mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19581 Commits
30 Branches
Tree: f7c44dea2e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f7c44dea2e'
${ noResults }
rspamd/src/rspamadm/pw.c

pw.c 9.3KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398 
  1. /*-

  2.  * Copyright 2016 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. #include "config.h"

  17. #include "util.h"

  18. #include "ottery.h"

  19. #include "cryptobox.h"

  20. #include "rspamd.h"

  21. #include "rspamadm.h"

  22. #include "unix-std.h"

  23. 

  24. static void rspamadm_pw (gint argc, gchar **argv,

  25. 						 const struct rspamadm_command *cmd);

  26. static const char *rspamadm_pw_help (gboolean full_help,

  27. 									 const struct rspamadm_command *cmd);

  28. static void rspamadm_pw_lua_subrs (gpointer pL);

  29. 

  30. static gboolean do_encrypt = FALSE;

  31. static gboolean do_check = FALSE;

  32. static gboolean quiet = FALSE;

  33. static gboolean list = FALSE;

  34. static gchar *type = "catena";

  35. static gchar *password = NULL;

  36. 

  37. struct rspamadm_command pw_command = {

  38. 	.name = "pw",

  39. 	.flags = 0,

  40. 	.help = rspamadm_pw_help,

  41. 	.run = rspamadm_pw,

  42. 	.lua_subrs = rspamadm_pw_lua_subrs,

  43. };

  44. 

  45. static GOptionEntry entries[] = {

  46. 		{"encrypt", 'e', 0, G_OPTION_ARG_NONE, &do_encrypt,

  47. 				"Encrypt password", NULL},

  48. 		{"check", 'c', 0, G_OPTION_ARG_NONE, &do_check,

  49. 				"Check password", NULL},

  50. 		{"quiet", 'q', 0, G_OPTION_ARG_NONE, &quiet,

  51. 				"Suppress output", NULL},

  52. 		{"password", 'p', 0, G_OPTION_ARG_STRING, &password,

  53. 				"Input password", NULL},

  54. 		{"type", 't', 0, G_OPTION_ARG_STRING, &type,

  55. 				"PBKDF type", NULL},

  56. 		{"list", 'l', 0, G_OPTION_ARG_NONE, &list,

  57. 				"List available algorithms", NULL},

  58. 		{NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL}

  59. };

  60. 

  61. static const char *

  62. rspamadm_pw_help (gboolean full_help, const struct rspamadm_command *cmd)

  63. {

  64. 	const char *help_str;

  65. 

  66. 	if (full_help) {

  67. 		help_str = "Manipulate with passwords in rspamd\n\n"

  68. 				"Usage: rspamadm pw [command]\n"

  69. 				"Where commands are:\n\n"

  70. 				"--encrypt: encrypt password (this is a default command)\n"

  71. 				"--check: check encrypted password using encrypted password\n"

  72. 				"--list: list available pbkdf algorithms\n"

  73. 				"--type: select the specified pbkdf type\n"

  74. 				"--help: shows available options and commands";

  75. 	}

  76. 	else {

  77. 		help_str = "Manage rspamd passwords";

  78. 	}

  79. 

  80. 	return help_str;

  81. }

  82. 

  83. static const struct rspamd_controller_pbkdf *

  84. rspamadm_get_pbkdf (void)

  85. {

  86. 	const struct rspamd_controller_pbkdf *pbkdf;

  87. 	guint i;

  88. 

  89. 	for (i = 0; i < RSPAMD_PBKDF_ID_MAX - 1; i ++) {

  90. 		pbkdf = &pbkdf_list[i];

  91. 

  92. 		if (strcmp (type, pbkdf->alias) == 0) {

  93. 			return pbkdf;

  94. 		}

  95. 	}

  96. 

  97. 	rspamd_fprintf (stderr, "Unknown PKDF type: %s\n", type);

  98. 	exit (EXIT_FAILURE);

  99. 

  100. 	return NULL;

  101. }

  102. 

