AuthInfo*
passLogin(char *user, char *secret)
{
AuthInfo *ai;
Chalstate *cs;
uint8_t digest[MD5dlen];
char response[2*MD5dlen+1];
int i;
if((cs = auth_challenge("proto=cram role=server")) == nil)
return nil;
hmac_md5((uint8_t*)cs->chal, strlen(cs->chal),
(uint8_t*)secret, strlen(secret), digest,
nil);
for(i = 0; i < MD5dlen; i++)
snprint(response + 2*i, sizeof(response) - 2*i, "%2.2ux", digest[i]);
cs->user = user;
cs->resp = response;
cs->nresp = strlen(response);
ai = auth_response(cs);
auth_freechal(cs);
return ai;
}
static int www_challenge(struct sip_msg *msg, char* realm, char *flags)
{
int vflags = 0;
str srealm = {0, 0};
if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
LM_ERR("failed to get realm value\n");
goto error;
}
if(srealm.len==0) {
LM_ERR("invalid realm value - empty content\n");
goto error;
}
if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
LM_ERR("invalid flags value\n");
goto error;
}
return auth_challenge(msg, &srealm, vflags, HDR_AUTHORIZATION_T);
error:
if(!(vflags&4)) {
if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
return -4;
}
return -1;
}
int
vncsrvauth(Vnc *v)
{
Chalstate *c;
AuthInfo *ai;
if((c = auth_challenge("proto=vnc role=server user=%q", getuser()))==nil)
sysfatal("vncchal: %r");
if(c->nchal != VncChalLen)
sysfatal("vncchal got %d bytes wanted %d", c->nchal, VncChalLen);
vncwrlong(v, AVncAuth);
vncwrbytes(v, c->chal, VncChalLen);
vncflush(v);
vncrdbytes(v, c->chal, VncChalLen);
c->resp = c->chal;
c->nresp = VncChalLen;
ai = auth_response(c);
auth_freechal(c);
if(ai == nil){
fprint(2, "vnc auth failed: server factotum: %r\n");
vncwrlong(v, VncAuthFailed);
vncflush(v);
return -1;
}
auth_freeAI(ai);
vncwrlong(v, VncAuthOK);
vncflush(v);
return 0;
}
static int
netkeysrvauth(int fd, char *user)
{
char response[32];
Chalstate *ch;
int tries;
AuthInfo *ai;
if(readstr(fd, user, 32) < 0)
return -1;
ai = nil;
ch = nil;
for(tries = 0; tries < 10; tries++){
if((ch = auth_challenge("proto=p9cr role=server user=%q", user)) == nil)
return -1;
writestr(fd, ch->chal, "challenge", 1);
if(readstr(fd, response, sizeof response) < 0)
return -1;
ch->resp = response;
ch->nresp = strlen(response);
if((ai = auth_response(ch)) != nil)
break;
}
auth_freechal(ch);
if(ai == nil)
return -1;
writestr(fd, "", "challenge", 1);
if(auth_chuid(ai, 0) < 0)
fatal(1, "newns");
auth_freeAI(ai);
return fd;
}
AuthInfo*
auth_userpasswd(char *user, char *passwd)
{
char key[DESKEYLEN], resp[16];
AuthInfo *ai;
Chalstate *ch;
/*
* Probably we should have a factotum protocol
* to check a raw password. For now, we use
* p9cr, which is simplest to speak.
