/*
* Callback from the keyring lookup in refresh_credentials.
*/
static void
found_password_cb (GnomeKeyringResult result,
GList *list,
gpointer user_data)
{
SwService *service = SW_SERVICE (user_data);
SwServiceLastfm *lastfm = SW_SERVICE_LASTFM (service);
SwServiceLastfmPrivate *priv = lastfm->priv;
g_free (priv->username);
g_free (priv->password);
g_free (priv->session_key);
priv->session_key = NULL;
priv->username = NULL;
priv->password = NULL;
priv->checked_with_server = FALSE;
if (result == GNOME_KEYRING_RESULT_OK && list != NULL) {
GnomeKeyringNetworkPasswordData *data = list->data;
priv->username = g_strdup (data->user);
priv->password = g_strdup (data->password);
if (sw_is_online ()) {
verify_user (service);
}
} else {
if (result != GNOME_KEYRING_RESULT_NO_MATCH) {
g_warning (G_STRLOC ": Error getting password: %s", gnome_keyring_result_to_message (result));
}
}
sw_service_emit_user_changed (service);
sw_service_emit_capabilities_changed (service, get_dynamic_caps (service));
}
void hNOTICE(struct entity *from, char *target, char *msg) {
struct user *u = (struct user *)from;
if (!verify_user(u))
return;
if (u->server == me)
return;
if (*target != '#')
hook_call("onprivnotc", pack_args(arg_user(u), arg_user(get_user_by_numeric(str2unum(target))), arg_str(msg)));
}
/*
* Returns true if the user successfully authenticates, false if not
* or -1 on error.
*/
static int
check_user_interactive(int validated, int mode, struct passwd *auth_pw)
{
int status, rval = true;
debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
/* Always need a password when -k was specified with the command. */
if (ISSET(mode, MODE_IGNORE_TICKET))
SET(validated, FLAG_CHECK_USER);
if (build_timestamp(auth_pw) == -1) {
rval = -1;
goto done;
}
status = timestamp_status(auth_pw);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
char *prompt;
bool lectured;
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
rval = -1;
goto done;
}
/* XXX - should not lecture if askpass helper is being used. */
lectured = display_lecture(status);
/* Expand any escapes in the prompt. */
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
auth_pw->pw_name);
if (prompt == NULL) {
rval = -1;
goto done;
}
rval = verify_user(auth_pw, prompt, validated);
if (rval == true && lectured)
set_lectured();
sudo_efree(prompt);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_SUCCESS) &&
!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR)
update_timestamp(auth_pw);
done:
debug_return_bool(rval);
}
void hPRIVMSG(struct entity *from, char *target, char *msg) {
struct user *u = (struct user *)from;
if (!verify_user(u))
return;
if (u->server == me)
return;
if (*target == '#')
hook_call("onchanmsg", pack_args(arg_user(u), arg_chan(get_channel_by_name(target)), arg_str(msg)));
else
hook_call("onprivmsg", pack_args(arg_user(u), arg_user(get_user_by_numeric(str2unum(target))), arg_str(msg)));
}
int
main(int argc, char *argv[])
{
char *sql_db = NULL;
sqlite3* db;
char *username = NULL;
struct user user;
enum manage_action action = MANAGE_ACTION_HELP;
int opt;
char privid[OTP_PRIVID_HEX_LEN];
unsigned char *privid_bin;
int temp, ret;
struct otp_data* data;
char digest_name[DIGEST_NAME_MAX_SIZE];
char *ctemp;
