[rsync/rsync.git] / authenticate.c

/* 
   Copyright (C) Andrew Tridgell 1998
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

/* support rsync authentication */
#include "rsync.h"

/***************************************************************************
encode a buffer using base64 - simple and slow algorithm. null terminates
the result.
  ***************************************************************************/
static void base64_encode(char *buf, int len, char *out)
{
	char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	int bit_offset, byte_offset, idx, i;
	unsigned char *d = (unsigned char *)buf;
	int bytes = (len*8 + 5)/6;

	memset(out, 0, bytes+1);

	for (i=0;i<bytes;i++) {
		byte_offset = (i*6)/8;
		bit_offset = (i*6)%8;
		if (bit_offset < 3) {
			idx = (d[byte_offset] >> (2-bit_offset)) & 0x3F;
		} else {
			idx = (d[byte_offset] << (bit_offset-2)) & 0x3F;
			if (byte_offset+1 < len) {
				idx |= (d[byte_offset+1] >> (8-(bit_offset-2)));
			}
		}
		out[i] = b64[idx];
	}
}

/* create a 16 byte challenge buffer */
static void gen_challenge(char *addr, char *challenge)
{
	char input[32];
	struct timeval tv;

	memset(input, 0, sizeof(input));

	strlcpy((char *)input, addr, 17);
	gettimeofday(&tv, NULL);
	SIVAL(input, 16, tv.tv_sec);
	SIVAL(input, 20, tv.tv_usec);
	SIVAL(input, 24, getpid());

	sum_init();
	sum_update(input, sizeof(input));
	sum_end(challenge);
}


/* return the secret for a user from the sercret file. maximum length
   is len. null terminate it */
static int get_secret(int module, char *user, char *secret, int len)
{
	char *fname = lp_secrets_file(module);
	int fd, found=0;
	char line[MAXPATHLEN];
	char *p, *pass=NULL;
	STRUCT_STAT st;
	int ok = 1;
	extern int am_root;

	if (!fname || !*fname) return 0;

	fd = open(fname,O_RDONLY);
	if (fd == -1) return 0;

	if (do_stat(fname, &st) == -1) {
		rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
		ok = 0;
	} else if (lp_strict_modes(module)) {
		if ((st.st_mode & 06) != 0) {
			rprintf(FERROR,"secrets file must not be other-accessible (see strict modes option)\n");
			ok = 0;
		} else if (am_root && (st.st_uid != 0)) {
			rprintf(FERROR,"secrets file must be owned by root when running as root (see strict modes)\n");
			ok = 0;
		}
	}
	if (!ok) {
		rprintf(FERROR,"continuing without secrets file\n");
		close(fd);
		return 0;
	}

	while (!found) {
		int i = 0;
		memset(line, 0, sizeof(line));
		while (i<(sizeof(line)-1)) {
			if (read(fd, &line[i], 1) != 1) {
				memset(line, 0, sizeof(line));
				close(fd);
				return 0;
			}
			if (line[i] == '\r') continue;
			if (line[i] == '\n') break;
			i++;
		}
		line[i] = 0;
		if (line[0] == '#') continue;
		p = strchr(line,':');
		if (!p) continue;
		*p = 0;
		if (strcmp(user, line)) continue;
		pass = p+1;
		found = 1;
	}

	close(fd);
	if (!found) return 0;

	strlcpy(secret, pass, len);
	return 1;
}

static char *getpassf(char *filename)
{
	char buffer[100];
	int len=0;
	int fd=0;
	STRUCT_STAT st;
	int ok = 1;
	extern int am_root;
	char *envpw=getenv("RSYNC_PASSWORD");

	if (!filename) return NULL;

	if ( (fd=open(filename,O_RDONLY)) == -1) {
		rprintf(FERROR,"could not open password file \"%s\"\n",filename);
		if (envpw) rprintf(FERROR,"falling back to RSYNC_PASSWORD environment variable.\n");	
		return NULL;
	}
	
	if (do_stat(filename, &st) == -1) {
		rprintf(FERROR,"stat(%s) : %s\n", filename, strerror(errno));
		ok = 0;
	} else if ((st.st_mode & 06) != 0) {
		rprintf(FERROR,"password file must not be other-accessible\n");
		ok = 0;
	} else if (am_root && (st.st_uid != 0)) {
		rprintf(FERROR,"password file must be owned by root when running as root\n");
		ok = 0;
	}
	if (!ok) {
		rprintf(FERROR,"continuing without password file\n");
		if (envpw) rprintf(FERROR,"using RSYNC_PASSWORD environment variable.\n");
		close(fd);
		return NULL;
	}

