summary
history
branches
tags
files
/common/auth.c
/* Blerg is (C) 2011 The Dominion of Awesome, and is distributed under a
 * BSD-style license.  Please see the COPYING file for details.
 */
#include <sys/file.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypto_scrypt.h>
#include "config.h"
#include "configuration.h"
#include "database.h"
#include "auth.h"
#include "util.h"
#include "stringring.h"
#include "md5.h"

int auth_set_password(const char *username, const char *password) {
	char filename[FILENAME_MAX];
	struct auth_v2 auth;
	int fd, n, r;

	if (!valid_name(username) || !blerg_exists(username))
		return 0;

	n = strlen(password);
	if (n > MAX_PASSWORD_LENGTH)
		return 0;

	/* Clear the auth structure */
	memset(&auth, 0, sizeof(struct auth_v2));

	/* Set the auth version */
	auth.header.version = 2;

	/* Gather some salt */
	fd = open("/dev/urandom", O_RDONLY);
	if (fd == -1) {
		perror("Could not open /dev/urandom");
		return 0;
	}
	read(fd, auth.salt, SCRYPT_SALT_SIZE);
	close(fd);

	r = crypto_scrypt((const uint8_t *)password, n, auth.salt, SCRYPT_SALT_SIZE, SCRYPT_N, SCRYPT_r, SCRYPT_p, auth.password, SCRYPT_OUTPUT_SIZE);
	if (r != 0) {
		fprintf(stderr, "Failure in scrypt for %s\n", username);
		return 0;
	}

	/* Write the data */
	snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
	fd = open(filename, O_WRONLY | O_CREAT, 0600);
	flock(fd, LOCK_EX);
	write(fd, &auth, sizeof(struct auth_v2));
	flock(fd, LOCK_UN);
	close(fd);

	return 1;
}

int auth_get_password_version(const char *username) {
	char filename[FILENAME_MAX];
	int fd;
	char str[4];
	struct auth_header ah;
	int len = 0;

	snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
	if (access(filename, F_OK) == 0) {
		fd = open(filename, O_RDONLY);
		if (fd == -1)
			return -1;
		len = read(fd, &ah, sizeof(struct auth_header));
		close(fd);

		if (len < 0) {
			perror("reading auth file");
			return -1;
		} else if (len < sizeof(struct auth_header)) {
			fprintf(stderr, "Short read on while determining auth version for %s", username);
			return -1;
		}

		return ah.version;
	}

	snprintf(filename, FILENAME_MAX, "%s/%s/password_version", blergconf.data_path, username);
	if (access(filename, F_OK) != 0) {
		return 0;
	}

	fd = open(filename, O_RDONLY);
	if (fd == -1)
		return -1;
	len = read(fd, str, 4);
	close(fd);

	if (len < 0) {
		perror("auth_get_password_version");
		return -1;
	}

	str[len] = 0;

	/* strtol returns zero if there isn't a number */
	return strtol(str, NULL, 10);
}

int auth_get_password(const char *username, char *password) {
	char filename[FILENAME_MAX];
	int fd;
	int read_size;
	int len = 0;

	if (!valid_name(username))
		return 0;

	switch(auth_get_password_version(username)) {
	case 0:
		read_size = MD5_DIGEST_SIZE;
		break;
	case 1:
		read_size = SCRYPT_OUTPUT_SIZE;
		break;
	default:
		return 0;
	}

	snprintf(filename, FILENAME_MAX, "%s/%s/password", blergconf.data_path, username);
	fd = open(filename, O_RDONLY);
	if (fd == -1)
		return 0;
	len = read(fd, password, read_size);
	close(fd);

	if (len < 0) {
		perror("auth_get_password");
		return 0;
	} else if (len < read_size) {
		fprintf(stderr, "Short read getting password\n");
		return 0;
	}

	password[len] = 0;

	return 1;
}

int auth_get_salt(const char *username, uint8_t *salt) {
	char filename[FILENAME_MAX];
	int fd;
	int len = 0;

	if (!valid_name(username))
		return 0;

	snprintf(filename, FILENAME_MAX, "%s/%s/password_salt", blergconf.data_path, username);
	fd = open(filename, O_RDONLY);
	if (fd == -1)
		return 0;
	len = read(fd, salt, SCRYPT_SALT_SIZE);
	close(fd);

	if (len < 0) {
		perror("auth_get_salt");
		return 0;
	} else if (len < SCRYPT_SALT_SIZE) {
		fprintf(stderr, "Short read getting salt\n");
		return 0;
	}

	return 1;
}

int auth_check_password_v0(const char *username, const char *password) {
	char epw[MD5_DIGEST_SIZE + 1];
	char givenpw[MD5_DIGEST_SIZE];
	struct MD5Context ctx;

	if (auth_get_password(username, epw) == 0)
		return 0;

	MD5Init(&ctx);
	MD5Update(&ctx, username, strlen(username));
	MD5Update(&ctx, password, strlen(password));
	MD5Final((unsigned char *)givenpw, &ctx);

	if (strncmp(givenpw, epw, MD5_DIGEST_SIZE) == 0)
		return 1;
	else
		return 0;
}

int auth_get_data(const char *username, void *data, size_t data_len) {
	char filename[FILENAME_MAX];
	int fd;
	int len = 0;

	if (!valid_name(username))
		return 0;

	snprintf(filename, FILENAME_MAX, "%s/%s/auth", blergconf.data_path, username);
	fd = open(filename, O_RDONLY);
	if (fd == -1)
		return 0;
	flock(fd, LOCK_SH);
	len = read(fd, data, data_len);
	flock(fd, LOCK_UN);
	close(fd);

