X-Git-Url: http://www.average.org/gitweb/?p=pam_pcsc_cr.git;a=blobdiff_plain;f=authobj.c;h=ed20d4a41c0db67655fefbf0562e592032f090d4;hp=d2b6b7dee263124064ced1cdff93f470953f92dc;hb=b7d64e8a15a3a652d0844596307b787bc1711fa4;hpb=a76e90fbf8a269250cd749e18ed42415e51f9f45 diff --git a/authobj.c b/authobj.c index d2b6b7d..ed20d4a 100644 --- a/authobj.c +++ b/authobj.c @@ -3,102 +3,248 @@ #endif #include #include +#include #include #include "serial.h" #include "crypto.h" #include "authobj.h" -int make_challenge(const char *id, const char *pass, const char *nonce, - unsigned char *challenge, int *challengesize) +static struct _auth_chunk +make_challenge(const char *uid, const char *pass, const char *nonce) { + struct _auth_chunk ho = {0}; + unsigned long rc; serializer_t srl; + int datasize = strlen(uid) + strlen(pass) + strlen(nonce) + + 4 * sizeof(short); + unsigned char *data = alloca(datasize); + int hashsize = sizeof(ho.data); - serial_init(&srl, challenge, *challengesize); - if (serial_put(&srl, id, strlen(id)) != strlen(id)) - return aoe_serial; - if (serial_put(&srl, pass, strlen(pass)) != strlen(pass)) - return aoe_serial; - if (serial_put(&srl, nonce, strlen(nonce)) != strlen(nonce)) - return aoe_serial; - if (serial_put(&srl, NULL, 0) != 0) - return aoe_serial; - *challengesize = serial_size(&srl); - return 0; + serial_init(&srl, data, datasize); + if (serial_put(&srl, uid, strlen(uid)) != strlen(uid)) { + ho.err = "challenge: serialization of uid failed"; + } else if (serial_put(&srl, pass, strlen(pass)) != strlen(pass)) { + ho.err = "challenge: serialization of pass failed"; + } else if (serial_put(&srl, nonce, strlen(nonce)) != strlen(nonce)) { + ho.err = "challenge: serialization of nonce failed"; + } else if (serial_put(&srl, NULL, 0) != 0) { + ho.err = "challenge: serialization of terminator failed"; + } + if (!ho.err) { + if ((rc = hash(data, serial_size(&srl), &ho.data, &hashsize))) { + ho.err = crypto_errstr(rc); + } else if (hashsize != sizeof(ho.data)) { + ho.err = "challenge: hash size is wrong"; + } + } + memset(data, 0, datasize); + return ho; } -int make_authobj(const char *id, const char *pass, const char *nonce, +static struct _auth_chunk +new_key(const unsigned char *challenge, const int challengesize, + const unsigned char *secret, const int secsize) +{ + struct _auth_chunk ho = {0}; + unsigned long rc; + int keysize = sizeof(ho.data); + + if ((rc = hmac(secret, secsize, challenge, challengesize, + &ho.data, &keysize))) { + ho.err = crypto_errstr(rc); + } else if (keysize != sizeof(ho.data)) { + ho.err = "make_key: hash size is wrong"; + } + return ho; +} + +static struct _auth_chunk +make_key(const char *userid, const char *password, const char *nonce, + const unsigned char *secret, const int secsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) +{ + struct _auth_chunk ho_chal, ho_key = {0}; + + if (!userid || !password || !nonce) { + ho_key.err = "make_key: missing uid, pass or nonce"; + return ho_key; + } + ho_chal = make_challenge(userid, password, nonce); + if (ho_chal.err) { + ho_key.err = ho_chal.err; + return ho_key; + } + if (secret && secsize) { + ho_key = new_key(ho_chal.data, sizeof(ho_chal.data), + secret, secsize); + } else if (fetch_key) { + ho_key = (*fetch_key)(ho_chal.data, sizeof(ho_chal.data)); + } else { + ho_key.err = "make_key: neither secret nor fetch_key present"; + } + memset(&ho_chal, 0, sizeof(ho_chal)); + return ho_key; +} + +static struct _auth_obj +make_authobj(const char *userid, const char *password, const