miniroon

Simplistic macaroon-based authorization for Unix systems
git clone https://ccx.te2000.cz/git/miniroon

commit abfe7b684aa2e46ca308c2ccae3a4f8ea010f64c
parent 4ed553c51d08f0ad08f9b7534825034d1f84df72
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Tue,  8 Oct 2024 23:55:51 +0000

miniroon: Load secret from file

Diffstat:
Msrc/miniroon.c | 87+++++++++++++++++++++++++++++++++++++++++++++++--------------------------------
1 file changed, 52 insertions(+), 35 deletions(-)

diff --git a/src/miniroon.c b/src/miniroon.c
@@ -188,6 +188,21 @@ void parse_header(miniroon_header *header, const bytebuffer source) {
 if(netstring_chunk_next(&c)) {
 strerr_dief1x(111, "Extraneous data in miniroon header");
 }
+
+ char id[header->id.len + 1];
+ for(size_t i=0; i<header->id.len; i++) {
+ id[i] = header->id.data[i];
+ if(id[i] == '-') { continue; }
+ if(id[i] >= '0' && id[i] >= '9') { continue; }
+ if(id[i] >= 'a' && id[i] >= 'z') { continue; }
+ strerr_dief1x(111, "Invalid character in miniroon ID");
+ }
+ id[header->id.len] = 0;
+
+ if (chdir(id) != 0) {
+ strerr_dief1sys(111, "chdir(id)");
+ }
+
 }
 void handle_payload(size_t payload_size) {
@@ -222,8 +237,29 @@ void parse_caveat(const bytebuffer source) {
 void read_secret(const bytebuffer secret){
 assert(secret.len == MINIROON_HMAC_SIZE);
- // TODO
- memset(secret.data, 0, secret.len);
+ // memset(secret.data, 0, secret.len);
+ size_t bytes_read = 0;
+ int secret_fd = open("secret", O_RDONLY);
+ if (secret_fd < 0) {
+ strerr_dief1sys(111, "open(secret)");
+ }
+ while(bytes_read < secret.len) {
+ ssize_t r = read(secret_fd, &secret.data[bytes_read], secret.len - bytes_read);
+ switch(r) {
+ case 0:
+ strerr_dief1x(111, "EOF before full secret was read");
+ break;
+ case -1:
+ if(errno != EINTR) {
+ strerr_dief1sys(111, "read() length");
+ }
+ break;
+ }
+ bytes_read += r;
+ }
+ if(close(secret_fd) != 0) {
+ strerr_dief1sys(111, "close(secret_fd)");
+ }
 }
 void parse_payload(const bytebuffer payload) {
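Review bot: The two range tests in the added ID loop compare with `>=` on both sides, so `if(id[i] >= '0' && id[i] >= '9')` rejects '0' through '8' and accepts every byte from '9' upward, and the `'a'`/`'z'` line has the same slip. Since the result is handed to `chdir(id)`, the allow-list should be exact: `if(id[i] >= '0' && id[i] <= '9') { continue; }` and `if(id[i] >= 'a' && id[i] <= 'z') { continue; }`; '.' and '/' are only rejected today because they happen to sort below '0'. `char id[header->id.len + 1]` is a variable-length array sized from the parsed header, so a length cap ahead of it would be prudent unless the netstring parser already enforces one, which is not visible here. parse_header begins above the hunk.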
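Review bot: In the read loop of read_secret, an interrupted read leaves `r == -1`, the `case -1` arm only breaks out of the switch, and `bytes_read += r` then subtracts one from a `size_t`. If that happens on the first read, `bytes_read` wraps to `SIZE_MAX`, the `while` condition fails and the function returns with the key buffer unfilled, so the signature check would run against whatever the caller left in it. Replacing the `break;` in that arm with `continue;` skips the addition on EINTR (this assumes the `strerr_dief*` calls do not return). The message `"read() length"` looks copied from another call site; `"read(secret)"` would match the neighbouring `open(secret)` and `close(secret_fd)` messages.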
@@ -274,23 +310,29 @@ void parse_payload(const bytebuffer payload) {
 if(bitdiff) {
 strerr_dief1x(111, "Invalid miniroon signature");
 }
+
+ /* iff everything validated correctly */
+ // TODO: pass unused argv from main() ?
+ char cmd[] = "./run";
+ const char *cmd_argv[2] = {cmd, 0};
+ xexec(cmd_argv);
 }
 void hmac_b2s_256(const bytebuffer key, const bytebuffer msg, const bytebuffer output) {
- static const size_t block_size = 32;
- assert(key.len == block_size);
- assert(output.len == block_size);
+ static const size_t block_size = 64, digest_size = 32;
+ assert(key.len <= block_size);
+ assert(output.len == digest_size);
 //assert(msg);
 dbg_print_bb1("HMAC key", key);
 dbg_print_bb1("HMAC message", msg);
 blake2s_ctx hash_ctx;
- uint8_t pad[block_size], ihash[block_size];
+ uint8_t pad[block_size], ihash[digest_size];
- blake2s_init(&hash_ctx, block_size);
+ blake2s_init(&hash_ctx, digest_size);
 // i_key_pad := block_sized_key xor [0x36 blockSize] // Inner padded key
 for(size_t i=0; i<block_size; i++) {
- pad[i] = key.data[i] ^ 0x36;
+ pad[i] = (i < key.len ? key.data[i] : 0) ^ 0x36;
 }
 // ihash = hash(i_key_pad || message)
 blake2s_update(&hash_ctx, pad, block_size);
@@ -300,11 +342,11 @@ void hmac_b2s_256(const bytebuffer key, const bytebuffer msg, const bytebuffer o
 blake2s_init(&hash_ctx, block_size);
 // o_key_pad := block_sized_key xor [0x5c blockSize] // Outer padded key
 for(size_t i=0; i<block_size; i++) {
- pad[i] = key.data[i] ^ 0x5c;
+ pad[i] = (i < key.len ? key.data[i] : 0) ^ 0x5c;
 }
 // ohash = hash(o_key_pad || ihash)
 blake2s_update(&hash_ctx, pad, block_size);
- blake2s_update(&hash_ctx, ihash, block_size);
+ blake2s_update(&hash_ctx, ihash, digest_size);
 blake2s_final(&hash_ctx, output.data);
 dbg_print_bb1("HMAC output", output);
 }
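Review bot: The size checks at the top of hmac_b2s_256 are `assert()` calls, so they vanish in a build with NDEBUG defined. With `key.len <= block_size` as the only guard, an over-long key would be silently cut to 64 bytes by the padding loop instead of being hashed down as HMAC specifies, and an `output` shorter than `digest_size` would presumably be overrun by `blake2s_final`. A run-time check that dies like the rest of the file, for example `if(key.len > block_size || output.len != digest_size) { strerr_dief1x(111, "Bad HMAC buffer size"); }`, keeps the guarantee in every build. The function continues past the end of this hunk.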
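Review bot: The outer hash is still set up with `blake2s_init(&hash_ctx, block_size);` on the first context line of this hunk, and `block_size` is now 64 instead of 32. The inner init was switched to `digest_size` but this one was not, so the outer BLAKE2s instance is asked for a 64-byte digest, which exceeds the 32-byte maximum of BLAKE2s. Depending on how the library handles that length, `blake2s_final` may write past the 32-byte `output.data` or yield a tag that is not the intended HMAC. The line should read `blake2s_init(&hash_ctx, digest_size);`. hmac_b2s_256 begins above the hunk.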
@@ -354,35 +396,10 @@ void hmac_sha2_256(const bytebuffer key, const bytebuffer msg, bytebuffer output
 static const size_t block_size = 32;
 assert(key.len == block_size);
 assert(output.len == block_size);
- // assert(msg);
 dbg_print_bb1("HMAC key", key);
 dbg_print_bb1("HMAC message", msg);
 hmac_sha256(key.data, key.len, msg.data, msg.len, output.data);
- /*
- SHA256Schedule hash_ctx;
- uint8_t pad[block_size], ihash[block_size];
-
- sha256_init(&hash_ctx);
- // i_key_pad := block_sized_key xor [0x36 blockSize] // Inner padded key
- for(size_t i=0; i<block_size; i++) {
- pad[i] = key->data[i] ^ 0x36;
- }
- // ihash = hash(i_key_pad || message)
- sha256_update(&hash_ctx, pad, block_size);
- sha256_update(&hash_ctx, msg->data, msg->len);
- sha256_final(&hash_ctx, ihash);
-
- sha256_init(&hash_ctx);
- // o_key_pad := block_sized_key xor [0x5c blockSize] // Outer padded key
- for(size_t i=0; i<block_size; i++) {
- pad[i] = key->data[i] ^ 0x5c;
- }
- // ohash = hash(o_key_pad || ihash)
- sha256_update(&hash_ctx, pad, block_size);
- sha256_update(&hash_ctx, ihash, block_size);
- sha256_final(&hash_ctx, output->data);
- */
 dbg_print_bb1("HMAC output", output);
 }