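/*
 * CHAP exchange with the client on fds 0/1: send a random challenge,
 * read the client's reply, and accept if MD5(id | secret | challenge)
 * equals the response it sent.  On success the user is recorded with
 * succeed() and a ticket/authenticator is returned via tickauthreply().
 *
 * tr:	ticket request from the client; tr->uid is replaced by the uid
 *	named in the chap reply, tr->hostid selects the host key.
 *
 * Every failure path logs and calls exits(0).
 */
void
chap(Ticketreq *tr)
{
	char *secret, *hkey;
	DigestState *s;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	uchar digest[MD5dlen];
	char chal[CHALLEN];
	OChapreply reply;
	int i, diff;

	/*
	 *  Create a challenge and send it.
	 */
	randombytes((uchar*)chal, sizeof(chal));
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		exits(0);

	/*
	 *  get chap reply; a short read would leave part of reply
	 *  uninitialised, so insist on the whole structure
	 */
	if(readn(0, &reply, sizeof(reply)) != sizeof(reply))
		exits(0);
	safecpy(tr->uid, reply.uid, sizeof(tr->uid));

	/*
	 * lookup; an unknown user or host gets the same message
	 * as a wrong response
	 */
	secret = findsecret(KEYDB, tr->uid, sbuf);
	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0 || secret == 0){
		replyerror("chap-fail bad response %s", raddr);
		logfail(tr->uid);
		exits(0);
	}

	/*
	 *  check for match: MD5 over the reply id, the secret and
	 *  the challenge, in that order
	 */
	s = md5(&reply.id, 1, 0, 0);
	md5((uchar*)secret, strlen(secret), 0, s);
	md5((uchar*)chal, sizeof(chal), digest, s);

	/*
	 *  compare every byte regardless of where the first mismatch
	 *  is, so the time taken does not depend on how much of the
	 *  response was right
	 */
	diff = 0;
	for(i = 0; i < MD5dlen; i++)
		diff |= digest[i] ^ (uchar)reply.resp[i];
	if(diff != 0){
		replyerror("chap-fail bad response %s", raddr);
		logfail(tr->uid);
		exits(0);
	}

	succeed(tr->uid);

	/*
	 *  reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);

	if(debug)
		syslog(0, AUTHLOG, "chap-ok %s %s", tr->uid, raddr);
}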
/*
 * Record a failed authentication attempt for user, then terminate
 * the process with a non-empty exit status.  Does not return.
 */
void
fail(char *user)
{
	logfail(user);
	exits("failure");
}
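/*
 * dma-mbox-create: create the mailbox _PATH_MAILDIR/<user>, owned by
 * the named user and the dma group, mode 0620 (owner read/write,
 * group write).  Takes the username as its single argument; every
 * failure is reported through logfail().
 *
 * Returns 0 on success.
 */
int
main(int argc, char **argv)
{
	const char *user;
	struct passwd *pw;
	struct group *gr;
	uid_t user_uid;
	gid_t mail_gid;
	int error;
	char fn[PATH_MAX+1];
	int f;

	openlog("dma-mbox-create", 0, LOG_MAIL);

	errno = 0;
	gr = getgrnam(DMA_GROUP);
	if (!gr)
		logfail("cannot find dma group `%s'", DMA_GROUP);

	mail_gid = gr->gr_gid;

	/* drop to the mail group and make sure it actually took effect */
	if (setgid(mail_gid) != 0)
		logfail("cannot set gid to %d (%s)", mail_gid, DMA_GROUP);
	if (getegid() != mail_gid)
		logfail("cannot set gid to %d (%s), still at %d", mail_gid, DMA_GROUP, getegid());

	/*
	 * We take exactly one argument: the username.
	 */
	if (argc != 2) {
		errno = 0;
		logfail("no arguments");
	}
	user = argv[1];

	syslog(LOG_NOTICE, "creating mbox for `%s'", user);

	/*
	 * the username may not contain a pathname separator, since it is
	 * pasted straight into the mailbox path below
	 */
	if (strchr(user, '/')) {
		errno = 0;
		logfail("path separator in username `%s'", user);
		exit(1);
	}

	/* verify the user exists */
	errno = 0;
	pw = getpwnam(user);
	if (!pw)
		logfail("cannot find user `%s'", user);

	user_uid = pw->pw_uid;

	/* snprintf reports truncation by returning the untruncated length */
	error = snprintf(fn, sizeof(fn), "%s/%s", _PATH_MAILDIR, user);
	if (error < 0 || (size_t)error >= sizeof(fn)) {
		if (error >= 0) {
			errno = 0;
			logfail("mbox path too long");
		}
		logfail("cannot build mbox path for `%s/%s'", _PATH_MAILDIR, user);
	}

	/*
	 * O_NOFOLLOW: fn is derived from the username, and the ownership
	 * and mode changes below are applied to whatever is opened here,
	 * so a symlink at that path must not be followed.
	 */
	f = open(fn, O_RDONLY|O_CREAT|O_NOFOLLOW, 0600);
	if (f < 0)
		logfail("cannot open mbox `%s'", fn);

	if (fchown(f, user_uid, mail_gid))
		logfail("cannot change owner of mbox `%s'", fn);

	/* owner read/write, dma group write-only, nothing for others */
	if (fchmod(f, 0620))
		logfail("cannot change permissions of mbox `%s'", fn);

	/* file should be present with the right owner and permissions */

	syslog(LOG_NOTICE, "successfully created mbox for `%s'", user);

	return (0);
}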
/*
 * dma-mbox-create: create the mailbox <_PATH_MAILDIR>/<user>, owned by
 * the named user and the dma group, mode 0620 (owner read/write, group
 * write).  When USE_CAPSICUM is set the file is created from inside a
 * Capsicum sandbox holding only a descriptor for the mail directory.
 * Takes the username as its single argument; every failure is
 * reported through logfail() with a sysexits(3) code.
 *
 * Returns 0 on success.
 */
int
main(int argc, char **argv)
{
#if USE_CAPSICUM
	cap_rights_t rights;
#endif
	const char *username;
	struct passwd *pwent;
	struct group *grent;
	uid_t user_uid;
	gid_t mail_gid;
	int mboxfd, maildirfd;

	/* Open log fd now for capability sandbox. */
	openlog("dma-mbox-create", LOG_NDELAY, LOG_MAIL);

	errno = 0;
	grent = getgrnam(DMA_GROUP);
	if (grent == NULL)
		logfail(EX_CONFIG, "cannot find dma group `%s'", DMA_GROUP);
	mail_gid = grent->gr_gid;

	/* drop to the mail group and make sure it actually took effect */
	if (setgid(mail_gid) != 0)
		logfail(EX_NOPERM, "cannot set gid to %d (%s)", mail_gid, DMA_GROUP);
	if (getegid() != mail_gid)
		logfail(EX_NOPERM, "cannot set gid to %d (%s), still at %d", mail_gid, DMA_GROUP, getegid());

	/* exactly one argument: the username */
	if (argc != 2) {
		errno = 0;
		logfail(EX_USAGE, "no arguments");
	}
	username = argv[1];

	syslog(LOG_NOTICE, "creating mbox for `%s'", username);

	/* a separator in the name would let the openat below leave maildir */
	if (strchr(username, '/') != NULL) {
		errno = 0;
		logfail(EX_DATAERR, "path separator in username `%s'", username);
		exit(1);
	}

	/* verify the user exists */
	errno = 0;
	pwent = getpwnam(username);
	if (pwent == NULL)
		logfail(EX_NOUSER, "cannot find user `%s'", username);
	user_uid = pwent->pw_uid;

	/* the directory descriptor is all the sandbox gets to work with */
	maildirfd = open(_PATH_MAILDIR, O_RDONLY);
	if (maildirfd < 0)
		logfail(EX_NOINPUT, "cannot open maildir %s", _PATH_MAILDIR);

	/*
	 * Cache NLS data (for strerror/err(3)) and local time before
	 * entering capability mode, where they can no longer be loaded.
	 * NOTE(review): these two calls sit outside #if USE_CAPSICUM;
	 * presumably the build supplies no-op stubs when Capsicum is
	 * disabled -- confirm.
	 */
	caph_cache_catpages();
	caph_cache_tzdata();

#if USE_CAPSICUM
	cap_rights_init(&rights, CAP_CREATE, CAP_FCHMOD, CAP_FCHOWN,
	    CAP_LOOKUP, CAP_READ);
	/* ENOSYS means the kernel has no Capsicum; continue unsandboxed */
	if (cap_rights_limit(maildirfd, &rights) < 0 && errno != ENOSYS)
		err(EX_OSERR, "can't limit maildirfd rights");

	/* Enter Capsicum capability sandbox */
	if (caph_enter() < 0)
		err(EX_OSERR, "cap_enter");
#endif

	/* relative to maildirfd; never follow a symlink planted under the name */
	mboxfd = openat(maildirfd, username, O_RDONLY|O_CREAT|O_NOFOLLOW, 0600);
	if (mboxfd < 0)
		logfail(EX_NOINPUT, "cannot open mbox `%s'", username);

	if (fchown(mboxfd, user_uid, mail_gid) != 0)
		logfail(EX_OSERR, "cannot change owner of mbox `%s'", username);

	/* owner read/write, dma group write-only, nothing for others */
	if (fchmod(mboxfd, 0620) != 0)
		logfail(EX_OSERR, "cannot change permissions of mbox `%s'",
		    username);

	/* file should be present with the right owner and permissions */

	syslog(LOG_NOTICE, "successfully created mbox for `%s'", username);

	return 0;
}
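/*
 * MS-CHAP exchange with the client on fds 0/1: send a random
 * challenge, read the client's LM and NT responses, and accept if
 * they match the responses computed from the user's secret (see the
 * comment on the acceptance rule below).  On success the user is
 * recorded, a ticket/authenticator is sent and, finally, 16 bytes of
 * key material derived from the NT hash are written for the caller.
 *
 * tr:	ticket request; tr->uid is replaced by the uid in the reply,
 *	tr->hostid selects the host key.
 *
 * Every failure path logs and calls exits(0).
 */
void
mschap(Ticketreq *tr)
{

	char *secret, *hkey;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	uchar chal[CHALLEN];
	uchar hash[MShashlen];
	uchar hash2[MShashlen];
	uchar resp[MSresplen];
	OMSchapreply reply;
	int i, dupe, lmok, ntok, lmdiff, ntdiff;
	DigestState *s;
	uchar digest[SHA1dlen];

	/*
	 *  Create a challenge and send it.
	 */
	randombytes((uchar*)chal, sizeof(chal));
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		exits(0);

	/*
	 *  get chap reply; a short read would leave part of reply
	 *  uninitialised, so insist on the whole structure
	 */
	if(readn(0, &reply, sizeof(reply)) != sizeof(reply))
		exits(0);

	safecpy(tr->uid, reply.uid, sizeof(tr->uid));
	/*
	 * lookup; an unknown user or host gets the same message
	 * as a wrong response
	 */
	secret = findsecret(KEYDB, tr->uid, sbuf);
	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0 || secret == 0){
		replyerror("mschap-fail bad response %s/%s(%s)",
			tr->uid, tr->hostid, raddr);
		logfail(tr->uid);
		exits(0);
	}

	/*
	 *  compute the expected LM and NT responses and compare each
	 *  with the client's, touching every byte so the time taken
	 *  does not depend on where the first mismatch is
	 */
	lmhash(hash, secret);
	mschalresp(resp, hash, chal);
	lmdiff = 0;
	for(i = 0; i < MSresplen; i++)
		lmdiff |= resp[i] ^ (uchar)reply.LMresp[i];
	lmok = lmdiff == 0;

	nthash(hash, secret);
	mschalresp(resp, hash, chal);
	ntdiff = 0;
	for(i = 0; i < MSresplen; i++)
		ntdiff |= resp[i] ^ (uchar)reply.NTresp[i];
	ntok = ntdiff == 0;

	/* both fields came from the client, so nothing secret is involved */
	dupe = memcmp(reply.LMresp, reply.NTresp, MSresplen) == 0;

	/*
	 * It is valid to send the same response in both the LM and NTLM 
	 * fields provided one of them is correct, if neither matches,
	 * or the two fields are different and either fails to match, 
	 * the whole sha-bang fails.
	 *
	 * This is an improvement in security as it allows clients who
	 * wish to do NTLM auth (which is insecure) not to send
	 * LM tokens (which is very insecure).
	 *
	 * Windows servers supports clients doing this also though
	 * windows clients don't seem to use the feature.
	 */
	if((!ntok && !lmok) || ((!ntok || !lmok) && !dupe)){
		replyerror("mschap-fail bad response %s/%s(%s) %d,%d,%d",
			tr->uid, tr->hostid, raddr, dupe, lmok, ntok);
		logfail(tr->uid);
		exits(0);
	}

	succeed(tr->uid);

	/*
	 *  reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);

	/*
	 *  success is logged like the other -ok messages rather than
	 *  sent through the error-reply path; the format has exactly
	 *  one conversion per argument
	 */
	if(debug)
		syslog(0, AUTHLOG, "mschap-ok %s/%s(%s)",
			tr->uid, tr->hostid, raddr);

	/*
	 *  key material for the caller: SHA1 over md4(nthash) twice
	 *  followed by the first 8 bytes of the challenge; only the
	 *  first 16 bytes of the 20-byte digest are written
	 */
	nthash(hash, secret);
	md4(hash, 16, hash2, 0);
	s = sha1(hash2, 16, 0, 0);
	sha1(hash2, 16, 0, s);
	sha1(chal, 8, digest, s);

	if(write(1, digest, 16) < 0)
		exits(0);
}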
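/*
 * VNC-style challenge/response on fds 0/1: send a random challenge
 * behind a 6-byte header, read the client's DES-encrypted copy, and
 * accept if it decrypts (under the user's swizzled secret) back to
 * the challenge.  On success a ticket/authenticator is returned via
 * tickauthreply().
 *
 * tr:	ticket request; tr->uid names the secret, tr->hostid the host
 *	key.  Neither is overwritten here.
 *
 * A missing secret or host key is replaced by random bytes so that
 * the exchange runs to the compare and fails there, and the client
 * cannot tell an unknown user from a wrong response.  I/O failures
 * simply return; a bad response logs and returns; only a failed
 * ticket reply calls exits(0).
 */
void
vnc(Ticketreq *tr)
{
	uchar chal[VNCchallen+6];
	uchar reply[VNCchallen];
	char *secret, *hkey;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	DESstate s;
	int i, diff;

	/*
	 *  Create a challenge and send it.  The header is written
	 *  first: snprint terminates its field with a NUL one past
	 *  the formatted text, and filling the challenge afterwards
	 *  keeps that NUL from landing on chal[6], the first random
	 *  byte.
	 */
	chal[0] = AuthOKvar;
	snprint((char*)chal+1, sizeof chal - 1, "%-5d", VNCchallen);
	randombytes(chal+6, VNCchallen);
	if(write(1, chal, sizeof(chal)) != sizeof(chal))
		return;

	/*
	 *  lookup keys (and swizzle bits)
	 */
	memset(sbuf, 0, sizeof(sbuf));
	secret = findsecret(KEYDB, tr->uid, sbuf);
	if(secret == 0){
		randombytes((uchar*)sbuf, sizeof(sbuf));
		secret = sbuf;
	}
	for(i = 0; i < 8; i++)
		secret[i] = swizzletab[(uchar)secret[i]];

	hkey = findkey(KEYDB, tr->hostid, hbuf);
	if(hkey == 0){
		randombytes((uchar*)hbuf, sizeof(hbuf));
		hkey = hbuf;
	}

	/*
	 *  get response
	 */
	if(readn(0, reply, sizeof(reply)) != sizeof(reply))
		return;

	/*
	 *  decrypt response and compare, touching every byte so the
	 *  time taken does not depend on where the first mismatch is
	 */
	setupDESstate(&s, (uchar*)secret, nil);
	desECBdecrypt(reply, sizeof(reply), &s);
	diff = 0;
	for(i = 0; i < VNCchallen; i++)
		diff |= reply[i] ^ chal[6+i];
	if(diff != 0){
		replyerror("vnc-fail bad response %s", raddr);
		logfail(tr->uid);
		return;
	}
	succeed(tr->uid);

	/*
	 *  reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);

	if(debug)
		syslog(0, AUTHLOG, "vnc-ok %s %s", tr->uid, raddr);
}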
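/*
 * APOP / CRAM-MD5 exchange on fds 0/1: send a random msg-id style
 * challenge, then repeatedly read a ticket request followed by a
 * hex-encoded MD5 response until one matches (at most a handful of
 * attempts).  For AuthCram the expected value is HMAC-MD5(secret,
 * challenge); otherwise it is MD5(challenge | secret).  On success a
 * ticket/authenticator is returned via tickauthreply().
 *
 * tr:	ignored on entry; each ticket request read from the client
 *	replaces it for the rest of the function.
 * type:	AuthCram or the plain APOP type; each ticket request must
 *	carry this type or the process exits.
 *
 * Protocol errors (short reads, wrong ticket type) call exits(0);
 * a bad response is logged and the client may try again.
 */
void
apop(Ticketreq *tr, int type)
{
	int challen, i, tries, diff;
	char *secret, *hkey, *p;
	Ticketreq treq;
	DigestState *s;
	char sbuf[SECRETLEN], hbuf[DESKEYLEN];
	char tbuf[TICKREQLEN];
	char buf[MD5dlen*2];
	uchar digest[MD5dlen], resp[MD5dlen];
	ulong rb[4];
	char chal[256];

	USED(tr);

	/*
	 *  Create a challenge and send it.
	 */
	randombytes((uchar*)rb, sizeof(rb));
	p = chal;
	p += snprint(p, sizeof(chal), "<%lux%lux.%lux%lux@%s>",
		rb[0], rb[1], rb[2], rb[3], domainname());
	challen = p - chal;
	print("%c%-5d%s", AuthOKvar, challen, chal);

	/* give user a few attempts */
	for(tries = 0; ; tries++) {
		/*
		 *  get ticket request; a short read would leave part of
		 *  tbuf stale, so insist on the whole record
		 */
		if(readn(0, tbuf, TICKREQLEN) != TICKREQLEN)
			exits(0);
		convM2TR(tbuf, &treq);
		tr = &treq;
		if(tr->type != type)
			exits(0);

		/*
		 * read response: MD5dlen bytes as hex digit pairs
		 */
		if(readn(0, buf, MD5dlen*2) != MD5dlen*2)
			exits(0);
		for(i = 0; i < MD5dlen; i++)
			resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]);

		/*
		 * lookup; an unknown user or host gets the same message
		 * as a wrong response
		 */
		secret = findsecret(KEYDB, tr->uid, sbuf);
		hkey = findkey(KEYDB, tr->hostid, hbuf);
		if(hkey == 0 || secret == 0){
			replyerror("apop-fail bad response %s", raddr);
			logfail(tr->uid);
			if(tries > 5)
				return;
			continue;
		}

		/*
		 *  check for match
		 */
		if(type == AuthCram){
			hmac_md5((uchar*)chal, challen,
				(uchar*)secret, strlen(secret),
				digest, nil);
		} else {
			s = md5((uchar*)chal, challen, 0, 0);
			md5((uchar*)secret, strlen(secret), digest, s);
		}
		/*
		 *  compare every byte regardless of where the first
		 *  mismatch is, so the time taken does not depend on how
		 *  much of the response was right
		 */
		diff = 0;
		for(i = 0; i < MD5dlen; i++)
			diff |= digest[i] ^ resp[i];
		if(diff != 0){
			replyerror("apop-fail bad response %s", raddr);
			logfail(tr->uid);
			if(tries > 5)
				return;
			continue;
		}
		break;
	}

	succeed(tr->uid);

	/*
	 *  reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0)
		exits(0);

	if(debug){
		if(type == AuthCram)
			syslog(0, AUTHLOG, "cram-ok %s %s", tr->uid, raddr);
		else
			syslog(0, AUTHLOG, "apop-ok %s %s", tr->uid, raddr);
	}
}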
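/*
 * Challenge-box (SecureNet style) challenge/response on fds 0/1:
 * send a random decimal challenge, read the client's NETCHLEN-byte
 * answer, and accept if it checks against the user's key, the user's
 * network key, or secureidcheck().  On success a ticket/authenticator
 * is returned via tickauthreply().
 *
 * tr:	ticket request; tr->uid names the keys, tr->hostid the host
 *	key.  Neither is overwritten here.
 *
 * When no key is on file a random one is made up so the exchange runs
 * to the compare and fails there, and the client cannot tell an
 * unknown user or host from a wrong response.  I/O failures call
 * exits(0); a bad response logs and returns.
 */
void
challengebox(Ticketreq *tr)
{
	long chal;
	char *key, *netkey;
	char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN];
	char buf[NETCHLEN+1];
	char *err;

	key = findkey(KEYDB, tr->uid, kbuf);
	netkey = findkey(NETKEYDB, tr->uid, nkbuf);
	if(key == 0 && netkey == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(nkbuf);
		netkey = nkbuf;
		if(debug)
			syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
	}
	if(findkey(KEYDB, tr->hostid, hkey) == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(hkey);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid,
				tr->uid, raddr);
	}

	/*
	 * challenge-response.  buf[NETCHLEN] is zeroed here and never
	 * written again, so after the readn below buf is a terminated
	 * string for secureidcheck().
	 */
	memset(buf, 0, sizeof(buf));
	buf[0] = AuthOK;
	chal = lnrand(MAXNETCHAL);
	snprint(buf+1, sizeof buf - 1, "%lud", chal);
	if(write(1, buf, NETCHLEN+1) != NETCHLEN+1)
		exits(0);
	/* a short read would leave the tail of our own challenge in buf */
	if(readn(0, buf, NETCHLEN) != NETCHLEN)
		exits(0);
	/* try the key, then the network key, then the secureid service */
	if(!(key && netcheck(key, chal, buf))
	&& !(netkey && netcheck(netkey, chal, buf))
	&& (err = secureidcheck(tr->uid, buf)) != nil){
		replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
		logfail(tr->uid);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): bad resp",
				tr->uid, tr->hostid, raddr);
		return;
	}
	succeed(tr->uid);

	/*
	 *  reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0){
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup",
				tr->uid, tr->hostid, raddr);
		exits(0);
	}

	if(debug)
		syslog(0, AUTHLOG, "cr-ok %s@%s(%s)",
			tr->uid, tr->hostid, raddr);
}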