Exemplo n.º 1
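/*
 * Compute the ersatz password hash for `password`.
 *
 * Steps, as implemented below:
 *   1. HMAC the password through py_hsm_hmac().
 *   2. Base64-decode the ersatz salt (stored with '.' in place of '+').
 *   3. XOR the decoded salt into the HMAC digest.
 *   4. Run the result through crypt() in "sha512" format, using the
 *      ersatz salt string as the crypt salt.
 *
 * password    - NUL-terminated password string.
 * ersatz_salt - NUL-terminated salt string; modified in place while
 *               decoding, then every '+' is turned back into '.'.
 * out_hash    - receives the crypt() output string. The copy is an
 *               unbounded strcpy(), so the caller must supply a buffer
 *               large enough for a sha512 crypt string; the required
 *               size is not visible from this function.
 *
 * Returns ERSATZ_HASH_OK on success, ERSATZ_HASH_FAIL otherwise.
 */
int py_ersatz_hash(char *password, char *ersatz_salt, char *out_hash)
{
	char hmac_digest[HMAC_LEN];
	char decoded_salt[SALT_SIZE];
	char *hashed;
	int i;
	int ret;

	if (password == NULL || ersatz_salt == NULL || out_hash == NULL)
		return ERSATZ_HASH_FAIL;

	ret = py_hsm_hmac(password, hmac_digest);
	if (ret != HSM_HMAC_OK)
		return ERSATZ_HASH_FAIL;

	/*
	 * Start from zeros so a short or failed decode never XORs
	 * uninitialized stack bytes into the digest.
	 */
	memset(decoded_salt, 0, sizeof decoded_salt);

	/*
	 * Convert back from . to +.  Stop at the terminator so a salt
	 * shorter than SALT_SIZE is never read or written past its end.
	 */
	for (i = 0; i < SALT_SIZE && ersatz_salt[i] != '\0'; i++)
		if (ersatz_salt[i] == '.')
			ersatz_salt[i] = '+';

	/*
	 * Base64-decode the ersatz salt.
	 * NOTE(review): the return value is not checked; after a failed
	 * decode the untouched bytes of decoded_salt stay zero and the XOR
	 * below leaves those digest bytes unchanged. Confirm whether a
	 * decode failure should be fatal.
	 */
	b64_pton((unsigned char *) ersatz_salt, decoded_salt, SALT_SIZE);

	/*
	 * XOR the hmac digest with the salt.
	 * NOTE(review): assumes SALT_SIZE <= HMAC_LEN, otherwise this
	 * writes past hmac_digest - confirm against the definitions.
	 */
	for (i = 0; i < SALT_SIZE; i++)
		hmac_digest[i] = hmac_digest[i] ^ decoded_salt[i];

	/* Put the salt string back into its stored '.' form. */
	for (i = 0; i < SALT_SIZE && ersatz_salt[i] != '\0'; i++)
		if (ersatz_salt[i] == '+')
			ersatz_salt[i] = '.';

	/* Take a sha-512 hash; an unknown format name is reported as 0. */
	if (!crypt_set_format("sha512"))
		return ERSATZ_HASH_FAIL;

	/*
	 * NOTE(review): hmac_digest holds raw bytes but crypt() treats it
	 * as a C string: it stops at the first zero byte and, with none
	 * inside HMAC_LEN, reads past the array. Confirm how py_hsm_hmac()
	 * encodes or terminates its output.
	 */
	hashed = crypt(hmac_digest, ersatz_salt);
	if (hashed == NULL)	/* crypt() failed; do not strcpy from NULL */
		return ERSATZ_HASH_FAIL;

	strcpy(out_hash, hashed);
	return ERSATZ_HASH_OK;
}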
Exemplo n.º 2
/*
 * Minimal demonstration: select the "sha512" crypt format, build a salt
 * with makesalt() and hash a fixed sample password. The resulting hash
 * is discarded and the return values are not examined.
 */
int main()
{
	char salt[SALTSIZE + 1];	/* one extra byte beyond SALTSIZE */
	const char *hashed;

	(void)crypt_set_format("sha512");

	/* makesalt() is defined elsewhere; presumably it fills `salt` - confirm */
	makesalt(salt);

	/* "123456" is a hard-coded sample password, not a real credential */
	hashed = crypt("123456", salt);
	(void)hashed;

	return 0;
}
Exemplo n.º 3
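/*
 * Select the crypt(3) format named by the "passwd_format" capability.
 *
 * lc    - login class handle passed to login_getcapstr().
 * def   - value handed to login_getcapstr() as the default; may be NULL.
 * error - value returned to the caller when no format can be set.
 *
 * Returns the format name on success, or `error` when the lookup
 * yields NULL or crypt_set_format() rejects the name.
 *
 * When the CRYPT_DEBUG environment variable is set, the chosen format
 * name is written to stderr.
 */
const char *
login_setcryptfmt(login_cap_t *lc, const char *def, const char *error) {
	const char *cipher;

	cipher = login_getcapstr(lc, "passwd_format", def, NULL);
	/*
	 * cipher can still be NULL here (the NULL check comes after the
	 * debug print), and passing NULL to %s is undefined behaviour, so
	 * substitute a printable placeholder.
	 */
	if (getenv("CRYPT_DEBUG") != NULL)
		fprintf(stderr, "login_setcryptfmt: "
		    "passwd_format = %s\n",
		    cipher != NULL ? cipher : "(null)");
	if (cipher == NULL)
		return (error);
	/* crypt_set_format() returns 0 for a format it does not know */
	if (!crypt_set_format(cipher))
		return (error);
	return (cipher);
}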
Exemplo n.º 4
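/*
 * PAM authentication entry point backed by a cached "auth ticket".
 *
 * The supplied password is hashed with crypt() and compared with the
 * hash stored in the user's ticket (read_ticket()). A matching ticket
 * no older than TIMEOUT seconds on CLOCK_MONOTONIC yields PAM_SUCCESS.
 * In every path that reaches `done`, the hash computed from the
 * supplied password is attached to the handle under the key
 * "pam_auth_ticket".
 *
 * Returns PAM_SUCCESS for a valid, unexpired ticket; the error from
 * pam_get_user(); PAM_USER_UNKNOWN when getpwnam() finds no entry;
 * PAM_CONV_ERR when the password prompt fails that way; PAM_AUTH_ERR
 * in all other cases. flags, argc and argv are not used.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
                    int argc, const char *argv[])
{
    const char *user;
    char *password, *crypt_password, *cached_password;
    int pam_err, timestamp;

    /* identify user */
    if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
        return (pam_err);
    if (getpwnam(user) == NULL)
        return (PAM_USER_UNKNOWN);

    /* get password */
    pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
                              (const char **)&password, NULL);
    if (pam_err == PAM_CONV_ERR)
        return (pam_err);
    if (pam_err != PAM_SUCCESS)
        return (PAM_AUTH_ERR);

    cached_password = NULL;
    if (!read_ticket(user, &timestamp, &cached_password)) {
        /*
         * No usable ticket: fail this module, but still hash the
         * password with a fresh salt so it can be stored below.
         */
        pam_err = PAM_AUTH_ERR;
        if (crypt_set_format("sha512"))
            crypt_password = crypt(password, gen_salt());
        else
            crypt_password = NULL;
        goto done;
    }

    /*
     * NOTE(review): assumes read_ticket() always sets cached_password
     * when it reports success; crypt() and strcmp() would otherwise be
     * handed NULL - confirm.
     */
    if ((crypt_password = crypt(password, cached_password)) != NULL &&
            strcmp(crypt_password, cached_password) == 0) {
        struct timespec now;
        long long elapsed;

        /* TODO: timeout should be an argument! */
        if (clock_gettime(CLOCK_MONOTONIC, &now) != 0) {
            /* without a clock reading the ticket age is unknown: fail closed */
            openpam_log(PAM_LOG_DEBUG, "clock_gettime failed");
            pam_err = PAM_AUTH_ERR;
        } else {
            /* subtract in a wide type so timestamp + TIMEOUT cannot overflow */
            elapsed = (long long)now.tv_sec - (long long)timestamp;
            if (elapsed < 0) {
                /*
                 * CLOCK_MONOTONIC restarts at boot, so a ticket from an
                 * earlier boot can carry a timestamp ahead of the clock
                 * and would otherwise never look expired. Reject it.
                 */
                openpam_log(PAM_LOG_DEBUG,
                            "auth ticket timestamp is in the future");
                pam_err = PAM_AUTH_ERR;
            } else if (elapsed > TIMEOUT) {
                openpam_log(PAM_LOG_DEBUG,
                            "expired auth ticket: %d > %d",
                            (int)now.tv_sec, timestamp + TIMEOUT);
                pam_err = PAM_AUTH_ERR;
            } else {
                pam_err = PAM_SUCCESS;
            }
        }
    } else {
        openpam_log(PAM_LOG_DEBUG, "passwords do not match");
        pam_err = PAM_AUTH_ERR;
    }
done:
    if (crypt_password != NULL) {
        char *cp;
        size_t len;

        /* crypt() returns static storage, so keep a private copy */
        len = strlen(crypt_password) + 1;
        cp = calloc(len, sizeof(char));
        if (cp != NULL) {
            /*
             * The copy is handed to PAM together with cleanup(); if
             * the copy or the registration fails, nothing else owns
             * cp, so release it here instead of leaking it.
             */
            if (strlcpy(cp, crypt_password, len) >= len ||
                    pam_set_data(pamh, "pam_auth_ticket", cp,
                                 cleanup) != PAM_SUCCESS)
                free(cp);
        }
    }

    free(cached_password);
    return (pam_err);
}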
Exemplo n.º 5
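/*
 * Print the sha512 crypt() hash of the first command-line argument,
 * using the fixed salt string "1".
 *
 * Exits 0 on success and 1 when the argument is missing, the format
 * cannot be selected, or crypt() fails.
 *
 * NOTE(review): the salt is a constant, so equal passwords always give
 * equal hashes, and a password passed in argv is visible to other
 * users in the process list. Acceptable for a demo only.
 */
int main(int argc, char **argv) {
        const char *hash;

        /* argv[1] is NULL when no argument is given; crypt(NULL, ...) is invalid */
        if (argc < 2 || argv[1] == NULL) {
                fprintf(stderr, "usage: <program> <password>\n");
                return 1;
        }

        /* crypt_set_format() returns 0 for a format it does not know */
        if (!crypt_set_format("sha512"))
                return 1;

        /* crypt() can return NULL; printing that with %s is undefined */
        hash = crypt(argv[1], "1");
        if (hash == NULL)
                return 1;

        printf("%s", hash);
        return 0;
}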