src/srptool.c

   1 /*
   2  * Copyright (C) 2001-2012 Free Software Foundation, Inc.
   3  *
   4  * This file is part of GnuTLS.
   5  *
   6  * GnuTLS is free software: you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * GnuTLS is distributed in the hope that it will be useful, but
  12  * WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include <config.h>
  22
  23 #include <stdio.h>
  24 #include <string.h>
  25 #include <stdlib.h>
  26 #include <gnutls/gnutls.h>
  27 #include <gnutls/crypto.h>      /* for random */
  28
  29 #include <sys/types.h>
  30 #include <sys/stat.h>
  31
  32 #ifndef _WIN32
  33 #include <pwd.h>
  34 #include <unistd.h>
  35 #else
  36 #include <windows.h>
  37 #endif
  38
  39 /* Gnulib portability files. */
  40 #include <getpass.h>
  41 #include <minmax.h>
  42 #include <progname.h>
  43 #include <version-etc.h>
  44
  45 #include <gettext.h>
  46 #include <srptool-args.h>
  47
  48 /* This may need some rewrite. A lot of stuff which should be here
  49  * are in the library, which is not good.
  50  */
  51
  52 int crypt_int (const char *username, const char *passwd, int salt,
  53                const char *tpasswd_conf, const char *tpasswd, int uindex);
  54 static int read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n,
  55                              char *str);
  56 static int _verify_passwd_int (const char *username, const char *passwd,
  57                                char *verifier, const char *salt,
  58                                const gnutls_datum_t * g,
  59                                const gnutls_datum_t * n);
  60
  61 static void
  62 print_num (const char *msg, const gnutls_datum_t * num)
  63 {
  64   unsigned int i;
  65
  66   printf ("%s:\t", msg);
  67
  68   for (i = 0; i < num->size; i++)
  69     {
  70       if (i != 0 && i % 12 == 0)
  71         printf ("\n\t");
  72       else if (i != 0 && i != num->size)
  73         printf (":");
  74       printf ("%.2x", num->data[i]);
  75     }
  76   printf ("\n\n");
  77
  78 }
  79
  80 static int
  81 generate_create_conf (const char *tpasswd_conf)
  82 {
  83   FILE *fd;
  84   char line[5 * 1024];
  85   int index = 1;
  86   gnutls_datum_t g, n;
  87   gnutls_datum_t str_g, str_n;
  88
  89   fd = fopen (tpasswd_conf, "w");
  90   if (fd == NULL)
  91     {
  92       fprintf (stderr, "Cannot open file '%s'\n", tpasswd_conf);
  93       return -1;
  94     }
  95
  96   for (index = 1; index <= 5; index++)
  97     {
  98
  99       if (index == 1)
 100         {
 101           n = gnutls_srp_1024_group_prime;
 102           g = gnutls_srp_1024_group_generator;
 103         }
 104       else if (index == 2)
 105         {
 106           n = gnutls_srp_1536_group_prime;
 107           g = gnutls_srp_1536_group_generator;
 108         }
 109       else if (index == 3)
 110         {
 111           n = gnutls_srp_2048_group_prime;
 112           g = gnutls_srp_2048_group_generator;
 113         }
 114       else if (index == 4)
 115         {
 116           n = gnutls_srp_3072_group_prime;
 117           g = gnutls_srp_3072_group_generator;
 118         }
 119       else if (index == 5)
 120         {
 121           n = gnutls_srp_4096_group_prime;
 122           g = gnutls_srp_4096_group_generator;
 123         }
 124       else
 125         {
 126           fprintf(stderr, "Unknown index: %d\n", index);
 127           return -1;
 128         }
 129
 130       printf ("\nGroup %d, of %d bits:\n", index, n.size * 8);
 131       print_num ("Generator", &g);
 132       print_num ("Prime", &n);
 133
 134       if (gnutls_srp_base64_encode_alloc (&n, &str_n) < 0)
 135         {
 136           fprintf (stderr, "Could not encode\n");
 137           return -1;
 138         }
 139
 140       if (gnutls_srp_base64_encode_alloc (&g, &str_g) < 0)
 141         {
 142           fprintf (stderr, "Could not encode\n");
 143           return -1;
 144         }
 145
 146       sprintf (line, "%d:%s:%s\n", index, str_n.data, str_g.data);