  103. static char *

  104. rspamadm_pw_encrypt (char *password)

  105. {

  106. 	const struct rspamd_controller_pbkdf *pbkdf;

  107. 	guchar *salt, *key;

  108. 	gchar *encoded_salt, *encoded_key;

  109. 	GString *result;

  110. 	gsize plen;

  111. 

  112. 	pbkdf = rspamadm_get_pbkdf ();

  113. 	g_assert (pbkdf != NULL);

  114. 

  115. 	if (password == NULL) {

  116. 		plen = 8192;

  117. 		password = g_malloc0 (plen);

  118. 		plen = rspamd_read_passphrase (password, plen, 0, NULL);

  119. 	}

  120. 	else {

  121. 		plen = strlen (password);

  122. 	}

  123. 

  124. 	if (plen == 0) {

  125. 		fprintf (stderr, "Invalid password\n");

  126. 		exit (EXIT_FAILURE);

  127. 	}

  128. 

  129. 	salt = g_alloca (pbkdf->salt_len);

  130. 	key = g_alloca (pbkdf->key_len);

  131. 	ottery_rand_bytes (salt, pbkdf->salt_len);

  132. 	/* Derive key */

  133. 	rspamd_cryptobox_pbkdf (password, strlen (password),

  134. 			salt, pbkdf->salt_len, key, pbkdf->key_len, pbkdf->complexity,

  135. 			pbkdf->type);

  136. 

  137. 	encoded_salt = rspamd_encode_base32 (salt, pbkdf->salt_len, RSPAMD_BASE32_DEFAULT);

  138. 	encoded_key = rspamd_encode_base32 (key, pbkdf->key_len, RSPAMD_BASE32_DEFAULT);

  139. 

  140. 	result = g_string_new ("");

  141. 	rspamd_printf_gstring (result, "$%d$%s$%s", pbkdf->id, encoded_salt,

  142. 			encoded_key);

  143. 

  144. 	g_free (encoded_salt);

  145. 	g_free (encoded_key);

  146. 	rspamd_explicit_memzero (password, plen);

  147. 	g_free (password);

  148. 	password = result->str;

  149. 	g_string_free (result, FALSE); /* Not freeing memory */

  150. 

  151. 	return password;

  152. }

  153. 

  154. static const gchar *

  155. rspamd_encrypted_password_get_str (const gchar *password, gsize skip,

  156. 		gsize *length)

  157. {

  158. 	const gchar *str, *start, *end;

  159. 	gsize size;

  160. 

  161. 	start = password + skip;

  162. 	end = start;

  163. 	size = 0;

  164. 

  165. 	while (*end != '\0' && g_ascii_isalnum (*end)) {

  166. 		size++;

  167. 		end++;

  168. 	}

  169. 

  170. 	if (size) {

  171. 		str = start;

  172. 		*length = size;

  173. 	}

  174. 	else {

  175. 		str = NULL;

  176. 	}

  177. 

  178. 	return str;

  179. }

  180. 

  181. static void

  182. rspamadm_pw_check (void)

  183. {

  184. 	const struct rspamd_controller_pbkdf *pbkdf = NULL;

  185. 	GIOChannel *in;

  186. 	GString *encrypted_pwd;

  187. 	const gchar *salt, *hash;

  188. 	const gchar *start, *end;

  189. 	guchar *salt_decoded, *key_decoded, *local_key;

  190. 	gsize salt_len, key_len, size;

  191. 	gchar test_password[8192];

  192. 	gsize plen, term = 0, i;

  193. 	gint id;

  194. 	gboolean ret = FALSE;

  195. 

  196. 	if (password == NULL) {

  197. 		encrypted_pwd = g_string_new ("");

  198. 		in = g_io_channel_unix_new (STDIN_FILENO);

  199. 		rspamd_printf ("Enter encrypted password: ");

  200. 		fflush (stdout);

  201. 		g_io_channel_read_line_string (in, encrypted_pwd, &term, NULL);

  202. 

