X-Git-Url: http://www.average.org/gitweb/?p=pam_pcsc_cr.git;a=blobdiff_plain;f=authobj.c;h=b402094df224cd13651227c15e47bb9184976343;hp=224cbb56b9df63998bb35ad7db846da77fe4fd95;hb=d22113b275de00c81f31641700f63be826f929dd;hpb=f5144b94c8221f81c6d7520990a7602c3ce2a5a4 diff --git a/authobj.c b/authobj.c index 224cbb5..b402094 100644 --- a/authobj.c +++ b/authobj.c @@ -1,29 +1,47 @@ +/* +Copyright (c) 2013 Eugene Crosser + +This software is provided 'as-is', without any express or implied +warranty. In no event will the authors be held liable for any damages +arising from the use of this software. + +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must + not claim that you wrote the original software. If you use this + software in a product, an acknowledgment in the product documentation + would be appreciated but is not required. + + 2. Altered source versions must be plainly marked as such, and must + not be misrepresented as being the original software. + + 3. This notice may not be removed or altered from any source + distribution. +*/ + #ifdef HAVE_CONFIG_H # include "config.h" #endif #include #include +#include #include #include "serial.h" #include "crypto.h" #include "authobj.h" -#include "pcsc_cr.h" -struct _hash_obj { - const char *err; - unsigned char hash[HASHSIZE]; -}; - -static struct _hash_obj +static struct _auth_chunk make_challenge(const char *uid, const char *pass, const char *nonce) { - struct _hash_obj ho = {0}; + struct _auth_chunk ho = {0}; unsigned long rc; serializer_t srl; int datasize = strlen(uid) + strlen(pass) + strlen(nonce) + 4 * sizeof(short); unsigned char *data = alloca(datasize); - int hashsize = sizeof(ho.hash); + int hashsize = sizeof(ho.data); serial_init(&srl, data, datasize); if (serial_put(&srl, uid, strlen(uid)) != strlen(uid)) { @@ -36,9 +54,9 @@ make_challenge(const char *uid, const char *pass, const char *nonce) ho.err = "challenge: serialization of terminator failed"; } if (!ho.err) { - if ((rc = hash(data, serial_size(&srl), &ho.hash, &hashsize))) { + if ((rc = hash(data, serial_size(&srl), &ho.data, &hashsize))) { ho.err = crypto_errstr(rc); - } else if (hashsize != sizeof(ho.hash)) { + } else if (hashsize != sizeof(ho.data)) { ho.err = "challenge: hash size is wrong"; } } @@ -46,40 +64,56 @@ make_challenge(const char *uid, const char *pass, const char *nonce) return ho; } -static struct _hash_obj -make_key(const unsigned char *challenge, const int challengesize, +static struct _auth_chunk +new_key(const unsigned char *challenge, const int challengesize, const unsigned char *secret, const int secsize) { - struct _hash_obj ho = {0}; + struct _auth_chunk ho = {0}; unsigned long rc; - int keysize = sizeof(ho.hash); + int keysize = sizeof(ho.data); if ((rc = hmac(secret, secsize, challenge, challengesize, - &ho.hash, &keysize))) { + &ho.data, &keysize))) { ho.err = crypto_errstr(rc); - } else if (keysize != sizeof(ho.hash)) { + } else if (keysize != sizeof(ho.data)) { ho.err = "make_key: hash size is wrong"; } return ho; } -static struct _hash_obj -fetch_key(const unsigned char *challenge, const int challengesize) +static struct _auth_chunk +make_key(const char *userid, const char *password, const char *nonce, + const unsigned char *secret, const int secsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) { - struct _hash_obj ho = {0}; - long rc; - int keysize = sizeof(ho.hash); + struct _auth_chunk ho_chal, ho_key = {0}; - if ((rc = pcsc_cr(challenge, challengesize, ho.hash, &keysize))) { - ho.err = pcsc_errstr(rc); + if (!userid || !password || !nonce) { + ho_key.err = "make_key: missing uid, pass or nonce"; + return ho_key; } - return ho; + ho_chal = make_challenge(userid, password, nonce); + if (ho_chal.err) { + ho_key.err = ho_chal.err; + return ho_key; + } + if (secret && secsize) { + ho_key = new_key(ho_chal.data, sizeof(ho_chal.data), + secret, secsize); + } else if (fetch_key) { + ho_key = (*fetch_key)(ho_chal.data, sizeof(ho_chal.data)); + } else { + ho_key.err = "make_key: