1
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
2
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
4
* Copyright (C) 2010 Eric Day
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; version 2 of the License.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
26
#include "drizzled/configmake.h"
27
#include "drizzled/plugin/authentication.h"
28
#include "drizzled/security_context.h"
29
#include "drizzled/util/convert.h"
30
#include "drizzled/algorithm/sha1.h"
31
#include <boost/program_options.hpp>
32
#include <drizzled/module/option_map.h>
35
namespace po= boost::program_options;
37
using namespace drizzled;
42
static char* users_file= NULL;
43
static const char DEFAULT_USERS_FILE[]= SYSCONFDIR "/drizzle.users";
45
class AuthFile: public plugin::Authentication
49
AuthFile(string name_arg);
52
* Retrieve the last error encountered in the class.
54
string& getError(void);
57
* Load the users file into a map cache.
59
* @return True on success, false on error. If false is returned an error
60
* is set and can be retrieved with getError().
67
* Base class method to check authentication for a user.
69
bool authenticate(const SecurityContext &sctx, const string &password);
72
* Verify the local and remote scrambled password match using the MySQL
75
* @param[in] password Plain text password that is stored locally.
76
* @param[in] scramble_bytes The random bytes that the server sent to the
77
* client for scrambling the password.
78
* @param[in] scrambled_password The result of the client scrambling the
80
* @return True if the password matched, false if not.
82
bool verifyMySQLHash(const string &password,
83
const string &scramble_bytes,
84
const string &scrambled_password);
89
* Cache or username:password entries from the file.
91
map<string, string> users;
94
AuthFile::AuthFile(string name_arg):
95
plugin::Authentication(name_arg),
101
string& AuthFile::getError(void)
106
bool AuthFile::loadFile(void)
108
ifstream file(users_file);
112
error = "Could not open users file: ";
122
/* Ignore blank lines and lines starting with '#'. */
123
if (line == "" || line[line.find_first_not_of(" \t")] == '#')
128
size_t password_offset = line.find(":");
129
if (password_offset == string::npos)
133
username = string(line, 0, password_offset);
134
password = string(line, password_offset + 1);
137
pair<map<string, string>::iterator, bool> result;
138
result = users.insert(pair<string, string>(username, password));
139
if (result.second == false)
141
error = "Duplicate entry found in users file: ";
152
bool AuthFile::verifyMySQLHash(const string &password,
153
const string &scramble_bytes,
154
const string &scrambled_password)
156
if (scramble_bytes.size() != SHA1_DIGEST_LENGTH ||
157
scrambled_password.size() != SHA1_DIGEST_LENGTH)
163
uint8_t local_scrambled_password[SHA1_DIGEST_LENGTH];
164
uint8_t temp_hash[SHA1_DIGEST_LENGTH];
165
uint8_t scrambled_password_check[SHA1_DIGEST_LENGTH];
167
/* Generate the double SHA1 hash for the password stored locally first. */
169
SHA1Update(&ctx, reinterpret_cast<const uint8_t *>(password.c_str()),
171
SHA1Final(temp_hash, &ctx);
174
SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
175
SHA1Final(local_scrambled_password, &ctx);
177
/* Hash the scramble that was sent to client with the local password. */
179
SHA1Update(&ctx, reinterpret_cast<const uint8_t*>(scramble_bytes.c_str()),
181
SHA1Update(&ctx, local_scrambled_password, SHA1_DIGEST_LENGTH);
182
SHA1Final(temp_hash, &ctx);
184
/* Next, XOR the result with what the client sent to get the original
185
single-hashed password. */
186
for (int x= 0; x < SHA1_DIGEST_LENGTH; x++)
187
temp_hash[x]= temp_hash[x] ^ scrambled_password[x];
189
/* Hash this result once more to get the double-hashed password again. */
191
SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
192
SHA1Final(scrambled_password_check, &ctx);
194
/* These should match for a successful auth. */
195
return memcmp(local_scrambled_password, scrambled_password_check, SHA1_DIGEST_LENGTH) == 0;
198
bool AuthFile::authenticate(const SecurityContext &sctx, const string &password)
200
map<string, string>::const_iterator user = users.find(sctx.getUser());
201
if (user == users.end())
204
if (sctx.getPasswordType() == SecurityContext::MYSQL_HASH)
205
return verifyMySQLHash(user->second, sctx.getPasswordContext(), password);
207
if (password == user->second)
213
static int init(module::Context &context)
215
const module::option_map &vm= context.getOptions();
217
if (vm.count("users"))
219
users_file= const_cast<char *>(vm["users"].as<string>().c_str());
222
AuthFile *auth_file = new AuthFile("auth_file");
223
if (!auth_file->loadFile())
225
errmsg_printf(ERRMSG_LVL_ERROR, _("Could not load auth file: %s\n"),
226
auth_file->getError().c_str());
231
context.add(auth_file);
235
static DRIZZLE_SYSVAR_STR(users,
238
N_("File to load for usernames and passwords"),
239
NULL, /* check func */
240
NULL, /* update func*/
241
DEFAULT_USERS_FILE /* default */);
243
static drizzle_sys_var* sys_variables[]=
245
DRIZZLE_SYSVAR(users),
249
static void init_options(drizzled::module::option_context &context)
252
po::value<string>()->default_value(DEFAULT_USERS_FILE),
253
N_("File to load for usernames and passwords"));
256
} /* namespace auth_file */
258
DRIZZLE_PLUGIN(auth_file::init, auth_file::sys_variables, auth_file::init_options);