serv_smtp.c serv_pop3.c internet_addressing.c parsedate.c genstamp.c \
domain.c clientsocket.c serv_inetcfg.c serv_rwho.c serv_bio.c \
serv_moderate.c client_passwords.c serv_imap.c imap_tools.c \
- serv_network.c
+ serv_network.c serv_pas2.c md5.c
DEP_FILES=$(SOURCES:.c=.d)
citadel$(EXEEXT): ipc_c_tcp$(CX) citadel$(CX) rooms$(CX) routines$(CX) \
routines2$(CX) messages$(CX) \
- client_passwords$(CX) \
+ client_passwords$(CX) md5$(CX) \
commands$(CX) client_chat$(CX) serv_info$(CX) tools$(CX) $(LIBOBJS)
$(CC) ipc_c_tcp$(CX) citadel$(CX) rooms$(CX) routines$(CX) \
routines2$(CX) messages$(CX) \
commands$(CX) client_chat$(CX) serv_info$(CX) tools$(CX) \
- client_passwords$(CX) \
+ client_passwords$(CX) md5$(CX) \
$(LIBOBJS) $(LDFLAGS) -o citadel $(NETLIBS) $(CLIENT_PTLIBS)
netpoll: netpoll.o config.o ipc_c_tcp.o tools.o $(LIBOBJS)
modules/serv_test.mo: serv_test.mo
ln -f serv_test.mo modules
-modules/serv_pop3.so: serv_pop3.mo
- $(LINK_SHARED) -o modules/serv_pop3.so serv_pop3.mo
+modules/serv_pop3.so: serv_pop3.mo md5.mo
+ $(LINK_SHARED) -o modules/serv_pop3.so serv_pop3.mo md5.mo
modules/serv_pop3.mo: serv_pop3.mo
ln -f serv_pop3.mo modules
aidepost: aidepost.o config.o $(LIBOBJS)
$(CC) aidepost.o config.o $(LIBOBJS) $(LDFLAGS) -o aidepost
+modules/serv_pas2.so: serv_pas2.mo md5.mo
+ $(LINK_SHARED) -o modules/serv_pas2.so serv_pas2.mo md5.mo
+
+modules/serv_pas2.mo: serv_pas2.mo
+ ln -f serv_pas2.mo modules
+
+modules/md5.mo: md5.mo
+ ln -f md5.mo modules
+
+
+
#
# 'netmailer' needs to run setuid because it generates headers for Internet
# mail. If it is not run setuid, all outgoing mail may always show as coming
#include "client_passwords.h"
#include "citadel_decls.h"
#include "tools.h"
+#include "acconfig.h"
#ifndef HAVE_SNPRINTF
#include "snprintf.h"
#endif
+#include "md5.h"
+
struct march {
struct march *next;
char march_name[ROOMNAMELEN];
char march_floor;
char march_order;
-};
+ };
#define IFEXPERT if (userflags&US_EXPERT)
#define IFNEXPERT if ((userflags&US_EXPERT)==0)
int a, b, mcmd;
char aaa[100], bbb[100];/* general purpose variables */
char argbuf[32]; /* command line buf */
+ char nonce[NONCE_SIZE];
+ char *sptr, *sptr2; /* USed to extract the nonce */
+ char hexstring[MD5_HEXSTRING_SIZE];
volatile int termn8 = 0;
int stored_password = 0;
char password[256];
printf("%s\n", &aaa[4]);
logoff(atoi(aaa));
}
+
+/* If there is a [nonce] at the end, put the nonce in <nonce>, else nonce
+ * is zeroized.
