// method = 0 for normal auth response from game server
// method = 1 for reauth response originating from keymaster
void gcd_compute_response(char *cdkey, char *challenge, char response[RESPONSE_SIZE], CDResponseMethod method)
{
char rawout[RAWSIZE];
unsigned int anyrandom;
char randstr[9];
/* check to make sure we weren't passed a huge cd key/challenge */
if (strlen(cdkey) * 2 + strlen(challenge) + 8 >= RAWSIZE)
{
strcpy(response,"CD Key or challenge too long");
return;
}
/* make sure we are randomized */
srand(time(NULL) ^ 0x33333333);
/* Since RAND_MAX is 16 bit on many systems, make sure we get a 32 bit number */
anyrandom = (rand() << 16 | rand());
sprintf(randstr,"%.8x",anyrandom);
/* auth response = MD5(cdkey + random mod 0xffff + challenge) */
/* reauth response = MD5(challenge + random mode 0xffff + cdkey) */
if (method == 0)
sprintf(rawout, "%s%d%s",cdkey, anyrandom % 0xFFFF , challenge );
else
sprintf(rawout, "%s%d%s",challenge, anyrandom % 0xFFFF, cdkey);
/* do the cd key md5 */
MD5Digest((unsigned char *)cdkey, strlen(cdkey), response);
/* add the random value */
strcpy(&response[32], randstr);
/* do the response md5 */
MD5Digest((unsigned char *)rawout, strlen(rawout), &response[40]);
}
void Crypt::ComputeMD5(unsigned char digest[16], void const* bytesIn, unsigned int inputLen)
{
MD5 md5;
MD5Open(&md5);
MD5Digest(&md5, bytesIn, inputLen);
MD5Close(&md5, digest);
}
// PKCS#1 v2.1, B.2.1 MGF1, mask generation function
// modification: generates mask and applies in place
gsi_bool gsiCryptRSAMaskData(unsigned char *data, gsi_u32 dataLen, const unsigned char* seed, gsi_u32 seedLen)
{
int i=0;
int k=0;
// The datablock may be used as the seed
unsigned char hashValue[GS_CRYPT_HASHSIZE]; // in integer form, NOT HEXSTRING
// seed should never be larger than the data block size (but it may be less)
if (seedLen > GS_CRYPT_RSA_DATABLOCKSIZE)
return gsi_false;
for (i=0; (gsi_u32)i<dataLen;i+=GS_CRYPT_HASHSIZE)
{
// Perform the hash
#if (GS_CRYPT_HASHSIZE==GS_CRYPT_MD5_HASHSIZE)
{
gsi_u32 temp=0;
// concatenate byte value of i onto seed
char seedPlusIter[GS_CRYPT_RSA_DATABLOCKSIZE+4]; // seed||i
char hashHexStr[GS_CRYPT_RSA_DATABLOCKSIZE*2+1]; // hexstr of hash "A1" rather than 0xA1
memcpy(&seedPlusIter[0], seed, seedLen);
seedPlusIter[GS_CRYPT_RSA_DATABLOCKSIZE+0] = 0x00;
seedPlusIter[GS_CRYPT_RSA_DATABLOCKSIZE+1] = 0x00;
seedPlusIter[GS_CRYPT_RSA_DATABLOCKSIZE+2] = 0x00;
seedPlusIter[GS_CRYPT_RSA_DATABLOCKSIZE+3] = (gsi_u8)(i/GS_CRYPT_HASHSIZE);
MD5Digest(seedPlusIter, seedLen+sizeof(gsi_u32), hashHexStr);
// convert from hexstr to integer form
for(k=0; k<seedLen+sizeof(gsi_u32))
{
gsi_u32 temp;
temp = sscanf(&hashHexStr[k*2], "%02X", &temp);
hashValue[k] = (gsi_u8)temp;
}
}
#elif (GS_CRYPT_HASHSIZE==GS_CRYPT_SHA1_HASHSIZE)
{
gsi_u8 counter[4] = { 0x00,0x00,0x00,0x00 };
GSSHA1Context sha;
counter[3] = (gsi_u8)(i/GS_CRYPT_HASHSIZE); // ensure little endian int
GSSHA1Reset(&sha);
GSSHA1Input(&sha, (const unsigned char*)seed, seedLen);
GSSHA1Input(&sha, counter, 4);
GSSHA1Result(&sha, hashValue);
}
#endif
// apply the mask to data
for (k=0; k<GS_CRYPT_HASHSIZE; k++)
{
if ((gsi_u32)(i+k) >= dataLen)
return gsi_true;
data[i+k] ^= (gsi_u8)hashValue[k];
}
}
return gsi_true;
}
/* return true if digest calculated */
int get_file_digest(const char * filename, Uint8 digest[16])
{
MD5 md5;
el_file_ptr file = NULL;
file = el_open(filename);
memset (digest, 0, 16);
if (file == NULL)
{
LOG_ERROR("MD5Digest: Unable to open %s (%d)", filename, errno);
return 0;
}
if (el_get_pointer(file) == NULL)
{
el_close(file);
return 0;
}
MD5Open(&md5);
MD5Digest(&md5, el_get_pointer(file), el_get_size(file));
MD5Close(&md5, digest);
el_close(file);
return 1;
}
float get_bag_tilt(float pos_x, float pos_y, int bag_id, int map_x, int map_y)