	if (envpw) rprintf(FERROR,"RSYNC_PASSWORD environment variable ignored\n");

	buffer[sizeof(buffer)-1]='\0';
	if ( (len=read(fd,buffer,sizeof(buffer)-1)) > 0)
	{
		char *p = strtok(buffer,"\n\r");
		close(fd);
		if (p) p = strdup(p);
		return p;
	}	

	return NULL;
}

/* generate a 16 byte hash from a password and challenge */
static void generate_hash(char *in, char *challenge, char *out)
{
	char buf[16];

	sum_init();
	sum_update(in, strlen(in));
	sum_update(challenge, strlen(challenge));
	sum_end(buf);

	base64_encode(buf, 16, out);
}

/* possible negotiate authentication with the client. Use "leader" to
   start off the auth if necessary 

   return NULL if authentication failed

   return "" if anonymous access

   otherwise return username
*/
char *auth_server(int fd, int module, char *addr, char *leader)
{
	char *users = lp_auth_users(module);
	char challenge[16];
	char b64_challenge[30];
	char line[MAXPATHLEN];
	static char user[100];
	char secret[100];
	char pass[30];
	char pass2[30];
	char *tok;

	/* if no auth list then allow anyone in! */
	if (!users || !*users) return "";

	gen_challenge(addr, challenge);
	
	base64_encode(challenge, 16, b64_challenge);

	io_printf(fd,"%s%s\n", leader, b64_challenge);

	if (!read_line(fd, line, sizeof(line)-1)) {
		return NULL;
	}

	memset(user, 0, sizeof(user));
	memset(pass, 0, sizeof(pass));

	if (sscanf(line,"%99s %29s", user, pass) != 2) {
		return NULL;
	}

	users = strdup(users);
	if (!users) return NULL;

	for (tok=strtok(users," ,\t"); tok; tok = strtok(NULL," ,\t")) {
		if (strcmp(tok, user) == 0) break;
	}
	free(users);

	if (!tok) {
		return NULL;
	}
	
	memset(secret, 0, sizeof(secret));
	if (!get_secret(module, user, secret, sizeof(secret)-1)) {
		memset(secret, 0, sizeof(secret));
		return NULL;
	}

	generate_hash(secret, b64_challenge, pass2);
	memset(secret, 0, sizeof(secret));
	
	if (strcmp(pass, pass2) == 0)
		return user;

	return NULL;
}


void auth_client(int fd, char *user, char *challenge)
{
	char *pass;
	char pass2[30];
	extern char *password_file;

	if (!user || !*user) return;

	if (!(pass=getpassf(password_file)) && !(pass=getenv("RSYNC_PASSWORD"))) {
		pass = getpass("Password: ");
	}

