extern time_t now;
+char hostbuf[BUFSIZ], *host;
+
int do_listen(char *port);
void do_reset_listen(void);
void clist_append(client *cp);
{
int status, i;
time_t tardy;
- char *port;
+ char *port, *p;
extern char *database;
struct stat stbuf;
sanity_check_queries();
+ /*
+ * Get moira server hostname for authentication
+ */
+ if (gethostname(hostbuf, sizeof(hostbuf)) < 0) {
+ com_err(whoami, errno, "Unable to get local hostname");
+ exit(1);
+ }
+ host = canonicalize_hostname(strsave(hostbuf));
+ for (p = host; *p && *p != '.'; p++)
+ if (isupper(*p))
+ *p = tolower(*p);
+ *p = 0;
+
/*
* Set up client array handler.
*/
#include <ctype.h>
#include <krb_et.h>
#include <moira.h>
+#include <time.h>
-extern char buf1[];
-extern char *whoami;
+extern char *whoami, *host;
/* from libmoira */
char *kname_unparse(char *, char *, char *);
+typedef struct _replay_cache {
+ KTEXT_ST auth;
+ time_t expires;
+ struct _replay_cache *next;
+} replay_cache;
+
+replay_cache *rcache = NULL;
+
/*
* Handle a MOIRA_AUTH RPC request.
*
KTEXT_ST auth;
AUTH_DAT ad;
int status, ok;
- char hostbuf[BUFSIZ], *host, *p;
extern int errno;
+ replay_cache *rc, *rcnew;
+ time_t now;
auth.length = cl->args->mr_argl[0];
memcpy((char *)auth.dat, cl->args->mr_argv[0], auth.length);
auth.mbz = 0;
- if (gethostname(hostbuf, sizeof(hostbuf)) < 0)
- com_err(whoami, errno, "Unable to get local hostname");
- host = canonicalize_hostname(strsave(hostbuf));
- for (p = host; *p && *p != '.'; p++)
- if (isupper(*p))
- *p = tolower(*p);
- *p = 0;
if ((status = krb_rd_req (&auth, MOIRA_SNAME, host,
cl->haddr.sin_addr.s_addr, &ad, "")) != 0) {
status += ERROR_TABLE_BASE_krb;
cl->reply.mr_status = status;
if (log_flags & LOG_RES)
- com_err(whoami, status, "(authentication failed)");
+ com_err(whoami, status, " (authentication failed)");
return;
}
- free(host);
+
+ if(!rcache) {
+ rcache = (replay_cache*)malloc(sizeof(replay_cache));
+ memset(rcache, 0, sizeof(replay_cache));
+ }
+
+ /* scan replay cache */
+ for (rc = rcache->next; rc; rc = rc->next) {
+ if(auth.length == rc->auth.length &&
+ !memcmp(&(auth.dat), &(rc->auth.dat), auth.length)) {
+ com_err(whoami, 0, "Authenticator replay from %s using authenticator for %s",
+ inet_ntoa(cl->haddr.sin_addr),
+ kname_unparse(ad.pname, ad.pinst, ad.prealm));
+ com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
+ cl->reply.mr_status = KE_RD_AP_REPEAT;
+ return;
+ }
+ }
+
+ /* add new entry */
+ time(&now);
+ rcnew = (replay_cache*)malloc(sizeof(replay_cache));
+ memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
+ rcnew->expires = now + 2*CLOCK_SKEW;
+ rcnew->next = rcache->next;
+ rcache->next = rcnew;
+
+ /* clean cache */
+ for (rc = rcnew; rc->next; ) {
+ if(rc->next->expires < now) {
+ rcnew = rc->next;
+ rc->next = rc->next->next;
+ free(rcnew);
+ } else rc = rc->next;
+ }
memcpy(cl->kname.name, ad.pname, ANAME_SZ);
memcpy(cl->kname.inst, ad.pinst, INST_SZ);
andersk / moira.git / commitdiff