*/
if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil)
return nil;
passtokey(key, passwd);
netresp(key, atol(ch->chal), resp);
memset(key, 0, sizeof key);
ch->resp = resp;
ch->nresp = strlen(resp);
ai = auth_response(ch);
auth_freechal(ch);
return ai;
}
static void
hello(void)
{
fmtinstall('H', encodefmt);
if((chs = auth_challenge("proto=apop role=server")) == nil){
senderr("auth server not responding, try later");
exits(nil);
}
sendok("POP3 server ready %s", chs->chal);
}
void
main(int argc, char **argv)
{
char buf[128], bufu[128];
int afd, n;
AuthInfo *ai;
AuthRpc *rpc;
Chalstate *c;
ARGBEGIN{
default:
usage();
}ARGEND
if(argc != 1)
usage();
if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
sysfatal("open /mnt/factotum/rpc: %r");
rpc = auth_allocrpc(afd);
if(rpc == nil)
sysfatal("auth_allocrpc: %r");
if((c = auth_challenge("%s", argv[0])) == nil)
sysfatal("auth_challenge: %r");
print("challenge: %s\n", c->chal);
print("user:"******"response: ");
n = read(0, buf, sizeof buf);
if(n < 0)
sysfatal("read: %r");
if(n == 0)
exits(nil);
c->nresp = n-1;
c->resp = buf;
if((ai = auth_response(c)) == nil)
sysfatal("auth_response: %r");
print("%s %s\n", ai->cuid, ai->suid);
}
static AuthInfo*
responselogin(char *user, char *resp)
{
Chalstate *c;
AuthInfo *ai;
if((c = auth_challenge("proto=p9cr user=%q role=server", user)) == nil){
sshlog("auth_challenge failed for %s", user);
return nil;
}
c->resp = resp;
c->nresp = strlen(resp);
ai = auth_response(c);
auth_freechal(c);
return ai;
}
static int
passcmd(char *arg)
{
DigestState *s;
uint8_t digest[MD5dlen];
char response[2*MD5dlen+1];
if(passwordinclear==0 && didtls==0)
return senderr("password in the clear disallowed");
/* use password to encode challenge */
if((chs = auth_challenge("proto=apop role=server")) == nil)
return senderr("couldn't get apop challenge");
/* hash challenge with secret and convert to ascii */
s = md5((uint8_t*)chs->chal, chs->nchal, 0, 0);
md5((uint8_t*)arg, strlen(arg), digest, s);
snprint(response, sizeof response, "%.*H", MD5dlen, digest);
return dologin(response);
}
/*
* rfc 2195 cram-md5 authentication
*/
char*
cramauth(void)
{
AuthInfo *ai;
Chalstate *cs;
char *s, *t;
int n;
if((cs = auth_challenge("proto=cram role=server")) == nil)
return "couldn't get cram challenge";
n = cs->nchal;
s = binalloc(&parseBin, n * 2, 0);
n = enc64(s, n * 2, (uint8_t*)cs->chal, n);
Bprint(&bout, "+ ");
Bwrite(&bout, s, n);
Bprint(&bout, "\r\n");
if(Bflush(&bout) < 0)
writeErr();
s = authresp();
if(s == nil)
return "client cancelled authentication";
t = strchr(s, ' ');
if(t == nil)
bye("bad auth response");
*t++ = '\0';
strncpy(username, s, UserNameLen);
username[UserNameLen-1] = '\0';
cs->user = username;
cs->resp = t;
cs->nresp = strlen(t);
if((ai = auth_response(cs)) == nil)
return "login failed";
auth_freechal(cs);
setupuser(ai);
return nil;
}
static int ah_post_send(ne_request *req, void *cookie, const ne_status *status)
{
auth_session *sess = cookie;
struct auth_request *areq = ne_get_request_private(req, sess->spec->id);
const char *auth_hdr, *auth_info_hdr;
int ret = NE_OK;
if (!areq) return NE_OK;
auth_hdr = ne_get_response_header(req, sess->spec->resp_hdr);
auth_info_hdr = ne_get_response_header(req, sess->spec->resp_info_hdr);
if (sess->context == AUTH_CONNECT && status->code == 401 && !auth_hdr) {
/* Some broken proxies issue a 401 as a proxy auth challenge
* to a CONNECT request; handle this here. */
auth_hdr = ne_get_response_header(req, "WWW-Authenticate");
auth_info_hdr = NULL;
}
#ifdef HAVE_GSSAPI
/* whatever happens: forget the GSSAPI token cached thus far */
if (sess->gssapi_token) {
ne_free(sess->gssapi_token);
sess->gssapi_token = NULL;
}
#endif
NE_DEBUG(NE_DBG_HTTPAUTH,
"ah_post_send (#%d), code is %d (want %d), %s is %s\n",
sess->attempt, status->code, sess->spec->status_code,