	if (len < 0) {
		perror("auth_get_data");
		return 0;
	} else if (len < data_len) {
		fprintf(stderr, "Short read getting auth data\n");
		return 0;
	}

	return 1;
}

int auth_check_scrypt(struct auth_v2 *auth, const char *username, const char *password) {
	unsigned char givenpw[SCRYPT_OUTPUT_SIZE];
	int r;

	r = crypto_scrypt((const uint8_t *)password, strlen(password), auth->salt, SCRYPT_SALT_SIZE, SCRYPT_N, SCRYPT_r, SCRYPT_p, givenpw, SCRYPT_OUTPUT_SIZE);
	if (r != 0) {
		fprintf(stderr, "Failure in scrypt for %s\n", username);
		return 0;
	}

	if (memcmp(givenpw, auth->password, SCRYPT_OUTPUT_SIZE) == 0)
		return 1;
	else
		return 0;
}

int auth_check_password_v1(const char *username, const char *password) {
	struct auth_v2 auth;

	if (auth_get_password(username, (char *)auth.password) == 0)
		return 0;

	if (auth_get_salt(username, auth.salt) == 0)
		return 0;

	return auth_check_scrypt(&auth, username, password);
}

int auth_check_password_v2(const char *username, const char *password) {
	struct auth_v2 auth;

	if (auth_get_data(username, (void *) &auth, sizeof(struct auth_v2)) == 0)
		return 0;

	return auth_check_scrypt(&auth, username, password);
}

int auth_check_password(const char *username, const char *password) {
	int version = auth_get_password_version(username);

	switch(version) {
	case 0:
		if (auth_check_password_v0(username, password)) {
			/* Refresh to the newest version */
			auth_set_password(username, password);
			return 1;
		} else {
			return 0;
		}
		break;
	case 1:
		if (auth_check_password_v1(username, password)) {
			/* Refresh to the newest version */
			auth_set_password(username, password);
			return 1;
		} else {
			return 0;
		}
		break;
	case 2:
		return auth_check_password_v2(username, password);
	}
	fprintf(stderr, "auth_check_password fell through. Bad password version?\n");
	return 0;
}

void hexify(char *dst, char *src, int len) {
	static char hex[] = "0123456789abcdef";
	int i;

	for (i = 0; i < len; i++) {
		dst[i * 2]     = hex[(src[i] & 0xF0) >> 4];
		dst[i * 2 + 1] = hex[src[i] & 0xF];
	}
}

char *create_random_token() {
	char buf[TOKEN_SIZE];
	char *token;
	int rand_fd;

	rand_fd = open("/dev/urandom", O_RDONLY);
	if (rand_fd == -1) {
		perror("Could not open /dev/urandom\n");
		return 0;
	}
	read(rand_fd, buf, TOKEN_SIZE);
	close(rand_fd);

	token = malloc(TOKEN_SIZE * 2 + 1);
	hexify(token, buf, TOKEN_SIZE);
	token[TOKEN_SIZE * 2] = 0;

	return token;
}

char * auth_login(const char *username, const char *password) {
	char filename[FILENAME_MAX];
	struct stringring *sr;
	char *token;


	if (!auth_check_password(username, password))
		return NULL;

	snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
	sr = stringring_open(filename);
	if (sr == NULL) {
		return NULL;
	}
	token = create_random_token();
	if (!stringring_add(sr, token)) {
		free(token);
		stringring_close(sr);
		return NULL;
	}
	stringring_close(sr);

	return token;
}

int auth_logout(const char *username, const char *token) {
	char filename[FILENAME_MAX];
	struct stringring *sr;
	int ret;

	if (!valid_name(username))
		return 0;

	snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
	if (access(filename, F_OK) != 0) {
		return 0;
	}
	sr = stringring_open(filename);
	if (sr == NULL) {
		return 0;
	}
	ret = stringring_remove(sr, token);
	stringring_close(sr);

	return ret;
}

int auth_check_token(const char *username, const char *given_token) {
	char filename[FILENAME_MAX];
	struct stringring *sr;
	int ret;

	snprintf(filename, FILENAME_MAX, "%s/%s/tokens", blergconf.data_path, username);
	if (access(filename, F_OK) != 0) {
		return 0;
	}
	sr = stringring_open(filename);
	if (sr == NULL) {
		return 0;
	}
	ret = (stringring_find(sr, given_token, AUTHENTICATION_TIMEOUT) != -1);
	if (ret == 1) {
		/* Update token timestamp */
		stringring_touch(sr, given_token);
	}
	stringring_close(sr);

	return ret;
}

/* Return a 32-bit integer "counter" that will change when the password is
 * updated.  Used to invalidate password recovery schemes after the password is
 * updated.  Returns the counter in the "counter" argument, and returns
 * true/false on success/failure. */
int auth_get_counter(const char *username, uint32_t *counter) {
	struct auth_v2 auth;
	struct MD5Context ctx;
	uint8_t md5hash[MD5_DIGEST_SIZE];

	if (auth_get_data(username, (void *) &auth, sizeof(struct auth_v2)) == 0)
		return 0;

	/* There's probably going to be some question about using MD5 here.
	 * All I really need is to quickly and repeatably scramble some bits.
	 * MD5 can still do that. */
	MD5Init(&ctx);
	MD5Update(&ctx, auth.password, SCRYPT_OUTPUT_SIZE);
	MD5Update(&ctx, auth.salt, SCRYPT_SALT_SIZE);
	MD5Final((unsigned char *)md5hash, &ctx);

	*counter = ((uint32_t *)md5hash)[0];

	return 1;
}
Generated by Itsy-Gitsy on Fri Feb 14 02:59:38 2025 -0600