[moira.git] / update / auth_002.c

/*
 *	$Source$
 *	$Header$
 */
/*  (c) Copyright 1988 by the Massachusetts Institute of Technology. */
/*  For copying and distribution information, please see the file */
/*  <mit-copyright.h>. */

#ifndef lint
static char *rcsid_auth_002_c = "$Header$";
#endif

#include <mit-copyright.h>
#include <stdio.h>
#include <string.h>
#include <gdb.h>
#include <krb.h>
#include <krb_et.h>
#include <netinet/in.h>
#include <errno.h>
#ifdef POSIX
#include <sys/utsname.h>
#endif

extern char buf[BUFSIZ];
extern int have_authorization;
extern struct sockaddr_in *client_address();
extern CONNECTION conn;
extern int code;
extern char *PrincipalHostname();
static char service[] = "rcmd";
static char master[] = "sms";
static char qmark[] = "???";
extern C_Block session;

/*
 * authentication request auth_002:
 *
 * >>> (STRING) "auth_002"
 * <<< (int) 0
 * >>> (STRING) ticket
 * <<< (int) code
 * <<< (STRING) nonce
 * >>> (STRING) encrypted nonce
 * <<< (int) code
 *
 */

int auth_002(char *str)
{
  STRING data;
  char realm[REALM_SZ];
  char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
  AUTH_DAT ad;
  char *p, *first, *config_lookup();
  KTEXT_ST ticket_st;
  struct utsname name;
  des_key_schedule sched;
  C_Block nonce, nonce2;

  if (send_ok())
    lose("sending okay for authorization (auth_002)");
  code = receive_object(conn, (char *)&data, STRING_T);
  if (code)
    {
      code = connection_errno(conn);
      lose("awaiting Kerberos authenticators");
    }
  uname(&name);
  ticket_st.mbz = 0;
  ticket_st.length = MAX_STRING_SIZE(data);
  memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
  code = krb_rd_req(&ticket_st, service, krb_get_phost(name.nodename), 0,
		    &ad, KEYFILE);
  if (code)
    {
      code += ERROR_TABLE_BASE_krb;
      strcpy(ad.pname, qmark);
      strcpy(ad.pinst, qmark);
      strcpy(ad.prealm, qmark);
      goto auth_failed;
    }

  /* If there is an auth record in the config file matching the
   * authenticator we received, then accept it.  If there's no
   * auth record, assume [master]@[local realm].
   */
  if (first = p = config_lookup("auth"))
    {
      do
	{
	  kname_parse(aname, ainst, arealm, p);
	  if (strcmp(aname, ad.pname) ||
	      strcmp(ainst, ad.pinst) ||
	      strcmp(arealm, ad.prealm))
	    p = config_lookup("auth");
	  else
	    p = first;
	}
      while (p != first);
    }
  else
    {
      strcpy(aname, master);
      strcpy(ainst, "");
      if (krb_get_lrealm(arealm, 1))
	strcpy(arealm, KRB_REALM);
    }
  code = EPERM;
  if (strcmp(aname, ad.pname) ||
      strcmp(ainst, ad.pinst) ||
      strcmp(arealm, ad.prealm))
    goto auth_failed;

  if (send_ok())
    lose("sending preliminary approval of authorization");

  /* replay protection */
  des_random_key(&nonce);
  STRING_DATA(data) = (char *)nonce;
  MAX_STRING_SIZE(data) = 8;
  if (send_object(conn, (char *)&data, STRING_T))
    lose("sending nonce");
  code = receive_object(conn, (char *)&data, STRING_T);
  if (code)
    {
      code = connection_errno(conn);
      goto auth_failed;
    }
  des_key_sched(ad.session, sched);
  des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
  if (memcmp(nonce, nonce2, sizeof(nonce)))
    goto auth_failed;