sess->spec->resp_hdr, auth_hdr ? auth_hdr : "(none)");
if (auth_info_hdr && sess->scheme == auth_scheme_digest) {
if (verify_digest_response(areq, sess, auth_info_hdr)) {
NE_DEBUG(NE_DBG_HTTPAUTH, "Response authentication invalid.\n");
ne_set_error(sess->sess, "%s", _(sess->spec->fail_msg));
ret = NE_ERROR;
}
}
#ifdef HAVE_GSSAPI
/* one must wonder... has Mr Brezak actually read RFC2617? */
else if (sess->scheme == auth_scheme_gssapi
&& (status->klass == 2 || status->klass == 3)
&& auth_hdr) {
char *hdr = ne_strdup(auth_hdr);
if (verify_negotiate_response(sess, hdr)) {
NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: Mutual auth failed.\n");
ret = NE_ERROR;
}
ne_free(hdr);
}
#endif /* HAVE_GSSAPI */
else if ((status->code == sess->spec->status_code ||
(status->code == 401 && sess->context == AUTH_CONNECT)) &&
auth_hdr) {
/* note above: allow a 401 in response to a CONNECT request
* from a proxy since some buggy proxies send that. */
NE_DEBUG(NE_DBG_HTTPAUTH, "Got challenge (code %d).\n", status->code);
if (!auth_challenge(sess, auth_hdr)) {
ret = NE_RETRY;
} else {
clean_session(sess);
ret = sess->spec->fail_code;
}
}
#ifdef HAVE_SSPI
else if (sess->sspi_context) {
ne_sspi_clear_context(sess->sspi_context);
}
#endif
return ret;
}
void
auth(String *mech, String *resp)
{
char *user, *pass, *scratch = nil;
AuthInfo *ai = nil;
Chalstate *chs = nil;
String *s_resp1_64 = nil, *s_resp2_64 = nil, *s_resp1 = nil;
String *s_resp2 = nil;
if (rejectcheck())
goto bomb_out;
syslog(0, "smtpd", "auth(%s, %s) from %s", s_to_c(mech),
"(protected)", him);
if (authenticated) {
bad_sequence:
rejectcount++;
reply("503 5.5.2 Bad sequence of commands\r\n");
goto bomb_out;
}
if (cistrcmp(s_to_c(mech), "plain") == 0) {
if (!passwordinclear) {
rejectcount++;
reply("538 5.7.1 Encryption required for requested "
"authentication mechanism\r\n");
goto bomb_out;
}
s_resp1_64 = resp;
if (s_resp1_64 == nil) {
reply("334 \r\n");
s_resp1_64 = s_new();
if (getcrnl(s_resp1_64, &bin) <= 0)
goto bad_sequence;
}
s_resp1 = s_dec64(s_resp1_64);
if (s_resp1 == nil) {
rejectcount++;
reply("501 5.5.4 Cannot decode base64\r\n");
goto bomb_out;
}
memset(s_to_c(s_resp1_64), 'X', s_len(s_resp1_64));
user = s_to_c(s_resp1) + strlen(s_to_c(s_resp1)) + 1;
pass = user + strlen(user) + 1;
ai = auth_userpasswd(user, pass);
authenticated = ai != nil;
memset(pass, 'X', strlen(pass));
goto windup;
}
else if (cistrcmp(s_to_c(mech), "login") == 0) {
if (!passwordinclear) {
rejectcount++;
reply("538 5.7.1 Encryption required for requested "
"authentication mechanism\r\n");
goto bomb_out;
}
if (resp == nil) {
reply("334 VXNlcm5hbWU6\r\n");
s_resp1_64 = s_new();
if (getcrnl(s_resp1_64, &bin) <= 0)
goto bad_sequence;
}
reply("334 UGFzc3dvcmQ6\r\n");
s_resp2_64 = s_new();
if (getcrnl(s_resp2_64, &bin) <= 0)
goto bad_sequence;
s_resp1 = s_dec64(s_resp1_64);
s_resp2 = s_dec64(s_resp2_64);
memset(s_to_c(s_resp2_64), 'X', s_len(s_resp2_64));
if (s_resp1 == nil || s_resp2 == nil) {
rejectcount++;
reply("501 5.5.4 Cannot decode base64\r\n");
goto bomb_out;
}
ai = auth_userpasswd(s_to_c(s_resp1), s_to_c(s_resp2));
authenticated = ai != nil;
memset(s_to_c(s_resp2), 'X', s_len(s_resp2));
windup:
if (authenticated) {
/* if you authenticated, we trust you despite your IP */
trusted = 1;
reply("235 2.0.0 Authentication successful\r\n");
} else {
rejectcount++;
reply("535 5.7.1 Authentication failed\r\n");
syslog(0, "smtpd", "authentication failed: %r");
}
goto bomb_out;
}
else if (cistrcmp(s_to_c(mech), "cram-md5") == 0) {
int chal64n;
char *resp, *t;
chs = auth_challenge("proto=cram role=server");
if (chs == nil) {
rejectcount++;
reply("501 5.7.5 Couldn't get CRAM-MD5 challenge\r\n");
goto bomb_out;
}
scratch = malloc(chs->nchal * 2 + 1);
chal64n = enc64(scratch, chs->nchal * 2, (uchar *)chs->chal,
chs->nchal);
scratch[chal64n] = 0;
reply("334 %s\r\n", scratch);
