lib/auth_srp_passwd.c

   1 /*
   2  * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2008, 2010 Free Software
   3  * Foundation, Inc.
   4  *
   5  * Author: Nikos Mavrogiannopoulos
   6  *
   7  * This file is part of GnuTLS.
   8  *
   9  * The GnuTLS is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public License
  11  * as published by the Free Software Foundation; either version 2.1 of
  12  * the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public
  20  * License along with this library; if not, write to the Free Software
  21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  22  * USA
  23  *
  24  */
  25
  26 /* Functions for operating in an SRP passwd file are included here */
  27
  28 #include <gnutls_int.h>
  29
  30 #ifdef ENABLE_SRP
  31
  32 #include "x509_b64.h"
  33 #include "gnutls_errors.h"
  34 #include <auth_srp_passwd.h>
  35 #include "auth_srp.h"
  36 #include "gnutls_auth.h"
  37 #include "gnutls_srp.h"
  38 #include "gnutls_dh.h"
  39 #include "debug.h"
  40 #include <gnutls_str.h>
  41 #include <gnutls_datum.h>
  42 #include <gnutls_num.h>
  43 #include <random.h>
  44
  45 static int _randomize_pwd_entry (SRP_PWD_ENTRY * entry);
  46
  47 /* this function parses tpasswd.conf file. Format is:
  48  * string(username):base64(v):base64(salt):int(index)
  49  */
  50 static int
  51 pwd_put_values (SRP_PWD_ENTRY * entry, char *str)
  52 {
  53   char *p;
  54   int len, ret;
  55   opaque *verifier;
  56   size_t verifier_size;
  57   int indx;
  58
  59   p = strrchr (str, ':');       /* we have index */
  60   if (p == NULL)
  61     {
  62       gnutls_assert ();
  63       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
  64     }
  65
  66   *p = '\0';
  67   p++;
  68
  69   indx = atoi (p);
  70   if (indx == 0)
  71     {
  72       gnutls_assert ();
  73       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
  74     }
  75
  76   /* now go for salt */
  77   p = strrchr (str, ':');       /* we have salt */
  78   if (p == NULL)
  79     {
  80       gnutls_assert ();
  81       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
  82     }
  83
  84   *p = '\0';
  85   p++;
  86
  87   len = strlen (p);
  88
  89   entry->salt.size = _gnutls_sbase64_decode (p, len, &entry->salt.data);
  90
  91   if (entry->salt.size <= 0)
  92     {
  93       gnutls_assert ();
  94       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
  95     }
  96
  97   /* now go for verifier */
  98   p = strrchr (str, ':');       /* we have verifier */
  99   if (p == NULL)
 100     {
 101       _gnutls_free_datum (&entry->salt);
 102       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 103     }
 104
 105   *p = '\0';
 106   p++;
 107
 108   len = strlen (p);
 109   ret = _gnutls_sbase64_decode (p, len, &verifier);
 110   if (ret <= 0)
 111     {
 112       gnutls_assert ();
 113       _gnutls_free_datum (&entry->salt);
 114       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 115     }
 116
 117   verifier_size = ret;
 118   entry->v.data = verifier;
 119   entry->v.size = verifier_size;
 120
 121   /* now go for username */
 122   *p = '\0';
 123
 124   entry->username = gnutls_strdup (str);
 125   if (entry->username == NULL)
 126     {
 127       _gnutls_free_datum (&entry->salt);
 128       _gnutls_free_datum (&entry->v);
 129       gnutls_assert ();
 130       return GNUTLS_E_MEMORY_ERROR;
 131     }
 132
 133   return indx;
 134 }
 135
 136
 137 /* this function parses tpasswd.conf file. Format is:
 138  * int(index):base64(n):int(g)
 139  */
 140 static int
 141 pwd_put_values2 (SRP_PWD_ENTRY * entry, char *str)
 142 {
 143   char *p;
 144   int len;
 145   opaque *tmp;
 146   int ret;
 147
 148   p = strrchr (str, ':');       /* we have g */
 149   if (p == NULL)
 150     {
 151       gnutls_assert ();
 152       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 153     }
 154
 155   *p = '\0';
 156   p++;
 157
 158   /* read the generator */
 159   len = strlen (p);
 160   if (p[len - 1] == '\n' || p[len - 1] == ' ')
 161     len--;
 162   ret = _gnutls_sbase64_decode (p, len, &tmp);
 163
 164   if (ret < 0)
 165     {
 166       gnutls_assert ();
 167       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 168     }
 169
 170   entry->g.data = tmp;
 171   entry->g.size = ret;
 172
 173   /* now go for n - modulo */
 174   p = strrchr (str, ':');       /* we have n */
 175   if (p == NULL)
 176     {
 177       _gnutls_free_datum (&entry->g);
 178       gnutls_assert ();
 179       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 180     }
 181
 182   *p = '\0';
 183   p++;
 184
 185   len = strlen (p);
 186   ret = _gnutls_sbase64_decode (p, len, &tmp);
 187
 188   if (ret < 0)
 189     {
 190       gnutls_assert ();
 191       _gnutls_free_datum (&entry->g);
 192       return GNUTLS_E_SRP_PWD_PARSING_ERROR;
 193     }
 194
 195   entry->n.data = tmp;
 196   entry->n.size = ret;
 197
 198   return 0;
 199 }
 200
 201
 202 /* this function opens the tpasswd.conf file and reads the g and n
 203  * values. They are put in the entry.
