void pw_pgsql_check(AuthResult * const result,
const char *account, const char *password,
const struct sockaddr_storage * const sa,
const struct sockaddr_storage * const peer)
{
PGconn *id_sql_server = NULL;
const char *spwd = NULL; /* stored password */
const char *uid = sql_default_uid; /* stored system login/uid */
const char *gid = sql_default_gid; /* stored system group/gid */
const char *dir = NULL; /* stored home directory */
#ifdef QUOTAS
const char *sqta_fs = NULL; /* stored quota files */
const char *sqta_sz = NULL; /* stored quota size */
#endif
#ifdef RATIOS
const char *ratio_ul = NULL; /* stored ratio UL */
const char *ratio_dl = NULL; /* stored ratio DL */
#endif
#ifdef THROTTLING
const char *bandwidth_ul = NULL; /* stored bandwidth UL */
const char *bandwidth_dl = NULL; /* stored bandwidth DL */
#endif
char *escaped_account = NULL;
char *escaped_ip = NULL;
char *escaped_port = NULL;
char *escaped_peer_ip = NULL;
char *escaped_decimal_ip = NULL;
char *scrambled_password = NULL;
int committed = 1;
int crypto_crypt = 0, crypto_plain = 0, crypto_md5 = 0, crypto_md5sha1 = 0; /* TRICK */
unsigned long decimal_ip_num = 0UL;
char decimal_ip[42];
char hbuf[NI_MAXHOST];
char pbuf[NI_MAXSERV];
char phbuf[NI_MAXHOST];
result->auth_ok = 0;
if (pw_pgsql_validate_name(account) != 0) {
goto bye;
}
if (getnameinfo((const struct sockaddr *) sa, STORAGE_LEN(*sa),
hbuf, sizeof hbuf, pbuf, sizeof pbuf,
NI_NUMERICHOST | NI_NUMERICSERV) != 0 ||
getnameinfo((const struct sockaddr *) peer, STORAGE_LEN(*peer),
phbuf, sizeof phbuf, NULL, (size_t) 0U,
NI_NUMERICHOST) != 0) {
goto bye;
}
*decimal_ip = 0;
//if (STORAGE_FAMILY(*peer) == AF_INET) {
const unsigned char *decimal_ip_raw =
(const unsigned char *) &(STORAGE_SIN_ADDR(*peer));
decimal_ip_num = (decimal_ip_raw[0] << 24) |
(decimal_ip_raw[1] << 16) | (decimal_ip_raw[2] << 8) |
decimal_ip_raw[3];
if (SNCHECK(snprintf(decimal_ip, sizeof decimal_ip,
"%lu", decimal_ip_num), sizeof decimal_ip)) {
goto bye;
}
//}
if (pw_pgsql_connect(&id_sql_server) != 0) {
goto bye;
}
if ((escaped_account =
pw_pgsql_escape_string(account)) == NULL) {
goto bye;
}
if ((escaped_ip =
pw_pgsql_escape_string(hbuf)) == NULL) {
goto bye;
}
if ((escaped_port =
pw_pgsql_escape_string(pbuf)) == NULL) {
goto bye;
}
if ((escaped_peer_ip =
pw_pgsql_escape_string(phbuf)) == NULL) {
goto bye;
}
if ((escaped_decimal_ip =
pw_pgsql_escape_string(decimal_ip)) == NULL) {
goto bye;
}
if (pw_pgsql_simplequery(id_sql_server, PGSQL_TRANSACTION_START) == 0) {
committed = 0;
}
/*logfile(LOG_WARNING, "START AUTH 2 [%s]", sqlreq_getpw); */
if ((spwd = pw_pgsql_getquery(id_sql_server, sqlreq_getpw,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) == NULL) {
goto bye;
}
/*logfile(LOG_WARNING, "START AUTH 3 [%s]", sqlreq_getuid);*/
if (uid == NULL) {
uid = pw_pgsql_getquery(id_sql_server, sqlreq_getuid,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip);
}
if (uid == NULL) {
goto bye;
}
/*logfile(LOG_WARNING, "START AUTH 4 [%s]", sqlreq_getgid);*/
if (gid == NULL) {
gid = pw_pgsql_getquery(id_sql_server, sqlreq_getgid,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip);
}
if (gid == NULL) {
goto bye;
}
/*logfile(LOG_WARNING, "START AUTH 5 [%s]", sqlreq_getdir);*/
if ((dir = pw_pgsql_getquery(id_sql_server, sqlreq_getdir,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) == NULL) {
goto bye;
}
result->auth_ok--; /* -1 */
if (strcasecmp(crypto, PASSWD_SQL_ANY) == 0) {
crypto_crypt++;
crypto_md5++;
} else if (strcasecmp(crypto, PASSWD_SQL_CRYPT) == 0) {
crypto_crypt++;
} else if (strcasecmp(crypto, PASSWD_SQL_MD5) == 0) {
