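/*
 * auth_ct_streq - constant-time string equality.
 *
 * Returns non-zero iff a and b are byte-for-byte identical (same result as
 * strcmp(a, b) == 0).  Every byte of the common prefix is visited regardless
 * of where the first mismatch is, so the time taken does not reveal how much
 * of a guessed secret was correct.  Both arguments must be NUL-terminated.
 */
static int auth_ct_streq(const char *a, const char *b)
{
	size_t la = strlen(a);
	size_t lb = strlen(b);
	size_t n = la < lb ? la : lb;
	unsigned char diff = (unsigned char)(la != lb);
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

/*
 * Auth_Check - validate a client against an authentication block.
 *
 * cptr: client being checked; only cptr->ssl is read here (client-cert case).
 * as:   the auth block. as->type selects the method; as->data holds the
 *       secret, the crypt() salt/hash, or the path of a PEM certificate
 *       file, depending on the type.  NULL means "no restriction".
 * para: parameter supplied by the client (password), may be NULL.
 *
 * Returns:
 *  -1 if authentication failed
 *   1 if authentication succeeded
 *   2 if authentication succeeded, using parameter
 *  -2 if authentication is delayed, don't error
 *     (not produced by the inline cases; the delegated authcheck_* helpers
 *     may return it)
 * No AuthStruct = everyone allowed
 */
int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
{
#ifdef AUTHENABLE_UNIXCRYPT
	extern char *crypt();
#endif
#ifdef AUTHENABLE_SSL_CLIENTCERT
	X509 *x509_clientcert = NULL;
	X509 *x509_filecert = NULL;
	FILE *x509_f = NULL;
#endif

	if (!as)
		return 1;

	switch (as->type)
	{
		case AUTHTYPE_PLAINTEXT:
			if (!para)
				return -1;
			/* plain text compare, constant time so response latency
			 * does not depend on how much of the guess matched */
			return auth_ct_streq(para, as->data) ? 2 : -1;

#ifdef AUTHENABLE_UNIXCRYPT
		case AUTHTYPE_UNIXCRYPT:
		{
			char *hashed;

			if (!para)
				return -1;
			/* If our data is like 1 or none, we just let em through .. */
			if (!(as->data[0] && as->data[1]))
				return 1;
			/* crypt() may return NULL (e.g. unsupported salt on some
			 * libcs); passing that to a string compare is undefined. */
			hashed = crypt(para, as->data);
			if (!hashed)
				return -1;
			return auth_ct_streq(hashed, as->data) ? 2 : -1;
		}
#endif

		case AUTHTYPE_MD5:
			return authcheck_md5(cptr, as, para);

#ifdef AUTHENABLE_SHA1
		case AUTHTYPE_SHA1:
			return authcheck_sha1(cptr, as, para);
#endif

#ifdef AUTHENABLE_RIPEMD160
		case AUTHTYPE_RIPEMD160:
			return authcheck_ripemd160(cptr, as, para);
#endif

#ifdef AUTHENABLE_SSL_CLIENTCERT
		case AUTHTYPE_SSL_CLIENTCERT:
		{
			int rc = -1;

			/* a parameter is still required even though only the
			 * certificate is compared below */
			if (!para)
				return -1;
			if (!cptr->ssl)
				return -1;
			x509_clientcert = SSL_get_peer_certificate((SSL *)cptr->ssl);
			if (!x509_clientcert)
				return -1;

			/* as->data is the path of the PEM file with the expected cert */
			x509_f = fopen(as->data, "r");
			if (x509_f)
			{
				x509_filecert = PEM_read_X509(x509_f, NULL, NULL, NULL);
				fclose(x509_f);
			}

			/* Exact certificate match only; no chain validation is
			 * performed here. */
			if (x509_filecert && X509_cmp(x509_filecert, x509_clientcert) == 0)
				rc = 2;

			/* X509_free() accepts NULL, so one cleanup path covers all exits */
			X509_free(x509_filecert);
			X509_free(x509_clientcert);
			return rc;
		}
#endif

		default:
			break;
	}
	return -1;
}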
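/*
 * auth_ct_streq - constant-time string equality.
 *
 * Returns non-zero iff a and b are byte-for-byte identical (same result as
 * strcmp(a, b) == 0).  Every byte of the common prefix is visited regardless
 * of where the first mismatch is, so the time taken does not reveal how much
 * of a guessed secret was correct.  Both arguments must be NUL-terminated.
 */
static int auth_ct_streq(const char *a, const char *b)
{
	size_t la = strlen(a);
	size_t lb = strlen(b);
	size_t n = la < lb ? la : lb;
	unsigned char diff = (unsigned char)(la != lb);
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

/*
 * Auth_Check - validate a client against an authentication block.
 *
 * cptr: client being checked; only cptr->ssl is read here (client-cert cases).
 * as:   the auth block. as->type selects the method; as->data holds the
 *       secret, the crypt() salt/hash, the path of a PEM certificate file,
 *       or a hex certificate fingerprint (with or without ':' separators,
 *       case-insensitive), depending on the type.  NULL means "no restriction".
 * para: parameter supplied by the client (password), may be NULL.
 *
 * Returns:
 *  -1 if authentication failed
 *   1 if authentication succeeded
 *   2 if authentication succeeded, using parameter
 *  -2 if authentication is delayed, don't error
 *     (not produced by the inline cases; the delegated authcheck_* helpers
 *     may return it)
 * No AuthStruct = everyone allowed
 */
int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
{
#ifdef AUTHENABLE_UNIXCRYPT
	extern char *crypt();
#endif
#if defined(AUTHENABLE_SSL_CLIENTCERT) || defined(AUTHENABLE_SSL_CLIENTCERTFP)
	X509 *x509_clientcert = NULL;
#endif
#ifdef AUTHENABLE_SSL_CLIENTCERT
	X509 *x509_filecert = NULL;
	FILE *x509_f = NULL;
#endif
#ifdef AUTHENABLE_SSL_CLIENTCERTFP
	unsigned int n;
	unsigned int i;
	unsigned int j;
	unsigned int k;
	unsigned char md[EVP_MAX_MD_SIZE];
	/* n <= EVP_MAX_MD_SIZE, so these hold the digest as "aabb.." and
	 * "aa:bb:.." respectively, plus the terminator */
	char hex[EVP_MAX_MD_SIZE * 2 + 1];
	char hexc[EVP_MAX_MD_SIZE * 3 + 1];
	static const char hexchars[] = "0123456789abcdef";
	const EVP_MD *digest = EVP_sha256();
#endif

	if (!as)
		return 1;

	switch (as->type)
	{
		case AUTHTYPE_PLAINTEXT:
			if (!para)
				return -1;
			/* plain text compare, constant time so response latency
			 * does not depend on how much of the guess matched */
			return auth_ct_streq(para, as->data) ? 2 : -1;

#ifdef AUTHENABLE_UNIXCRYPT
		case AUTHTYPE_UNIXCRYPT:
		{
			char *hashed;

			if (!para)
				return -1;
			/* If our data is like 1 or none, we just let em through .. */
			if (!(as->data[0] && as->data[1]))
				return 1;
			/* crypt() may return NULL (e.g. unsupported salt on some
			 * libcs); passing that to a string compare is undefined. */
			hashed = crypt(para, as->data);
			if (!hashed)
				return -1;
			return auth_ct_streq(hashed, as->data) ? 2 : -1;
		}
#endif

		case AUTHTYPE_MD5:
			return authcheck_md5(cptr, as, para);

#ifdef AUTHENABLE_SHA1
		case AUTHTYPE_SHA1:
			return authcheck_sha1(cptr, as, para);
#endif

#ifdef AUTHENABLE_RIPEMD160
		case AUTHTYPE_RIPEMD160:
			return authcheck_ripemd160(cptr, as, para);
#endif

#ifdef AUTHENABLE_SSL_CLIENTCERT
		case AUTHTYPE_SSL_CLIENTCERT:
		{
			int rc = -1;

			/* a parameter is still required even though only the
			 * certificate is compared below */
			if (!para)
				return -1;
			if (!cptr->ssl)
				return -1;
			x509_clientcert = SSL_get_peer_certificate((SSL *)cptr->ssl);
			if (!x509_clientcert)
				return -1;

			/* as->data is the path of the PEM file with the expected cert */
			x509_f = fopen(as->data, "r");
			if (x509_f)
			{
				x509_filecert = PEM_read_X509(x509_f, NULL, NULL, NULL);
				fclose(x509_f);
			}

			/* Exact certificate match only; no chain validation is
			 * performed here. */
			if (x509_filecert && X509_cmp(x509_filecert, x509_clientcert) == 0)
				rc = 2;

			/* X509_free() accepts NULL, so one cleanup path covers all exits */
			X509_free(x509_filecert);
			X509_free(x509_clientcert);
			return rc;
		}
#endif

#ifdef AUTHENABLE_SSL_CLIENTCERTFP
		case AUTHTYPE_SSL_CLIENTCERTFP:
			/* a parameter is still required even though only the
			 * certificate fingerprint is compared below */
			if (!para)
				return -1;
			if (!cptr->ssl)
				return -1;
			x509_clientcert = SSL_get_peer_certificate((SSL *)cptr->ssl);
			if (!x509_clientcert)
				return -1;

			/* A zero-length digest would make the "--k" below index
			 * hexc[UINT_MAX]; treat it as a failure instead. */
			if (!X509_digest(x509_clientcert, digest, md, &n) || n == 0)
			{
				X509_free(x509_clientcert);
				return -1;
			}
			/* only the digest bytes are needed from here on */
			X509_free(x509_clientcert);

			/* Render both "aabbcc.." and "aa:bb:cc.." so either spelling
			 * in as->data is accepted. */
			j = 0;
			k = 0;
			for (i = 0; i < n; i++)
			{
				hex[j++] = hexchars[(md[i] >> 4) & 0xF];
				hex[j++] = hexchars[md[i] & 0xF];
				hexc[k++] = hexchars[(md[i] >> 4) & 0xF];
				hexc[k++] = hexchars[md[i] & 0xF];
				hexc[k++] = ':';
			}
			hex[j] = '\0';
			hexc[--k] = '\0'; /* drop the trailing ':'; k >= 3 since n >= 1 */

			if (strcasecmp(as->data, hex) && strcasecmp(as->data, hexc))
				return -1;
			return 2;
#endif

		default:
			break;
	}
	return -1;
}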