neither secret nor fetch_key present"; + } + memset(&ho_chal, 0, sizeof(ho_chal)); + return ho_key; } static struct _auth_obj -make_authobj(const unsigned char *key, const int keysize, +make_authobj(const char *userid, const char *password, const char *nonce, const unsigned char *secret, const int secsize, - const unsigned char *payload, const int paysize) + const unsigned char *payload, const int paylsize) { struct _auth_obj ao = {0}; unsigned long rc; @@ -89,17 +123,13 @@ make_authobj(const unsigned char *key, const int keysize, int datahashsize = HASHSIZE; serializer_t srl; - if (keysize < CBLKSIZE) { - ao.err = "make authobj: key too short"; - return ao; - } - datasize = ((secsize + paysize + HASHSIZE + 4 * sizeof(short) - 1) / + datasize = ((secsize + paylsize + HASHSIZE + 4 * sizeof(short) - 1) / CBLKSIZE + 1) * CBLKSIZE; data = alloca(datasize); serial_init(&srl, data, datasize); if (serial_put(&srl, secret, secsize) != secsize) { ao.err = "authobj: serialization of secret failed"; - } else if (serial_put(&srl, payload, paysize) != paysize) { + } else if (serial_put(&srl, payload, paylsize) != paylsize) { ao.err = "authobj: serialization of payload failed"; } else if ((rc = hash(data, serial_size(&srl), datahash, &datahashsize))) { @@ -108,45 +138,54 @@ make_authobj(const unsigned char *key, const int keysize, ao.err = "authobj: serialization of hash failed"; } else if (serial_put(&srl, NULL, 0) != 0) { ao.err = "authobj: serialization of terminator failed"; - } - - if (!ao.err) { + } else { unsigned long lrc; int osize = ((serial_size(&srl) -1) / CBLKSIZE + 1) * CBLKSIZE; + struct _auth_chunk ho_key; - if ((ao.buffer = malloc(osize + paysize)) == NULL) { + ho_key = make_key(userid, password, nonce, + secret, secsize, NULL); + if (ho_key.err) { + ao.err = ho_key.err; + } else if ((ao.buffer = malloc(osize + paylsize)) == NULL) { ao.err = "make authobj: malloc failed"; - } else if ((lrc = encrypt(key, CBLKSIZE, data, + } else if ((lrc = encrypt(ho_key.data, CBLKSIZE, data, ao.buffer, osize))) { ao.err = crypto_errstr(lrc); } else { ao.data = ao.buffer; ao.datasize = osize; - if (payload && paysize) { + if (payload && paylsize) { /* payload passthrough */ ao.payload = ao.data + osize; - memcpy(ao.payload, payload, paysize); - ao.paylsize = paysize; + memcpy(ao.payload, payload, paylsize); + ao.paylsize = paylsize; } } + memset(&ho_key, 0, sizeof(ho_key)); } - memset(data, 0, datasize); return ao; } static struct _auth_obj -parse_authobj(const unsigned char *key, const int keysize, - const unsigned char *buffer, const int bufsize) +parse_authobj(const char *userid, const char *password, const char *nonce, + const unsigned char *secret, const int secsize, + const unsigned char *ablob, const int blobsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) { unsigned long rc; struct _auth_obj ao = {0}; + struct _auth_chunk ho_key; - if (keysize < CBLKSIZE) { - ao.err = "parse authobj: key too short"; - } else if ((ao.buffer = malloc(bufsize)) == NULL) { + ho_key = make_key(userid, password, nonce, secret, secsize, fetch_key); + if (ho_key.err) { + ao.err = ho_key.err; + } else if ((ao.buffer = malloc(blobsize)) == NULL) { ao.err = "parse authobj: malloc failed"; - } else if ((rc = decrypt(key, CBLKSIZE, buffer, ao.buffer, bufsize))) { + } else if ((rc = decrypt(ho_key.data, CBLKSIZE, + ablob, ao.buffer, blobsize))) { ao.err = crypto_errstr(rc); } else { serializer_t srl; @@ -156,7 +195,7 @@ parse_authobj(const unsigned char *key, const int keysize, int theirhsize; unsigned long rc; - serial_init(&srl, ao.buffer, bufsize); + serial_init(&srl, ao.buffer, blobsize); if (serial_get(&srl, (void**)&ao.data, &ao.datasize)) { ao.err = "mismatch: impossible secret"; } else if (serial_get(&srl, (void**)&ao.payload, &ao.paylsize)) { @@ -173,105 +212,62 @@ parse_authobj(const unsigned char *key, const int keysize, ao.err = "mismatch: different hash"; } } + memset(&ho_key, 0, sizeof(ho_key)); return ao; } -struct _auth_obj new_authobj(const