while((opt = getopt(argc, argv, "hs:lg:r:a:c")) != -1) {
switch(opt) {
case 'h':
usage(0);
break;
case 's':
sql_db = optarg;
break;
case 'l':
if (action != MANAGE_ACTION_HELP) {
usage(1);
}
action = MANAGE_ACTION_LIST;
break;
case 'g':
if (action != MANAGE_ACTION_HELP) {
usage(1);
}
action = MANAGE_ACTION_GET;
username = optarg;
break;
case 'r':
if (action != MANAGE_ACTION_HELP) {
usage(1);
}
action = MANAGE_ACTION_DELETE;
username = optarg;
break;
case 'a':
if (action != MANAGE_ACTION_HELP) {
usage(1);
}
action = MANAGE_ACTION_ADD;
username = optarg;
break;
case 'c':
if (action != MANAGE_ACTION_HELP) {
usage(1);
}
action = MANAGE_ACTION_CREATE;
break;
default:
usage(0);
}
}
if(argc > optind) {
usage(1);
}
if (action == MANAGE_ACTION_HELP) {
usage(0);
}
if (sql_db == NULL) {
usage(2);
}
if (forget_real_credentials() != 0) {
printf("Unable to fix uid/gid\n");
return -EPERM;
}
db = init(sql_db);
if (db == NULL) {
printf("Unable to open the database\n");
return 1;
}
switch(action) {
case MANAGE_ACTION_HELP:
/* Already done */
break;
case MANAGE_ACTION_LIST:
list_users(db);
sql_close(db);
return 0;
case MANAGE_ACTION_CREATE:
create_database(db);
return 0;
case MANAGE_ACTION_GET:
case MANAGE_ACTION_ADD:
case MANAGE_ACTION_DELETE:
/* Later */
break;
}
if (username == NULL) {
usage(3);
}
if (verify_user(username, strlen(username), &user) != 0) {
printf("Unauthorized char in the username");
return OTP_ERR;
}
switch(action) {
case MANAGE_ACTION_HELP:
case MANAGE_ACTION_LIST:
case MANAGE_ACTION_CREATE:
/* Already done */
break;
case MANAGE_ACTION_GET:
data = get_otp_data(db, &user);
if (data == NULL) {
printf("No such user\n");
break;
}
printf("User '%.*s':\n", (unsigned int) user.len, user.name);
printf("Public ID : %.*s\n", (int) OTP_PUB_ID_HEX_LEN, data->pubid);
printf("Private Key: %.*s\n", (int) OTP_KEY_HEX_LEN, data->key);
printf("Private ID digest: %s\n", data->digest_name);
printf("Private ID hash: %s\n", data->privid_hash);
free(data);
break;
case MANAGE_ACTION_DELETE:
for (temp = 0; temp < MAX_RETRIES; ++temp) {
ret = try_start_transaction(db);
switch (ret) {
case OTP_SQL_ERR:
printf("SQL error during the transaction initialisation");
goto free_db;
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_OK:
ret = try_delete_credentials(db, &user);
switch (ret) {
case OTP_SQL_ERR:
printf("SQL error while trying to remove user");
goto free_db;
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_OK:
ret = try_end_transaction(db);
switch (ret) {
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_ERR:
printf("SQL error when trying to commit the transaction");
goto free_db;
case OTP_SQL_OK:
sql_close(db);
return 0;
}
}
}
}
printf("Unable to remove user (Database busy)\n");
break;
case MANAGE_ACTION_ADD:
data = calloc(sizeof(struct otp_data), 1ul);
if (data == NULL) {
printf("Malloc error\n");
goto free_db;
}
if (read_input_word(data->pubid, OTP_PUB_ID_HEX_LEN, "Public ID")) {
goto free_data;
}
if (check_modhex(data->pubid, OTP_PUB_ID_HEX_LEN) != 0) {
printf("Non hex character in input, please retry\n");
goto free_data;
}
if (read_input_word(data->key, OTP_KEY_HEX_LEN, "AES key")) {
goto free_data;
}
if (check_hex(data->key, (int) OTP_KEY_HEX_LEN) != 0) {
