[moira.git] / server / mr_sauth.c

/* $Id$
 *
 * Handle server side of authentication
 *
 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 */

#include <mit-copyright.h>
#include "mr_server.h"

#include <sys/types.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <stdlib.h>
#include <string.h>

RCSID("$Header$");

extern char *whoami, *host;
extern int proxy_acl;
extern krb5_context context;

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm);

typedef struct _replay_cache {
  KTEXT_ST auth;
  time_t expires;
  struct _replay_cache *next;
} replay_cache;

replay_cache *rcache = NULL;

/*
 * Handle a MOIRA_AUTH RPC request.
 *
 * argv[0] is a kerberos authenticator.  Decompose it, and if
 * successful, store the name the user authenticated to in
 * cl->cl_name.
 */

void do_auth(client *cl)
{
  KTEXT_ST auth;
  AUTH_DAT ad;
  int status;
  replay_cache *rc, *rcnew;
  time_t now;

  auth.length = cl->req.mr_argl[0];
  memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
  auth.mbz = 0;

  if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
			   cl->haddr.sin_addr.s_addr, &ad, "")))
    {
      status += ERROR_TABLE_BASE_krb;
      client_reply(cl, status);
      com_err(whoami, status, " (authentication failed)");
      return;
    }

  if (!rcache)
    {
      rcache = xmalloc(sizeof(replay_cache));
      memset(rcache, 0, sizeof(replay_cache));
    }

  /* scan replay cache */
  for (rc = rcache->next; rc; rc = rc->next)
    {
      if (auth.length == rc->auth.length &&
	  !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	{
	  com_err(whoami, 0,
		  "Authenticator replay from %s using authenticator for %s",
		  inet_ntoa(cl->haddr.sin_addr),
		  mr_kname_unparse(ad.pname, ad.pinst, ad.prealm));
	  com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	  client_reply(cl, KE_RD_AP_REPEAT);
	  return;
	}
    }

  /* add new entry */
  time(&now);
  rcnew = xmalloc(sizeof(replay_cache));
  memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
  rcnew->expires = now + 2 * CLOCK_SKEW;
  rcnew->next = rcache->next;
  rcache->next = rcnew;

  /* clean cache */
  for (rc = rcnew; rc->next; )
    {
      if (rc->next->expires < now)
	{
	  rcnew = rc->next;
	  rc->next = rc->next->next;
	  free(rcnew);
	}
      else
	rc = rc->next;
    }

  status = set_client(cl, mr_kname_unparse(ad.pname, ad.pinst, ad.prealm),
		      ad.pname, ad.pinst, ad.prealm);

  strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
  cl->entity[sizeof(cl->entity) - 1] = 0;

  memset(&ad, 0, sizeof(ad));	/* Clean up session key, etc. */

  com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);
}

void do_proxy(client *cl)
{
  char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
  char kname[MAX_K_NAME_SZ];

  if (cl->proxy_id)
    {
      com_err(whoami, MR_PERM, "Cannot re-proxy");
      client_reply(cl, MR_PERM);
      return;
    }

  if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
    {
      com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	      cl->req.mr_argv);
      client_reply(cl, KE_KNAME_FMT);
      return;
    }

  if (!*realm)
    {
      strcpy(realm, krb_realm);
      sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
    }
  else
    strcpy(kname, cl->req.mr_argv[0]);
    
  if (find_member("LIST", proxy_acl, cl))
    {
      cl->proxy_id = cl->client_id;
      set_client(cl, kname, name, inst, realm);
      com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	      kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
      client_reply(cl, MR_SUCCESS);
    }
  else
    {
      com_err(whoami, MR_PERM, "Proxy authentication denied");
      client_reply(cl, MR_PERM);
    }
}

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm)
{
  int ok;

  strncpy(cl->clname, kname, sizeof(cl->clname));
  cl->clname[sizeof(cl->clname) - 1] = '\0';

  if ((!inst || inst[0] == 0) && !strcmp(realm, krb_realm))
    ok = 1;
  else
    ok = 0;
  /* this is in a separate function because it accesses the database */
  return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
}

void do_krb5_auth(client *cl)
{
  krb5_data auth;
  krb5_auth_context auth_con = NULL;
  krb5_principal server = NULL, client = NULL;
  krb5_ticket *ticket;
  char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
  int status;

  ticket = NULL;

  status = krb5_auth_con_init(context, &auth_con);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, "(krb5 auth context init failed)");
      goto out;
    }

  status = krb5_sname_to_principal(context, host, MOIRA_SNAME, 
				    KRB5_NT_SRV_HST, &server);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, "(krb5_sname_to_principal failed)");
      goto out;
    }

  auth.length = cl->req.mr_argl[0];
  auth.data = cl->req.mr_argv[0];

  status = krb5_rd_req(context, &auth_con, &auth, server, NULL, NULL,
			&ticket);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5 authentication failed)");
      goto out;
    }

  status = krb5_copy_principal(context, ticket->enc_part2->client, &client);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5_copy_principal failed)");
      goto out;
    }

