int
match_command_match(struct mail_ctx *mctx, struct expritem *ei)
{
struct match_command_data *data = ei->data;
struct account *a = mctx->account;
struct mail *m = mctx->mail;
struct io *io = mctx->io;
struct msg msg;
struct msgbuf msgbuf;
struct userdata *ud;
char *user;
set_wrapped(m, '\n');
/*
* We are called as the child so to change uid this needs to be done
* largely in the parent.
*/
memset(&msg, 0, sizeof msg);
msg.type = MSG_COMMAND;
msg.id = m->idx;
msg.data.account = a;
msg.data.cmddata = data;
user = conf.cmd_user;
if (data->user.str != NULL)
user = replacestr(&data->user, m->tags, m, &m->rml);
if ((ud = user_lookup(user, conf.user_order)) == NULL) {
log_warnx("%s: bad user: %s", a->name, user);
return (MATCH_ERROR);
}
if (data->user.str != NULL)
xfree(user);
msg.data.uid = ud->uid;
msg.data.gid = ud->gid;
update_tags(&m->tags, ud);
user_free(ud);
msgbuf.buf = m->tags;
msgbuf.len = STRB_SIZE(m->tags);
mail_send(m, &msg);
if (privsep_send(io, &msg, &msgbuf) != 0)
fatalx("privsep_send error");
reset_tags(&m->tags);
mctx->msgid = msg.id;
return (MATCH_PARENT);
}
int cmd_nick(Channel *channel, User *speaker, const char *text)
{
int i;
Channel *ch;
char buf[256];
if(!user_name_is_valid(text))
return 0;
if(user_lookup(text) != NULL) /* Refuse if nick is in use. */
return 0;
/* Before doing the change, go through all channels and notify. */
snprintf(buf, sizeof buf, "%s is now known as %s\n", user_get_name(speaker), text);
for(i = 0; (ch = channel_index(i)) != NULL; i++)
{
if(channel_user_is_member(ch, speaker))
channel_hear(ch, NULL, buf);
}
user_set_name(speaker, text);
return 1;
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
const char *username;
const void *password;
const char *database = NULL;
const char *cryptmode = NULL;
int retval = PAM_AUTH_ERR, ctrl;
/* parse arguments */
ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);
if (database == NULL) {
pam_syslog(pamh, LOG_ERR, "can not get the database name");
return PAM_SERVICE_ERR;
}
/* Get the username */
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
pam_syslog(pamh, LOG_ERR, "can not get the username");
return PAM_SERVICE_ERR;
}
if ((ctrl & PAM_USE_FPASS_ARG) == 0 && (ctrl & PAM_TRY_FPASS_ARG) == 0) {
/* Converse to obtain a password */
retval = obtain_authtok(pamh);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR, "can not obtain password from user");
return retval;
}
}
/* Check if we got a password */
retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
if (retval != PAM_SUCCESS || password == NULL) {
if ((ctrl & PAM_TRY_FPASS_ARG) != 0) {
/* Converse to obtain a password */
retval = obtain_authtok(pamh);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR, "can not obtain password from user");
return retval;
}
retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
}
if (retval != PAM_SUCCESS || password == NULL) {
pam_syslog(pamh, LOG_ERR, "can not recover user password");
return PAM_AUTHTOK_RECOVERY_ERR;
}
}
if (ctrl & PAM_DEBUG_ARG)
pam_syslog(pamh, LOG_INFO, "Verify user `%s' with a password",
username);
/* Now use the username to look up password in the database file */
retval = user_lookup(pamh, database, cryptmode, username, password, ctrl);
switch (retval) {
case -2:
/* some sort of system error. The log was already printed */
return PAM_SERVICE_ERR;
case -1:
/* incorrect password */
pam_syslog(pamh, LOG_WARNING,
"user `%s' denied access (incorrect password)",
username);
return PAM_AUTH_ERR;
case 1:
/* the user does not exist in the database */
if (ctrl & PAM_DEBUG_ARG)
pam_syslog(pamh, LOG_NOTICE,
"user `%s' not found in the database", username);
return PAM_USER_UNKNOWN;
case 0:
/* Otherwise, the authentication looked good */
pam_syslog(pamh, LOG_NOTICE, "user '%s' granted access", username);
return PAM_SUCCESS;
default:
/* we don't know anything about this return value */
pam_syslog(pamh, LOG_ERR,
"internal module error (retval = %d, user = `%s'",
retval, username);
return PAM_SERVICE_ERR;
}
/* should not be reached */
return PAM_IGNORE;
}
int