 204  */
 205 static int
 206 pwd_read_conf (const char *pconf_file, SRP_PWD_ENTRY * entry, int idx)
 207 {
 208   FILE *fd;
 209   char line[2 * 1024];
 210   unsigned i, len;
 211   char indexstr[10];
 212
 213   snprintf (indexstr, sizeof(indexstr), "%u", (unsigned int)idx);
 214
 215   fd = fopen (pconf_file, "r");
 216   if (fd == NULL)
 217     {
 218       gnutls_assert ();
 219       return GNUTLS_E_FILE_ERROR;
 220     }
 221
 222   len = strlen (indexstr);
 223   while (fgets (line, sizeof (line), fd) != NULL)
 224     {
 225       /* move to first ':' */
 226       i = 0;
 227       while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
 228         {
 229           i++;
 230         }
 231       if (strncmp (indexstr, line, MAX (i, len)) == 0)
 232         {
 233           if ((idx = pwd_put_values2 (entry, line)) >= 0)
 234             return 0;
 235           else
 236             {
 237               return GNUTLS_E_SRP_PWD_ERROR;
 238             }
 239         }
 240     }
 241   return GNUTLS_E_SRP_PWD_ERROR;
 242
 243 }
 244
 245 int
 246 _gnutls_srp_pwd_read_entry (gnutls_session_t state, char *username,
 247                             SRP_PWD_ENTRY ** _entry)
 248 {
 249   gnutls_srp_server_credentials_t cred;
 250   FILE *fd;
 251   char line[2 * 1024];
 252   unsigned i, len;
 253   int ret;
 254   int idx, last_idx;
 255   SRP_PWD_ENTRY *entry;
 256
 257   *_entry = gnutls_calloc (1, sizeof (SRP_PWD_ENTRY));
 258   if (*_entry == NULL)
 259     {
 260       gnutls_assert ();
 261       return GNUTLS_E_MEMORY_ERROR;
 262     }
 263   entry = *_entry;
 264
 265   cred = (gnutls_srp_server_credentials_t)
 266     _gnutls_get_cred (state->key, GNUTLS_CRD_SRP, NULL);
 267   if (cred == NULL)
 268     {
 269       gnutls_assert ();
 270       _gnutls_srp_entry_free (entry);
 271       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 272     }
 273
 274   /* if the callback which sends the parameters is
 275    * set, use it.
 276    */
 277   if (cred->pwd_callback != NULL)
 278     {
 279       ret = cred->pwd_callback (state, username, &entry->salt,
 280                                 &entry->v, &entry->g, &entry->n);
 281
 282       if (ret == 1)
 283         {                       /* the user does not exist */
 284           if (entry->g.size != 0 && entry->n.size != 0)
 285             {
 286               ret = _randomize_pwd_entry (entry);
 287               if (ret < 0)
 288                 {
 289                   gnutls_assert ();
 290                   _gnutls_srp_entry_free (entry);
 291                   return ret;
 292                 }
 293               return 0;
 294             }
 295           else
 296             {
 297               gnutls_assert ();
 298               ret = -1;         /* error in the callback */
 299             }
 300         }
 301
 302       if (ret < 0)
 303         {
 304           gnutls_assert ();
 305           _gnutls_srp_entry_free (entry);
 306           return GNUTLS_E_SRP_PWD_ERROR;
 307         }
 308
 309       return 0;
 310     }
 311
 312   /* The callback was not set. Proceed.
 313    */
 314
 315   if (cred->password_file == NULL)
 316     {
 317       gnutls_assert ();
 318       return GNUTLS_E_SRP_PWD_ERROR;
 319     }
 320
 321   /* Open the selected password file.
