search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Clean up RPM spec for newer distributions
[clumanager.git] / librhcm / auth_sha1.c
blobf2f1fe5f76fbe7ac4016d6cd7b9f7199d5d53357
1 /*
2 Copyright Red Hat, Inc. 2003
3
4 The Red Hat Cluster Manager API Library is free software; you can
5 redistribute it and/or modify it under the terms of the GNU Lesser
6 General Public License as published by the Free Software Foundation;
7 either version 2.1 of the License, or (at your option) any later
8 version.
9
10 The Red Hat Cluster Manager API Library is distributed in the hope
11 that it will be useful, but WITHOUT ANY WARRANTY; without even the
12 implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
13 PURPOSE. See the GNU Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with this library; if not, write to the Free Software
17 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
18 USA.
19 */
20 /** @file
21 * Very simple challenge-response, based on SHA1 + shared-secret.
22 */
23 #include <sys/mman.h>
24 #include <sys/types.h>
25 #include <stdlib.h>
26 #include <fcntl.h>
27 #include <sha1.h>
28 #include <pthread.h>
29 #include <string.h>
30 #include <errno.h>
31 #include <unistd.h>
32
33 #define KEY_SIZE 20
34
35 static pthread_mutex_t auth_mutex = PTHREAD_MUTEX_INITIALIZER;
36 static SHA1_CTX auth_sha1_ctx;
37 static int urfd = -1;
38 #if 0
39 static int rfd = -1;
40 static char __rdata[KEY_SIZE*4];
41 #endif
42
43 typedef struct _random_data {
44 int rd_size;
45 void *rd_data;
46 } random_data_t;
47
48 #ifdef DEBUG
49 #include <stdio.h>
50
51 /**
52 * Dump a buffer of bytes in human-readable hexadecimal to output.
53 *
54 * @param buf Buffer to dump
55 * @param len Length of buf
56 */
57 static void
58 hex_dump(char *buf, int len)
59 {
60 int x;
61
62 printf("0x");
63 for(x=0; x<len; x++)
64 printf("%02x", (int)(buf[x]&0x000000ff));
65 }
66 #endif
67
68
69 /**
70 * Mash pseudo random data with real (entropy) random data. This is so we
71 * don't run the system out of entropy when lots of authentication packets
72 * are being sent back and forth.
73 *
74 * @param pd Pseudo random data set.
75 * @param pdsize Pseudo random data set size.
76 * @param rd Random data set (based on system entropy).
77 * @param rdsize Random data set size.
78 */
79 #if 0
80 void
81 mash(char *pd, int psize, char *rd, int rsize)
82 {
83 int x;
84 int start = 0;
85
86 /* Pass 1: Generate pseudorandom start offset */
87 for (x = 0; x < psize; x++)
88 start ^= (int)(pd[x]&0xff);
89 start %= (rsize - psize + 1);
90 read(rfd, rd + (start % rsize), 1);
91
92 /*
93 * Pass 2: XOR pseudo w/ random data starting
94 * at pseudorandom offset...
95 */
96 for (x = 0; x < psize; x++)
97 pd[x] ^= rd[x+start];
98 }
99 #endif
100
101
102 /**
103 * Fudge random data based on /dev/urandom and previously
104 * read-in data from /dev/random.
105 *
106 * @param data random_data_t info to initialize.
107 * @param size Size of buffer (or amount to fill).
108 * @return -1 on failure; 0 on success.
109 */
110 static int
111 alloc_random_data(random_data_t *data, int size)
112 {
113 pthread_mutex_lock(&auth_mutex);
114 #if 0
115 if (rfd == -1) {
116 rfd = open("/dev/random", O_RDONLY);
117 if (rfd == -1) {
118 pthread_mutex_unlock(&auth_mutex);
119 return -1;
120 }
121 read(rfd, __rdata, sizeof(__rdata));
122 }
123 #endif
124
125 if (urfd == -1) {
126 urfd = open("/dev/urandom", O_RDONLY);
127 if (urfd == -1) {
128 #if 0
129 close(rfd);
130 rfd = -1;
131 #endif
132 pthread_mutex_unlock(&auth_mutex);
133 return -1;
134 }
135 pthread_mutex_unlock(&auth_mutex);
136 }
137
138 data->rd_size = size;
139 data->rd_data = malloc(size);
140 pthread_mutex_unlock(&auth_mutex);
141
142 if (!data->rd_data)
143 return -1;
144
145 if (size > 0) {
146 /* Kind of depends on cryptographic strength
147 of /dev/urandom this way */
148 read(urfd, (char *)(data->rd_data), size);
149 #if 0
150 mash((char *)data->rd_data, size, __rdata,
151 sizeof(__rdata));
152 #endif
153 }
154 return 0;
155 }
156
157
158 /**
159 * Munmap/free data stored in a random_data_t structure.