printf("Non hex character in input, please retry\n");
goto free_data;
}
if (read_input_word(privid, OTP_PRIVID_HEX_LEN, "Private ID")) {
goto free_data;
}
if (check_hex(privid, (int) OTP_PRIVID_HEX_LEN) != 0) {
printf("Non hex character in input, please retry\n");
goto free_data;
}
privid_bin = hex2bin(privid, OTP_PRIVID_HEX_LEN);
if (privid_bin == NULL) {
printf("Malloc error (bis)\n");
goto free_data;
}
printf("Please Specify a valid digest algorithm [%s]\n", DEFAULT_DIGEST);
memset(digest_name, 0, (size_t) DIGEST_NAME_MAX_SIZE);
ctemp = fgets(digest_name, DIGEST_NAME_MAX_SIZE, stdin);
if (ctemp == NULL) {
printf("Unable to read input\n");
goto free_data;
}
if (digest_name[DIGEST_NAME_MAX_SIZE - 1] != 0 && digest_name[DIGEST_NAME_MAX_SIZE - 1] != '\n') {
printf("Digest algorithm name too long, please retry\n");
goto free_data;
}
if (digest_name[0] == '\n') {
data->digest_name = strdup(DEFAULT_DIGEST);
} else {
ctemp = memchr(digest_name, '\n', (size_t) DIGEST_NAME_MAX_SIZE);
if (ctemp != NULL) {
*ctemp = '\0';
}
data->digest_name = digest_name;
}
ctemp = (char*)compute_hash(data->digest_name, (char*)privid_bin, OTP_PRIVID_BIN_LEN);
if (ctemp == NULL) {
goto free_data;
}
data->privid_hash = bin2hex(ctemp, strlen(ctemp));
if (data->privid_hash == NULL) {
goto free_data;
}
printf("New user :\n");
printf("Name: '%.*s':\n", (unsigned int) user.len, user.name);
printf("Public ID : %.*s\n", (int) OTP_PUB_ID_HEX_LEN, data->pubid);
printf("Private Key: %.*s\n", (int) OTP_KEY_HEX_LEN, data->key);
printf("Private ID: %.*s\n", (int) OTP_PRIVID_HEX_LEN, privid);
printf("Private ID digest: %s\n", data->digest_name);
printf("Private ID hash: %s\n", data->privid_hash);
printf("Press enter to create this new user\n");
if (getc(stdin) != '\n') {
goto free_data;
}
for (temp = 0; temp < MAX_RETRIES; ++temp) {
ret = try_start_transaction(db);
switch (ret) {
case OTP_SQL_ERR:
printf("SQL error during the transaction initialisation");
goto free_data;
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_OK:
ret = try_create_credentials(db, data, &user);
switch (ret) {
case OTP_SQL_ERR:
printf("SQL error while trying to add the user");
goto free_data;
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_OK:
ret = try_end_transaction(db);
switch (ret) {
case OTP_SQL_MAY_RETRY:
break;
case OTP_SQL_ERR:
printf("SQL error when trying to commit the transaction");
goto free_data;
case OTP_SQL_OK:
goto free_data;
}
}
}
}
printf("Unable to create user (Database busy)\n");
break;
}
goto free_db;
free_data:
free_otp_data(data);
free_db:
sql_close(db);
return 0;
}
/*
* Returns true if the user successfully authenticates, false if not
* or -1 on error.
*/
int
check_user(int validated, int mode)
{
struct passwd *auth_pw;
char *timestampdir = NULL;
char *timestampfile = NULL;
char *prompt;
struct stat sb;
int status, rval = true;
debug_decl(check_user, SUDO_DEBUG_AUTH)
/*
* Init authentication system regardless of whether we need a password.
* Required for proper PAM session support.
*/
auth_pw = get_authpw();
if (sudo_auth_init(auth_pw) == -1) {
rval = -1;
goto done;
}
/*
* Don't prompt for the root passwd or if the user is exempt.
* If the user is not changing uid/gid, no need for a password.
