[moira.git] / server / mr_sauth.c

/* $Id$
 *
 * Handle server side of authentication
 *
 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 */

#include <mit-copyright.h>
#include "mr_server.h"

#include <sys/types.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <stdlib.h>
#include <string.h>

RCSID("$Header$");

extern char *whoami, *host;
extern int proxy_acl;
extern krb5_context context;

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm);

#ifdef HAVE_KRB4
typedef struct _replay_cache {
  KTEXT_ST auth;
  time_t expires;
  struct _replay_cache *next;
} replay_cache;

replay_cache *rcache = NULL;
#endif

/*
 * Handle a MOIRA_AUTH RPC request.
 *
 * argv[0] is a kerberos authenticator.  Decompose it, and if
 * successful, store the name the user authenticated to in
 * cl->cl_name.
 */

void do_auth(client *cl)
{
#ifdef HAVE_KRB4
  KTEXT_ST auth;
  AUTH_DAT ad;
  int status;
  replay_cache *rc, *rcnew;
  time_t now;

  auth.length = cl->req.mr_argl[0];
  memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
  auth.mbz = 0;

  if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
			   cl->haddr.sin_addr.s_addr, &ad, "")))
    {
      status += ERROR_TABLE_BASE_krb;
      client_reply(cl, status);
      com_err(whoami, status, " (authentication failed)");
      return;
    }

  if (!rcache)
    {
      rcache = xmalloc(sizeof(replay_cache));
      memset(rcache, 0, sizeof(replay_cache));
    }

  /* scan replay cache */
  for (rc = rcache->next; rc; rc = rc->next)
    {
      if (auth.length == rc->auth.length &&
	  !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	{
	  com_err(whoami, 0,
		  "Authenticator replay from %s using authenticator for %s",
		  inet_ntoa(cl->haddr.sin_addr),
		  mr_kname_unparse(ad.pname, ad.pinst, ad.prealm));
	  com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	  client_reply(cl, KE_RD_AP_REPEAT);
	  return;
	}
    }

  /* add new entry */
  time(&now);
  rcnew = xmalloc(sizeof(replay_cache));
  memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
  rcnew->expires = now + 2 * CLOCK_SKEW;
  rcnew->next = rcache->next;
  rcache->next = rcnew;

  /* clean cache */
  for (rc = rcnew; rc->next; )
    {
      if (rc->next->expires < now)
	{
	  rcnew = rc->next;
	  rc->next = rc->next->next;
	  free(rcnew);
	}
      else
	rc = rc->next;
    }

  status = set_client(cl, mr_kname_unparse(ad.pname, ad.pinst, ad.prealm),
		      ad.pname, ad.pinst, ad.prealm);

  strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
  cl->entity[sizeof(cl->entity) - 1] = 0;

  memset(&ad, 0, sizeof(ad));	/* Clean up session key, etc. */

  com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);
#else
  client_reply(cl, MR_NO_KRB4);
#endif
}

void do_proxy(client *cl)
{
  char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
  char kname[MAX_K_NAME_SZ];

  if (cl->proxy_id)
    {
      com_err(whoami, MR_PERM, "Cannot re-proxy");
      client_reply(cl, MR_PERM);
      return;
    }

  if (mr_kname_parse(name, inst, realm, cl->req.mr_argv[0]) != 0)
    {
      com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	      cl->req.mr_argv);
      client_reply(cl, KE_KNAME_FMT);
      return;
    }

  if (!*realm)
    {
      strcpy(realm, krb_realm);
      sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
    }
  else
    strcpy(kname, cl->req.mr_argv[0]);
    
  if (find_member("LIST", proxy_acl, cl))
    {
      cl->proxy_id = cl->client_id;
      set_client(cl, kname, name, inst, realm);
      com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	      kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
      client_reply(cl, MR_SUCCESS);
    }
  else
    {
      com_err(whoami, MR_PERM, "Proxy authentication denied");
      client_reply(cl, MR_PERM);
    }
}

static int set_client(client *cl, char *kname,
		      char *name, char *inst, char *realm)
{
  int ok;

  strncpy(cl->clname, kname, sizeof(cl->clname));
  cl->clname[sizeof(cl->clname) - 1] = '\0';

  if ((!inst || inst[0] == 0) && !strcmp(realm, krb_realm))
    ok = 1;
  else
    ok = 0;
  /* this is in a separate function because it accesses the database */
  return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
}

void do_krb5_auth(client *cl)
{
  krb5_data auth;
  krb5_auth_context auth_con = NULL;
  krb5_principal server = NULL, client = NULL;
  krb5_ticket *ticket;
  char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
  int status;

  ticket = NULL;

  status = krb5_auth_con_init(context, &auth_con);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, "(krb5 auth context init failed)");
      goto out;
    }

  status = krb5_sname_to_principal(context, host, MOIRA_SNAME, 
				    KRB5_NT_SRV_HST, &server);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, "(krb5_sname_to_principal failed)");
      goto out;
    }

  auth.length = cl->req.mr_argl[0];
  auth.data = cl->req.mr_argv[0];

  status = krb5_rd_req(context, &auth_con, &auth, server, NULL, NULL,
			&ticket);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5 authentication failed)");
      goto out;
    }

  status = krb5_copy_principal(context, ticket->enc_part2->client, &client);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5_copy_principal failed)");
      goto out;
    }

