[moira.git] / server / mr_sauth.c

/* $Id$
 *
 * Handle server side of authentication
 *
 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 */

#include <mit-copyright.h>
#include "mr_server.h"

#include <sys/types.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <stdlib.h>
#include <string.h>

RCSID("$Header$");

extern char *whoami, *host;

typedef struct _replay_cache {
  KTEXT_ST auth;
  time_t expires;
  struct _replay_cache *next;
} replay_cache;

replay_cache *rcache = NULL;

/*
 * Handle a MOIRA_AUTH RPC request.
 *
 * argv[0] is a kerberos authenticator.  Decompose it, and if
 * successful, store the name the user authenticated to in
 * cl->cl_name.
 */

void do_auth(client *cl, mr_params req)
{
  KTEXT_ST auth;
  AUTH_DAT ad;
  int status, ok;
  replay_cache *rc, *rcnew;
  time_t now;

  auth.length = req.mr_argl[0];
  memcpy(auth.dat, req.mr_argv[0], auth.length);
  auth.mbz = 0;

  if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
			   cl->haddr.sin_addr.s_addr, &ad, "")))
    {
      status += ERROR_TABLE_BASE_krb;
      client_reply(cl, status);
      com_err(whoami, status, " (authentication failed)");
      return;
    }

  if (!rcache)
    {
      rcache = malloc(sizeof(replay_cache));
      memset(rcache, 0, sizeof(replay_cache));
    }

  /* scan replay cache */
  for (rc = rcache->next; rc; rc = rc->next)
    {
      if (auth.length == rc->auth.length &&
	  !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	{
	  com_err(whoami, 0,
		  "Authenticator replay from %s using authenticator for %s",
		  inet_ntoa(cl->haddr.sin_addr),
		  kname_unparse(ad.pname, ad.pinst, ad.prealm));
	  com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
	  client_reply(cl, KE_RD_AP_REPEAT);
	  return;
	}
    }

  /* add new entry */
  time(&now);
  rcnew = malloc(sizeof(replay_cache));
  memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
  rcnew->expires = now + 2 * CLOCK_SKEW;
  rcnew->next = rcache->next;
  rcache->next = rcnew;

  /* clean cache */
  for (rc = rcnew; rc->next; )
    {
      if (rc->next->expires < now)
	{
	  rcnew = rc->next;
	  rc->next = rc->next->next;
	  free(rcnew);
	}
      else
	rc = rc->next;
    }

  memcpy(cl->kname.name, ad.pname, ANAME_SZ);
  memcpy(cl->kname.inst, ad.pinst, INST_SZ);
  memcpy(cl->kname.realm, ad.prealm, REALM_SZ);
  strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm));

  if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm))
    ok = 1;
  else
    ok = 0;
  /* this is in a separate function because it accesses the database */
  status = set_krb_mapping(cl->clname, ad.pname, ok,
			   &cl->client_id, &cl->users_id);

  strncpy(cl->entity, req.mr_argv[1], 8);
  cl->entity[8] = 0;

  memset(&ad, 0, sizeof(ad));	/* Clean up session key, etc. */

  com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	  cl->clname, cl->entity, cl->users_id, cl->client_id);

