/*
- * $Id: uams_dhx_passwd.c,v 1.22 2003-06-14 16:40:54 srittau Exp $
- *
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
* All Rights Reserved. See COPYRIGHT.
*/
-#define _XOPEN_SOURCE /* for crypt() */
-
#ifdef HAVE_CONFIG_H
-#include <config.h>
+#include "config.h"
#endif /* HAVE_CONFIG_H */
+#include <atalk/standards.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#ifdef HAVE_UNISTD_H
#include <unistd.h>
-#endif /* HAVE_UNISTD_H */
-#ifndef NO_CRYPT_H
+#ifdef HAVE_CRYPT_H
#include <crypt.h>
-#endif /* ! NO_CRYPT_H */
+#endif /* ! HAVE_CRYPT_H */
+#include <sys/time.h>
+#include <time.h>
#include <pwd.h>
-#include <atalk/logger.h>
+#include <arpa/inet.h>
#ifdef SHADOWPW
#include <shadow.h>
#endif /* SHADOWPW */
+#if defined(GNUTLS_DHX)
+#include <gnutls/openssl.h>
+#elif defined(OPENSSL_DHX)
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/cast.h>
+#else /* OPENSSL_DHX */
+#include <bn.h>
+#include <dh.h>
+#include <cast.h>
+#endif /* OPENSSL_DHX */
+
+#include <atalk/logger.h>
#include <atalk/afp.h>
#include <atalk/uam.h>
(unsigned long) (a)) & 0xffff)
/* the secret key */
+static CAST_KEY castkey;
static struct passwd *dhxpwd;
-static u_int8_t randbuf[16];
+static uint8_t randbuf[16];
#ifdef TRU64
#include <sia.h>
#include <siad.h>
-static char *clientname;
+static const char *clientname;
#endif /* TRU64 */
-#include "crypt.h"
-
/* dhx passwd */
-static int pwd_login(void *obj, char *username, int ulen, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+static int pwd_login(void *obj, char *username, int ulen, struct passwd **uam_pwd _U_,
+ char *ibuf, size_t ibuflen _U_,
+ char *rbuf, size_t *rbuflen)
{
unsigned char iv[] = "CJalbert";
- u_int8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
+ uint8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
0x3F, 0x20, 0x24, 0x74, 0x4C, 0xEE, 0xE7, 0x5B };
- u_int8_t g = 0x07;
+ uint8_t g = 0x07;
#ifdef SHADOWPW
struct spwd *sp;
#endif /* SHADOWPW */
- CastKey castkey;
- u_int16_t sessid;
- int i;
-#if 0
- char *name;
-#endif
+ BIGNUM *bn, *gbn, *pbn;
+ uint16_t sessid;
+ size_t i;
+ DH *dh;
-#if defined(TRU64) && !defined(HAVE_GCRYPT)
+#ifdef TRU64
int rnd_seed[256];
for (i = 0; i < 256; i++)
rnd_seed[i] = random();
RAND_seed(rnd_seed, sizeof(rnd_seed));
-#endif /* defined(TRU64) && !defined(HAVE_GCRYPT) */
+#endif /* TRU64 */
*rbuflen = 0;
return AFPERR_PARAM;
#endif /* TRU64 */
- if (( dhxpwd = uam_getname(username, ulen)) == NULL ) {
- return AFPERR_PARAM;
+ if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
+ return AFPERR_NOTAUTH;
}
LOG(log_info, logtype_uams, "dhx login: %s", username);
if (!dhxpwd->pw_passwd)
return AFPERR_NOTAUTH;
- castkey = atalk_cast_key(ibuf, KEYSIZE);
- if (!castkey)
+ /* get the client's public key */
+ if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) {
return AFPERR_PARAM;
+ }
+
+ /* get our primes */
+ if (!(gbn = BN_bin2bn(&g, sizeof(g), NULL))) {
+ BN_free(bn);
+ return AFPERR_PARAM;
+ }
+
+ if (!(pbn = BN_bin2bn(p, sizeof(p), NULL))) {
+ BN_free(gbn);
+ BN_free(bn);
+ return AFPERR_PARAM;
+ }
+
+ /* okay, we're ready */
+ if (!(dh = DH_new())) {
+ BN_free(pbn);
+ BN_free(gbn);
+ BN_free(bn);
+ return AFPERR_PARAM;
+ }
+ /* generate key and make sure we have enough space */