160 *
161 * @param data random_data_t to clear out.
162 */
163 static void
164 free_random_data(random_data_t *data)
165 {
166 free(data->rd_data);
167 }
168
169
170 /**
171 * Initialize our global SHA1 context.
172 *
173 * @param key Key we're starting with.
174 * @param keylen Length of our key.
175 * @return 0
176 */
177 int
178 auth_sha1_init(char *key, size_t keylen)
179 {
180 pthread_mutex_lock(&auth_mutex);
181 SHA1Init(&auth_sha1_ctx);
182
183 if (key && keylen)
184 SHA1Update(&auth_sha1_ctx, (uint8_t *)key, keylen);
185
186 pthread_mutex_unlock(&auth_mutex);
187 return 0;
188 }
189
190
191 /**
192 * Close our /dev/random FD & clear up our SHA1 Context.
193 */
194 int
195 auth_sha1_deinit(void)
196 {
197 pthread_mutex_lock(&auth_mutex);
198 #if 0
199 if (rfd != -1) {
200 close(rfd);
201 rfd = -1;
202 }
203 #endif
204 if (urfd != -1) {
205 close(urfd);
206 urfd = -1;
207 }
208 SHA1Init(&auth_sha1_ctx);
209 pthread_mutex_unlock(&auth_mutex);
210 return 0;
211 }
212
213
214 /**
215 * Issue SHA1 challenge. We basically just send some number of bytes read
216 * from /dev/random to the specified file descriptor. After we're done, we
217 * update a copy of our global key-SHA1 context, and compare what the
218 * client sends back with what we expect it to send back, based on our
219 * view of the secret key. If the client sends back the proper message,
220 * we report 'success'; otherwise, 'permission denied'.
221 *
222 * @param fd File descriptor to authenticate.
223 * @return -1 on fail/not authentic, 0 on success/authentic
224 */
225 int
226 auth_sha1_challenge(int fd)
227 {
228 int remain = KEY_SIZE, n;
229 uint8_t expected_sha1[20], client_sha1[20];
230 char *p, reply = 0;
231 random_data_t challenge_data;
232 SHA1_CTX ch_ctx;
233 struct timeval tv;
234 fd_set rfds;
235
236 pthread_mutex_lock(&auth_mutex);
237 memcpy(&ch_ctx, &auth_sha1_ctx, sizeof(ch_ctx));
238 pthread_mutex_unlock(&auth_mutex);
239
240 /* No random data, no authentication */
241 if (alloc_random_data(&challenge_data, KEY_SIZE) < 0)
242 return -1;
243
244 /* Figure out what we expect to receive */
245 SHA1Update(&ch_ctx, (uint8_t *)challenge_data.rd_data,
246 challenge_data.rd_size);
247 SHA1Final(expected_sha1, &ch_ctx);
248
249 #ifdef DEBUG
250 printf("Issuing challenge: ");
251 hex_dump(challenge_data.rd_data, challenge_data.rd_size);
252 printf("\n");
253 printf("Expecting: ");
254 hex_dump(expected_sha1, 20);
255 printf("\n");
256 #endif
257
258 p = challenge_data.rd_data;
259 while (remain) {
260 n = write(fd, p, remain);
261 if (n == -1) {
262 if (errno == EINTR)
263 continue;
264 free_random_data(&challenge_data);
265 return -1;
266 }
267 if (n == 0) {
268 free_random_data(&challenge_data);
269 return -1;
270 }
271
272 p += n;
273 remain -= n;
274 }
275 free_random_data(&challenge_data);
276
277 tv.tv_sec = 1;
278 tv.tv_usec = 0;
279 remain = KEY_SIZE;
280 #ifdef DEBUG
281 printf("Challenge sent, waiting for response\n");
282 #endif
283
284 p = client_sha1;
285 while (remain && (tv.tv_sec || tv.tv_usec)) {
286 FD_ZERO(&rfds);
287 FD_SET(fd, &rfds);
288
289 n = select(fd+1, &rfds, NULL, NULL, &tv);
290 if (n == -1) {
291 if (errno == EINTR)
292 continue;
293 return -1;
294 }
295 if (n == 0) {
296 errno = ETIMEDOUT;
297 return -1;
298 }
299
300 n = read(fd, p, remain);
301 if (n == -1) {
302 if (errno == EINTR)
303 continue;
304 return -1;
305 }
306 if (n == 0) {
307 errno = EPIPE;
308 return -1;
309 }
310
311 p += n;
312 remain -= n;
313 }
314
315 #ifdef DEBUG
316 printf("Received: ");
317 hex_dump(client_sha1, 20);
318 printf("\n");
319 #endif
320
321 if (remain || memcmp(expected_sha1, client_sha1, 20)) {
322 /* Notify client */
323 reply = (char)(0xff);
324 write(fd, &reply, 1);
325 errno = EACCES;
326 return -1;
327 }
328
329 #ifdef DEBUG
330 printf("Authentication successful\n");
331 #endif
332 write(fd, &reply, 1);
333 return 0;
334 }
335
336
337 /**
338 * Handle an SHA1 challenge from a server. This is generally done
339 * immediately following a connect() call. This handles the challenge
340 * data from the server, updates an SHA1 context based on our "secret"
341 * key, and sends the resulting SHA1 back to the server. If the server
342 * accepts our response, it writes a null byte to us; anything else
343 * is assumed to be a rejection.