 147
 148       gnutls_free (str_n.data);
 149       gnutls_free (str_g.data);
 150
 151       fwrite (line, 1, strlen (line), fd);
 152
 153     }
 154
 155   fclose (fd);
 156
 157   return 0;
 158
 159 }
 160
 161 /* The format of a tpasswd file is:
 162  * username:verifier:salt:index
 163  *
 164  * index is the index of the prime-generator pair in tpasswd.conf
 165  */
 166 static int
 167 _verify_passwd_int (const char *username, const char *passwd,
 168                     char *verifier, const char *salt,
 169                     const gnutls_datum_t * g, const gnutls_datum_t * n)
 170 {
 171   char _salt[1024];
 172   gnutls_datum_t tmp, raw_salt, new_verifier;
 173   size_t salt_size;
 174   char *pos;
 175
 176   if (salt == NULL || verifier == NULL)
 177     return -1;
 178
 179   if (strlen(salt) >= sizeof(_salt))
 180     {
 181       fprintf (stderr, "Too long salt.\n");
 182       return -1;
 183     }
 184
 185   /* copy salt, and null terminate after the ':' */
 186   strcpy (_salt, salt);
 187   pos = strchr (_salt, ':');
 188   if (pos != NULL)
 189     *pos = 0;
 190
 191   /* convert salt to binary. */
 192   tmp.data = (void*)_salt;
 193   tmp.size = strlen (_salt);
 194
 195   if (gnutls_srp_base64_decode_alloc (&tmp, &raw_salt) < 0)
 196     {
 197       fprintf (stderr, "Could not decode salt.\n");
 198       return -1;
 199     }
 200
 201   if (gnutls_srp_verifier
 202       (username, passwd, &raw_salt, g, n, &new_verifier) < 0)
 203     {
 204       fprintf (stderr, "Could not make the verifier\n");
 205       return -1;
 206     }
 207
 208   free (raw_salt.data);
 209
 210   /* encode the verifier into _salt */
 211   salt_size = sizeof (_salt);
 212   memset (_salt, 0, salt_size);
 213   if (gnutls_srp_base64_encode (&new_verifier, _salt, &salt_size) < 0)
 214     {
 215       fprintf (stderr, "Encoding error\n");
 216       return -1;
 217     }
 218
 219   free (new_verifier.data);
 220
 221   if (strncmp (verifier, _salt, strlen (_salt)) == 0)
 222     {
 223       fprintf (stderr, "Password verified\n");
 224       return 0;
 225     }
 226   else
 227     {
 228       fprintf (stderr, "Password does NOT match\n");
 229     }
 230   return -1;
 231 }
 232
 233 static int
 234 filecopy (const char *src, const char *dst)
 235 {
 236   FILE *fd, *fd2;
 237   char line[5 * 1024];
 238   char *p;
 239
 240   fd = fopen (dst, "w");
 241   if (fd == NULL)
 242     {
 243       fprintf (stderr, "Cannot open '%s' for write\n", dst);
 244       return -1;
 245     }
 246
 247   fd2 = fopen (src, "r");
 248   if (fd2 == NULL)
 249     {
 250       /* empty file */
 251       fclose (fd);
 252       return 0;
 253     }
 254
 255   line[sizeof (line) - 1] = 0;
 256   do
 257     {
 258       p = fgets (line, sizeof (line) - 1, fd2);
 259       if (p == NULL)
 260         break;
 261
 262       fputs (line, fd);
 263     }
 264   while (1);
 265
 266   fclose (fd);
 267   fclose (fd2);
 268
 269   return 0;
 270 }
 271
 272 /* accepts password file */
 273 static int
 274 find_strchr (const char *username, const char *file)
 275 {
 276   FILE *fd;
 277   char *pos;
 278   char line[5 * 1024];
 279   unsigned int i;
 280
 281   fd = fopen (file, "r");
 282   if (fd == NULL)
 283     {
 284       fprintf (stderr, "Cannot open file '%s'\n", file);
 285       return -1;
 286     }
 287
 288   while (fgets (line, sizeof (line), fd) != NULL)
 289     {
 290       /* move to first ':' */
 291       i = 0;
 292       while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
 293         {
 294           i++;
 295         }
 296       if (strncmp (username, line, MAX (i, strlen (username))) == 0)
 297         {
 298           /* find the index */
 299           pos = strrchr (line, ':');
 300           pos++;
 301           fclose (fd);
 302           return atoi (pos);
 303         }
 304     }
 305
 306   fclose (fd);
 307   return -1;
 308 }
 309
 310 /* Parses the tpasswd files, in order to verify the given
 311  * username/password pair.
