/* MODULE HTPasswd.c ** PASSWORD FILE ROUTINES ** ** AUTHORS: ** AL Ari Luotonen luotonen@dxcern.cern.ch ** MD Mark Donszelmann duns@vxdeop.cern.ch ** ** HISTORY: ** 7 Nov 93 MD free for crypt taken out (static data returned) ** ** ** BUGS: ** ** */ #include "HTUtils.h" #include "tcp.h" /* FROMASCII() */ #include #include "HTAAUtil.h" /* Common parts of AA */ #include "HTAAFile.h" /* File routines */ #include "HTPasswd.h" /* Implemented here */ #include "LYLeaks.h" extern char *crypt(); PRIVATE char salt_chars [65] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"; /* PRIVATE next_rec() ** GO TO THE BEGINNING OF THE NEXT RECORD ** Otherwise like HTAAFile_nextRec() but ** does not handle continuation lines ** (because password file has none). ** ON ENTRY: ** fp is the password file from which records are read from. ** ** ON EXIT: ** returns nothing. File read pointer is located at the beginning ** of the next record. */ PRIVATE void next_rec ARGS1(FILE *, fp) { int ch = getc(fp); while (ch != EOF && ch != CR && ch != LF) ch = getc(fp); /* Skip until end-of-line */ while (ch != EOF && (ch == CR || ch == LF)) /*Skip carriage returns and linefeeds*/ ch = getc(fp); if (ch != EOF) ungetc(ch, fp); } /* PUBLIC HTAA_encryptPasswd() ** ENCRYPT PASSWORD TO THE FORM THAT IT IS SAVED ** IN THE PASSWORD FILE. ** ON ENTRY: ** password is a string of arbitrary lenght. ** ** ON EXIT: ** returns password in one-way encrypted form. ** ** NOTE: ** Uses currently the C library function crypt(), which ** only accepts at most 8 characters long strings and produces ** always 13 characters long strings. This function is ** called repeatedly so that longer strings can be encrypted. ** This is of course not as safe as encrypting the entire ** string at once, but then again, we are not that paranoid ** about the security inside the machine. ** */ PUBLIC char *HTAA_encryptPasswd ARGS1(CONST char *, password) { char salt[3]; char chunk[9]; char *result; char *tmp; CONST char *cur = password; int len = strlen(password); extern time_t theTime; int random = (int)theTime; /* This is random enough */ if (!(result = (char*)malloc(13*((strlen(password)+7)/8) + 1))) outofmem(__FILE__, "HTAA_encryptPasswd"); *result = (char)0; while (len > 0) { salt[0] = salt_chars[random%64]; salt[1] = salt_chars[(random/64)%64]; salt[2] = (char)0; strncpy(chunk, cur, 8); chunk[8] = (char)0; tmp = crypt((char*)password, salt); /*crypt() doesn't change its args*/ strcat(result, tmp); cur += 8; len -= 8; } /* while */ return result; } /* PUBLIC HTAA_passwdMatch() ** VERIFY THE CORRECTNESS OF A GIVEN PASSWORD ** AGAINST A ONE-WAY ENCRYPTED FORM OF PASSWORD. ** ON ENTRY: ** password is cleartext password. ** encrypted is one-way encrypted password, as returned ** by function HTAA_encryptPasswd(). ** This is typically read from the password ** file. ** ** ON EXIT: ** returns YES, if password matches the encrypted one. ** NO, if not, or if either parameter is NULL. ** FIX: ** Only the length of original encrypted password is ** checked -- longer given passwords are accepted if ** common length is correct (but not shorter). ** This is to allow interoperation of servers and clients ** who have a hard-coded limit of 8 to password. */ PUBLIC BOOL HTAA_passwdMatch ARGS2(CONST char *, password, CONST char *, encrypted) { char *result; int len; int status; if (!password || !encrypted) return NO; len = 13*((strlen(password)+7)/8); if (len < strlen(encrypted)) return NO; if (!