char *nonce, const unsigned char *secret, const int secsize, - const unsigned char *payload, const int paysize, - unsigned char *buffer, int *bufsize) + const unsigned char *payload, const int paylsize) { + struct _auth_obj ao = {0}; + unsigned long rc; unsigned char *data; int datasize; unsigned char datahash[HASHSIZE]; int datahashsize = HASHSIZE; - unsigned char *challenge; - int challengesize; - unsigned char key[HASHSIZE]; - int keysize = HASHSIZE; serializer_t srl; - datasize = ((secsize + paysize + HASHSIZE + 4 * sizeof(short) - 1) / + datasize = ((secsize + paylsize + HASHSIZE + 4 * sizeof(short) - 1) / CBLKSIZE + 1) * CBLKSIZE; data = alloca(datasize); serial_init(&srl, data, datasize); - if (serial_put(&srl, secret, secsize) != secsize) return aoe_serial; - if (serial_put(&srl, payload, paysize) != paysize) return aoe_serial; - if (hash(data, serial_size(&srl), datahash, &datahashsize)) - return aoe_size; - if (serial_put(&srl, datahash, datahashsize) != datahashsize) - return aoe_serial; - if (serial_put(&srl, NULL, 0) != 0) return aoe_serial; - datasize = ((serial_size(&srl) -1) / CBLKSIZE + 1) * CBLKSIZE; - - challengesize = ((strlen(id) + strlen(pass) + strlen(nonce) + - 4 * sizeof(short) - 1) / CBLKSIZE + 1) * CBLKSIZE; - challenge = alloca(challengesize); - if (make_challenge(id, pass, nonce, challenge, &challengesize)) - return aoe_serial; - - if (hmac(secret, secsize, challenge, challengesize, - key, &keysize)) return aoe_crypt; - - if (*bufsize < datasize) return aoe_size; - if (encrypt(key, CBLKSIZE, data, buffer, datasize)) return aoe_crypt; - *bufsize = datasize; - - return 0; + if (serial_put(&srl, secret, secsize) != secsize) { + ao.err = "authobj: serialization of secret failed"; + } else if (serial_put(&srl, payload, paylsize) != paylsize) { + ao.err = "authobj: serialization of payload failed"; + } else if ((rc = hash(data, serial_size(&srl), + datahash, &datahashsize))) { + ao.err = crypto_errstr(rc); + } else if (serial_put(&srl, datahash, datahashsize) != datahashsize) { + ao.err = "authobj: serialization of hash failed"; + } else if (serial_put(&srl, NULL, 0) != 0) { + ao.err = "authobj: serialization of terminator failed"; + } else { + unsigned long lrc; + int osize = ((serial_size(&srl) -1) / CBLKSIZE + 1) * CBLKSIZE; + struct _auth_chunk ho_key; + + ho_key = make_key(userid, password, nonce, + secret, secsize, NULL); + if (ho_key.err) { + ao.err = ho_key.err; + } else if ((ao.buffer = malloc(osize + paylsize)) == NULL) { + ao.err = "make authobj: malloc failed"; + } else if ((lrc = encrypt(ho_key.data, CBLKSIZE, data, + ao.buffer, osize))) { + ao.err = crypto_errstr(lrc); + } else { + ao.data = ao.buffer; + ao.datasize = osize; + if (payload && paylsize) { + /* payload passthrough */ + ao.payload = ao.data + osize; + memcpy(ao.payload, payload, paylsize); + ao.paylsize = paylsize; + } + } + memset(&ho_key, 0, sizeof(ho_key)); + } + memset(data, 0, datasize); + return ao; } -int parse_authobj(const unsigned char *key, const int keysize, - const unsigned char *buffer, const int bufsize, - unsigned char *secret, int *secsize, - unsigned char *payload, int *paysize) +static struct _auth_obj +parse_authobj(const char *userid, const char *password, const char *nonce, + const unsigned char *secret, const int secsize, + const unsigned char *ablob, const int blobsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) { - int datasize = bufsize; - unsigned char *data = alloca(datasize); - serializer_t srl; - int tsize; - unsigned char