search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
upload -> upload-tarballs
[gnutls.git] / src / srptool.c
blob90adfc7767232be918f773aa985a1071562e827b
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22
23 #include <stdio.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <gnutls/gnutls.h>
27 #include <gnutls/crypto.h> /* for random */
28
29 #include <sys/types.h>
30 #include <sys/stat.h>
31
32 #ifndef _WIN32
33 #include <pwd.h>
34 #include <unistd.h>
35 #else
36 #include <windows.h>
37 #endif
38
39 /* Gnulib portability files. */
40 #include <getpass.h>
41 #include <minmax.h>
42 #include <progname.h>
43 #include <version-etc.h>
44
45 #include <srptool-args.h>
46
47 /* This may need some rewrite. A lot of stuff which should be here
48 * are in the library, which is not good.
49 */
50
51 int crypt_int (const char *username, const char *passwd, int salt,
52 const char *tpasswd_conf, const char *tpasswd, int uindex);
53 static int read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n,
54 char *str);
55 static int _verify_passwd_int (const char *username, const char *passwd,
56 char *verifier, const char *salt,
57 const gnutls_datum_t * g,
58 const gnutls_datum_t * n);
59
60 static void
61 print_num (const char *msg, const gnutls_datum_t * num)
62 {
63 unsigned int i;
64
65 printf ("%s:\t", msg);
66
67 for (i = 0; i < num->size; i++)
68 {
69 if (i != 0 && i % 12 == 0)
70 printf ("\n\t");
71 else if (i != 0 && i != num->size)
72 printf (":");
73 printf ("%.2x", num->data[i]);
74 }
75 printf ("\n\n");
76
77 }
78
79 static int
80 generate_create_conf (const char *tpasswd_conf)
81 {
82 FILE *fd;
83 char line[5 * 1024];
84 int index = 1;
85 gnutls_datum_t g, n;
86 gnutls_datum_t str_g, str_n;
87
88 fd = fopen (tpasswd_conf, "w");
89 if (fd == NULL)
90 {
91 fprintf (stderr, "Cannot open file '%s'\n", tpasswd_conf);
92 return -1;
93 }
94
95 for (index = 1; index <= 5; index++)
96 {
97
98 if (index == 1)
99 {
100 n = gnutls_srp_1024_group_prime;
101 g = gnutls_srp_1024_group_generator;
102 }
103 else if (index == 2)
104 {
105 n = gnutls_srp_1536_group_prime;
106 g = gnutls_srp_1536_group_generator;
107 }
108 else if (index == 3)
109 {
110 n = gnutls_srp_2048_group_prime;
111 g = gnutls_srp_2048_group_generator;
112 }
113 else if (index == 4)
114 {
115 n = gnutls_srp_3072_group_prime;
116 g = gnutls_srp_3072_group_generator;
117 }
118 else if (index == 5)
119 {
120 n = gnutls_srp_4096_group_prime;
121 g = gnutls_srp_4096_group_generator;
122 }
123 else
124 {
125 fprintf(stderr, "Unknown index: %d\n", index);
126 return -1;
127 }
128
129 printf ("\nGroup %d, of %d bits:\n", index, n.size * 8);
130 print_num ("Generator", &g);
131 print_num ("Prime", &n);
132
133 if (gnutls_srp_base64_encode_alloc (&n, &str_n) < 0)
134 {
135 fprintf (stderr, "Could not encode\n");
136 return -1;
137 }
138
139 if (gnutls_srp_base64_encode_alloc (&g, &str_g) < 0)
140 {
141 fprintf (stderr, "Could not encode\n");
142 return -1;
143 }
144
145 sprintf (line, "%d:%s:%s\n", index, str_n.data, str_g.data);
146
147 gnutls_free (str_n.data);
148 gnutls_free (str_g.data);
149
150 fwrite (line, 1, strlen (line), fd);
151
152 }
153
154 fclose (fd);
155
156 return 0;
