]>
Commit | Line | Data |
---|---|---|
1 | /* $Id$ | |
2 | * | |
3 | * Handle server side of authentication | |
4 | * | |
5 | * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology | |
6 | * For copying and distribution information, please see the file | |
7 | * <mit-copyright.h>. | |
8 | * | |
9 | */ | |
10 | ||
11 | #include <mit-copyright.h> | |
12 | #include "mr_server.h" | |
13 | ||
14 | #include <sys/types.h> | |
15 | ||
16 | #include <arpa/inet.h> | |
17 | #include <netinet/in.h> | |
18 | ||
19 | #include <stdlib.h> | |
20 | #include <string.h> | |
21 | ||
22 | RCSID("$Header$"); | |
23 | ||
24 | extern char *whoami, *host; | |
25 | extern int proxy_acl; | |
26 | ||
27 | static int set_client(client *cl, char *kname, | |
28 | char *name, char *inst, char *realm); | |
29 | ||
30 | typedef struct _replay_cache { | |
31 | KTEXT_ST auth; | |
32 | time_t expires; | |
33 | struct _replay_cache *next; | |
34 | } replay_cache; | |
35 | ||
36 | replay_cache *rcache = NULL; | |
37 | ||
38 | /* | |
39 | * Handle a MOIRA_AUTH RPC request. | |
40 | * | |
41 | * argv[0] is a kerberos authenticator. Decompose it, and if | |
42 | * successful, store the name the user authenticated to in | |
43 | * cl->cl_name. | |
44 | */ | |
45 | ||
46 | void do_auth(client *cl) | |
47 | { | |
48 | KTEXT_ST auth; | |
49 | AUTH_DAT ad; | |
50 | int status; | |
51 | replay_cache *rc, *rcnew; | |
52 | time_t now; | |
53 | ||
54 | auth.length = cl->req.mr_argl[0]; | |
55 | memcpy(auth.dat, cl->req.mr_argv[0], auth.length); | |
56 | auth.mbz = 0; | |
57 | ||
58 | if ((status = krb_rd_req(&auth, MOIRA_SNAME, host, | |
59 | cl->haddr.sin_addr.s_addr, &ad, ""))) | |
60 | { | |
61 | status += ERROR_TABLE_BASE_krb; | |
62 | client_reply(cl, status); | |
63 | com_err(whoami, status, " (authentication failed)"); | |
64 | return; | |
65 | } | |
66 | ||
67 | if (!rcache) | |
68 | { | |
69 | rcache = xmalloc(sizeof(replay_cache)); | |
70 | memset(rcache, 0, sizeof(replay_cache)); | |
71 | } | |
72 | ||
73 | /* scan replay cache */ | |
74 | for (rc = rcache->next; rc; rc = rc->next) | |
75 | { | |
76 | if (auth.length == rc->auth.length && | |
77 | !memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) | |
78 | { | |
79 | com_err(whoami, 0, | |
80 | "Authenticator replay from %s using authenticator for %s", | |
81 | inet_ntoa(cl->haddr.sin_addr), | |
82 | kname_unparse(ad.pname, ad.pinst, ad.prealm)); | |
83 | com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)"); | |
84 | client_reply(cl, KE_RD_AP_REPEAT); | |
85 | return; | |
86 | } | |
87 | } | |
88 | ||
89 | /* add new entry */ | |
90 | time(&now); | |
91 | rcnew = xmalloc(sizeof(replay_cache)); | |
92 | memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST)); | |
93 | rcnew->expires = now + 2 * CLOCK_SKEW; | |
94 | rcnew->next = rcache->next; | |
95 | rcache->next = rcnew; | |
96 | ||
97 | /* clean cache */ | |
98 | for (rc = rcnew; rc->next; ) | |
99 | { | |
100 | if (rc->next->expires < now) | |
101 | { | |
102 | rcnew = rc->next; | |
103 | rc->next = rc->next->next; | |
104 | free(rcnew); | |
105 | } | |
106 | else | |
107 | rc = rc->next; | |
108 | } | |
109 | ||
110 | status = set_client(cl, kname_unparse(ad.pname, ad.pinst, ad.prealm), | |
111 | ad.pname, ad.pinst, ad.prealm); | |
112 | ||
113 | strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1); | |
114 | cl->entity[sizeof(cl->entity) - 1] = 0; | |
115 | ||
116 | memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */ | |
117 | ||
118 | com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d", | |
119 | cl->clname, cl->entity, cl->users_id, cl->client_id); | |
120 | ||
121 | if (status != MR_SUCCESS || cl->users_id != 0) | |
122 | client_reply(cl, status); | |
123 | else | |
124 | client_reply(cl, MR_USER_AUTH); | |
125 | } | |
126 | ||
127 | void do_proxy(client *cl) | |
128 | { | |
129 | char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; | |
130 | char kname[MAX_K_NAME_SZ]; | |
131 | ||
132 | if (cl->proxy_id) | |
133 | { | |
134 | com_err(whoami, MR_PERM, "Cannot re-proxy"); | |
135 | client_reply(cl, MR_PERM); | |
136 | return; | |
137 | } | |
138 | ||
139 | if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS) | |
140 | { | |
141 | com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s", | |
142 | cl->req.mr_argv); | |
143 | client_reply(cl, KE_KNAME_FMT); | |
144 | return; | |
145 | } | |
146 | ||
147 | if (!*realm) | |
148 | { | |
149 | strcpy(realm, krb_realm); | |
150 | sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm); | |
151 | } | |
152 | else | |
153 | strcpy(kname, cl->req.mr_argv[0]); | |
154 | ||
155 | if (find_member("LIST", proxy_acl, cl)) | |
156 | { | |
157 | cl->proxy_id = cl->client_id; | |
158 | set_client(cl, kname, name, inst, realm); | |
159 | com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s", | |
160 | kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]); | |
161 | client_reply(cl, MR_SUCCESS); | |
162 | } | |
163 | else | |
164 | { | |
165 | com_err(whoami, MR_PERM, "Proxy authentication denied"); | |
166 | client_reply(cl, MR_PERM); | |
167 | } | |
168 | } | |
169 | ||
170 | static int set_client(client *cl, char *kname, | |
171 | char *name, char *inst, char *realm) | |
172 | { | |
173 | int ok; | |
174 | ||
175 | strncpy(cl->clname, kname, sizeof(cl->clname)); | |
176 | cl->clname[sizeof(cl->clname) - 1] = '\0'; | |
177 | ||
178 | if (inst[0] == 0 && !strcmp(realm, krb_realm)) | |
179 | ok = 1; | |
180 | else | |
181 | ok = 0; | |
182 | /* this is in a separate function because it accesses the database */ | |
183 | return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id); | |
184 | } |