(result = (char*)malloc(len + 1))) outofmem(__FILE__, "HTAA_encryptPasswd"); *result = (char)0; while (len > 0) { char salt[3]; char chunk[9]; CONST char *cur1 = password; CONST char *cur2 = encrypted; char *tmp; salt[0] = *cur2; salt[1] = *(cur2+1); salt[2] = (char)0; strncpy(chunk, cur1, 8); chunk[8] = (char)0; tmp = crypt((char*)password, salt); strcat(result, tmp); cur1 += 8; cur2 += 13; len -= 13; } /* while */ status = strncmp(result, encrypted, strlen(encrypted)); if (TRACE) fprintf(stderr, "%s `%s' (encrypted: `%s') with: `%s' => %s\n", "HTAA_passwdMatch: Matching password:", password, result, encrypted, (status==0 ? "OK" : "INCORRECT")); FREE(result); if (status==0) return YES; else return NO; } /* PUBLIC HTAAFile_readPasswdRec() ** READ A RECORD FROM THE PASSWORD FILE ** ON ENTRY: ** fp open password file ** out_username buffer to put the read username, must be at ** least MAX_USERNAME_LEN+1 characters long. ** out_passwd buffer to put the read password, must be at ** least MAX_PASSWORD_LEN+1 characters long. ** ON EXIT: ** returns EOF on end of file, ** otherwise the number of read fields ** (i.e. in a correct case returns 2). ** out_username contains the null-terminated read username. ** out_password contains the null-terminated read password. ** ** FORMAT OF PASSWORD FILE: ** username:password:maybe real name or other stuff ** (may include even colons) ** ** There may be whitespace (blanks or tabs) in the beginning and ** the end of each field. They are ignored. */ PUBLIC int HTAAFile_readPasswdRec ARGS3(FILE *, fp, char *, out_username, char *, out_password) { char terminator; terminator = HTAAFile_readField(fp, out_username, MAX_USERNAME_LEN); if (terminator == EOF) { /* End of file */ return EOF; } else if (terminator == CR || terminator == LF) { /* End of line */ next_rec(fp); return 1; } else { HTAAFile_readField(fp, out_password, MAX_PASSWORD_LEN); next_rec(fp); return 2; } } /* PUBLIC HTAA_checkPassword() ** CHECK A USERNAME-PASSWORD PAIR ** ON ENTRY: ** username is a null-terminated string containing ** the client's username. ** password is a null-terminated string containing ** the client's corresponding password. ** filename is a null-terminated absolute filename ** for password file. ** If NULL or empty, the value of ** PASSWD_FILE is used. ** ON EXIT: ** returns YES, if the username-password pair was correct. ** NO, otherwise; also, if open fails. */ PUBLIC BOOL HTAA_checkPassword ARGS3(CONST char *, username, CONST char *, password, CONST char *, filename) { FILE *fp = NULL; char user[MAX_USERNAME_LEN+1]; char pw[MAX_PASSWORD_LEN+1]; int status; if (filename && *filename) fp = fopen(filename,"r"); else fp = fopen(PASSWD_FILE,"r"); if (!fp) { if (TRACE) fprintf(stderr, "%s `%s'\n", "HTAA_checkPassword: Unable to open password file", (filename && *filename ? filename : PASSWD_FILE)); return NO; } do { if (2 == (status = HTAAFile_readPasswdRec(fp,user,pw))) { if (TRACE) fprintf(stderr, "HTAAFile_validateUser: %s \"%s\" %s \"%s:%s\"\n", "Matching username:", username, "against passwd record:", user, pw); if (username && user && !strcmp(username,user)) { /* User's record found */ if (*pw != '\0') { /* So password is required for this user */ if (!password || !HTAA_passwdMatch(password,pw)) /* Check the password */ status = EOF; /* If wrong, indicate it with EOF */ } break; /* exit loop */ } /* if username found */ } /* if record is ok */ } while (status != EOF); fclose(fp); if (TRACE) fprintf(stderr, "HTAAFile_checkPassword: (%s,%s) %scorrect\n", username, password, ((status != EOF) ? "" : "in")); if (status == EOF) return NO; /* We traversed to the end without luck */ else return YES; /* The user was found */ }