+ */
+
+ if ((sptr = strchr(aaa, '<')) == NULL)
+ {
+ nonce[0] = '\0';
+ }
+ else
+ {
+ if ((sptr2 = strchr(sptr, '>')) == NULL)
+ {
+ nonce[0] = '\0';
+ }
+ else
+ {
+ sptr2++;
+ *sptr2 = '\0';
+ strncpy(nonce, sptr, NONCE_SIZE);
+ }
+ }
+
get_serv_info();
look_for_ansi();
if (rc_remember_passwords) {
get_stored_password(hostbuf, portbuf, fullname, password);
if (strlen(fullname) > 0) {
- sprintf(aaa, "USER %s", fullname);
+ snprintf(aaa, sizeof(aaa)-1, "USER %s", fullname);
serv_puts(aaa);
serv_gets(aaa);
- sprintf(aaa, "PASS %s", password);
+ if (nonce[0])
+ {
+ sprintf(aaa, "PAS2 %s", make_apop_string(password, nonce, hexstring));
+ }
+ else /* Else no APOP */
+ {
+ snprintf(aaa, sizeof(aaa)-1, "PASS %s", password);
+ }
+
serv_puts(aaa);
serv_gets(aaa);
if (aaa[0] == '2') {
newprompt("\rPlease enter your password: ", password, -19);
}
strproc(password);
- snprintf(aaa, sizeof aaa, "PASS %s", password);
+
+ if (nonce[0])
+ {
+ sprintf(aaa, "PAS2 %s", make_apop_string(password, nonce, hexstring));
+ }
+ else /* Else no APOP */
+ {
+ snprintf(aaa, sizeof(aaa)-1, "PASS %s", password);
+ }
+
serv_puts(aaa);
serv_gets(aaa);
if (aaa[0] == '2') {
*/
typedef unsigned char CIT_UBYTE;
-#define ROOMNAMELEN 128
+/* Various length constants */
+
+#define ROOMNAMELEN 128 /* The size of the roomname structure */
+#define NONCE_SIZE 128 /* Added by <bc> to allow for APOP auth
+ * it is BIG becuase there is a hostname
+ * in the nonce, as per the APOP RFC.
+ */
+
+#define USERNAME_SIZE 32 /* The size of a username string */
/*
* Message expiration policy stuff
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "citadel.h"
* Various things that need to be initialized at startup
*/
void master_startup(void) {
+ struct timeval tv;
+
lprintf(7, "Opening databases\n");
open_databases();
create_room(AIDEROOM, 3, "", 0);
create_room(SYSCONFIGROOM, 3, "", 0);
create_room(config.c_twitroom, 0, "", 0);
- }
+
+/* Seed the PRNG */
+
+ lprintf(7, "Seeding the pseudo-random number generator...\n");
+ gettimeofday(&tv, NULL);
+ srand(tv.tv_usec);
+}
/*
* Cleanup routine to be called when the server is shutting down.
strcpy(con->cs_clientname, "(unknown)");
strcpy(con->curr_user, NLI);
strcpy(con->net_node,"");
+ con->fake_username[0] = '\0';
+ con->fake_postname[0] = '\0';
+ con->fake_hostname[0] = '\0';
+ con->fake_roomname[0] = '\0';
+ memset(con->cs_nonce, NONCE_SIZE, 0);
snprintf(con->temp, sizeof con->temp, tmpnam(NULL));
safestrncpy(con->cs_host, config.c_fqdn, sizeof con->cs_host);
con->cs_host[sizeof con->cs_host - 1] = 0;
void citproto_begin_session() {
+ struct timeval tv;
+
if (CC->nologin==1) {
cprintf("%d %s: Too many users are already online "
"(maximum is %d)\n",
config.c_nodename, config.c_maxsessions);
}
else {
- cprintf("%d %s Citadel/UX server ready.\n",
- OK, config.c_nodename);
+ gettimeofday(&tv, NULL);
+ memset(CC->cs_nonce, NONCE_SIZE, 0);
+ snprintf(CC->cs_nonce, NONCE_SIZE, "<%d%ld@%s>", rand(), tv.tv_usec, config.c_nodename);
+
+/* RFC 1725 et al specify a PID to be placed in front of the nonce.
+ * Quoth BTX: That would be stupid.
