1 /* Blerg is (C) 2011 The Dominion of Awesome, and is distributed under a
2 * BSD-style license. Please see the COPYING file for details.
12 #include <crypto_scrypt.h>
14 #include "configuration.h"
18 #include "stringring.h"
21 int auth_set_password(const char *username, const char *password) {
22 char filename[FILENAME_MAX];
26 if (!valid_name(username) || !blerg_exists(username))
30 if (n > MAX_PASSWORD_LENGTH)
33 /* Clear the auth structure */
34 memset(&auth, 0, sizeof(struct auth_v2));
36 /* Set the auth version */
37 auth.header.version = 2;
39 /* Gather some salt */
40 fd = open("/dev/urandom", O_RDONLY);
42 perror("Could not open /dev/urandom");
45 read(fd, auth.salt, SCRYPT_SALT_SIZE);
48 r = crypto_scrypt((const uint8_t *)password, n, auth.salt, SCRYPT_SALT_SIZE, SCRYPT_N, SCRYPT_r, SCRYPT_p, auth.password, SCRYPT_OUTPUT_SIZE);
50 fprintf(stderr, "Failure in scrypt for %s\n", username);
55 snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
56 fd = open(filename, O_WRONLY | O_CREAT, 0600);
58 write(fd, &auth, sizeof(struct auth_v2));
65 int auth_get_password_version(const char *username) {
66 char filename[FILENAME_MAX];
69 struct auth_header ah;
72 snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
73 if (access(filename, F_OK) == 0) {
74 fd = open(filename, O_RDONLY);
77 len = read(fd, &ah, sizeof(struct auth_header));
81 perror("reading auth file");
83 } else if (len < sizeof(struct auth_header)) {
84 fprintf(stderr, "Short read on while determining auth version for %s", username);
91 snprintf(filename, FILENAME_MAX, "%s/%s/password_version", blergconf.data_path, username);
92 if (access(filename, F_OK) != 0) {
96 fd = open(filename, O_RDONLY);
99 len = read(fd, str, 4);
103 perror("auth_get_password_version");
109 /* strtol returns zero if there isn't a number */
110 return strtol(str, NULL, 10);
113 int auth_get_password(const char *username, char *password) {
114 char filename[FILENAME_MAX];
119 if (!valid_name(username))
122 switch(auth_get_password_version(username)) {
124 read_size = MD5_DIGEST_SIZE;
127 read_size = SCRYPT_OUTPUT_SIZE;
133 snprintf(filename, FILENAME_MAX, "%s/%s/password", blergconf.data_path, username);
134 fd = open(filename, O_RDONLY);
137 len = read(fd, password, read_size);
141 perror("auth_get_password");
143 } else if (len < read_size) {
144 fprintf(stderr, "Short read getting password\n");
153 int auth_get_salt(const char *username, uint8_t *salt) {
154 char filename[FILENAME_MAX];
158 if (!valid_name(username))
161 snprintf(filename, FILENAME_MAX, "%s/%s/password_salt", blergconf.data_path, username);
162 fd = open(filename, O_RDONLY);
165 len = read(fd, salt, SCRYPT_SALT_SIZE);
169 perror("auth_get_salt");
171 } else if (len < SCRYPT_SALT_SIZE) {
172 fprintf(stderr, "Short read getting salt\n");
179 int auth_check_password_v0(const char *username, const char *password) {
180 char epw[MD5_DIGEST_SIZE + 1];
181 char givenpw[MD5_DIGEST_SIZE];
182 struct MD5Context ctx;
184 if (auth_get_password(username, epw) == 0)
188 MD5Update(&ctx, username, strlen(username));
189 MD5Update(&ctx, password, strlen(password));
190 MD5Final((unsigned char *)givenpw, &ctx);
192 if (strncmp(givenpw, epw, MD5_DIGEST_SIZE) == 0)
198 int auth_get_data(const char *username, void *data, size_t data_len) {
199 char filename[FILENAME_MAX];
203 if (!valid_name(username))
206 snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
207 fd = open(filename, O_RDONLY);
211 len = read(fd, data, data_len);
216 perror("auth_get_data");
218 } else if (len < data_len) {
219 fprintf(stderr, "Short read getting auth data\n");
226 int auth_check_scrypt(struct auth_v2 *auth, const char *username, const char *password) {
227 unsigned char givenpw[SCRYPT_OUTPUT_SIZE];