{
char str[64];
MD5 md5;
Uint8 digest[16];
memset(digest, 0, 16);
safe_snprintf(str, 40, "%f%f%f%f%f", pos_x, pos_y, (float) bag_id,
(float) map_x, (float) map_y);
MD5Open(&md5);
MD5Digest(&md5, str, strlen(str));
MD5Close(&md5, digest);
// the sum of 5 cos operations can be between -5 and +5
// normalize them to -1.0 ... +1.0
// multiply with 15 (-15.0 ... +15.0 degrees)
return ((cosf(digest[3]) + cosf(digest[4]) + cosf(digest[5]) + cosf(
digest[6]) + cosf(digest[7])) / 5.0f) * 30;
}
float get_bag_rotation(float pos_x, float pos_y, int bag_id, int map_x, int map_y)
{
char str[64];
MD5 md5;
Uint8 digest[16];
memset(digest, 0, 16);
safe_snprintf(str, 40, "%f%f%f%f%f", pos_x, pos_y, (float) bag_id,
(float) map_x, (float) map_y);
MD5Open(&md5);
MD5Digest(&md5, str, strlen(str));
MD5Close(&md5, digest);
// the sum of 5 sin operations can be between -5 and +5
// normalize them to -0.5 ... +0.5
// multiply with 360 (-180.0 ... +180.0 degrees)
return ((sinf(digest[2]) + sinf(digest[3]) + sinf(digest[4]) + sinf(
digest[5]) + sinf(digest[6])) / 10.0f) * 360;
}
static JSVAL fs_md5(JSARGS args) {
HandleScope scope;
String::Utf8Value path(args[0]->ToString());
unsigned char buf[1024];
int bytes;
MD5_CTX mdContext;
MD5Init(&mdContext);
FILE *fp = fopen(*path, "rb");
if (fp == NULL) {
return scope.Close(False());
}
while ((bytes = fread(buf, 1, 1024, fp)) != 0) {
MD5Update(&mdContext, buf, bytes);
}
fclose(fp);
MD5Final(&mdContext);
MD5Digest(&mdContext, (char *)buf);
return scope.Close(String::New((char *)buf));
}
status_t
POP3Protocol::Login(const char *uid, const char *password, int method)
{
status_t err;
BString error_msg;
error_msg << MDR_DIALECT_CHOICE("Error while authenticating user ",
"ユーザー認証中にエラーが発生しました ") << uid;
if (method == 1) { //APOP
int32 index = fLog.FindFirst("<");
if(index != B_ERROR) {
runner->ReportProgress(0, 0, MDR_DIALECT_CHOICE(
"Sending APOP authentication...", "APOP認証情報を送信中..."));
int32 end = fLog.FindFirst(">",index);
BString timestamp("");
fLog.CopyInto(timestamp, index, end - index + 1);
timestamp += password;
char md5sum[33];
MD5Digest((unsigned char*)timestamp.String(), md5sum);
BString cmd = "APOP ";
cmd += uid;
cmd += " ";
cmd += md5sum;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
error_msg << MDR_DIALECT_CHOICE(". The server said:\n",
"サーバのメッセージです\n") << fLog;
runner->ShowError(error_msg.String());
return err;
}
return B_OK;
} else {
error_msg << MDR_DIALECT_CHOICE(": The server does not support APOP.",
"サーバはAPOPをサポートしていません");
runner->ShowError(error_msg.String());
return B_NOT_ALLOWED;
}
}
runner->ReportProgress(0, 0, MDR_DIALECT_CHOICE("Sending username...",
"ユーザーID送信中..."));
BString cmd = "USER ";
cmd += uid;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
error_msg << MDR_DIALECT_CHOICE(". The server said:\n",
"サーバのメッセージです\n") << fLog;
runner->ShowError(error_msg.String());
return err;
}
runner->ReportProgress(0, 0, MDR_DIALECT_CHOICE("Sending password...",
"パスワード送信中..."));
cmd = "PASS ";
cmd += password;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
error_msg << MDR_DIALECT_CHOICE(". The server said:\n",
"サーバのメッセージです\n") << fLog;
runner->ShowError(error_msg.String());
return err;
}
return B_OK;
}
GPResult
gpiProcessConnect(
GPConnection * connection,
GPIOperation * operation,
const char * input
)
{
char buffer[512];
char check[33];
char uniquenick[GP_UNIQUENICK_LEN];
GPIConnectData * data;
GPIConnection * iconnection = (GPIConnection*)*connection;
GPICallback callback;
GPIProfile * profile;
char userBuffer[GP_NICK_LEN + GP_EMAIL_LEN];
char partnerBuffer[11];
char * user;
// Check for an error.
//////////////////////
if(gpiCheckForError(connection, input, GPIFalse))
{
// Is this a deleted profile?
