rlgwebd/sqlickrypt.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sqlite3.h>
#include <unistd.h>
#include <crypt.h>

#define DATABASE "/dgldir/dgamelaunch.db"

int xcallback(void *targ, int ncols, char **vals, char **colnames) {
  char *pws;
  int j;
  pws = *((char **) targ);
  if (pws == NULL) {
    for (j = 0; j < ncols; j++) {
      if (!strcmp(colnames[j], "password"))
        *((char **) targ) = strdup(vals[j]);
    }
  }
  /* Otherwise, this isn't the first row. */
  return 0;
}

int main(int argc, char *argv[]) {
  char ibuf[160], *uname, *pw, *pwhash = NULL, *comphash;
  char finduser_sql[160];
  char *cptr; // Utility pointer
  sqlite3 *db;
  int status;

  /* Read in the username and password */
  fgets(ibuf, 160, stdin);
  uname = ibuf;
  pw = strchr(uname, '\n');
  if (pw == NULL)
    exit(4); /* Truncated */
  *pw = '\0';
  pw++;
  fgets(pw, 160 - (pw - ibuf), stdin);
  if (pw[strlen(pw) - 1] == '\n')
    pw[strlen(pw) - 1] = '\0';
  else
    exit(4); /* Truncated */
  /* Sanitize the username, because it gets put into a query. */
  for (cptr = uname; *cptr != '\0'; cptr++) {
    if (!isalnum(*cptr)) {
      exit(4);
    }
  }
  /* Construct the query */
  strcpy(finduser_sql, "SELECT * FROM dglusers WHERE username='");
  strncat(finduser_sql, uname, 40);
  strcat(finduser_sql, "';");

  status = sqlite3_open(DATABASE, &db);
  if (status) {
    sqlite3_close(db);
    return 1;
  }
  sqlite3_exec(db, finduser_sql, xcallback, (void *) &pwhash, NULL);

  sqlite3_close(db);

  /* Now check the password. */
  if (pwhash == NULL) {
    return 2;
  }
  comphash = crypt(pw, pwhash);
  if (!strcmp(pwhash, comphash))
    return 0;
  return 1;
}