Make some fixes and add demos

Signed-off-by: Mattias Andrée <maandree@kth.se>

8 files changed, 300 insertions, 9 deletions

diff --git a/.gitignore b/.gitignore
index e41dce2..8ed3063 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,6 @@
 *.su
 *.dll
 *.dylib
+/democonfig
+/demo-setup
+/demo-login
diff --git a/Makefile b/Makefile
index 2ee23b3..202fdce 100644
--- a/Makefile
+++ b/Makefile
@@ -25,11 +25,17 @@ OBJ =\
 HDR =\
 	libsecauth.h
 
+BIN =\
+	demo-setup\
+	demo-login
+
 LOBJ = $(OBJ:.o=.lo)
 
 
-all: libsecauth.a libsecauth.$(LIBEXT)
+all: libsecauth.a libsecauth.$(LIBEXT) $(BIN)
 $(OBJ): $($@:.o=.c) $(HDR)
+demo-setup.o: demo-setup.c $(HDR)
+demo-login.o: demo-login.c $(HDR)
 
 libsecauth.a: $(OBJ)
 	-rm -f -- $@
@@ -45,6 +51,12 @@ libsecauth.$(LIBEXT): $(LOBJ)
 .c.lo:
 	$(CC) -fPIC -c -o $@ $< $(CFLAGS) $(CPPFLAGS)
 
+demo-setup: demo-setup.o libsecauth.a
+	$(CC) -o $@ demo-setup.o libsecauth.a $(LDFLAGS)
+
+demo-login: demo-login.o libsecauth.a
+	$(CC) -o $@ demo-login.o libsecauth.a $(LDFLAGS)
+
 install: libsecauth.a libsecauth.$(LIBEXT)
 	mkdir -p -- "$(DESTDIR)$(PREFIX)/lib"
 	mkdir -p -- "$(DESTDIR)$(PREFIX)/include"
@@ -62,7 +74,7 @@ uninstall:
 	-rm -f -- "$(DESTDIR)$(PREFIX)/include/libsecauth.h"
 
 clean:
-	-rm -rf -- *.o *.a *.so *.lo *.su *.dll *.dylib
+	-rm -rf -- *.o *.a *.so *.lo *.su *.dll *.dylib democonfig $(BIN)
 
 .SUFFIXES:
 .SUFFIXES: .c .o .lo
diff --git a/config.mk b/config.mk
index f785a40..03a64d3 100644
--- a/config.mk
+++ b/config.mk
@@ -4,5 +4,5 @@ MANPREFIX = $(PREFIX)/share/man
 CC = cc
 