  /* Always convert to krb4 style principal name for now. */
  status = krb5_524_conv_principal(context, client, name, inst, realm);
  if (status)
    {
      client_reply(cl, status);
      com_err(whoami, status, " (krb5_524_conv_principal failed)");
      goto out;
    }
  status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
		      realm);

  strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
  cl->entity[sizeof(cl->entity) - 1] = 0;

  com_err(whoami, 0, "krb5 auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);

 out:
  if (client)
    krb5_free_principal(context, client);
  if (server)
    krb5_free_principal(context, server);
  if (ticket)
    krb5_free_ticket(context, ticket);
  if (auth_con)
    krb5_auth_con_free(context, auth_con);
  return;
}
Commit	Line	Data
7ac48069	1	/* $Id$
	2	*
	3	* Handle server side of authentication
a3cf6921	4	*
7ac48069	5	* Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
	6	* For copying and distribution information, please see the file
	7	* <mit-copyright.h>.
a3cf6921	8	*
a3cf6921	9	*/
a3cf6921	10
c801de4c	11	#include <mit-copyright.h>
d548a4e7	12	#include "mr_server.h"
a3cf6921	13
7ac48069	14	#include <sys/types.h>
a3cf6921	15
7ac48069	16	#include <arpa/inet.h>
	17	#include <netinet/in.h>
	18
	19	#include <stdlib.h>
	20	#include <string.h>
	21
	22	RCSID("$Header$");
	23
	24	extern char whoami, host;
ed00e35e	25	extern int proxy_acl;
991417e4	26	extern krb5_context context;
ed00e35e	27
	28	static int set_client(client cl, char kname,
	29	char name, char inst, char *realm);
c1665e6d	30
cb974713	31	#ifdef HAVE_KRB4
3d0d0f07	32	typedef struct _replay_cache {
	33	KTEXT_ST auth;
	34	time_t expires;
	35	struct _replay_cache *next;
	36	} replay_cache;
	37
	38	replay_cache *rcache = NULL;
cb974713	39	#endif
3d0d0f07	40
a3cf6921	41	/*
d548a4e7	42	* Handle a MOIRA_AUTH RPC request.
a3cf6921	43	*
a3cf6921	44	* argv[0] is a kerberos authenticator. Decompose it, and if
5eaef520	45	* successful, store the name the user authenticated to in
a3cf6921	46	* cl->cl_name.
	47	*/
	48
8691463b	49	void do_auth(client *cl)
a3cf6921	50	{
cb974713	51	#ifdef HAVE_KRB4
5eaef520	52	KTEXT_ST auth;
5eaef520	53	AUTH_DAT ad;
ed00e35e	54	int status;
5eaef520	55	replay_cache rc, rcnew;
	56	time_t now;
	57
8691463b	58	auth.length = cl->req.mr_argl[0];
8691463b	59	memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
5eaef520	60	auth.mbz = 0;
5eaef520	61
85330553	62	if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
85330553	63	cl->haddr.sin_addr.s_addr, &ad, "")))
5eaef520	64	{
5eaef520	65	status += ERROR_TABLE_BASE_krb;
85330553	66	client_reply(cl, status);
85330553	67	com_err(whoami, status, " (authentication failed)");
5eaef520	68	return;
	69	}
	70
	71	if (!rcache)
	72	{
e688520a	73	rcache = xmalloc(sizeof(replay_cache));
5eaef520	74	memset(rcache, 0, sizeof(replay_cache));
	75	}
	76
	77	/* scan replay cache */
	78	for (rc = rcache->next; rc; rc = rc->next)
	79	{
	80	if (auth.length == rc->auth.length &&
	81	!memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	82	{
	83	com_err(whoami, 0,
	84	"Authenticator replay from %s using authenticator for %s",
	85	inet_ntoa(cl->haddr.sin_addr),
866127a1	86	mr_kname_unparse(ad.pname, ad.pinst, ad.prealm));
5eaef520	87	com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
85330553	88	client_reply(cl, KE_RD_AP_REPEAT);
5eaef520	89	return;
3d0d0f07	90	}
5eaef520	91	}
	92
	93	/* add new entry */
	94	time(&now);
e688520a	95	rcnew = xmalloc(sizeof(replay_cache));
5eaef520	96	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	97	rcnew->expires = now + 2 * CLOCK_SKEW;
	98	rcnew->next = rcache->next;
	99	rcache->next = rcnew;
	100
	101	/* clean cache */
	102	for (rc = rcnew; rc->next; )
	103	{
	104	if (rc->next->expires < now)
	105	{
	106	rcnew = rc->next;
	107	rc->next = rc->next->next;
	108	free(rcnew);
060e9c63	109	}
5eaef520	110	else
	111	rc = rc->next;
	112	}
	113
866127a1	114	status = set_client(cl, mr_kname_unparse(ad.pname, ad.pinst, ad.prealm),
ed00e35e	115	ad.pname, ad.pinst, ad.prealm);
5eaef520	116
ed00e35e	117	strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
ed00e35e	118	cl->entity[sizeof(cl->entity) - 1] = 0;
85330553	119
5eaef520	120	memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
5eaef520	121
