include <sys/stat.h>
57
58 #ifndef _WIN32
59 # include <pwd.h>
60 # include <unistd.h>
61 #else
62 # include <windows.h>
63 #endif
64
65 /* Gnulib portability files. */
66 #include <getpass.h>
67
68 #define _MAX(x,y) (x>y?x:y)
69
70 /* This may need some rewrite. A lot of stuff which should be here
71 * are in the library, which is not good.
72 */
73
74 int crypt_int (const char *username, const char *passwd, int salt,
75 char *tpasswd_conf, char *tpasswd, int uindex);
76 static int read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n, char *str);
77 static int _verify_passwd_int (const char *username, const char *passwd,
78 char *verifier, char *salt,
79 const gnutls_datum_t * g,
80 const gnutls_datum_t * n);
81
82 void
83 srptool_version (void)
84 {
85 const char *v = gnutls_check_version (NULL);
86
87 printf ("srptool (GnuTLS) %s\n", LIBGNUTLS_VERSION);
88 if (strcmp (v, LIBGNUTLS_VERSION) != 0)
89 printf ("libgnutls %s\n", v);
90 }
91
92
93 static void
94 print_num (const char *msg, const gnutls_datum_t * num)
95 {
96 unsigned int i;
97
98 printf ("%s:\t", msg);
99
100 for (i = 0; i < num->size; i++)
101 {
102 if (i != 0 && i % 12 == 0)
103 printf ("\n\t");
104 else if (i != 0 && i != num->size)
105 printf (":");
106 printf ("%.2x", num->data[i]);
107 }
108 printf ("\n\n");
109
110 }
111
112 int
113 generate_create_conf (char *tpasswd_conf)
114 {
115 FILE *fd;
116 char line[5 * 1024];
117 int index = 1;
118 gnutls_datum_t g, n;
119 gnutls_datum_t str_g, str_n;
120
121 fd = fopen (tpasswd_conf, "w");
122 if (fd == NULL)
123 {
124 fprintf (stderr, "Cannot open file '%s'\n", tpasswd_conf);
125 return -1;
126 }
127
128 for (index = 1; index <= 3; index++)
129 {
130
131 if (index == 1)
132 {
133 n = gnutls_srp_1024_group_prime;
134 g = gnutls_srp_1024_group_generator;
135 }
136 else if (index == 2)
137 {
138 n = gnutls_srp_1536_group_prime;
139 g = gnutls_srp_1536_group_generator;
140 }
141 else
142 {
143 n = gnutls_srp_2048_group_prime;
144 g = gnutls_srp_2048_group_generator;
145 }
146
147 printf ("\nGroup %d, of %d bits:\n", index, n.size * 8);
148 print_num ("Generator", &g);
149 print_num ("Prime", &n);
150
151 if (gnutls_srp_base64_encode_alloc (&n, &str_n) < 0)
152 {
153 fprintf (stderr, "Could not encode\n");
154 return -1;
155 }
156
157 if (gnutls_srp_base64_encode_alloc (&g, &str_g) < 0)
158 {
159 fprintf (stderr, "Could not encode\n");
160 return -1;
161 }
162
163 sprintf (line, "%d:%s:%s\n", index, str_n.data, str_g.data);
164
165 gnutls_free (str_n.data);
166 gnutls_free (str_g.data);
167
168 fwrite (line, 1, strlen (line), fd);
169
170 }
171
172 fclose (fd);
173
174 return 0;
175
176 }
177
178 /* The format of a tpasswd file is:
179 * username:verifier:salt:index
180 *
181 * index is the index of the prime-generator pair in tpasswd.conf
182 */
183 static int
184 _verify_passwd_int (const char *username, const char *passwd,
185 char *verifier, char *salt,
186 const gnutls_datum_t * g, const gnutls_datum_t * n)
187 {
188 char _salt[1024];
189 gnutls_datum_t tmp, raw_salt, new_verifier;
190 size_t salt_size;
191 char *pos;
192
193 if (salt == NULL || verifier == NULL)
194 return -1;
195
196 /* copy salt, and null terminate after the ':' */
197 strcpy (_salt, salt);
198 pos = strchr (_salt, ':');
199 if (pos != NULL)
200 *pos = 0;
201
202 /* convert salt to binary. */
203 tmp.data = _salt;
204 tmp.size = strlen (_salt);
205
206 if (gnutls_srp_base64_decode_alloc (&tmp, &raw_salt) < 0)