157
158 }
159
160 /* The format of a tpasswd file is:
161 * username:verifier:salt:index
162 *
163 * index is the index of the prime-generator pair in tpasswd.conf
164 */
165 static int
166 _verify_passwd_int (const char *username, const char *passwd,
167 char *verifier, const char *salt,
168 const gnutls_datum_t * g, const gnutls_datum_t * n)
169 {
170 char _salt[1024];
171 gnutls_datum_t tmp, raw_salt, new_verifier;
172 size_t salt_size;
173 char *pos;
174
175 if (salt == NULL || verifier == NULL)
176 return -1;
177
178 if (strlen(salt) >= sizeof(_salt))
179 {
180 fprintf (stderr, "Too long salt.\n");
181 return -1;
182 }
183
184 /* copy salt, and null terminate after the ':' */
185 strcpy (_salt, salt);
186 pos = strchr (_salt, ':');
187 if (pos != NULL)
188 *pos = 0;
189
190 /* convert salt to binary. */
191 tmp.data = (void*)_salt;
192 tmp.size = strlen (_salt);
193
194 if (gnutls_srp_base64_decode_alloc (&tmp, &raw_salt) < 0)
195 {
196 fprintf (stderr, "Could not decode salt.\n");
197 return -1;
198 }
199
200 if (gnutls_srp_verifier
201 (username, passwd, &raw_salt, g, n, &new_verifier) < 0)
202 {
203 fprintf (stderr, "Could not make the verifier\n");
204 return -1;
205 }
206
207 free (raw_salt.data);
208
209 /* encode the verifier into _salt */
210 salt_size = sizeof (_salt);
211 memset (_salt, 0, salt_size);
212 if (gnutls_srp_base64_encode (&new_verifier, _salt, &salt_size) < 0)
213 {
214 fprintf (stderr, "Encoding error\n");
215 return -1;
216 }
217
218 free (new_verifier.data);
219
220 if (strncmp (verifier, _salt, strlen (_salt)) == 0)
221 {
222 fprintf (stderr, "Password verified\n");
223 return 0;
224 }
225 else
226 {
227 fprintf (stderr, "Password does NOT match\n");
228 }
229 return -1;
230 }
231
232 static int
233 filecopy (const char *src, const char *dst)
234 {
235 FILE *fd, *fd2;
236 char line[5 * 1024];
237 char *p;
238
239 fd = fopen (dst, "w");
240 if (fd == NULL)
241 {
242 fprintf (stderr, "Cannot open '%s' for write\n", dst);
243 return -1;
244 }
245
246 fd2 = fopen (src, "r");
247 if (fd2 == NULL)
248 {
249 /* empty file */
250 fclose (fd);
251 return 0;
252 }
253
254 line[sizeof (line) - 1] = 0;
255 do
256 {
257 p = fgets (line, sizeof (line) - 1, fd2);
258 if (p == NULL)
259 break;
260
261 fputs (line, fd);
262 }
263 while (1);
264
265 fclose (fd);
266 fclose (fd2);
267
268 return 0;
269 }
270
271 /* accepts password file */
272 static int
273 find_strchr (const char *username, const char *file)
274 {
275 FILE *fd;
276 char *pos;
277 char line[5 * 1024];
278 unsigned int i;
279
280 fd = fopen (file, "r");
281 if (fd == NULL)
282 {
283 fprintf (stderr, "Cannot open file '%s'\n", file);
284 return -1;
285 }
286
287 while (fgets (line, sizeof (line), fd) != NULL)
288 {
289 /* move to first ':' */
290 i = 0;
291 while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
292 {
293 i++;
294 }
295 if (strncmp (username, line, MAX (i, strlen (username))) == 0)
296 {
297 /* find the index */
298 pos = strrchr (line, ':');
299 pos++;
300 fclose (fd);
301 return atoi (pos);
302 }
303 }
304
305 fclose (fd);
306 return -1;
307 }
308
309 /* Parses the tpasswd files, in order to verify the given
310 * username/password pair.
