[rsync/rsync.git] / authenticate.c

/* 
   Copyright (C) Andrew Tridgell 1998
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

/* support rsync authentication */
#include "rsync.h"

/***************************************************************************
encode a buffer using base64 - simple and slow algorithm. null terminates
the result.
  ***************************************************************************/
static void base64_encode(char *buf, int len, char *out)
{
	char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	int bit_offset, byte_offset, idx, i;
	unsigned char *d = (unsigned char *)buf;
	int bytes = (len*8 + 5)/6;

	memset(out, 0, bytes+1);

	for (i=0;i<bytes;i++) {
		byte_offset = (i*6)/8;
		bit_offset = (i*6)%8;
		if (bit_offset < 3) {
			idx = (d[byte_offset] >> (2-bit_offset)) & 0x3F;
		} else {
			idx = (d[byte_offset] << (bit_offset-2)) & 0x3F;
			if (byte_offset+1 < len) {
				idx |= (d[byte_offset+1] >> (8-(bit_offset-2)));
			}
		}
		out[i] = b64[idx];
	}
}

/* create a 16 byte challenge buffer */
static void gen_challenge(char *addr, char *challenge)
{
	char input[32];
	struct timeval tv;

	memset(input, 0, sizeof(input));

	strlcpy((char *)input, addr, 17);
	gettimeofday(&tv, NULL);
	SIVAL(input, 16, tv.tv_sec);
	SIVAL(input, 20, tv.tv_usec);
	SIVAL(input, 24, getpid());

	sum_init();
	sum_update(input, sizeof(input));
	sum_end(challenge);
}


/* return the secret for a user from the sercret file. maximum length
   is len. null terminate it */
static int get_secret(int module, char *user, char *secret, int len)
{
	char *fname = lp_secrets_file(module);
	int fd, found=0;
	char line[MAXPATHLEN];
	char *p, *pass=NULL;
	STRUCT_STAT st;
	int ok = 1;
	extern int am_root;

	if (!fname || !*fname) return 0;

	fd = open(fname,O_RDONLY);
	if (fd == -1) return 0;

	if (do_stat(fname, &st) == -1) {
		rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
		ok = 0;
	} else if ((st.st_mode & 06) != 0) {
		rprintf(FERROR,"secrets file must not be other-accessible\n");
		ok = 0;
	} else if (am_root && (st.st_uid != 0)) {
		rprintf(FERROR,"secrets file must be owned by root when running as root\n");
		ok = 0;
	}
	if (!ok) {
		rprintf(FERROR,"continuing without secrets file\n");
		close(fd);
		return 0;
	}

	while (!found) {
		int i = 0;
		memset(line, 0, sizeof(line));
		while (i<(sizeof(line)-1)) {
			if (read(fd, &line[i], 1) != 1) {
				memset(line, 0, sizeof(line));
				close(fd);
				return 0;
			}
			if (line[i] == '\r') continue;
			if (line[i] == '\n') break;
			i++;
		}
		line[i] = 0;
		if (line[0] == '#') continue;
		p = strchr(line,':');
		if (!p) continue;
		*p = 0;
		if (strcmp(user, line)) continue;
		pass = p+1;
		found = 1;
	}

	close(fd);
	if (!found) return 0;

	strlcpy(secret, pass, len);
	return 1;
}

static char *getpassf(char *filename)
{
	char buffer[100];
	int len=0;
	int fd=0;
	STRUCT_STAT st;
	int ok = 1;
	extern int am_root;
	char *envpw=getenv("RSYNC_PASSWORD");

	if (!filename) return NULL;

	if ( (fd=open(filename,O_RDONLY)) == -1) {
		rprintf(FERROR,"could not open password file \"%s\"\n",filename);
		if (envpw) rprintf(FERROR,"falling back to RSYNC_PASSWORD environment variable.\n");	
		return NULL;
	}
	
	if (do_stat(filename, &st) == -1) {
		rprintf(FERROR,"stat(%s) : %s\n", filename, strerror(errno));
		ok = 0;
	} else if ((st.st_mode & 06) != 0) {
		rprintf(FERROR,"password file must not be other-accessible\n");
		ok = 0;
	} else if (am_root && (st.st_uid != 0)) {
		rprintf(FERROR,"password file must be owned by root when running as root\n");
		ok = 0;
	}
	if (!ok) {
		rprintf(FERROR,"continuing without password file\n");
		if (envpw) rprintf(FERROR,"using RSYNC_PASSWORD environment variable.\n");
		close(fd);
		return NULL;
	}

