diff --git a/src/server_config.c b/src/server_config.c index 9f856551..a2011144 100644 --- a/src/server_config.c +++ b/src/server_config.c @@ -123,7 +123,7 @@ nc_server_config_ssh_opts_free(struct nc_server_ssh_opts *opts) struct nc_hostkey *hostkey; struct nc_auth_client *auth_client; struct nc_public_key *pubkey; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; if (!opts) { return; @@ -179,7 +179,7 @@ static void nc_server_config_tls_opts_free(struct nc_server_tls_opts *opts) { struct nc_ctn *ctn, *next; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; if (!opts) { return; @@ -243,7 +243,7 @@ static void nc_server_config_unix_opts_free(struct nc_server_unix_opts *opts) { struct nc_server_unix_user_mapping *mapping; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; if (!opts) { return; @@ -275,7 +275,7 @@ static void nc_server_config_keystore_free(struct nc_keystore *ks) { struct nc_keystore_entry *entry; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; if (!ks) { return; @@ -309,7 +309,7 @@ nc_server_config_truststore_free(struct nc_truststore *ts) { struct nc_certificate_bag *cbag; struct nc_public_key_bag *pkbag; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; if (!ts) { return; @@ -359,7 +359,7 @@ nc_server_config_free(struct nc_server_config *config) struct nc_endpt *endpt; struct nc_ch_client *ch_client; struct nc_ch_endpt *ch_endpt; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; char *socket_path = NULL; if (!config) { @@ -599,7 +599,7 @@ config_local_bind(const struct lyd_node *node, enum nc_operation parent_op, stru enum nc_operation op; struct nc_bind *bind = NULL; const char *local_addr; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -963,7 +963,7 @@ config_ssh_hostkey(const struct lyd_node *node, enum nc_operation parent_op, str enum nc_operation op; struct nc_hostkey *hostkey = NULL; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -1104,7 +1104,7 @@ config_ssh_user_public_key(const struct lyd_node *node, enum nc_operation parent enum nc_operation op; struct lyd_node *n; struct nc_public_key *key = NULL; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; const char *name; NC_NODE_GET_OP(node, parent_op, &op); @@ -2151,7 +2151,7 @@ config_tls_client_auth_ca_cert(const struct lyd_node *node, enum nc_operation op; struct lyd_node *n; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct nc_certificate *cert = NULL; NC_NODE_GET_OP(node, parent_op, &op); @@ -2274,7 +2274,7 @@ config_tls_client_auth_ee_cert(const struct lyd_node *node, enum nc_operation op; struct lyd_node *n; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct nc_certificate *cert = NULL; NC_NODE_GET_OP(node, parent_op, &op); @@ -3068,7 +3068,7 @@ static int config_unix_user_mapping_netconf_user(const struct lyd_node *node, enum nc_operation parent_op, struct nc_server_unix_user_mapping *mapping) { enum nc_operation op; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; const char *user; char **allowed_user; @@ -3126,7 +3126,7 @@ config_unix_user_mapping(const struct lyd_node *node, enum nc_operation parent_o enum nc_operation op; struct nc_server_unix_user_mapping *mapping = NULL; const char *system_user; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct ly_set *set = NULL; uint32_t j; @@ -3262,7 +3262,7 @@ config_endpoint(const struct lyd_node *node, enum nc_operation parent_op, enum nc_operation op; struct nc_endpt *endpt = NULL; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; int r; NC_NODE_GET_OP(node, parent_op, &op); @@ -3601,7 +3601,7 @@ config_ch_client_endpoint(const struct lyd_node *node, enum nc_operation parent_ struct lyd_node *n; enum nc_operation op; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct nc_ch_endpt *endpt = NULL; NC_NODE_GET_OP(node, parent_op, &op); @@ -3855,7 +3855,7 @@ config_netconf_client(const struct lyd_node *node, enum nc_operation parent_op, struct lyd_node *n; enum nc_operation op; const char *name; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; struct nc_ch_client *ch_client = NULL; NC_NODE_GET_OP(node, parent_op, &op); @@ -4097,7 +4097,7 @@ config_asymmetric_key_cert(const struct lyd_node *node, enum nc_operation parent enum nc_operation op; struct nc_certificate *cert = NULL; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -4167,7 +4167,7 @@ config_asymmetric_key(const struct lyd_node *node, enum nc_operation parent_op, enum nc_operation op; const char *name; struct nc_keystore_entry *entry = NULL; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -4382,7 +4382,7 @@ config_certificate_bag_cert(const struct lyd_node *node, enum nc_operation paren enum nc_operation op; struct nc_certificate *cert = NULL; const char *name; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -4436,7 +4436,7 @@ config_certificate_bag(const struct lyd_node *node, enum nc_operation parent_op, enum nc_operation op; const char *name; struct nc_certificate_bag *bag = NULL; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; uint32_t j; struct ly_set *set = NULL; @@ -4569,7 +4569,7 @@ config_public_key_bag_pubkey(const