/////////////////////////////
if((iconnection->errorCode == GP_LOGIN_PROFILE_DELETED) && iconnection->profileid)
{
// Remove this profile object.
//////////////////////////////
gpiRemoveProfileByID(connection, iconnection->profileid);
// If we have the profileid/userid cached, lose them.
/////////////////////////////////////////////////////
iconnection->userid = 0;
iconnection->profileid = 0;
}
// Check for creating an existing profile.
//////////////////////////////////////////
else if(iconnection->errorCode == GP_NEWUSER_BAD_NICK)
{
// Store the pid.
/////////////////
if(gpiValueForKey(input, "\\pid\\", buffer, sizeof(buffer)))
iconnection->profileid = atoi(buffer);
}
// Call the callbacks.
//////////////////////
CallbackFatalError(connection, GP_SERVER_ERROR, iconnection->errorCode, iconnection->errorString);
}
// Get a pointer to the data.
/////////////////////////////
data = (GPIConnectData*)operation->data;
switch(operation->state)
{
case GPI_CONNECTING:
// This should be \lc\1.
////////////////////////
if(strncmp(input, "\\lc\\1", 5) != 0)
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexpected data was received from the server.");
// Get the server challenge.
////////////////////////////
if(!gpiValueForKey(input, "\\challenge\\", data->serverChallenge, sizeof(data->serverChallenge)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexpected data was received from the server.");
// Check if this is a new user.
///////////////////////////////
if(data->newuser)
{
// Send a new user message.
///////////////////////////
CHECK_RESULT(gpiSendNewuser(connection, data));
// Update the operation's state.
////////////////////////////////
operation->state = GPI_REQUESTING;
}
else
{
// Send a login message.
////////////////////////
CHECK_RESULT(gpiSendLogin(connection, data));
// Update the operation's state.
////////////////////////////////
operation->state = GPI_LOGIN;
}
break;
case GPI_REQUESTING:
// This should be \nur\.
////////////////////////
if(strncmp(input, "\\nur\\", 5) != 0)
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexpected data was received from the server.");
// Get the userid.
//////////////////
if(!gpiValueForKey(input, "\\userid\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
iconnection->userid = atoi(buffer);
// Get the profileid.
/////////////////////
if(!gpiValueForKey(input, "\\profileid\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
iconnection->profileid = atoi(buffer);
// Send a login request.
////////////////////////
CHECK_RESULT(gpiSendLogin(connection, data));
// Update the operation's state.
////////////////////////////////
operation->state = GPI_LOGIN;
break;
case GPI_LOGIN:
// This should be \lc\2.
////////////////////////
if(strncmp(input, "\\lc\\2", 5) != 0)
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexpected data was received from the server.");
// Get the sesskey.
///////////////////
if(!gpiValueForKey(input, "\\sesskey\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
iconnection->sessKey = atoi(buffer);
// Get the userid.
//////////////////
if(!gpiValueForKey(input, "\\userid\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
iconnection->userid = atoi(buffer);
// Get the profileid.
/////////////////////
if(!gpiValueForKey(input, "\\profileid\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
iconnection->profileid = atoi(buffer);
// Get the uniquenick.
//////////////////////
if(!gpiValueForKey(input, "\\uniquenick\\", uniquenick, sizeof(uniquenick)))
uniquenick[0] = '\0';
// Get the loginticket.
//////////////////////
if(!gpiValueForKey(input, "\\lt\\", iconnection->loginTicket, sizeof(iconnection->loginTicket)))
iconnection->loginTicket[0] = '\0';
// Construct the user.
//////////////////////
if(iconnection->partnerID != GP_PARTNERID_GAMESPY)
{
sprintf(partnerBuffer, "%d@", iconnection->partnerID);
}
else
{
// GS ID's do not stash the partner ID in the auth challenge to support legacy clients.
strcpy(partnerBuffer, "");
}
if(data->authtoken[0])
user = data->authtoken;
else if(iconnection->uniquenick[0])
{
sprintf(userBuffer, "%s%s", partnerBuffer, iconnection->uniquenick);
user = userBuffer;
}
else
{
sprintf(userBuffer, "%s%s@%s", partnerBuffer, iconnection->nick, iconnection->email);
user = userBuffer;
}
// Construct the check.
///////////////////////
sprintf(buffer, "%s%s%s%s%s%s",
data->passwordHash,
" ",
user,
data->serverChallenge,
data->userChallenge,
data->passwordHash);
MD5Digest((unsigned char *)buffer, strlen(buffer), check);
// Get the proof.
/////////////////
if(!gpiValueForKey(input, "\\proof\\", buffer, sizeof(buffer)))
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_PARSE, "Unexepected data was received from the server.");
// Check the server authentication.
///////////////////////////////////
if(memcmp(check, buffer, 32) != 0)
CallbackFatalError(connection, GP_NETWORK_ERROR, GP_LOGIN_SERVER_AUTH_FAILED, "Could not authenticate server.");
// Add the local profile to the list.
/////////////////////////////////////
if(iconnection->infoCaching)
{
profile = gpiProfileListAdd(connection, iconnection->profileid);
profile->profileId = iconnection->profileid;
profile->userId = iconnection->userid;
}
// Set the connect state.
