]>
Commit | Line | Data |
---|---|---|
7ac48069 | 1 | /* $Id$ |
2 | * | |
3 | * Handle server side of authentication | |
a3cf6921 | 4 | * |
7ac48069 | 5 | * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology |
6 | * For copying and distribution information, please see the file | |
7 | * <mit-copyright.h>. | |
a3cf6921 | 8 | * |
a3cf6921 | 9 | */ |
10 | ||
c801de4c | 11 | #include <mit-copyright.h> |
d548a4e7 | 12 | #include "mr_server.h" |
a3cf6921 | 13 | |
7ac48069 | 14 | #include <sys/types.h> |
a3cf6921 | 15 | |
7ac48069 | 16 | #include <arpa/inet.h> |
17 | #include <netinet/in.h> | |
18 | ||
19 | #include <stdlib.h> | |
20 | #include <string.h> | |
21 | ||
22 | RCSID("$Header$"); | |
23 | ||
24 | extern char *whoami, *host; | |
c1665e6d | 25 | |
3d0d0f07 | 26 | typedef struct _replay_cache { |
27 | KTEXT_ST auth; | |
28 | time_t expires; | |
29 | struct _replay_cache *next; | |
30 | } replay_cache; | |
31 | ||
32 | replay_cache *rcache = NULL; | |
33 | ||
a3cf6921 | 34 | /* |
d548a4e7 | 35 | * Handle a MOIRA_AUTH RPC request. |
a3cf6921 | 36 | * |
37 | * argv[0] is a kerberos authenticator. Decompose it, and if | |
5eaef520 | 38 | * successful, store the name the user authenticated to in |
a3cf6921 | 39 | * cl->cl_name. |
40 | */ | |
41 | ||
85330553 | 42 | void do_auth(client *cl, mr_params req) |
a3cf6921 | 43 | { |
5eaef520 | 44 | KTEXT_ST auth; |
45 | AUTH_DAT ad; | |
46 | int status, ok; | |
5eaef520 | 47 | replay_cache *rc, *rcnew; |
48 | time_t now; | |
49 | ||
85330553 | 50 | auth.length = req.mr_argl[0]; |
51 | memcpy(auth.dat, req.mr_argv[0], auth.length); | |
5eaef520 | 52 | auth.mbz = 0; |
53 | ||
85330553 | 54 | if ((status = krb_rd_req(&auth, MOIRA_SNAME, host, |
55 | cl->haddr.sin_addr.s_addr, &ad, ""))) | |
5eaef520 | 56 | { |
57 | status += ERROR_TABLE_BASE_krb; | |
85330553 | 58 | client_reply(cl, status); |
59 | com_err(whoami, status, " (authentication failed)"); | |
5eaef520 | 60 | return; |
61 | } | |
62 | ||
63 | if (!rcache) | |
64 | { | |
65 | rcache = malloc(sizeof(replay_cache)); | |
66 | memset(rcache, 0, sizeof(replay_cache)); | |
67 | } | |
68 | ||
69 | /* scan replay cache */ | |
70 | for (rc = rcache->next; rc; rc = rc->next) | |
71 | { | |
72 | if (auth.length == rc->auth.length && | |
73 | !memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) | |
74 | { | |
75 | com_err(whoami, 0, | |
76 | "Authenticator replay from %s using authenticator for %s", | |
77 | inet_ntoa(cl->haddr.sin_addr), | |
78 | kname_unparse(ad.pname, ad.pinst, ad.prealm)); | |
79 | com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)"); | |
85330553 | 80 | client_reply(cl, KE_RD_AP_REPEAT); |
5eaef520 | 81 | return; |
3d0d0f07 | 82 | } |
5eaef520 | 83 | } |
84 | ||
85 | /* add new entry */ | |
86 | time(&now); | |
87 | rcnew = malloc(sizeof(replay_cache)); | |
88 | memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST)); | |
89 | rcnew->expires = now + 2 * CLOCK_SKEW; | |
90 | rcnew->next = rcache->next; | |
91 | rcache->next = rcnew; | |
92 | ||
93 | /* clean cache */ | |
94 | for (rc = rcnew; rc->next; ) | |
95 | { | |
96 | if (rc->next->expires < now) | |
97 | { | |
98 | rcnew = rc->next; | |
99 | rc->next = rc->next->next; | |
100 | free(rcnew); | |
060e9c63 | 101 | } |
5eaef520 | 102 | else |
103 | rc = rc->next; | |
104 | } | |
105 | ||
106 | memcpy(cl->kname.name, ad.pname, ANAME_SZ); | |
107 | memcpy(cl->kname.inst, ad.pinst, INST_SZ); | |
108 | memcpy(cl->kname.realm, ad.prealm, REALM_SZ); | |
109 | strcpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm)); | |
110 | ||
111 | if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm)) | |
112 | ok = 1; | |
113 | else | |
114 | ok = 0; | |
115 | /* this is in a separate function because it accesses the database */ | |
116 | status = set_krb_mapping(cl->clname, ad.pname, ok, | |
117 | &cl->client_id, &cl->users_id); | |
118 | ||
85330553 | 119 | strncpy(cl->entity, req.mr_argv[1], 8); |
120 | cl->entity[8] = 0; | |
121 | ||
5eaef520 | 122 | memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */ |
123 | ||
85330553 | 124 | com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d", |
125 | cl->clname, cl->entity, cl->users_id, cl->client_id); | |
126 | ||
127 | if (status != MR_SUCCESS || cl->users_id != 0) | |
128 | client_reply(cl, status); | |
129 | else | |
130 | client_reply(cl, MR_USER_AUTH); | |
a3cf6921 | 131 | } |