1
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
2
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
4
* Copyright (C) 2010 Eric Day
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; version 2 of the License.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
26
#include "drizzled/configmake.h"
27
#include "drizzled/plugin/authentication.h"
28
#include "drizzled/security_context.h"
29
#include "drizzled/util/convert.h"
30
#include "drizzled/algorithm/sha1.h"
33
using namespace drizzled;
38
static char* users_file= NULL;
39
static const char DEFAULT_USERS_FILE[]= SYSCONFDIR "/drizzle.users";
41
class AuthFile: public plugin::Authentication
45
AuthFile(string name_arg);
48
* Retrieve the last error encountered in the class.
50
string& getError(void);
53
* Load the users file into a map cache.
55
* @return True on success, false on error. If false is returned an error
56
* is set and can be retrieved with getError().
63
* Base class method to check authentication for a user.
65
bool authenticate(const SecurityContext &sctx, const string &password);
68
* Verify the local and remote scrambled password match using the MySQL
71
* @param[in] password Plain text password that is stored locally.
72
* @param[in] scramble_bytes The random bytes that the server sent to the
73
* client for scrambling the password.
74
* @param[in] scrambled_password The result of the client scrambling the
76
* @return True if the password matched, false if not.
78
bool verifyMySQLHash(const string &password,
79
const string &scramble_bytes,
80
const string &scrambled_password);
85
* Cache or username:password entries from the file.
87
map<string, string> users;
90
AuthFile::AuthFile(string name_arg):
91
plugin::Authentication(name_arg),
97
string& AuthFile::getError(void)
102
bool AuthFile::loadFile(void)
104
ifstream file(users_file);
108
error = "Could not open users file: ";
118
/* Ignore blank lines and lines starting with '#'. */
119
if (line == "" || line[line.find_first_not_of(" \t")] == '#')
124
size_t password_offset = line.find(":");
125
if (password_offset == string::npos)
129
username = string(line, 0, password_offset);
130
password = string(line, password_offset + 1);
133
pair<map<string, string>::iterator, bool> result;
134
result = users.insert(pair<string, string>(username, password));
135
if (result.second == false)
137
error = "Duplicate entry found in users file: ";
148
bool AuthFile::verifyMySQLHash(const string &password,
149
const string &scramble_bytes,
150
const string &scrambled_password)
152
if (scramble_bytes.size() != SHA1_DIGEST_LENGTH ||
153
scrambled_password.size() != SHA1_DIGEST_LENGTH)
159
uint8_t local_scrambled_password[SHA1_DIGEST_LENGTH];
160
uint8_t temp_hash[SHA1_DIGEST_LENGTH];
161
uint8_t scrambled_password_check[SHA1_DIGEST_LENGTH];
163
/* Generate the double SHA1 hash for the password stored locally first. */
165
SHA1Update(&ctx, reinterpret_cast<const uint8_t *>(password.c_str()),
167
SHA1Final(temp_hash, &ctx);
170
SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
171
SHA1Final(local_scrambled_password, &ctx);
173
/* Hash the scramble that was sent to client with the local password. */
175
SHA1Update(&ctx, reinterpret_cast<const uint8_t*>(scramble_bytes.c_str()),
177
SHA1Update(&ctx, local_scrambled_password, SHA1_DIGEST_LENGTH);
178
SHA1Final(temp_hash, &ctx);
180
/* Next, XOR the result with what the client sent to get the original
181
single-hashed password. */
182
for (int x= 0; x < SHA1_DIGEST_LENGTH; x++)
183
temp_hash[x]= temp_hash[x] ^ scrambled_password[x];
185
/* Hash this result once more to get the double-hashed password again. */
187
SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
188
SHA1Final(scrambled_password_check, &ctx);
190
/* These should match for a successful auth. */
191
return memcmp(local_scrambled_password, scrambled_password_check, SHA1_DIGEST_LENGTH) == 0;
194
bool AuthFile::authenticate(const SecurityContext &sctx, const string &password)
196
map<string, string>::const_iterator user = users.find(sctx.getUser());
197
if (user == users.end())
200
if (sctx.getPasswordType() == SecurityContext::MYSQL_HASH)
201
return verifyMySQLHash(user->second, sctx.getPasswordContext(), password);
203
if (password == user->second)
209
static int init(plugin::Context &context)
211
AuthFile *auth_file = new AuthFile("auth_file");
212
if (!auth_file->loadFile())
214
errmsg_printf(ERRMSG_LVL_ERROR, _("Could not load auth file: %s\n"),
215
auth_file->getError().c_str());
220
context.add(auth_file);
224
static DRIZZLE_SYSVAR_STR(users,
227
N_("File to load for usernames and passwords"),
228
NULL, /* check func */
229
NULL, /* update func*/
230
DEFAULT_USERS_FILE /* default */);
232
static drizzle_sys_var* sys_variables[]=
234
DRIZZLE_SYSVAR(users),
238
} /* namespace auth_file */
240
DRIZZLE_PLUGIN(auth_file::init, auth_file::sys_variables);
added
removed
plugin/auth_file/auth_file.cc
