]>
Commit | Line | Data |
---|---|---|
a3cf6921 | 1 | /* |
2 | * $Source$ | |
3 | * $Author$ | |
4 | * $Header$ | |
5 | * | |
6 | * Copyright (C) 1987 by the Massachusetts Institute of Technology | |
c801de4c | 7 | * For copying and distribution information, please see the file |
8 | * <mit-copyright.h>. | |
a3cf6921 | 9 | * |
a3cf6921 | 10 | */ |
11 | ||
12 | #ifndef lint | |
13 | static char *rcsid_sms_sauth_c = "$Header$"; | |
14 | #endif lint | |
15 | ||
c801de4c | 16 | #include <mit-copyright.h> |
03c05291 | 17 | #include <string.h> |
d548a4e7 | 18 | #include "mr_server.h" |
713cf9c9 | 19 | #include <ctype.h> |
40165bd0 | 20 | #include <krb_et.h> |
03c05291 | 21 | #include <moira.h> |
3d0d0f07 | 22 | #include <time.h> |
a3cf6921 | 23 | |
3d0d0f07 | 24 | extern char *whoami, *host; |
a3cf6921 | 25 | |
03c05291 | 26 | /* from libmoira */ |
27 | char *kname_unparse(char *, char *, char *); | |
c1665e6d | 28 | |
3d0d0f07 | 29 | typedef struct _replay_cache { |
30 | KTEXT_ST auth; | |
31 | time_t expires; | |
32 | struct _replay_cache *next; | |
33 | } replay_cache; | |
34 | ||
35 | replay_cache *rcache = NULL; | |
36 | ||
a3cf6921 | 37 | /* |
d548a4e7 | 38 | * Handle a MOIRA_AUTH RPC request. |
a3cf6921 | 39 | * |
40 | * argv[0] is a kerberos authenticator. Decompose it, and if | |
41 | * successful, store the name the user authenticated to in | |
42 | * cl->cl_name. | |
43 | */ | |
44 | ||
45 | void | |
46 | do_auth(cl) | |
47 | client *cl; | |
48 | { | |
49 | KTEXT_ST auth; | |
50 | AUTH_DAT ad; | |
c1665e6d | 51 | int status, ok; |
a53c9c79 | 52 | extern int errno; |
3d0d0f07 | 53 | replay_cache *rc, *rcnew; |
54 | time_t now; | |
713cf9c9 | 55 | |
d548a4e7 | 56 | auth.length = cl->args->mr_argl[0]; |
03c05291 | 57 | memcpy((char *)auth.dat, cl->args->mr_argv[0], auth.length); |
a3cf6921 | 58 | auth.mbz = 0; |
713cf9c9 | 59 | |
03c05291 | 60 | if ((status = krb_rd_req (&auth, MOIRA_SNAME, host, |
61 | cl->haddr.sin_addr.s_addr, &ad, "")) != 0) { | |
40165bd0 | 62 | status += ERROR_TABLE_BASE_krb; |
d548a4e7 | 63 | cl->reply.mr_status = status; |
060e9c63 | 64 | if (log_flags & LOG_RES) |
3d0d0f07 | 65 | com_err(whoami, status, " (authentication failed)"); |
a3cf6921 | 66 | return; |
67 | } | |
3d0d0f07 | 68 | |
69 | if(!rcache) { | |
70 | rcache = (replay_cache*)malloc(sizeof(replay_cache)); | |
71 | memset(rcache, 0, sizeof(replay_cache)); | |
72 | } | |
73 | ||
74 | /* scan replay cache */ | |
75 | for (rc = rcache->next; rc; rc = rc->next) { | |
76 | if(auth.length == rc->auth.length && | |
77 | !memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) { | |
78 | com_err(whoami, 0, "Authenticator replay from %s using authenticator for %s", | |
79 | inet_ntoa(cl->haddr.sin_addr), | |
80 | kname_unparse(ad.pname, ad.pinst, ad.prealm)); | |
81 | com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)"); | |
82 | cl->reply.mr_status = KE_RD_AP_REPEAT; | |
83 | return; | |
84 | } | |
85 | } | |
86 | ||
87 | /* add new entry */ | |
88 | time(&now); | |
89 | rcnew = (replay_cache*)malloc(sizeof(replay_cache)); | |
90 | memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST)); | |
91 | rcnew->expires = now + 2*CLOCK_SKEW; | |
92 | rcnew->next = rcache->next; | |
93 | rcache->next = rcnew; | |
94 | ||
95 | /* clean cache */ | |
96 | for (rc = rcnew; rc->next; ) { | |
97 | if(rc->next->expires < now) { | |
98 | rcnew = rc->next; | |
99 | rc->next = rc->next->next; | |
100 | free(rcnew); | |
101 | } else rc = rc->next; | |
102 | } | |
c1665e6d | 103 | |
03c05291 | 104 | memcpy(cl->kname.name, ad.pname, ANAME_SZ); |
105 | memcpy(cl->kname.inst, ad.pinst, INST_SZ); | |
106 | memcpy(cl->kname.realm, ad.prealm, REALM_SZ); | |
c1665e6d | 107 | strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm)); |
90021a6f | 108 | |
c1665e6d | 109 | if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm)) |
110 | ok = 1; | |
111 | else | |
112 | ok = 0; | |
113 | /* this is in a separate function because it accesses the database */ | |
aa3c5c98 | 114 | status = set_krb_mapping(cl->clname, ad.pname, ok, |
115 | &cl->client_id, &cl->users_id); | |
90021a6f | 116 | |
d548a4e7 | 117 | if (cl->args->mr_version_no == MR_VERSION_2) { |
dda4020f | 118 | strncpy(cl->entity, cl->args->mr_argv[1], 8); |
c1665e6d | 119 | cl->entity[8] = 0; |
90021a6f | 120 | } else { |
c1665e6d | 121 | strcpy(cl->entity, "???"); |
060e9c63 | 122 | } |
03c05291 | 123 | memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */ |
90021a6f | 124 | |
125 | if (log_flags & LOG_RES) | |
c1665e6d | 126 | com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d", |
127 | cl->clname, cl->entity, cl->users_id, cl->client_id); | |
aa3c5c98 | 128 | if (status != MR_SUCCESS) |
129 | cl->reply.mr_status = status; | |
130 | else if (cl->users_id == 0) | |
d548a4e7 | 131 | cl->reply.mr_status = MR_USER_AUTH; |
a3cf6921 | 132 | } |