[moira.git] / server / mr_sauth.c

/*
 *	$Source$
 *	$Author$
 *	$Header$
 *
 *	Copyright (C) 1987 by the Massachusetts Institute of Technology
 *	For copying and distribution information, please see the file
 *	<mit-copyright.h>.
 *
 */

#ifndef lint
static char *rcsid_sms_sauth_c = "$Header$";
#endif lint

#include <mit-copyright.h>
#include <string.h>
#include "mr_server.h"
#include <ctype.h>
#include <krb_et.h>
#include <moira.h>
#include <time.h>

extern char *whoami, *host;

/* from libmoira */
char *kname_unparse(char *, char *, char *);

typedef struct _replay_cache {
  KTEXT_ST auth;
  time_t expires;
  struct _replay_cache *next;
} replay_cache;

replay_cache *rcache = NULL;

/*
 * Handle a MOIRA_AUTH RPC request.
 *
 * argv[0] is a kerberos authenticator.  Decompose it, and if
 * successful, store the name the user authenticated to in 
 * cl->cl_name.
 */

void
do_auth(cl)
	client *cl;
{
	KTEXT_ST auth;
	AUTH_DAT ad;
	int status, ok;
	extern int errno;
	replay_cache *rc, *rcnew;
	time_t now;

	auth.length = cl->args->mr_argl[0];
	memcpy((char *)auth.dat, cl->args->mr_argv[0], auth.length);
	auth.mbz = 0;

	if ((status = krb_rd_req (&auth, MOIRA_SNAME, host,
				  cl->haddr.sin_addr.s_addr, &ad, "")) != 0) {
		status += ERROR_TABLE_BASE_krb;
		cl->reply.mr_status = status;
		if (log_flags & LOG_RES)
			com_err(whoami, status, " (authentication failed)");
		return;
	}

	if(!rcache) {
	  rcache = (replay_cache*)malloc(sizeof(replay_cache));
	  memset(rcache, 0, sizeof(replay_cache));
	}

	/* scan replay cache */
	for (rc = rcache->next; rc; rc = rc->next) {
	  if(auth.length == rc->auth.length &&
	     !memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) {
	    com_err(whoami, 0, "Authenticator replay from %s using authenticator for %s",
		    inet_ntoa(cl->haddr.sin_addr),
		    kname_unparse(ad.pname, ad.pinst, ad.prealm));
	    com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	    cl->reply.mr_status = KE_RD_AP_REPEAT;
	    return;
	  }
	}

	/* add new entry */
	time(&now);
	rcnew = (replay_cache*)malloc(sizeof(replay_cache));
	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	rcnew->expires = now + 2*CLOCK_SKEW;
	rcnew->next = rcache->next;
	rcache->next = rcnew;

	/* clean cache */
	for (rc = rcnew; rc->next; ) {
	  if(rc->next->expires < now) {
	    rcnew = rc->next;
	    rc->next = rc->next->next;
	    free(rcnew);
	  } else rc = rc->next;
	}

	memcpy(cl->kname.name, ad.pname, ANAME_SZ);
	memcpy(cl->kname.inst, ad.pinst, INST_SZ);
	memcpy(cl->kname.realm, ad.prealm, REALM_SZ);
	strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm));

	if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm))
	  ok = 1;
	else
	  ok = 0;
	/* this is in a separate function because it accesses the database */
	status = set_krb_mapping(cl->clname, ad.pname, ok,
				 &cl->client_id, &cl->users_id);

	if (cl->args->mr_version_no == MR_VERSION_2) {
	    strncpy(cl->entity, cl->args->mr_argv[1], 8);
	    cl->entity[8] = 0;
	} else {
	    strcpy(cl->entity, "???");
	}
	memset(&ad, 0, sizeof(ad));	/* Clean up session key, etc. */