230 r = crypto_scrypt((const uint8_t *)password, strlen(password), auth->salt, SCRYPT_SALT_SIZE, SCRYPT_N, SCRYPT_r, SCRYPT_p, givenpw, SCRYPT_OUTPUT_SIZE);
232 fprintf(stderr, "Failure in scrypt for %s\n", username);
236 if (memcmp(givenpw, auth->password, SCRYPT_OUTPUT_SIZE) == 0)
242 int auth_check_password_v1(const char *username, const char *password) {
245 if (auth_get_password(username, (char *)auth.password) == 0)
248 if (auth_get_salt(username, auth.salt) == 0)
251 return auth_check_scrypt(&auth, username, password);
254 int auth_check_password_v2(const char *username, const char *password) {
257 if (auth_get_data(username, (void *) &auth, sizeof(struct auth_v2)) == 0)
260 return auth_check_scrypt(&auth, username, password);
263 int auth_check_password(const char *username, const char *password) {
264 int version = auth_get_password_version(username);
268 if (auth_check_password_v0(username, password)) {
269 /* Refresh to the newest version */
270 auth_set_password(username, password);
277 if (auth_check_password_v1(username, password)) {
278 /* Refresh to the newest version */
279 auth_set_password(username, password);
286 return auth_check_password_v2(username, password);
288 fprintf(stderr, "auth_check_password fell through. Bad password version?\n");
292 void hexify(char *dst, char *src, int len) {
293 static char hex[] = "0123456789abcdef";
296 for (i = 0; i < len; i++) {
297 dst[i * 2] = hex[(src[i] & 0xF0) >> 4];
298 dst[i * 2 + 1] = hex[src[i] & 0xF];
302 char *create_random_token() {
303 char buf[TOKEN_SIZE];
307 rand_fd = open("/dev/urandom", O_RDONLY);
309 perror("Could not open /dev/urandom\n");
312 read(rand_fd, buf, TOKEN_SIZE);
315 token = malloc(TOKEN_SIZE * 2 + 1);
316 hexify(token, buf, TOKEN_SIZE);
317 token[TOKEN_SIZE * 2] = 0;
322 char * auth_login(const char *username, const char *password) {
323 char filename[FILENAME_MAX];
324 struct stringring *sr;
328 if (!auth_check_password(username, password))
331 snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
332 sr = stringring_open(filename);
336 token = create_random_token();
337 if (!stringring_add(sr, token)) {
339 stringring_close(sr);
342 stringring_close(sr);
347 int auth_logout(const char *username, const char *token) {
348 char filename[FILENAME_MAX];
349 struct stringring *sr;
352 if (!valid_name(username))
355 snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
356 if (access(filename, F_OK) != 0) {
359 sr = stringring_open(filename);
363 ret = stringring_remove(sr, token);
364 stringring_close(sr);
369 int auth_check_token(const char *username, const char *given_token) {
370 char filename[FILENAME_MAX];
371 struct stringring *sr;
374 snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
375 if (access(filename, F_OK) != 0) {
378 sr = stringring_open(filename);
382 ret = (stringring_find(sr, given_token, AUTHENTICATION_TIMEOUT) != -1);
384 /* Update token timestamp */
385 stringring_touch(sr, given_token);
387 stringring_close(sr);
392 /* Return a 32-bit integer "counter" that will change when the password is
393 * updated. Used to invalidate password recovery schemes after the password is
394 * updated. Returns the counter in the "counter" argument, and returns
395 * true/false on success/failure. */
396 int auth_get_counter(const char *username, uint32_t *counter) {
398 struct MD5Context ctx;
399 uint8_t md5hash[MD5_DIGEST_SIZE];
401 if (auth_get_data(username, (void *) &auth, sizeof(struct auth_v2)) == 0)
404 /* There's probably going to be some question about using MD5 here.
405 * All I really need is to quickly and repeatably scramble some bits.
406 * MD5 can still do that. */
408 MD5Update(&ctx, auth.password, SCRYPT_OUTPUT_SIZE);
409 MD5Update(&ctx, auth.salt, SCRYPT_SALT_SIZE);
410 MD5Final((unsigned char *)md5hash, &ctx);
412 *counter = ((uint32_t *)md5hash)[0];
projects / blerg.git / blob