311 */
312 static int
313 verify_passwd (const char *conffile, const char *tpasswd,
314 const char *username, const char *passwd)
315 {
316 FILE *fd;
317 char line[5 * 1024];
318 unsigned int i;
319 gnutls_datum_t g, n;
320 int iindex;
321 char *p, *pos;
322
323 iindex = find_strchr (username, tpasswd);
324 if (iindex == -1)
325 {
326 fprintf (stderr, "Cannot find '%s' in %s\n", username, tpasswd);
327 return -1;
328 }
329
330 fd = fopen (conffile, "r");
331 if (fd == NULL)
332 {
333 fprintf (stderr, "Cannot find %s\n", conffile);
334 return -1;
335 }
336
337 do
338 {
339 p = fgets (line, sizeof (line) - 1, fd);
340 }
341 while (p != NULL && atoi (p) != iindex);
342
343 if (p == NULL)
344 {
345 fprintf (stderr, "Cannot find entry in %s\n", conffile);
346 return -1;
347 }
348 line[sizeof (line) - 1] = 0;
349
350 fclose (fd);
351
352 if ((iindex = read_conf_values (&g, &n, line)) < 0)
353 {
354 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
355 return -1;
356 }
357
358 fd = fopen (tpasswd, "r");
359 if (fd == NULL)
360 {
361 fprintf (stderr, "Cannot open file '%s'\n", tpasswd);
362 return -1;
363 }
364
365 while (fgets (line, sizeof (line), fd) != NULL)
366 {
367 /* move to first ':'
368 * This is the actual verifier.
369 */
370 i = 0;
371 while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
372 {
373 i++;
374 }
375 if (strncmp (username, line, MAX (i, strlen (username))) == 0)
376 {
377 char *verifier_pos, *salt_pos;
378
379 pos = strchr (line, ':');
380 fclose (fd);
381 if (pos == NULL)
382 {
383 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
384 return -1;
385 }
386 pos++;
387 verifier_pos = pos;
388
389 /* Move to the salt */
390 pos = strchr (pos, ':');
391 if (pos == NULL)
392 {
393 fprintf (stderr, "Cannot parse conf file '%s'\n", conffile);
394 return -1;
395 }
396 pos++;
397 salt_pos = pos;
398
399 return _verify_passwd_int (username, passwd,
400 verifier_pos, salt_pos, &g, &n);
401 }
402 }
403
404 fclose (fd);
405 return -1;
406
407 }
408
409 #define KPASSWD "/etc/tpasswd"
410 #define KPASSWD_CONF "/etc/tpasswd.conf"
411
412 static void
413 tls_log_func (int level, const char *str)
414 {
415 fprintf (stderr, "|<%d>| %s", level, str);
416 }
417
418 int main (int argc, char **argv)
419 {
420 const char *passwd;
421 int salt_size, ret;
422 int optct;
423 const char* fpasswd, *fpasswd_conf;
424 const char* username;
425 #ifndef _WIN32
426 struct passwd *pwd;
427 #endif
428
429 set_program_name (argv[0]);
430
431 if ((ret = gnutls_global_init ()) < 0)
432 {
433 fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
434 exit (1);
435 }
436
437 umask (066);
438
439 optct = optionProcess( &srptoolOptions, argc, argv);
440 argc -= optct;
441 argv += optct;
442
443 gnutls_global_set_log_function (tls_log_func);
444 gnutls_global_set_log_level (OPT_VALUE_DEBUG);
445
446 if (HAVE_OPT(CREATE_CONF))
447 {
448 return generate_create_conf (OPT_ARG(CREATE_CONF));
449 }
450
451 if (HAVE_OPT(PASSWD))
452 fpasswd = OPT_ARG(PASSWD);
