move token_shadow to pbs_config workspace
Also moved out crypt.rs (libcrypt bindings) to pbs_tools workspace.
This commit is contained in:
Dietmar Maurer
75
src/auth.rs
75
src/auth.rs
@ -4,7 +4,6 @@
|
||||
|
||||
use std::process::{Command, Stdio};
|
||||
use std::io::Write;
|
||||
use std::ffi::CStr;
|
||||
|
||||
use anyhow::{bail, format_err, Error};
|
||||
use serde_json::json;
|
||||
@ -19,7 +18,7 @@ pub trait ProxmoxAuthenticator {
|
||||
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
|
||||
}
|
||||
|
||||
pub struct PAM();
|
||||
struct PAM();
|
||||
|
||||
impl ProxmoxAuthenticator for PAM {
|
||||
|
||||
@ -70,73 +69,7 @@ impl ProxmoxAuthenticator for PAM {
|
||||
}
|
||||
}
|
||||
|
||||
pub struct PBS();
|
||||
|
||||
// from libcrypt1, 'lib/crypt.h.in'
|
||||
const CRYPT_OUTPUT_SIZE: usize = 384;
|
||||
const CRYPT_MAX_PASSPHRASE_SIZE: usize = 512;
|
||||
const CRYPT_DATA_RESERVED_SIZE: usize = 767;
|
||||
const CRYPT_DATA_INTERNAL_SIZE: usize = 30720;
|
||||
|
||||
#[repr(C)]
|
||||
struct crypt_data {
|
||||
output: [libc::c_char; CRYPT_OUTPUT_SIZE],
|
||||
setting: [libc::c_char; CRYPT_OUTPUT_SIZE],
|
||||
input: [libc::c_char; CRYPT_MAX_PASSPHRASE_SIZE],
|
||||
reserved: [libc::c_char; CRYPT_DATA_RESERVED_SIZE],
|
||||
initialized: libc::c_char,
|
||||
internal: [libc::c_char; CRYPT_DATA_INTERNAL_SIZE],
|
||||
}
|
||||
|
||||
pub fn crypt(password: &[u8], salt: &[u8]) -> Result<String, Error> {
|
||||
#[link(name = "crypt")]
|
||||
extern "C" {
|
||||
#[link_name = "crypt_r"]
|
||||
fn __crypt_r(
|
||||
key: *const libc::c_char,
|
||||
salt: *const libc::c_char,
|
||||
data: *mut crypt_data,
|
||||
) -> *mut libc::c_char;
|
||||
}
|
||||
|
||||
let mut data: crypt_data = unsafe { std::mem::zeroed() };
|
||||
for (i, c) in salt.iter().take(data.setting.len() - 1).enumerate() {
|
||||
data.setting[i] = *c as libc::c_char;
|
||||
}
|
||||
for (i, c) in password.iter().take(data.input.len() - 1).enumerate() {
|
||||
data.input[i] = *c as libc::c_char;
|
||||
}
|
||||
|
||||
let res = unsafe {
|
||||
let status = __crypt_r(
|
||||
&data.input as *const _,
|
||||
&data.setting as *const _,
|
||||
&mut data as *mut _,
|
||||
);
|
||||
if status.is_null() {
|
||||
bail!("internal error: crypt_r returned null pointer");
|
||||
}
|
||||
CStr::from_ptr(&data.output as *const _)
|
||||
};
|
||||
Ok(String::from(res.to_str()?))
|
||||
}
|
||||
|
||||
|
||||
pub fn encrypt_pw(password: &str) -> Result<String, Error> {
|
||||
|
||||
let salt = proxmox::sys::linux::random_data(8)?;
|
||||
let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));
|
||||
|
||||
crypt(password.as_bytes(), salt.as_bytes())
|
||||
}
|
||||
|
||||
pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {
|
||||
let verify = crypt(password.as_bytes(), enc_password.as_bytes())?;
|
||||
if verify != enc_password {
|
||||
bail!("invalid credentials");
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
struct PBS();
|
||||
|
||||
const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");
|
||||
|
||||
@ -146,13 +79,13 @@ impl ProxmoxAuthenticator for PBS {
|
||||
let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
||||
match data[username.as_str()].as_str() {
|
||||
None => bail!("no password set"),
|
||||
Some(enc_password) => verify_crypt_pw(password, enc_password)?,
|
||||
Some(enc_password) => pbs_tools::crypt::verify_crypt_pw(password, enc_password)?,
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
|
||||
let enc_password = encrypt_pw(password)?;
|
||||
let enc_password = pbs_tools::crypt::encrypt_pw(password)?;
|
||||
let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
||||
data[username.as_str()] = enc_password.into();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user