[Openvas-commits] r3430 - in trunk/openvas-libraries: . libopenvas
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue May 19 19:45:50 CEST 2009
Author: mattm
Date: 2009-05-19 19:45:49 +0200 (Tue, 19 May 2009)
New Revision: 3430
Added:
trunk/openvas-libraries/libopenvas/openvas_auth.c
trunk/openvas-libraries/libopenvas/openvas_auth.h
Modified:
trunk/openvas-libraries/ChangeLog
trunk/openvas-libraries/Makefile
trunk/openvas-libraries/libopenvas/Makefile
Log:
Add authentication facilities.
* libopenvas/openvas_auth.c: New file. Contains functions digest_hex and
get_password_hashes from ../config-manager/src/openvascd.c.
* libopenvas/openvas_auth.h: New file.
* libopenvas/Makefile (openvas_auth.o): New rule.
* Makefile (install): Add openvas_auth.h.
(doc-full): Fix comment typo.
Modified: trunk/openvas-libraries/ChangeLog
===================================================================
--- trunk/openvas-libraries/ChangeLog 2009-05-19 13:51:55 UTC (rev 3429)
+++ trunk/openvas-libraries/ChangeLog 2009-05-19 17:45:49 UTC (rev 3430)
@@ -1,3 +1,16 @@
+2009-05-19 Matthew Mundell <mmundell at intevation.de>
+
+ Add authentication facilities.
+
+ * libopenvas/openvas_auth.c: New file. Contains functions digest_hex and
+ get_password_hashes from ../config-manager/src/openvascd.c.
+ * libopenvas/openvas_auth.h: New file.
+
+ * libopenvas/Makefile (openvas_auth.o): New rule.
+
+ * Makefile (install): Add openvas_auth.h.
+ (doc-full): Fix comment typo.
+
2009-05-18 Matthew Mundell <mmundell at intevation.de>
* doc/Doxyfile (EXTRACT_ALL): Turn off, to enable warnings about
Modified: trunk/openvas-libraries/Makefile
===================================================================
--- trunk/openvas-libraries/Makefile 2009-05-19 13:51:55 UTC (rev 3429)
+++ trunk/openvas-libraries/Makefile 2009-05-19 17:45:49 UTC (rev 3430)
@@ -62,6 +62,7 @@
$(INSTALL) -m 0444 libopenvas/resolve.h $(DESTDIR)${includedir}/openvas
$(INSTALL) -m 0444 libopenvas/openvas_ssh_login.h $(DESTDIR)${includedir}/openvas
$(INSTALL) -m 0444 libopenvas/openvas_server.h $(DESTDIR)${includedir}/openvas
+ $(INSTALL) -m 0444 libopenvas/openvas_auth.h $(DESTDIR)${includedir}/openvas
$(INSTALL) -m 0444 libopenvas/scanners_utils.h $(DESTDIR)${includedir}/openvas
$(INSTALL) -m 0444 libopenvas/services1.h $(DESTDIR)${includedir}/openvas
$(INSTALL) -m 0444 libopenvas/share_fd.h $(DESTDIR)${includedir}/openvas
@@ -110,7 +111,7 @@
doxygen doc/Doxyfile
# Generates more extensive code documentation with graphs
-# (placed in doc/generated) and builts doc/generated/latex/refman.pdf
+# (placed in doc/generated) and builds doc/generated/latex/refman.pdf
doc-full:
doxygen doc/Doxyfile_full
if [ -d doc/generated/latex ]; then make -C doc/generated/latex; fi
Modified: trunk/openvas-libraries/libopenvas/Makefile
===================================================================
--- trunk/openvas-libraries/libopenvas/Makefile 2009-05-19 13:51:55 UTC (rev 3429)
+++ trunk/openvas-libraries/libopenvas/Makefile 2009-05-19 17:45:49 UTC (rev 3430)
@@ -31,14 +31,14 @@
www_funcs.o ids_send.o rand.o popen.o \
bpf_share.o rand.o popen.o services.o services1.o \
proctitle.o store.o kb.o share_fd.o hash_table_file.o \
- openvas_ssh_login.o openvas_server.o
+ openvas_ssh_login.o openvas_server.o openvas_auth.o
LO_OBJS = plugutils.lo system.lo network.lo resolve.lo arglists.lo \
ftp_funcs.lo scanners_utils.lo pcap.lo hlst.lo harglists.lo \
www_funcs.lo ids_send.lo \
rand.lo popen.lo bpf_share.lo services.lo services1.lo \
proctitle.lo store.lo kb.lo share_fd.lo hash_table_file.lo \
- openvas_ssh_login.lo openvas_server.lo
+ openvas_ssh_login.lo openvas_server.lo openvas_auth.lo
# += does not work with non-GNU make ...
# CFLAGS+=-I../$(CIPHER_SUBDIR)
@@ -125,6 +125,11 @@
openvas_server.o: openvas_server.c openvas_server.h
$(COMPILE) -c openvas_server.c
+OPENVAS_USERS_DIR = $(localstatedir)/lib/openvas/users/
+
+openvas_auth.o: openvas_auth.c openvas_auth.h
+ $(COMPILE) -DOPENVAS_USERS_DIR=\"$(OPENVAS_USERS_DIR)\" -c openvas_auth.c $(DESTDIR)
+
libopenvas.la: $(OBJS)
$(LINK) -o libopenvas.la $(LO_OBJS) $(LIBS) -rpath ${libdir} \
-version-info ${PACKAGE_VERSION}
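Review bot: The new `openvas_auth.o` recipe ends with a stray `$(DESTDIR)` after `-c openvas_auth.c`, so any staged install (`make DESTDIR=/tmp/stage`) passes the staging directory to the compiler as an extra input and the compile fails; the line should be `$(COMPILE) -DOPENVAS_USERS_DIR=\"$(OPENVAS_USERS_DIR)\" -c openvas_auth.c`. `DESTDIR` is only a staging prefix and must never be baked into the compiled-in path anyway, since the library looks up `$(localstatedir)/lib/openvas/users/` at run time. If `localstatedir` is not defined when this Makefile is parsed the define silently becomes `/lib/openvas/users/`; a guard such as `$(if $(strip $(localstatedir)),,$(error localstatedir is not set))` next to the `OPENVAS_USERS_DIR` assignment would catch that. The `.lo` object added to `LO_OBJS` above is presumably produced by the same `$(COMPILE)` invocation, so the define reaches it too — worth confirming.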
Added: trunk/openvas-libraries/libopenvas/openvas_auth.c
===================================================================
--- trunk/openvas-libraries/libopenvas/openvas_auth.c 2009-05-19 13:51:55 UTC (rev 3429)
+++ trunk/openvas-libraries/libopenvas/openvas_auth.c 2009-05-19 17:45:49 UTC (rev 3430)
@@ -0,0 +1,182 @@
+/* OpenVAS-Client
+ * $Id$
+ * Description: SSH Key management.
+ *
+ * Authors:
+ * Matthew Mundell <matt at mundell.ukfsn.org>
+ * Michael Wiegand <michael.wiegand at greenbone.net>
+ *
+ * Copyright:
+ * Copyright (C) 2009 Greenbone Networks GmbH
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+ * USA.
+ */
+
+#include "openvas_auth.h"
+#include <gcrypt.h>
+
+/**
+ * @brief Generate a hexadecimal representation of a message digest.
+ *
+ * @param gcrypt_algorithm The libgcrypt message digest algorithm used to
+ * create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in
+ * gcrypt.h).
+ * @param digest The binary representation of the digest.
+ *
+ * @return A pointer to the hexadecimal representation of the message digest
+ * or NULL if an unavailable message digest algorithm was selected.
+ */
+gchar *
+digest_hex (int gcrypt_algorithm, const guchar * digest)
+{
+ gcry_error_t err = gcry_md_test_algo (gcrypt_algorithm);
+ if (err != 0)
+ {
+ g_warning ("Could not select gcrypt algorithm: %s",
+ gcry_strerror (err));
+ return NULL;
+ }
+
+ gchar *hex = g_malloc0(gcry_md_get_algo_dlen (gcrypt_algorithm) * 2 + 1);
+ int i;
+
+ for (i = 0; i < gcry_md_get_algo_dlen (gcrypt_algorithm); i++)
+ {
+ g_snprintf(hex + i * 2, 3, "%02x", digest[i]);
+ }
+
+ return hex;
+}
+
+/**
+ * @brief Generate a pair of hashes to be used in the OpenVAS "auth/hash" file
+ * for the user.
+ *
+ * The "auth/hash" file consist of two hashes, h_1 and h_2. h_2 (the "seed")
+ * is the message digest of (currently) 256 bytes of random data. h_1 is the
+ * message digest of h_2 concatenated with the password in plaintext.
+ *
+ * The current implementation was taken from the openvas-adduser shell script
+ * provided with openvas-server.
+ *
+ * @param gcrypt_algorithm The libgcrypt message digest algorithm used to
+ * create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in
+ * gcrypt.h)
+ * @param password The password in plaintext.
+ *
+ * @return A pointer to a gchar containing the two hashes separated by a
+ * space or NULL if an unavailable message digest algorithm was selected.
+ */
+gchar *
+get_password_hashes (int gcrypt_algorithm, const gchar * password)
+{
+ gcry_error_t err = gcry_md_test_algo (gcrypt_algorithm);
+ if (err != 0)
+ {
+ g_warning ("Could not select gcrypt algorithm: %s",
+ gcry_strerror (err));
+ return NULL;
+ }
+
+ g_assert (password);
+
+ unsigned char *nonce_buffer[256];
+ guchar *seed = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm));
+ gchar *seed_hex = NULL;
+ gchar *seed_pass = NULL;
+ guchar *hash = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm));
+ gchar *hash_hex = NULL;
+ gchar *hashes_out = NULL;
+
+ gcry_create_nonce (nonce_buffer, 256);
+ gcry_md_hash_buffer (GCRY_MD_MD5, seed, nonce_buffer, 256);
+ seed_hex = digest_hex (GCRY_MD_MD5, seed);
+ seed_pass = g_strconcat (seed_hex, password, NULL);
+ gcry_md_hash_buffer (GCRY_MD_MD5, hash, seed_pass, strlen (seed_pass));
+ hash_hex = digest_hex (GCRY_MD_MD5, hash);
+
+ hashes_out = g_strjoin (" ", hash_hex, seed_hex, NULL);
+
+ g_free (seed);
+ g_free (seed_hex);
+ g_free (seed_pass);
+ g_free (hash);
+ g_free (hash_hex);
+
+ return hashes_out;
+}
+
+/**
+ * @brief Authenticate a credential pair.
+ *
+ * @param username Username.
+ * @param password Password.
+ *
+ * @return 0 if authentic, -1 on error, else 1.
+ */
+int
+openvas_authenticate (const gchar * username, const gchar * password)
+{
+ int gcrypt_algorithm = GCRY_MD_MD5; // FIX whatever configer used
+ int ret;
+ gchar* actual;
+ gchar* expect;
+ GError* error = NULL;
+ gchar *seed_pass = NULL;
+ guchar *hash = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm));
+ gchar *hash_hex = NULL;
+ gchar **seed_hex;
+ gchar **split;
+
+ gchar *file_name = g_build_filename (OPENVAS_USERS_DIR,
+ username,
+ "auth",
+ "hash",
+ NULL);
+ g_file_get_contents (file_name, &actual, NULL, &error);
+ g_free (file_name);
+ if (error)
+ {
+ g_warning ("Failed to read auth contents: %s.", error->message);
+ g_error_free (error);
+ return -1;
+ }
+
+ split = g_strsplit_set (g_strchomp (actual), " ", 2);
+ seed_hex = split + 1;
+ if (*split == NULL || *seed_hex == NULL)
+ {
+ g_warning ("Failed to split auth contents.");
+ g_strfreev (split);
+ return -1;
+ }
+
+ seed_pass = g_strconcat (*seed_hex, password, NULL);
+ gcry_md_hash_buffer (GCRY_MD_MD5, hash, seed_pass, strlen (seed_pass));
+ hash_hex = digest_hex (GCRY_MD_MD5, hash);
+
+ expect = g_strjoin (" ", hash_hex, *seed_hex, NULL);
+
+ g_strfreev (split);
+ g_free (seed_pass);
+ g_free (hash);
+ g_free (hash_hex);
+
+ ret = strcmp (expect, actual) ? 1 : 0;
+ g_free (expect);
+ g_free (actual);
+ return ret;
+}
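Review bot: openvas_authenticate hands the caller-supplied `username` straight to g_build_filename with no validation, so a name containing `/` or equal to `..` resolves to a hash file outside OPENVAS_USERS_DIR; add before the g_build_filename call a guard such as `if (username == NULL || *username == '\0' || strchr (username, '/') || strcmp (username, ".") == 0 || strcmp (username, "..") == 0) return -1;`, and free `hash` (and `actual` on the split failure) on the early-return paths, which currently leak them. The `gcrypt_algorithm` parameter is checked and used to size the digest buffers in both get_password_hashes and openvas_authenticate, yet every gcry_md_hash_buffer and digest_hex call hard-codes GCRY_MD_MD5, so any other algorithm silently yields MD5 hashes in a buffer sized for something else — pass `gcrypt_algorithm` in those calls, or drop the parameter until it is honoured. `unsigned char *nonce_buffer[256];` declares 256 pointers rather than 256 bytes; gcry_create_nonce only fills the first 256 bytes of that larger object, so it works by accident and should read `unsigned char nonce_buffer[256];`. `strcmp (expect, actual)` is an early-exit comparison of the stored and computed hashes, and the scheme is a single MD5 of seed+password with no stretching; a constant-time comparison is cheap to add now, and the comment about openvas-adduser should state that MD5 is kept for hash-file compatibility rather than strength. The file header's `Description: SSH Key management.` is copied from another file and should describe password hashing and verification.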
Added: trunk/openvas-libraries/libopenvas/openvas_auth.h
===================================================================
--- trunk/openvas-libraries/libopenvas/openvas_auth.h 2009-05-19 13:51:55 UTC (rev 3429)
+++ trunk/openvas-libraries/libopenvas/openvas_auth.h 2009-05-19 17:45:49 UTC (rev 3430)
@@ -0,0 +1,42 @@
+/* OpenVAS-Client
+ * $Id$
+ * Description: SSH Key management.
+ *
+ * Authors:
+ * Matthew Mundell <matt at mundell.ukfsn.org>
+ * Michael Wiegand <michael.wiegand at greenbone.net>
+ *
+ * Copyright:
+ * Copyright (C) 2009 Greenbone Networks GmbH
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+ * USA.
+ */
+
+#ifndef _OPENVAS_AUTH_H
+#define _OPENVAS_AUTH_H
+
+#include <glib.h>
+
+gchar *
+get_password_hashes (int, const gchar *);
+
+gchar *
+digest_hex (int, const guchar *);
+
+int
+openvas_authenticate (const gchar *, const gchar *);
+
+#endif
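Review bot: The include guard `_OPENVAS_AUTH_H` is an identifier reserved for the implementation in C (leading underscore followed by an uppercase letter); `OPENVAS_AUTH_H` avoids the potential clash with system headers. The header's `Description: SSH Key management.` does not describe this file and should read e.g. `Description: User authentication: password hashing and credential verification.`. The three prototypes carry no parameter names or comments, so a caller cannot tell that the `int` is a libgcrypt digest algorithm or what openvas_authenticate's 0/1/-1 return means; declaring them as `gchar *get_password_hashes (int gcrypt_algorithm, const gchar *password);`, `gchar *digest_hex (int gcrypt_algorithm, const guchar *digest);` and `int openvas_authenticate (const gchar *username, const gchar *password);` with a one-line comment on each would make the interface self-describing.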