85330553	122	com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	123	cl->clname, cl->entity, cl->users_id, cl->client_id);
	124
	125	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	126	client_reply(cl, status);
	127	else
	128	client_reply(cl, MR_USER_AUTH);
cb974713	129	#else
	130	client_reply(cl, MR_NO_KRB4);
	131	#endif
a3cf6921	132	}
ed00e35e	133
	134	void do_proxy(client *cl)
	135	{
8ac76f32	136	char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
ed00e35e	137	char kname[MAX_K_NAME_SZ];
	138
	139	if (cl->proxy_id)
	140	{
	141	com_err(whoami, MR_PERM, "Cannot re-proxy");
	142	client_reply(cl, MR_PERM);
	143	return;
	144	}
	145
cb974713	146	if (mr_kname_parse(name, inst, realm, cl->req.mr_argv[0]) != 0)
ed00e35e	147	{
	148	com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
	149	cl->req.mr_argv);
	150	client_reply(cl, KE_KNAME_FMT);
	151	return;
	152	}
	153
	154	if (!*realm)
	155	{
	156	strcpy(realm, krb_realm);
	157	sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
	158	}
	159	else
	160	strcpy(kname, cl->req.mr_argv[0]);
	161
	162	if (find_member("LIST", proxy_acl, cl))
	163	{
	164	cl->proxy_id = cl->client_id;
	165	set_client(cl, kname, name, inst, realm);
	166	com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
	167	kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
	168	client_reply(cl, MR_SUCCESS);
	169	}
	170	else
	171	{
	172	com_err(whoami, MR_PERM, "Proxy authentication denied");
	173	client_reply(cl, MR_PERM);
	174	}
	175	}
	176
	177	static int set_client(client cl, char kname,
	178	char name, char inst, char *realm)
	179	{
	180	int ok;
	181
	182	strncpy(cl->clname, kname, sizeof(cl->clname));
	183	cl->clname[sizeof(cl->clname) - 1] = '\0';
	184
991417e4	185	if ((!inst \|\| inst[0] == 0) && !strcmp(realm, krb_realm))
ed00e35e	186	ok = 1;
	187	else
	188	ok = 0;
	189	/* this is in a separate function because it accesses the database */
	190	return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
	191	}
991417e4	192
	193	void do_krb5_auth(client *cl)
	194	{
	195	krb5_data auth;
	196	krb5_auth_context auth_con = NULL;
	197	krb5_principal server = NULL, client = NULL;
	198	krb5_ticket *ticket;
	199	char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
	200	int status;
	201
	202	ticket = NULL;
	203
	204	status = krb5_auth_con_init(context, &auth_con);
	205	if (status)
	206	{
	207	client_reply(cl, status);
	208	com_err(whoami, status, "(krb5 auth context init failed)");
	209	goto out;
	210	}
	211
	212	status = krb5_sname_to_principal(context, host, MOIRA_SNAME,
	213	KRB5_NT_SRV_HST, &server);
	214	if (status)
	215	{
	216	client_reply(cl, status);
	217	com_err(whoami, status, "(krb5_sname_to_principal failed)");
	218	goto out;
	219	}
	220
	221	auth.length = cl->req.mr_argl[0];
	222	auth.data = cl->req.mr_argv[0];
	223
	224	status = krb5_rd_req(context, &auth_con, &auth, server, NULL, NULL,
	225	&ticket);
	226	if (status)
	227	{
	228	client_reply(cl, status);
	229	com_err(whoami, status, " (krb5 authentication failed)");
	230	goto out;
	231	}
	232
	233	status = krb5_copy_principal(context, ticket->enc_part2->client, &client);
	234	if (status)
	235	{
	236	client_reply(cl, status);
	237	com_err(whoami, status, " (krb5_copy_principal failed)");
	238	goto out;
	239	}
	240
	241	/* Always convert to krb4 style principal name for now. */
	242	status = krb5_524_conv_principal(context, client, name, inst, realm);
	243	if (status)
	244	{
	245	client_reply(cl, status);
	246	com_err(whoami, status, " (krb5_524_conv_principal failed)");
	247	goto out;
	248	}
	249	status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
	250	realm);
	251
	252	strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
	253	cl->entity[sizeof(cl->entity) - 1] = 0;
	254
991417e4	255	com_err(whoami, 0, "krb5 auth to %s using %s, uid %d cid %d",
	256	cl->clname, cl->entity, cl->users_id, cl->client_id);
	257
	258	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	259	client_reply(cl, status);
	260	else
	261	client_reply(cl, MR_USER_AUTH);
	262
	263	out:
	264	if (client)
	265	krb5_free_principal(context, client);
	266	if (server)
	267	krb5_free_principal(context, server);
	268	if (ticket)
	269	krb5_free_ticket(context, ticket);
	270	if (auth_con)
	271	krb5_auth_con_free(context, auth_con);
	272	return;
	273	}