diff --git a/sys/include/authsrv.h b/sys/include/authsrv.h index 9de941f3f..d8fbf36bc 100644 --- a/sys/include/authsrv.h +++ b/sys/include/authsrv.h @@ -12,6 +12,8 @@ typedef struct Passwordreq Passwordreq; typedef struct OChapreply OChapreply; typedef struct OMSchapreply OMSchapreply; +typedef struct Authkey Authkey; + enum { ANAMELEN= 28, /* name max size in previous proto */ @@ -110,22 +112,27 @@ struct OMSchapreply }; #define OMSCHAPREPLYLEN (ANAMELEN+24+24) +struct Authkey +{ + char des[DESKEYLEN]; +}; + /* * convert to/from wire format */ -extern int convT2M(Ticket*, char*, char*); -extern void convM2T(char*, Ticket*, char*); -extern int convA2M(Authenticator*, char*, char*); -extern void convM2A(char*, Authenticator*, char*); -extern int convTR2M(Ticketreq*, char*); -extern void convM2TR(char*, Ticketreq*); -extern int convPR2M(Passwordreq*, char*, char*); -extern void convM2PR(char*, Passwordreq*, char*); +extern int convT2M(Ticket*, char*, int, Authkey*); +extern int convM2T(char*, int, Ticket*, Authkey*); +extern int convA2M(Authenticator*, char*, int, Ticket*); +extern int convM2A(char*, int, Authenticator*, Ticket*); +extern int convTR2M(Ticketreq*, char*, int); +extern int convM2TR(char*, int, Ticketreq*); +extern int convPR2M(Passwordreq*, char*, int, Ticket*); +extern int convM2PR(char*, int, Passwordreq*, Ticket*); /* * convert ascii password to DES key */ -extern int passtokey(char*, char*); +extern int passtokey(Authkey*, char*); /* * Nvram interface @@ -167,5 +174,7 @@ extern int authdial(char *netroot, char *authdom); /* * exchange messages with auth server */ -extern int _asgetticket(int, char*, char*); +extern int _asgetticket(int, Ticketreq*, char*, int); +extern int _asrequest(int, Ticketreq*); +extern int _asgetresp(int, Ticket*, Authenticator*, Authkey *); extern int _asrdresp(int, char*, int); diff --git a/sys/man/2/authsrv b/sys/man/2/authsrv index 9eec0a426..70b1e7057 100644 --- a/sys/man/2/authsrv +++ b/sys/man/2/authsrv 
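Review bot: The rewritten prototypes for convT2M through convM2PR change the return type to int, and the `<= 0` test that main() in authsrv.c applies to convM2TR shows callers treat a non-positive result as failure, yet the comment `/* convert to/from wire format */` above them still says nothing about the new length argument or the return convention. I would extend it to state that the int argument bounds the message buffer and that each routine returns the number of bytes produced or consumed, with 0 or less signalling a short or malformed message, so callers that add the result to an offset know they must check it. Minor style point on the last hunk: `_asgetresp(int, Ticket*, Authenticator*, Authkey *)` spaces the pointer star differently from every other declaration in this header; `Authkey*` would match.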
@@ -1,6 +1,6 @@ .TH AUTHSRV 2 .SH NAME -authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrdresp \- routines for communicating with authentication servers +authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrequest, _asgetresp, _asrdresp \- routines for communicating with authentication servers .SH SYNOPSIS .nf .PP @@ -15,7 +15,7 @@ authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, co int authdial(char *netroot, char *ad); .PP .B -int passtokey(char key[DESKEYLEN], char *password) +int passtokey(Authkey *key, char *password) .PP .B uchar nvcsum(void *mem, int len) 
@@ -24,34 +24,40 @@ uchar nvcsum(void *mem, int len) int readnvram(Nvrsafe *nv, int flag); .PPP .B -int convT2M(Ticket *t, char *msg, char *key) +int convT2M(Ticket *t, char *msg, int len, Authkey *key) .PP .B -void convM2T(char *msg, Ticket *t, char *key) +int convM2T(char *msg, int len, Ticket *t, Authkey *key) .PP .B -int convA2M(Authenticator *a, char *msg, char *key) +int convA2M(Authenticator *a, char *msg, int len, Ticket *t) .PP .B -void convM2A(char *msg, Authenticator *a, char *key) +int convM2A(char *msg, int len, Authenticator *a, Ticket *t) .PP .B -int convTR2M(Ticketreq *tr, char *msg) +int convTR2M(Ticketreq *tr, char *msg, int len) .PP .B -void convM2TR(char *msg, Ticketreq *tr) +int convM2TR(char *msg, int len, Ticketreq *tr) .PP .B -int convPR2M(Passwordreq *pr, char *msg, char *key) +int convPR2M(Passwordreq *pr, char *msg, int len, Ticket *t) .PP .B -void convM2PR(char *msg, Passwordreq *pr, char *key) +int convM2PR(char *msg, int len, Passwordreq *pr, Ticket *t) .PP .B -int _asgetticket(int fd, char *trbuf, char *tbuf); +int _asgetticket(int fd, Ticketreq *tr, char *buf, int len) .PP .B -int _asrdresp(int fd, char *buf, int len); +int _asrequest(int fd, Ticketreq *tr) +.PP +.B +int _asgetresp(int fd, Ticket *t, Authenticator *a, Authkey *key) +.PP +.B +int _asrdresp(int fd, char *buf, int len) .SH DESCRIPTION .I Authdial dials an authentication server over the @@ -99,7 +105,9 @@ is used to make the call. .I Passtokey converts .I password -into a DES key and stores the result in +into a set of cryptographic keys and stores them in the +.I Authkey +structure .IR key . It returns 0 if .I password 
@@ -213,18 +221,34 @@ are used to convert them back. .I Key is used for encrypting the message before transmission and decrypting after reception. -.PP -The routine -.I _asgetresp -receives either a character array or an error string. -On error, it sets errstr and returns -1. If successful, -it returns the number of bytes received. +.IR ConvA2M , +.IR convM2A , +.I convPR2M +and +.I convM2PR +encrypt/decrypt the message with the random ticket key. .PP The routine .I _asgetticket -sends a ticket request message and then uses +sends a ticket request +.I tr +returning the two encrypted tickets in +.IR buf . +The routine +.I _asrequest +encodes the ticket request +.I tr +and sends it not waiting for a response. +After sending a request, .I _asgetresp -to recieve an answer. +can be used to receive the response containing a ticket and an optional +authenticator and decrypts the ticket and authenticator using +.IR key . +The routine +.I _asrdresp +receives either a character array or an error string. +On error, it sets errstr and returns -1. If successful, +it returns the number of bytes received. .SH SOURCE .B /sys/src/libauthsrv .SH SEE ALSO diff --git a/sys/src/cmd/auth/as.c b/sys/src/cmd/auth/as.c index 89d1285e9..59317b0af 100644 --- a/sys/src/cmd/auth/as.c +++ b/sys/src/cmd/auth/as.c @@ -8,6 +8,7 @@ #include #include #include +#include #include "authcmdlib.h" int debug; diff --git a/sys/src/cmd/auth/authcmdlib.h b/sys/src/cmd/auth/authcmdlib.h index 78a3a7078..b8e31ee13 100644 --- a/sys/src/cmd/auth/authcmdlib.h +++ b/sys/src/cmd/auth/authcmdlib.h 
@@ -39,13 +39,14 @@ extern Fs fs[3]; void checksum(char*, char*); void error(char*, ...); void fail(char*); -char* findkey(char*, char*, char*); +int findkey(char*, char*, Authkey*); +char* finddeskey(char*, char*, char*); char* findsecret(char*, char*, char*); -int getauthkey(char*); +int getauthkey(Authkey*); long getexpiration(char *db, char *u); -void getpass(char*, char*, int, int); +void getpass(Authkey*, char*, int, int); int getsecret(int, char*); -int keyfmt(Fmt*); +int deskeyfmt(Fmt*); void logfail(char*); int netcheck(void*, long, char*); char* netdecimal(char*); @@ -58,7 +59,8 @@ int readfile(char*, char*, int); void readln(char*, char*, int, int); long readn(int, void*, long); char* secureidcheck(char*, char*); -char* setkey(char*, char*, char*); +int setkey(char*, char*, Authkey*); +char* setdeskey(char*, char*, char*); char* setsecret(char*, char*, char*); int smartcheck(void*, long, char*); void succeed(char*); diff --git a/sys/src/cmd/auth/authsrv.c b/sys/src/cmd/auth/authsrv.c index bef741a37..e6dd65867 100644 --- a/sys/src/cmd/auth/authsrv.c +++ b/sys/src/cmd/auth/authsrv.c @@ -30,22 +30,24 @@ void vnc(Ticketreq*); int speaksfor(char*, char*); void replyerror(char*, ...); void getraddr(char*); -void mkkey(char*); +void mkkey(Authkey*); +int samekey(Authkey*, Authkey*); +void mkticket(Ticketreq*, Ticket*); void randombytes(uchar*, int); void nthash(uchar hash[MShashlen], char *passwd); void lmhash(uchar hash[MShashlen], char *passwd); void ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom); void mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen]); void desencrypt(uchar data[8], uchar key[7]); -int tickauthreply(Ticketreq*, char*); +int tickauthreply(Ticketreq*, Authkey*); void safecpy(char*, char*, int); - void main(int argc, char *argv[]) { char buf[TICKREQLEN]; Ticketreq tr; + int n; ARGBEGIN{ case 'd': 
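Review bot: authcmdlib.h now names Authkey in findkey, getauthkey, getpass and setkey but does not declare it, so every includer must have the header that defines Authkey (sys/include/authsrv.h in this commit) before `#include "authcmdlib.h"`; the as.c and cron.c hunks add such an include, whose name is stripped in this rendering, which suggests the ordering dependency is real. I would put a one-line note at the top of authcmdlib.h, e.g. `/* requires <authsrv.h> to be included first (Authkey) */`, or forward-declare the struct tag there, so a tool that includes authcmdlib.h alone fails with a clear message rather than a stray syntax error. The declaration list continues outside the hunk.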
@@ -64,11 +66,10 @@ main(int argc, char *argv[]) srand(time(0)*getpid()); for(;;){ - if(readn(0, buf, TICKREQLEN) <= 0) + n = readn(0, buf, sizeof(buf)); + if(n <= 0 || convM2TR(buf, n, &tr) <= 0) exits(0); - - convM2TR(buf, &tr); - switch(buf[0]){ + switch(tr.type){ case AuthTreq: ticketrequest(&tr); break; @@ -97,7 +98,7 @@ main(int argc, char *argv[]) vnc(&tr); break; default: - syslog(0, AUTHLOG, "unknown ticket request type: %d", buf[0]); + syslog(0, AUTHLOG, "unknown ticket request type: %d", tr.type); exits(0); } } 
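Review bot: In main's read loop the new test `if(n <= 0 || convM2TR(buf, n, &tr) <= 0) exits(0);` folds a peer hangup and a ticket request that fails to decode into the same silent exit, whereas an unknown request type a few lines below is logged with its type. For an authentication server a request that does not decode deserves a log line with the peer address so probing is visible: keep the `n <= 0` exit as is and handle the decode failure separately with `if(debug) syslog(0, AUTHLOG, "malformed ticket request (%s)", raddr);` before `exits(0)`. raddr is what the other failure paths in this file log; whether it is already populated at this point in main is not visible in the hunk, so confirm. main continues outside the hunk.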
@@ -107,45 +108,39 @@ main(int argc, char *argv[]) int ticketrequest(Ticketreq *tr) { - char akey[DESKEYLEN]; - char hkey[DESKEYLEN]; - Ticket t; + Authkey akey, hkey; char tbuf[2*TICKETLEN+1]; + Ticket t; + int n; - if(findkey(KEYDB, tr->authid, akey) == 0){ + if(!findkey(KEYDB, tr->authid, &akey)){ /* make one up so caller doesn't know it was wrong */ - mkkey(akey); + mkkey(&akey); if(debug) syslog(0, AUTHLOG, "tr-fail authid %s", raddr); } - if(findkey(KEYDB, tr->hostid, hkey) == 0){ + if(!findkey(KEYDB, tr->hostid, &hkey)){ /* make one up so caller doesn't know it was wrong */ - mkkey(hkey); + mkkey(&hkey); if(debug) syslog(0, AUTHLOG, "tr-fail hostid %s(%s)", tr->hostid, raddr); } - memset(&t, 0, sizeof(t)); - memmove(t.chal, tr->chal, CHALLEN); - strcpy(t.cuid, tr->uid); - if(speaksfor(tr->hostid, tr->uid)) - strcpy(t.suid, tr->uid); - else { - mkkey(akey); - mkkey(hkey); + mkticket(tr, &t); + if(!speaksfor(tr->hostid, tr->uid)){ + mkkey(&akey); + mkkey(&hkey); if(debug) syslog(0, AUTHLOG, "tr-fail %s@%s(%s) -> %s@%s no speaks for", tr->uid, tr->hostid, raddr, tr->uid, tr->authid); } - - mkkey(t.key); - - tbuf[0] = AuthOK; + n = 0; + tbuf[n++] = AuthOK; t.num = AuthTc; - convT2M(&t, tbuf+1, hkey); + n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &hkey); t.num = AuthTs; - convT2M(&t, tbuf+1+TICKETLEN, akey); - if(write(1, tbuf, 2*TICKETLEN+1) < 0){ + n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &akey); + if(write(1, tbuf, n) < 0){ if(debug) syslog(0, AUTHLOG, "tr-fail %s@%s(%s): hangup", tr->uid, tr->hostid, raddr); 
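Review bot: The new `n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &hkey);` and the matching line for akey add the return value to the offset without checking it, so if convT2M reports failure with 0 or a negative value, as main's `convM2TR(...) <= 0` test suggests this family does, the reply goes out short or with a wrong offset instead of being rejected; changepasswd, http and tickauthreply in later hunks follow the same pattern. I would capture the result first, e.g. `if((m = convT2M(&t, tbuf+n, sizeof(tbuf)-n, &hkey)) <= 0) exits(0); n += m;`, with `int m` added to the declarations. A second inconsistency in this hunk: the reply is still sent with `if(write(1, tbuf, n) < 0)`, which accepts a short write, while changepasswd and tickauthreply in this same commit test `!= n` and http does not check the write at all; `!= n` everywhere would be consistent. ticketrequest's body continues past the hunk.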
@@ -163,22 +158,23 @@ challengebox(Ticketreq *tr) { long chal; char *key, *netkey; - char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN]; + Authkey hkey; + char kbuf[DESKEYLEN], nkbuf[DESKEYLEN]; char buf[NETCHLEN+1]; char *err; - key = findkey(KEYDB, tr->uid, kbuf); - netkey = findkey(NETKEYDB, tr->uid, nkbuf); - if(key == 0 && netkey == 0){ + key = finddeskey(KEYDB, tr->uid, kbuf); + netkey = finddeskey(NETKEYDB, tr->uid, nkbuf); + if(key == nil && netkey == nil){ /* make one up so caller doesn't know it was wrong */ - mkkey(nkbuf); + randombytes((uchar*)nkbuf, DESKEYLEN); netkey = nkbuf; if(debug) syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr); } - if(findkey(KEYDB, tr->hostid, hkey) == 0){ + if(!findkey(KEYDB, tr->hostid, &hkey)){ /* make one up so caller doesn't know it was wrong */ - mkkey(hkey); + mkkey(&hkey); if(debug) syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid, tr->uid, raddr); @@ -195,8 +191,8 @@ challengebox(Ticketreq *tr) exits(0); if(readn(0, buf, NETCHLEN) < 0) exits(0); - if(!(key && netcheck(key, chal, buf)) - && !(netkey && netcheck(netkey, chal, buf)) + if(!(key != nil && netcheck(key, chal, buf)) + && !(netkey != nil && netcheck(netkey, chal, buf)) && (err = secureidcheck(tr->uid, buf)) != nil){ replyerror("cr-fail %s %s %s", err, tr->uid, raddr); logfail(tr->uid); @@ -210,7 +206,7 @@ challengebox(Ticketreq *tr) /* * reply with ticket & authenticator */ - if(tickauthreply(tr, hkey) < 0){ + if(tickauthreply(tr, &hkey) < 0){ if(debug) syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup", tr->uid, tr->hostid, raddr); 
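Review bot: The context line `if(readn(0, buf, NETCHLEN) < 0)` in challengebox still accepts a short read, so a client that closes early has its partial response, padded with whatever buf already held, passed on to netcheck and secureidcheck, while the same commit tightens apop's response read to `!= MD5dlen*2` in a later hunk. Changing it to `if(readn(0, buf, NETCHLEN) != NETCHLEN)` gives challengebox the same treatment. Whether buf is zeroed before the read is not visible here; the function continues outside the hunk.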
@@ -229,36 +225,36 @@ changepasswd(Ticketreq *tr) char tbuf[TICKETLEN+1]; char prbuf[PASSREQLEN]; Passwordreq pr; - char okey[DESKEYLEN], nkey[DESKEYLEN]; + Authkey okey, nkey; char *err; + int n; - if(findkey(KEYDB, tr->uid, okey) == 0){ + if(!findkey(KEYDB, tr->uid, &okey)){ /* make one up so caller doesn't know it was wrong */ - mkkey(okey); + mkkey(&okey); syslog(0, AUTHLOG, "cp-fail uid %s", raddr); } /* send back a ticket with a new key */ - memmove(t.chal, tr->chal, CHALLEN); - mkkey(t.key); - tbuf[0] = AuthOK; + mkticket(tr, &t); t.num = AuthTp; - safecpy(t.cuid, tr->uid, sizeof(t.cuid)); - safecpy(t.suid, tr->uid, sizeof(t.suid)); - convT2M(&t, tbuf+1, okey); - write(1, tbuf, sizeof(tbuf)); + n = 0; + tbuf[n++] = AuthOK; + n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &okey); + if(write(1, tbuf, n) != n) + exits(0); /* loop trying passwords out */ for(;;){ - if(readn(0, prbuf, PASSREQLEN) < 0) + n = readn(0, prbuf, sizeof(prbuf)); + if(n <= 0 || convM2PR(prbuf, n, &pr, &t) <= 0) exits(0); - convM2PR(prbuf, &pr, t.key); if(pr.num != AuthPass){ replyerror("protocol botch1: %s", raddr); exits(0); } - passtokey(nkey, pr.old); - if(memcmp(nkey, okey, DESKEYLEN)){ + passtokey(&nkey, pr.old); + if(!samekey(&nkey, &okey)){ replyerror("protocol botch2: %s", raddr); continue; } @@ -268,13 +264,13 @@ changepasswd(Ticketreq *tr) replyerror("%s %s", err, raddr); continue; } - passtokey(nkey, pr.new); + passtokey(&nkey, pr.new); } if(pr.changesecret && setsecret(KEYDB, tr->uid, pr.secret) == 0){ replyerror("can't write secret %s", raddr); continue; } - if(*pr.new && setkey(KEYDB, tr->uid, nkey) == 0){ + if(*pr.new && setkey(KEYDB, tr->uid, &nkey) == 0){ replyerror("can't write key %s", raddr); continue; } 
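Review bot: Both `passtokey(&nkey, pr.old)` and `passtokey(&nkey, pr.new)` discard passtokey's return value even though the man page hunk in this commit documents a distinct 0 return; when the call fails, nkey keeps its previous contents, so the old-password check `samekey(&nkey, &okey)` runs against stale bytes, and a failed derivation of pr.new after a successful old-password check leaves nkey equal to okey, which setkey then writes back as the "new" key. I would test the result at both sites, e.g. `if(passtokey(&nkey, pr.new) == 0){ replyerror("bad password %s", raddr); continue; }`; the other call sites that ignore it are http in this file, authfutz in debug.c and p9response in factotum/p9cr.c. What conditions make passtokey return 0 is not in the diff, so confirm before choosing the message. changepasswd continues outside the hunk.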
@@ -292,15 +288,14 @@ http(Ticketreq *tr) { Ticket t; char tbuf[TICKETLEN+1]; - char key[DESKEYLEN]; + Authkey key; char *p; Biobuf *b; int n; - randombytes((uchar*)key, DESKEYLEN); - /* use plan9 key when there is any */ - findkey(KEYDB, tr->uid, key); + if(!findkey(KEYDB, tr->uid, &key)) + mkkey(&key); n = strlen(tr->uid); b = Bopen("/sys/lib/httppasswords", OREAD); @@ -315,21 +310,20 @@ http(Ticketreq *tr) p += n; while(*p == ' ' || *p == '\t') p++; - passtokey(key, p); + passtokey(&key, p); } } Bterm(b); } /* send back a ticket encrypted with the key */ + mkticket(tr, &t); randombytes((uchar*)t.chal, CHALLEN); - mkkey(t.key); - tbuf[0] = AuthOK; t.num = AuthHr; - safecpy(t.cuid, tr->uid, sizeof(t.cuid)); - safecpy(t.suid, tr->uid, sizeof(t.suid)); - convT2M(&t, tbuf+1, key); - write(1, tbuf, sizeof(tbuf)); + n = 0; + tbuf[n++] = AuthOK; + n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &key); + write(1, tbuf, n); } static char* @@ -339,13 +333,13 @@ domainname(void) static char *domain; int n; - if(domain) + if(domain != nil) return domain; if(*sysname) return sysname; domain = csgetvalue(0, "sys", sysname, "dom", nil); - if(domain) + if(domain != nil) return domain; n = readfile("/dev/sysname", sysname, sizeof(sysname)-1); @@ -373,12 +367,13 @@ h2b(char c) void apop(Ticketreq *tr, int type) { - int challen, i, tries; - char *secret, *hkey, *p; + int challen, i, n, tries; + char *secret, *p; + Authkey hkey; Ticketreq treq; DigestState *s; - char sbuf[SECRETLEN], hbuf[DESKEYLEN]; - char tbuf[TICKREQLEN]; + char sbuf[SECRETLEN]; + char trbuf[TICKREQLEN]; char buf[MD5dlen*2]; uchar digest[MD5dlen], resp[MD5dlen]; ulong rb[4]; @@ -401,9 +396,9 @@ apop(Ticketreq *tr, int type) /* * get ticket request */ - if(readn(0, tbuf, TICKREQLEN) < 0) + n = readn(0, trbuf, sizeof(trbuf)); + if(n <= 0 || convM2TR(trbuf, n, &treq) <= 0) exits(0); - convM2TR(tbuf, &treq); tr = &treq; if(tr->type != type) exits(0); 
@@ -411,7 +406,7 @@ apop(Ticketreq *tr, int type) /* * read response */ - if(readn(0, buf, MD5dlen*2) < 0) + if(readn(0, buf, MD5dlen*2) != MD5dlen*2) exits(0); for(i = 0; i < MD5dlen; i++) resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]); @@ -420,8 +415,7 @@ apop(Ticketreq *tr, int type) * lookup */ secret = findsecret(KEYDB, tr->uid, sbuf); - hkey = findkey(KEYDB, tr->hostid, hbuf); - if(hkey == 0 || secret == 0){ + if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){ replyerror("apop-fail bad response %s", raddr); logfail(tr->uid); if(tries > 5) @@ -455,7 +449,7 @@ apop(Ticketreq *tr, int type) /* * reply with ticket & authenticator */ - if(tickauthreply(tr, hkey) < 0) + if(tickauthreply(tr, &hkey) < 0) exits(0); if(debug){ @@ -493,10 +487,11 @@ uchar swizzletab[256] = { void vnc(Ticketreq *tr) { + char *secret; + Authkey hkey; uchar chal[VNCchallen+6]; uchar reply[VNCchallen]; - char *secret, *hkey; - char sbuf[SECRETLEN], hbuf[DESKEYLEN]; + char sbuf[SECRETLEN]; DESstate s; int i; @@ -514,18 +509,15 @@ vnc(Ticketreq *tr) */ memset(sbuf, 0, sizeof(sbuf)); secret = findsecret(KEYDB, tr->uid, sbuf); - if(secret == 0){ + if(secret == nil){ randombytes((uchar*)sbuf, sizeof(sbuf)); secret = sbuf; } for(i = 0; i < 8; i++) secret[i] = swizzletab[(uchar)secret[i]]; - hkey = findkey(KEYDB, tr->hostid, hbuf); - if(hkey == 0){ - randombytes((uchar*)hbuf, sizeof(hbuf)); - hkey = hbuf; - } + if(!findkey(KEYDB, tr->hostid, &hkey)) + mkkey(&hkey); /* * get response @@ -548,7 +540,7 @@ vnc(Ticketreq *tr) /* * reply with ticket & authenticator */ - if(tickauthreply(tr, hkey) < 0) + if(tickauthreply(tr, &hkey) < 0) exits(0); if(debug) @@ -558,9 +550,10 @@ vnc(Ticketreq *tr) void chap(Ticketreq *tr) { - char *secret, *hkey; + char *secret; + Authkey hkey; DigestState *s; - char sbuf[SECRETLEN], hbuf[DESKEYLEN]; + char sbuf[SECRETLEN]; uchar digest[MD5dlen]; char chal[CHALLEN]; OChapreply reply; 
@@ -582,8 +575,7 @@ chap(Ticketreq *tr) * lookup */ secret = findsecret(KEYDB, tr->uid, sbuf); - hkey = findkey(KEYDB, tr->hostid, hbuf); - if(hkey == 0 || secret == 0){ + if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){ replyerror("chap-fail bad response %s", raddr); logfail(tr->uid); exits(0); @@ -607,7 +599,7 @@ chap(Ticketreq *tr) /* * reply with ticket & authenticator */ - if(tickauthreply(tr, hkey) < 0) + if(tickauthreply(tr, &hkey) < 0) exits(0); if(debug) @@ -671,8 +663,9 @@ static uchar ntblobsig[] = {0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; void mschap(Ticketreq *tr) { - char *secret, *hkey; - char sbuf[SECRETLEN], hbuf[DESKEYLEN], windom[128]; + char *secret; + Authkey hkey; + char sbuf[SECRETLEN], windom[128]; uchar chal[CHALLEN], ntblob[1024]; uchar hash[MShashlen]; uchar hash2[MShashlen]; @@ -743,8 +736,7 @@ mschap(Ticketreq *tr) * lookup */ secret = findsecret(KEYDB, tr->uid, sbuf); - hkey = findkey(KEYDB, tr->hostid, hbuf); - if(hkey == 0 || secret == 0){ + if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){ replyerror("mschap-fail bad response %s/%s(%s)", tr->uid, tr->hostid, raddr); logfail(tr->uid); @@ -812,7 +804,7 @@ mschap(Ticketreq *tr) /* * reply with ticket & authenticator */ - if(tickauthreply(tr, hkey) < 0) + if(tickauthreply(tr, &hkey) < 0) exits(0); if(debug) @@ -939,16 +931,16 @@ speaksfor(char *speaker, char *user) if(strcmp(speaker, user) == 0) return 1; - if(db == 0) + if(db == nil) return 0; tp = ndbsearch(db, &s, "hostid", speaker); - if(tp == 0) + if(tp == nil) return 0; ok = 0; snprint(notuser, sizeof notuser, "!%s", user); - for(ntp = tp; ntp; ntp = ntp->entry) + for(ntp = tp; ntp != nil; ntp = ntp->entry) if(strcmp(ntp->attr, "uid") == 0){ if(strcmp(ntp->val, notuser) == 0){ ok = 0; 
@@ -1003,9 +995,25 @@ getraddr(char *dir) } void -mkkey(char *k) +mkkey(Authkey *k) { - randombytes((uchar*)k, DESKEYLEN); + randombytes((uchar*)k->des, DESKEYLEN); +} + +int +samekey(Authkey *a, Authkey *b) +{ + return memcmp(a->des, b->des, DESKEYLEN) == 0; +} + +void +mkticket(Ticketreq *tr, Ticket *t) +{ + memset(t, 0, sizeof(Ticket)); + memmove(t->chal, tr->chal, CHALLEN); + safecpy(t->cuid, tr->uid, sizeof(t->cuid)); + safecpy(t->suid, tr->uid, sizeof(t->suid)); + randombytes((uchar*)t->key, DESKEYLEN); } void @@ -1024,25 +1032,24 @@ randombytes(uchar *buf, int len) * reply with ticket and authenticator */ int -tickauthreply(Ticketreq *tr, char *hkey) +tickauthreply(Ticketreq *tr, Authkey *hkey) { Ticket t; Authenticator a; char buf[TICKETLEN+AUTHENTLEN+1]; + int n; - memset(&t, 0, sizeof(t)); - memmove(t.chal, tr->chal, CHALLEN); - safecpy(t.cuid, tr->uid, sizeof t.cuid); - safecpy(t.suid, tr->uid, sizeof t.suid); - mkkey(t.key); - buf[0] = AuthOK; + mkticket(tr, &t); t.num = AuthTs; - convT2M(&t, buf+1, hkey); + n = 0; + buf[n++] = AuthOK; + n += convT2M(&t, buf+n, sizeof(buf)-n, hkey); + memset(&a, 0, sizeof(a)); memmove(a.chal, t.chal, CHALLEN); a.num = AuthAc; a.id = 0; - convA2M(&a, buf+TICKETLEN+1, t.key); - if(write(1, buf, TICKETLEN+AUTHENTLEN+1) < 0) + n += convA2M(&a, buf+n, sizeof(buf)-n, &t); + if(write(1, buf, n) != n) return -1; return 0; } @@ -1053,3 +1060,4 @@ safecpy(char *to, char *from, int len) strncpy(to, from, len); to[len-1] = 0; } + diff --git a/sys/src/cmd/auth/changeuser.c b/sys/src/cmd/auth/changeuser.c index 71a59fc03..aebf14b10 100644 --- a/sys/src/cmd/auth/changeuser.c +++ b/sys/src/cmd/auth/changeuser.c @@ -5,7 +5,7 @@ #include #include "authcmdlib.h" -void install(char*, char*, char*, long, int); +void install(char*, char*, Authkey*, long, int); int exists (char*, char*); void 
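Review bot: The new samekey helper compares key material with `memcmp`, which stops at the first differing byte, and changepasswd uses it to check a key derived from the caller-supplied old password against the stored key; a constant-time comparison is the safer building block for a helper with this name and costs nothing for DESKEYLEN bytes. Whether the early exit is measurable over this protocol is not something the diff shows, so treat it as defence in depth. The same hunk's tickauthreply adds the returns of convT2M and convA2M to `n` unchecked, the point already raised on ticketrequest.
```c
int
samekey(Authkey *a, Authkey *b)
{
	int i, d;

	/* accumulate differences so the time taken does not depend on where the keys diverge */
	for(d = i = 0; i < DESKEYLEN; i++)
		d |= a->des[i] ^ b->des[i];
	return d == 0;
}
```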
@@ -18,14 +18,15 @@ usage(void) void main(int argc, char *argv[]) { - char *u, key[DESKEYLEN], answer[32], p9pass[32]; + char *u, answer[32], p9pass[32]; int which, i, newkey, newbio, dosecret; long t; + Authkey key; Acctbio a; Fs *f; srand(getpid()*time(0)); - fmtinstall('K', keyfmt); + fmtinstall('K', deskeyfmt); which = 0; ARGBEGIN{ @@ -61,10 +62,10 @@ main(int argc, char *argv[]) newkey = 0; } if(newkey) - getpass(key, p9pass, 1, 1); + getpass(&key, p9pass, 1, 1); dosecret = getsecret(newkey, p9pass); t = getexpiration(f->keys, u); - install(f->keys, u, key, t, newkey); + install(f->keys, u, &key, t, newkey); if(dosecret && setsecret(KEYDB, u, p9pass) == 0) error("error writing Inferno/pop secret"); newbio = querybio(f->who, u, &a); @@ -83,17 +84,17 @@ main(int argc, char *argv[]) } if(newkey) for(i=0; ikeys, u); newbio = querybio(f->who, u, &a); } - install(f->keys, u, key, t, newkey); + install(f->keys, u, &key, t, newkey); if(newbio) wrbio(f->who, &a); - findkey(f->keys, u, key); - print("user %s: SecureNet key: %K\n", u, key); - checksum(key, answer); + finddeskey(f->keys, u, key.des); + print("user %s: SecureNet key: %K\n", u, key.des); + checksum(key.des, answer); print("verify with checksum %s\n", answer); print("user %s installed for SecureNet\n", u); syslog(0, AUTHLOG, "user %s installed for securenet", u); @@ -102,7 +103,7 @@ main(int argc, char *argv[]) } void -install(char *db, char *u, char *key, long t, int newkey) +install(char *db, char *u, Authkey *key, long t, int newkey) { char buf[KEYDBBUF+ANAMELEN+20]; int fd; @@ -118,7 +119,7 @@ install(char *db, char *u, char *key, long t, int newkey) if(newkey){ sprint(buf, "%s/%s/key", db, u); fd = open(buf, OWRITE); - if(fd < 0 || write(fd, key, DESKEYLEN) != DESKEYLEN) + if(fd < 0 || write(fd, key->des, DESKEYLEN) != DESKEYLEN) error("can't set key: %r"); close(fd); } diff --git a/sys/src/cmd/auth/convkeys.c b/sys/src/cmd/auth/convkeys.c index dcd2c027f..bb7d553b3 100644 
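Review bot: `finddeskey(f->keys, u, key.des);` discards the lookup result, and the two lines after it print the SecureNet key and its checksum from key.des, which this function only initialises through getpass when newkey is set; a failed lookup therefore prints leftover stack bytes as the user's key. Checking the result, e.g. `if(finddeskey(f->keys, u, key.des) == nil) error("can't read key for %s: %r", u);`, turns that into a visible failure. The stretch `for(i=0; ikeys, u);` in this hunk is garbled in this rendering, so I could not review it; main continues outside the hunk.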
--- a/sys/src/cmd/auth/convkeys.c +++ b/sys/src/cmd/auth/convkeys.c @@ -7,19 +7,19 @@ #include #include "authcmdlib.h" -char authkey[DESKEYLEN]; +Authkey authkey; int verb; int usepass; -int convert(char*, char*, int); -int dofcrypt(int, char*, char*, int); +int convert(char*, Authkey*, int); void usage(void); void main(int argc, char *argv[]) { Dir *d; - char *p, *file, key[DESKEYLEN]; + Authkey key; + char *p, *file; int fd, len; ARGBEGIN{ @@ -40,12 +40,12 @@ main(int argc, char *argv[]) /* get original key */ if(usepass){ print("enter password file is encoded with\n"); - getpass(authkey, nil, 0, 1); + getpass(&authkey, nil, 0, 1); } else - getauthkey(authkey); + getauthkey(&authkey); if(!verb){ print("enter password to reencode with\n"); - getpass(key, nil, 0, 1); + getpass(&key, nil, 0, 1); } fd = open(file, ORDWR); @@ -60,7 +60,7 @@ main(int argc, char *argv[]) error("out of memory"); if(read(fd, p, len) != len) error("can't read key file: %r\n"); - len = convert(p, key, len); + len = convert(p, &key, len); if(verb) exits(0); if(pwrite(fd, p, len, 0) != len) @@ -128,7 +128,7 @@ badname(char *s) } int -convert(char *p, char *key, int len) +convert(char *p, Authkey *key, int len) { int i; @@ -139,7 +139,7 @@ convert(char *p, char *key, int len) len -= len % KEYDBLEN; } len += KEYDBOFF; - oldCBCdecrypt(authkey, p, len); + oldCBCdecrypt(authkey.des, p, len); for(i = KEYDBOFF; i < len; i += KEYDBLEN) if (badname(&p[i])) { print("bad name %.30s... - aborting\n", &p[i]); @@ -150,7 +150,7 @@ convert(char *p, char *key, int len) print("%s\n", &p[i]); randombytes((uchar*)p, 8); - oldCBCencrypt(key, p, len); + oldCBCencrypt(key->des, p, len); return len; } diff --git a/sys/src/cmd/auth/convkeys2.c b/sys/src/cmd/auth/convkeys2.c index f8e6feffe..bb4e3e41d 100644 --- a/sys/src/cmd/auth/convkeys2.c +++ b/sys/src/cmd/auth/convkeys2.c 
@@ -6,12 +6,11 @@ #include #include "authcmdlib.h" -char authkey[DESKEYLEN]; +Authkey authkey; int verb; int usepass; -int convert(char*, char*, char*, int); -int dofcrypt(int, char*, char*, int); +int convert(char*, char*, Authkey*, int); void usage(void); void randombytes(uchar*, int); @@ -19,7 +18,8 @@ void main(int argc, char *argv[]) { Dir *d; - char *p, *np, *file, key[DESKEYLEN]; + Authkey key; + char *p, *np, *file; int fd, len; ARGBEGIN{ @@ -40,11 +40,11 @@ main(int argc, char *argv[]) /* get original key */ if(usepass){ print("enter password file is encoded with\n"); - getpass(authkey, nil, 0, 1); + getpass(&authkey, nil, 0, 1); } else - getauthkey(authkey); + getauthkey(&authkey); print("enter password to reencode with\n"); - getpass(key, nil, 0, 1); + getpass(&key, nil, 0, 1); fd = open(file, ORDWR); if(fd < 0) @@ -61,7 +61,7 @@ main(int argc, char *argv[]) error("out of memory"); if(read(fd, p, len) != len) error("can't read key file: %r\n"); - len = convert(p, np, key, len); + len = convert(p, np, &key, len); if(verb) exits(0); if(pwrite(fd, np, len, 0) != len) @@ -84,7 +84,7 @@ oldCBCencrypt(char *key7, char *p, int len) } int -convert(char *p, char *np, char *key, int len) +convert(char *p, char *np, Authkey *key, int len) { int i, off, noff; @@ -95,7 +95,7 @@ convert(char *p, char *np, char *key, int len) for(i = 0; i < len; i ++){ off = i*OKEYDBLEN; noff = KEYDBOFF+i*(KEYDBLEN); - decrypt(authkey, &p[off], OKEYDBLEN); + decrypt(authkey.des, &p[off], OKEYDBLEN); memmove(&np[noff], &p[off], OKEYDBLEN); memset(&np[noff-SECRETLEN], 0, SECRETLEN); if(verb) @@ -103,7 +103,7 @@ convert(char *p, char *np, char *key, int len) } randombytes((uchar*)np, KEYDBOFF); len = (len*KEYDBLEN) + KEYDBOFF; - oldCBCencrypt(key, np, len); + oldCBCencrypt(key->des, np, len); return len; } diff --git a/sys/src/cmd/auth/cron.c b/sys/src/cmd/auth/cron.c index 425f2420d..57f1479a9 100644 --- a/sys/src/cmd/auth/cron.c +++ b/sys/src/cmd/auth/cron.c 
@@ -3,6 +3,7 @@ #include #include #include +#include #include "authcmdlib.h" char CRONLOG[] = "cron"; diff --git a/sys/src/cmd/auth/debug.c b/sys/src/cmd/auth/debug.c index d7df43f8b..4a182a640 100644 --- a/sys/src/cmd/auth/debug.c +++ b/sys/src/cmd/auth/debug.c @@ -208,9 +208,9 @@ authdialfutz(char *dom, char *user) void authfutz(char *dom, char *user) { - int fd, nobootes; - char pw[128], prompt[128], key[DESKEYLEN], booteskey[DESKEYLEN], tbuf[2*TICKETLEN], - trbuf[TICKREQLEN]; + int fd, nobootes, n, m; + char pw[128], prompt[128], tbuf[2*TICKETLEN]; + Authkey key, booteskey; Ticket t; Ticketreq tr; @@ -218,7 +218,7 @@ authfutz(char *dom, char *user) readcons(prompt, nil, 1, pw, sizeof pw); if(pw[0] == '\0') return; - passtokey(key, pw); + passtokey(&key, pw); fd = authdial(nil, dom); if(fd < 0){ @@ -227,19 +227,19 @@ authfutz(char *dom, char *user) } /* try ticket request using just user key */ + memset(&tr, 0, sizeof(tr)); tr.type = AuthTreq; strecpy(tr.authid, tr.authid+sizeof tr.authid, user); strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom); strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user); strecpy(tr.uid, tr.uid+sizeof tr.uid, user); memset(tr.chal, 0xAA, sizeof tr.chal); - convTR2M(&tr, trbuf); - if(_asgetticket(fd, trbuf, tbuf) < 0){ - close(fd); + if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){ print("\t_asgetticket failed: %r\n"); + close(fd); return; } - convM2T(tbuf, &t, key); + m = convM2T(tbuf, n, &t, &key); if(t.num != AuthTc){ print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tauth server and you do not agree on key for %s@%s\n", user, dom); @@ -252,7 +252,7 @@ authfutz(char *dom, char *user) return; } - convM2T(tbuf+TICKETLEN, &t, key); + convM2T(tbuf+m, n-m, &t, &key); if(t.num != AuthTs){ print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tauth server and you do not agree on key for %s@%s\n", user, dom); 
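Review bot: In authfutz `m = convM2T(tbuf, n, &t, &key);` stores the result but goes straight to `if(t.num != AuthTc)` and later uses `tbuf+m` and `n-m` for the second ticket, so when convM2T signals failure with 0 or a negative value, t is examined without having been decoded and the second call receives an offset before the buffer or a length larger than what was received. Guard it, e.g. `if(m <= 0 || m >= n){ print("\tcannot decode ticket1: %r\n"); close(fd); return; }`, and apply the same to the bootes path in the next hunk and to the two second-ticket calls whose return is not captured at all. What convM2T returns on failure is not in the diff, so confirm the threshold; authfutz spans both hunks.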
@@ -269,13 +269,12 @@ authfutz(char *dom, char *user) /* try ticket request using bootes key */ snprint(prompt, sizeof prompt, "\tcpu server owner for domain %s ", dom); readcons(prompt, "glenda", 0, tr.authid, sizeof tr.authid); - convTR2M(&tr, trbuf); - if(_asgetticket(fd, trbuf, tbuf) < 0){ + if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){ close(fd); print("\t_asgetticket failed: %r\n"); return; } - convM2T(tbuf, &t, key); + m = convM2T(tbuf, n, &t, &key); if(t.num != AuthTc){ print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tauth server and you do not agree on key for %s@%s\n", user, dom); @@ -295,9 +294,9 @@ authfutz(char *dom, char *user) goto Nobootes; } nobootes = 0; - passtokey(booteskey, pw); + passtokey(&booteskey, pw); - convM2T(tbuf+TICKETLEN, &t, booteskey); + convM2T(tbuf+m, n-m, &t, &booteskey); if(t.num != AuthTs){ print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tauth server and you do not agree on key for %s@%s\n", tr.authid, dom); diff --git a/sys/src/cmd/auth/factotum/apop.c b/sys/src/cmd/auth/factotum/apop.c index 004c8c9b2..a900d8f4f 100644 --- a/sys/src/cmd/auth/factotum/apop.c +++ b/sys/src/cmd/auth/factotum/apop.c @@ -208,7 +208,7 @@ apopclose(Fsstate *fss) static int dochal(State *s) { - char *dom, *user, trbuf[TICKREQLEN]; + char *dom, *user; int n; s->asfd = -1; @@ -228,13 +228,11 @@ dochal(State *s) goto err; memset(&s->tr, 0, sizeof(s->tr)); - s->tr.type = s->astype; safecpy(s->tr.authdom, dom, sizeof s->tr.authdom); safecpy(s->tr.hostid, user, sizeof(s->tr.hostid)); - convTR2M(&s->tr, trbuf); - + s->tr.type = s->astype; alarm(30*1000); - if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ + if(_asrequest(s->asfd, &s->tr) < 0){ alarm(0); goto err; } @@ -254,8 +252,6 @@ err: static int doreply(State *s, char *user, char *response) { - char ticket[TICKETLEN+AUTHENTLEN]; - char trbuf[TICKREQLEN]; int n; Authenticator a; 
@@ -267,21 +263,16 @@ doreply(State *s, char *user, char *response) memrandom(s->tr.chal, CHALLEN); safecpy(s->tr.uid, user, sizeof(s->tr.uid)); - convTR2M(&s->tr, trbuf); alarm(30*1000); - if((n=write(s->asfd, trbuf, TICKREQLEN)) != TICKREQLEN){ + if(_asrequest(s->asfd, &s->tr) < 0){ alarm(0); - if(n >= 0) - werrstr("short write to auth server"); goto err; } - if((n=write(s->asfd, response, MD5dlen*2)) != MD5dlen*2){ + if(write(s->asfd, response, MD5dlen*2) != MD5dlen*2){ alarm(0); - if(n >= 0) - werrstr("short write to auth server"); goto err; } - n = _asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN); + n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv); alarm(0); if(n < 0){ /* leave connection open so we can try again */ @@ -290,7 +281,6 @@ doreply(State *s, char *user, char *response) close(s->asfd); s->asfd = -1; - convM2T(ticket, &s->t, (char*)s->key->priv); if(s->t.num != AuthTs || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ if(s->key->successes == 0) @@ -299,14 +289,12 @@ doreply(State *s, char *user, char *response) goto err; } s->key->successes++; - convM2A(ticket+TICKETLEN, &a, s->t.key); if(a.num != AuthAc || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || a.id != 0){ werrstr(Easproto); goto err; } - return 0; err: if(s->asfd >= 0) diff --git a/sys/src/cmd/auth/factotum/chap.c b/sys/src/cmd/auth/factotum/chap.c index ca6e0f173..e6e0f6b8f 100644 --- a/sys/src/cmd/auth/factotum/chap.c +++ b/sys/src/cmd/auth/factotum/chap.c @@ -299,8 +299,7 @@ static int dochal(State *s) { char *dom, *user; - char trbuf[TICKREQLEN]; - int ret; + int n; s->asfd = -1; 
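Review bot: `_asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv)` casts the key's priv pointer to Authkey*, as the chap.c and p9cr.c hunks also do, where the old code passed it as a `char*` DES key; that is only sound if priv is allocated with at least sizeof(Authkey) bytes, and since the man page hunk describes Authkey as "a set of cryptographic keys", any later growth of the struct beyond des[] would turn these casts into out-of-bounds reads of key material. Where priv is allocated is outside this diff, so confirm its size is tied to sizeof(Authkey) rather than DESKEYLEN, or store it as an Authkey* from the start. Smaller point in the same hunk: dropping `werrstr("short write to auth server")` means a short write now reaches err with whatever errstr the previous call left.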
@@ -315,20 +314,17 @@ dochal(State *s) goto err; memset(&s->tr, 0, sizeof(s->tr)); - s->tr.type = s->astype; safecpy(s->tr.authdom, dom, sizeof(s->tr.authdom)); safecpy(s->tr.hostid, user, sizeof(s->tr.hostid)); - convTR2M(&s->tr, trbuf); - + s->tr.type = s->astype; alarm(30*1000); - if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ + if(_asrequest(s->asfd, &s->tr) < 0){ alarm(0); goto err; } - /* readn, not _asrdresp. needs to match auth.srv.c. */ - ret = readn(s->asfd, s->chal, sizeof s->chal); + n = readn(s->asfd, s->chal, sizeof s->chal); alarm(0); - if(ret != sizeof s->chal) + if(n != sizeof s->chal) goto err; return 0; @@ -343,18 +339,16 @@ err: static int doreply(State *s, uchar *reply, int nreply) { - char ticket[TICKETLEN+AUTHENTLEN]; int n; Authenticator a; alarm(30*1000); - if((n=write(s->asfd, reply, nreply)) != nreply){ + if(write(s->asfd, reply, nreply) != nreply){ alarm(0); - if(n >= 0) - werrstr("short write to auth server"); goto err; } - if(_asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN) < 0){ + n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv); + if(n < 0){ alarm(0); /* leave connection open so we can try again */ return -1; @@ -365,7 +359,7 @@ doreply(State *s, uchar *reply, int nreply) s->nsecret = 0; close(s->asfd); s->asfd = -1; - convM2T(ticket, &s->t, s->key->priv); + if(s->t.num != AuthTs || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ if(s->key->successes == 0) @@ -374,14 +368,12 @@ doreply(State *s, uchar *reply, int nreply) return -1; } s->key->successes++; - convM2A(ticket+TICKETLEN, &a, s->t.key); if(a.num != AuthAc || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || a.id != 0){ werrstr(Easproto); return -1; } - return 0; err: if(s->asfd >= 0) diff --git a/sys/src/cmd/auth/factotum/p9cr.c b/sys/src/cmd/auth/factotum/p9cr.c index e3ed2fbfa..858c22473 100644 --- a/sys/src/cmd/auth/factotum/p9cr.c +++ b/sys/src/cmd/auth/factotum/p9cr.c 
@@ -165,7 +165,7 @@ p9crread(Fsstate *fss, void *va, uint *n) static int p9response(Fsstate *fss, State *s) { - char key[DESKEYLEN]; + Authkey key; uchar buf[8]; ulong chal; char *pw; @@ -173,10 +173,10 @@ p9response(Fsstate *fss, State *s) pw = _strfindattr(s->key->privattr, "!password"); if(pw == nil) return failure(fss, "vncresponse cannot happen"); - passtokey(key, pw); + passtokey(&key, pw); memset(buf, 0, 8); sprint((char*)buf, "%d", atoi(s->chal)); - if(encrypt(key, buf, 8) < 0) + if(encrypt(key.des, buf, 8) < 0) return failure(fss, "can't encrypt response"); chal = (buf[0]<<24)+(buf[1]<<16)+(buf[2]<<8)+buf[3]; s->resplen = snprint(s->resp, sizeof s->resp, "%.8lux", chal); @@ -247,7 +247,6 @@ vncresponse(Fsstate*, State *s) static int p9crwrite(Fsstate *fss, void *va, uint n) { - char tbuf[TICKETLEN+AUTHENTLEN]; State *s; char *data = va; Authenticator a; @@ -288,14 +287,13 @@ p9crwrite(Fsstate *fss, void *va, uint n) return failure(fss, Easproto); } /* get ticket plus authenticator from auth server */ - ret = _asrdresp(s->asfd, tbuf, TICKETLEN+AUTHENTLEN); + ret = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv); alarm(0); if(ret < 0) return failure(fss, nil); /* check ticket */ - convM2T(tbuf, &s->t, s->key->priv); if(s->t.num != AuthTs || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ if (s->key->successes == 0) @@ -303,7 +301,6 @@ p9crwrite(Fsstate *fss, void *va, uint n) return failure(fss, Easproto); } s->key->successes++; - convM2A(tbuf+TICKETLEN, &a, s->t.key); if(a.num != AuthAc || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || a.id != 0) 
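Review bot: `sprint((char*)buf, "%d", atoi(s->chal));` in p9response writes an unbounded decimal into the 8-byte `buf`; an int can need up to eleven characters plus the terminator, so a challenge that parses to a large or negative value overruns the stack buffer. The sibling routine netresp in auth_userpasswd.c, later in this diff, bounds the same write with `snprint((char *)buf, sizeof buf, "%lud", chal)`; the equivalent here is `snprint((char*)buf, sizeof buf, "%d", atoi(s->chal));`. The password-derived `Authkey key` is also left on the stack after `encrypt(key.des, buf, 8)`, whereas auth_userpasswd clears its copy with `memset(&key, 0, sizeof(Authkey))`, which is worth doing here before the function returns. p9response continues outside the hunk.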
@@ -322,20 +319,18 @@ p9crwrite(Fsstate *fss, void *va, uint n) static int getchal(State *s, Fsstate *fss) { - char trbuf[TICKREQLEN]; int n; safecpy(s->tr.hostid, _strfindattr(s->key->attr, "user"), sizeof(s->tr.hostid)); safecpy(s->tr.authdom, _strfindattr(s->key->attr, "dom"), sizeof(s->tr.authdom)); s->tr.type = s->astype; - convTR2M(&s->tr, trbuf); /* get challenge from auth server */ s->asfd = _authdial(nil, _strfindattr(s->key->attr, "dom")); if(s->asfd < 0) return failure(fss, Easproto); alarm(30*1000); - if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ + if(_asrequest(s->asfd, &s->tr) < 0){ alarm(0); return failure(fss, Easproto); } diff --git a/sys/src/cmd/auth/factotum/p9sk1.c b/sys/src/cmd/auth/factotum/p9sk1.c index a61381b76..ea7eaa5ad 100644 --- a/sys/src/cmd/auth/factotum/p9sk1.c +++ b/sys/src/cmd/auth/factotum/p9sk1.c @@ -25,7 +25,7 @@ struct State Ticketreq tr; char cchal[CHALLEN]; char tbuf[TICKETLEN+AUTHENTLEN]; - char authkey[DESKEYLEN]; + int tbuflen; uchar *secret; int speakfor; }; @@ -60,7 +60,7 @@ static char *phasenames[Maxphase] = [SHaveAuth] "SHaveAuth", }; -static int gettickets(State*, char*, char*); +static int gettickets(State*, Ticketreq *, char*, int); static int p9skinit(Proto *p, Fsstate *fss) @@ -119,6 +119,8 @@ p9skinit(Proto *p, Fsstate *fss) break; } } + s->tbuflen = 0; + s->secret = nil; fss->ps = s; return RpcOk; } @@ -147,13 +149,12 @@ p9skread(Fsstate *fss, void *a, uint *n) m = TICKREQLEN; if(*n < m) return toosmall(fss, m); - *n = m; - convTR2M(&s->tr, a); + *n = convTR2M(&s->tr, a, *n); fss->phase = SNeedTicket; return RpcOk; case CHaveTicket: - m = TICKETLEN+AUTHENTLEN; + m = s->tbuflen; if(*n < m) return toosmall(fss, m); *n = m; 
@@ -162,11 +163,11 @@ p9skread(Fsstate *fss, void *a, uint *n) return RpcOk; case SHaveAuth: - m = AUTHENTLEN; + m = s->tbuflen; if(*n < m) return toosmall(fss, m); *n = m; - memmove(a, s->tbuf+TICKETLEN, m); + memmove(a, s->tbuf, m); fss->ai.cuid = s->t.cuid; fss->ai.suid = s->t.suid; s->secret = emalloc(8); @@ -183,7 +184,7 @@ static int p9skwrite(Fsstate *fss, void *a, uint n) { int m, ret, sret; - char tbuf[2*TICKETLEN], trbuf[TICKREQLEN], *user; + char tbuf[2*TICKETLEN], *user; Attr *attr; Authenticator auth; State *s; @@ -204,12 +205,11 @@ p9skwrite(Fsstate *fss, void *a, uint n) return RpcOk; case CNeedTreq: - m = TICKREQLEN; - if(n < m) - return toosmall(fss, m); + m = convM2TR(a, n, &s->tr); + if(m <= 0) + return toosmall(fss, -m); /* remember server's chal */ - convM2TR(a, &s->tr); if(s->vers == 2) memmove(s->cchal, s->tr.chal, CHALLEN); @@ -263,15 +263,14 @@ p9skwrite(Fsstate *fss, void *a, uint n) else safecpy(s->tr.uid, s->tr.hostid, sizeof s->tr.uid); - convTR2M(&s->tr, trbuf); - /* get tickets, from auth server or invent if we can */ - if(gettickets(s, trbuf, tbuf) < 0){ + ret = gettickets(s, &s->tr, tbuf, sizeof(tbuf)); + if(ret < 0){ _freeattr(attr); return failure(fss, nil); } - convM2T(tbuf, &s->t, (char*)s->key->priv); + m = convM2T(tbuf, ret, &s->t, (Authkey*)s->key->priv); if(s->t.num != AuthTc){ if(s->key->successes == 0 && !s->speakfor) disablekey(s->key); 
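Review bot: The result of `m = convM2T(tbuf, ret, &s->t, (Authkey*)s->key->priv);` in p9skwrite is not checked before `s->t.num` is tested. When gettickets returns fewer than TICKETLEN bytes, convM2T zeroes `s->t` and returns -TICKETLEN, so control lands in the `t.num != AuthTc` branch and, for a key with no prior successes, calls `disablekey(s->key)` — a truncated reply from the auth server is then treated as proof of a bad key. Rejecting the short case first avoids that: `if(m <= 0){ _freeattr(attr); return failure(fss, Easproto); }`. p9skwrite continues outside the hunk on both sides.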
@@ -287,24 +286,27 @@ p9skwrite(Fsstate *fss, void *a, uint n) } s->key->successes++; _freeattr(attr); - memmove(s->tbuf, tbuf+TICKETLEN, TICKETLEN); + ret -= m; + memmove(s->tbuf, tbuf+m, ret); auth.num = AuthAc; memmove(auth.chal, s->tr.chal, CHALLEN); auth.id = 0; - convA2M(&auth, s->tbuf+TICKETLEN, s->t.key); + ret += convA2M(&auth, s->tbuf+ret, sizeof(s->tbuf)-ret, &s->t); + s->tbuflen = ret; fss->phase = CHaveTicket; return RpcOk; case SNeedTicket: - m = TICKETLEN+AUTHENTLEN; - if(n < m) - return toosmall(fss, m); - convM2T(a, &s->t, (char*)s->key->priv); + m = convM2T(a, n, &s->t, (Authkey*)s->key->priv); + if(m <= 0) + return toosmall(fss, -m); if(s->t.num != AuthTs || memcmp(s->t.chal, s->tr.chal, CHALLEN) != 0) return failure(fss, Easproto); - convM2A((char*)a+TICKETLEN, &auth, s->t.key); + ret = convM2A((char*)a+m, n-m, &auth, &s->t); + if(ret <= 0) + return toosmall(fss, -ret + m); if(auth.num != AuthAc || memcmp(auth.chal, s->tr.chal, CHALLEN) != 0 || auth.id != 0) @@ -312,15 +314,14 @@ p9skwrite(Fsstate *fss, void *a, uint n) auth.num = AuthAs; memmove(auth.chal, s->cchal, CHALLEN); auth.id = 0; - convA2M(&auth, s->tbuf+TICKETLEN, s->t.key); + s->tbuflen = convA2M(&auth, s->tbuf, sizeof(s->tbuf), &s->t); fss->phase = SHaveAuth; return RpcOk; case CNeedAuth: - m = AUTHENTLEN; - if(n < m) - return toosmall(fss, m); - convM2A(a, &auth, s->t.key); + m = convM2A(a, n, &auth, &s->t); + if(m <= 0) + return toosmall(fss, -m); if(auth.num != AuthAs || memcmp(auth.chal, s->cchal, CHALLEN) != 0 || auth.id != 0) 
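Review bot: `ret -= m; memmove(s->tbuf, tbuf+m, ret);` copies whatever gettickets returned beyond the first ticket without checking that it is a whole second ticket: if the reply was short (ret < 2*TICKETLEN), `s->tbuf` holds a partial ticket with the authenticator appended and `s->tbuflen` records that length, so the client proceeds to CHaveTicket and sends a message the server can only reject. Since `sizeof(s->tbuf)` is TICKETLEN+AUTHENTLEN the 0 return of convA2M cannot trigger here, so one check after the subtraction suffices: `if(ret != TICKETLEN) return failure(fss, Easproto);` (`_freeattr(attr)` has already run at that point). The SNeedTicket and CNeedAuth cases in this hunk do test their decoder results.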
@@ -384,24 +385,24 @@ hexparse(char *hex, uchar *dat, int ndat) static int p9skaddkey(Key *k, int before) { + Authkey *akey; char *s; - k->priv = emalloc(DESKEYLEN); + akey = emalloc(sizeof(Authkey)); if(s = _strfindattr(k->privattr, "!hex")){ - if(hexparse(s, k->priv, 7) < 0){ - free(k->priv); - k->priv = nil; + if(hexparse(s, (uchar*)akey->des, DESKEYLEN) < 0){ + free(akey); werrstr("malformed key data"); return -1; } }else if(s = _strfindattr(k->privattr, "!password")){ - passtokey((char*)k->priv, s); + passtokey(akey, s); }else{ werrstr("no key data"); - free(k->priv); - k->priv = nil; + free(akey); return -1; } + k->priv = akey; return replacekey(k, before); } @@ -412,7 +413,7 @@ p9skclosekey(Key *k) } static int -getastickets(State *s, char *trbuf, char *tbuf) +getastickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen) { int asfd, rv; char *dom; @@ -425,17 +426,18 @@ getastickets(State *s, char *trbuf, char *tbuf) if(asfd < 0) return -1; alarm(30*1000); - rv = _asgetticket(asfd, trbuf, tbuf); + rv = _asgetticket(asfd, tr, tbuf, tbuflen); alarm(0); close(asfd); return rv; } static int -mkserverticket(State *s, char *tbuf) +mkserverticket(State *s, char *tbuf, int tbuflen) { Ticketreq *tr = &s->tr; Ticket t; + int ret; if(strcmp(tr->authid, tr->hostid) != 0) return -1; 
@@ -449,22 +451,21 @@ mkserverticket(State *s, char *tbuf) strcpy(t.suid, tr->uid); memrandom(t.key, DESKEYLEN); t.num = AuthTc; - convT2M(&t, tbuf, s->key->priv); + ret = convT2M(&t, tbuf, tbuflen, (Authkey*)s->key->priv); t.num = AuthTs; - convT2M(&t, tbuf+TICKETLEN, s->key->priv); - return 0; + ret += convT2M(&t, tbuf+ret, tbuflen-ret, (Authkey*)s->key->priv); + return ret; } static int -gettickets(State *s, char *trbuf, char *tbuf) +gettickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen) { -/* - if(mktickets(s, trbuf, tbuf) >= 0) - return 0; -*/ - if(getastickets(s, trbuf, tbuf) >= 0) - return 0; - return mkserverticket(s, tbuf); + int ret; + + ret = getastickets(s, tr, tbuf, tbuflen); + if(ret >= 0) + return ret; + return mkserverticket(s, tbuf, tbuflen); } Proto p9sk1 = { diff --git a/sys/src/cmd/auth/guard.srv.c b/sys/src/cmd/auth/guard.srv.c index ffe902e5f..013cd7945 100644 --- a/sys/src/cmd/auth/guard.srv.c +++ b/sys/src/cmd/auth/guard.srv.c @@ -90,7 +90,7 @@ main(int argc, char *argv[]) /* remove password login from guard.research.bell-labs.com, sucre, etc. */ // if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp)) - if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp)) + if(!finddeskey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp)) if((err = secureidcheck(user, resp)) != nil){ print("NO %s", err); write(1, "NO", 2); diff --git a/sys/src/cmd/auth/httpauth.c b/sys/src/cmd/auth/httpauth.c index f54cd252d..4b0f39028 100644 --- a/sys/src/cmd/auth/httpauth.c +++ b/sys/src/cmd/auth/httpauth.c 
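Review bot: `ret += convT2M(&t, tbuf+ret, tbuflen-ret, (Authkey*)s->key->priv);` treats a 0 return (buffer too small, see convT2M later in this diff) as a partial success and hands back the length of one ticket, which callers cannot distinguish from a complete pair; the first convT2M call has the same blind spot. Returning -1 when either encode comes back short, `if(ret != TICKETLEN) return -1;` after the first call and `if(ret != 2*TICKETLEN) return -1;` before the final return, keeps the contract that a non-negative result is a full reply. `t` carries a freshly generated session key (`memrandom(t.key, DESKEYLEN)`) and is not cleared on the way out; `memset(&t, 0, sizeof t)` before returning is cheap. mkserverticket's signature and the start of its body are in the preceding hunk.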
@@ -8,36 +8,25 @@ httpauth(char *name, char *password) int afd; Ticketreq tr; Ticket t; - char key[DESKEYLEN]; - char buf[512]; + Authkey key; afd = authdial(nil, nil); if(afd < 0) return -1; + passtokey(&key, password); + /* send ticket request to AS */ memset(&tr, 0, sizeof(tr)); strcpy(tr.uid, name); tr.type = AuthHttp; - convTR2M(&tr, buf); - if(write(afd, buf, TICKREQLEN) != TICKREQLEN){ - close(afd); - return -1; - } - if(_asrdresp(afd, buf, TICKETLEN) < 0){ + if(_asrequest(afd, &tr) < 0){ close(afd); return -1; } + _asgetresp(afd, &t, nil, &key); close(afd); - - /* - * use password and try to decrypt the - * ticket. If it doesn't work we've got a bad password, - * give up. - */ - passtokey(key, password); - convM2T(buf, &t, key); - if(t.num != AuthHr || strcmp(t.cuid, tr.uid)) + if(t.num != AuthHr || strcmp(t.cuid, tr.uid) != 0) return -1; return 0; diff --git a/sys/src/cmd/auth/keyfs.c b/sys/src/cmd/auth/keyfs.c index 193acf27e..8c6c01748 100644 --- a/sys/src/cmd/auth/keyfs.c +++ b/sys/src/cmd/auth/keyfs.c @@ -13,7 +13,7 @@ #pragma varargck type "W" char* -char authkey[8]; +Authkey authkey; typedef struct Fid Fid; typedef struct User User; @@ -170,9 +170,9 @@ main(int argc, char *argv[]) error("can't make pipe: %r"); if(usepass) { - getpass(authkey, nil, 0, 0); + getpass(&authkey, nil, 0, 0); } else { - if(!getauthkey(authkey)) + if(!getauthkey(&authkey)) print("keyfs: warning: can't read NVRAM\n"); } @@ -690,7 +690,7 @@ passline(Biobuf *b, void *vbuf) if(Bread(b, buf, KEYDBLEN) != KEYDBLEN) return 0; - decrypt(authkey, buf, KEYDBLEN); + decrypt(authkey.des, buf, KEYDBLEN); buf[Namelen-1] = '\0'; return 1; } @@ -780,7 +780,7 @@ writeusers(void) } /* encrypt */ - oldCBCencrypt(authkey, buf, p - buf); + oldCBCencrypt(authkey.des, buf, p - buf); /* write file */ fd = create(userkeys, OWRITE, 0660); @@ -888,7 +888,7 @@ readusers(void) /* decrypt */ n -= n % KEYDBLEN; - oldCBCdecrypt(authkey, buf, n); + oldCBCdecrypt(authkey.des, buf, n); /* unpack */ nu = 0; 
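Review bot: The return value of `_asgetresp(afd, &t, nil, &key);` is discarded, so when the auth server reply fails to arrive or decode the code still reaches `if(t.num != AuthHr || strcmp(t.cuid, tr.uid) != 0)` with a `Ticket t` that this function never initialises; whether that fails closed depends entirely on _asgetresp zeroing `t` on every error path, which nothing visible here guarantees. passwd.c in this same diff checks the call (`if(_asgetresp(fd, &t, nil, &key) < 0) error("%r");`); the matching form here is `if(_asgetresp(afd, &t, nil, &key) < 0){ close(afd); return -1; }`. The password-derived `key` is also left in place on both returns; a `memset(&key, 0, sizeof(Authkey))` as auth_userpasswd.c does would be consistent.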
diff --git a/sys/src/cmd/auth/lib/error.c b/sys/src/cmd/auth/lib/error.c index 71bf63df1..784ae37df 100644 --- a/sys/src/cmd/auth/lib/error.c +++ b/sys/src/cmd/auth/lib/error.c @@ -1,6 +1,7 @@ #include #include #include +#include #include "authcmdlib.h" void diff --git a/sys/src/cmd/auth/lib/fs.c b/sys/src/cmd/auth/lib/fs.c index 43f7db845..35429d0ac 100644 --- a/sys/src/cmd/auth/lib/fs.c +++ b/sys/src/cmd/auth/lib/fs.c @@ -1,6 +1,7 @@ #include #include #include +#include #include "authcmdlib.h" Fs fs[3] = diff --git a/sys/src/cmd/auth/lib/getauthkey.c b/sys/src/cmd/auth/lib/getauthkey.c index 1ae8d4e87..84c3d1557 100644 --- a/sys/src/cmd/auth/lib/getauthkey.c +++ b/sys/src/cmd/auth/lib/getauthkey.c @@ -17,9 +17,10 @@ getkey(char *authkey) } int -getauthkey(char *authkey) +getauthkey(Authkey *authkey) { - if(getkey(authkey) == 0) + memset(authkey, 0, sizeof(Authkey)); + if(getkey(authkey->des) == 0) return 1; print("can't read NVRAM, please enter machine key\n"); getpass(authkey, nil, 0, 1); diff --git a/sys/src/cmd/auth/lib/getexpiration.c b/sys/src/cmd/auth/lib/getexpiration.c index 44ebfaaca..ebbd1c24c 100644 --- a/sys/src/cmd/auth/lib/getexpiration.c +++ b/sys/src/cmd/auth/lib/getexpiration.c @@ -2,6 +2,7 @@ #include #include #include +#include #include "authcmdlib.h" /* diff --git a/sys/src/cmd/auth/lib/keyfmt.c b/sys/src/cmd/auth/lib/keyfmt.c index 86c2378a3..35642c9a5 100644 --- a/sys/src/cmd/auth/lib/keyfmt.c +++ b/sys/src/cmd/auth/lib/keyfmt.c @@ -1,13 +1,14 @@ #include #include #include +#include #include "authcmdlib.h" /* * print a key in des standard form */ int -keyfmt(Fmt *f) +deskeyfmt(Fmt *f) { uchar key[8]; char buf[32]; diff --git a/sys/src/cmd/auth/lib/netcheck.c b/sys/src/cmd/auth/lib/netcheck.c index 5e4220c25..7b8fa92d7 100644 --- a/sys/src/cmd/auth/lib/netcheck.c +++ b/sys/src/cmd/auth/lib/netcheck.c @@ -1,6 +1,7 @@ #include #include #include +#include #include "authcmdlib.h" /* 
diff --git a/sys/src/cmd/auth/lib/querybio.c b/sys/src/cmd/auth/lib/querybio.c index 97218a6dc..90e54ae74 100644 --- a/sys/src/cmd/auth/lib/querybio.c +++ b/sys/src/cmd/auth/lib/querybio.c @@ -2,6 +2,7 @@ #include #include #include +#include #include "authcmdlib.h" diff --git a/sys/src/cmd/auth/lib/rdbio.c b/sys/src/cmd/auth/lib/rdbio.c index 34196fd36..1d56c5da6 100644 --- a/sys/src/cmd/auth/lib/rdbio.c +++ b/sys/src/cmd/auth/lib/rdbio.c @@ -2,6 +2,7 @@ #include #include #include +#include #include "authcmdlib.h" void diff --git a/sys/src/cmd/auth/lib/readarg.c b/sys/src/cmd/auth/lib/readarg.c index cce957db9..238e8252f 100644 --- a/sys/src/cmd/auth/lib/readarg.c +++ b/sys/src/cmd/auth/lib/readarg.c @@ -1,6 +1,7 @@ #include #include #include +#include #include "authcmdlib.h" int diff --git a/sys/src/cmd/auth/lib/readln.c b/sys/src/cmd/auth/lib/readln.c index ee470a52c..38a712497 100644 --- a/sys/src/cmd/auth/lib/readln.c +++ b/sys/src/cmd/auth/lib/readln.c @@ -5,7 +5,7 @@ #include "authcmdlib.h" void -getpass(char *key, char *pass, int check, int confirm) +getpass(Authkey *key, char *pass, int check, int confirm) { char rpass[32], npass[32]; char *err; diff --git a/sys/src/cmd/auth/lib/readwrite.c b/sys/src/cmd/auth/lib/readwrite.c index 54f494eb4..1c19bad01 100644 --- a/sys/src/cmd/auth/lib/readwrite.c +++ b/sys/src/cmd/auth/lib/readwrite.c @@ -33,7 +33,7 @@ writefile(char *file, char *buf, int n) } char* -findkey(char *db, char *user, char *key) +finddeskey(char *db, char *user, char *key) { int n; char filename[Maxpath]; @@ -46,6 +46,13 @@ findkey(char *db, char *user, char *key) return key; } +int +findkey(char *db, char *user, Authkey *key) +{ + memset(key, 0, sizeof(Authkey)); + return finddeskey(db, user, key->des) != nil; +} + char* findsecret(char *db, char *user, char *secret) { 
@@ -62,7 +69,7 @@ findsecret(char *db, char *user, char *secret) } char* -setkey(char *db, char *user, char *key) +setdeskey(char *db, char *user, char *key) { int n; char filename[Maxpath]; @@ -75,6 +82,12 @@ setkey(char *db, char *user, char *key) return key; } +int +setkey(char *db, char *user, Authkey *key) +{ + return setdeskey(db, user, key->des) != nil; +} + char* setsecret(char *db, char *user, char *secret) { diff --git a/sys/src/cmd/auth/lib/wrbio.c b/sys/src/cmd/auth/lib/wrbio.c index 9c688dbe1..2590ad72d 100644 --- a/sys/src/cmd/auth/lib/wrbio.c +++ b/sys/src/cmd/auth/lib/wrbio.c @@ -2,6 +2,7 @@ #include #include #include +#include #include "authcmdlib.h" void diff --git a/sys/src/cmd/auth/netkey.c b/sys/src/cmd/auth/netkey.c index ee7b10a28..faca0f3d5 100644 --- a/sys/src/cmd/auth/netkey.c +++ b/sys/src/cmd/auth/netkey.c @@ -15,7 +15,8 @@ usage(void) void main(int argc, char *argv[]) { - char buf[32], pass[32], key[DESKEYLEN]; + Authkey key; + char buf[32], pass[32]; char *s; int n; @@ -33,7 +34,7 @@ main(int argc, char *argv[]) } readln("Password: ", pass, sizeof pass, 1); - passtokey(key, pass); + passtokey(&key, pass); for(;;){ print("challenge: "); @@ -43,7 +44,7 @@ main(int argc, char *argv[]) buf[n] = '\0'; n = strtol(buf, 0, 10); sprint(buf, "%d", n); - netcrypt(key, buf); + netcrypt(key.des, buf); print("response: %s\n", buf); } } diff --git a/sys/src/cmd/auth/passwd.c b/sys/src/cmd/auth/passwd.c index 20369805f..69fb602fb 100644 --- a/sys/src/cmd/auth/passwd.c +++ b/sys/src/cmd/auth/passwd.c 
@@ -1,52 +1,17 @@ #include #include -#include #include +#include #include "authcmdlib.h" -static char *pbmsg = "AS protocol botch"; - -int -asrdresp(int fd, char *buf, int len) -{ - char error[AERRLEN]; - - if(read(fd, buf, 1) != 1){ - werrstr(pbmsg); - return -1; - } - - switch(buf[0]){ - case AuthOK: - if(readn(fd, buf, len) < 0){ - werrstr(pbmsg); - return -1; - } - break; - case AuthErr: - if(readn(fd, error, AERRLEN) < 0){ - werrstr(pbmsg); - return -1; - } - error[AERRLEN-1] = 0; - errstr(error, sizeof error); - return -1; - default: - werrstr(pbmsg); - return -1; - } - return 0; -} - void main(int argc, char **argv) { - int fd; + int fd, n; Ticketreq tr; Ticket t; Passwordreq pr; - char tbuf[TICKETLEN]; - char key[DESKEYLEN]; + Authkey key; char buf[512]; char *s, *user; @@ -73,12 +38,8 @@ main(int argc, char **argv) memset(&tr, 0, sizeof(tr)); strcpy(tr.uid, user); tr.type = AuthPass; - convTR2M(&tr, buf); - if(write(fd, buf, TICKREQLEN) != TICKREQLEN) - error("protocol botch: %r"); - if(asrdresp(fd, buf, TICKETLEN) < 0) + if(_asrequest(fd, &tr) < 0) error("%r"); - memmove(tbuf, buf, TICKETLEN); /* * get a password from the user and try to decrypt the @@ -86,13 +47,17 @@ main(int argc, char **argv) * give up. */ readln("Plan 9 Password: ", pr.old, sizeof pr.old, 1); - passtokey(key, pr.old); - convM2T(tbuf, &t, key); - if(t.num != AuthTp || strcmp(t.cuid, tr.uid)) + passtokey(&key, pr.old); + + if(_asgetresp(fd, &t, nil, &key) < 0) + error("%r"); + + if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0) error("bad password"); /* loop trying new passwords */ for(;;){ + memset(&pr, 0, sizeof(pr)); pr.changesecret = 0; *pr.new = 0; readln("change Plan 9 Password? (y/n) ", buf, sizeof buf, 0); 
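Review bot: After `_asgetresp(fd, &t, nil, &key)` succeeds the password-derived `key` is no longer used — the later `convPR2M(&pr, buf, sizeof(buf), &t)` encrypts under `t.key` — yet it stays live in main for the whole interactive password-change loop. A `memset(&key, 0, sizeof(Authkey))` right after the `t.num != AuthTp` check matches what auth_userpasswd.c does elsewhere in this diff. The reply is now read after the password prompt rather than before it, as the old code did; if the auth server drops idle connections while the user types, that will surface as a protocol error rather than "bad password", so a short comment at the `_asrequest` call noting the intended ordering would help the next reader. main continues outside the hunk.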
@@ -126,10 +91,10 @@ main(int argc, char **argv) } } pr.num = AuthPass; - convPR2M(&pr, buf, t.key); - if(write(fd, buf, PASSREQLEN) != PASSREQLEN) + n = convPR2M(&pr, buf, sizeof(buf), &t); + if(write(fd, buf, n) != n) error("AS protocol botch: %r"); - if(asrdresp(fd, buf, 0) == 0) + if(_asrdresp(fd, buf, 0) == 0) break; fprint(2, "passwd: refused: %r\n"); } diff --git a/sys/src/cmd/auth/printnetkey.c b/sys/src/cmd/auth/printnetkey.c index 5840bb8f8..9b5897824 100644 --- a/sys/src/cmd/auth/printnetkey.c +++ b/sys/src/cmd/auth/printnetkey.c @@ -1,10 +1,9 @@ #include #include -#include #include +#include #include "authcmdlib.h" -void install(char*, char*, int); void usage(void); void @@ -15,7 +14,7 @@ main(int argc, char *argv[]) char keybuf[DESKEYLEN]; argv0 = "printnetkey"; - fmtinstall('K', keyfmt); + fmtinstall('K', deskeyfmt); ARGBEGIN{ default: @@ -25,11 +24,9 @@ main(int argc, char *argv[]) usage(); u = argv[0]; - fmtinstall('K', keyfmt); - if(memchr(u, '\0', ANAMELEN) == 0) error("bad user name"); - key = findkey(NETKEYDB, u, keybuf); + key = finddeskey(NETKEYDB, u, keybuf); if(!key) error("%s has no netkey\n", u); print("user %s: net key %K\n", u, key); diff --git a/sys/src/cmd/auth/warning.c b/sys/src/cmd/auth/warning.c index 7aae9c137..b2a33185b 100644 --- a/sys/src/cmd/auth/warning.c +++ b/sys/src/cmd/auth/warning.c @@ -2,6 +2,7 @@ #include #include #include +#include #include "authcmdlib.h" /* working directory */ diff --git a/sys/src/libauth/auth_userpasswd.c b/sys/src/libauth/auth_userpasswd.c index 292899281..e113d83a4 100644 --- a/sys/src/libauth/auth_userpasswd.c +++ b/sys/src/libauth/auth_userpasswd.c 
@@ -11,13 +11,13 @@ * this was copied from inet's guard. */ static void -netresp(char *key, long chal, char *answer) +netresp(Authkey *key, long chal, char *answer) { uchar buf[8]; memset(buf, 0, sizeof buf); snprint((char *)buf, sizeof buf, "%lud", chal); - if(encrypt(key, buf, 8) < 0) + if(encrypt(key->des, buf, 8) < 0) abort(); sprint(answer, "%.8ux", buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3]); } @@ -25,7 +25,8 @@ netresp(char *key, long chal, char *answer) AuthInfo* auth_userpasswd(char *user, char *passwd) { - char key[DESKEYLEN], resp[16]; + char resp[16]; + Authkey key; AuthInfo *ai; Chalstate *ch; @@ -37,9 +38,9 @@ auth_userpasswd(char *user, char *passwd) if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil) return nil; - passtokey(key, passwd); - netresp(key, atol(ch->chal), resp); - memset(key, 0, sizeof key); + passtokey(&key, passwd); + netresp(&key, atol(ch->chal), resp); + memset(&key, 0, sizeof(Authkey)); ch->resp = resp; ch->nresp = strlen(resp); diff --git a/sys/src/libauth/httpauth.c b/sys/src/libauth/httpauth.c deleted file mode 100644 index 9d1b0d26f..000000000 --- a/sys/src/libauth/httpauth.c +++ /dev/null 
@@ -1,51 +0,0 @@ -#include -#include -#include -#include - -/* deprecated. - This is the mechanism that put entries in /sys/lib/httpd.rewrite - and passwords on the authserver in /sys/lib/httppasswords, which - was awkward to administer. Instead, use local .httplogin files, - which are implemented in sys/src/cmd/ip/httpd/authorize.c */ - -int -httpauth(char *name, char *password) -{ - int afd; - Ticketreq tr; - Ticket t; - char key[DESKEYLEN]; - char buf[512]; - - afd = authdial(nil, nil); - if(afd < 0) - return -1; - - /* send ticket request to AS */ - memset(&tr, 0, sizeof(tr)); - strcpy(tr.uid, name); - tr.type = AuthHttp; - convTR2M(&tr, buf); - if(write(afd, buf, TICKREQLEN) != TICKREQLEN){ - close(afd); - return -1; - } - if(_asrdresp(afd, buf, TICKETLEN) < 0){ - close(afd); - return -1; - } - close(afd); - - /* - * use password and try to decrypt the - * ticket. If it doesn't work we've got a bad password, - * give up. - */ - passtokey(key, password); - convM2T(buf, &t, key); - if(t.num != AuthHr || strcmp(t.cuid, tr.uid)) - return -1; - - return 0; -} diff --git a/sys/src/libauthsrv/_asgetticket.c b/sys/src/libauthsrv/_asgetticket.c index 46283bd5a..11a344621 100644 --- a/sys/src/libauthsrv/_asgetticket.c +++ b/sys/src/libauthsrv/_asgetticket.c @@ -5,11 +5,13 @@ static char *pbmsg = "AS protocol botch"; int -_asgetticket(int fd, char *trbuf, char *tbuf) +_asgetticket(int fd, Ticketreq *tr, char *tbuf, int tbuflen) { - if(write(fd, trbuf, TICKREQLEN) < 0){ + if(_asrequest(fd, tr) < 0){ werrstr(pbmsg); return -1; } - return _asrdresp(fd, tbuf, 2*TICKETLEN); + if(tbuflen > 2*TICKETLEN) + tbuflen = 2*TICKETLEN; + return _asrdresp(fd, tbuf, tbuflen); } diff --git a/sys/src/libauthsrv/convA2M.c b/sys/src/libauthsrv/convA2M.c index 2799cbf56..d285ad770 100644 --- a/sys/src/libauthsrv/convA2M.c +++ b/sys/src/libauthsrv/convA2M.c 
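Review bot: `if(_asrequest(fd, tr) < 0){ werrstr(pbmsg); return -1; }` in _asgetticket overwrites whatever error _asrequest presumably recorded with the generic "AS protocol botch", so a plain write failure becomes indistinguishable from a malformed exchange for callers that print `%r`, as authfutz does. Dropping the `werrstr(pbmsg)` on that path would preserve the underlying cause. The new clamp `if(tbuflen > 2*TICKETLEN) tbuflen = 2*TICKETLEN;` only caps oversized buffers; a caller passing less than 2*TICKETLEN gets a truncated read with the rest of the reply left unread on the connection, which is worth either rejecting up front (`if(tbuflen < 2*TICKETLEN){ werrstr(pbmsg); return -1; }`) or stating in the authsrv(2) entry for _asgetticket.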
@@ -9,17 +9,19 @@ #define STRING(x,n) memmove(p, f->x, n); p += n int -convA2M(Authenticator *f, char *ap, char *key) +convA2M(Authenticator *f, char *ap, int n, Ticket *t) { - int n; uchar *p; + if(n < AUTHENTLEN) + return 0; + p = (uchar*)ap; CHAR(num); STRING(chal, CHALLEN); LONG(id); n = p - (uchar*)ap; - if(key) - encrypt(key, ap, n); + if(t) + encrypt(t->key, ap, n); return n; } diff --git a/sys/src/libauthsrv/convM2A.c b/sys/src/libauthsrv/convM2A.c index 3d58f9b59..b0d6712ca 100644 --- a/sys/src/libauthsrv/convM2A.c +++ b/sys/src/libauthsrv/convM2A.c @@ -8,16 +8,24 @@ #define LONG(x) VLONG(f->x) #define STRING(x,n) memmove(f->x, p, n); p += n -void -convM2A(char *ap, Authenticator *f, char *key) +int +convM2A(char *ap, int n, Authenticator *f, Ticket *t) { - uchar *p; + uchar *p, buf[AUTHENTLEN]; - if(key) - decrypt(key, ap, AUTHENTLEN); + memset(f, 0, sizeof(Authenticator)); + if(n < AUTHENTLEN) + return -AUTHENTLEN; + + if(t) { + memmove(buf, ap, AUTHENTLEN); + ap = (char*)buf; + decrypt(t->key, ap, AUTHENTLEN); + } p = (uchar*)ap; CHAR(num); STRING(chal, CHALLEN); LONG(id); - USED(p); + n = p - (uchar*)ap; + return n; } diff --git a/sys/src/libauthsrv/convM2PR.c b/sys/src/libauthsrv/convM2PR.c index 21df5b508..c7bd4974d 100644 --- a/sys/src/libauthsrv/convM2PR.c +++ b/sys/src/libauthsrv/convM2PR.c @@ -8,14 +8,21 @@ #define LONG(x) VLONG(f->x) #define STRING(x,n) memmove(f->x, p, n); p += n -void -convM2PR(char *ap, Passwordreq *f, char *key) +int +convM2PR(char *ap, int n, Passwordreq *f, Ticket *t) { - uchar *p; + uchar *p, buf[PASSREQLEN]; + memset(f, 0, sizeof(Passwordreq)); + if(n < PASSREQLEN) + return -PASSREQLEN; + + if(t){ + memmove(buf, ap, PASSREQLEN); + ap = (char*)buf; + decrypt(t->key, ap, PASSREQLEN); + } p = (uchar*)ap; - if(key) - decrypt(key, ap, PASSREQLEN); CHAR(num); STRING(old, ANAMELEN); f->old[ANAMELEN-1] = 0; 
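Review bot: `if(n < AUTHENTLEN) return 0;` makes convA2M report a too-small buffer as a zero length, while the decoders in this diff (convM2A just below, convM2T, convM2TR, convM2PR) report the shortfall as a negative required size; convPR2M, convT2M and convTR2M follow the same 0 convention. The asymmetry matters because callers add encoder results into running offsets (p9skwrite's `ret += convA2M(...)`, mkserverticket's `ret += convT2M(...)`) and a 0 simply disappears into the sum. Returning the negative required size from the encoders as well, `return -AUTHENTLEN;`, would let one `<= 0` test cover both directions; if 0 is kept, the authsrv(2) page should state it so callers know to check.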
@@ -24,5 +31,6 @@ convM2PR(char *ap, Passwordreq *f, char *key) CHAR(changesecret); STRING(secret, SECRETLEN); f->secret[SECRETLEN-1] = 0; - USED(p); + n = p - (uchar*)ap; + return n; } diff --git a/sys/src/libauthsrv/convM2T.c b/sys/src/libauthsrv/convM2T.c index 372825a87..425ebefdd 100644 --- a/sys/src/libauthsrv/convM2T.c +++ b/sys/src/libauthsrv/convM2T.c @@ -8,13 +8,20 @@ #define LONG(x) VLONG(f->x) #define STRING(x,n) memmove(f->x, p, n); p += n -void -convM2T(char *ap, Ticket *f, char *key) +int +convM2T(char *ap, int n, Ticket *f, Authkey *key) { - uchar *p; + uchar *p, buf[TICKETLEN]; - if(key) - decrypt(key, ap, TICKETLEN); + memset(f, 0, sizeof(Ticket)); + if(n < TICKETLEN) + return -TICKETLEN; + + if(key){ + memmove(buf, ap, TICKETLEN); + ap = (char*)buf; + decrypt(key->des, ap, TICKETLEN); + } p = (uchar*)ap; CHAR(num); STRING(chal, CHALLEN); @@ -23,6 +30,6 @@ convM2T(char *ap, Ticket *f, char *key) STRING(suid, ANAMELEN); f->suid[ANAMELEN-1] = 0; STRING(key, DESKEYLEN); - USED(p); + n = p - (uchar*)ap; + return n; } - diff --git a/sys/src/libauthsrv/convM2TR.c b/sys/src/libauthsrv/convM2TR.c index ffad75c77..d6491705b 100644 --- a/sys/src/libauthsrv/convM2TR.c +++ b/sys/src/libauthsrv/convM2TR.c @@ -8,11 +8,15 @@ #define LONG(x) VLONG(f->x) #define STRING(x,n) memmove(f->x, p, n); p += n -void -convM2TR(char *ap, Ticketreq *f) +int +convM2TR(char *ap, int n, Ticketreq *f) { uchar *p; + memset(f, 0, sizeof(Ticketreq)); + if(n < TICKREQLEN) + return -TICKREQLEN; + p = (uchar*)ap; CHAR(type); STRING(authid, ANAMELEN); @@ -24,5 +28,6 @@ convM2TR(char *ap, Ticketreq *f) f->hostid[ANAMELEN-1] = 0; STRING(uid, ANAMELEN); f->uid[ANAMELEN-1] = 0; - USED(p); + n = p - (uchar*)ap; + return n; } diff --git a/sys/src/libauthsrv/convPR2M.c b/sys/src/libauthsrv/convPR2M.c index 8b2422f1b..d5c0ee7ac 100644 --- a/sys/src/libauthsrv/convPR2M.c +++ b/sys/src/libauthsrv/convPR2M.c 
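Review bot: The decrypted copy in `buf[TICKETLEN]` in convM2T holds the session key (`STRING(key, DESKEYLEN)` copies it out of that buffer) and is left on the stack when the function returns; convM2PR's `buf[PASSREQLEN]` likewise holds the old and new passwords in clear after `decrypt(t->key, ap, PASSREQLEN)`. Because decryption now happens into a library-local temporary instead of the caller's buffer, the caller can no longer scrub it, so `memset(buf, 0, sizeof buf);` before `return n;` in both functions is the only place it can be done. The old in-place code left the same plaintext in the caller's buffer, so this is not a regression, just the natural place to close it.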
@@ -9,11 +9,13 @@ #define STRING(x,n) memmove(p, f->x, n); p += n int -convPR2M(Passwordreq *f, char *ap, char *key) +convPR2M(Passwordreq *f, char *ap, int n, Ticket *t) { - int n; uchar *p; + if(n < PASSREQLEN) + return 0; + p = (uchar*)ap; CHAR(num); STRING(old, ANAMELEN); @@ -21,8 +23,8 @@ convPR2M(Passwordreq *f, char *ap, char *key) CHAR(changesecret); STRING(secret, SECRETLEN); n = p - (uchar*)ap; - if(key) - encrypt(key, ap, n); + if(t) + encrypt(t->key, ap, n); return n; } diff --git a/sys/src/libauthsrv/convT2M.c b/sys/src/libauthsrv/convT2M.c index 810ba5c67..77edcef1f 100644 --- a/sys/src/libauthsrv/convT2M.c +++ b/sys/src/libauthsrv/convT2M.c @@ -9,11 +9,13 @@ #define STRING(x,n) memmove(p, f->x, n); p += n int -convT2M(Ticket *f, char *ap, char *key) +convT2M(Ticket *f, char *ap, int n, Authkey *key) { - int n; uchar *p; + if(n < TICKETLEN) + return 0; + p = (uchar*)ap; CHAR(num); STRING(chal, CHALLEN); @@ -22,6 +24,6 @@ convT2M(Ticket *f, char *ap, char *key) STRING(key, DESKEYLEN); n = p - (uchar*)ap; if(key) - encrypt(key, ap, n); + encrypt(key->des, ap, n); return n; } diff --git a/sys/src/libauthsrv/convTR2M.c b/sys/src/libauthsrv/convTR2M.c index 3a7610a71..0bbe9cb6f 100644 --- a/sys/src/libauthsrv/convTR2M.c +++ b/sys/src/libauthsrv/convTR2M.c @@ -9,11 +9,13 @@ #define STRING(x,n) memmove(p, f->x, n); p += n int -convTR2M(Ticketreq *f, char *ap) +convTR2M(Ticketreq *f, char *ap, int n) { - int n; uchar *p; + if(n < TICKREQLEN) + return 0; + p = (uchar*)ap; CHAR(type); STRING(authid, 28); /* BUG */ @@ -24,4 +26,3 @@ convTR2M(Ticketreq *f, char *ap) n = p - (uchar*)ap; return n; } - diff --git a/sys/src/libauthsrv/mkfile b/sys/src/libauthsrv/mkfile index b3e59b670..d46fa52d7 100644 --- a/sys/src/libauthsrv/mkfile +++ b/sys/src/libauthsrv/mkfile @@ -3,6 +3,8 @@ LIB=/$objtype/lib/libauthsrv.a OFILES=\ _asgetticket.$O\ + _asgetresp.$O\ + _asrequest.$O\ _asrdresp.$O\ authdial.$O\ convA2M.$O\ 
diff --git a/sys/src/libauthsrv/passtokey.c b/sys/src/libauthsrv/passtokey.c index cde9a2422..44963cec6 100644 --- a/sys/src/libauthsrv/passtokey.c +++ b/sys/src/libauthsrv/passtokey.c @@ -3,7 +3,7 @@ #include int -passtokey(char *key, char *p) +passtokey(Authkey *key, char *p) { uchar buf[ANAMELEN], *t; int i, n; @@ -15,10 +15,10 @@ passtokey(char *key, char *p) t = buf; strncpy((char*)t, p, n); t[n] = 0; - memset(key, 0, DESKEYLEN); + memset(key, 0, sizeof(Authkey)); for(;;){ for(i = 0; i < DESKEYLEN; i++) - key[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1))); + key->des[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1))); if(n <= 8) return 1; n -= 8; @@ -27,6 +27,6 @@ passtokey(char *key, char *p) t -= 8 - n; n = 8; } - encrypt(key, t, 8); + encrypt(key->des, t, 8); } } diff --git a/sys/src/libauthsrv/readnvram.c b/sys/src/libauthsrv/readnvram.c index ef9c91249..5d054725d 100644 --- a/sys/src/libauthsrv/readnvram.c +++ b/sys/src/libauthsrv/readnvram.c @@ -292,11 +292,14 @@ readnvram(Nvrsafe *safep, int flag) readcons("secstore key", nil, 1, safe->config, sizeof safe->config); for(;;){ - if(readcons("password", nil, 1, in, sizeof in) - == nil) + Authkey k; + + if(readcons("password", nil, 1, in, sizeof in) == nil) goto Out; - if(passtokey(safe->machkey, in)) + if(passtokey(&k, in)){ + memmove(safe->machkey, k.des, DESKEYLEN); break; + } } }