  /* Always convert to krb4 style principal name for now. */
  status = krb5_524_conv_principal(context, client, name, inst, realm);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5_524_conv_principal failed)");
      goto out;
    }
  status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
		      realm);

  strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
  cl->entity[sizeof(cl->entity) - 1] = 0;

  com_err(whoami, 0, "krb5 auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);

 out:
  if (client)
    krb5_free_principal(context, client);
  if (server)
    krb5_free_principal(context, server);
  if (ticket)
    krb5_free_ticket(context, ticket);
  if (auth_con)
    krb5_auth_con_free(context, auth_con);
  return;
}
Commit	Line	Data
7ac48069	1	/* $Id$
	2	*
	3	* Handle server side of authentication
a3cf6921	4	*
7ac48069	5	* Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
	6	* For copying and distribution information, please see the file
	7	* <mit-copyright.h>.
a3cf6921	8	*
a3cf6921	9	*/
a3cf6921	10
c801de4c	11	#include <mit-copyright.h>
d548a4e7	12	#include "mr_server.h"
a3cf6921	13
7ac48069	14	#include <sys/types.h>
a3cf6921	15
7ac48069	16	#include <arpa/inet.h>
	17	#include <netinet/in.h>
	18
	19	#include <stdlib.h>
	20	#include <string.h>
	21
	22	RCSID("$Header$");
	23
	24	extern char whoami, host;
ed00e35e	25	extern int proxy_acl;
991417e4	26	extern krb5_context context;
ed00e35e	27
	28	static int set_client(client cl, char kname,
	29	char name, char inst, char *realm);
c1665e6d	30
3d0d0f07	31	typedef struct _replay_cache {
	32	KTEXT_ST auth;
	33	time_t expires;
	34	struct _replay_cache *next;
	35	} replay_cache;
	36
	37	replay_cache *rcache = NULL;
	38
a3cf6921	39	/*
d548a4e7	40	* Handle a MOIRA_AUTH RPC request.
a3cf6921	41	*
a3cf6921	42	* argv[0] is a kerberos authenticator. Decompose it, and if
5eaef520	43	* successful, store the name the user authenticated to in
a3cf6921	44	* cl->cl_name.
	45	*/
	46
8691463b	47	void do_auth(client *cl)
a3cf6921	48	{
5eaef520	49	KTEXT_ST auth;
5eaef520	50	AUTH_DAT ad;
ed00e35e	51	int status;
5eaef520	52	replay_cache rc, rcnew;
	53	time_t now;
	54
8691463b	55	auth.length = cl->req.mr_argl[0];
8691463b	56	memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
5eaef520	57	auth.mbz = 0;
5eaef520	58
85330553	59	if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
85330553	60	cl->haddr.sin_addr.s_addr, &ad, "")))
5eaef520	61	{
5eaef520	62	status += ERROR_TABLE_BASE_krb;
85330553	63	client_reply(cl, status);
85330553	64	com_err(whoami, status, " (authentication failed)");
5eaef520	65	return;
	66	}
	67
	68	if (!rcache)
	69	{
e688520a	70	rcache = xmalloc(sizeof(replay_cache));
5eaef520	71	memset(rcache, 0, sizeof(replay_cache));
	72	}
	73
	74	/* scan replay cache */
	75	for (rc = rcache->next; rc; rc = rc->next)
	76	{
	77	if (auth.length == rc->auth.length &&
	78	!memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	79	{
	80	com_err(whoami, 0,
	81	"Authenticator replay from %s using authenticator for %s",
	82	inet_ntoa(cl->haddr.sin_addr),
866127a1	83	mr_kname_unparse(ad.pname, ad.pinst, ad.prealm));
5eaef520	84	com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
85330553	85	client_reply(cl, KE_RD_AP_REPEAT);
5eaef520	86	return;
3d0d0f07	87	}
5eaef520	88	}
	89
	90	/* add new entry */
	91	time(&now);
e688520a	92	rcnew = xmalloc(sizeof(replay_cache));
5eaef520	93	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	94	rcnew->expires = now + 2 * CLOCK_SKEW;
	95	rcnew->next = rcache->next;
	96	rcache->next = rcnew;
	97
	98	/* clean cache */
	99	for (rc = rcnew; rc->next; )
	100	{
	101	if (rc->next->expires < now)
	102	{
	103	rcnew = rc->next;
	104	rc->next = rc->next->next;
	105	free(rcnew);
060e9c63	106	}
5eaef520	107	else
	108	rc = rc->next;
	109	}
	110
866127a1	111	status = set_client(cl, mr_kname_unparse(ad.pname, ad.pinst, ad.prealm),
ed00e35e	112	ad.pname, ad.pinst, ad.prealm);
5eaef520	113
ed00e35e	114	strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
ed00e35e	115	cl->entity[sizeof(cl->entity) - 1] = 0;
85330553	116
5eaef520	117	memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
5eaef520	118