 312  */
 313 static int
 314 verify_passwd (const char *conffile, const char *tpasswd,
 315                const char *username, const char *passwd)
 316 {
 317   FILE *fd;
 318   char line[5 * 1024];
 319   unsigned int i;
 320   gnutls_datum_t g, n;
 321   int iindex;
 322   char *p, *pos;
 323
 324   iindex = find_strchr (username, tpasswd);
 325   if (iindex == -1)
 326     {
 327       fprintf (stderr, "Cannot find '%s' in %s\n", username, tpasswd);
 328       return -1;
 329     }
 330
 331   fd = fopen (conffile, "r");
 332   if (fd == NULL)
 333     {
 334       fprintf (stderr, "Cannot find %s\n", conffile);
 335       return -1;
 336     }
 337
 338   do
 339     {
 340       p = fgets (line, sizeof (line) - 1, fd);
 341     }
 342   while (p != NULL && atoi (p) != iindex);
 343
 344   if (p == NULL)
 345     {
 346       fprintf (stderr, "Cannot find entry in %s\n", conffile);
 347       return -1;
 348     }
 349   line[sizeof (line) - 1] = 0;
 350
 351   fclose (fd);
 352
 353   if ((iindex = read_conf_values (&g, &n, line)) < 0)
 354     {
 355       fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
 356       return -1;
 357     }
 358
 359   fd = fopen (tpasswd, "r");
 360   if (fd == NULL)
 361     {
 362       fprintf (stderr, "Cannot open file '%s'\n", tpasswd);
 363       return -1;
 364     }
 365
 366   while (fgets (line, sizeof (line), fd) != NULL)
 367     {
 368       /* move to first ':'
 369        * This is the actual verifier.
 370        */
 371       i = 0;
 372       while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
 373         {
 374           i++;
 375         }
 376       if (strncmp (username, line, MAX (i, strlen (username))) == 0)
 377         {
 378           char *verifier_pos, *salt_pos;
 379
 380           pos = strchr (line, ':');
 381           fclose (fd);
 382           if (pos == NULL)
 383             {
 384               fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
 385               return -1;
 386             }
 387           pos++;
 388           verifier_pos = pos;
 389
 390           /* Move to the salt */
 391           pos = strchr (pos, ':');
 392           if (pos == NULL)
 393             {
 394               fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
 395               return -1;
 396             }
 397           pos++;
 398           salt_pos = pos;
 399
 400           return _verify_passwd_int (username, passwd,
 401                                      verifier_pos, salt_pos, &g, &n);
 402         }
 403     }
 404
 405   fclose (fd);
 406   return -1;
 407
 408 }
 409
 410 #define KPASSWD "/etc/tpasswd"
 411 #define KPASSWD_CONF "/etc/tpasswd.conf"
 412
 413 static void
 414 tls_log_func (int level, const char *str)
 415 {
 416   fprintf (stderr, "|<%d>| %s", level, str);
 417 }
 418
 419 int main (int argc, char **argv)
 420 {
 421   const char *passwd;
 422   int salt_size, ret;
 423   int optct;
 424   const char* fpasswd, *fpasswd_conf;
 425   const char* username;
 426 #ifndef _WIN32
 427    struct passwd *pwd;
 428 #endif
 429
 430   set_program_name (argv[0]);
 431
 432   if ((ret = gnutls_global_init ()) < 0)
 433     {
 434       fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
 435       exit (1);
 436     }
 437
 438   umask (066);
 439
 440   optct = optionProcess( &srptoolOptions, argc, argv);
 441   argc -= optct;
 442   argv += optct;
 443
 444   gnutls_global_set_log_function (tls_log_func);
 445   gnutls_global_set_log_level (OPT_VALUE_DEBUG);
 446
 447   if (HAVE_OPT(CREATE_CONF))
 448     {
 449       return generate_create_conf (OPT_ARG(CREATE_CONF));
 450     }
 451
 452   if (HAVE_OPT(PASSWD))
 453     fpasswd = OPT_ARG(PASSWD);
 454   else
 455     fpasswd = (char *) KPASSWD;
 456
 457   if (HAVE_OPT(PASSWD_CONF))
 458     fpasswd_conf = OPT_ARG(PASSWD_CONF);