+ */
+
+ cprintf("%d %s Citadel/UX server ready %s.\n",
+ OK, config.c_nodename, CC->cs_nonce);
}
}
* method of authentication which would require some major changes to the
* Citadel server core.
*
+ * This is no longer true- APOP is implemented.
+ *
* -> The deprecated "LAST" command is included in this implementation, because
* there exist mail clients which insist on using it (such as Bynari
* TradeMail, and certain versions of Eudora).
#include <sys/wait.h>
#include <string.h>
#include <limits.h>
+#include <ctype.h>
#include "citadel.h"
#include "server.h"
#include <time.h>
#include "tools.h"
#include "internet_addressing.h"
#include "serv_pop3.h"
-
+#include "md5.h"
long SYM_POP3;
* Here's where our POP3 session begins its happy day.
*/
void pop3_greeting(void) {
-
+ struct timeval tv;
+
strcpy(CC->cs_clientname, "POP3 session");
+ gettimeofday(&tv, NULL);
+ memset(CC->cs_nonce, NONCE_SIZE, 0);
+ snprintf(CC->cs_nonce, NONCE_SIZE, "<%d%ld@%s>", rand(), tv.tv_usec, config.c_fqdn);
CC->internal_pgm = 1;
CtdlAllocUserData(SYM_POP3, sizeof(struct citpop3));
POP3->msgs = NULL;
POP3->num_msgs = 0;
- cprintf("+OK Welcome to the Citadel/UX POP3 server at %s\r\n",
- config.c_fqdn);
+ cprintf("+OK Welcome to the Citadel/UX POP3 server %s\r\n",
+ CC->cs_nonce, config.c_fqdn);
}
return(POP3->num_msgs);
}
+void pop3_login(void)
+{
+ int msgs;
+
+ msgs = pop3_grab_mailbox();
+ if (msgs >= 0) {
+ cprintf("+OK %s is logged in (%d messages)\r\n",
+ CC->usersupp.fullname, msgs);
+ lprintf(9, "POP3 password login successful\n");
+ }
+ else {
+ cprintf("-ERR Can't open your mailbox\r\n");
+ }
+
+}
+
+void pop3_apop(char *argbuf)
+{
+ char username[256];
+ char userdigest[MD5_HEXSTRING_SIZE];
+ char realdigest[MD5_HEXSTRING_SIZE];
+ char *sptr;
+
+ if (CC->logged_in)
+ {
+ cprintf("-ERR You are already logged in; not in the AUTHORIZATION phase.\r\n");
+ return;
+ }
+
+ if ((sptr = strchr(argbuf, ' ')) == NULL)
+ {
+ cprintf("Invalid APOP line.\r\n");
+ return;
+ }
+
+ *sptr++ = '\0';
+
+ while ((*sptr) && isspace(*sptr))
+ sptr++;
+
+ strncpy(username, argbuf, sizeof(username)-1);
+ username[sizeof(username)-1] = '\0';
+
+ memset(userdigest, MD5_HEXSTRING_SIZE, 0);
+ strncpy(userdigest, sptr, MD5_HEXSTRING_SIZE-1);
+
+ if (CtdlLoginExistingUser(username) != login_ok)
+ {
+ cprintf("-ERR No such user.\r\n");
+ return;
+ }
+
+ if (getuser(&CC->usersupp, CC->curr_user))
+ {
+ cprintf("-ERR No such user.\r\n");
+ return;
+ }
+
+ make_apop_string(CC->usersupp.password, CC->cs_nonce, realdigest);
+ if (!strncasecmp(realdigest, userdigest, MD5_HEXSTRING_SIZE-1))
+ {
+ pop3_login();
+ }
+ else
+ {
+ cprintf("-ERR That is NOT the password! Go away!\r\n");
+ }
+}
+
+
/*
* Authorize with password (implements POP3 "PASS" command)
*/
void pop3_pass(char *argbuf) {
char password[256];
- int msgs;
strcpy(password, argbuf);
striplt(password);
lprintf(9, "Trying <%s>\n", password);
if (CtdlTryPassword(password) == pass_ok) {
- msgs = pop3_grab_mailbox();
