OpenVAS Libraries  9.0.3
openvas_auth.c File Reference
#include "openvas_auth.h"
#include "openvas_uuid.h"
#include "../base/openvas_file.h"
#include "../base/array.h"
#include <errno.h>
#include <gcrypt.h>
#include <glib/gstdio.h>


Macros

#define G_LOG_DOMAIN   "lib auth"
 GLib logging domain. More...
 

Functions

int openvas_auth_ldap_enabled ()
 Return whether the libraries have been compiled with LDAP support. More...
 
int openvas_auth_radius_enabled ()
 Return whether the libraries have been compiled with RADIUS support. More...
 
const gchar * auth_method_name (auth_method_t method)
 Return name of auth_method_t. More...
 
int openvas_auth_init ()
 Initializes Gcrypt. More...
 
void openvas_auth_tear_down (void)
 Free memory associated to authentication configuration. More...
 
gchar * digest_hex (int gcrypt_algorithm, const guchar *digest)
 Generate a hexadecimal representation of a message digest. More...
 
gchar * get_password_hashes (int digest_algorithm, const gchar *password)
 Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user. More...
 
int openvas_authenticate_classic (const gchar *username, const gchar *password, const gchar *hash_arg)
 Authenticate a credential pair against openvas user file contents. More...
 

Macro Definition Documentation

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "lib auth"

GLib logging domain.

Definition at line 46 of file openvas_auth.c.

Function Documentation

◆ auth_method_name()

const gchar* auth_method_name ( auth_method_t  method)

Return name of auth_method_t.

Keep in sync with authentication_methods and authentication_method.

Parameters
method — Auth method. Must be a value below AUTHENTICATION_METHOD_LAST; anything else yields the string "ERROR".
Returns
Name of auth method.

Definition at line 102 of file openvas_auth.c.

References AUTHENTICATION_METHOD_LAST.

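/**
 * @brief Return name of auth_method_t.
 *
 * Keep in sync with authentication_methods and authentication_method.
 *
 * @param[in] method  Auth method.
 *
 * @return Name of auth method, or "ERROR" when @p method is outside the
 *         table.
 */
const gchar *
auth_method_name (auth_method_t method)
{
  /* Compare as unsigned so that a negative value (possible if the enum is
   * signed and the caller passes garbage) is rejected by the same range
   * check instead of indexing before the start of the table. */
  if ((unsigned int) method >= (unsigned int) AUTHENTICATION_METHOD_LAST)
    return "ERROR";
  return authentication_methods[method];
}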

◆ digest_hex()

gchar* digest_hex ( int  gcrypt_algorithm,
const guchar *  digest 
)

Generate a hexadecimal representation of a message digest.

Parameters
gcrypt_algorithm — The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h).
digest — The binary representation of the digest. It must hold at least gcry_md_get_algo_dlen(gcrypt_algorithm) bytes, since that many bytes are read.
Returns
A pointer to the hexadecimal representation of the message digest or NULL if an unavailable message digest algorithm was selected.

Definition at line 184 of file openvas_auth.c.

References err.

Referenced by get_password_hashes(), and openvas_authenticate_classic().

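/**
 * @brief Generate a hexadecimal representation of a message digest.
 *
 * @param[in] gcrypt_algorithm  The libgcrypt message digest algorithm used to
 *                              create @p digest (e.g. GCRY_MD_MD5).
 * @param[in] digest            Binary digest.  Must hold at least
 *                              gcry_md_get_algo_dlen (gcrypt_algorithm) bytes.
 *
 * @return Newly allocated, NUL-terminated lowercase hex string (free with
 *         g_free), or NULL if the algorithm is unavailable or @p digest is
 *         NULL.
 */
gchar *
digest_hex (int gcrypt_algorithm, const guchar *digest)
{
  gcry_error_t err = gcry_md_test_algo (gcrypt_algorithm);
  if (err != 0)
    {
      g_warning ("Could not select gcrypt algorithm: %s", gcry_strerror (err));
      return NULL;
    }

  /* A NULL digest would otherwise be read below. */
  g_return_val_if_fail (digest != NULL, NULL);

  /* Query the digest length once instead of on every loop iteration. */
  unsigned int dlen = gcry_md_get_algo_dlen (gcrypt_algorithm);
  gchar *hex = g_malloc0 (dlen * 2 + 1);

  /* Each byte becomes two hex characters; the size argument of 3 lets
   * g_snprintf write the pair plus the terminating NUL, which the next
   * iteration (or g_malloc0) overwrites/keeps as needed. */
  for (unsigned int i = 0; i < dlen; i++)
    g_snprintf (hex + i * 2, 3, "%02x", digest[i]);

  return hex;
}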

◆ get_password_hashes()

gchar* get_password_hashes ( int  digest_algorithm,
const gchar *  password 
)

Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user.

The "auth/hash" file consists of two hashes, h_1 and h_2, written in hexadecimal and separated by a space. h_2 (the "seed") is the message digest of (currently) 256 bytes of random data. h_1 is the message digest of the hexadecimal form of h_2 concatenated with the password in plaintext. Note that this is a single digest invocation rather than a password-based key derivation function: the strength of the stored value rests entirely on the digest algorithm the caller selects, and a fast digest such as MD5 offers little resistance to offline guessing if the file is disclosed.

The current implementation was taken from the openvas-adduser shell script provided with openvas-server.

Parameters
digest_algorithm — The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h).
password — The password in plaintext. Must not be NULL (asserted).
Returns
A pointer to a gchar containing the two hashes separated by a space or NULL if an unavailable message digest algorithm was selected.

Definition at line 225 of file openvas_auth.c.

References digest_hex(), and err.

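/**
 * @brief Generate a pair of hashes to be used in the OpenVAS "auth/hash"
 *        file for the user.
 *
 * The result is "<h_1> <h_2>" in lowercase hex.  h_2 (the "seed") is the
 * digest of 256 bytes obtained from gcry_create_nonce (); h_1 is the digest
 * of hex (h_2) concatenated with the plaintext password.  This is a single
 * digest invocation, not a password KDF, so the strength of the stored value
 * depends entirely on @p digest_algorithm.
 *
 * @param[in] digest_algorithm  The libgcrypt message digest algorithm
 *                              (e.g. GCRY_MD_MD5).
 * @param[in] password          The password in plaintext.  Must not be NULL.
 *
 * @return Newly allocated string with the two hashes separated by a space
 *         (free with g_free), or NULL if the algorithm is unavailable.
 */
gchar *
get_password_hashes (int digest_algorithm, const gchar *password)
{
  gcry_error_t err = gcry_md_test_algo (digest_algorithm);
  if (err != 0)
    {
      g_warning ("Could not select gcrypt algorithm: %s", gcry_strerror (err));
      return NULL;
    }

  g_assert (password);

  unsigned int dlen = gcry_md_get_algo_dlen (digest_algorithm);

  /* Random input for the seed.  This used to be declared as
   * "unsigned char *nonce_buffer[256]" -- an array of 256 pointers -- which
   * only worked because that object happens to be larger than the 256 bytes
   * written into it.  It is a byte buffer. */
  unsigned char nonce_buffer[256];
  guchar *seed = g_malloc0 (dlen);
  guchar *hash = g_malloc0 (dlen);
  gchar *seed_hex, *seed_pass, *hash_hex, *hashes_out;

  gcry_create_nonce (nonce_buffer, sizeof nonce_buffer);
  gcry_md_hash_buffer (digest_algorithm, seed, nonce_buffer,
                       sizeof nonce_buffer);
  seed_hex = digest_hex (digest_algorithm, seed);

  /* h_1 = digest (hex (h_2) || password). */
  seed_pass = g_strconcat (seed_hex, password, NULL);
  gcry_md_hash_buffer (digest_algorithm, hash, seed_pass, strlen (seed_pass));
  hash_hex = digest_hex (digest_algorithm, hash);

  hashes_out = g_strjoin (" ", hash_hex, seed_hex, NULL);

  /* seed_pass holds the plaintext password: scrub it before handing the
   * memory back to the allocator.  Writing through a volatile pointer keeps
   * the compiler from dropping the wipe as a dead store. */
  {
    volatile gchar *p = seed_pass;
    size_t n = strlen (seed_pass);
    while (n-- > 0)
      *p++ = '\0';
  }

  g_free (seed);
  g_free (seed_hex);
  g_free (seed_pass);
  g_free (hash);
  g_free (hash_hex);

  return hashes_out;
}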

◆ openvas_auth_init()

int openvas_auth_init ( )

Initializes Gcrypt.

Returns
0 success, -1 error.

Definition at line 115 of file openvas_auth.c.

/**
 * @brief Initializes Gcrypt.
 *
 * Calling this a second time logs a warning and returns -1 without touching
 * libgcrypt again.  The gcry_control () calls below follow libgcrypt's
 * documented initialisation sequence and are order-sensitive; do not
 * reorder them.
 *
 * @return 0 success, -1 error.
 */
int
openvas_auth_init ()
{
  /* NOTE(review): "initialized" is a file-scope flag defined outside this
   * listing; nothing here serialises concurrent first callers. */
  if (initialized == TRUE)
    {
      g_warning ("openvas_auth_init called a second time.");
      return -1;
    }

  /* Init Libgcrypt. */

  /* Version check should be the very first call because it makes sure that
   * important subsystems are initialized.
   * We pass NULL to gcry_check_version to disable the internal version mismatch
   * test.
   * NOTE(review): with NULL an older-than-expected libgcrypt is not detected
   * here; libgcrypt's manual suggests passing the version the program was
   * built against (GCRYPT_VERSION) -- confirm whether that is acceptable for
   * the supported platforms before changing it. */
  if (!gcry_check_version (NULL))
    {
      g_critical ("%s: libgcrypt version check failed\n", __FUNCTION__);
      return -1;
    }

  /* We don't want to see any warnings, e.g. because we have not yet parsed
   * program options which might be used to suppress such warnings. */
  gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);

  /* ... If required, other initialization goes here. Note that the process
   * might still be running with increased privileges and that the secure
   * memory has not been initialized. */

  /* Allocate a pool of 16k secure memory. This make the secure memory
   * available and also drops privileges where needed. */
  gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);

  /* It is now okay to let Libgcrypt complain when there was/is a problem with
   * the secure memory. */
  gcry_control (GCRYCTL_RESUME_SECMEM_WARN);

  /* ... If required, other initialization goes here. */

  /* Tell Libgcrypt that initialization has completed. */
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);

  initialized = TRUE;

  return 0;
}

◆ openvas_auth_ldap_enabled()

int openvas_auth_ldap_enabled ( )

Return whether the libraries have been compiled with LDAP support.

Returns
1 if enabled, else 0.

Definition at line 67 of file openvas_auth.c.

/**
 * @brief Return whether the libraries have been compiled with LDAP support.
 *
 * Decided at build time by the ENABLE_LDAP_AUTH macro.
 *
 * @return 1 if enabled, else 0.
 */
int
openvas_auth_ldap_enabled ()
{
  int enabled = 0;
#ifdef ENABLE_LDAP_AUTH
  enabled = 1;
#endif /* ENABLE_LDAP_AUTH */
  return enabled;
}

◆ openvas_auth_radius_enabled()

int openvas_auth_radius_enabled ( )

Return whether the libraries have been compiled with RADIUS support.

Returns
1 if enabled, else 0.

Definition at line 82 of file openvas_auth.c.

/**
 * @brief Return whether the libraries have been compiled with RADIUS support.
 *
 * Decided at build time by the ENABLE_RADIUS_AUTH macro.
 *
 * @return 1 if enabled, else 0.
 */
int
openvas_auth_radius_enabled ()
{
  int enabled = 0;
#ifdef ENABLE_RADIUS_AUTH
  enabled = 1;
#endif /* ENABLE_RADIUS_AUTH */
  return enabled;
}

◆ openvas_auth_tear_down()

void openvas_auth_tear_down ( void  )

Free memory associated to authentication configuration.

This will have no effect if openvas_auth_init was not called.

Todo:
Close memleak, destroy list and content.

Definition at line 167 of file openvas_auth.c.

/**
 * @brief Free memory associated to authentication configuration.
 *
 * This will have no effect if openvas_auth_init was not called.
 *
 * @todo Close memleak, destroy list and content.  As shown here the body is
 *       empty (original line 169 is not rendered on this page), so nothing is
 *       released and the "initialized" flag is not reset -- after a tear-down
 *       openvas_auth_init () still refuses to run a second time.
 */
void
openvas_auth_tear_down (void)
{
}

◆ openvas_authenticate_classic()

int openvas_authenticate_classic ( const gchar *  username,
const gchar *  password,
const gchar *  hash_arg 
)

Authenticate a credential pair against openvas user file contents.

Parameters
username — Username. Currently unused by this function; only the password and hash contents take part in the check.
password — Password in plaintext.
hash_arg — Contents of the user's hash file: the password hash and the seed as hex digests separated by a single space, in the form produced by get_password_hashes().
Returns
0 authentication success, 1 authentication failure, -1 error.

Definition at line 272 of file openvas_auth.c.

References digest_hex().

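/**
 * @brief Compare two NUL-terminated strings in time independent of where
 *        they first differ.
 *
 * Used in place of strcmp () when checking a supplied credential hash
 * against the expected one, so the comparison time does not leak how many
 * leading characters matched.  A length mismatch is reported immediately;
 * for hex digests of one fixed algorithm both inputs have the same length.
 *
 * @param[in] a  First string.
 * @param[in] b  Second string.
 *
 * @return 1 if equal, 0 otherwise.
 */
static int
ct_string_equal (const gchar *a, const gchar *b)
{
  size_t len = strlen (a);
  if (len != strlen (b))
    return 0;

  unsigned char diff = 0;
  for (size_t i = 0; i < len; i++)
    diff |= (unsigned char) a[i] ^ (unsigned char) b[i];
  return diff == 0;
}

/**
 * @brief Authenticate a credential pair against openvas user file contents.
 *
 * @p hash_arg is expected in the form "<hash_hex> <seed_hex>" written by
 * get_password_hashes ().  The digest of seed_hex || password is recomputed
 * and the rebuilt "<hash_hex> <seed_hex>" string compared with the stored
 * one.
 *
 * @param[in] username  Username (currently unused).
 * @param[in] password  Password in plaintext.
 * @param[in] hash_arg  Contents of the user's hash file.
 *
 * @return 0 authentication success, 1 authentication failure, -1 error.
 */
int
openvas_authenticate_classic (const gchar *username, const gchar *password,
                              const gchar *hash_arg)
{
  /* FIX whatever configer used: the digest is hard-wired to MD5 and must
   * match whatever get_password_hashes () was called with when the file was
   * written.  All gcrypt calls below use this one variable so that changing
   * the algorithm is a one-line edit. */
  const int gcrypt_algorithm = GCRY_MD_MD5;
  int ret;
  gchar *actual, *expect, *seed_pass;
  guchar *hash;
  gchar *hash_hex, **seed_hex, **split;

  (void) username;

  /* No stored hash, or no password, can never authenticate.  Previously a
   * NULL password was silently treated as "" because g_strconcat stops at
   * the first NULL argument. */
  if (hash_arg == NULL || password == NULL)
    return 1;
  actual = g_strdup (hash_arg);

  /* Stored format: "<hash_hex> <seed_hex>" (trailing whitespace ignored). */
  split = g_strsplit_set (g_strchomp (actual), " ", 2);
  seed_hex = split + 1;
  if (*split == NULL || *seed_hex == NULL)
    {
      g_warning ("Failed to split auth contents.");
      g_strfreev (split);
      g_free (actual);
      return -1;
    }

  seed_pass = g_strconcat (*seed_hex, password, NULL);
  hash = g_malloc0 (gcry_md_get_algo_dlen (gcrypt_algorithm));
  gcry_md_hash_buffer (gcrypt_algorithm, hash, seed_pass, strlen (seed_pass));
  hash_hex = digest_hex (gcrypt_algorithm, hash);

  /* seed_pass holds the plaintext password: scrub it before freeing.  The
   * volatile stores keep the wipe from being optimised away. */
  {
    volatile gchar *p = seed_pass;
    size_t n = strlen (seed_pass);
    while (n-- > 0)
      *p++ = '\0';
  }
  g_free (seed_pass);
  g_free (hash);

  /* digest_hex () only fails if the algorithm is unavailable; report that as
   * an error rather than comparing against an empty string. */
  if (hash_hex == NULL)
    {
      g_strfreev (split);
      g_free (actual);
      return -1;
    }

  expect = g_strjoin (" ", hash_hex, *seed_hex, NULL);

  g_strfreev (split);
  g_free (hash_hex);

  /* Constant-time comparison: strcmp () would stop at the first mismatch
   * and reveal, through timing, how much of the hash prefix was correct. */
  ret = ct_string_equal (expect, actual) ? 0 : 1;
  g_free (expect);
  g_free (actual);
  return ret;
}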