	if (!pass || !*pass) {
		pass = "";
	}

	generate_hash(pass, challenge, pass2);
	io_printf(fd, "%s %s\n", user, pass2);
}
Commit	Line	Data
31593dd6 AT	1	/*
	2	Copyright (C) Andrew Tridgell 1998
	3
	4	This program is free software; you can redistribute it and/or modify
	5	it under the terms of the GNU General Public License as published by
	6	the Free Software Foundation; either version 2 of the License, or
	7	(at your option) any later version.
	8
	9	This program is distributed in the hope that it will be useful,
	10	but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	GNU General Public License for more details.
	13
	14	You should have received a copy of the GNU General Public License
	15	along with this program; if not, write to the Free Software
	16	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	17	*/
	18
	19	/* support rsync authentication */
	20	#include "rsync.h"
	21
bcb7e502 AT	22	/***************************************************************************
	23	encode a buffer using base64 - simple and slow algorithm. null terminates
	24	the result.
	25	***************************************************************************/
	26	static void base64_encode(char buf, int len, char out)
	27	{
	28	char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	29	int bit_offset, byte_offset, idx, i;
	30	unsigned char d = (unsigned char )buf;
bcb7e502 AT	31	int bytes = (len*8 + 5)/6;
	32
	33	memset(out, 0, bytes+1);
	34
	35	for (i=0;i<bytes;i++) {
	36	byte_offset = (i*6)/8;
	37	bit_offset = (i*6)%8;
	38	if (bit_offset < 3) {
	39	idx = (d[byte_offset] >> (2-bit_offset)) & 0x3F;
	40	} else {
	41	idx = (d[byte_offset] << (bit_offset-2)) & 0x3F;
	42	if (byte_offset+1 < len) {
	43	idx \|= (d[byte_offset+1] >> (8-(bit_offset-2)));
	44	}
	45	}
	46	out[i] = b64[idx];
	47	}
	48	}
	49
	50	/* create a 16 byte challenge buffer */
	51	static void gen_challenge(char addr, char challenge)
	52	{
	53	char input[32];
	54	struct timeval tv;
	55
	56	memset(input, 0, sizeof(input));
	57
37f9805d	58	strlcpy((char *)input, addr, 17);
bcb7e502 AT	59	gettimeofday(&tv, NULL);
	60	SIVAL(input, 16, tv.tv_sec);
	61	SIVAL(input, 20, tv.tv_usec);
	62	SIVAL(input, 24, getpid());
	63
	64	sum_init();
	65	sum_update(input, sizeof(input));
	66	sum_end(challenge);
	67	}
	68
	69
	70	/* return the secret for a user from the sercret file. maximum length
	71	is len. null terminate it */
	72	static int get_secret(int module, char user, char secret, int len)
	73	{
	74	char *fname = lp_secrets_file(module);
	75	int fd, found=0;
e42c9458 AT	76	char line[MAXPATHLEN];
e42c9458 AT	77	char p, pass=NULL;
d1be2312 DD	78	STRUCT_STAT st;
	79	int ok = 1;
	80	extern int am_root;
bcb7e502 AT	81
	82	if (!fname \|\| !*fname) return 0;
	83
	84	fd = open(fname,O_RDONLY);
	85	if (fd == -1) return 0;
	86
d1be2312 DD	87	if (do_stat(fname, &st) == -1) {
	88	rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
	89	ok = 0;
3ca8e68f DD	90	} else if (lp_strict_modes(module)) {
	91	if ((st.st_mode & 06) != 0) {
	92	rprintf(FERROR,"secrets file must not be other-accessible (see strict modes option)\n");
	93	ok = 0;
	94	} else if (am_root && (st.st_uid != 0)) {
	95	rprintf(FERROR,"secrets file must be owned by root when running as root (see strict modes)\n");
	96	ok = 0;
	97	}
d1be2312 DD	98	}
	99	if (!ok) {
	100	rprintf(FERROR,"continuing without secrets file\n");
	101	close(fd);
	102	return 0;
	103	}
	104
bcb7e502 AT	105	while (!found) {
	106	int i = 0;
	107	memset(line, 0, sizeof(line));
	108	while (i<(sizeof(line)-1)) {
	109	if (read(fd, &line[i], 1) != 1) {
	110	memset(line, 0, sizeof(line));
	111	close(fd);
	112	return 0;
	113	}
	114	if (line[i] == '\r') continue;
	115	if (line[i] == '\n') break;
	116	i++;
	117	}
	118	line[i] = 0;
	119	if (line[0] == '#') continue;
	120	p = strchr(line,':');
	121	if (!p) continue;
	122	*p = 0;
	123	if (strcmp(user, line)) continue;
	124	pass = p+1;
	125	found = 1;
	126	}
	127
	128	close(fd);
	129	if (!found) return 0;
	130
1a016bfd	131	strlcpy(secret, pass, len);
bcb7e502 AT	132	return 1;
	133	}
	134
65575e96 AT	135	static char getpassf(char filename)
	136	{
	137	char buffer[100];
	138	int len=0;