  203. 		if (term != 0) {

  204. 			g_string_erase (encrypted_pwd, term, encrypted_pwd->len - term);

  205. 		}

  206. 		g_io_channel_unref (in);

  207. 	}

  208. 	else {

  209. 		encrypted_pwd = g_string_new (password);

  210. 	}

  211. 

  212. 	if (encrypted_pwd->str[0] == '$') {

  213. 		/* Parse id */

  214. 		start = encrypted_pwd->str + 1;

  215. 		end = start;

  216. 		size = 0;

  217. 

  218. 		while (*end != '\0' && g_ascii_isdigit (*end)) {

  219. 			size++;

  220. 			end++;

  221. 		}

  222. 

  223. 		if (size > 0) {

  224. 			gchar *endptr;

  225. 			id = strtoul (start, &endptr, 10);

  226. 

  227. 			if ((endptr == NULL || *endptr == *end)) {

  228. 				for (i = 0; i < RSPAMD_PBKDF_ID_MAX - 1; i ++) {

  229. 					pbkdf = &pbkdf_list[i];

  230. 

  231. 					if (pbkdf->id == id) {

  232. 						ret = TRUE;

  233. 						break;

  234. 					}

  235. 				}

  236. 			}

  237. 		}

  238. 	}

  239. 

  240. 	if (!ret) {

  241. 		rspamd_fprintf (stderr, "Invalid password format\n");

  242. 		exit (EXIT_FAILURE);

  243. 	}

  244. 

  245. 	if (encrypted_pwd->len < pbkdf->salt_len + pbkdf->key_len + 3) {

  246. 		msg_err ("incorrect salt: password length: %z, must be at least %z characters",

  247. 				encrypted_pwd->len, pbkdf->salt_len);

  248. 		exit (EXIT_FAILURE);

  249. 	}

  250. 

  251. 	/* get salt */

  252. 	salt = rspamd_encrypted_password_get_str (encrypted_pwd->str, 3, &salt_len);

  253. 	/* get hash */

  254. 	hash = rspamd_encrypted_password_get_str (encrypted_pwd->str,

  255. 			3 + salt_len + 1,

  256. 			&key_len);

  257. 	if (salt != NULL && hash != NULL) {

  258. 

  259. 		/* decode salt */

  260. 		salt_decoded = rspamd_decode_base32 (salt, salt_len, &salt_len, RSPAMD_BASE32_DEFAULT);

  261. 

  262. 		if (salt_decoded == NULL || salt_len != pbkdf->salt_len) {

  263. 			/* We have some unknown salt here */

  264. 			msg_err ("incorrect salt: %z, while %z expected",

  265. 					salt_len, pbkdf->salt_len);

  266. 			exit (EXIT_FAILURE);

  267. 		}

  268. 

  269. 		key_decoded = rspamd_decode_base32 (hash, key_len, &key_len, RSPAMD_BASE32_DEFAULT);

  270. 

  271. 		if (key_decoded == NULL || key_len != pbkdf->key_len) {

  272. 			/* We have some unknown salt here */

  273. 			msg_err ("incorrect key: %z, while %z expected",

  274. 					key_len, pbkdf->key_len);

  275. 			exit (EXIT_FAILURE);

  276. 		}

  277. 

  278. 		plen = rspamd_read_passphrase (test_password, sizeof (test_password),

  279. 				0, NULL);

  280. 		if (plen == 0) {

  281. 			fprintf (stderr, "Invalid password\n");

  282. 			exit (EXIT_FAILURE);

  283. 		}

  284. 

  285. 		local_key = g_alloca (pbkdf->key_len);

  286. 		rspamd_cryptobox_pbkdf (test_password, plen,

  287. 				salt_decoded, salt_len,

  288. 				local_key, pbkdf->key_len,

  289. 				pbkdf->complexity,

  290. 				pbkdf->type);

  291. 		rspamd_explicit_memzero (test_password, plen);

  292. 

