Implement AUTH_002, which isn't vulnerable to replay attacks. Remove

support for AUTH_001 from the update_server (to prevent an AUTH_002
authentication from being replayed as an AUTH_001 authentication.)
Remove INST_001 since it wasn't being used.

diff --git a/update/auth_001.c b/update/auth_002.c
similarity index 78%
rename from update/auth_001.c
rename to update/auth_002.c
index 0b3bd368eac623d61f10c4936c77beb03f8bc33c..ca621350198cc0481610aeb7db1f45fb99e5f5e3 100644 (file)
--- a/update/auth_001.c
+++ b/update/auth_002.c
@@ -7,7 +7,7 @@
 /*  <mit-copyright.h>. */
 
 #ifndef lint
-static char *rcsid_auth_001_c = "$Header$";
+static char *rcsid_auth_002_c = "$Header$";
 #endif
 
 #include <mit-copyright.h>
@@ -31,20 +31,23 @@ extern char *PrincipalHostname();
 static char service[] = "rcmd";
 static char master[] = "sms";
 static char qmark[] = "???";
-C_Block session;
+extern C_Block session;
 
 /*
- * authentication request auth_001:
+ * authentication request auth_002:
  *
- * >>> (STRING) "auth_001"
+ * >>> (STRING) "auth_002"
  * <<< (int) 0
  * >>> (STRING) ticket
  * <<< (int) code
+ * <<< (STRING) nonce
+ * >>> (STRING) encrypted nonce
+ * <<< (int) code
  *
  */
 
 int
-auth_001(str)
+auth_002(str)
      char *str;
 {
     STRING data;
@@ -56,9 +59,11 @@ auth_001(str)
 #ifdef POSIX
     struct utsname name;
 #endif
+    des_key_schedule sched;
+    C_Block nonce, nonce2;
 
     if (send_ok())
-       lose("sending okay for authorization (auth_001)");
+       lose("sending okay for authorization (auth_002)");
     code = receive_object(conn, (char *)&data, STRING_T);
     if (code) {
        code = connection_errno(conn);
@@ -109,6 +114,22 @@ auth_001(str)
        strcmp(ainst, ad.pinst) ||
        strcmp(arealm, ad.prealm))
       goto auth_failed;
+
+    if (send_ok())
+       lose("sending preliminary approval of authorization");
+
+    /* replay protection */
+    des_random_key(&nonce);
+    STRING_DATA(data) = (char *)nonce;
+    MAX_STRING_SIZE(data) = 8;
+    if (send_object(conn, (char *)&data, STRING_T))
+       lose("sending nonce");
+    code = receive_object(conn, (char *)&data, STRING_T);
+    des_key_sched(&ad.session, &sched);
+    des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
+    if (memcmp(nonce, nonce2, sizeof(nonce)))
+       goto auth_failed;
+
     if (send_ok())
        lose("sending approval of authorization");
     have_authorization = 1;

diff --git a/update/inst_001.c b/update/inst_001.c
deleted file mode 100644 (file)
index 6b02693..0000000
--- a/update/inst_001.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- *     $Source$
- *     $Header$
- */
-/*  (c) Copyright 1988 by the Massachusetts Institute of Technology. */
-/*  For copying and distribution information, please see the file */
-/*  <mit-copyright.h>. */
-
-#ifndef lint
-static char *rcsid_inst_001_c = "$Header$";
-#endif
-
-#include <mit-copyright.h>
-#include <stdio.h>
-#include <errno.h>
-#include <ctype.h>
-#include <gdb.h>
-#include <moira.h>
-
-STRING instructions = { 0, 0 };
-extern CONNECTION conn;
-extern int have_instructions, have_authorization;
-extern int code;
-extern char *whoami;
-
-
-/*
- * instruction sequence transmission:
- * syntax:
- *     >>> (STRING) "inst_001"
- *     <<< (int)0
- *     >>> (STRING) instructions
- *     <<< (int)0
- */
-
-inst_001(str)
-     char *str;
-{
-    int file_size;
-    int checksum;
-    char *pathname;
-    
-    if (config_lookup("noinstructions")) {
-       code = EPERM;
-       code = send_object(conn, (char *)&code, INTEGER_T);
-       com_err(whoami, EPERM, "Not allowed to receive instructions");
-       return;
-    }
-
-    str += 8;
-    while (*str == ' ')
-       str++;
-    if (!*str) {
-    failure:
-       reject_call(MR_ARGS);
-       return;
-    }
-    file_size = atoi(str);
-    while (isdigit(*str))
-       str++;
-    while (*str == ' ')
-       str++;
-    checksum = atoi(str);
-    while (isdigit(*str))
-       str++;
-    while (*str == ' ')
-       str++;
-    if (*str != '/')
-       goto failure;
-    pathname = str;
-    if (!have_authorization) {
-       reject_call(MR_PERM);
-       return;
-    }
-    code = send_ok();
-    if (code)
-       lose("sending ok for file xfer (2)");
-    code = get_file(pathname, file_size, checksum, 0555, 0);
-    if (!code) {
-       char buf[BUFSIZ];
-       have_instructions = 1;
-       strcpy(buf, "transferred file ");
-       strcat(buf, pathname);
-       mr_log_info(buf);
-    }
-#ifdef DEBUG
-    printf("got instructions: %s\n", STRING_DATA(instructions));
-#endif
-}

diff --git a/update/update_server.c b/update/update_server.c
index 992cf51d8c7f907f464a3f1db3f918f4ef7ecb49..a74fd87cd5063147603fd20fba3efe3843ea9213 100644 (file)
--- a/update/update_server.c
+++ b/update/update_server.c
@@ -25,24 +25,23 @@ static char *rcsid_dispatch_c = "$Header$";
 #include <termios.h>
 #endif
 #include "update.h"
+#include "des.h"
 
-extern int auth_001(), inst_001();
-extern int xfer_002(), xfer_003(), exec_002();
+extern int auth_002(), xfer_002(), xfer_003(), exec_002();
 
 extern int sync_proc(), quit();
 extern char *config_lookup();
 
 extern void gdb_debug();
 extern int errno;
-extern STRING instructions;
 
 CONNECTION conn;
 int code, log_priority;
 char *whoami;
 
 int have_authorization = 0;
+C_Block session;
 int have_file = 0;
-int have_instructions = 0;
 int done = 0;
 int uid = 0;
 
@@ -54,8 +53,7 @@ struct _dt {
      char *str;
      int (*proc)();
 } dispatch_table[] = {
-     { "INST_001", inst_001 },
-     { "AUTH_001", auth_001 },
+     { "AUTH_002", auth_002 },
      { "XFER_002", xfer_002 },
      { "XFER_003", xfer_003 },
      { "EXEC_002", exec_002 },
@@ -202,10 +200,7 @@ initialize()
 {
      /* keep have_authorization around */
      have_file = 0;
-     have_instructions = 0;
      done = 0;
-     if (STRING_DATA(instructions) != (char *)NULL)
-         string_free(&instructions);
 }