207 {
208 fprintf (stderr, "Could not decode salt.\n");
209 return -1;
210 }
211
212 if (gnutls_srp_verifier
213 (username, passwd, &raw_salt, g, n, &new_verifier) < 0)
214 {
215 fprintf (stderr, "Could not make the verifier\n");
216 return -1;
217 }
218
219 free (raw_salt.data);
220
221 /* encode the verifier into _salt */
222 salt_size = sizeof (_salt);
223 if (gnutls_srp_base64_encode (&new_verifier, _salt, &salt_size) < 0)
224 {
225 fprintf (stderr, "Encoding error\n");
226 return -1;
227 }
228
229 free (new_verifier.data);
230
231 if (strncmp (verifier, _salt, strlen (_salt)) == 0)
232 {
233 fprintf (stderr, "Password verified\n");
234 return 0;
235 }
236 else
237 {
238 fprintf (stderr, "Password does NOT match\n");
239 }
240 return -1;
241 }
242
243 static int
244 filecopy (char *src, char *dst)
245 {
246 FILE *fd, *fd2;
247 char line[5 * 1024];
248 char *p;
249
250 fd = fopen (dst, "w");
251 if (fd == NULL)
252 {
253 fprintf (stderr, "Cannot open '%s' for write\n", dst);
254 return -1;
255 }
256
257 fd2 = fopen (src, "r");
258 if (fd2 == NULL)
259 {
260 /* empty file */
261 fclose (fd);
262 return 0;
263 }
264
265 line[sizeof (line) - 1] = 0;
266 do
267 {
268 p = fgets (line, sizeof (line) - 1, fd2);
269 if (p == NULL)
270 break;
271
272 fputs (line, fd);
273 }
274 while (1);
275
276 fclose (fd);
277 fclose (fd2);
278
279 return 0;
280 }
281
282 /* accepts password file */
283 static int
284 find_strchr (char *username, char *file)
285 {
286 FILE *fd;
287 char *pos;
288 char line[5 * 1024];
289 unsigned int i;
290
291 fd = fopen (file, "r");
292 if (fd == NULL)
293 {
294 fprintf (stderr, "Cannot open file '%s'\n", file);
295 return -1;
296 }
297
298 while (fgets (line, sizeof (line), fd) != NULL)
299 {
300 /* move to first ':' */
301 i = 0;
302 while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
303 {
304 i++;
305 }
306 if (strncmp (username, line, _MAX (i, strlen (username))) == 0)
307 {
308 /* find the index */
309 pos = strrchr (line, ':');
310 pos++;
311 fclose (fd);
312 return atoi (pos);
313 }
314 }
315
316 fclose (fd);
317 return -1;
318 }
319
320 /* Parses the tpasswd files, in order to verify the given
321 * username/password pair.
322 */
323 int
324 verify_passwd (char *conffile, char *tpasswd, char *username,
325 const char *passwd)
326 {
327 FILE *fd;
328 char line[5 * 1024];
329 unsigned int i;
330 gnutls_datum_t g, n;
331 int iindex;
332 char *p, *pos;
333
334 iindex = find_strchr (username, tpasswd);
335 if (iindex == -1)
336 {
337 fprintf (stderr, "Cannot find '%s' in %s\n", username, tpasswd);
338 return -1;
339 }
340
341 fd = fopen (conffile, "r");
342 if (fd == NULL)
343 {
344 fprintf (stderr, "Cannot find %s\n", conffile);
345 return -1;
346 }
347
348 do
349 {
350 p = fgets (line, sizeof (line) - 1, fd);
351 }
352 while (p != NULL && atoi (p) != iindex);
353
354 if (p == NULL)
355 {
356 fprintf (stderr, "Cannot find entry in %s\n", conffile);
357 return -1;
358 }
359 line[sizeof (line) - 1] = 0;
360
361 fclose (fd);
362
363 if ((iindex = read_conf_values (&g, &n, line)) < 0)
364 {
365 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
366 return -1;
367 }
368
369 fd = fopen (tpasswd, "r");
370 if (fd == NULL)
371 {
372 fprintf (stderr, "Cannot open file '%s'\n", tpasswd);
373 return -1;
374 }
375
376 while (fgets (line, sizeof (line), fd) != NULL)
377 {
378 /* move to first ':'
379 * This is the actual verifier.
