7ac48069 | 1 | /* $Id$ |
2 | * | |
3 | * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology. | |
4 | * For copying and distribution information, please see the file | |
5 | * <mit-copyright.h>. | |
de56407f | 6 | */ |
de56407f | 7 | |
546bc43b | 8 | #include <mit-copyright.h> |
7ac48069 | 9 | #include <moira.h> |
10 | #include "update_server.h" | |
11 | ||
12 | #include <sys/utsname.h> | |
13 | ||
14 | #include <errno.h> | |
de56407f | 15 | #include <stdio.h> |
eedd0489 | 16 | #include <string.h> |
7ac48069 | 17 | |
cb974713 | 18 | #ifdef HAVE_KRB4 |
de56407f | 19 | #include <krb.h> |
cb974713 | 20 | #endif |
7ac48069 | 21 | |
22 | RCSID("$Header$"); | |
de56407f | 23 | |
/* Placeholder written into the principal fields when krb_rd_req() rejects
 * the authenticator, so the failure log line still has something to print.
 */
static char qmark[] = "???";
/* Principal name accepted when the config file carries no "auth" record. */
static char master[] = "sms";
/* Kerberos service the client's ticket has to be issued for. */
static char service[] = "rcmd";
#ifdef HAVE_KRB4
/* Session key of the authenticated connection; defined in another file and
 * filled in here once auth_002() succeeds.
 */
extern des_cblock session;
#endif
de56407f | 30 | |
31 | /* | |
5df6ee25 | 32 | * authentication request auth_002: |
de56407f | 33 | * |
5df6ee25 | 34 | * >>> (STRING) "auth_002" |
de56407f | 35 | * <<< (int) 0 |
36 | * >>> (STRING) ticket | |
37 | * <<< (int) code | |
5df6ee25 | 38 | * <<< (STRING) nonce |
39 | * >>> (STRING) encrypted nonce | |
40 | * <<< (int) code | |
de56407f | 41 | * |
42 | */ | |
43 | ||
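#ifdef HAVE_KRB4
/* Return nonzero if NAME.INST@REALM is exactly the principal that
 * krb_rd_req() recorded in AD, 0 otherwise.
 */
static int principal_is(const char *name, const char *inst, const char *realm,
			const AUTH_DAT *ad)
{
  return strcmp(name, ad->pname) == 0 &&
	 strcmp(inst, ad->pinst) == 0 &&
	 strcmp(realm, ad->prealm) == 0;
}

/* Decide whether the authenticated principal in AD is one we accept
 * updates from.
 *
 * If the config file has one or more "auth" records, the principal must
 * equal one of them.  Otherwise it must be [master]@[local realm], with
 * KRB_REALM as the realm when krb_get_lrealm() fails.
 *
 * Returns nonzero when the principal is acceptable, 0 otherwise.
 */
static int principal_allowed(const AUTH_DAT *ad)
{
  char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
  char *p, *first;

  if ((first = p = config_lookup("auth")))
    {
      /* Walk the "auth" records.  Repeated config_lookup("auth") calls
       * appear to step through the records and cycle back to the first
       * one -- TODO confirm against config_lookup(); the p != first test
       * is what ends a full pass, and the NULL test only keeps a
       * non-cycling implementation from reaching kname_parse() with a
       * null pointer.
       */
      do
	{
	  /* A record kname_parse() cannot parse (nonzero return) is
	   * skipped instead of being compared from stale buffers.
	   */
	  if (kname_parse(aname, ainst, arealm, p) == 0 &&
	      principal_is(aname, ainst, arealm, ad))
	    return 1;
	  p = config_lookup("auth");
	}
      while (p && p != first);
      return 0;
    }

  strcpy(aname, master);
  strcpy(ainst, "");
  if (krb_get_lrealm(arealm, 1))
    strcpy(arealm, KRB_REALM);
  return principal_is(aname, ainst, arealm, ad);
}
#endif

/* Handle an auth_002 request on connection CONN.  STR is the request
 * string and is not examined.
 *
 * Exchange (see the protocol comment above this function):
 *   1. send 0, receive the client's Kerberos 4 authenticator, verify it
 *      with krb_rd_req() for [service]@[this host], and check that the
 *      principal is one principal_allowed() accepts;
 *   2. send 0, send a fresh random block, receive it back encrypted under
 *      the ticket's session key, decrypt and compare -- this proves the
 *      client holds the session key, so a captured ticket alone cannot be
 *      replayed;
 *   3. on success send 0, set have_authorization and stash the session key
 *      in the global `session'; on any failure log it and send the error
 *      code instead.
 *
 * Without HAVE_KRB4 the request is answered with MR_NO_KRB4.
 */
void auth_002(int conn, char *str)
{
#ifdef HAVE_KRB4
  AUTH_DAT ad;
  char *data;
  size_t size;
  KTEXT_ST ticket_st;
  des_key_schedule sched;
  des_cblock nonce, nonce2;
  long code;

  send_ok(conn);

  /* Step 1: the authenticator.  recv_string() allocates data; its
   * return value is not checked here (as in the rest of the protocol
   * handlers) -- TODO confirm it leaves data/size usable on error.
   */
  recv_string(conn, &data, &size);
  if (size > sizeof(ticket_st.dat))
    {
      code = KE_RD_AP_UNDEC;
      com_err(whoami, code, ": authenticator too large");
      send_int(conn, code);
      free(data);		/* was leaked on this path */
      return;
    }
  memcpy(ticket_st.dat, data, size);
  free(data);
  ticket_st.mbz = 0;
  ticket_st.length = size;	/* bounded by the check above */
  code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
		    &ad, KEYFILE);
  if (code)
    {
      code += ERROR_TABLE_BASE_krb;
      /* ad is not filled in on failure; give the log line something
       * printable.
       */
      strcpy(ad.pname, qmark);
      strcpy(ad.pinst, qmark);
      strcpy(ad.prealm, qmark);
      goto auth_failed;
    }

  /* Every failure from here on is an authorization failure. */
  code = EPERM;
  if (!principal_allowed(&ad))
    goto auth_failed;

  send_ok(conn);

  /* Step 2: challenge/response (replay protection).  The client must
   * return the nonce encrypted under ad.session; mode 0 is decrypt in
   * the krb4 DES API, so nonce2 should equal nonce afterwards.
   */
  des_random_key(&nonce);
  send_string(conn, (char *)nonce, sizeof(nonce));
  recv_string(conn, &data, &size);
  if (size != sizeof(nonce2))
    {
      /* des_ecb_encrypt() reads exactly one block; a shorter reply
       * would make it read past the end of data, and a longer one is
       * not a valid response either.
       */
      free(data);
      goto auth_failed;
    }
  des_key_sched(ad.session, sched);
  des_ecb_encrypt(data, nonce2, sched, 0);
  free(data);
  if (memcmp(nonce, nonce2, sizeof(nonce)))
    goto auth_failed;
  send_ok(conn);

  have_authorization = 1;
  /* Stash away session key */
  memcpy(session, ad.session, sizeof(session));
  return;

auth_failed:
  com_err(whoami, code, "auth for %s.%s@%s failed",
	  ad.pname, ad.pinst, ad.prealm);
  send_int(conn, code);
#else
  /* Built without Kerberos 4: answer the request with an error code
   * rather than leaving the client waiting.  (The previous
   * `return MR_NO_KRB4;' returned a value from a void function.)
   */
  send_int(conn, MR_NO_KRB4);
#endif
}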