 322    */
 323   fd = fopen (cred->password_file, "r");
 324   if (fd == NULL)
 325     {
 326       gnutls_assert ();
 327       _gnutls_srp_entry_free (entry);
 328       return GNUTLS_E_SRP_PWD_ERROR;
 329     }
 330
 331   last_idx = 1;                 /* a default value */
 332
 333   len = strlen (username);
 334   while (fgets (line, sizeof (line), fd) != NULL)
 335     {
 336       /* move to first ':' */
 337       i = 0;
 338       while ((line[i] != ':') && (line[i] != '\0') && (i < sizeof (line)))
 339         {
 340           i++;
 341         }
 342
 343       if (strncmp (username, line, MAX (i, len)) == 0)
 344         {
 345           if ((idx = pwd_put_values (entry, line)) >= 0)
 346             {
 347               /* Keep the last index in memory, so we can retrieve fake parameters (g,n)
 348                * when the user does not exist.
 349                */
 350               /* XXX: last_idx will not be read as both if block branches return. */
 351               last_idx = idx;
 352               if (pwd_read_conf (cred->password_conf_file, entry, idx) == 0)
 353                 {
 354                   return 0;
 355                 }
 356               else
 357                 {
 358                   gnutls_assert ();
 359                   _gnutls_srp_entry_free (entry);
 360                   return GNUTLS_E_SRP_PWD_ERROR;
 361                 }
 362             }
 363           else
 364             {
 365               gnutls_assert ();
 366               _gnutls_srp_entry_free (entry);
 367               return GNUTLS_E_SRP_PWD_ERROR;
 368             }
 369         }
 370     }
 371
 372   /* user was not found. Fake him. Actually read the g,n values from
 373    * the last index found and randomize the entry.
 374    */
 375   if (pwd_read_conf (cred->password_conf_file, entry, last_idx) == 0)
 376     {
 377       ret = _randomize_pwd_entry (entry);
 378       if (ret < 0)
 379         {
 380           gnutls_assert ();
 381           _gnutls_srp_entry_free (entry);
 382           return ret;
 383         }
 384
 385       return 0;
 386     }
 387
 388   gnutls_assert ();
 389   _gnutls_srp_entry_free (entry);
 390   return GNUTLS_E_SRP_PWD_ERROR;
 391
 392 }
 393
 394 /* Randomizes the given password entry. It actually sets the verifier
 395  * and the salt. Returns 0 on success.
 396  */
 397 static int
 398 _randomize_pwd_entry (SRP_PWD_ENTRY * entry)
 399 {
 400   unsigned char rnd;
 401   int ret;
 402
 403   if (entry->g.size == 0 || entry->n.size == 0)
 404     {
 405       gnutls_assert ();
 406       return GNUTLS_E_INTERNAL_ERROR;
 407     }
 408
 409   ret = _gnutls_rnd (GNUTLS_RND_NONCE, &rnd, 1);
 410   if (ret < 0)
 411     {
 412       gnutls_assert ();
 413       return ret;
 414     }
 415
 416   entry->salt.size = (rnd % 10) + 9;
 417
 418   entry->v.data = gnutls_malloc (20);
 419   entry->v.size = 20;
 420   if (entry->v.data == NULL)
 421     {
 422       gnutls_assert ();
 423       return GNUTLS_E_MEMORY_ERROR;
 424     }
 425
 426   ret = _gnutls_rnd (GNUTLS_RND_RANDOM, entry->v.data, 20);
 427   if (ret < 0)
 428     {
 429       gnutls_assert ();
 430       return ret;
 431     }
 432
 433   entry->salt.data = gnutls_malloc (entry->salt.size);
 434   if (entry->salt.data == NULL)
 435     {
 436       gnutls_assert ();
 437       return GNUTLS_E_MEMORY_ERROR;
 438     }
 439
 440   ret = _gnutls_rnd (GNUTLS_RND_NONCE, entry->salt.data, entry->salt.size);
 441   if (ret < 0)
 442     {
 443       gnutls_assert ();
 444       return ret;
 445     }
 446
 447   return 0;
 448 }
 449
 450 /* Free all the entry parameters, except if g and n are
 451  * the static ones defined in extra.h
 452  */
 453 void
 454 _gnutls_srp_entry_free (SRP_PWD_ENTRY * entry)
 455 {
 456   _gnutls_free_datum (&entry->v);
 457   _gnutls_free_datum (&entry->salt);
 458
 459   if (entry->g.data != gnutls_srp_1024_group_generator.data)
 460     _gnutls_free_datum (&entry->g);
 461
 462   if (entry->n.data != gnutls_srp_1024_group_prime.data &&
 463       entry->n.data != gnutls_srp_1536_group_prime.data &&
 464       entry->n.data != gnutls_srp_2048_group_prime.data)
 465     _gnutls_free_datum (&entry->n);
 466
 467   gnutls_free (entry->username);
 468   gnutls_free (entry);
 469 }
 470
 471
 472 #endif /* ENABLE SRP */