/////////////////////////
iconnection->connectState = GPI_CONNECTED;
// Call the connect-response callback.
//////////////////////////////////////
callback = operation->callback;
if(callback.callback != NULL)
{
GPConnectResponseArg * arg;
arg = (GPConnectResponseArg *)gsimalloc(sizeof(GPConnectResponseArg));
if(arg == NULL)
Error(connection, GP_MEMORY_ERROR, "Out of memory.");
memset(arg, 0, sizeof(GPConnectResponseArg));
arg->profile = (GPProfile)iconnection->profileid;
arg->result = GP_NO_ERROR;
#ifndef GSI_UNICODE
strzcpy(arg->uniquenick, uniquenick, GP_UNIQUENICK_LEN);
#else
UTF8ToUCS2StringLen(uniquenick, arg->uniquenick, GP_UNIQUENICK_LEN);
#endif
CHECK_RESULT(gpiAddCallback(connection, callback, arg, operation, 0));
}
// This operation is complete.
//////////////////////////////
gpiRemoveOperation(connection, operation);
// Get the local profile's info.
////////////////////////////////
#if 0
gpiAddOperation(connection, GPI_GET_INFO, NULL, &operation, GP_NON_BLOCKING, NULL, NULL);
gpiSendGetInfo(connection, iconnection->profileid, operation->id);
#endif
#ifdef _PS3
// We just connected, so setup buddy sync && start NP init
// For future, we can limit syncs by setting flags to turn on/off here
//////////////////////////////////////////////////////////////////////
iconnection->npPerformBuddySync = gsi_true;
iconnection->npPerformBlockSync = gsi_true;
iconnection->loginTime = current_time();
if (!iconnection->npInitialized)
gpiInitializeNpBasic(connection);
#endif
break;
default:
break;
}
return GP_NO_ERROR;
}
static GPResult
gpiSendLogin(
GPConnection * connection,
GPIConnectData * data
)
{
char buffer[512];
char response[33];
GPIConnection * iconnection = (GPIConnection*)*connection;
GPIProfile * profile;
char * passphrase;
char userBuffer[GP_NICK_LEN + GP_EMAIL_LEN];
char partnerBuffer[11];
char * user;
// Construct the user challenge.
////////////////////////////////
randomString(data->userChallenge, sizeof(data->userChallenge) - 1);
// Hash the password.
/////////////////////
if(data->partnerchallenge[0])
passphrase = data->partnerchallenge;
else
passphrase = iconnection->password;
MD5Digest((unsigned char*)passphrase, strlen(passphrase), data->passwordHash);
// Construct the user.
//////////////////////
if(iconnection->partnerID != GP_PARTNERID_GAMESPY)
{
sprintf(partnerBuffer, "%d@", iconnection->partnerID);
}
else
{
// GS ID's do not stash the partner ID in the auth challenge to support legacy clients.
strcpy(partnerBuffer, "");
}
if(data->authtoken[0])
user = data->authtoken;
else if(iconnection->uniquenick[0])
{
sprintf(userBuffer, "%s%s", partnerBuffer, iconnection->uniquenick);
user = userBuffer;
}
else
{
sprintf(userBuffer, "%s%s@%s", partnerBuffer, iconnection->nick, iconnection->email);
user = userBuffer;
}
// Construct the response.
//////////////////////////
sprintf(buffer, "%s%s%s%s%s%s",
data->passwordHash,
" ",
user,
data->userChallenge,
data->serverChallenge,
data->passwordHash);
MD5Digest((unsigned char *)buffer, strlen(buffer), response);
// Check for an existing profile.
/////////////////////////////////
if(iconnection->infoCaching)
{
gpiFindProfileByUser(connection, iconnection->nick, iconnection->email, &profile);
if(profile != NULL)
{
// Get the userid and profileid.
////////////////////////////////
iconnection->userid = profile->userId;
iconnection->profileid = profile->profileId;
}
}
// Construct the outgoing message.