380 */
381 i = 0;
382 while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
383 {
384 i++;
385 }
386 if (strncmp (username, line, _MAX (i, strlen (username))) == 0)
387 {
388 char *verifier_pos, *salt_pos;
389
390 pos = strchr (line, ':');
391 fclose (fd);
392 if (pos == NULL)
393 {
394 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
395 return -1;
396 }
397 pos++;
398 verifier_pos = pos;
399
400 /* Move to the salt */
401 pos = strchr (pos, ':');
402 if (pos == NULL)
403 {
404 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
405 return -1;
406 }
407 pos++;
408 salt_pos = pos;
409
410 return _verify_passwd_int (username, passwd,
411 verifier_pos, salt_pos, &g, &n);
412 }
413 }
414
415 fclose (fd);
416 return -1;
417
418 }
419
420 #define KPASSWD "/etc/tpasswd"
421 #define KPASSWD_CONF "/etc/tpasswd.conf"
422
423 int
424 main (int argc, char **argv)
425 {
426 gaainfo info;
427 const char *passwd;
428 int salt, ret;
429 struct passwd *pwd;
430
431 if ((ret = gnutls_global_init ()) < 0)
432 {
433 fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
434 exit (1);
435 }
436
437 #ifdef HAVE_UMASK
438 umask (066);
439 #endif
440
441 if (gaa (argc, argv, &info) != -1)
442 {
443 fprintf (stderr, "Error in the arguments.\n");
444 return -1;
445 }
446
447 salt = info.salt;
448
449 if (info.create_conf != NULL)
450 {
451 return generate_create_conf (info.create_conf);
452 }
453
454 if (info.passwd == NULL)
455 info.passwd = KPASSWD;
456 if (info.passwd_conf == NULL)
457 info.passwd_conf = KPASSWD_CONF;
458
459 if (info.username == NULL)
460 {
461 #ifndef _WIN32
462 pwd = getpwuid (getuid ());
463
464 if (pwd == NULL)
465 {
466 fprintf (stderr, "No such user\n");
467 return -1;
468 }
469
470 info.username = pwd->pw_name;
471 #else
472 fprintf (stderr, "Please specify a user\n");
473 return -1;
474 #endif
475 }
476
477 salt = 16;
478
479 passwd = getpass ("Enter password: ");
480 if (passwd == NULL)
481 {
482 fprintf (stderr, "Please specify a password\n");
483 return -1;
484 }
485
486 /* not ready yet */
487 if (info.verify != 0)
488 {
489 return verify_passwd (info.passwd_conf, info.passwd,
490 info.username, passwd);
491 }
492
493
494 return crypt_int (info.username, passwd, salt,
495 info.passwd_conf, info.passwd, info.index);
496
497 }
498
499 char *
500 _srp_crypt (const char *username, const char *passwd, int salt_size,
501 const gnutls_datum_t * g, const gnutls_datum_t * n)
502 {
503 char salt[128];
504 static char result[1024];
505 gnutls_datum_t dat_salt, txt_salt;
506 gnutls_datum_t verifier, txt_verifier;
507
508 if ((unsigned) salt_size > sizeof (salt))
509 return NULL;
510
511 /* generate the salt
512 */
513 if (gc_nonce (salt, salt_size) != GC_OK)
514 {
515 fprintf (stderr, "Could not create nonce\n");
516 return NULL;
517 }
518
519 dat_salt.data = salt;
520 dat_salt.size = salt_size;
521
522 if (gnutls_srp_verifier (username, passwd, &dat_salt, g, n, &verifier) < 0)
523 {
524 fprintf (stderr, "Error getting verifier\n");
525 return NULL;
526 }
527
528 /* base64 encode the verifier */
529 if (gnutls_srp_base64_encode_alloc (&verifier, &txt_verifier) < 0)
530 {
531 fprintf (stderr, "Error encoding\n");
532 free (verifier.data);
533 return NULL;
534 }
535
536 free (verifier.data);
537
538 if (gnutls_srp_base64_encode_alloc (&dat_salt, &txt_salt) < 0)
539 {
540 fprintf (stderr, "Error encoding\n");
541 return NULL;
542 }
543
544 sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);
545 free (txt_salt.data);
546 free (txt_verifier.data);
547
548 return result;
549
550 }
551
552
553 int
554 crypt_int (const char *username, const char *passwd, int salt_size,