myhash[HASHSIZE]; - int myhashsize = HASHSIZE; - unsigned char theirhash[HASHSIZE]; - int theirhashsize = HASHSIZE; - - if (decrypt(key, CBLKSIZE, buffer, data, datasize)) - return aoe_crypt; - serial_init(&srl, data, datasize); - tsize = *secsize; - *secsize = serial_get(&srl, secret, tsize); - if (*secsize > tsize || *secsize <= 0) return aoe_serial; - tsize = *paysize; - *paysize = serial_get(&srl, payload, tsize); - if (*paysize > tsize || *paysize <= 0) return aoe_serial; - if (hash(data, serial_size(&srl), myhash, &myhashsize)) - return aoe_crypt; - theirhashsize = serial_get(&srl, theirhash, theirhashsize); - if (theirhashsize != HASHSIZE) return aoe_data; - if ((myhashsize != theirhashsize) || - memcmp(myhash, theirhash, myhashsize)) - return aoe_data; - return 0; + unsigned long rc; + struct _auth_obj ao = {0}; + struct _auth_chunk ho_key; + + ho_key = make_key(userid, password, nonce, secret, secsize, fetch_key); + if (ho_key.err) { + ao.err = ho_key.err; + } else if ((ao.buffer = malloc(blobsize)) == NULL) { + ao.err = "parse authobj: malloc failed"; + } else if ((rc = decrypt(ho_key.data, CBLKSIZE, + ablob, ao.buffer, blobsize))) { + ao.err = crypto_errstr(rc); + } else { + serializer_t srl; + unsigned char myhash[HASHSIZE]; + int myhsize = HASHSIZE; + unsigned char *theirhash; + int theirhsize; + unsigned long rc; + + serial_init(&srl, ao.buffer, blobsize); + if (serial_get(&srl, (void**)&ao.data, &ao.datasize)) { + ao.err = "mismatch: impossible secret"; + } else if (serial_get(&srl, (void**)&ao.payload, &ao.paylsize)) { + ao.err = "mismatch: impossible payload"; + } else if ((rc = hash(ao.buffer, serial_size(&srl), + myhash, &myhsize))) { + ao.err = crypto_errstr(rc); + } else if (serial_get(&srl, (void**)&theirhash, &theirhsize)) { + ao.err = "mismatch: impossible hash"; + } else if (theirhsize != HASHSIZE) { + ao.err = "mismatch: hash is of wrong size"; + } else if ((myhsize != theirhsize) || + memcmp(myhash, theirhash, myhsize)) { + ao.err = "mismatch: different hash"; + } + } + memset(&ho_key, 0, sizeof(ho_key)); + return ao; +} + +struct _auth_obj authobj(const char *userid, const char *password, + const char *oldnonce, const char *newnonce, + const unsigned char *secret, const int secsize, + const unsigned char *payload, const int paylsize, + const unsigned char *ablob, const int blobsize, + struct _auth_chunk (*fetch_key)(const unsigned char *chal, + const int csize)) +{ + const unsigned char *wsecret; + int wsecsize; + const unsigned char *wpayload; + int wpaylsize; + struct _auth_obj old_ao = {0}; + struct _auth_obj new_ao = {0}; + + if (!secret || !secsize || !payload) { + old_ao = parse_authobj(userid, password, oldnonce, + secret, secsize, + ablob, blobsize, fetch_key); + if (old_ao.err) { + new_ao.err = old_ao.err; + if (old_ao.buffer) free(old_ao.buffer); + return new_ao; + } else { + if (secret && secsize) { + wsecret = secret; + wsecsize = secsize; + } else { + wsecret = old_ao.data; + wsecsize = old_ao.datasize; + } + if (payload) { + wpayload = payload; + wpaylsize = paylsize; + } else { + wpayload = old_ao.payload; + wpaylsize = old_ao.paylsize; + } + } + } else { + wsecret = secret; + wsecsize = secsize; + wpayload = payload; + wpaylsize = paylsize; + } + + + new_ao = make_authobj(userid, password, newnonce, + wsecret, wsecsize, wpayload, wpaylsize); + + if (old_ao.data) memset(old_ao.data, 0, old_ao.datasize); + if (old_ao.payload) memset(old_ao.payload, 0, old_ao.paylsize); + if (old_ao.buffer) free(old_ao.buffer); + return new_ao; }