3 * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
4 * For copying and distribution information, please see the file
8 #include <mit-copyright.h>
10 #include "update_server.h"
12 #include <sys/utsname.h>
21 static char service[] = "rcmd";
22 static char master[] = "sms";
23 static char qmark[] = "???";
24 extern des_cblock session;
27 * authentication request auth_002:
29 * >>> (STRING) "auth_002"
34 * >>> (STRING) encrypted nonce
39 void auth_002(int conn, char *str)
41 char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
43 char *p, *first, *data;
46 des_key_schedule sched;
47 des_cblock nonce, nonce2;
52 recv_string(conn, &data, &size);
53 if (size > sizeof(ticket_st.dat))
55 code = KE_RD_AP_UNDEC;
56 com_err(whoami, code, ": authenticator too large");
60 memcpy(ticket_st.dat, data, size);
63 ticket_st.length = size;
64 code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
68 code += ERROR_TABLE_BASE_krb;
69 strcpy(ad.pname, qmark);
70 strcpy(ad.pinst, qmark);
71 strcpy(ad.prealm, qmark);
75 /* If there is an auth record in the config file matching the
76 * authenticator we received, then accept it. If there's no
77 * auth record, assume [master]@[local realm].
79 if ((first = p = config_lookup("auth")))
83 kname_parse(aname, ainst, arealm, p);
84 if (strcmp(aname, ad.pname) ||
85 strcmp(ainst, ad.pinst) ||
86 strcmp(arealm, ad.prealm))
87 p = config_lookup("auth");
95 strcpy(aname, master);
97 if (krb_get_lrealm(arealm, 1))
98 strcpy(arealm, KRB_REALM);
101 if (strcmp(aname, ad.pname) ||
102 strcmp(ainst, ad.pinst) ||
103 strcmp(arealm, ad.prealm))
108 /* replay protection */
109 des_random_key(&nonce);
110 send_string(conn, (char *)nonce, sizeof(nonce));
111 recv_string(conn, &data, &size);
112 des_key_sched(ad.session, sched);
113 des_ecb_encrypt(data, nonce2, sched, 0);
115 if (memcmp(nonce, nonce2, sizeof(nonce)))
119 have_authorization = 1;
120 /* Stash away session key */
121 memcpy(session, ad.session, sizeof(session));
125 com_err(whoami, code, "auth for %s.%s@%s failed",
126 ad.pname, ad.pinst, ad.prealm);
127 send_int(conn, code);