344 *
345 * @param fd File descriptor to authenticate.
346 * @return -1 on failure/auth-failed, 0 on success
347 */
348 int
349 auth_sha1(int fd)
350 {
351 int remain = KEY_SIZE, n;
352 char key[KEY_SIZE], *p;
353 char response[20];
354 SHA1_CTX ch_ctx;
355 struct timeval tv;
356 fd_set rfds;
357
358 pthread_mutex_lock(&auth_mutex);
359 memcpy(&ch_ctx, &auth_sha1_ctx, sizeof(ch_ctx));
360 pthread_mutex_unlock(&auth_mutex);
361
362 #ifdef DEBUG
363 printf("Awaiting challenge\n");
364 #endif
365
366 /* Grab the challenge from the server */
367 tv.tv_sec = 5;
368 tv.tv_usec = 0;
369 remain = KEY_SIZE;
370 p = key;
371
372 while (remain && (tv.tv_sec || tv.tv_usec)) {
373 FD_ZERO(&rfds);
374 FD_SET(fd, &rfds);
375
376 n = select(fd+1, &rfds, NULL, NULL, &tv);
377 if (n == -1) {
378 if (errno == EINTR)
379 continue;
380 return -1;
381 }
382 if (n == 0) {
383 errno = ETIMEDOUT;
384 return -1;
385 }
386
387 n = read(fd, p, remain);
388 if (n == -1) {
389 if (errno == EINTR)
390 continue;
391 return -1;
392 }
393 if (n == 0) {
394 errno = EPIPE;
395 return -1;
396 }
397
398 remain -= n;
399 p += n;
400 }
401
402 if (remain)
403 return -1;
404
405 #ifdef DEBUG
406 printf("Received: ");
407 hex_dump(key, KEY_SIZE);
408 printf("\n");
409 #endif
410 /* Build response */
411 SHA1Update(&ch_ctx, (uint8_t *)key, KEY_SIZE);
412 SHA1Final(response, &ch_ctx);
413
414 remain = 20;
415 p = response;
416 while (remain) {
417 n = write(fd, p, remain);
418 if (n == -1) {
419 if (errno == EINTR)
420 continue;
421 return -1;
422 }
423 if (n == 0)
424 return -1;
425
426 p += n;
427 remain -= n;
428 }
429
430 #ifdef DEBUG
431 printf("Responded with: ");
432 hex_dump(response, 20);
433 printf("\n");
434 #endif
435
436 /* wait for reply from server as to whether or not we
437 are authenticated */
438 p = key; /* Reuse */
439 while (tv.tv_sec || tv.tv_usec) {
440 FD_ZERO(&rfds);
441 FD_SET(fd, &rfds);
442
443 n = select(fd+1, &rfds, NULL, NULL, &tv);
444 if (n == -1) {
445 if (errno == EINTR)
446 continue;
447 return -1;
448 }
449 if (n == 0) {
450 errno = ETIMEDOUT;
451 return -1;
452 }
453
454 n = read(fd, p, 1);
455 if (n == -1) {
456 if (errno == EINTR)
457 continue;
458 return -1;
459 }
460 if (n == 0) {
461 errno = EPIPE;
462 return -1;
463 }
464 break;
465 }
466
467 if (*p == 0) {
468 return 0;
469 }
470
471 /* Permission denied */
472 errno = EACCES;
473 return -1;
474 }
475
476
477 #ifdef STANDALONE
478 #include <arpa/inet.h>
479 #include <stdio.h>
480
481 #ifdef SERVER
482 int
483 main(int argc, char **argv)
484 {
485 char buf[256];
486 int fd, newfd, len, flag, pid;
487 struct sockaddr_in sai;
488 fd_set rfds;
489
490 printf("TCP auth_sha1 Echo Server\n");
491 if (argc < 3) {
492 fprintf(stderr,"usage: %s <port> <password>\n", argv[0]);
493 return 1;
494 }
495
496 auth_sha1_init(argv[2], strlen(argv[2]));
497
498 fd = socket(PF_INET, SOCK_STREAM, 0);
