[moira.git] / update / auth_002.c

/* $Id$
 *
 * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 */

#include <mit-copyright.h>
#include <moira.h>
#include "update_server.h"

#include <sys/utsname.h>

#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_KRB4
#include <krb.h>
#endif

RCSID("$Header$");

static char service[] = "rcmd";
static char master[] = "sms";
static char qmark[] = "???";
#ifdef HAVE_KRB4
extern des_cblock session;
#endif

/*
 * authentication request auth_002:
 *
 * >>> (STRING) "auth_002"
 * <<< (int) 0
 * >>> (STRING) ticket
 * <<< (int) code
 * <<< (STRING) nonce
 * >>> (STRING) encrypted nonce
 * <<< (int) code
 *
 */

void auth_002(int conn, char *str)
{
#ifdef HAVE_KRB4
  char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
  AUTH_DAT ad;
  char *p, *first, *data;
  size_t size;
  KTEXT_ST ticket_st;
  des_key_schedule sched;
  des_cblock nonce, nonce2;
  long code;

  send_ok(conn);
  
  recv_string(conn, &data, &size);
  if (size > sizeof(ticket_st.dat))
    {
      code = KE_RD_AP_UNDEC;
      com_err(whoami, code, ": authenticator too large");
      send_int(conn, code);
      return;
    }
  memcpy(ticket_st.dat, data, size);
  free(data);
  ticket_st.mbz = 0;
  ticket_st.length = size;
  code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
		    &ad, KEYFILE);
  if (code)
    {
      code += ERROR_TABLE_BASE_krb;
      strcpy(ad.pname, qmark);
      strcpy(ad.pinst, qmark);
      strcpy(ad.prealm, qmark);
      goto auth_failed;
    }

  /* If there is an auth record in the config file matching the
   * authenticator we received, then accept it.  If there's no
   * auth record, assume [master]@[local realm].
   */
  if ((first = p = config_lookup("auth")))
    {
      do
	{
	  kname_parse(aname, ainst, arealm, p);
	  if (strcmp(aname, ad.pname) ||
	      strcmp(ainst, ad.pinst) ||
	      strcmp(arealm, ad.prealm))
	    p = config_lookup("auth");
	  else
	    p = first;
	}
      while (p != first);
    }
  else
    {
      strcpy(aname, master);
      strcpy(ainst, "");
      if (krb_get_lrealm(arealm, 1))
	strcpy(arealm, KRB_REALM);
    }
  code = EPERM;
  if (strcmp(aname, ad.pname) ||
      strcmp(ainst, ad.pinst) ||
      strcmp(arealm, ad.prealm))
    goto auth_failed;

  send_ok(conn);

  /* replay protection */
  des_random_key(&nonce);
  send_string(conn, (char *)nonce, sizeof(nonce));
  recv_string(conn, &data, &size);
  des_key_sched(ad.session, sched);
  des_ecb_encrypt(data, nonce2, sched, 0);
  free(data);
  if (memcmp(nonce, nonce2, sizeof(nonce)))
    goto auth_failed;
  send_ok(conn);

  have_authorization = 1;
  /* Stash away session key */
  memcpy(session, ad.session, sizeof(session));
  return;