  if (send_ok())
    lose("sending approval of authorization");
  have_authorization = 1;
  /* Stash away session key */
  memcpy(session, ad.session, sizeof(session));
  return 0;
auth_failed:
  sprintf(buf, "auth for %s.%s@%s failed: %s",
	  ad.pname, ad.pinst, ad.prealm, error_message(code));
  {
    int rc;
    rc = send_object(conn, (char *)&code, INTEGER_T);
    code = rc;
  }
  if (code)
    lose("sending rejection of authenticator");
  return EPERM;
}
Commit	Line	Data
de56407f	1	/*
	2	* $Source$
	3	* $Header$
	4	*/
546bc43b	5	/* (c) Copyright 1988 by the Massachusetts Institute of Technology. */
	6	/* For copying and distribution information, please see the file */
	7	/* <mit-copyright.h>. */
de56407f	8
de56407f	9	#ifndef lint
5df6ee25	10	static char *rcsid_auth_002_c = "$Header$";
7da203a3	11	#endif
de56407f	12
546bc43b	13	#include <mit-copyright.h>
de56407f	14	#include <stdio.h>
8fd777cf	15	#include <string.h>
1e8fd4c0	16	#include <gdb.h>
de56407f	17	#include <krb.h>
b29ec86e	18	#include <krb_et.h>
de56407f	19	#include <netinet/in.h>
de56407f	20	#include <errno.h>
8fd777cf	21	#ifdef POSIX
	22	#include <sys/utsname.h>
	23	#endif
de56407f	24
	25	extern char buf[BUFSIZ];
	26	extern int have_authorization;
	27	extern struct sockaddr_in *client_address();
	28	extern CONNECTION conn;
7da203a3	29	extern int code;
de56407f	30	extern char *PrincipalHostname();
1c6164bb	31	static char service[] = "rcmd";
1c6164bb	32	static char master[] = "sms";
de56407f	33	static char qmark[] = "???";
5df6ee25	34	extern C_Block session;
de56407f	35
de56407f	36	/*
5df6ee25	37	* authentication request auth_002:
de56407f	38	*
5df6ee25	39	* >>> (STRING) "auth_002"
de56407f	40	* <<< (int) 0
	41	* >>> (STRING) ticket
	42	* <<< (int) code
5df6ee25	43	* <<< (STRING) nonce
	44	* >>> (STRING) encrypted nonce
	45	* <<< (int) code
de56407f	46	*
	47	*/
	48
5eaef520	49	int auth_002(char *str)
de56407f	50	{
5eaef520	51	STRING data;
	52	char realm[REALM_SZ];
	53	char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
	54	AUTH_DAT ad;
	55	char p, first, *config_lookup();
	56	KTEXT_ST ticket_st;
	57	struct utsname name;
	58	des_key_schedule sched;
	59	C_Block nonce, nonce2;
de56407f	60
5eaef520	61	if (send_ok())
	62	lose("sending okay for authorization (auth_002)");
	63	code = receive_object(conn, (char *)&data, STRING_T);
	64	if (code)
	65	{
	66	code = connection_errno(conn);
	67	lose("awaiting Kerberos authenticators");
de56407f	68	}
5eaef520	69	uname(&name);
	70	ticket_st.mbz = 0;
	71	ticket_st.length = MAX_STRING_SIZE(data);
	72	memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
	73	code = krb_rd_req(&ticket_st, service, krb_get_phost(name.nodename), 0,
	74	&ad, KEYFILE);
	75	if (code)
	76	{
	77	code += ERROR_TABLE_BASE_krb;
	78	strcpy(ad.pname, qmark);
	79	strcpy(ad.pinst, qmark);
	80	strcpy(ad.prealm, qmark);
	81	goto auth_failed;
de56407f	82	}
c47daf21	83
5eaef520	84	/* If there is an auth record in the config file matching the
	85	* authenticator we received, then accept it. If there's no
	86	* auth record, assume [master]@[local realm].
	87	*/
	88	if (first = p = config_lookup("auth"))
	89	{
	90	do
	91	{
	92	kname_parse(aname, ainst, arealm, p);
	93	if (strcmp(aname, ad.pname) \|\|
	94	strcmp(ainst, ad.pinst) \|\|
	95	strcmp(arealm, ad.prealm))
	96	p = config_lookup("auth");
	97	else
	98	p = first;
	99	}
	100	while (p != first);
c47daf21	101	}
5eaef520	102	else
	103	{
	104	strcpy(aname, master);
	105	strcpy(ainst, "");
	106	if (krb_get_lrealm(arealm, 1))
	107	strcpy(arealm, KRB_REALM);
	108	}
	109	code = EPERM;
	110	if (strcmp(aname, ad.pname) \|\|
	111	strcmp(ainst, ad.pinst) \|\|
	112	strcmp(arealm, ad.prealm))
	113	goto auth_failed;
5df6ee25	114
5eaef520	115	if (send_ok())
5eaef520	116	lose("sending preliminary approval of authorization");
5df6ee25	117
5eaef520	118	/* replay protection */
	119	des_random_key(&nonce);
	120	STRING_DATA(data) = (char *)nonce;
	121	MAX_STRING_SIZE(data) = 8;
	122	if (send_object(conn, (char *)&data, STRING_T))
	123	lose("sending nonce");
	124	code = receive_object(conn, (char *)&data, STRING_T);
	125	if (code)
	126	{
	127	code = connection_errno(conn);
	128	goto auth_failed;
585b298c	129	}
5eaef520	130	des_key_sched(ad.session, sched);
	131	des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
	132	if (memcmp(nonce, nonce2, sizeof(nonce)))
	133	goto auth_failed;
5df6ee25	134
5eaef520	135	if (send_ok())
	136	lose("sending approval of authorization");
	137	have_authorization = 1;
	138	/* Stash away session key */
	139	memcpy(session, ad.session, sizeof(session));
	140	return 0;
de56407f	141	auth_failed:
5eaef520	142	sprintf(buf, "auth for %s.%s@%s failed: %s",
	143	ad.pname, ad.pinst, ad.prealm, error_message(code));
	144	{
44d12d58	145	int rc;
5eaef520	146	rc = send_object(conn, (char *)&code, INTEGER_T);
	147	code = rc;
	148	}
	149	if (code)
	150	lose("sending rejection of authenticator");
	151	return EPERM;
de56407f	152	}