  293. 		if (!rspamd_constant_memcmp (key_decoded, local_key, pbkdf->key_len)) {

  294. 			if (!quiet) {

  295. 				rspamd_printf ("password incorrect\n");

  296. 			}

  297. 			exit (EXIT_FAILURE);

  298. 		}

  299. 

  300. 		g_free (salt_decoded);

  301. 		g_free (key_decoded);

  302. 		g_string_free (encrypted_pwd, TRUE);

  303. 	}

  304. 	else {

  305. 		msg_err ("bad encrypted password format");

  306. 		exit (EXIT_FAILURE);

  307. 	}

  308. 

  309. 	if (!quiet) {

  310. 		rspamd_printf ("password correct\n");

  311. 	}

  312. }

  313. 

  314. static gint

  315. rspamadm_pw_lua_encrypt (lua_State *L)

  316. {

  317. 	const gchar *pw_in = NULL;

  318. 	gchar *ret, *tmp = NULL;

  319. 

  320. 	if (lua_type (L, 1) == LUA_TSTRING) {

  321. 		pw_in = lua_tostring (L, 1);

  322. 		tmp = g_strdup (pw_in);

  323. 	}

  324. 

  325. 	ret = rspamadm_pw_encrypt (tmp);

  326. 

  327. 	lua_pushstring (L, ret);

  328. 	g_free (ret);

  329. 

  330. 	return 1;

  331. }

  332. 

  333. 

  334. static void

  335. rspamadm_pw_lua_subrs (gpointer pL)

  336. {

  337. 	lua_State *L = pL;

  338. 

  339. 	lua_pushstring (L, "pw_encrypt");

  340. 	lua_pushcfunction (L, rspamadm_pw_lua_encrypt);

  341. 	lua_settable (L, -3);

  342. }

  343. 

  344. static void

  345. rspamadm_alg_list (void)

  346. {

  347. 	const struct rspamd_controller_pbkdf *pbkdf;

  348. 	guint i;

  349. 

  350. 	for (i = 0; i < RSPAMD_PBKDF_ID_MAX - 1; i ++) {

  351. 		pbkdf = &pbkdf_list[i];

  352. 

  353. 		rspamd_printf ("%s: %s - %s\n", pbkdf->alias, pbkdf->name,

  354. 				pbkdf->description);

  355. 	}

  356. }

  357. 

  358. static void

  359. rspamadm_pw (gint argc, gchar **argv, const struct rspamadm_command *cmd)

  360. {

  361. 	GOptionContext *context;

  362. 	GError *error = NULL;

  363. 

  364. 	context = g_option_context_new ("pw [--encrypt | --check] - manage rspamd passwords");

  365. 	g_option_context_set_summary (context,

  366. 			"Summary:\n  Rspamd administration utility version "

  367. 					RVERSION

  368. 					"\n  Release id: "

  369. 					RID);

  370. 	g_option_context_add_main_entries (context, entries, NULL);

  371. 

  372. 	if (!g_option_context_parse (context, &argc, &argv, &error)) {

  373. 		fprintf (stderr, "option parsing failed: %s\n", error->message);

  374. 		g_error_free (error);

  375. 		g_option_context_free (context);

  376. 		exit (EXIT_FAILURE);

  377. 	}

  378. 

  379. 	g_option_context_free (context);

  380. 

  381. 	if (list) {

  382. 		rspamadm_alg_list ();

  383. 		exit (EXIT_SUCCESS);

  384. 	}

  385. 

  386. 	if (!do_encrypt && !do_check) {

  387. 		do_encrypt = TRUE;

  388. 	}

  389. 

  390. 	if (do_encrypt) {

  391. 		gchar *encr = rspamadm_pw_encrypt (password);

  392. 		rspamd_printf ("%s\n", encr);

  393. 		g_free (encr);

  394. 	}

  395. 	else if (do_check) {

  396. 		rspamadm_pw_check ();

  397. 	}

  398. }