	if (envpw) rprintf(FERROR,"RSYNC_PASSWORD environment variable ignored\n");

	buffer[sizeof(buffer)-1]='\0';
	if ( (len=read(fd,buffer,sizeof(buffer)-1)) > 0)
	{
		close(fd);
		return strdup(strtok(buffer,"\n\r"));
	}	

	return NULL;
}

/* generate a 16 byte hash from a password and challenge */
static void generate_hash(char *in, char *challenge, char *out)
{
	char buf[16];

	sum_init();
	sum_update(in, strlen(in));
	sum_update(challenge, strlen(challenge));
	sum_end(buf);

	base64_encode(buf, 16, out);
}

/* possible negotiate authentication with the client. Use "leader" to
   start off the auth if necessary 

   return NULL if authentication failed

   return "" if anonymous access

   otherwise return username
*/
char *auth_server(int fd, int module, char *addr, char *leader)
{
	char *users = lp_auth_users(module);
	char challenge[16];
	char b64_challenge[30];
	char line[MAXPATHLEN];
	static char user[100];
	char secret[100];
	char pass[30];
	char pass2[30];
	char *tok;

	/* if no auth list then allow anyone in! */
	if (!users || !*users) return "";

	gen_challenge(addr, challenge);
	
	base64_encode(challenge, 16, b64_challenge);

	io_printf(fd,"%s%s\n", leader, b64_challenge);

	if (!read_line(fd, line, sizeof(line)-1)) {
		return NULL;
	}

	memset(user, 0, sizeof(user));
	memset(pass, 0, sizeof(pass));

	if (sscanf(line,"%99s %29s", user, pass) != 2) {
		return NULL;
	}

	users = strdup(users);
	if (!users) return NULL;

	for (tok=strtok(users," ,\t"); tok; tok = strtok(NULL," ,\t")) {
		if (strcmp(tok, user) == 0) break;
	}
	free(users);

	if (!tok) {
		return NULL;
	}
	
	memset(secret, 0, sizeof(secret));
	if (!get_secret(module, user, secret, sizeof(secret)-1)) {
		memset(secret, 0, sizeof(secret));
		return NULL;
	}

	generate_hash(secret, b64_challenge, pass2);
	memset(secret, 0, sizeof(secret));
	
	if (strcmp(pass, pass2) == 0)
		return user;

	return NULL;
}


void auth_client(int fd, char *user, char *challenge)
{
	char *pass;
	char pass2[30];
	extern char *password_file;

	if (!user || !*user) return;

	if (!(pass=getpassf(password_file)) && !(pass=getenv("RSYNC_PASSWORD"))) {
		pass = getpass("Password: ");
	}

