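/*
 * CHAP (MD5 challenge/response) authentication.
 *
 * Sends a random CHALLEN-byte challenge on fd 1, reads an OChapreply
 * from fd 0 and compares MD5(id || secret || challenge) with the
 * client's response.  On success a ticket and authenticator for
 * tr->hostid are sent via tickauthreply(); on any failure the process
 * exits.  tr->uid is overwritten with the uid the client supplied.
 *
 * Review changes:
 *  - a short read of the reply now fails closed (readn returns less
 *    than requested only on EOF/error); the original tested only for a
 *    negative return and would have examined a partly filled structure;
 *  - the digest comparison is constant time, so a rejection cannot be
 *    timed to confirm a prefix of the expected response;
 *  - a short write of the challenge aborts, as vnc() already does.
 * The unknown-user and bad-response paths deliberately send the same
 * error text so uids cannot be enumerated from the reply (the paths
 * still differ in timing; vnc() pads that with a random secret,
 * chap() does not).
 */
void
chap(Ticketreq *tr)
{
	char *secret, *hkey;
	DigestState *s;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	uchar digest[MD5dlen];
	char chal[CHALLEN];
	OChapreply reply;
	int i, diff;

	/*
	 * Create a challenge and send it.
	 */
	randombytes((uchar*)chal, sizeof(chal));
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		exits(0);

	/*
	 * get chap reply; anything short of the full structure is EOF/error
	 */
	if(readn(0, &reply, sizeof(reply)) != sizeof(reply))
		exits(0);
	safecpy(tr->uid, reply.uid, sizeof(tr->uid));

	/*
	 * lookup
	 */
	secret = findsecret(KEYDB, tr->uid, sbuf);
	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0 || secret == 0){
		replyerror("chap-fail bad response %s", raddr);
		logfail(tr->uid);
		exits(0);
	}

	/*
	 * check for match: expected = MD5(id || secret || challenge)
	 */
	s = md5(&reply.id, 1, 0, 0);
	md5((uchar*)secret, strlen(secret), 0, s);
	md5((uchar*)chal, sizeof(chal), digest, s);

	/* constant-time compare: OR all byte differences, test once */
	diff = 0;
	for(i = 0; i < MD5dlen; i++)
		diff |= digest[i] ^ reply.resp[i];
	if(diff != 0){
		replyerror("chap-fail bad response %s", raddr);
		logfail(tr->uid);
		exits(0);
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);
	if(debug)
		syslog(0, AUTHLOG, "chap-ok %s %s", tr->uid, raddr);
}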
/*
 * Record a failed authentication attempt for user via logfail() and
 * terminate the process with the non-empty exit status "failure".
 * Never returns.
 */
void
fail(char *user)
{
	char *status = "failure";

	logfail(user);
	exits(status);
}
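/*
 * dma-mbox-create: setgid helper that creates (or fixes up) the mailbox
 * _PATH_MAILDIR/<user> so it is owned by <user>, group DMA_GROUP, mode
 * 0620.
 *
 * argv[1] is the only argument, the username.  It must name an existing
 * passwd entry and may not contain '/', so the file touched is always a
 * direct child of the mail directory.  Every failure is reported through
 * logfail() and terminates the program.
 *
 * Review changes:
 *  - the mbox is opened with O_NOFOLLOW (as the Capsicum-era version of
 *    this program does), so a symlink planted at the mbox path cannot
 *    redirect the create/fchown/fchmod to another file;
 *  - "." and ".." are rejected explicitly: they pass the '/' check but
 *    name the mail directory or its parent rather than a mailbox.
 */
int
main(int argc, char **argv)
{
	const char *user;
	struct passwd *pw;
	struct group *gr;
	uid_t user_uid;
	gid_t mail_gid;
	int error;
	char fn[PATH_MAX+1];
	int f;

	openlog("dma-mbox-create", 0, LOG_MAIL);

	errno = 0;
	gr = getgrnam(DMA_GROUP);
	if (!gr)
		logfail("cannot find dma group `%s'", DMA_GROUP);

	mail_gid = gr->gr_gid;

	/* switch to the mail group and verify the kernel actually did it */
	if (setgid(mail_gid) != 0)
		logfail("cannot set gid to %d (%s)", mail_gid, DMA_GROUP);
	if (getegid() != mail_gid)
		logfail("cannot set gid to %d (%s), still at %d", mail_gid, DMA_GROUP, getegid());

	/*
	 * We take exactly one argument: the username.
	 */
	if (argc != 2) {
		errno = 0;
		logfail("no arguments");
	}
	user = argv[1];

	syslog(LOG_NOTICE, "creating mbox for `%s'", user);

	/* the username may not contain a pathname separator */
	if (strchr(user, '/')) {
		errno = 0;
		logfail("path separator in username `%s'", user);
		exit(1);
	}

	/* nor may it be the directory itself or its parent */
	if (strcmp(user, ".") == 0 || strcmp(user, "..") == 0) {
		errno = 0;
		logfail("invalid username `%s'", user);
		exit(1);
	}

	/* verify the user exists */
	errno = 0;
	pw = getpwnam(user);
	if (!pw)
		logfail("cannot find user `%s'", user);

	user_uid = pw->pw_uid;

	error = snprintf(fn, sizeof(fn), "%s/%s", _PATH_MAILDIR, user);
	if (error < 0 || (size_t)error >= sizeof(fn)) {
		if (error >= 0) {
			errno = 0;
			logfail("mbox path too long");
		}
		logfail("cannot build mbox path for `%s/%s'", _PATH_MAILDIR, user);
	}

	/*
	 * O_NOFOLLOW: never chown/chmod whatever a symlink at fn points to.
	 * O_CREAT without O_EXCL is deliberate: an existing mbox is fixed up.
	 */
	f = open(fn, O_RDONLY|O_CREAT|O_NOFOLLOW, 0600);
	if (f < 0)
		logfail("cannot open mbox `%s'", fn);

	if (fchown(f, user_uid, mail_gid))
		logfail("cannot change owner of mbox `%s'", fn);

	if (fchmod(f, 0620))
		logfail("cannot change permissions of mbox `%s'", fn);

	/* file should be present with the right owner and permissions */

	syslog(LOG_NOTICE, "successfully created mbox for `%s'", user);

	return (0);
}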
/*
 * dma-mbox-create (Capsicum variant): setgid helper that creates (or
 * fixes up) _PATH_MAILDIR/<user> so it is owned by <user>, group
 * DMA_GROUP, mode 0620.
 *
 * argv[1] is the only argument, the username; it must be an existing
 * passwd entry and may not contain '/'.  All name-service and path
 * lookups (group, user, the mail directory) happen before the sandbox
 * is entered; afterwards only the pre-opened maildirfd is used, via
 * openat() with O_NOFOLLOW.  Failures go through logfail() with a
 * sysexits(3) code, except the two Capsicum setup errors which use
 * err(3).
 */
int
main(int argc, char **argv)
{
#if USE_CAPSICUM
	cap_rights_t rights;
#endif
	const char *user;
	struct passwd *pw;
	struct group *gr;
	uid_t user_uid;
	gid_t mail_gid;
	int f, maildirfd;

	/*
	 * Open log fd now for capability sandbox.
	 * (LOG_NDELAY connects to syslogd immediately, so no new socket is
	 * needed once the sandbox is entered.)
	 */
	openlog("dma-mbox-create", LOG_NDELAY, LOG_MAIL);

	errno = 0;
	gr = getgrnam(DMA_GROUP);
	if (!gr)
		logfail(EX_CONFIG, "cannot find dma group `%s'", DMA_GROUP);

	mail_gid = gr->gr_gid;

	/* switch to the mail group and verify the kernel actually did it */
	if (setgid(mail_gid) != 0)
		logfail(EX_NOPERM, "cannot set gid to %d (%s)", mail_gid, DMA_GROUP);
	if (getegid() != mail_gid)
		logfail(EX_NOPERM, "cannot set gid to %d (%s), still at %d", mail_gid, DMA_GROUP, getegid());

	/*
	 * We take exactly one argument: the username.
	 */
	if (argc != 2) {
		errno = 0;
		logfail(EX_USAGE, "no arguments");
	}
	user = argv[1];

	syslog(LOG_NOTICE, "creating mbox for `%s'", user);

	/*
	 * the username may not contain a pathname separator
	 * NOTE(review): "." and ".." pass this test; only the getpwnam()
	 * check below keeps them out, so this relies on no such passwd
	 * entry existing.
	 */
	if (strchr(user, '/')) {
		errno = 0;
		logfail(EX_DATAERR, "path separator in username `%s'", user);
		/*
		 * NOTE(review): presumably unreachable (logfail() is used as a
		 * terminating call everywhere else); if it did return, this
		 * would exit with 1 rather than EX_DATAERR.
		 */
		exit(1);
	}

	/* verify the user exists */
	errno = 0;
	pw = getpwnam(user);
	if (!pw)
		logfail(EX_NOUSER, "cannot find user `%s'", user);

	/* directory handle for openat() inside the sandbox */
	maildirfd = open(_PATH_MAILDIR, O_RDONLY);
	if (maildirfd < 0)
		logfail(EX_NOINPUT, "cannot open maildir %s", _PATH_MAILDIR);

	/*
	 * Cache NLS data, for strerror, for err(3), before entering capability
	 * mode.
	 * NOTE(review): this call and caph_cache_tzdata() are not under
	 * USE_CAPSICUM; confirm the non-Capsicum build still links them.
	 */
	caph_cache_catpages();

	/*
	 * Cache local time before entering Capsicum capability sandbox.
	 */
	caph_cache_tzdata();

#if USE_CAPSICUM
	/* the only rights the mbox create/fchown/fchmod below need */
	cap_rights_init(&rights, CAP_CREATE, CAP_FCHMOD, CAP_FCHOWN, CAP_LOOKUP, CAP_READ);
	/* ENOSYS is tolerated: presumably a kernel without Capsicum support */
	if (cap_rights_limit(maildirfd, &rights) < 0 && errno != ENOSYS)
		err(EX_OSERR, "can't limit maildirfd rights");

	/* Enter Capsicum capability sandbox */
	if (caph_enter() < 0)
		err(EX_OSERR, "cap_enter");
#endif

	user_uid = pw->pw_uid;

	/*
	 * O_NOFOLLOW: never chown/chmod what a symlink planted in the maildir
	 * points to.  O_CREAT without O_EXCL: an existing mbox is fixed up.
	 */
	f = openat(maildirfd, user, O_RDONLY|O_CREAT|O_NOFOLLOW, 0600);
	if (f < 0)
		logfail(EX_NOINPUT, "cannot open mbox `%s'", user);

	if (fchown(f, user_uid, mail_gid))
		logfail(EX_OSERR, "cannot change owner of mbox `%s'", user);

	if (fchmod(f, 0620))
		logfail(EX_OSERR, "cannot change permissions of mbox `%s'", user);

	/* file should be present with the right owner and permissions */

	syslog(LOG_NOTICE, "successfully created mbox for `%s'", user);

	return (0);
}
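/* constant-time equality of two MSresplen-byte responses */
static int
mschapeq(uchar *a, uchar *b)
{
	int i, d;

	d = 0;
	for(i = 0; i < MSresplen; i++)
		d |= a[i] ^ b[i];
	return d == 0;
}

/*
 * MS-CHAP authentication (LM and NT challenge/response).
 *
 * Sends a random CHALLEN-byte challenge on fd 1, reads an OMSchapreply
 * from fd 0 and recomputes the LM and NT responses from the user's
 * stored secret.  The acceptance rule is the one documented inline:
 * both responses correct, or one correct and the two response fields
 * identical.  On success a ticket and authenticator are sent via
 * tickauthreply(), followed by 16 bytes of session key material,
 * SHA1(MD4(NThash) || MD4(NThash) || chal[0..7]) truncated to 16 bytes.
 *
 * Review changes:
 *  - a short read of the reply now fails closed (readn returns less
 *    than requested only on EOF/error); the original tested only for a
 *    negative return;
 *  - the three response comparisons are constant time;
 *  - the debug success message called replyerror() with a format string
 *    carrying a "%ux" that had no matching argument (undefined
 *    behaviour); replyerror() is otherwise used only on failure paths
 *    here, so the message now goes to syslog like chap()/vnc()/apop().
 * Note that accepting an LM response duplicated into both fields is
 * inherent in this rule: anyone holding the LM hash of the secret can
 * authenticate.
 */
void
mschap(Ticketreq *tr)
{
	char *secret, *hkey;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	uchar chal[CHALLEN];
	uchar hash[MShashlen];
	uchar hash2[MShashlen];
	uchar resp[MSresplen];
	OMSchapreply reply;
	int dupe, lmok, ntok;
	DigestState *s;
	uchar digest[SHA1dlen];

	/*
	 * Create a challenge and send it.
	 */
	randombytes((uchar*)chal, sizeof(chal));
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		exits(0);

	/*
	 * get chap reply; anything short of the full structure is EOF/error
	 */
	if(readn(0, &reply, sizeof(reply)) != sizeof(reply))
		exits(0);
	safecpy(tr->uid, reply.uid, sizeof(tr->uid));

	/*
	 * lookup
	 */
	secret = findsecret(KEYDB, tr->uid, sbuf);
	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0 || secret == 0){
		replyerror("mschap-fail bad response %s/%s(%s)", tr->uid, tr->hostid, raddr);
		logfail(tr->uid);
		exits(0);
	}

	/* expected LM response */
	lmhash(hash, secret);
	mschalresp(resp, hash, chal);
	lmok = mschapeq(resp, reply.LMresp);

	/* expected NT response */
	nthash(hash, secret);
	mschalresp(resp, hash, chal);
	ntok = mschapeq(resp, reply.NTresp);

	/* did the client send the same bytes in both fields? */
	dupe = mschapeq(reply.LMresp, reply.NTresp);

	/*
	 * It is valid to send the same response in both the LM and NTLM
	 * fields provided one of them is correct, if neither matches,
	 * or the two fields are different and either fails to match,
	 * the whole sha-bang fails.
	 *
	 * This is an improvement in security as it allows clients who
	 * wish to do NTLM auth (which is insecure) not to send
	 * LM tokens (which is very insecure).
	 *
	 * Windows servers supports clients doing this also though
	 * windows clients don't seem to use the feature.
	 */
	if((!ntok && !lmok) || ((!ntok || !lmok) && !dupe)){
		replyerror("mschap-fail bad response %s/%s(%s) %d,%d,%d",
			tr->uid, tr->hostid, raddr, dupe, lmok, ntok);
		logfail(tr->uid);
		exits(0);
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);
	if(debug)
		syslog(0, AUTHLOG, "mschap-ok %s/%s(%s)", tr->uid, tr->hostid, raddr);

	/*
	 * session key material: first 16 bytes of
	 * SHA1(MD4(NThash) || MD4(NThash) || chal[0..7])
	 */
	nthash(hash, secret);
	md4(hash, 16, hash2, 0);
	s = sha1(hash2, 16, 0, 0);
	sha1(hash2, 16, 0, s);
	sha1(chal, 8, digest, s);
	if(write(1, digest, 16) < 0)
		exits(0);
}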
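/*
 * VNC password authentication (DES challenge/response).
 *
 * Sends an AuthOKvar message carrying a VNCchallen-byte random
 * challenge, then reads the client's VNCchallen-byte reply, which is
 * the challenge DES-ECB encrypted under the first 8 bytes of the user's
 * secret (only 8 secret bytes are used, each mapped through swizzletab;
 * presumably the VNC per-byte bit reversal).  If decrypting the reply
 * yields the challenge, a ticket and authenticator are sent via
 * tickauthreply().
 *
 * Unknown uids and hostids are given random secrets/keys so the
 * request follows the same code path whether or not the user exists.
 *
 * Review changes:
 *  - the message header is formatted before the random bytes are drawn:
 *    snprint NUL-terminates, and in the original that NUL landed on
 *    chal[6], forcing the first challenge byte to zero;
 *  - the comparison of decrypted reply and challenge is constant time.
 */
void
vnc(Ticketreq *tr)
{
	uchar chal[VNCchallen+6];
	uchar reply[VNCchallen];
	char *secret, *hkey;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	DESstate s;
	int i, diff;

	/*
	 * Create a challenge and send it: AuthOKvar, 5-char length, then
	 * the VNCchallen random bytes (filled last, see above).
	 */
	chal[0] = AuthOKvar;
	snprint((char*)chal+1, sizeof chal - 1, "%-5d", VNCchallen);
	randombytes(chal+6, VNCchallen);
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		return;

	/*
	 * lookup keys (and swizzle bits)
	 */
	memset(sbuf, 0, sizeof(sbuf));
	secret = findsecret(KEYDB, tr->uid, sbuf);
	if(secret == 0){
		/* unknown user: random secret so the check still runs */
		randombytes((uchar*)sbuf, sizeof(sbuf));
		secret = sbuf;
	}
	for(i = 0; i < 8; i++)
		secret[i] = swizzletab[(uchar)secret[i]];
	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0){
		/* unknown host: random key, the ticket will simply be useless */
		randombytes((uchar*)hbuf, sizeof(hbuf));
		hkey = hbuf;
	}

	/*
	 * get response
	 */
	if(readn(0, reply, sizeof(reply)) != sizeof(reply))
		return;

	/*
	 * decrypt response and compare (constant time)
	 */
	setupDESstate(&s, (uchar*)secret, nil);
	desECBdecrypt(reply, sizeof(reply), &s);
	diff = 0;
	for(i = 0; i < VNCchallen; i++)
		diff |= reply[i] ^ chal[6+i];
	if(diff != 0){
		replyerror("vnc-fail bad response %s", raddr);
		logfail(tr->uid);
		return;
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);
	if(debug)
		syslog(0, AUTHLOG, "vnc-ok %s %s", tr->uid, raddr);
}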
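/*
 * APOP and CRAM-MD5 authentication (type selects which).
 *
 * A challenge of the form <hex.hex@domain> is built from 16 random
 * bytes and sent on fd 1 as an AuthOKvar message.  The caller's tr is
 * ignored (USED); each round reads a fresh ticket request from the
 * client, which supplies uid and hostid, followed by the response as
 * MD5dlen*2 hex digits.  APOP expects MD5(challenge || secret); CRAM
 * expects HMAC-MD5 keyed with the secret over the challenge.  A wrong
 * response or unknown uid/hostid is reported and logged and the client
 * may try again against the same challenge; the (tries > 5) test allows
 * seven attempts in total.  On success a ticket and authenticator are
 * sent via tickauthreply() for the uid/hostid of the last request.
 *
 * Review changes:
 *  - both reads now require the full record (readn returns less than
 *    requested only on EOF/error); the original tested only for a
 *    negative return;
 *  - the digest comparison is constant time.
 * NOTE(review): h2b() is defined elsewhere; verify it tolerates non-hex
 * input, since the response bytes are client supplied.
 */
void
apop(Ticketreq *tr, int type)
{
	int challen, i, tries, diff;
	char *secret, *hkey, *p;
	Ticketreq treq;
	DigestState *s;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	char tbuf[TICKREQLEN];
	char buf[MD5dlen*2];
	uchar digest[MD5dlen], resp[MD5dlen];
	ulong rb[4];
	char chal[256];

	USED(tr);

	/*
	 * Create a challenge and send it.
	 */
	randombytes((uchar*)rb, sizeof(rb));
	p = chal;
	p += snprint(p, sizeof(chal), "<%lux%lux.%lux%lux@%s>",
		rb[0], rb[1], rb[2], rb[3], domainname());
	challen = p - chal;
	print("%c%-5d%s", AuthOKvar, challen, chal);

	/* give user a few attempts */
	for(tries = 0; ; tries++) {
		/*
		 * get ticket request; a short read means the peer went away
		 */
		if(readn(0, tbuf, TICKREQLEN) != TICKREQLEN)
			exits(0);
		convM2TR(tbuf, &treq);
		tr = &treq;
		if(tr->type != type)
			exits(0);

		/*
		 * read response (hex encoded digest)
		 */
		if(readn(0, buf, MD5dlen*2) != MD5dlen*2)
			exits(0);
		for(i = 0; i < MD5dlen; i++)
			resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]);

		/*
		 * lookup
		 */
		secret = findsecret(KEYDB, tr->uid, sbuf);
		hkey = findkey(KEYDB, tr->hostid, hbuf);
		if(hkey == 0 || secret == 0){
			replyerror("apop-fail bad response %s", raddr);
			logfail(tr->uid);
			if(tries > 5)
				return;
			continue;
		}

		/*
		 * check for match
		 */
		if(type == AuthCram){
			hmac_md5((uchar*)chal, challen,
				(uchar*)secret, strlen(secret),
				digest, nil);
		} else {
			s = md5((uchar*)chal, challen, 0, 0);
			md5((uchar*)secret, strlen(secret), digest, s);
		}

		/* constant-time compare: OR all byte differences, test once */
		diff = 0;
		for(i = 0; i < MD5dlen; i++)
			diff |= digest[i] ^ resp[i];
		if(diff != 0){
			replyerror("apop-fail bad response %s", raddr);
			logfail(tr->uid);
			if(tries > 5)
				return;
			continue;
		}
		break;
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);
	if(debug){
		if(type == AuthCram)
			syslog(0, AUTHLOG, "cram-ok %s %s", tr->uid, raddr);
		else
			syslog(0, AUTHLOG, "apop-ok %s %s", tr->uid, raddr);
	}
}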
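/*
 * Numeric challenge/response ("challenge box") authentication.
 *
 * A decimal challenge below MAXNETCHAL is sent on fd 1 as an AuthOK
 * message; the NETCHLEN-byte reply is checked with netcheck() against
 * the user's KEYDB key, then the NETKEYDB key, and finally handed to
 * secureidcheck().  Any match succeeds and a ticket and authenticator
 * for tr->hostid are sent via tickauthreply().
 *
 * If neither key exists, or the host key is missing, a random key is
 * made up so the exchange proceeds identically and the caller cannot
 * tell which lookup failed (a made-up host key just yields an unusable
 * ticket).
 *
 * Review changes:
 *  - a short read of the response now fails closed; the original tested
 *    only for a negative return and, since buf still held the challenge
 *    text, would have checked a partly overwritten buffer;
 *  - a short write of the challenge aborts as well.
 * NOTE(review): the challenge comes from lnrand(), not randombytes() as
 * in the other handlers here; confirm it is seeded from a strong source
 * before relying on challenge unpredictability.
 */
void
challengebox(Ticketreq *tr)
{
	long chal;
	char *key, *netkey;
	char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN];
	char buf[NETCHLEN+1];
	char *err;

	key = findkey(KEYDB, tr->uid, kbuf);
	netkey = findkey(NETKEYDB, tr->uid, nkbuf);
	if(key == 0 && netkey == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(nkbuf);
		netkey = nkbuf;
		if(debug)
			syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
	}
	if(findkey(KEYDB, tr->hostid, hkey) == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(hkey);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid, tr->uid, raddr);
	}

	/*
	 * challenge-response
	 */
	memset(buf, 0, sizeof(buf));
	buf[0] = AuthOK;
	chal = lnrand(MAXNETCHAL);
	snprint(buf+1, sizeof buf - 1, "%lud", chal);
	if(write(1, buf, NETCHLEN+1) != NETCHLEN+1)
		exits(0);
	/* buf is reused for the reply; require all NETCHLEN bytes */
	if(readn(0, buf, NETCHLEN) != NETCHLEN)
		exits(0);

	/* host key, net key, then SecurID; the first match wins */
	if(!(key && netcheck(key, chal, buf))
	&& !(netkey && netcheck(netkey, chal, buf))
	&& (err = secureidcheck(tr->uid, buf)) != nil){
		replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
		logfail(tr->uid);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): bad resp", tr->uid, tr->hostid, raddr);
		return;
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0){
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup", tr->uid, tr->hostid, raddr);
		exits(0);
	}
	if(debug)
		syslog(0, AUTHLOG, "cr-ok %s@%s(%s)", tr->uid, tr->hostid, raddr);
}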