char *userid, const char *password, - const char *nonce, - const unsigned char *secret, const int secsize, - const unsigned char *payload, const int paysize) +struct _auth_obj authobj(const char *userid, const char *password, + const char *oldnonce, const char *newnonce, + const unsigned char *secret, const int secsize, + const unsigned char *payload, const int paylsize, + const unsigned char *ablob, const int blobsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) { + const unsigned char *wsecret; + int wsecsize; + const unsigned char *wpayload; + int wpaylsize; + struct _auth_obj old_ao = {0}; struct _auth_obj new_ao = {0}; - struct _hash_obj ho_chal, ho_key; - ho_chal = make_challenge(userid, password, nonce); - if (ho_chal.err) { - new_ao.err = ho_chal.err; - return new_ao; - } - ho_key = make_key(ho_chal.hash, sizeof(ho_chal.hash), secret, secsize); - memset(&ho_chal, 0, sizeof(ho_chal)); - if (ho_key.err) { - new_ao.err = ho_key.err; - return new_ao; + if (!secret || !secsize || !payload) { + old_ao = parse_authobj(userid, password, oldnonce, + secret, secsize, + ablob, blobsize, fetch_key); + if (old_ao.err) { + new_ao.err = old_ao.err; + if (old_ao.buffer) free(old_ao.buffer); + return new_ao; + } else { + if (secret && secsize) { + wsecret = secret; + wsecsize = secsize; + } else { + wsecret = old_ao.data; + wsecsize = old_ao.datasize; + } + if (payload) { + wpayload = payload; + wpaylsize = paylsize; + } else { + wpayload = old_ao.payload; + wpaylsize = old_ao.paylsize; + } + } + } else { + wsecret = secret; + wsecsize = secsize; + wpayload = payload; + wpaylsize = paylsize; } - new_ao = make_authobj(ho_key.hash, sizeof(ho_key.hash), - secret, secsize, payload, paysize); - memset(&ho_key, 0, sizeof(ho_key)); - return new_ao; -} -struct _auth_obj verify_authobj(const char *userid, const char *password, - const char *oldnonce, const char *newnonce, - const unsigned char *authobj, const int authsize) -{ - struct _auth_obj old_ao; - struct _auth_obj new_ao = {0}; - struct _hash_obj ho_chal, ho_key; - - ho_chal = make_challenge(userid, password, oldnonce); - if (ho_chal.err) { - new_ao.err = ho_chal.err; - return new_ao; - } - ho_key = fetch_key(ho_chal.hash, sizeof(ho_chal.hash)); - memset(&ho_chal, 0, sizeof(ho_chal)); - if (ho_key.err) { - new_ao.err = ho_key.err; - return new_ao; - } - old_ao = parse_authobj(ho_key.hash, sizeof(ho_key.hash), - authobj, authsize); - memset(&ho_key, 0, sizeof(ho_key)); - if (old_ao.err) { - new_ao.err = old_ao.err; - if (old_ao.buffer) free(old_ao.buffer); - return new_ao; - } - ho_chal = make_challenge(userid, password, newnonce); - if (ho_chal.err) { - new_ao.err = ho_chal.err; - return new_ao; - } - ho_key = make_key(ho_chal.hash, sizeof(ho_chal.hash), - old_ao.data, old_ao.datasize); - memset(&ho_chal, 0, sizeof(ho_chal)); - if (ho_key.err) { - new_ao.err = ho_key.err; - return new_ao; - } - new_ao = make_authobj(ho_key.hash, sizeof(ho_key.hash), - old_ao.data, old_ao.datasize, - old_ao.payload, old_ao.paylsize); - memset(&ho_key, 0, sizeof(ho_key)); + new_ao = make_authobj(userid, password, newnonce, + wsecret, wsecsize, wpayload, wpaylsize); if (old_ao.data) memset(old_ao.data, 0, old_ao.datasize); if (old_ao.payload) memset(old_ao.payload, 0, old_ao.paylsize); if (old_ao.buffer) free(old_ao.buffer); return new_ao; } - -struct _auth_obj reload_authobj(const char *userid, const char *password, - const char *oldnonce, const char *newnonce, - const unsigned char *authobj, const int authsize, - const unsigned char *payload, const int paysize) -{ - struct _auth_obj old_ao; - struct _auth_obj new_ao = {0}; - struct _hash_obj ho_chal, ho_key; - - ho_chal = make_challenge(userid, password, oldnonce); - if (ho_chal.err) { - new_ao.err = ho_chal.err; - return new_ao; - } - ho_key = fetch_key(ho_chal.hash, sizeof(ho_chal.hash)); - memset(&ho_chal, 0, sizeof(ho_chal)); - if (ho_key.err) { - new_ao.err = ho_key.err; - return new_ao; - } - memset(&ho_key, 0, sizeof(ho_key)); - return new_ao; -}