	if (!pass || !*pass) {
		pass = "";
	}

	generate_hash(pass, challenge, pass2);
	io_printf(fd, "%s %s\n", user, pass2);
}
Commit	Line	Data
31593dd6 AT	1	/*
	2	Copyright (C) Andrew Tridgell 1998
	3
	4	This program is free software; you can redistribute it and/or modify
	5	it under the terms of the GNU General Public License as published by
	6	the Free Software Foundation; either version 2 of the License, or
	7	(at your option) any later version.
	8
	9	This program is distributed in the hope that it will be useful,
	10	but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	GNU General Public License for more details.
	13
	14	You should have received a copy of the GNU General Public License
	15	along with this program; if not, write to the Free Software
	16	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	17	*/
	18
	19	/* support rsync authentication */
	20	#include "rsync.h"
	21
bcb7e502 AT	22	/***************************************************************************
	23	encode a buffer using base64 - simple and slow algorithm. null terminates
	24	the result.
	25	***************************************************************************/
	26	static void base64_encode(char buf, int len, char out)
	27	{
	28	char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	29	int bit_offset, byte_offset, idx, i;
	30	unsigned char d = (unsigned char )buf;
bcb7e502 AT	31	int bytes = (len*8 + 5)/6;
	32
	33	memset(out, 0, bytes+1);
	34
	35	for (i=0;i<bytes;i++) {
	36	byte_offset = (i*6)/8;
	37	bit_offset = (i*6)%8;
	38	if (bit_offset < 3) {
	39	idx = (d[byte_offset] >> (2-bit_offset)) & 0x3F;
	40	} else {
	41	idx = (d[byte_offset] << (bit_offset-2)) & 0x3F;
	42	if (byte_offset+1 < len) {
	43	idx \|= (d[byte_offset+1] >> (8-(bit_offset-2)));
	44	}
	45	}
	46	out[i] = b64[idx];
	47	}
	48	}
	49
	50	/* create a 16 byte challenge buffer */
	51	static void gen_challenge(char addr, char challenge)
	52	{
	53	char input[32];
	54	struct timeval tv;
	55
	56	memset(input, 0, sizeof(input));
	57
37f9805d	58	strlcpy((char *)input, addr, 17);
bcb7e502 AT	59	gettimeofday(&tv, NULL);
	60	SIVAL(input, 16, tv.tv_sec);
	61	SIVAL(input, 20, tv.tv_usec);
	62	SIVAL(input, 24, getpid());
	63
	64	sum_init();
	65	sum_update(input, sizeof(input));
	66	sum_end(challenge);
	67	}
	68
	69
	70	/* return the secret for a user from the sercret file. maximum length
	71	is len. null terminate it */
	72	static int get_secret(int module, char user, char secret, int len)
	73	{
	74	char *fname = lp_secrets_file(module);
	75	int fd, found=0;
e42c9458 AT	76	char line[MAXPATHLEN];
e42c9458 AT	77	char p, pass=NULL;
d1be2312 DD	78	STRUCT_STAT st;
	79	int ok = 1;
	80	extern int am_root;
bcb7e502 AT	81
	82	if (!fname \|\| !*fname) return 0;
	83
	84	fd = open(fname,O_RDONLY);
	85	if (fd == -1) return 0;
	86
d1be2312 DD	87	if (do_stat(fname, &st) == -1) {
	88	rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
	89	ok = 0;
	90	} else if ((st.st_mode & 06) != 0) {
	91	rprintf(FERROR,"secrets file must not be other-accessible\n");
	92	ok = 0;
	93	} else if (am_root && (st.st_uid != 0)) {
	94	rprintf(FERROR,"secrets file must be owned by root when running as root\n");
	95	ok = 0;
	96	}
	97	if (!ok) {
	98	rprintf(FERROR,"continuing without secrets file\n");
	99	close(fd);
	100	return 0;
	101	}
	102
bcb7e502 AT	103	while (!found) {
	104	int i = 0;
	105	memset(line, 0, sizeof(line));
	106	while (i<(sizeof(line)-1)) {
	107	if (read(fd, &line[i], 1) != 1) {
	108	memset(line, 0, sizeof(line));
	109	close(fd);
	110	return 0;
	111	}
	112	if (line[i] == '\r') continue;
	113	if (line[i] == '\n') break;
	114	i++;
	115	}
	116	line[i] = 0;
	117	if (line[0] == '#') continue;
	118	p = strchr(line,':');
	119	if (!p) continue;
	120	*p = 0;
	121	if (strcmp(user, line)) continue;
	122	pass = p+1;
	123	found = 1;
	124	}
	125
	126	close(fd);
	127	if (!found) return 0;
	128
1a016bfd	129	strlcpy(secret, pass, len);
bcb7e502 AT	130	return 1;
	131	}
	132
65575e96 AT	133	static char getpassf(char filename)
	134	{
	135	char buffer[100];
	136	int len=0;
	137	int fd=0;