//////////////////////////////////
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\login\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\challenge\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, data->userChallenge);
if(data->authtoken[0])
{
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\authtoken\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, data->authtoken);
}
else if(iconnection->uniquenick[0])
{
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\uniquenick\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, iconnection->uniquenick);
}
else
{
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\user\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, iconnection->nick);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "@");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, iconnection->email);
}
if(iconnection->userid != 0)
{
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\userid\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->userid);
}
if(iconnection->profileid != 0)
{
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\profileid\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->profileid);
}
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\partnerid\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->partnerID);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\response\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, response);
if(iconnection->firewall == GP_FIREWALL)
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\firewall\\1");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\port\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->peerPort);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\productid\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->productID);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\gamename\\");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, __GSIACGamename);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\namespaceid\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->namespaceID);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\sdkrevision\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, GPI_SDKREV);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\quiet\\");
gpiAppendIntToBuffer(connection, &iconnection->outputBuffer, iconnection->quietModeFlags);
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\id\\1");
gpiAppendStringToBuffer(connection, &iconnection->outputBuffer, "\\final\\");
return GP_NO_ERROR;
}
status_t
POP3Protocol::Login(const char* uid, const char* password, int method)
{
status_t err;
BString errorMessage(B_TRANSLATE("Error while authenticating user %user"));
errorMessage.ReplaceFirst("%user", uid);
if (method == 1) { //APOP
int32 index = fLog.FindFirst("<");
if(index != B_ERROR) {
ReportProgress(0, 0, B_TRANSLATE("Sending APOP authentication"
B_UTF8_ELLIPSIS));
int32 end = fLog.FindFirst(">", index);
BString timestamp("");
fLog.CopyInto(timestamp, index, end - index + 1);
timestamp += password;
char md5sum[33];
MD5Digest((unsigned char*)timestamp.String(), md5sum);
BString cmd = "APOP ";
cmd += uid;
cmd += " ";
cmd += md5sum;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
errorMessage << B_TRANSLATE(". The server said:\n") << fLog;
ShowError(errorMessage.String());
return err;
}
return B_OK;
} else {
errorMessage << B_TRANSLATE(": The server does not support APOP.");
ShowError(errorMessage.String());
return B_NOT_ALLOWED;
}
}
ReportProgress(0, 0, B_TRANSLATE("Sending username" B_UTF8_ELLIPSIS));
BString cmd = "USER ";
cmd += uid;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
errorMessage << B_TRANSLATE(". The server said:\n") << fLog;
ShowError(errorMessage.String());
return err;
}
ReportProgress(0, 0, B_TRANSLATE("Sending password" B_UTF8_ELLIPSIS));
cmd = "PASS ";
cmd += password;
cmd += CRLF;
err = SendCommand(cmd.String());
if (err != B_OK) {
errorMessage << B_TRANSLATE(". The server said:\n") << fLog;
ShowError(errorMessage.String());
return err;
}
return B_OK;
}
static int pop3_getauth(int sock, struct query *ctl, char *greeting)
/* apply for connection authorization */
{
int ok;
char *start,*end;
char *msg;
#ifdef OPIE_ENABLE
char *challenge;
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
flag connection_may_have_tls_errors = FALSE;
flag got_tls = FALSE;
#endif /* SSL_ENABLE */
done_capa = FALSE;
#if defined(GSSAPI)
has_gssapi = FALSE;
#endif /* defined(GSSAPI) */
#if defined(KERBEROS_V4) || defined(KERBEROS_V5)
has_kerberos = FALSE;
#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */
has_cram = FALSE;
#ifdef OPIE_ENABLE
has_otp = FALSE;
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
has_stls = FALSE;
#endif /* SSL_ENABLE */
/* Set this up before authentication quits early. */
set_peek_capable(ctl);
/* Hack: allow user to force RETR. */
if (peek_capable && getenv("FETCHMAIL_POP3_FORCE_RETR")) {
peek_capable = 0;
}
/*
* The "Maillennium POP3/PROXY server" deliberately truncates
* TOP replies after c. 64 or 80 kByte (we have varying reports), so
* disable TOP. Comcast once spewed marketing babble to the extent
* of protecting Outlook -- pretty overzealous to break a protocol
* for that that Microsoft could have read, too. Comcast aren't
* alone in using this software though.
* <http://lists.ccil.org/pipermail/fetchmail-friends/2004-April/008523.html>
* (Thanks to Ed Wilts for reminding me of that.)
*
* The warning is printed once per server, until fetchmail exits.
* It will be suppressed when --fetchall or other circumstances make
* us use RETR anyhow.
*
* Matthias Andree
*/
if (peek_capable && strstr(greeting, "Maillennium POP3/PROXY server")) {
if ((ctl->server.workarounds & WKA_TOP) == 0) {
report(stdout, GT_("Warning: \"Maillennium POP3/PROXY server\" found, using RETR command instead of TOP.\n"));
ctl->server.workarounds |= WKA_TOP;
}
peek_capable = 0;
}
if (ctl->server.authenticate == A_SSH) {
return PS_SUCCESS;
}
#ifdef SDPS_ENABLE
/*
* This needs to catch both demon.co.uk and demon.net.
* If we see either, and we're in multidrop mode, try to use
* the SDPS *ENV extension.
*/
if (!(ctl->server.sdps) && MULTIDROP(ctl) && strstr(greeting, "demon."))
ctl->server.sdps = TRUE;
#endif /* SDPS_ENABLE */
switch (ctl->server.protocol) {
case P_POP3:
#ifdef RPA_ENABLE
/* XXX FIXME: AUTH probing (RFC1734) should become global */
/* CompuServe POP3 Servers as of 990730 want AUTH first for RPA */
if (strstr(ctl->remotename, "@compuserve.com"))
{
/* AUTH command should return a list of available mechanisms */
if (gen_transact(sock, "AUTH") == 0)
{
char buffer[10];
flag has_rpa = FALSE;
while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0)
{
if (DOTLINE(buffer))
break;
if (strncasecmp(buffer, "rpa", 3) == 0)
has_rpa = TRUE;
}
if (has_rpa && !POP3_auth_rpa(ctl->remotename,
ctl->password, sock))
return(PS_SUCCESS);
}
return(PS_AUTHFAIL);
}
#endif /* RPA_ENABLE */
/*
* CAPA command may return a list including available
* authentication mechanisms and STLS capability.
