3 * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
4 * For copying and distribution information, please see the file
8 #include <mit-copyright.h>
10 #include "update_server.h"
12 #include <sys/utsname.h>
22 static char service[] = "rcmd";
23 static char master[] = "sms";
24 static char qmark[] = "???";
25 extern des_cblock session;
28 * authentication request auth_002:
30 * >>> (STRING) "auth_002"
35 * >>> (STRING) encrypted nonce
40 void auth_002(int conn, char *str)
42 char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
44 char *p, *first, *data;
47 des_key_schedule sched;
48 des_cblock nonce, nonce2;
53 recv_string(conn, &data, &size);
54 if (size > sizeof(ticket_st.dat))
56 code = KE_RD_AP_UNDEC;
57 com_err(whoami, code, ": authenticator too large");
61 memcpy(ticket_st.dat, data, size);
64 ticket_st.length = size;
65 code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
69 code += ERROR_TABLE_BASE_krb;
70 strcpy(ad.pname, qmark);
71 strcpy(ad.pinst, qmark);
72 strcpy(ad.prealm, qmark);
76 /* If there is an auth record in the config file matching the
77 * authenticator we received, then accept it. If there's no
78 * auth record, assume [master]@[local realm].
80 if ((first = p = config_lookup("auth")))
84 kname_parse(aname, ainst, arealm, p);
85 if (strcmp(aname, ad.pname) ||
86 strcmp(ainst, ad.pinst) ||
87 strcmp(arealm, ad.prealm))
88 p = config_lookup("auth");
96 strcpy(aname, master);
98 if (krb_get_lrealm(arealm, 1))
99 strcpy(arealm, KRB_REALM);
102 if (strcmp(aname, ad.pname) ||
103 strcmp(ainst, ad.pinst) ||
104 strcmp(arealm, ad.prealm))
109 /* replay protection */
110 des_random_key(&nonce);
111 send_string(conn, (char *)nonce, sizeof(nonce));
112 recv_string(conn, &data, &size);
113 des_key_sched(ad.session, sched);
114 des_ecb_encrypt(data, nonce2, sched, 0);
116 if (memcmp(nonce, nonce2, sizeof(nonce)))
120 have_authorization = 1;
121 /* Stash away session key */
122 memcpy(session, ad.session, sizeof(session));
126 com_err(whoami, code, "auth for %s.%s@%s failed",
127 ad.pname, ad.pinst, ad.prealm);
128 send_int(conn, code);