	138	STRUCT_STAT st;
	139	int ok = 1;
	140	extern int am_root;
	141	char *envpw=getenv("RSYNC_PASSWORD");
	142
	143	if (!filename) return NULL;
	144
	145	if ( (fd=open(filename,O_RDONLY)) == -1) {
	146	rprintf(FERROR,"could not open password file \"%s\"\n",filename);
	147	if (envpw) rprintf(FERROR,"falling back to RSYNC_PASSWORD environment variable.\n");
	148	return NULL;
	149	}
	150
	151	if (do_stat(filename, &st) == -1) {
	152	rprintf(FERROR,"stat(%s) : %s\n", filename, strerror(errno));
	153	ok = 0;
	154	} else if ((st.st_mode & 06) != 0) {
	155	rprintf(FERROR,"password file must not be other-accessible\n");
	156	ok = 0;
	157	} else if (am_root && (st.st_uid != 0)) {
	158	rprintf(FERROR,"password file must be owned by root when running as root\n");
	159	ok = 0;
	160	}
	161	if (!ok) {
	162	rprintf(FERROR,"continuing without password file\n");
	163	if (envpw) rprintf(FERROR,"using RSYNC_PASSWORD environment variable.\n");
	164	close(fd);
	165	return NULL;
	166	}
	167
	168	if (envpw) rprintf(FERROR,"RSYNC_PASSWORD environment variable ignored\n");
	169
	170	buffer[sizeof(buffer)-1]='\0';
	171	if ( (len=read(fd,buffer,sizeof(buffer)-1)) > 0)
	172	{
	173	close(fd);
	174	return strdup(strtok(buffer,"\n\r"));
	175	}
	176
	177	return NULL;
	178	}
	179
bcb7e502	180	/* generate a 16 byte hash from a password and challenge */
6e4fb64e	181	static void generate_hash(char in, char challenge, char *out)
bcb7e502 AT	182	{
	183	char buf[16];
	184
	185	sum_init();
	186	sum_update(in, strlen(in));
	187	sum_update(challenge, strlen(challenge));
	188	sum_end(buf);
	189
	190	base64_encode(buf, 16, out);
	191	}
	192
	193	/* possible negotiate authentication with the client. Use "leader" to
d0d56395 AT	194	start off the auth if necessary
	195
	196	return NULL if authentication failed
	197
	198	return "" if anonymous access
	199
	200	otherwise return username
	201	*/
	202	char auth_server(int fd, int module, char addr, char *leader)
bcb7e502 AT	203	{
	204	char *users = lp_auth_users(module);
	205	char challenge[16];
	206	char b64_challenge[30];
e42c9458	207	char line[MAXPATHLEN];
d0d56395	208	static char user[100];
bcb7e502 AT	209	char secret[100];
	210	char pass[30];
	211	char pass2[30];
c8e78d87	212	char *tok;
bcb7e502 AT	213
bcb7e502 AT	214	/* if no auth list then allow anyone in! */
d0d56395	215	if (!users \|\| !*users) return "";
bcb7e502 AT	216
	217	gen_challenge(addr, challenge);
	218
	219	base64_encode(challenge, 16, b64_challenge);
	220
	221	io_printf(fd,"%s%s\n", leader, b64_challenge);
	222
	223	if (!read_line(fd, line, sizeof(line)-1)) {
d0d56395	224	return NULL;
bcb7e502 AT	225	}
	226
	227	memset(user, 0, sizeof(user));
	228	memset(pass, 0, sizeof(pass));
	229
	230	if (sscanf(line,"%99s %29s", user, pass) != 2) {
d0d56395	231	return NULL;
bcb7e502 AT	232	}
bcb7e502 AT	233
c8e78d87	234	users = strdup(users);
d0d56395	235	if (!users) return NULL;
c8e78d87 AT	236
	237	for (tok=strtok(users," ,\t"); tok; tok = strtok(NULL," ,\t")) {
	238	if (strcmp(tok, user) == 0) break;
	239	}
	240	free(users);
	241
	242	if (!tok) {
d0d56395	243	return NULL;
c8e78d87 AT	244	}
c8e78d87 AT	245
bcb7e502 AT	246	memset(secret, 0, sizeof(secret));
	247	if (!get_secret(module, user, secret, sizeof(secret)-1)) {
	248	memset(secret, 0, sizeof(secret));
d0d56395	249	return NULL;
bcb7e502 AT	250	}
	251
	252	generate_hash(secret, b64_challenge, pass2);
	253	memset(secret, 0, sizeof(secret));
	254
d0d56395 AT	255	if (strcmp(pass, pass2) == 0)
	256	return user;
	257
	258	return NULL;
bcb7e502 AT	259	}
	260
	261
	262	void auth_client(int fd, char user, char challenge)
	263	{
	264	char *pass;
	265	char pass2[30];
65575e96	266	extern char *password_file;
bcb7e502 AT	267
	268	if (!user \|\| !*user) return;
	269
65575e96	270	if (!(pass=getpassf(password_file)) && !(pass=getenv("RSYNC_PASSWORD"))) {
bcb7e502 AT	271	pass = getpass("Password: ");
	272	}
	273
	274	if (!pass \|\| !*pass) {
	275	pass = "";
	276	}
	277
	278	generate_hash(pass, challenge, pass2);
bcb7e502 AT	279	io_printf(fd, "%s %s\n", user, pass2);
	280	}
	281
65575e96	282