85330553	119	com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	120	cl->clname, cl->entity, cl->users_id, cl->client_id);
	121
	122	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	123	client_reply(cl, status);
	124	else
	125	client_reply(cl, MR_USER_AUTH);
a3cf6921	126	}
ed00e35e	127
	128	void do_proxy(client *cl)
	129	{
8ac76f32	130	char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
ed00e35e	131	char kname[MAX_K_NAME_SZ];
	132
	133	if (cl->proxy_id)
	134	{
	135	com_err(whoami, MR_PERM, "Cannot re-proxy");
	136	client_reply(cl, MR_PERM);
	137	return;
	138	}
	139
	140	if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
	141	{
	142	com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	143	cl->req.mr_argv);
	144	client_reply(cl, KE_KNAME_FMT);
	145	return;
	146	}
	147
	148	if (!*realm)
	149	{
	150	strcpy(realm, krb_realm);
	151	sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
	152	}
	153	else
	154	strcpy(kname, cl->req.mr_argv[0]);
	155
	156	if (find_member("LIST", proxy_acl, cl))
	157	{
	158	cl->proxy_id = cl->client_id;
	159	set_client(cl, kname, name, inst, realm);
	160	com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	161	kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
	162	client_reply(cl, MR_SUCCESS);
	163	}
	164	else
	165	{
	166	com_err(whoami, MR_PERM, "Proxy authentication denied");
	167	client_reply(cl, MR_PERM);
	168	}
	169	}
	170
	171	static int set_client(client cl, char kname,
	172	char name, char inst, char *realm)
	173	{
	174	int ok;
	175
	176	strncpy(cl->clname, kname, sizeof(cl->clname));
	177	cl->clname[sizeof(cl->clname) - 1] = '\0';
	178
991417e4	179	if ((!inst \|\| inst[0] == 0) && !strcmp(realm, krb_realm))
ed00e35e	180	ok = 1;
	181	else
	182	ok = 0;
	183	/* this is in a separate function because it accesses the database */
	184	return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
	185	}
991417e4	186
	187	void do_krb5_auth(client *cl)
	188	{
	189	krb5_data auth;
	190	krb5_auth_context auth_con = NULL;
	191	krb5_principal server = NULL, client = NULL;
	192	krb5_ticket *ticket;
	193	char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
	194	int status;
	195
	196	ticket = NULL;
	197
	198	status = krb5_auth_con_init(context, &auth_con);
	199	if (status)
	200	{
	201	client_reply(cl, status);
	202	com_err(whoami, status, "(krb5 auth context init failed)");
	203	goto out;
	204	}
	205
	206	status = krb5_sname_to_principal(context, host, MOIRA_SNAME,
	207	KRB5_NT_SRV_HST, &server);
	208	if (status)
	209	{
	210	client_reply(cl, status);
	211	com_err(whoami, status, "(krb5_sname_to_principal failed)");
	212	goto out;
	213	}
	214
	215	auth.length = cl->req.mr_argl[0];
	216	auth.data = cl->req.mr_argv[0];
	217
	218	status = krb5_rd_req(context, &auth_con, &auth, server, NULL, NULL,
	219	&ticket);
	220	if (status)
	221	{
	222	client_reply(cl, status);
	223	com_err(whoami, status, " (krb5 authentication failed)");
	224	goto out;
	225	}
	226
	227	status = krb5_copy_principal(context, ticket->enc_part2->client, &client);
	228	if (status)
	229	{
	230	client_reply(cl, status);
	231	com_err(whoami, status, " (krb5_copy_principal failed)");
	232	goto out;
	233	}
	234
	235	/* Always convert to krb4 style principal name for now. */
	236	status = krb5_524_conv_principal(context, client, name, inst, realm);
	237	if (status)
	238	{
	239	client_reply(cl, status);
	240	com_err(whoami, status, " (krb5_524_conv_principal failed)");
	241	goto out;
	242	}
	243	status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
	244	realm);
	245
	246	strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
	247	cl->entity[sizeof(cl->entity) - 1] = 0;
	248
991417e4	249	com_err(whoami, 0, "krb5 auth to %s using %s, uid %d cid %d",
	250	cl->clname, cl->entity, cl->users_id, cl->client_id);
	251
	252	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	253	client_reply(cl, status);
	254	else
	255	client_reply(cl, MR_USER_AUTH);
	256
	257	out:
	258	if (client)
	259	krb5_free_principal(context, client);
	260	if (server)
	261	krb5_free_principal(context, server);
	262	if (ticket)
	263	krb5_free_ticket(context, ticket);
	264	if (auth_con)
	265	krb5_auth_con_free(context, auth_con);
	266	return;
	267	}