 CPPFLAGS = -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE=700
-CFLAGS   = -std=c99 -Wall -Os
-LDFLAGS  = -s
+CFLAGS   = -std=c99 -Wall -O2
+LDFLAGS  = -s -lcrypt
diff --git a/demo-login.c b/demo-login.c
new file mode 100644
index 0000000..fd3c750
--- /dev/null
+++ b/demo-login.c
@@ -0,0 +1,172 @@
+/* See LICENSE file for copyright and license details. */
+#include "libsecauth.h"
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define PEPPER "pepper"
+
+
+static char *
+server_lookup_hash(void)
+{
+	char *settings;
+	size_t size, len;
+	ssize_t r;
+	int fd;
+
+	fd = open("democonfig", O_RDONLY);
+	if (fd < 0) {
+		perror("open");
+		return NULL;
+	}
+	settings = NULL;
+	size = 0;
+	for (len = 0;; len += (size_t)r) {
+		if (len == size) {
+			settings = realloc(settings, size += 128);
+			if (!settings) {
+				perror("realloc");
+				return NULL;
+			}
+		}
+		r = read(fd, &settings[len], size - len);
+		if (r <= 0) {
+			if (!r)
+				break;
+			perror("read");
+			return NULL;
+		}
+	}
+	close(fd);
+	if (!len || settings[len - 1] != '\n') {
+		fprintf(stderr, "./democonfig is corrupt\n");
+		return NULL;
+	}
+	settings[len - 1] = '\0';
+
+	return settings;
+}
+
+int
+main(int argc, char *argv[])
+{
+	struct libsecauth_spec spec;
+	char *message, *settings, *expected;
+	size_t size, off;
+	int fd;
+	ssize_t w;
+	int r;
+
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s password", argv[0]);
+		return 1;
+	}
+
+	/* -- SERVER -- */
+
+	settings = server_lookup_hash();
+	if (!settings)
+		return 1;
+	if (libsecauth_parse_spec(&spec, settings)) {
+		perror("libsecauth_parse_spec");
+		return 1;
+	}
+	spec.posthash = NULL;
+	spec.expected = NULL;
+	spec.client_rounds -= spec.client_rounds > 0;
+	spec.server_rounds = 0;
+
+	size = libsecauth_format_spec(&spec, NULL, 0);
+	message = malloc(size);
+	if (!message) {
+		perror("malloc");
+		return 1;
+	}
+	libsecauth_format_spec(&spec, message, size);
+	free(settings);
+
+	/* -- CLIENT -- */
+
+	settings = message;
+	if (libsecauth_parse_spec(&spec, settings)) {
+		perror("libsecauth_parse_spec");
+		return 1;
+	}
+	message = libsecauth_client_hash(&spec, argv[1]);
+	if (!message) {
+		perror("libsecauth_client_hash");
+		return 1;
+	}
+	free(settings);
+
+	/* -- SERVER -- */
+
+	settings = server_lookup_hash();
+	if (!settings)
+		return 1;
+	if (libsecauth_parse_spec(&spec, settings)) {
+		perror("libsecauth_parse_spec");
+		return 1;
+	}
+	spec.server_rounds += spec.client_rounds > 0;
+	spec.client_rounds -= spec.client_rounds > 0;
+	r = libsecauth_server_hash(&spec, message, PEPPER, NULL);
+	if (r < 0) {
+		perror("libsecauth_server_hash");
+		return 1;
+	} else if (!r) {
+		free(settings);
+		free(message);
+		printf("Incorrect password\n");
+		return 0;
+	}
+	printf("Login OK\n");
+
+	expected = NULL;
+	if (!spec.client_rounds) {
+		spec.xferhash = "$1$newsalt1$";
+		spec.posthash = "$6$rounds=1000$newsalt2$";
+		spec.expected = NULL;
+		spec.server_rounds = 100;
+		if (libsecauth_server_hash(&spec, message, PEPPER, &expected) < 0) {
+			perror("libsecauth_server_hash");
+			return 1;
+		}
+		spec.client_rounds = spec.server_rounds;
+		spec.server_rounds = 0;
+		spec.expected = expected;
+		printf("password rehashed\n");
+	}
+	free(message);
+	size = libsecauth_format_spec(&spec, NULL, 0);
+	message = malloc(size);
+	if (!message) {
+		perror("malloc");
+		return 1;
+	}
+	libsecauth_format_spec(&spec, message, size);
+	free(settings);
+	free(expected);
+
+	message[size - 1] = '\n';
+	fd = open("democonfig", O_WRONLY | O_TRUNC, 0600);
+	if (fd < 0) {
+		perror("open");
+		return 1;
+	}
+	for (off = 0; off < size; off += (size_t)w) {
+		w = write(fd, &message[off], size - off);
+		if (w <= 0) {
+			perror("write");
+			return 1;
+		}
+	}
+	close(fd);
+
+	free(message);
+
+	return 0;
+}
diff --git a/demo-setup.c b/demo-setup.c
new file mode 100644
index 0000000..fa18c05
--- /dev/null
+++ b/demo-setup.c
@@ -0,0 +1,98 @@
+/* See LICENSE file for copyright and license details. */
+#include "libsecauth.h"
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define PEPPER "pepper"
+
+
+int
+main(int argc, char *argv[])
+{
+	struct libsecauth_spec spec;
+	char *message, *hash;
+	size_t size, off;
+	ssize_t r;
+	int fd;
+
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s password", argv[0]);
+		return 1;
+	}
+
+	/* -- SERVER -- */
+
+	memset(&spec, 0, sizeof(spec));
+	spec.prehash = "$6$rounds=2000$salt1$";
+	spec.xferhash = "$1$salt2$";
+	spec.client_rounds = 100;
+	spec.server_rounds = 0;
+
+	size = libsecauth_format_spec(&spec, NULL, 0);
+	message = malloc(size);
+	if (!message) {
+		perror("malloc");
+		return 1;
+	}
+	libsecauth_format_spec(&spec, message, size);
+
+	/* -- CLIENT -- */
+
+	memset(&spec, 0, sizeof(spec));
+	if (libsecauth_parse_spec(&spec, message)) {
+		perror("libsecauth_parse_spec");
+		return 1;
+	}
+
+	hash = libsecauth_client_hash(&spec, argv[1]);
+	if (!hash) {
+		perror("libsecauth_client_hash");
+		return 1;
+	}
+	free(message);
+	message = hash;
+
+	/* -- SERVER -- */
+
+	memset(&spec, 0, sizeof(spec));
+	spec.prehash = "$6$rounds=2000$salt1$";
+	spec.xferhash = "$1$salt2$";
+	spec.client_rounds = 100;
+	spec.server_rounds = 0;
+	spec.posthash = "$6$rounds=1000$salt3$";
+	if (libsecauth_server_hash(&spec, message, PEPPER, &hash) < 0) {
+		perror("libsecauth_server_hash");
+		return 1;
+	}
+	spec.expected = hash;
+	free(message);
+	size = libsecauth_format_spec(&spec, NULL, 0);
+	message = malloc(size);
+	if (!message) {
+		perror("malloc");
+		return 1;
+	}
+	libsecauth_format_spec(&spec, message, size);
+	free(hash);
+
+	message[size - 1] = '\n';
+	fd = open("democonfig", O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (fd < 0) {
+		perror("open");
+		return 1;
+	}
+	for (off = 0; off < size; off += (size_t)r) {
+		r = write(fd, &message[off], size - off);
+		if (r <= 0) {
+			perror("write");
+			return 1;
+		}
+	}
+	close(fd);
+	free(message);
+
+	return 0;
+}
diff --git a/libsecauth_format_spec.c b/libsecauth_format_spec.c
index 83a08cf..09fa600 100644
--- a/libsecauth_format_spec.c
+++ b/libsecauth_format_spec.c
@@ -25,5 +25,5 @@ libsecauth_format_spec(struct libsecauth_spec *spec, char *buffer, size_t buffer
 	             client_rounds, server_rounds,
 	             spec->posthash ? "{$" : "", spec->posthash ? spec->posthash : "", spec->posthash ? "$}" : "",
 	             expected_with_dollars ? "{$" : "", spec->expected ? spec->expected : "" , expected_with_dollars ? "$}" : "");
-	return i > 0 ? (size_t)i : 0;
+	return i > 0 ? (size_t)(i + 1) : 0;
 }
diff --git a/libsecauth_parse_spec.c b/libsecauth_parse_spec.c
index 2961268..e1b0e7d 100644
--- a/libsecauth_parse_spec.c
+++ b/libsecauth_parse_spec.c
@@ -14,6 +14,7 @@ get_subhash(char *s, char **endp)
 