*
* If it doesn't, no harm done, we just fall back to a plain
* login -- if the user allows it.
*
* Note that this code latches the server's authentication type,
* so that in daemon mode the CAPA check only needs to be done
* once at start of run.
*
* If CAPA fails, then force the authentication method to
* PASSWORD, switch off opportunistic and repoll immediately.
* If TLS is mandatory, fail up front.
*/
if ((ctl->server.authenticate == A_ANY) ||
(ctl->server.authenticate == A_GSSAPI) ||
(ctl->server.authenticate == A_KERBEROS_V4) ||
(ctl->server.authenticate == A_KERBEROS_V5) ||
(ctl->server.authenticate == A_OTP) ||
(ctl->server.authenticate == A_CRAM_MD5) ||
maybe_tls(ctl))
{
if ((ok = capa_probe(sock)) != PS_SUCCESS)
/* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
if (ok == PS_AUTHFAIL ||
/* Some servers directly close the socket. However, if we
* have already authenticated before, then a previous CAPA
* must have succeeded. In that case, treat this as a
* genuine socket error and do not change the auth method.
*/
(ok == PS_SOCKET && !ctl->wehaveauthed))
{
#ifdef SSL_ENABLE
if (must_tls(ctl)) {
/* fail with mandatory STLS without repoll */
report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
return ok;
} else if (maybe_tls(ctl)) {
/* defeat opportunistic STLS */
xfree(ctl->sslproto);
ctl->sslproto = xstrdup("");
}
#endif
/* If strong authentication was opportunistic, retry without, else fail. */
switch (ctl->server.authenticate) {
case A_ANY:
ctl->server.authenticate = A_PASSWORD;
/* FALLTHROUGH */
case A_PASSWORD: /* this should only happen with TLS enabled */
return PS_REPOLL;
default:
return PS_AUTHFAIL;
}
}
}
#ifdef SSL_ENABLE
if (maybe_tls(ctl)) {
char *commonname;
commonname = ctl->server.pollname;
if (ctl->server.via)
commonname = ctl->server.via;
if (ctl->sslcommonname)
commonname = ctl->sslcommonname;
if (has_stls)
{
/* Use "tls1" rather than ctl->sslproto because tls1 is the only
* protocol that will work with STARTTLS. Don't need to worry
* whether TLS is mandatory or opportunistic unless SSLOpen() fails
* (see below). */
if (gen_transact(sock, "STLS") == PS_SUCCESS
&& SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename) != -1)
{
/*
* RFC 2595 says this:
*
* "Once TLS has been started, the client MUST discard cached
* information about server capabilities and SHOULD re-issue the
* CAPABILITY command. This is necessary to protect against
* man-in-the-middle attacks which alter the capabilities list prior
* to STARTTLS. The server MAY advertise different capabilities
* after STARTTLS."
*
* Now that we're confident in our TLS connection we can
* guarantee a secure capability re-probe.
*/
got_tls = TRUE;
done_capa = FALSE;
ok = capa_probe(sock);
if (ok != PS_SUCCESS) {
return ok;
}
if (outlevel >= O_VERBOSE)
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
}
}
if (!got_tls) {
if (must_tls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
return PS_SOCKET;
} else {
/* We don't know whether the connection is usable, and there's
* no command we can reasonably issue to test it (NOOP isn't
* allowed til post-authentication), so leave it in an unknown
* state, mark it as such, and check more carefully if things
* go wrong when we try to authenticate. */
connection_may_have_tls_errors = TRUE;
if (outlevel >= O_VERBOSE)
{
report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue.\n"), commonname);
}
}
}
} /* maybe_tls() */
#endif /* SSL_ENABLE */
/*
* OK, we have an authentication type now.
*/
#if defined(KERBEROS_V4)
/*
* Servers doing KPOP have to go through a dummy login sequence
* rather than doing SASL.