auth_failed:
  com_err(whoami, code, "auth for %s.%s@%s failed",
	  ad.pname, ad.pinst, ad.prealm);
  send_int(conn, code);
#else
  send_int(conn, MR_NO_KRB4);
#endif
}
Commit	Line	Data
7ac48069	1	/* $Id$
	2	*
	3	* Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
	4	* For copying and distribution information, please see the file
	5	* <mit-copyright.h>.
de56407f	6	*/
de56407f	7
546bc43b	8	#include <mit-copyright.h>
7ac48069	9	#include <moira.h>
	10	#include "update_server.h"
	11
	12	#include <sys/utsname.h>
	13
	14	#include <errno.h>
de56407f	15	#include <stdio.h>
eedd0489	16	#include <string.h>
7ac48069	17
cb974713	18	#ifdef HAVE_KRB4
de56407f	19	#include <krb.h>
cb974713	20	#endif
7ac48069	21
7ac48069	22	RCSID("$Header$");
de56407f	23
1c6164bb	24	static char service[] = "rcmd";
1c6164bb	25	static char master[] = "sms";
de56407f	26	static char qmark[] = "???";
cb974713	27	#ifdef HAVE_KRB4
85330553	28	extern des_cblock session;
cb974713	29	#endif
de56407f	30
de56407f	31	/*
5df6ee25	32	* authentication request auth_002:
de56407f	33	*
5df6ee25	34	* >>> (STRING) "auth_002"
de56407f	35	* <<< (int) 0
	36	* >>> (STRING) ticket
	37	* <<< (int) code
5df6ee25	38	* <<< (STRING) nonce
	39	* >>> (STRING) encrypted nonce
	40	* <<< (int) code
de56407f	41	*
	42	*/
	43
85330553	44	void auth_002(int conn, char *str)
de56407f	45	{
cb974713	46	#ifdef HAVE_KRB4
5eaef520	47	char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
5eaef520	48	AUTH_DAT ad;
85330553	49	char p, first, *data;
85330553	50	size_t size;
5eaef520	51	KTEXT_ST ticket_st;
5eaef520	52	des_key_schedule sched;
85330553	53	des_cblock nonce, nonce2;
85330553	54	long code;
de56407f	55
85330553	56	send_ok(conn);
	57
	58	recv_string(conn, &data, &size);
	59	if (size > sizeof(ticket_st.dat))
5eaef520	60	{
85330553	61	code = KE_RD_AP_UNDEC;
	62	com_err(whoami, code, ": authenticator too large");
	63	send_int(conn, code);
	64	return;
de56407f	65	}
85330553	66	memcpy(ticket_st.dat, data, size);
85330553	67	free(data);
5eaef520	68	ticket_st.mbz = 0;
85330553	69	ticket_st.length = size;
85330553	70	code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
5eaef520	71	&ad, KEYFILE);
	72	if (code)
	73	{
	74	code += ERROR_TABLE_BASE_krb;
	75	strcpy(ad.pname, qmark);
	76	strcpy(ad.pinst, qmark);
	77	strcpy(ad.prealm, qmark);
	78	goto auth_failed;
de56407f	79	}
c47daf21	80
5eaef520	81	/* If there is an auth record in the config file matching the
	82	* authenticator we received, then accept it. If there's no
	83	* auth record, assume [master]@[local realm].
	84	*/
7ac48069	85	if ((first = p = config_lookup("auth")))
5eaef520	86	{
	87	do
	88	{
	89	kname_parse(aname, ainst, arealm, p);
	90	if (strcmp(aname, ad.pname) \|\|
	91	strcmp(ainst, ad.pinst) \|\|
	92	strcmp(arealm, ad.prealm))
	93	p = config_lookup("auth");
	94	else
	95	p = first;
	96	}
	97	while (p != first);
c47daf21	98	}
5eaef520	99	else
	100	{
	101	strcpy(aname, master);
	102	strcpy(ainst, "");
	103	if (krb_get_lrealm(arealm, 1))
	104	strcpy(arealm, KRB_REALM);
	105	}
	106	code = EPERM;
	107	if (strcmp(aname, ad.pname) \|\|
	108	strcmp(ainst, ad.pinst) \|\|
	109	strcmp(arealm, ad.prealm))
	110	goto auth_failed;
5df6ee25	111
85330553	112	send_ok(conn);
5df6ee25	113
5eaef520	114	/* replay protection */
5eaef520	115	des_random_key(&nonce);
85330553	116	send_string(conn, (char *)nonce, sizeof(nonce));
85330553	117	recv_string(conn, &data, &size);
5eaef520	118	des_key_sched(ad.session, sched);
85330553	119	des_ecb_encrypt(data, nonce2, sched, 0);
85330553	120	free(data);
5eaef520	121	if (memcmp(nonce, nonce2, sizeof(nonce)))
5eaef520	122	goto auth_failed;
85330553	123	send_ok(conn);
5df6ee25	124
5eaef520	125	have_authorization = 1;
	126	/* Stash away session key */
	127	memcpy(session, ad.session, sizeof(session));
85330553	128	return;
85330553	129
de56407f	130	auth_failed:
85330553	131	com_err(whoami, code, "auth for %s.%s@%s failed",
	132	ad.pname, ad.pinst, ad.prealm);
	133	send_int(conn, code);
cb974713	134	#else
e51080f9	135	send_int(conn, MR_NO_KRB4);
cb974713	136	#endif
de56407f	137	}