Logo Search packages:      
Sourcecode: util-linux version File versions  Download package


/* cryptocard.c - support for the CRYPTOCard
   RB-1 Challenge-Response Token, initial code by 
   bentson@grieg.seaslug.org (Randolph Bentson) on 3-Dec-96,
   Hacked severely by poe@daimi.aau.dk.
   This relies on an implementation of DES in a library, currently
   it interfaces with the koontz-des.tar.gz implementation which
   can be found in:


      (Link with the fdes.o file from that distribution)

   and with Eric A. Young's libdes implementation used in SSLeay. Also
   available from the above ftp site. Link with the libdes.a library.

   The sources for this code are maintained in


      1999-02-22 Arkadiusz Mi¶kiewicz <misiek@pld.ORG.PL>
      - added Native Language Support


/******************** CONFIGURATION section *****************************/
/*--------------- select ONE DES implementation ------------------------*/
/*#define KOONTZ_DES */
#define EAY_LIBDES
/*--------------- define if on little endian machine (Intel x86) -------*/
/******************** end of CONFIGURATION section **********************/

#define _BSD_SOURCE 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <syslog.h>
#include <pwd.h>
#include <sys/param.h>
#include <sys/stat.h>
#include "nls.h"

#include "../koontz-des/des.h"
#endif /* KOONTZ_DES */

#include "../libdes/des.h"
#endif /* EAY_LIBDES */

#include "cryptocard.h"

static char *
    static char challenge_str[30];
    int rfd;
    unsigned long clong;

    /* create and present a challenge string */
    if ((rfd = open("/dev/urandom", O_RDONLY)) < 0) {
      syslog(LOG_NOTICE, _("couldn't open /dev/urandom"));
      return NULL;
    if (read(rfd, &clong, 4) < 4) {
      syslog(LOG_NOTICE, _("couldn't read random data from /dev/urandom"));
      return NULL;

    sprintf(challenge_str,"%08lu", clong);
    return challenge_str;

static char *
    int success = 0;
    char keyfile[MAXPATHLEN];
    static char key[10];
    int rfd;
    struct stat statbuf;

    if (strlen(pwd->pw_dir) + 13 > sizeof(keyfile))
      goto bail_out;
    sprintf(keyfile, "%s/.cryptocard", pwd->pw_dir);

    if ((rfd = open(keyfile, O_RDONLY)) < 0) {
      syslog(LOG_NOTICE, _("can't open %s for reading"), keyfile);
      goto bail_out;
    if (fstat(rfd, &statbuf) < 0) {
      syslog(LOG_NOTICE, _("can't stat(%s)"), keyfile);
      goto close_and_bail_out;
    if ((statbuf.st_uid != pwd->pw_uid)
      || ((statbuf.st_mode & S_IFMT) != S_IFREG)
      || (statbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO))) {
      syslog(LOG_NOTICE, _("%s doesn't have the correct filemodes"), keyfile);
      goto close_and_bail_out;
    if (read(rfd, key, 8) < 8) {
      syslog(LOG_NOTICE, _("can't read data from %s"), keyfile);
      goto close_and_bail_out;

    key[8] = 0;
    success = 1;

    if (success)
      return key;
      return NULL;

static int
check_response(char *challenge, char *response, char *key)
    char buf[20];

    extern void des (union LR_block *);
    extern void loadkey(char *,int);
    extern void set_des_mode(int);

    union LR_block data;

    strncpy((char *)data.string, (char *)challenge, 8);
    loadkey(key, NOSHIFT);

    memset(key, 0, 8); /* no need for the secret key anymore, scratch it */

    sprintf(buf, "%2.2X%2.2X%2.2X%2.2X",
          (int)(data.LR[0]) & 0xff,
          (int)(data.LR[0]>>8) & 0xff,
          (int)(data.LR[0]>>16) & 0xff,
          (int)(data.LR[0]>>24) & 0xff);
#endif /* KOONTZ_DES */
    des_cblock       res;
    des_key_schedule ks;
    des_set_key((des_cblock *)key, ks);
    memset(key, 0, 8);
    des_ecb_encrypt((des_cblock *)challenge, &res, ks, DES_ENCRYPT);

    /* use this on Intel x86 boxes */
    sprintf(buf, "%2.2X%2.2X%2.2X%2.2X",
          res[0], res[1], res[2], res[3]);
#else /* ie. BIG_ENDIAN */
    /* use this on big endian RISC boxes */
    sprintf(buf, "%2.2X%2.2X%2.2X%2.2X",
          res[3], res[2], res[1], res[0]);
#endif /* LITTLE_ENDIAN */
#endif /* EAY_LIBDES */

    /* return success only if ALL requirements have been met */
    if (strncmp(buf, response, 8) == 0)
      return 1;

    return 0;

    char prompt[80];
    char *challenge;
    char *key;
    char *response;

    challenge = generate_challenge();
    if (challenge == NULL) return 0;

    if (strlen(challenge) + 13 > sizeof(prompt)) return 0;
    sprintf(prompt, "%s Password: ", challenge);

    alarm((unsigned int)timeout);  /* give user time to fiddle with card */
    response = getpass(prompt);  /* presents challenge and gets response */

    if (response == NULL) return 0;

    /* This requires some explanation: As root we may not be able to
       read the directory of the user if it is on an NFS mounted
       filesystem. We temporarily set our effective uid to the user-uid
       making sure that we keep root privs. in the real uid. 

       A portable solution would require a fork(), but we rely on Linux
       having the BSD setreuid() */

      uid_t ruid = getuid();
      gid_t egid = getegid();

      setregid(-1, pwd->pw_gid);
      setreuid(0, pwd->pw_uid);

      /* now we can access the file */
      /* get the (properly qualified) key */
      key = get_key();

      /* reset to root privs */
      setuid(0); /* setreuid doesn't do it alone! */
      setreuid(ruid, 0);
      setregid(-1, egid);

      if (key == NULL) return 0;

    return check_response(challenge, response, key);

#endif /* CRYPTOCARD */

Generated by  Doxygen 1.6.0   Back to index