453 else
454 fpasswd = (char *) KPASSWD;
455
456 if (HAVE_OPT(PASSWD_CONF))
457 fpasswd_conf = OPT_ARG(PASSWD_CONF);
458 else
459 fpasswd_conf = (char *) KPASSWD_CONF;
460
461 if (HAVE_OPT(USERNAME))
462 username = OPT_ARG(USERNAME);
463 else
464 {
465 #ifndef _WIN32
466 pwd = getpwuid (getuid ());
467
468 if (pwd == NULL)
469 {
470 fprintf (stderr, "No such user\n");
471 return -1;
472 }
473
474 username = pwd->pw_name;
475 #else
476 fprintf (stderr, "Please specify a user\n");
477 return -1;
478 #endif
479 }
480
481 salt_size = 16;
482
483 passwd = getpass ("Enter password: ");
484 if (passwd == NULL)
485 {
486 fprintf (stderr, "Please specify a password\n");
487 return -1;
488 }
489
490 /* not ready yet */
491 if (HAVE_OPT(VERIFY))
492 {
493 return verify_passwd (fpasswd_conf, fpasswd,
494 username, passwd);
495 }
496
497
498 return crypt_int (username, passwd, salt_size,
499 fpasswd_conf, fpasswd, VALUE_OPT_INDEX);
500
501 }
502
503 static char *
504 _srp_crypt (const char *username, const char *passwd, int salt_size,
505 const gnutls_datum_t * g, const gnutls_datum_t * n)
506 {
507 unsigned char salt[128];
508 static char result[1024];
509 gnutls_datum_t dat_salt, txt_salt;
510 gnutls_datum_t verifier, txt_verifier;
511
512 if ((unsigned) salt_size > sizeof (salt))
513 return NULL;
514
515 /* generate the salt
516 */
517 if (gnutls_rnd (GNUTLS_RND_NONCE, salt, salt_size) < 0)
518 {
519 fprintf (stderr, "Could not create nonce\n");
520 return NULL;
521 }
522
523 dat_salt.data = salt;
524 dat_salt.size = salt_size;
525
526 if (gnutls_srp_verifier (username, passwd, &dat_salt, g, n, &verifier) < 0)
527 {
528 fprintf (stderr, "Error getting verifier\n");
529 return NULL;
530 }
531
532 /* base64 encode the verifier */
533 if (gnutls_srp_base64_encode_alloc (&verifier, &txt_verifier) < 0)
534 {
535 fprintf (stderr, "Error encoding\n");
536 free (verifier.data);
537 return NULL;
538 }
539
540 free (verifier.data);
541
542 if (gnutls_srp_base64_encode_alloc (&dat_salt, &txt_salt) < 0)
543 {
544 fprintf (stderr, "Error encoding\n");
545 return NULL;
546 }
547
548 sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);
549 free (txt_salt.data);
550 free (txt_verifier.data);
551
552 return result;
553
554 }
555
556
557 int
558 crypt_int (const char *username, const char *passwd, int salt_size,
559 const char *tpasswd_conf, const char *tpasswd, int uindex)
560 {
561 FILE *fd;
562 char *cr;
563 gnutls_datum_t g, n;
564 char line[5 * 1024];
565 char *p, *pp;
566 int iindex;
567 char tmpname[1024];
568
569 fd = fopen (tpasswd_conf, "r");
570 if (fd == NULL)
571 {
572 fprintf (stderr, "Cannot find %s\n", tpasswd_conf);
573 return -1;
574 }
575
576 do
577 { /* find the specified uindex in file */
578 p = fgets (line, sizeof (line) - 1, fd);
579 iindex = atoi (p);
580 }
581 while (p != NULL && iindex != uindex);
582
583 if (p == NULL)
584 {
585 fprintf (stderr, "Cannot find entry in %s\n", tpasswd_conf);
586 return -1;
587 }
588 line[sizeof (line) - 1] = 0;