 459   else
 460     fpasswd_conf = (char *) KPASSWD_CONF;
 461
 462   if (HAVE_OPT(USERNAME))
 463     username = OPT_ARG(USERNAME);
 464   else
 465     {
 466 #ifndef _WIN32
 467       pwd = getpwuid (getuid ());
 468
 469       if (pwd == NULL)
 470         {
 471           fprintf (stderr, "No such user\n");
 472           return -1;
 473         }
 474
 475       username = pwd->pw_name;
 476 #else
 477       fprintf (stderr, "Please specify a user\n");
 478       return -1;
 479 #endif
 480     }
 481
 482   salt_size = 16;
 483
 484   passwd = getpass ("Enter password: ");
 485   if (passwd == NULL)
 486     {
 487       fprintf (stderr, "Please specify a password\n");
 488       return -1;
 489     }
 490
 491 /* not ready yet */
 492   if (HAVE_OPT(VERIFY))
 493     {
 494       return verify_passwd (fpasswd_conf, fpasswd,
 495                             username, passwd);
 496     }
 497
 498
 499   return crypt_int (username, passwd, salt_size,
 500                     fpasswd_conf, fpasswd, VALUE_OPT_INDEX);
 501
 502 }
 503
 504 static char *
 505 _srp_crypt (const char *username, const char *passwd, int salt_size,
 506             const gnutls_datum_t * g, const gnutls_datum_t * n)
 507 {
 508   unsigned char salt[128];
 509   static char result[1024];
 510   gnutls_datum_t dat_salt, txt_salt;
 511   gnutls_datum_t verifier, txt_verifier;
 512
 513   if ((unsigned) salt_size > sizeof (salt))
 514     return NULL;
 515
 516   /* generate the salt
 517    */
 518   if (gnutls_rnd (GNUTLS_RND_NONCE, salt, salt_size) < 0)
 519     {
 520       fprintf (stderr, "Could not create nonce\n");
 521       return NULL;
 522     }
 523
 524   dat_salt.data = salt;
 525   dat_salt.size = salt_size;
 526
 527   if (gnutls_srp_verifier (username, passwd, &dat_salt, g, n, &verifier) < 0)
 528     {
 529       fprintf (stderr, "Error getting verifier\n");
 530       return NULL;
 531     }
 532
 533   /* base64 encode the verifier */
 534   if (gnutls_srp_base64_encode_alloc (&verifier, &txt_verifier) < 0)
 535     {
 536       fprintf (stderr, "Error encoding\n");
 537       free (verifier.data);
 538       return NULL;
 539     }
 540
 541   free (verifier.data);
 542
 543   if (gnutls_srp_base64_encode_alloc (&dat_salt, &txt_salt) < 0)
 544     {
 545       fprintf (stderr, "Error encoding\n");
 546       return NULL;
 547     }
 548
 549   sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);
 550   free (txt_salt.data);
 551   free (txt_verifier.data);
 552
 553   return result;
 554
 555 }
 556
 557
 558 int
 559 crypt_int (const char *username, const char *passwd, int salt_size,
 560            const char *tpasswd_conf, const char *tpasswd, int uindex)
 561 {
 562   FILE *fd;
 563   char *cr;
 564   gnutls_datum_t g, n;
 565   char line[5 * 1024];
 566   char *p, *pp;
 567   int iindex;
 568   char tmpname[1024];
 569
 570   fd = fopen (tpasswd_conf, "r");
 571   if (fd == NULL)
 572     {
 573       fprintf (stderr, "Cannot find %s\n", tpasswd_conf);
 574       return -1;
 575     }
 576
 577   do
 578     {                           /* find the specified uindex in file */
 579       p = fgets (line, sizeof (line) - 1, fd);
 580       iindex = atoi (p);
 581     }
 582   while (p != NULL && iindex != uindex);
 583
 584   if (p == NULL)
 585     {
 586       fprintf (stderr, "Cannot find entry in %s\n", tpasswd_conf);
 587       return -1;
 588     }
 589   line[sizeof (line) - 1] = 0;
 590
 591   fclose (fd);
 592   if ((iindex = read_conf_values (&g, &n, line)) < 0)
 593     {
 594       fprintf (stderr, "Cannot parse conf file '%s'\n", tpasswd_conf);
 595       return -1;
 596     }
 597
 598   cr = _srp_crypt (username, passwd, salt_size, &g, &n);
 599   if (cr == NULL)
 600     {
 601       fprintf (stderr, "Cannot _srp_crypt()...\n");
 602       return -1;
 603     }