+ dh->p = pbn;
+ dh->g = gbn;
+ if (!DH_generate_key(dh) || (BN_num_bytes(dh->pub_key) > KEYSIZE)) {
+ goto passwd_fail;
+ }
+
+ /* figure out the key. use rbuf as a temporary buffer. */
+ i = DH_compute_key((unsigned char *)rbuf, bn, dh);
+
+ /* set the key */
+ CAST_set_key(&castkey, i, (unsigned char *)rbuf);
+
/* session id. it's just a hashed version of the object pointer. */
sessid = dhxhash(obj);
memcpy(rbuf, &sessid, sizeof(sessid));
*rbuflen += sizeof(sessid);
/* send our public key */
- BN_bn2bin(dh->pub_key, rbuf);
+ BN_bn2bin(dh->pub_key, (unsigned char *)rbuf);
rbuf += KEYSIZE;
*rbuflen += KEYSIZE;
#endif /* 0 */
/* encrypt using cast */
- CAST_cbc_encrypt(rbuf, rbuf, CRYPTBUFLEN, &castkey, iv, CAST_ENCRYPT);
+ CAST_cbc_encrypt((unsigned char *)rbuf, (unsigned char *)rbuf, CRYPTBUFLEN, &castkey, iv, CAST_ENCRYPT);
*rbuflen += CRYPTBUFLEN;
BN_free(bn);
DH_free(dh);
/* cleartxt login */
static int passwd_login(void *obj, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
{
char *username;
- int len, ulen;
+ size_t len, ulen;
*rbuflen = 0;
(void *) &username, &ulen) < 0)
return AFPERR_MISC;
- if (ibuflen <= 1) {
+ if (ibuflen < 2) {
return( AFPERR_PARAM );
}
* uname format :
byte 3
2 bytes len (network order)
- len bytes unicode name
+ len bytes utf8 name
*/
static int passwd_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
{
char *username;
- int len, ulen;
- u_int16_t temp16;
+ size_t len, ulen;
+ uint16_t temp16;
*rbuflen = 0;
}
static int passwd_logincont(void *obj, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ char *ibuf, size_t ibuflen _U_,
+ char *rbuf, size_t *rbuflen)
{
+#ifdef SHADOWPW
+ struct spwd *sp;
+#endif /* SHADOWPW */
unsigned char iv[] = "LWallace";
BIGNUM *bn1, *bn2, *bn3;
- u_int16_t sessid;
+ uint16_t sessid;
char *p;
+ int err = AFPERR_NOTAUTH;
*rbuflen = 0;
ibuf += sizeof(sessid);
/* use rbuf as scratch space */
- CAST_cbc_encrypt(ibuf, rbuf, CRYPT2BUFLEN, &castkey,
+ CAST_cbc_encrypt((unsigned char *)ibuf, (unsigned char *)rbuf, CRYPT2BUFLEN, &castkey,
iv, CAST_DECRYPT);
/* check to make sure that the random number is the same. we
* get sent back an incremented random number. */
- if (!(bn1 = BN_bin2bn(rbuf, KEYSIZE, NULL)))
+ if (!(bn1 = BN_bin2bn((unsigned char *)rbuf, KEYSIZE, NULL)))
return AFPERR_PARAM;
if (!(bn2 = BN_bin2bn(randbuf, sizeof(randbuf), NULL))) {
memset(rbuf, 0, PASSWDLEN);
if ( strcmp( p, dhxpwd->pw_passwd ) == 0 ) {
*uam_pwd = dhxpwd;
- return AFP_OK;
+ err = AFP_OK;
}
+#ifdef SHADOWPW
+ if (( sp = getspnam( dhxpwd->pw_name )) == NULL ) {
+ LOG(log_info, logtype_uams, "no shadow passwd entry for %s", dhxpwd->pw_name);
+ return (AFPERR_NOTAUTH);
+ }
+
+ /* check for expired password */
+ if (sp && sp->sp_max != -1 && sp->sp_lstchg) {
+ time_t now = time(NULL) / (60*60*24);
+ int32_t expire_days = sp->sp_lstchg - now + sp->sp_max;
+ if ( expire_days < 0 ) {
+ LOG(log_info, logtype_uams, "password for user %s expired", dhxpwd->pw_name);
+ err = AFPERR_PWDEXPR;
+ }
+ }
+#endif /* SHADOWPW */
+ return err;
#endif /* TRU64 */
return AFPERR_NOTAUTH;
UAM_MODULE_VERSION,
uam_setup, uam_cleanup
};
+
+UAM_MODULE_EXPORT struct uam_export uams_dhx_passwd = {
+ UAM_MODULE_SERVER,
+ UAM_MODULE_VERSION,
+ uam_setup, uam_cleanup
+};