crypto_md5++;
} else if (strcasecmp(crypto, PASSWD_SQL_MD5SHA1) == 0) {
crypto_md5sha1++; /* TRICK */
} else { /* default to plaintext */
crypto_plain++;
}
if (crypto_crypt != 0) {
register const char *crypted;
if ((crypted = (const char *) crypt(password, spwd)) != NULL &&
strcmp(crypted, spwd) == 0) {
goto auth_ok;
}
}
if (crypto_md5 != 0) {
register const char *crypted;
if ((crypted = (const char *) crypto_hash_md5(password, 1)) != NULL &&
strcmp(crypted, spwd) == 0) {
goto auth_ok;
}
}
if (crypto_md5sha1 != 0) { /* TRICK */
register const char *crypted;
if ((crypted = (const char *) crypto_hash_sha1(password, 1)) != NULL ) {
if ((crypted = (const char *) crypto_hash_md5(crypted, 1)) != NULL &&
strcmp(crypted, spwd) == 0) {
goto auth_ok;
}
}
}
if (crypto_plain != 0) {
if (*password != 0 && /* refuse null cleartext passwords */
strcmp(password, spwd) == 0) {
goto auth_ok;
}
}
goto bye;
auth_ok:
/*
* do *NOT* accept root uid/gid - if the database is compromized, the FTP
* server could also be rooted.
*/
result->uid = (uid_t) strtoul(uid, NULL, 10);
if (result->uid <= (uid_t) 0) {
struct passwd *pw;
if ((pw = getpwnam(uid)) == NULL || pw->pw_uid <= (uid_t) 0) {
goto bye;
}
result->uid = pw->pw_uid;
}
result->gid = (gid_t) strtoul(gid, NULL, 10);
if (result->gid <= (gid_t) 0) {
struct group *gr;
if ((gr = getgrnam(gid)) == NULL || gr->gr_gid <= (gid_t) 0) {
goto bye;
}
result->gid = gr->gr_gid;
}
result->dir = dir;
dir = NULL;
#ifdef QUOTAS
if ((sqta_fs = pw_pgsql_getquery(id_sql_server, sqlreq_getqta_fs,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned long long q = strtoull(sqta_fs, NULL, 10);
if (q > 0ULL) {
result->user_quota_files = q;
result->quota_files_changed = 1;
}
}
if ((sqta_sz = pw_pgsql_getquery(id_sql_server, sqlreq_getqta_sz,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned long long q = strtoull(sqta_sz, NULL, 10);
if (q > 0ULL) {
result->user_quota_size = q * (1024UL * 1024UL);
result->quota_size_changed = 1;
}
}
#endif
#ifdef RATIOS
if ((ratio_ul = pw_pgsql_getquery(id_sql_server, sqlreq_getratio_ul,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned int q = (unsigned int) strtoul(ratio_ul, NULL, 10);
if (q > 0U) {
result->ratio_upload = q;
result->ratio_ul_changed = 1;
}
}
if ((ratio_dl = pw_pgsql_getquery(id_sql_server, sqlreq_getratio_dl,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned int q = (unsigned int) strtoul(ratio_dl, NULL, 10);
if (q > 0U) {
result->ratio_download = q;
result->ratio_dl_changed = 1;
}
}
#endif
#ifdef THROTTLING
if ((bandwidth_ul = pw_pgsql_getquery(id_sql_server, sqlreq_getbandwidth_ul,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned long q = (unsigned long) strtoul(bandwidth_ul, NULL, 10);
if (q > 0UL) {
result->throttling_bandwidth_ul = q * 1024UL;
result->throttling_ul_changed = 1;
}
}
if ((bandwidth_dl = pw_pgsql_getquery(id_sql_server, sqlreq_getbandwidth_dl,
escaped_account, escaped_ip,
escaped_port, escaped_peer_ip,
escaped_decimal_ip)) != NULL) {
const unsigned long q = (unsigned long) strtoul(bandwidth_dl, NULL, 10);
if (q > 0UL) {
result->throttling_bandwidth_dl = q * 1024UL;
result->throttling_dl_changed = 1;
}
}
#endif
result->slow_tilde_expansion = 1;
result->auth_ok =- result->auth_ok;
bye:
if (committed == 0) {
(void) pw_pgsql_simplequery(id_sql_server, PGSQL_TRANSACTION_END);
}
if (id_sql_server != NULL) {
PQfinish(id_sql_server);
}
if (spwd != NULL) {
free((void *) spwd);
}
if (uid != NULL) {
free((void *) uid);
}
if (gid != NULL) {
free((void *) gid);
}
if (dir != NULL) {
free((void *) dir);
}
if (scrambled_password != NULL) {