*/
if (has_kerberos &&
ctl->server.service && (strcmp(ctl->server.service, KPOP_PORT)!=0)
&& (ctl->server.authenticate == A_KERBEROS_V4
|| ctl->server.authenticate == A_KERBEROS_V5
|| ctl->server.authenticate == A_ANY))
{
ok = do_rfc1731(sock, "AUTH", ctl->server.truename);
if (ok == PS_SUCCESS || ctl->server.authenticate != A_ANY)
break;
}
#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */
#if defined(GSSAPI)
if (has_gssapi &&
(ctl->server.authenticate == A_GSSAPI ||
(ctl->server.authenticate == A_ANY
&& check_gss_creds("pop", ctl->server.truename) == PS_SUCCESS)))
{
ok = do_gssauth(sock,"AUTH","pop",ctl->server.truename,ctl->remotename);
if (ok == PS_SUCCESS || ctl->server.authenticate != A_ANY)
break;
}
#endif /* defined(GSSAPI) */
#ifdef OPIE_ENABLE
if (has_otp &&
(ctl->server.authenticate == A_OTP ||
ctl->server.authenticate == A_ANY))
{
ok = do_otp(sock, "AUTH", ctl);
if (ok == PS_SUCCESS || ctl->server.authenticate != A_ANY)
break;
}
#endif /* OPIE_ENABLE */
#ifdef NTLM_ENABLE
/* MSN servers require the use of NTLM (MSN) authentication */
if (!strcasecmp(ctl->server.pollname, "pop3.email.msn.com") ||
ctl->server.authenticate == A_MSN)
return (do_pop3_ntlm(sock, ctl, 1) == 0) ? PS_SUCCESS : PS_AUTHFAIL;
if (ctl->server.authenticate == A_NTLM || (has_ntlm && ctl->server.authenticate == A_ANY)) {
ok = do_pop3_ntlm(sock, ctl, 0);
if (ok == 0 || ctl->server.authenticate != A_ANY)
break;
}
#else
if (ctl->server.authenticate == A_NTLM || ctl->server.authenticate == A_MSN)
{
report(stderr,
GT_("Required NTLM capability not compiled into fetchmail\n"));
}
#endif
if (ctl->server.authenticate == A_CRAM_MD5 ||
(has_cram && ctl->server.authenticate == A_ANY))
{
ok = do_cram_md5(sock, "AUTH", ctl, NULL);
if (ok == PS_SUCCESS || ctl->server.authenticate != A_ANY)
break;
}
/* ordinary validation, no one-time password or RPA */
if ((ok = gen_transact(sock, "USER %s", ctl->remotename)))
break;
#ifdef OPIE_ENABLE
/* see RFC1938: A One-Time Password System */
if ((challenge = strstr(lastok, "otp-"))) {
char response[OPIE_RESPONSE_MAX+1];
int i;
char *n = xstrdup("");
i = opiegenerator(challenge, !strcmp(ctl->password, "opie") ? n : ctl->password, response);
free(n);
if ((i == -2) && !run.poll_interval) {
char secret[OPIE_SECRET_MAX+1];
fprintf(stderr, GT_("Secret pass phrase: "));
if (opiereadpass(secret, sizeof(secret), 0))
i = opiegenerator(challenge, secret, response);
memset(secret, 0, sizeof(secret));
};
if (i) {
ok = PS_ERROR;
break;
};
ok = gen_transact(sock, "PASS %s", response);
break;
}
#endif /* OPIE_ENABLE */
/* KPOP uses out-of-band authentication and does not check what
* we send here, so send some random fixed string, to avoid
* users switching *to* KPOP accidentally revealing their
* password */
if ((ctl->server.authenticate == A_ANY
|| ctl->server.authenticate == A_KERBEROS_V4
|| ctl->server.authenticate == A_KERBEROS_V5)
&& (ctl->server.service != NULL
&& strcmp(ctl->server.service, KPOP_PORT) == 0))
{
ok = gen_transact(sock, "PASS krb_ticket");
break;
}
/* check if we are actually allowed to send the password */
if (ctl->server.authenticate == A_ANY
|| ctl->server.authenticate == A_PASSWORD) {
strlcpy(shroud, ctl->password, sizeof(shroud));
ok = gen_transact(sock, "PASS %s", ctl->password);
} else {
report(stderr, GT_("We've run out of allowed authenticators and cannot continue.\n"));
ok = PS_AUTHFAIL;
}
memset(shroud, 0x55, sizeof(shroud));
shroud[0] = '\0';
break;
case P_APOP:
/* build MD5 digest from greeting timestamp + password */
/* find start of timestamp */
for (start = greeting; *start != 0 && *start != '<'; start++)
continue;
if (*start == 0) {
report(stderr,
GT_("Required APOP timestamp not found in greeting\n"));
return(PS_AUTHFAIL);
}
/* find end of timestamp */
for (end = start; *end != 0 && *end != '>'; end++)
continue;
if (*end == 0 || end == start + 1) {
report(stderr,
GT_("Timestamp syntax error in greeting\n"));
return(PS_AUTHFAIL);
}
else
*++end = '\0';
/* SECURITY: 2007-03-17
* Strictly validating the presented challenge for RFC-822
* conformity (it must be a msg-id in terms of that standard) is
* supposed to make attacks against the MD5 implementation
* harder[1]
*
* [1] "Security vulnerability in APOP authentication",
* Gaëtan Leurent, fetchmail-devel, 2007-03-17 */
if (!rfc822_valid_msgid((unsigned char *)start)) {
report(stderr,
GT_("Invalid APOP timestamp.\n"));
return PS_AUTHFAIL;
}
/* copy timestamp and password into digestion buffer */
msg = (char *)xmalloc((end-start+1) + strlen(ctl->password) + 1);
strcpy(msg,start);
strcat(msg,ctl->password);
strcpy((char *)ctl->digest, MD5Digest((unsigned char *)msg));
free(msg);
ok = gen_transact(sock, "APOP %s %s", ctl->remotename, (char *)ctl->digest);
break;
case P_RPOP:
if ((ok = gen_transact(sock,"USER %s", ctl->remotename)) == 0) {
strlcpy(shroud, ctl->password, sizeof(shroud));
ok = gen_transact(sock, "RPOP %s", ctl->password);
memset(shroud, 0x55, sizeof(shroud));
shroud[0] = '\0';
}
break;
default:
report(stderr, GT_("Undefined protocol request in POP3_auth\n"));
ok = PS_ERROR;
}
#ifdef SSL_ENABLE
/* this is for servers which claim to support TLS, but actually
* don't! */
if (connection_may_have_tls_errors
&& (ok == PS_SOCKET || ok == PS_PROTOCOL))
{
xfree(ctl->sslproto);
ctl->sslproto = xstrdup("");
/* repoll immediately without TLS */
ok = PS_REPOLL;
}
#endif
if (ok != 0)
{
/* maybe we detected a lock-busy condition? */
if (ok == PS_LOCKBUSY)
report(stderr, GT_("lock busy! Is another session active?\n"));
return(ok);
}
/* Disable the sleep. Based on patch by Brian Candler 2004-04-19/2004-11-08,
* accepted by Matthias Andree.