*/
if (!def_authenticate || user_uid == 0 || user_is_exempt())
goto done;
if (user_uid == runas_pw->pw_uid &&
(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) {
#ifdef HAVE_SELINUX
if (user_role == NULL && user_type == NULL)
#endif
#ifdef HAVE_PRIV_SET
if (runas_privs == NULL && runas_limitprivs == NULL)
#endif
goto done;
}
/* Always need a password when -k was specified with the command. */
if (ISSET(mode, MODE_IGNORE_TICKET))
SET(validated, FLAG_CHECK_USER);
/* Stash the tty's ctime for tty ticket comparison. */
if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
tty_info.dev = sb.st_dev;
tty_info.ino = sb.st_ino;
tty_info.rdev = sb.st_rdev;
if (tty_is_devpts(user_ttypath))
ctim_get(&sb, &tty_info.ctime);
}
if (build_timestamp(×tampdir, ×tampfile) == -1) {
rval = -1;
goto done;
}
status = timestamp_status(timestampdir, timestampfile, user_name,
TS_MAKE_DIRS);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
rval = -1;
goto done;
}
/* XXX - should not lecture if askpass helper is being used. */
lecture(status);
/* Expand any escapes in the prompt. */
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
user_name, user_shost);
rval = verify_user(auth_pw, prompt, validated);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_OK) &&
!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR)
update_timestamp(timestampdir, timestampfile);
efree(timestampdir);
efree(timestampfile);
done:
sudo_auth_cleanup(auth_pw);
sudo_pw_delref(auth_pw);
debug_return_bool(rval);
}
// TODO: Should change this logic to re-use sessions.
session_t * session_new(maindata_t *maindata, RISPSESSION streamsession)
{
assert(maindata);
assert(streamsession);
assert(maindata->verify == 0xc001b33f);
// to indicate when this function is called.
fprintf(stderr, "---> session_new();\n");
// allocate space for the object, and clear it too.
session_t *session = calloc(1, sizeof(session_t));
assert(session);
int index;
int found = -1;
for (index=0; found < 0 && index < maindata->sessions.max; index++) {
if(maindata->sessions.list[index] == NULL) {
found = index;
}
}
if (found < 0) {
maindata->sessions.list = realloc(maindata->sessions.list, sizeof(session_t *) * (maindata->sessions.max + 1));
found = maindata->sessions.max;
maindata->sessions.max ++;
}
assert(found >= 0);
maindata->sessions.list[found] = session;
session->id = found;
session->verify = 123456789;
session->maindata = maindata;
session->session_ptr = streamsession;
// this will ask the RISP session if there was any authorisation information (certificates)
assert(streamsession);
char *certname = rispsession_get_session_auth_certname(streamsession);
if (certname) {
// we need to check if the cert is in the users list.
fprintf(stderr, "##### Client cert name: %s\n", certname);
if (verify_user(maindata, certname) == 1) {
fprintf(stderr, "User Validated[%d]\n", session->id);
session->data.authenticated = true;
}
else {
assert(session->data.authenticated == false);
}
free(certname);
certname = NULL;
}
else {
fprintf(stderr, "##$### Client Cert Not Received.\n");
}
// Set the defaults
session->data.name[0] = 0;
session->data.established = false;
session->data.echo = false;
session->data.follow = true;
session->data.update = true;
return(session);
}
/**
Benutzer anmelden (Passwort Überprüfen)
*/
int main(int argc, char ** argv)
{
cgi datCGI;
init_CGI(&datCGI);
person login_person;
init_person(&login_person);
//fprintf(stderr, "Hallo vor Post\n");
get_CGI_data(&datCGI);
if(datCGI.request_method != POST) {
print_exit_failure("Use POST!");
}
//fprintf(stderr, "POST_DATA: %s", datCGI.POST_data);