 	if (s[0] == '{' && s[1] == '$') {
 		s = ret = &s[2];
+		depth += 1;
 	} else {
 		ret = s;
 	}
@@ -24,12 +25,15 @@ get_subhash(char *s, char **endp)
 			if (!depth)
 				return NULL;
 			if (!--depth) {
+				s[-1] = '\0';
 				*s++ = '\0';
 				*s++ = '\0';
+				*endp = s;
 				return ret;
 			}
 		} else if (s[0] == '$' && !depth) {
 			*s++ = '\0';
+			*endp = s;
 			return ret;
 		}
 	}
@@ -53,6 +57,7 @@ libsecauth_parse_spec(struct libsecauth_spec *spec, char *s)
 {
 	const char *client_rounds, *server_rounds;
 	size_t slen = strlen(s);
+	char *sorig = s;
 
 	memset(spec, 0, sizeof(*spec));
 
@@ -65,20 +70,20 @@ libsecauth_parse_spec(struct libsecauth_spec *spec, char *s)
 	client_rounds  = get_subhash(s, &s);
 	server_rounds  = get_subhash(s, &s);
 	spec->posthash = get_subhash(s, &s);
-	spec->expected = get_subhash(s, &s);
+	spec->expected = s;
 
 	if (client_rounds && strtou32(client_rounds, &spec->client_rounds))
 		goto invalid;
 	if (server_rounds && strtou32(server_rounds, &spec->server_rounds))
 		goto invalid;
 
-	if (*s)
+	if (strchr(s, '$'))
 		goto invalid;
 
 	return 0;
 
 invalid:
-	memset(s, 0, slen);
+	memset(sorig, 0, slen);
 	errno = EINVAL;
 	return -1;
 }
diff --git a/libsecauth_server_hash.c b/libsecauth_server_hash.c
index 6f0d4f0..80f9318 100644
--- a/libsecauth_server_hash.c
+++ b/libsecauth_server_hash.c
@@ -15,7 +15,8 @@ libsecauth_server_hash(const struct libsecauth_spec *spec, const char *inhash, c
 	uint32_t rounds;
 	size_t i = 0;
 
-	*resultp = NULL;
+	if (resultp)
+		*resultp = NULL;
 	memset(hashbuf, 0, sizeof(hashbuf));
 
 	for (i = 0, rounds = spec->server_rounds; rounds--; i ^= 1) {