589
590 fclose (fd);
591 if ((iindex = read_conf_values (&g, &n, line)) < 0)
592 {
593 fprintf (stderr, "Cannot parse conf file '%s'\n", tpasswd_conf);
594 return -1;
595 }
596
597 cr = _srp_crypt (username, passwd, salt_size, &g, &n);
598 if (cr == NULL)
599 {
600 fprintf (stderr, "Cannot _srp_crypt()...\n");
601 return -1;
602 }
603 else
604 {
605 /* delete previous entry */
606 struct stat st;
607 FILE *fd2;
608 int put;
609
610 if (strlen (tpasswd) > sizeof (tmpname) + 5)
611 {
612 fprintf (stderr, "file '%s' is tooooo long\n", tpasswd);
613 return -1;
614 }
615 strcpy (tmpname, tpasswd);
616 strcat (tmpname, ".tmp");
617
618 if (stat (tmpname, &st) != -1)
619 {
620 fprintf (stderr, "file '%s' is locked\n", tpasswd);
621 return -1;
622 }
623
624 if (filecopy (tpasswd, tmpname) != 0)
625 {
626 fprintf (stderr, "Cannot copy '%s' to '%s'\n", tpasswd, tmpname);
627 return -1;
628 }
629
630 fd = fopen (tpasswd, "w");
631 if (fd == NULL)
632 {
633 fprintf (stderr, "Cannot open '%s' for write\n", tpasswd);
634 remove (tmpname);
635 return -1;
636 }
637
638 fd2 = fopen (tmpname, "r");
639 if (fd2 == NULL)
640 {
641 fprintf (stderr, "Cannot open '%s' for read\n", tmpname);
642 remove (tmpname);
643 return -1;
644 }
645
646 put = 0;
647 do
648 {
649 p = fgets (line, sizeof (line) - 1, fd2);
650 if (p == NULL)
651 break;
652
653 pp = strchr (line, ':');
654 if (pp == NULL)
655 continue;
656
657 if (strncmp (p, username,
658 MAX (strlen (username), (unsigned int) (pp - p))) == 0)
659 {
660 put = 1;
661 fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
662 }
663 else
664 {
665 fputs (line, fd);
666 }
667 }
668 while (1);
669
670 if (put == 0)
671 {
672 fprintf (fd, "%s:%s:%u\n", username, cr, iindex);
673 }
674
675 fclose (fd);
676 fclose (fd2);
677
678 remove (tmpname);
679
680 }
681
682
683 return 0;
684 }
685
686
687
688 /* this function parses tpasswd.conf file. Format is:
689 * int(index):base64(n):base64(g)
690 */
691 static int
692 read_conf_values (gnutls_datum_t * g, gnutls_datum_t * n, char *str)
693 {
694 char *p;
695 int len;
696 int index, ret;
697 gnutls_datum_t dat;
698
699 index = atoi (str);
700
701 p = strrchr (str, ':'); /* we have g */
702 if (p == NULL)
703 {
704 return -1;
705 }
706
707 *p = '\0';
708 p++;
709
710 /* read the generator */
711 len = strlen (p);
712 if (p[len - 1] == '\n')
713 len--;
714
715 dat.data = (void*)p;
716 dat.size = len;
717 ret = gnutls_srp_base64_decode_alloc (&dat, g);
718
719 if (ret < 0)
720 {
721 fprintf (stderr, "Decoding error\n");
722 return -1;
723 }
724
725 /* now go for n - modulo */
726 p = strrchr (str, ':'); /* we have n */
727 if (p == NULL)
728 {
729 return -1;
730 }
731
732 *p = '\0';
733 p++;
734
735 dat.data = (void*)p;
736 dat.size = strlen (p);
737
738 ret = gnutls_srp_base64_decode_alloc (&dat, n);
739
740 if (ret < 0)
741 {
742 fprintf (stderr, "Decoding error\n");
743 free (g->data);
744 return -1;
745 }
746
747 return index;
748 }
749
Implementation of the SSL/TLS protocol