  if (status != MR_SUCCESS || cl->users_id != 0)
    client_reply(cl, status);
  else
    client_reply(cl, MR_USER_AUTH);
}
Commit	Line	Data
7ac48069	1	/* $Id$
	2	*
	3	* Handle server side of authentication
a3cf6921	4	*
7ac48069	5	* Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
	6	* For copying and distribution information, please see the file
	7	* <mit-copyright.h>.
a3cf6921	8	*
a3cf6921	9	*/
a3cf6921	10
c801de4c	11	#include <mit-copyright.h>
d548a4e7	12	#include "mr_server.h"
a3cf6921	13
7ac48069	14	#include <sys/types.h>
a3cf6921	15
7ac48069	16	#include <arpa/inet.h>
	17	#include <netinet/in.h>
	18
	19	#include <stdlib.h>
	20	#include <string.h>
	21
	22	RCSID("$Header$");
	23
	24	extern char whoami, host;
c1665e6d	25
3d0d0f07	26	typedef struct _replay_cache {
	27	KTEXT_ST auth;
	28	time_t expires;
	29	struct _replay_cache *next;
	30	} replay_cache;
	31
	32	replay_cache *rcache = NULL;
	33
a3cf6921	34	/*
d548a4e7	35	* Handle a MOIRA_AUTH RPC request.
a3cf6921	36	*
a3cf6921	37	* argv[0] is a kerberos authenticator. Decompose it, and if
5eaef520	38	* successful, store the name the user authenticated to in
a3cf6921	39	* cl->cl_name.
	40	*/
	41
85330553	42	void do_auth(client *cl, mr_params req)
a3cf6921	43	{
5eaef520	44	KTEXT_ST auth;
	45	AUTH_DAT ad;
	46	int status, ok;
5eaef520	47	replay_cache rc, rcnew;
	48	time_t now;
	49
85330553	50	auth.length = req.mr_argl[0];
85330553	51	memcpy(auth.dat, req.mr_argv[0], auth.length);
5eaef520	52	auth.mbz = 0;
5eaef520	53
85330553	54	if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
85330553	55	cl->haddr.sin_addr.s_addr, &ad, "")))
5eaef520	56	{
5eaef520	57	status += ERROR_TABLE_BASE_krb;
85330553	58	client_reply(cl, status);
85330553	59	com_err(whoami, status, " (authentication failed)");
5eaef520	60	return;
	61	}
	62
	63	if (!rcache)
	64	{
	65	rcache = malloc(sizeof(replay_cache));
	66	memset(rcache, 0, sizeof(replay_cache));
	67	}
	68
	69	/* scan replay cache */
	70	for (rc = rcache->next; rc; rc = rc->next)
	71	{
	72	if (auth.length == rc->auth.length &&
	73	!memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
	74	{
	75	com_err(whoami, 0,
	76	"Authenticator replay from %s using authenticator for %s",
	77	inet_ntoa(cl->haddr.sin_addr),
	78	kname_unparse(ad.pname, ad.pinst, ad.prealm));
	79	com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
85330553	80	client_reply(cl, KE_RD_AP_REPEAT);
5eaef520	81	return;
3d0d0f07	82	}
5eaef520	83	}
	84
	85	/* add new entry */
	86	time(&now);
	87	rcnew = malloc(sizeof(replay_cache));
	88	memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
	89	rcnew->expires = now + 2 * CLOCK_SKEW;
	90	rcnew->next = rcache->next;
	91	rcache->next = rcnew;
	92
	93	/* clean cache */
	94	for (rc = rcnew; rc->next; )
	95	{
	96	if (rc->next->expires < now)
	97	{
	98	rcnew = rc->next;
	99	rc->next = rc->next->next;
	100	free(rcnew);
060e9c63	101	}
5eaef520	102	else
	103	rc = rc->next;
	104	}
	105
	106	memcpy(cl->kname.name, ad.pname, ANAME_SZ);
	107	memcpy(cl->kname.inst, ad.pinst, INST_SZ);
	108	memcpy(cl->kname.realm, ad.prealm, REALM_SZ);
	109	strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm));
	110
	111	if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm))
	112	ok = 1;
	113	else
	114	ok = 0;
	115	/* this is in a separate function because it accesses the database */
	116	status = set_krb_mapping(cl->clname, ad.pname, ok,
	117	&cl->client_id, &cl->users_id);
	118
85330553	119	strncpy(cl->entity, req.mr_argv[1], 8);
	120	cl->entity[8] = 0;
	121
5eaef520	122	memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
5eaef520	123
85330553	124	com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
	125	cl->clname, cl->entity, cl->users_id, cl->client_id);
	126
	127	if (status != MR_SUCCESS \|\| cl->users_id != 0)
	128	client_reply(cl, status);
	129	else
	130	client_reply(cl, MR_USER_AUTH);
a3cf6921	131	}