*
* Rationale: the server must have locked the spool before returning +OK;
* this sleep just wastes time and hence, for modem and GSM CSD users, money. */
#ifdef WANT_BOGUS
/*
* Empirical experience shows some server/OS combinations
* may need a brief pause even after any lockfiles on the
* server are released, to give the server time to finish
* copying back very large mailfolders from the temp-file...
* this is only ever an issue with extremely large mailboxes.
*/
sleep(3); /* to be _really_ safe, probably need sleep(5)! */
#endif
/* we're approved */
return(PS_SUCCESS);
}
void MD5Sum::update(const char* buffer, const int bufferLength)
{
// Process data buffer
const unsigned char* bTmp = reinterpret_cast<const unsigned char*>(buffer);
MD5Digest(&md5_, bTmp, bufferLength);
}
static GPResult
gpiProcessPeerAcceptingConnection(
GPConnection * connection,
GPIPeer * peer
)
{
GPIConnection * iconnection = (GPIConnection*)*connection;
GSUdpPeerState aPeerState;
char * str;
//int len;
GPIBool connClosed;
char intValue[16];
int pid;
char nick[GP_NICK_LEN];
char sig[33];
char sigCheck[33];
char buffer[256];
// Check the state.
///////////////////
GS_ASSERT(peer->state == GPI_PEER_WAITING);
if (peer->state != GPI_PEER_WAITING)
return GP_NETWORK_ERROR;
// Read any pending info.
/////////////////////////
//CHECK_RESULT(gpiRecvToBuffer(connection, peer->sock, &peer->inputBuffer, &len, &connClosed, "PR"));
gsUdpEngineGetPeerState(peer->ip, peer->port, &aPeerState);
// Check for a closed connection.
/////////////////////////////////
if(aPeerState == GS_UDP_PEER_CLOSED)
{
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
// Check for a final.
/////////////////////
str = strstr(peer->inputBuffer.buffer, "\\final\\");
if(str != NULL)
{
str[0] = '\0';
str += 7;
// Is it an auth?
/////////////////
if(strncmp(peer->inputBuffer.buffer, "\\auth\\", 6) == 0)
{
// Get the pid.
///////////////
if(!gpiValueForKey(peer->inputBuffer.buffer, "\\pid\\", intValue, sizeof(intValue)))
{
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
pid = atoi(intValue);
// Get the nick.
////////////////
if(!gpiValueForKey(peer->inputBuffer.buffer, "\\nick\\", nick, sizeof(nick)))
{
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
// Get the sig.
///////////////
if(!gpiValueForKey(peer->inputBuffer.buffer, "\\sig\\", sig, sizeof(sig)))
{
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
// Compute what the sig should be.
//////////////////////////////////
sprintf(buffer, "%s%d%d",
iconnection->password,
iconnection->profileid,
pid);
MD5Digest((unsigned char *)buffer, strlen(buffer), sigCheck);
// Check the sig.
/////////////////
if(strcmp(sig, sigCheck) != 0)
{
// Bad sig.
///////////
gpiAppendStringToBuffer(connection, &peer->outputBuffer, "\\anack\\");
gpiAppendStringToBuffer(connection, &peer->outputBuffer, "\\final\\");
gpiSendBufferToPeer(connection, peer->ip, peer->port, &peer->outputBuffer, &connClosed, GPITrue);
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
// Send an ack.
///////////////
gpiAppendStringToBuffer(connection, &peer->outputBuffer, "\\aack\\");
gpiAppendStringToBuffer(connection, &peer->outputBuffer, "\\final\\");
peer->state = GPI_PEER_CONNECTED;
peer->profile = (GPProfile)pid;
}
else
{
// Unrecognized command.
////////////////////////
peer->state = GPI_PEER_DISCONNECTED;
return GP_NO_ERROR;
}
// Update the buffer length.
////////////////////////////
peer->inputBuffer.len = 0;
}
return GP_NO_ERROR;
}