eap_mschap(struct iked *env, struct iked_sa *sa, struct eap_message *eap)
{
struct iked_user *usr;
struct eap_message *resp;
struct eap_mschap_response *msr;
struct eap_mschap_peer *msp;
struct eap_mschap *ms;
struct eap_mschap_success *mss;
u_int8_t *ptr, *pass;
size_t len, passlen;
char *name, *msg;
u_int8_t ntresponse[EAP_MSCHAP_NTRESPONSE_SZ];
u_int8_t successmsg[EAP_MSCHAP_SUCCESS_SZ];
struct ibuf *eapmsg = NULL;
int ret = -1;
if (!sa_stateok(sa, IKEV2_STATE_EAP)) {
log_debug("%s: unexpected EAP", __func__);
return (0); /* ignore */
}
if (sa->sa_hdr.sh_initiator) {
log_debug("%s: initiator EAP not supported", __func__);
return (-1);
}
/* Only MSCHAP-V2 */
if (eap->eap_type != EAP_TYPE_MSCHAP_V2) {
log_debug("%s: unsupported type EAP-%s", __func__,
print_map(eap->eap_type, eap_type_map));
return (-1);
}
if (betoh16(eap->eap_length) < (sizeof(*eap) + sizeof(*ms))) {
log_debug("%s: short message", __func__);
return (-1);
}
ms = (struct eap_mschap *)(eap + 1);
ptr = (u_int8_t *)(eap + 1);
switch (ms->ms_opcode) {
case EAP_MSOPCODE_RESPONSE:
msr = (struct eap_mschap_response *)ms;
if (betoh16(eap->eap_length) < (sizeof(*eap) + sizeof(*msr))) {
log_debug("%s: short response", __func__);
return (-1);
}
ptr += sizeof(*msr);
len = betoh16(eap->eap_length) -
sizeof(*eap) - sizeof(*msr);
if (len == 0 && sa->sa_eapid != NULL)
name = strdup(sa->sa_eapid);
else
name = get_string(ptr, len);
if (name == NULL) {
log_debug("%s: invalid response name", __func__);
return (-1);
}
if ((usr = user_lookup(env, name)) == NULL) {
log_debug("%s: unknown user '%s'", __func__, name);
free(name);
return (-1);
}
free(name);
if ((pass = string2unicode(usr->usr_pass, &passlen)) == NULL)
return (-1);
msp = &msr->msr_response.resp_peer;
mschap_nt_response(ibuf_data(sa->sa_eap.id_buf),
msp->msp_challenge, usr->usr_name, strlen(usr->usr_name),
pass, passlen, ntresponse);
if (memcmp(ntresponse, msp->msp_ntresponse,
sizeof(ntresponse)) != 0) {
log_debug("%s: '%s' authentication failed", __func__,
usr->usr_name);
free(pass);
/* XXX should we send an EAP failure packet? */
return (-1);
}
bzero(&successmsg, sizeof(successmsg));
mschap_auth_response(pass, passlen,
ntresponse, ibuf_data(sa->sa_eap.id_buf),
msp->msp_challenge, usr->usr_name, strlen(usr->usr_name),
successmsg);
if ((sa->sa_eapmsk = ibuf_new(NULL, MSCHAP_MSK_SZ)) == NULL) {
log_debug("%s: failed to get MSK", __func__);
free(pass);
return (-1);
}
mschap_msk(pass, passlen, ntresponse,
ibuf_data(sa->sa_eapmsk));
free(pass);
log_info("%s: '%s' authenticated", __func__, usr->usr_name);
if ((eapmsg = ibuf_static()) == NULL)
return (-1);
msg = " M=Welcome";
if ((resp = ibuf_advance(eapmsg, sizeof(*resp))) == NULL)
goto done;
resp->eap_code = EAP_CODE_REQUEST;
resp->eap_id = eap->eap_id + 1;
resp->eap_length = htobe16(sizeof(*resp) + sizeof(*mss) +
sizeof(successmsg) + strlen(msg));
resp->eap_type = EAP_TYPE_MSCHAP_V2;
if ((mss = ibuf_advance(eapmsg, sizeof(*mss))) == NULL)
goto done;
mss->mss_opcode = EAP_MSOPCODE_SUCCESS;
mss->mss_id = msr->msr_id;
mss->mss_length = htobe16(sizeof(*mss) +
sizeof(successmsg) + strlen(msg));
if (ibuf_add(eapmsg, successmsg, sizeof(successmsg)) != 0)
goto done;
if (ibuf_add(eapmsg, msg, strlen(msg)) != 0)
goto done;
break;
case EAP_MSOPCODE_SUCCESS:
if ((eapmsg = ibuf_static()) == NULL)
return (-1);
if ((resp = ibuf_advance(eapmsg, sizeof(*resp))) == NULL)
goto done;
resp->eap_code = EAP_CODE_RESPONSE;
resp->eap_id = eap->eap_id;
resp->eap_length = htobe16(sizeof(*resp) + sizeof(*ms));
resp->eap_type = EAP_TYPE_MSCHAP_V2;
if ((ms = ibuf_advance(eapmsg, sizeof(*ms))) == NULL)
goto done;
ms->ms_opcode = EAP_MSOPCODE_SUCCESS;
break;
case EAP_MSOPCODE_FAILURE:
case EAP_MSOPCODE_CHANGE_PASSWORD:
case EAP_MSOPCODE_CHALLENGE:
default:
log_debug("%s: EAP-%s unsupported "
"responder operation %s", __func__,
print_map(eap->eap_type, eap_type_map),
print_map(ms->ms_opcode, eap_msopcode_map));
return (-1);
}
if (eapmsg != NULL)
ret = ikev2_send_ike_e(env, sa, eapmsg,
IKEV2_PAYLOAD_EAP, IKEV2_EXCHANGE_IKE_AUTH, 1);
if (ret == 0)
sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
done:
ibuf_release(eapmsg);
return (ret);
}
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
const char *username;
const char *password;
int retval = PAM_AUTH_ERR;
/* parse arguments */
ctrl = _pam_parse(argc, argv);
/* Get the username */
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
if (ctrl & PAM_DEBUG_ARG)
_pam_log(LOG_DEBUG,"can not get the username");
return PAM_SERVICE_ERR;
}
/* Converse just to be sure we have the password */
retval = conversation(pamh);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_ERR, "could not obtain password for `%s'",
username);
return -2;
}
/* Get the password */
retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_ERR, "Could not retrive user's password");
return -2;
}
if (ctrl & PAM_DEBUG_ARG)
_pam_log(LOG_INFO, "Verify user `%s' with password `%s'",
username, password);
/* Now use the username to look up password in the database file */
retval = user_lookup(username, password);
switch (retval) {
case -2:
/* some sort of system error. The log was already printed */
return PAM_SERVICE_ERR;
case -1:
/* incorrect password */
_pam_log(LOG_WARNING,
"user `%s' denied access (incorrect password)",
username);
return PAM_AUTH_ERR;
case 1:
/* the user does not exist in the database */
if (ctrl & PAM_DEBUG_ARG)
_pam_log(LOG_NOTICE, "user `%s' not found in the database",
username);
return PAM_USER_UNKNOWN;
case 0:
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' granted acces", username);
return PAM_SUCCESS;
default:
/* we don't know anything about this return value */
_pam_log(LOG_ERR,
"internal module error (retval = %d, user = `%s'",
retval, username);
return PAM_SERVICE_ERR;
}
/* should not be reached */
return PAM_IGNORE;
}
/*
*Main thread for each client. Receives all messages
*and passes the data off to the correct function. Receives
*a pointer to the file descriptor for the socket the thread
*should listen on
*/
void *client_receive(void *ptr) {
int client = *(int *) ptr;
int received;
int logged_in = 0;
packet in_pkt, *client_message_ptr = &in_pkt;
while (1) {
received = recv(client, &in_pkt, sizeof(packet), 0);
if (received) {
debugPacket(client_message_ptr);
// Responses to not logged in clients
if (!logged_in) {
if(in_pkt.options == REGISTER) {
logged_in = register_user(&in_pkt, client);
}
else if(in_pkt.options == LOGIN) {
logged_in = login(&in_pkt, client);
}
else if(in_pkt.options == EXIT) {
close(client);
return NULL;
}
else {
sendError("Not logged in.", client);
}
}
// Responses to logged in clients
else if (logged_in) {
// Handle option messages for logged in client
if (in_pkt.options < 1000) {
if(in_pkt.options == REGISTER) {
sendError("You may not register while logged in.", client);
}
else if(in_pkt.options == SETPASS) {
set_pass(&in_pkt, client);
}
else if(in_pkt.options == SETNAME) {
set_name(&in_pkt, client);
}
else if(in_pkt.options == LOGIN) {
sendError("Already logged in.", client);
}
else if(in_pkt.options == EXIT) {
exit_client(&in_pkt, client);
return NULL;
}
else if(in_pkt.options == INVITE) {
invite(&in_pkt, client);
}
else if(in_pkt.options == JOIN) {
join(&in_pkt, client);
}
else if(in_pkt.options == LEAVE) {
leave(&in_pkt, client);
}
else if(in_pkt.options == GETALLUSERS) {
get_active_users(client);
}
else if(in_pkt.options == GETUSERS) {
get_room_users(&in_pkt, client);
}
else if(in_pkt.options == GETUSER) {
user_lookup(&in_pkt, client);
}
else if(in_pkt.options == GETROOMS) {
get_room_list(client);
}
else if(in_pkt.options == GETMOTD) {
sendMOTD(client);
}
else if(in_pkt.options == 0) {
printf("%s --- Error:%s Abrupt disconnect on logged in client.\n", RED, NORMAL);
exit_client(&in_pkt, client);
return NULL;
}
else {
printf("%s --- Error:%s Unknown message received from client.\n", RED, NORMAL);
}
}
// Handle conversation message for logged in client
else {
// Will be treated as a message packet, safe to santize entire buffer
sanitizeInput((void *)&in_pkt.buf, 0);
send_message(&in_pkt, client);
}
}
memset(&in_pkt, 0, sizeof(packet));
}
}
return NULL;
}