 604   else
 605     {
 606       /* delete previous entry */
 607       struct stat st;
 608       FILE *fd2;
 609       int put;
 610
 611       if (strlen (tpasswd) > sizeof (tmpname) + 5)
 612         {
 613           fprintf (stderr, "file '%s' is tooooo long\n", tpasswd);
 614           return -1;
 615         }
 616       strcpy (tmpname, tpasswd);
 617       strcat (tmpname, ".tmp");
 618
 619       if (stat (tmpname, &st) != -1)
 620         {
 621           fprintf (stderr, "file '%s' is locked\n", tpasswd);
 622           return -1;
 623         }
 624
 625       if (filecopy (tpasswd, tmpname) != 0)
 626         {
 627           fprintf (stderr, "Cannot copy '%s' to '%s'\n", tpasswd, tmpname);
 628           return -1;
 629         }
 630
 631       fd = fopen (tpasswd, "w");
 632       if (fd == NULL)
 633         {
 634           fprintf (stderr, "Cannot open '%s' for write\n", tpasswd);
 635           remove (tmpname);
 636           return -1;
 637         }
 638
 639       fd2 = fopen (tmpname, "r");
 640       if (fd2 == NULL)
 641         {
 642           fprintf (stderr, "Cannot open '%s' for read\n", tmpname);
 643           remove (tmpname);
 644           return -1;
 645         }
 646
 647       put = 0;
 648       do
 649         {
 650           p = fgets (line, sizeof (line) - 1, fd2);
 651           if (p == NULL)
 652             break;
 653
 654           pp = strchr (line, ':');
 655           if (pp == NULL)
 656             continue;
 657
 658           if (strncmp (p, username,
 659                        MAX (strlen (username), (unsigned int) (pp - p))) == 0)
 660             {
 661               put = 1;
 662               fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
 663             }
 664           else
 665             {
 666               fputs (line, fd);
 667             }
 668         }
 669       while (1);
 670
 671       if (put == 0)
 672         {
 673           fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
 674         }
 675
 676       fclose (fd);
 677       fclose (fd2);
 678
 679       remove (tmpname);
 680
 681     }
 682
 683
 684   return 0;
 685 }
 686
 687
 688
 689 /* this function parses tpasswd.conf file. Format is:
 690  * int(index):base64(n):base64(g)
 691  */
 692 static int
 693 read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n, char *str)
 694 {
 695   char *p;
 696   int len;
 697   int index, ret;
 698   gnutls_datum_t dat;
 699
 700   index = atoi (str);
 701
 702   p = strrchr (str, ':');       /* we have g */
 703   if (p == NULL)
 704     {
 705       return -1;
 706     }
 707
 708   *p = '\0';
 709   p++;
 710
 711   /* read the generator */
 712   len = strlen (p);
 713   if (p[len - 1] == '\n')
 714     len--;
 715
 716   dat.data = (void*)p;
 717   dat.size = len;
 718   ret = gnutls_srp_base64_decode_alloc (&dat, g);
 719
 720   if (ret < 0)
 721     {
 722       fprintf (stderr, "Decoding error\n");
 723       return -1;
 724     }
 725
 726   /* now go for n - modulo */
 727   p = strrchr (str, ':');       /* we have n */
 728   if (p == NULL)
 729     {
 730       return -1;
 731     }
 732
 733   *p = '\0';
 734   p++;
 735
 736   dat.data = (void*)p;
 737   dat.size = strlen (p);
 738
 739   ret = gnutls_srp_base64_decode_alloc (&dat, n);
 740
 741   if (ret < 0)
 742     {
 743       fprintf (stderr, "Decoding error\n");
 744       free (g->data);
 745       return -1;
 746     }
 747
 748   return index;
 749 }
 750
 751 extern void srptool_version (void);
 752
 753 void
 754 srptool_version (void)
 755 {
 756   const char *p = PACKAGE_NAME;
 757   if (strcmp (gnutls_check_version (NULL), PACKAGE_VERSION) != 0)
 758     p = PACKAGE_STRING;
 759   version_etc (stdout, "srptool", p, gnutls_check_version (NULL),
 760                "Nikos Mavrogiannopoulos", (char *) NULL);
 761 }