OpenWrt – Blame information for rev 4

Subversion Repositories:
Rev:
Rev Author Line No. Line
4 office 1 /*
2 * Copyright (c) 1997-1999 The Stanford SRP Authentication Project
3 * All Rights Reserved.
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
19 *
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25 *
26 * In addition, the following conditions apply:
27 *
28 * 1. Any software that incorporates the SRP authentication technology
29 * must display the following acknowlegment:
30 * "This product uses the 'Secure Remote Password' cryptographic
31 * authentication system developed by Tom Wu (tjw@CS.Stanford.EDU)."
32 *
33 * 2. Any software that incorporates all or part of the SRP distribution
34 * itself must also display the following acknowledgment:
35 * "This product includes software developed by Tom Wu and Eugene
36 * Jhong for the SRP Distribution (http://srp.stanford.edu/srp/)."
37 *
38 * 3. Redistributions in source or binary form must retain an intact copy
39 * of this copyright notice and list of conditions.
40 */
41  
42 #include "t_defines.h"
43  
44 #ifdef HAVE_UNISTD_H
45 #include <unistd.h>
46 #endif /* HAVE_UNISTD_H */
47  
48 #include <stdio.h>
49 #include <sys/types.h>
50 #include <sys/stat.h>
51 #include <fcntl.h>
52  
53 #include "t_sha.h"
54  
55 #ifndef NULL
56 #define NULL 0
57 #endif
58  
59 static unsigned char randpool[SHA_DIGESTSIZE], randout[SHA_DIGESTSIZE];
60 static unsigned long randcnt = 0;
61 static unsigned int outpos = 0;
62 SHA1_CTX randctxt;
63  
64 /*
65 * t_envhash - Generate a 160-bit SHA hash of the environment
66 *
67 * This routine performs an SHA hash of all the "name=value" pairs
68 * in the environment concatenated together and dumps them in the
69 * output. While it is true that anyone on the system can see
70 * your environment, someone not on the system will have a very
71 * difficult time guessing it, especially since some systems play
72 * tricks with variable ordering and sometimes define quirky
73 * environment variables like $WINDOWID or $_.
74 */
75 extern char ** environ;
76  
77 static void
78 t_envhash(out)
79 unsigned char * out;
80 {
81 char ** ptr;
82 char ebuf[256];
83 SHA1_CTX ctxt;
84  
85 SHA1Init(&ctxt);
86 for(ptr = environ; *ptr; ++ptr) {
87 strncpy(ebuf, *ptr, 255);
88 ebuf[255] = '\0';
89 SHA1Update(&ctxt, ebuf, strlen(ebuf));
90 }
91 SHA1Final(out, &ctxt);
92 }
93  
94 /*
95 * t_fshash - Generate a 160-bit SHA hash from the file system
96 *
97 * This routine climbs up the directory tree from the current
98 * directory, running stat() on each directory until it hits the
99 * root directory. This information is sensitive to the last
100 * access/modification times of all the directories above you,
101 * so someone who lists one of those directories injects some
102 * entropy into the system. Obviously, this hash is very sensitive
103 * to your current directory when the program is run.
104 *
105 * For good measure, it also performs an fstat on the standard input,
106 * usually your tty, throws that into the buffer, creates a file in
107 * /tmp (the inode is unpredictable on a busy system), and runs stat()
108 * on that before deleting it.
109 *
110 * The entire buffer is run once through SHA to obtain the final result.
111 */
112 static void
113 t_fshash(out)
114 unsigned char * out;
115 {
116 char dotpath[128];
117 struct stat st;
118 SHA1_CTX ctxt;
119 int i, pinode;
120 dev_t pdev;
121  
122 SHA1Init(&ctxt);
123 if(stat(".", &st) >= 0) {
124 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
125 pinode = st.st_ino;
126 pdev = st.st_dev;
127 strcpy(dotpath, "..");
128 for(i = 0; i < 40; ++i) {
129 if(stat(dotpath, &st) < 0)
130 break;
131 if(st.st_ino == pinode && st.st_dev == pdev)
132 break;
133 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
134 pinode = st.st_ino;
135 pdev = st.st_dev;
136 strcat(dotpath, "/..");
137 }
138 }
139  
140 if(fstat(0, &st) >= 0)
141 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
142  
143 sprintf(dotpath, "/tmp/rnd.%d", getpid());
144 if(creat(dotpath, 0600) >= 0 && stat(dotpath, &st) >= 0)
145 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
146 unlink(dotpath);
147  
148 SHA1Final(out, &ctxt);
149 }
150  
151 /*
152 * Generate a high-entropy seed for the strong random number generator.
153 * This uses a wide variety of quickly gathered and somewhat unpredictable
154 * system information. The 'preseed' structure is assembled from:
155 *
156 * The system time in seconds
157 * The system time in microseconds
158 * The current process ID
159 * The parent process ID
160 * A hash of the user's environment
161 * A hash gathered from the file system
162 * Input from a random device, if available
163 * Timings of system interrupts
164 *
165 * The entire structure (60 bytes on most systems) is fed to SHA to produce
166 * a 160-bit seed for the strong random number generator. It is believed
167 * that in the worst case (on a quiet system with no random device versus
168 * an attacker who has access to the system already), the seed contains at
169 * least about 80 bits of entropy. Versus an attacker who does not have
170 * access to the system, the entropy should be slightly over 128 bits.