s_resp1_64 = s_new();
if (getcrnl(s_resp1_64, &bin) <= 0)
goto bad_sequence;
s_resp1 = s_dec64(s_resp1_64);
if (s_resp1 == nil) {
rejectcount++;
reply("501 5.5.4 Cannot decode base64\r\n");
goto bomb_out;
}
/* should be of form <user><space><response> */
resp = s_to_c(s_resp1);
t = strchr(resp, ' ');
if (t == nil) {
rejectcount++;
reply("501 5.5.4 Poorly formed CRAM-MD5 response\r\n");
goto bomb_out;
}
*t++ = 0;
chs->user = resp;
chs->resp = t;
chs->nresp = strlen(t);
ai = auth_response(chs);
authenticated = ai != nil;
goto windup;
}
rejectcount++;
reply("501 5.5.1 Unrecognised authentication type %s\r\n", s_to_c(mech));
bomb_out:
if (ai)
auth_freeAI(ai);
if (chs)
auth_freechal(chs);
if (scratch)
free(scratch);
if (s_resp1)
s_free(s_resp1);
if (s_resp2)
s_free(s_resp2);
if (s_resp1_64)
s_free(s_resp1_64);
if (s_resp2_64)
s_free(s_resp2_64);
}
SmbProcessResult
smbnegotiate(SmbSession *s, SmbHeader *h, uchar *, SmbBuffer *b)
{
ushort index;
int i;
uchar bufferformat;
if (!smbcheckwordcount("negotiate", h, 0))
return SmbProcessResultFormat;
if (s->state != SmbSessionNeedNegotiate) {
/* this acts as a complete session reset */
smblogprint(-1, "smbnegotiate: called when already negotiated\n");
return SmbProcessResultUnimp;
}
i = 0;
index = 0xffff;
while (smbbuffergetb(b, &bufferformat)) {
char *s;
if (bufferformat != 0x02) {
smblogprint(-1, "smbnegotiate: unrecognised buffer format 0x%.2ux\n", bufferformat);
return SmbProcessResultFormat;
}
if (!smbbuffergetstr(b, 0, &s)) {
smblogprint(-1, "smbnegotiate: no null found\n");
return SmbProcessResultFormat;
}
smblogprint(h->command, "smbnegotiate: '%s'\n", s);
if (index == 0xffff && strcmp(s, "NT LM 0.12") == 0)
index = i;
i++;
free(s);
}
if (index != 0xffff) {
Tm *tm;
ulong capabilities;
ulong bytecountfixupoffset;
h->wordcount = 17;
if (!smbbufferputheader(s->response, h, nil)
|| !smbbufferputs(s->response, index)
|| !smbbufferputb(s->response, 3) /* user security, encrypted */
|| !smbbufferputs(s->response, 1) /* max mux */
|| !smbbufferputs(s->response, 1) /* max vc */
|| !smbbufferputl(s->response, smbglobals.maxreceive) /* max buffer size */
|| !smbbufferputl(s->response, 0x10000) /* max raw */
|| !smbbufferputl(s->response, threadid())) /* session key */
goto die;
/* <= Win2k insist upon this being set to ensure that they observe the prototol (!) */
capabilities = CAP_NT_SMBS;
if (smbglobals.unicode)
capabilities |= CAP_UNICODE;
tm = localtime(time(nil));
s->tzoff = tm->tzoff;
if (!smbbufferputl(s->response, capabilities)
|| !smbbufferputv(s->response, nsec() / 100 + (vlong)10000000 * 11644473600LL)
|| !smbbufferputs(s->response, -s->tzoff / 60)
|| !smbbufferputb(s->response, 8)) /* crypt len */
goto die;
bytecountfixupoffset = smbbufferwriteoffset(s->response);
if (!smbbufferputs(s->response, 0))
goto die;
s->cs = auth_challenge("proto=mschap role=server");
if (s->cs == nil) {
smblogprint(h->command, "smbnegotiate: couldn't get mschap challenge\n");
return SmbProcessResultMisc;
}
if (s->cs->nchal != 8) {
smblogprint(h->command, "smbnegotiate: nchal %d\n", s->cs->nchal);
return SmbProcessResultMisc;
}
if (!smbbufferputbytes(s->response, s->cs->chal, s->cs->nchal)
|| !smbbufferputstring(s->response, nil, SMB_STRING_UNICODE, smbglobals.primarydomain)
|| !smbbufferfixuprelatives(s->response, bytecountfixupoffset))
goto die;
}
else {
h->wordcount = 1;
if (!smbbufferputheader(s->response, h, nil)
|| !smbbufferputs(s->response, index)
|| !smbbufferputs(s->response, 0))
goto die;
}
s->state = SmbSessionNeedSetup;
return SmbProcessResultReply;
die:
return SmbProcessResultDie;
}
static int www_challenge(struct sip_msg *msg, char* realm, char *flags)
{
return auth_challenge(msg, realm, flags, HDR_AUTHORIZATION_T);
}
static int proxy_challenge(struct sip_msg *msg, char* realm, char *flags)
{
return auth_challenge(msg, realm, flags, HDR_PROXYAUTH_T);
}