- if (msgs >= 0) {
- cprintf("+OK %s is logged in (%d messages)\r\n",
- CC->usersupp.fullname, msgs);
- lprintf(9, "POP3 password login successful\n");
- }
- else {
- cprintf("-ERR Can't open your mailbox\r\n");
- }
+ pop3_login();
}
else {
cprintf("-ERR That is NOT the password! Go away!\r\n");
pop3_pass(&cmdbuf[5]);
}
+ else if (!strncasecmp(cmdbuf, "APOP", 4))
+ {
+ pop3_apop(&cmdbuf[5]);
+ }
+
else if (!CC->logged_in) {
cprintf("-ERR Not logged in.\r\n");
}
char *Dynamic_Module_Init(void)
{
SYM_POP3 = CtdlGetDynamicSymbol();
+ printf("Registering POP3 port %d\n", config.c_pop3_port);
CtdlRegisterServiceHook(config.c_pop3_port,
NULL,
pop3_greeting,
void pop3_pass(char *argbuf);
void pop3_list(char *argbuf);
void pop3_command_loop(void);
+void pop3_login(void);
+
int state; /* thread state (see CON_ values below) */
int kill_me; /* Set to nonzero to flag for termination */
- char curr_user[32]; /* name of current user */
+ char curr_user[USERNAME_SIZE]; /* name of current user */
int logged_in; /* logged in */
int internal_pgm; /* authenticated as internal program */
char temp[32]; /* temp file name */
char cs_clientname[32]; /* name of client software */
char cs_host[26]; /* host logged in from */
+ /* Beginning of cryptography - session nonce */
+ char cs_nonce[NONCE_SIZE]; /* The nonce for this session's next auth transaction */
+
FILE *download_fp; /* Fields relating to file transfer */
FILE *upload_fp;
char upl_file[256];
int disable_exp; /* Set to 1 to disable incoming pages */
/* Masquerade... */
- char fake_username[32]; /* Fake username <bc> */
- char fake_postname[32]; /* Fake postname <bc> */
+ char fake_username[USERNAME_SIZE]; /* Fake username <bc> */
+ char fake_postname[USERNAME_SIZE]; /* Fake postname <bc> */
char fake_hostname[25]; /* Name of the fake hostname <bc> */
char fake_roomname[ROOMNAMELEN]; /* Name of the fake room <bc> */
+
/* Dynamically allocated session data */
struct CtdlSessData *FirstSessData;
int chat_seq;
time_t chat_time;
char chat_text[256];
- char chat_username[32];
+ char chat_username[USERNAME_SIZE];
char chat_room[ROOMNAMELEN];
};
lgetuser(&CC->usersupp,CC->curr_user);
++(CC->usersupp.timescalled);
- CC->fake_username[0] = '\0';
- CC->fake_postname[0] = '\0';
- CC->fake_hostname[0] = '\0';
- CC->fake_roomname[0] = '\0';
time(&CC->usersupp.lastcall);
/* If this user's name is the name of the system administrator
}
#endif
+void do_login()
+{
+ (CC->logged_in) = 1;
+ session_startup();
+ logged_in_response();
+}
int CtdlTryPassword(char *password)
#endif
if (!code) {
- (CC->logged_in) = 1;
- session_startup();
+ do_login();
return pass_ok;
}
else {
cprintf("%d Wrong password.\n", ERROR);
return;
case pass_ok:
- logged_in_response();
return;
cprintf("%d Can't find user record!\n",
ERROR+INTERNAL_ERROR);
void cmd_pass (char *buf);
int purge_user (char *pname);
int create_user (char *newusername);
+void do_login(void);
void cmd_newu (char *cmdbuf);
void cmd_setp (char *new_pw);
void cmd_getu (void);