171 */
172 static char initialized = 0;
173  
174 static struct {
175 unsigned int trand1;
176 time_t sec;
177 time_t usec;
178 short pid;
179 short ppid;
180 unsigned char envh[SHA_DIGESTSIZE];
181 unsigned char fsh[SHA_DIGESTSIZE];
182 unsigned char devrand[20];
183 unsigned int trand2;
184 } preseed;
185  
186 unsigned long raw_truerand();
187  
188 void
189 t_initrand()
190 {
191 SHA1_CTX ctxt;
192 #ifdef USE_FTIME
193 struct timeb t;
194 #else
195 struct timeval t;
196 #endif
197 int i, r=0;
198  
199 if(initialized)
200 return;
201  
202 initialized = 1;
203  
204 i = open("/dev/urandom", O_RDONLY);
205 if(i > 0) {
206 r += read(i, preseed.devrand, sizeof(preseed.devrand));
207 close(i);
208 }
209  
210 /* Resort to truerand only if desperate for some Real entropy */
211 if(r == 0)
212 preseed.trand1 = raw_truerand();
213  
214 #ifdef USE_FTIME
215 ftime(&t);
216 #else
217 gettimeofday(&t, NULL);
218 #endif
219  
220 #ifdef USE_FTIME
221 preseed.sec = t.time;
222 preseed.usec = t.millitm;
223 #else
224 preseed.sec = t.tv_sec;
225 preseed.usec = t.tv_usec;
226 #endif
227 preseed.pid = getpid();
228 preseed.ppid = getppid();
229 t_envhash(preseed.envh);
230 t_fshash(preseed.fsh);
231  
232 if(r == 0)
233 preseed.trand2 = raw_truerand();
234  
235 SHA1Init(&ctxt);
236 SHA1Update(&ctxt, (unsigned char *) &preseed, sizeof(preseed));
237 SHA1Final(randpool, &ctxt);
238 outpos = 0;
239 memset((unsigned char *) &preseed, 0, sizeof(preseed));
240 memset((unsigned char *) &ctxt, 0, sizeof(ctxt));
241 }
242  
243 #define NUM_RANDOMS 12
244  
245 /*
246 * The strong random number generator. This uses a 160-bit seed
247 * and uses SHA-1 in a feedback configuration to generate successive
248 * outputs. If S[0] is set to the initial seed, then:
249 *
250 * S[i+1] = SHA-1(i || S[i])
251 * A[i] = SHA-1(S[i])
252 *
253 * where the A[i] are the output blocks starting with i=0.
254 * Each cycle generates 20 bytes of new output.
255 */
256 _TYPE( void )
257 t_random(data, size)
258 unsigned char * data;
259 unsigned size;
260 {
261 if(!initialized)
262 t_initrand();
263  
264 if(size <= 0) /* t_random(NULL, 0) forces seed initialization */
265 return;
266  
267 while(size > outpos) {
268 if(outpos > 0) {
269 memcpy(data, randout + (sizeof(randout) - outpos), outpos);
270 data += outpos;
271 size -= outpos;
272 }
273  
274 /* Recycle */
275 SHA1Init(&randctxt);
276 SHA1Update(&randctxt, randpool, sizeof(randpool));
277 SHA1Final(randout, &randctxt);
278 SHA1Init(&randctxt);
279 SHA1Update(&randctxt, (unsigned char *) &randcnt, sizeof(randcnt));
280 SHA1Update(&randctxt, randpool, sizeof(randpool));
281 SHA1Final(randpool, &randctxt);
282 ++randcnt;
283 outpos = sizeof(randout);
284 }
285  
286 if(size > 0) {
287 memcpy(data, randout + (sizeof(randout) - outpos), size);
288 outpos -= size;
289 }
290 }
291  
292 /*
293 * The interleaved session-key hash. This separates the even and the odd
294 * bytes of the input (ignoring the first byte if the input length is odd),
295 * hashes them separately, and re-interleaves the two outputs to form a
296 * single 320-bit value.
297 */
298 _TYPE( unsigned char * )
299 t_sessionkey(key, sk, sklen)
300 unsigned char * key;
301 unsigned char * sk;
302 unsigned sklen;
303 {
304 unsigned i, klen;
305 unsigned char * hbuf;
306 unsigned char hout[SHA_DIGESTSIZE];
307 SHA1_CTX ctxt;
308  
309 while(sklen > 0 && *sk == 0) { /* Skip leading 0's */
310 --sklen;
311 ++sk;
312 }
313  
314 klen = sklen / 2;
315 if((hbuf = malloc(klen * sizeof(char))) == 0)
316 return 0;
317  
318 for(i = 0; i < klen; ++i)
319 hbuf[i] = sk[sklen - 2 * i - 1];
320 SHA1Init(&ctxt);
321 SHA1Update(&ctxt, hbuf, klen);
322 SHA1Final(hout, &ctxt);
323 for(i = 0; i < sizeof(hout); ++i)
324 key[2 * i] = hout[i];
325  
326 for(i = 0; i < klen; ++i)
327 hbuf[i] = sk[sklen - 2 * i - 2];
328 SHA1Init(&ctxt);
329 SHA1Update(&ctxt, hbuf, klen);
330 SHA1Final(hout, &ctxt);
331 for(i = 0; i < sizeof(hout); ++i)
332 key[2 * i + 1] = hout[i];
333  
334 memset(hout, 0, sizeof(hout));
335 memset(hbuf, 0, klen);
336 free(hbuf);
337 return key;
338 }