	if (log_flags & LOG_RES)
	    com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
		    cl->clname, cl->entity, cl->users_id, cl->client_id);
	if (status != MR_SUCCESS)
	  cl->reply.mr_status = status;
	else if (cl->users_id == 0)
	  cl->reply.mr_status = MR_USER_AUTH;
}
Commit	Line	Data
a3cf6921	1	/*
	2	* $Source$
	3	* $Author$
	4	* $Header$
	5	*
	6	* Copyright (C) 1987 by the Massachusetts Institute of Technology
c801de4c	7	* For copying and distribution information, please see the file
c801de4c	8	* <mit-copyright.h>.
a3cf6921	9	*
a3cf6921	10	*/
	11
	12	#ifndef lint
	13	static char *rcsid_sms_sauth_c = "$Header$";
	14	#endif lint
	15
c801de4c	16	#include <mit-copyright.h>
03c05291	17	#include <string.h>
d548a4e7	18	#include "mr_server.h"
713cf9c9	19	#include <ctype.h>
40165bd0	20	#include <krb_et.h>
03c05291	21	#include <moira.h>
3d0d0f07	22	#include <time.h>
a3cf6921	23
3d0d0f07	24	extern char whoami, host;
a3cf6921	25
03c05291	26	/* from libmoira */
03c05291	27	char kname_unparse(char , char , char );
c1665e6d	28
3d0d0f07	29	typedef struct _replay_cache {
	30	KTEXT_ST auth;
	31	time_t expires;
	32	struct _replay_cache *next;
	33	} replay_cache;
	34
	35	replay_cache *rcache = NULL;
	36
a3cf6921	37	/*
d548a4e7	38	* Handle a MOIRA_AUTH RPC request.
a3cf6921	39	*
	40	* argv[0] is a kerberos authenticator. Decompose it, and if
	41	* successful, store the name the user authenticated to in
	42	* cl->cl_name.
	43	*/
	44
	45	void
	46	do_auth(cl)
	47	client *cl;
	48	{
	49	KTEXT_ST auth;
	50	AUTH_DAT ad;
c1665e6d	51	int status, ok;
a53c9c79	52	extern int errno;
3d0d0f07	53	replay_cache rc, rcnew;
3d0d0f07	54	time_t now;
713cf9c9	55
d548a4e7	56	auth.length = cl->args->mr_argl[0];
03c05291	57	memcpy((char *)auth.dat, cl->args->mr_argv[0], auth.length);
a3cf6921	58	auth.mbz = 0;
713cf9c9	59
03c05291	60	if ((status = krb_rd_req (&auth, MOIRA_SNAME, host,
03c05291	61	cl->haddr.sin_addr.s_addr, &ad, "")) != 0) {
40165bd0	62	status += ERROR_TABLE_BASE_krb;
d548a4e7	63	cl->reply.mr_status = status;
060e9c63	64	if (log_flags & LOG_RES)
3d0d0f07	65	com_err(whoami, status, " (authentication failed)");
a3cf6921	66	return;
a3cf6921	67	}
3d0d0f07	68
	69	if(!rcache) {
	70	rcache = (replay_cache*)malloc(sizeof(replay_cache));
	71	memset(rcache, 0, sizeof(replay_cache));
	72	}
	73
	74	/* scan replay cache */
	75	for (rc = rcache->next; rc; rc = rc->next) {
	76	if(auth.length == rc->auth.length &&
	77	!memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) {
	78	com_err(whoami, 0, "Authenticator replay from %s using authenticator for %s",
	79	inet_ntoa(cl->haddr.sin_addr),
	80	kname_unparse(ad.pname, ad.pinst, ad.prealm));
	81	com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	82	cl->reply.mr_status = KE_RD_AP_REPEAT;
	83	return;
	84	}
	85	}
	86
	87	/* add new entry */
	88	time(&now);
	89	rcnew = (replay_cache*)malloc(sizeof(replay_cache));
	90	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	91	rcnew->expires = now + 2*CLOCK_SKEW;
	92	rcnew->next = rcache->next;
	93	rcache->next = rcnew;
	94
	95	/* clean cache */
	96	for (rc = rcnew; rc->next; ) {
	97	if(rc->next->expires < now) {
	98	rcnew = rc->next;
	99	rc->next = rc->next->next;
	100	free(rcnew);
	101	} else rc = rc->next;
	102	}
c1665e6d	103
03c05291	104	memcpy(cl->kname.name, ad.pname, ANAME_SZ);
	105	memcpy(cl->kname.inst, ad.pinst, INST_SZ);
	106	memcpy(cl->kname.realm, ad.prealm, REALM_SZ);
c1665e6d	107	strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm));
90021a6f	108
c1665e6d	109	if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm))
	110	ok = 1;
	111	else
	112	ok = 0;
	113	/* this is in a separate function because it accesses the database */
aa3c5c98	114	status = set_krb_mapping(cl->clname, ad.pname, ok,
aa3c5c98	115	&cl->client_id, &cl->users_id);
90021a6f	116
d548a4e7	117	if (cl->args->mr_version_no == MR_VERSION_2) {
dda4020f	118	strncpy(cl->entity, cl->args->mr_argv[1], 8);
c1665e6d	119	cl->entity[8] = 0;
90021a6f	120	} else {
c1665e6d	121	strcpy(cl->entity, "???");
060e9c63	122	}
03c05291	123	memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
90021a6f	124
90021a6f	125	if (log_flags & LOG_RES)
c1665e6d	126	com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
c1665e6d	127	cl->clname, cl->entity, cl->users_id, cl->client_id);
aa3c5c98	128	if (status != MR_SUCCESS)
	129	cl->reply.mr_status = status;
	130	else if (cl->users_id == 0)
d548a4e7	131	cl->reply.mr_status = MR_USER_AUTH;
a3cf6921	132	}