free(scrambled_password);
}
#ifdef QUOTAS
if (sqta_fs != NULL) {
free((void *) sqta_fs);
}
if (sqta_sz != NULL) {
free((void *) sqta_sz);
}
#endif
#ifdef RATIOS
if (ratio_ul != NULL) {
free((void *) ratio_ul);
}
if (ratio_dl != NULL) {
free((void *) ratio_dl);
}
#endif
#ifdef THROTTLING
if (bandwidth_ul != NULL) {
free((void *) bandwidth_ul);
}
if (bandwidth_dl != NULL) {
free((void *) bandwidth_dl);
}
#endif
if (escaped_account != NULL) {
free((void *) escaped_account);
}
if (escaped_ip != NULL) {
free((void *) escaped_ip);
}
if (escaped_port != NULL) {
free((void *) escaped_port);
}
if (escaped_peer_ip != NULL) {
free((void *) escaped_peer_ip);
}
if (escaped_decimal_ip != NULL) {
free((void *) escaped_decimal_ip);
}
}
void pw_ldap_check(AuthResult * const result,
const char *account, const char *password,
const struct sockaddr_storage * const sa,
const struct sockaddr_storage * const peer)
{
struct passwd *pw;
const char *spwd; /* Stored pwd */
const char *cpwd = NULL; /* Computed pwd */
signed char nocase = 0; /* Insensitive strcmp */
(void) sa;
(void) peer;
result->auth_ok = 0;
if (account == NULL || *account == 0 || password == NULL ||
(pw = pw_ldap_getpwnam(account, result)) == NULL) {
return;
}
result->auth_ok--; /* -1 */
if (use_ldap_bind_method == 1 && result->backend_data != NULL) {
LDAP *ld;
char *dn = (char *) result->backend_data;
int ok = 0;
/* Verify password by binding to LDAP */
if (password != NULL && *password != 0 &&
(ld = pw_ldap_connect(dn, password)) != NULL) {
ldap_unbind(ld);
ok = 1;
}
free(result->backend_data);
result->backend_data = NULL;
if (ok <= 0) {
return;
}
} else {
free(result->backend_data);
result->backend_data = NULL;
spwd = pw->pw_passwd;
#ifdef HAVE_LIBSODIUM
if (strncasecmp(spwd, PASSWD_LDAP_SCRYPT_PREFIX,
sizeof PASSWD_LDAP_SCRYPT_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_SCRYPT_PREFIX - 1U);
if (crypto_pwhash_scryptsalsa208sha256_str_verify
(spwd, password, strlen(password)) == 0) {
goto pwd_ok;
}
return;
} else
#endif
if (strncasecmp(spwd, PASSWD_LDAP_MD5_PREFIX,
sizeof PASSWD_LDAP_MD5_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_MD5_PREFIX - 1U);
if (strlen(spwd) >= 32U) {
nocase++;
}
cpwd = crypto_hash_md5(password, nocase);
} else if (strncasecmp(spwd, PASSWD_LDAP_SHA_PREFIX,
sizeof PASSWD_LDAP_SHA_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_SHA_PREFIX - 1U);
if (strlen(spwd) >= 40U) {
nocase++;
}
cpwd = crypto_hash_sha1(password, nocase);
} else if (strncasecmp(spwd, PASSWD_LDAP_SSHA_PREFIX,
sizeof PASSWD_LDAP_SSHA_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_SSHA_PREFIX - 1U);
cpwd = crypto_hash_ssha1(password, spwd);
} else if (strncasecmp(spwd, PASSWD_LDAP_SMD5_PREFIX,
sizeof PASSWD_LDAP_SMD5_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_SMD5_PREFIX - 1U);
cpwd = crypto_hash_smd5(password, spwd);
} else if (strncasecmp(spwd, PASSWD_LDAP_CRYPT_PREFIX,
sizeof PASSWD_LDAP_CRYPT_PREFIX - 1U) == 0) {
spwd += (sizeof PASSWD_LDAP_CRYPT_PREFIX - 1U);
cpwd = (const char *) crypt(password, spwd);
} else if (*password != 0) {
cpwd = password; /* Cleartext */
} else {
return; /* Refuse null passwords */
}
if (cpwd == NULL) {
return;
}
if (nocase != 0) {
if (strcasecmp(cpwd, spwd) != 0) {
return;
}
}
if (pure_strcmp(cpwd, spwd) != 0) {
return;
}
}
pwd_ok:
result->uid = pw->pw_uid;
result->gid = pw->pw_gid;
if (result->uid <= (uid_t) 0 || result->gid <= (gid_t) 0) {
return;
}
if ((result->dir = strdup(pw->pw_dir)) == NULL) {
return;
}
result->slow_tilde_expansion = 1;
result->auth_ok = 1; /* User found, authentication ok */
}