//Aus POST_data den String zwischen <AttributName>= und '&' ausschneiden
extract_POST_data(&datCGI, "email", &login_person.email);
remove_newline(login_person.email);
extract_POST_data(&datCGI, "pass", &login_person.password);
remove_newline(login_person.password);
if(login_person.email == NULL) {
httpSetCookie("EMAIL", "NULL");
httpSetCookie("SID", "0");
httpCacheControl("no-cache");
char * redirectString=NULL;
asprintf(&redirectString, "https://%s/incorrect_password.html", datCGI.http_host);
httpRedirect(redirectString);
}
//fprintf(stderr, "POST_DATA: %s", datCGI.POST_data);
//TODO: Verhindern, dass sich ein anderer Nutzer vom selben Rechner aus einloggt wenn der erste noch nicht abgemeldet ist
//(zweimaliges Anmelden verhindern)
//Das ist sehr unwahrscheinlich
/*
if(datCGI.http_cookies != NULL){
person already_logged_in_person;
init_person(&already_logged_in_person);
char * cook_sid=NULL;
if(extract_COOKIE_data(&datCGI, "EMAIL", &already_logged_in_person.email) == 0 && extract_COOKIE_data(&datCGI, "SID", &cook_sid) == 0){
//print_exit_failure("Hier ist schon jemand eingeloggt");
already_logged_in_person.sid=atoi(cook_sid);
if(get_person_by_sid(&already_logged_in_person)){
print_exit_failure("Hier ist schon jemand eingeloggt");
}
}
}*/
UserState user_state=verify_user(&login_person);
//Zwei cookies setzen
if(user_state == PW_CORRECT || user_state == PW_CORRECT_ALREADY_LOGGED_IN) {
httpSetCookie("EMAIL", login_person.email);
char * sid_string;
asprintf(&sid_string, "%d", login_person.sid);
httpSetCookie("SID", sid_string);
httpCacheControl("no-store, no-cache, must-revalidate, max-age=0");
char * redirectString=NULL;
asprintf(&redirectString, "https://%s/cgi-bin/all_messages.cgi", datCGI.http_host);
httpRedirect(redirectString);
}
if(user_state == PW_INCORRECT) {
httpSetCookie("EMAIL", "NULL");
httpSetCookie("SID", "0");
httpCacheControl("no-store, no-cache, must-revalidate, max-age=0");
char * redirectString=NULL;
asprintf(&redirectString, "https://%s/incorrect_password.html", datCGI.http_host);
httpRedirect(redirectString);
}
/*
httpHeader(HTML);
printf("<!DOCTYPE html><head>\
<title>InfoWall -- Anmeldung</title>\
<meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\" />\
<meta name=\"viewport\" content=\"width=device-width\">\
</head>\
<body>");
printf("%s\n", datCGI.POST_data);
puts("<h1>Erhaltene Daten:</h1>\n");
printf("<br>CONTENT_LENGTH: %d -- REQUEST_METHOD: %s\n", datCGI.content_length, datCGI.request_method);
printf("<br>Name: %s\nPassword: %s\n", login_person.email, login_person.password);
printf("<br>Post Data: %s\n", datCGI.POST_data);
puts("<br>\n\n\n\n");
if(login_person.auth && user_state==0){
puts("<h2>Personendaten:</h2>\n");
printf("<br>User ID: %d\n", login_person.id);
printf("<br>Vorname: %s\n", login_person.first_name);
printf("<br>Nachname: %s\n", login_person.name);
printf("<br>Email: %s\n", login_person.email);
printf("<br>Passwort: %s (richtig)\n", login_person.password);
printf("<br>Faecher: %s\n", login_person.courses);
if(login_person.isTeacher)printf("<br>Kuerzel: %s\n", login_person.acronym);
printf("<br>SID: %d\n", login_person.sid);
puts("<a href=\"/cgi-bin/logout.cgi\" style=\"color: green;\">LOGOUT</a>\
<br><a href=\"/cgi-bin/all_messages.cgi\">Alle Nachrichten</a>");
puts("<iframe src=\"/cgi-bin/all_messages.cgi\" style=\"width: 100%; height: 500px;\"");
}else{
puts("<br>YOU FAIL!!\n");
if(user_state == 1){
puts("Bereits angemeldet!");
printf("<a href=\"/cgi-bin/logout.cgi\">LOGOUT</a>\
<br><a href=\"/cgi-bin/all_messages.cgi\">Alle Nachrichten</a>");
}
}
printf("</body>\
</html>");*/
exit(0);
}