struct lyd_node *node, enum nc_operation pare enum nc_operation op; const char *name; struct nc_public_key *pubkey = NULL; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; NC_NODE_GET_OP(node, parent_op, &op); @@ -4621,7 +4621,7 @@ config_public_key_bag(const struct lyd_node *node, enum nc_operation parent_op, enum nc_operation op; const char *name; struct nc_public_key_bag *bag = NULL; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct ly_set *set = NULL; uint32_t j; @@ -4848,7 +4848,7 @@ config_cert_exp_notif_interval(const struct lyd_node *node, enum nc_operation pa struct lyd_node *anchor_node, *period_node; enum nc_operation op; const char *anchor_str, *period_str; - uint32_t i; + LY_ARRAY_COUNT_TYPE i = 0; struct nc_cert_exp_time anchor = {0}, period = {0}; struct nc_cert_exp_time_interval *interval = NULL; @@ -5238,7 +5238,7 @@ nc_server_config_reconcile_chclients_dispatch(struct nc_server_config *old_cfg, struct nc_ch_client *old_ch_client, *new_ch_client; struct nc_server_ch_thread_arg **ch_thread_arg; int found; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; char **started_clients = NULL, **client_name = NULL; if (!server_opts.ch_dispatch_data.acquire_ctx_cb || !server_opts.ch_dispatch_data.release_ctx_cb || @@ -5752,7 +5752,7 @@ static int nc_server_config_truststore_dup(const struct nc_truststore *src, struct nc_truststore *dst) { int rc = 0; - LY_ARRAY_COUNT_TYPE i, j; + LY_ARRAY_COUNT_TYPE i = 0, j = 0; const struct nc_certificate_bag *src_cbag; struct nc_certificate_bag *dst_cbag; const struct nc_certificate *src_cert; @@ -6492,7 +6492,7 @@ nc_server_config_oper_get_user_password_last_modified(const char *ch_client, con const char *username, time_t *last_modified) { int rc = 0; - LY_ARRAY_COUNT_TYPE i; + LY_ARRAY_COUNT_TYPE i = 0; struct nc_server_ssh_opts *ssh_opts = NULL; struct nc_endpt *endpt = NULL; struct nc_ch_client *client = NULL; diff --git a/src/server_config_util_ssh.c b/src/server_config_util_ssh.c index fcfb5e0a..bbb8e630 100644 --- a/src/server_config_util_ssh.c +++ b/src/server_config_util_ssh.c @@ -495,15 +495,31 @@ _nc_server_config_add_ssh_user_password(const struct ly_ctx *ctx, const char *tr const char *password, struct lyd_node **config) { int ret = 0; + size_t i; char *hashed_pw = NULL; - const char *salt = "$6$idsizuippipk$"; + char salt[3 /* "$6$" */ + 16 /* random chars */ + 1 /* trailing '$' */ + 1 /* NUL */]; struct crypt_data *cdata = NULL; - - NC_CHECK_ARG_RET(NULL, ctx, tree_path, password, config, 1); + unsigned char rnd[16]; + static const char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; cdata = calloc(1, sizeof *cdata); NC_CHECK_ERRMEM_GOTO(!cdata, ret = 1, cleanup); + /* generate a random salt compatible with crypt SHA-512: "$6$$" */ + if (nc_tls_generate_random_bytes_wrap(rnd, sizeof rnd)) { + ret = 1; + goto cleanup; + } + + salt[0] = '$'; + salt[1] = '6'; + salt[2] = '$'; + for (i = 0; i < sizeof rnd; ++i) { + salt[3 + i] = itoa64[rnd[i] % 64]; + } + salt[3 + sizeof rnd] = '$'; + salt[3 + sizeof rnd + 1] = '\0'; + hashed_pw = crypt_r(password, salt, cdata); if (!hashed_pw) { ERR(NULL, "Hashing password failed (%s).", strerror(errno)); diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c index b7375eef..24ca59a9 100644 --- a/src/session_mbedtls.c +++ b/src/session_mbedtls.c @@ -2478,3 +2478,26 @@ nc_tls_keylog_session_wrap(void *session) { mbedtls_ssl_set_export_keys_cb(session, nc_tls_keylog_write_line, NULL); } + +int +nc_tls_generate_random_bytes_wrap(void *buf, size_t num) +{ + int rc = 0; + mbedtls_ctr_drbg_context *ctr_drbg = NULL; + mbedtls_entropy_context *entropy = NULL; + + rc = nc_tls_rng_new(&ctr_drbg, &entropy); + if (rc) { + goto cleanup; + } + + rc = mbedtls_ctr_drbg_random(ctr_drbg, buf, num); + if (rc) { + nc_mbedtls_strerr(NULL, rc, "Creating random bytes failed"); + goto cleanup; + } + +cleanup: + nc_tls_rng_destroy(ctr_drbg, entropy); + return rc; +} diff --git a/src/session_openssl.c b/src/session_openssl.c index 472d8c3d..52e550ed 100644 --- a/src/session_openssl.c +++ b/src/session_openssl.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -1975,3 +1976,14 @@ nc_tls_keylog_session_wrap(void *session) SSL_CTX_set_keylog_callback(ctx, nc_tls_keylog_write_line); } + +int +nc_tls_generate_random_bytes_wrap(void *buf, size_t num) +{ + if (RAND_bytes(buf, (int)num) != 1) { + ERR(NULL, "Generating random bytes failed (%s).", ERR_reason_error_string(ERR_get_error())); + return 1; + } + + return 0; +} diff --git a/src/session_wrapper.h b/src/session_wrapper.h index 229bf5a2..858ebad1 100644 --- a/src/session_wrapper.h +++ b/src/session_wrapper.h @@ -757,4 +757,13 @@ time_t nc_tls_get_cert_exp_time_wrap(void *cert); */ void nc_tls_keylog_session_wrap(void *session); +/** + * @brief Generate random bytes. + * + * @param[in] buf Buffer to fill with random bytes. + * @param[in] num Number of random bytes to generate. Caller is responsible for ensuring the buffer is large enough. + * @return 0 on success, 1 on error. + */ +int nc_tls_generate_random_bytes_wrap(void *buf, size_t num); + #endif