Greenbone Vulnerability Management Libraries 22.32.0
passwordbasedauthentication.h File Reference

Data Structures

struct  PBASettings

Macros

#define MAX_PEPPER_SIZE   4
#define COUNT_DEFAULT   20000
#define PREFIX_DEFAULT   "$6$"

Enumerations

enum  pba_rc { VALID , UPDATE_RECOMMENDED , INVALID , ERR }

Functions

struct PBASettings * pba_init (const char *pepper, unsigned int pepper_size, unsigned int count, char *prefix)
 Init PBA.
char * pba_hash (struct PBASettings *setting, const char *password)
 Create a password hash.
enum pba_rc pba_verify_hash (const struct PBASettings *settings, const char *hash, const char *password)
 Verify a password hash.
void pba_finalize (struct PBASettings *settings)
 Cleanup PBA settings.

Macro Definition Documentation

◆ COUNT_DEFAULT

#define COUNT_DEFAULT   20000

Definition at line 12 of file passwordbasedauthentication.h.

Referenced by pba_init().

◆ MAX_PEPPER_SIZE

#define MAX_PEPPER_SIZE   4

Definition at line 10 of file passwordbasedauthentication.h.

Referenced by Ensure(), Ensure(), pba_hash(), pba_init(), and pba_verify_hash().

◆ PREFIX_DEFAULT

#define PREFIX_DEFAULT   "$6$"

Definition at line 14 of file passwordbasedauthentication.h.

Referenced by crypt_gensalt_r(), is_prefix_supported(), and pba_init().

Enumeration Type Documentation

◆ pba_rc

enum pba_rc
Enumerator
VALID 
UPDATE_RECOMMENDED 
INVALID 
ERR 

Definition at line 45 of file passwordbasedauthentication.h.

{
  VALID,              /* hash and password are correct */
  UPDATE_RECOMMENDED, /* password is correct, but the hash was verified via
                         the legacy authutils path; re-hash with pba_hash */
  INVALID,            /* password is incorrect */
  ERR,                /* unexpected error: NULL settings, unsupported prefix,
                         or the legacy authutils path failing */
};

Function Documentation

◆ pba_finalize()

void pba_finalize ( struct PBASettings * settings)

Cleanup PBA settings.

Parameters
[in] settings  PBA settings.

Definition at line 189 of file passwordbasedauthentication.c.

{
  /* Only the settings object itself is released: pba_init stores the
   * caller's prefix pointer (or the PREFIX_DEFAULT literal) rather than a
   * copy, so prefix is not owned here, and pepper is an inline array.
   * free(NULL) is a no-op, so a NULL settings is accepted.
   * NOTE(review): the pepper bytes are not scrubbed before free. */
  free (settings);
}

Referenced by Ensure(), Ensure(), and Ensure().


◆ pba_hash()

char * pba_hash ( struct PBASettings * setting,
const char * password )

Create a password hash.

pba_hash tries to create a hash based on SETTING and PASSWORD. Returns a hash on success or a NULL pointer on failure.

Parameters
[in] setting  PBA settings.
[in] password  Password.
Returns
Hash. Must be freed with free().

Definition at line 220 of file passwordbasedauthentication.c.

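char *
pba_hash (struct PBASettings *setting, const char *password)
{
  char *result = NULL, *settings = NULL, *tmp, *rslt;
  int i;
  size_t settings_len, k;
  struct crypt_data *data = NULL;

  if (!setting || !password)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  settings = malloc (CRYPT_GENSALT_OUTPUT_SIZE);
  if (settings == NULL)
    goto exit;
  /* rbytes == NULL: let crypt_gensalt_r draw the random salt itself. */
  if (crypt_gensalt_r (setting->prefix, setting->count, NULL, 0, settings,
                       CRYPT_GENSALT_OUTPUT_SIZE)
      == NULL)
    goto exit;
  /* The pepper replaces the last MAX_PEPPER_SIZE characters of the
   * generated setting string in place (a 0 pepper byte leaves the salt
   * character untouched); refuse a setting too short to host it rather
   * than walking tmp off the front of the buffer. */
  settings_len = strlen (settings);
  if (settings_len <= MAX_PEPPER_SIZE)
    goto exit;
  tmp = settings + settings_len - 1;
  for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
    {
      if (setting->pepper[i] != 0)
        tmp[0] = setting->pepper[i];
      tmp--;
    }

  data = calloc (1, sizeof *data);
  if (data == NULL)
    goto exit;
  rslt = crypt_r (password, settings, data);
  /* glibc's crypt_r returns NULL on failure; libxcrypt may instead return
   * a failure token starting with '*'.  Neither must be handed out as a
   * hash. */
  if (rslt == NULL || rslt[0] == '*')
    goto exit;
  result = calloc (1, CRYPT_OUTPUT_SIZE);
  if (result == NULL)
    goto exit;
  memcpy (result, rslt, CRYPT_OUTPUT_SIZE);
  /* Remove the pepper again: tmp now sits MAX_PEPPER_SIZE + 1 before the
   * end of the setting, and crypt output begins with the setting string it
   * was given, so the same offset locates the peppered characters in
   * result.  They are blanked with '0'; pba_verify_hash puts the pepper
   * back before comparing. */
  tmp = result + (tmp - settings);
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    {
      tmp++;
      if (setting->pepper[i] != 0)
        tmp[0] = '0';
    }
exit:
  /* data and settings carry the pepper and password-derived state; scrub
   * them through a volatile pointer (a plain memset right before free may
   * be optimized away) before releasing the memory. */
  if (data != NULL)
    {
      volatile unsigned char *vd = (volatile unsigned char *) data;
      for (k = 0; k < sizeof *data; k++)
        vd[k] = 0;
      free (data);
    }
  if (settings != NULL)
    {
      volatile unsigned char *vs = (volatile unsigned char *) settings;
      for (k = 0; k < CRYPT_GENSALT_OUTPUT_SIZE; k++)
        vs[k] = 0;
      free (settings);
    }
  return result;
}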

References PBASettings::count, CRYPT_GENSALT_OUTPUT_SIZE, crypt_gensalt_r(), CRYPT_OUTPUT_SIZE, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, and PBASettings::prefix.

Referenced by Ensure(), Ensure(), Ensure(), and Ensure().


◆ pba_init()

struct PBASettings * pba_init ( const char * pepper,
unsigned int pepper_size,
unsigned int count,
char * prefix )

Init PBA.

Initializes PBASettings with the given PEPPER, PREFIX and COUNT.

PEPPER_SIZE must be less than or equal to MAX_PEPPER_SIZE when PEPPER is set; when PEPPER is a NULL pointer, no pepper is used and PEPPER_SIZE is ignored.

COUNT is set to COUNT_DEFAULT when it is 0; PREFIX is set to PREFIX_DEFAULT when PREFIX is a NULL pointer.

Returns a pointer to PBASettings on success or NULL on failure.

Parameters
[in] pepper  A static, hidden addition to the randomly generated salt.
[in] pepper_size  The size of pepper; it must not be larger than MAX_PEPPER_SIZE.
[in] count  Number of rounds used to calculate the hash; 0 to use COUNT_DEFAULT.
[in] prefix  The algorithm used; if NULL, then the most secure available algorithm will be used.
Returns
Settings, or NULL on error. Free with pba_finalize.

Definition at line 165 of file passwordbasedauthentication.c.

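struct PBASettings *
pba_init (const char *pepper, unsigned int pepper_size, unsigned int count,
          char *prefix)
{
  unsigned int i = 0;
  struct PBASettings *result = NULL;

  /* A pepper longer than the fixed-size field cannot be stored. */
  if (pepper_size > MAX_PEPPER_SIZE)
    goto exit;
  /* Reject unknown algorithm identifiers up front; NULL selects the default. */
  if (prefix != NULL && !is_prefix_supported (prefix))
    goto exit;
  result = malloc (sizeof *result);
  if (result == NULL)
    goto exit;
  /* Unused pepper slots stay 0; pba_hash and pba_verify_hash treat a 0
   * byte as "no pepper character at this position". */
  for (i = 0; i < MAX_PEPPER_SIZE; i++)
    result->pepper[i] = (pepper != NULL && i < pepper_size) ? pepper[i] : 0;
  result->count = count == 0 ? COUNT_DEFAULT : count;
  /* The caller's prefix pointer is stored, not copied: it must outlive the
   * settings, and pba_finalize does not free it. */
  result->prefix = prefix == NULL ? PREFIX_DEFAULT : prefix;
exit:
  return result;
}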

References PBASettings::count, COUNT_DEFAULT, is_prefix_supported(), MAX_PEPPER_SIZE, PBASettings::pepper, PBASettings::prefix, and PREFIX_DEFAULT.

Referenced by Ensure(), Ensure(), and Ensure().


◆ pba_verify_hash()

enum pba_rc pba_verify_hash ( const struct PBASettings * setting,
const char * hash,
const char * password )

Verify a password hash.

pba_verify_hash tries to create a hash based on PASSWORD and the settings found in HASH, and compares the result with HASH.

Returns VALID if HASH and PASSWORD are correct; UPDATE_RECOMMENDED when HASH and PASSWORD are correct but based on a deprecated algorithm; INVALID if HASH does not match PASSWORD; ERR if an unexpected error occurs.

Parameters
[in] setting  PBA settings.
[in] hash  Hash.
[in] password  Password.
Returns
Validity: VALID, UPDATE_RECOMMENDED, INVALID or ERR.

Definition at line 276 of file passwordbasedauthentication.c.

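enum pba_rc
pba_verify_hash (const struct PBASettings *setting, const char *hash,
                 const char *password)
{
  char *cmp, *tmp = NULL;
  struct crypt_data *data = NULL;
  int i = 0;
  size_t k;
  enum pba_rc result = ERR;

  /* INVALID_HASH stands in for a missing HASH so the PHC path below still
   * runs a full crypt_r round (presumably to keep timing uniform when no
   * stored hash exists -- confirm with callers). */
  char *invalid_hash = calloc (1, CRYPT_OUTPUT_SIZE);
  if (invalid_hash == NULL)
    goto exit;
  /* Bounded copy; calloc already zero-filled the buffer. */
  snprintf (invalid_hash, CRYPT_OUTPUT_SIZE, "%s", INVALID_HASH);

  if (!setting)
    goto exit;
  if (!is_prefix_supported (setting->prefix))
    goto exit;
  if (pba_is_phc_compliant (hash) != 0)
    {
      const char *src = hash ? hash : invalid_hash;
      size_t hash_size = strlen (src);
      size_t tmp_len;
      unsigned char diff = 0;

      data = calloc (1, sizeof *data);
      tmp = calloc (1, CRYPT_OUTPUT_SIZE);
      if (data == NULL || tmp == NULL)
        goto exit;
      /* At most CRYPT_OUTPUT_SIZE - 1 bytes are copied, so tmp keeps the
       * terminating NUL that calloc left behind. */
      memcpy (tmp, src,
              hash_size < CRYPT_OUTPUT_SIZE ? hash_size : CRYPT_OUTPUT_SIZE - 1);
      /* Re-apply the pepper to the MAX_PEPPER_SIZE characters preceding the
       * last '$' (pba_hash blanked them with '0').  A hash without a '$',
       * or with fewer than MAX_PEPPER_SIZE characters before it, cannot
       * have come from pba_hash; bail out instead of stepping cmp in front
       * of tmp. */
      cmp = strrchr (tmp, '$');
      if (cmp == NULL || (size_t) (cmp - tmp) < MAX_PEPPER_SIZE)
        goto exit;
      for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
        {
          cmp--;
          if (setting->pepper[i] != 0)
            cmp[0] = setting->pepper[i];
        }
      // some crypt_r implementations cannot handle if password is a
      // NULL pointer and run into SEGMENTATION faults.
      // Therefore we set it to ""
      cmp = crypt_r (password ? password : "", tmp, data);
      /* NULL (glibc) or a '*'-prefixed failure token (libxcrypt) means no
       * hash was computed; that is an error, not an INVALID password. */
      if (cmp == NULL || cmp[0] == '*')
        goto exit;
      /* Compare without early exit: strcmp stops at the first differing
       * byte, which leaks how much of the stored hash a guess reproduced.
       * Lengths are compared first; equal-length strings are XOR-folded
       * over their whole length. */
      tmp_len = strlen (tmp);
      if (strlen (cmp) != tmp_len)
        diff = 1;
      else
        for (k = 0; k < tmp_len; k++)
          diff |= (unsigned char) (tmp[k] ^ cmp[k]);
      result = diff == 0 ? VALID : INVALID;
    }
  else
    {
      // assume authutils hash handling
      // initialize gvm_auth utils if not already initialized
      if (initialized == FALSE && gvm_auth_init () != 0)
        {
          goto exit;
        }
      /* gvm_authenticate_classic: 0 = match in the legacy format (re-hash
       * recommended), 1 = mismatch, anything else leaves ERR. */
      i = gvm_authenticate_classic (NULL, password, hash);
      if (i == 0)
        result = UPDATE_RECOMMENDED;
      else if (i == 1)
        result = INVALID;
    }
exit:
  free (invalid_hash);
  /* data and tmp carry the pepper and password-derived state; scrub them
   * through a volatile pointer (a plain memset right before free may be
   * optimized away) before releasing the memory. */
  if (data != NULL)
    {
      volatile unsigned char *vd = (volatile unsigned char *) data;
      for (k = 0; k < sizeof *data; k++)
        vd[k] = 0;
      free (data);
    }
  if (tmp != NULL)
    {
      volatile unsigned char *vt = (volatile unsigned char *) tmp;
      for (k = 0; k < CRYPT_OUTPUT_SIZE; k++)
        vt[k] = 0;
      free (tmp);
    }
  return result;
}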

References CRYPT_OUTPUT_SIZE, ERR, gvm_auth_init(), gvm_authenticate_classic(), initialized, INVALID, INVALID_HASH, is_prefix_supported(), MAX_PEPPER_SIZE, pba_is_phc_compliant(), PBASettings::pepper, PBASettings::prefix, UPDATE_RECOMMENDED, and VALID.

Referenced by Ensure(), Ensure(), and Ensure().