499 memset(&sai, 0, sizeof(sai));
500 sai.sin_family = PF_INET;
501 sai.sin_port = htons(atoi(argv[1]));
502 sai.sin_addr.s_addr = htonl(INADDR_ANY);
503
504 flag = 1;
505 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
506 &flag, sizeof(flag));
507
508 if (bind(fd, (struct sockaddr *)&sai, sizeof(sai)) == -1) {
509 perror("bind");
510 return(-1);
511 }
512
513 if (listen(fd, 5) == -1) {
514 perror("listen");
515 return(-1);
516 }
517
518 len = sizeof(sai);
519 while (1) {
520 newfd = accept(fd, (struct sockaddr *)&sai, &len);
521
522 if (newfd == -1) {
523 perror("accept");
524 return(-1);
525 }
526
527 if (auth_sha1_challenge(newfd) == -1) {
528 perror("auth_sha1_challenge");
529 close(newfd);
530 continue;
531 }
532
533 pid = fork();
534 if (pid == 0) {
535 close(fd);
536 break;
537 }
538
539 if (pid == -1) {
540 perror("fork");
541 continue;
542 }
543
544 printf("New Child: PID%d\n", pid);
545 close(newfd);
546 }
547
548 pid = getpid();
549 while(1) {
550 FD_ZERO(&rfds);
551 FD_SET(newfd, &rfds);
552
553 if (select(newfd + 1, &rfds, NULL, NULL, NULL) == 1) {
554 memset(buf,0,sizeof(buf));
555 switch(len = read(newfd, buf, sizeof(buf))) {
556 case 0:
557 printf("[%d] Connection closed by remote host\n",
558 pid);
559 exit(0);
560 case -1:
561 fprintf(stderr, "[%d] read: %s", pid,
562 strerror(errno));
563 return(0);
564 default:
565 write(newfd, buf, len);
566 }
567 }
568 }
569 }
570 #else
571
572 int
573 main(int argc, char **argv)
574 {
575 char buf[256];
576 int fd, len;
577 struct sockaddr_in sai;
578 fd_set rfds;
579
580 printf("TCP auth_sha1 Echo Client\n");
581
582 if (argc < 3) {
583 fprintf(stderr, "usage: %s <port> <password>\n",
584 argv[0]);
585 return 1;
586 }
587
588 auth_sha1_init(argv[2], strlen(argv[2]));
589
590 fd = socket(PF_INET, SOCK_STREAM, 0);
591 memset(&sai, 0, sizeof(sai));
592 sai.sin_family = PF_INET;
593 sai.sin_port = htons(atoi(argv[1]));
594 sai.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
595
596 if (connect(fd, (struct sockaddr *)&sai, sizeof(sai)) == -1) {
597 perror("connect");
598 return(-1);
599 }
600
601 if (auth_sha1(fd) != 0) {
602 perror("auth_sha1");
603 return(-1);
604 }
605
606 printf("Authenticated. Type away.\n");
607 while(1) {
608 FD_ZERO(&rfds);
609 FD_SET(STDIN_FILENO,&rfds);
610 FD_SET(fd,&rfds);
611
612 select(1024, &rfds, NULL, NULL, NULL);
613
614 if (FD_ISSET(STDIN_FILENO,&rfds)) {
615 len = read(STDIN_FILENO, buf, sizeof(buf));
616
617 if (!len) {
618 printf("Connection closed by remote host\n");
619 return(0);
620 }
621
622 if (write(fd, buf, len) == -1) {
623 perror("write");
624 return(-1);
625 }
626 }
627
628 if (FD_ISSET(fd, &rfds)) {
629 memset(buf,0,sizeof(buf));
630 if (read(fd, buf, sizeof(buf)) == -1) {
631 perror("read");
632 return(-1);
633 }
634
635 printf("%s", buf);
636 }
637 }
638
639 return(0);
640 }
641 #endif
642 #endif
Cluster Manager