555 char *tpasswd_conf, char *tpasswd, int uindex)
556 {
557 FILE *fd;
558 char *cr;
559 gnutls_datum_t g, n;
560 char line[5 * 1024];
561 char *p, *pp;
562 int iindex;
563 char tmpname[1024];
564
565 fd = fopen (tpasswd_conf, "r");
566 if (fd == NULL)
567 {
568 fprintf (stderr, "Cannot find %s\n", tpasswd_conf);
569 return -1;
570 }
571
572 do
573 { /* find the specified uindex in file */
574 p = fgets (line, sizeof (line) - 1, fd);
575 iindex = atoi (p);
576 }
577 while (p != NULL && iindex != uindex);
578
579 if (p == NULL)
580 {
581 fprintf (stderr, "Cannot find entry in %s\n", tpasswd_conf);
582 return -1;
583 }
584 line[sizeof (line) - 1] = 0;
585
586 fclose (fd);
587 if ((iindex = read_conf_values (&g, &n, line)) < 0)
588 {
589 fprintf (stderr, "Cannot parse conf file '%s'\n", tpasswd_conf);
590 return -1;
591 }
592
593 cr = _srp_crypt (username, passwd, salt_size, &g, &n);
594 if (cr == NULL)
595 {
596 fprintf (stderr, "Cannot _srp_crypt()...\n");
597 return -1;
598 }
599 else
600 {
601 /* delete previous entry */
602 struct stat st;
603 FILE *fd2;
604 int put;
605
606 if (strlen (tpasswd) > sizeof (tmpname) + 5)
607 {
608 fprintf (stderr, "file '%s' is tooooo long\n", tpasswd);
609 return -1;
610 }
611 strcpy (tmpname, tpasswd);
612 strcat (tmpname, ".tmp");
613
614 if (stat (tmpname, &st) != -1)
615 {
616 fprintf (stderr, "file '%s' is locked\n", tpasswd);
617 return -1;
618 }
619
620 if (filecopy (tpasswd, tmpname) != 0)
621 {
622 fprintf (stderr, "Cannot copy '%s' to '%s'\n", tpasswd, tmpname);
623 return -1;
624 }
625
626 fd = fopen (tpasswd, "w");
627 if (fd == NULL)
628 {
629 fprintf (stderr, "Cannot open '%s' for write\n", tpasswd);
630 remove (tmpname);
631 return -1;
632 }
633
634 fd2 = fopen (tmpname, "r");
635 if (fd2 == NULL)
636 {
637 fprintf (stderr, "Cannot open '%s' for read\n", tmpname);
638 remove (tmpname);
639 return -1;
640 }
641
642 put = 0;
643 do
644 {
645 p = fgets (line, sizeof (line) - 1, fd2);
646 if (p == NULL)
647 break;
648
649 pp = strchr (line, ':');
650 if (pp == NULL)
651 continue;
652
653 if (strncmp
654 (p, username,
655 _MAX (strlen (username), (unsigned int) (pp - p))) == 0)
656 {
657 put = 1;
658 fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
659 }
660 else
661 {
662 fputs (line, fd);
663 }
664 }
665 while (1);
666
667 if (put == 0)
668 {
669 fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
670 }
671
672 fclose (fd);
673 fclose (fd2);
674
675 remove (tmpname);
676
677 }
678
679
680 return 0;
681 }
682
683
684
685 /* this function parses tpasswd.conf file. Format is:
686 * int(index):base64(n):base64(g)
687 */
688 static int
689 read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n, char *str)
690 {
691 char *p;
692 int len;
693 int index, ret;
694 gnutls_datum_t dat;
695
696 index = atoi (str);
697
698 p = strrchr (str, ':'); /* we have g */
699 if (p == NULL)
700 {
701 return -1;
702 }
703
704 *p = '\0';
705 p++;
706
707 /* read the generator */
708 len = strlen (p);
709 if (p[len - 1] == '\n')
710 len--;
711
712 dat.data = p;
713 dat.size = len;
714 ret = gnutls_srp_base64_decode_alloc (&dat, g);
715
716 if (ret < 0)
717 {
718 fprintf (stderr, "Decoding error\n");
719 return -1;
720 }
721
722 /* now go for n - modulo */
723 p = strrchr (str, ':'); /* we have n */
724 if (p == NULL)
725 {
726 return -1;
727 }
728
729 *p = '\0';
730 p++;
731
732 dat.data = p;
733 dat.size = strlen (p);
734
735 ret = gnutls_srp_base64_decode_alloc (&dat, n);
736
737 if (ret < 0)
738 {
739 fprintf (stderr, "Decoding error\n");
740 free (g->data);
741 return -1;
742 }
743
744 return index;
745 }
746
747 #endif /* ENABLE_SRP */
Implementation of the SSL/TLS protocol