	139	int fd=0;
	140	STRUCT_STAT st;
	141	int ok = 1;
	142	extern int am_root;
	143	char *envpw=getenv("RSYNC_PASSWORD");
	144
	145	if (!filename) return NULL;
	146
	147	if ( (fd=open(filename,O_RDONLY)) == -1) {
	148	rprintf(FERROR,"could not open password file \"%s\"\n",filename);
	149	if (envpw) rprintf(FERROR,"falling back to RSYNC_PASSWORD environment variable.\n");
	150	return NULL;
	151	}
	152
	153	if (do_stat(filename, &st) == -1) {
	154	rprintf(FERROR,"stat(%s) : %s\n", filename, strerror(errno));
	155	ok = 0;
	156	} else if ((st.st_mode & 06) != 0) {
	157	rprintf(FERROR,"password file must not be other-accessible\n");
	158	ok = 0;
	159	} else if (am_root && (st.st_uid != 0)) {
	160	rprintf(FERROR,"password file must be owned by root when running as root\n");
	161	ok = 0;
	162	}
	163	if (!ok) {
	164	rprintf(FERROR,"continuing without password file\n");
	165	if (envpw) rprintf(FERROR,"using RSYNC_PASSWORD environment variable.\n");
	166	close(fd);
	167	return NULL;
	168	}
	169
	170	if (envpw) rprintf(FERROR,"RSYNC_PASSWORD environment variable ignored\n");
	171
	172	buffer[sizeof(buffer)-1]='\0';
	173	if ( (len=read(fd,buffer,sizeof(buffer)-1)) > 0)
	174	{
379e689d	175	char *p = strtok(buffer,"\n\r");
65575e96	176	close(fd);
379e689d AT	177	if (p) p = strdup(p);
379e689d AT	178	return p;
65575e96 AT	179	}
	180
	181	return NULL;
	182	}
	183
bcb7e502	184	/* generate a 16 byte hash from a password and challenge */
6e4fb64e	185	static void generate_hash(char in, char challenge, char *out)
bcb7e502 AT	186	{
	187	char buf[16];
	188
	189	sum_init();
	190	sum_update(in, strlen(in));
	191	sum_update(challenge, strlen(challenge));
	192	sum_end(buf);
	193
	194	base64_encode(buf, 16, out);
	195	}
	196
	197	/* possible negotiate authentication with the client. Use "leader" to
d0d56395 AT	198	start off the auth if necessary
	199
	200	return NULL if authentication failed
	201
	202	return "" if anonymous access
	203
	204	otherwise return username
	205	*/
	206	char auth_server(int fd, int module, char addr, char *leader)
bcb7e502 AT	207	{
	208	char *users = lp_auth_users(module);
	209	char challenge[16];
	210	char b64_challenge[30];
e42c9458	211	char line[MAXPATHLEN];
d0d56395	212	static char user[100];
bcb7e502 AT	213	char secret[100];
	214	char pass[30];
	215	char pass2[30];
c8e78d87	216	char *tok;
bcb7e502 AT	217
bcb7e502 AT	218	/* if no auth list then allow anyone in! */
d0d56395	219	if (!users \|\| !*users) return "";
bcb7e502 AT	220
	221	gen_challenge(addr, challenge);
	222
	223	base64_encode(challenge, 16, b64_challenge);
	224
	225	io_printf(fd,"%s%s\n", leader, b64_challenge);
	226
	227	if (!read_line(fd, line, sizeof(line)-1)) {
d0d56395	228	return NULL;
bcb7e502 AT	229	}
	230
	231	memset(user, 0, sizeof(user));
	232	memset(pass, 0, sizeof(pass));
	233
	234	if (sscanf(line,"%99s %29s", user, pass) != 2) {
d0d56395	235	return NULL;
bcb7e502 AT	236	}
bcb7e502 AT	237
c8e78d87	238	users = strdup(users);
d0d56395	239	if (!users) return NULL;
c8e78d87 AT	240
	241	for (tok=strtok(users," ,\t"); tok; tok = strtok(NULL," ,\t")) {
	242	if (strcmp(tok, user) == 0) break;
	243	}
	244	free(users);
	245
	246	if (!tok) {
d0d56395	247	return NULL;
c8e78d87 AT	248	}
c8e78d87 AT	249
bcb7e502 AT	250	memset(secret, 0, sizeof(secret));
	251	if (!get_secret(module, user, secret, sizeof(secret)-1)) {
	252	memset(secret, 0, sizeof(secret));
d0d56395	253	return NULL;
bcb7e502 AT	254	}
	255
	256	generate_hash(secret, b64_challenge, pass2);
	257	memset(secret, 0, sizeof(secret));
	258
d0d56395 AT	259	if (strcmp(pass, pass2) == 0)
	260	return user;
	261
	262	return NULL;
bcb7e502 AT	263	}
	264
	265
	266	void auth_client(int fd, char user, char challenge)
	267	{
	268	char *pass;
	269	char pass2[30];
65575e96	270	extern char *password_file;
bcb7e502 AT	271
	272	if (!user \|\| !*user) return;
	273
65575e96	274	if (!(pass=getpassf(password_file)) && !(pass=getenv("RSYNC_PASSWORD"))) {
bcb7e502 AT	275	pass = getpass("Password: ");
	276	}
	277
	278	if (!pass \|\| !*pass) {
	279	pass = "";
	280	}
	281
	282	generate_hash(pass, challenge, pass2);
bcb7e502 AT	283	io_printf(fd, "%s %s\n", user, pass2);
	284	}
	285
65575e96	286