xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

libauthsrv: generalize ticket service, not hardcoding ticket format and DES encryption

Browse source 
this is in preparation for replacing DES ticket encryption with
something better. but first need to make the code stop making
assumptions.

the wire encoding of the Ticket might be variable length
with TICKETLEN just giving an upper bound. the details will be
handled by libauthsrv _asgetticket() and _asgetresp() funciotns.

the Authenticator and Passwordreq structures are encrypted
with the random ticket key. The encryption schmeme will depend
on the Ticket format used, so we pass the Ticket* structure
instead of the DES key.

introduce Authkey structure that will hold all the required
cryptographic keys instead of passing DES key.
This commit is contained in:
cinap_lenrek 2015-08-19 21:06:17 +02:00
parent f785d4da07
commit 02cfcfeab4
47 changed files with 471 additions and 482 deletions
Download patch file Download diff file Expand all files Collapse all files

29
sys/include/authsrv.h
View file

@ -12,6 +12,8 @@ typedef struct Passwordreq Passwordreq;
typedef struct OChapreply OChapreply; typedef struct OChapreply OChapreply;
typedef struct OMSchapreply OMSchapreply; typedef struct OMSchapreply OMSchapreply;
typedef struct Authkey Authkey;
enum enum
{ {
ANAMELEN= 28, /* name max size in previous proto */ ANAMELEN= 28, /* name max size in previous proto */
@ -110,22 +112,27 @@ struct OMSchapreply
}; };
#define OMSCHAPREPLYLEN (ANAMELEN+24+24) #define OMSCHAPREPLYLEN (ANAMELEN+24+24)
struct Authkey
{
char des[DESKEYLEN];
};
/* /*
* convert to/from wire format * convert to/from wire format
*/ */
extern int convT2M(Ticket*, char*, char*); extern int convT2M(Ticket*, char*, int, Authkey*);
extern void convM2T(char*, Ticket*, char*); extern int convM2T(char*, int, Ticket*, Authkey*);
extern int convA2M(Authenticator*, char*, char*); extern int convA2M(Authenticator*, char*, int, Ticket*);
extern void convM2A(char*, Authenticator*, char*); extern int convM2A(char*, int, Authenticator*, Ticket*);
extern int convTR2M(Ticketreq*, char*); extern int convTR2M(Ticketreq*, char*, int);
extern void convM2TR(char*, Ticketreq*); extern int convM2TR(char*, int, Ticketreq*);
extern int convPR2M(Passwordreq*, char*, char*); extern int convPR2M(Passwordreq*, char*, int, Ticket*);
extern void convM2PR(char*, Passwordreq*, char*); extern int convM2PR(char*, int, Passwordreq*, Ticket*);
/* /*
* convert ascii password to DES key * convert ascii password to DES key
*/ */
extern int passtokey(char*, char*); extern int passtokey(Authkey*, char*);
/* /*
* Nvram interface * Nvram interface
@ -167,5 +174,7 @@ extern int authdial(char *netroot, char *authdom);
/* /*
* exchange messages with auth server * exchange messages with auth server
*/ */
extern int _asgetticket(int, char*, char*); extern int _asgetticket(int, Ticketreq*, char*, int);
extern int _asrequest(int, Ticketreq*);
extern int _asgetresp(int, Ticket*, Authenticator*, Authkey *);
extern int _asrdresp(int, char*, int); extern int _asrdresp(int, char*, int);

66
sys/man/2/authsrv
View file

@ -1,6 +1,6 @@
.TH AUTHSRV 2 .TH AUTHSRV 2
.SH NAME .SH NAME
authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrdresp \- routines for communicating with authentication servers authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrequest, _asgetresp, _asrdresp \- routines for communicating with authentication servers
.SH SYNOPSIS .SH SYNOPSIS
.nf .nf
.PP .PP
@ -15,7 +15,7 @@ authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, co
int authdial(char *netroot, char *ad); int authdial(char *netroot, char *ad);
.PP .PP
.B .B
int passtokey(char key[DESKEYLEN], char *password) int passtokey(Authkey *key, char *password)
.PP .PP
.B .B
uchar nvcsum(void *mem, int len) uchar nvcsum(void *mem, int len)
@ -24,34 +24,40 @@ uchar nvcsum(void *mem, int len)
int readnvram(Nvrsafe *nv, int flag); int readnvram(Nvrsafe *nv, int flag);
.PPP .PPP
.B .B
int convT2M(Ticket *t, char *msg, char *key) int convT2M(Ticket *t, char *msg, int len, Authkey *key)
.PP .PP
.B .B
void convM2T(char *msg, Ticket *t, char *key) int convM2T(char *msg, int len, Ticket *t, Authkey *key)
.PP .PP
.B .B
int convA2M(Authenticator *a, char *msg, char *key) int convA2M(Authenticator *a, char *msg, int len, Ticket *t)
.PP .PP
.B .B
void convM2A(char *msg, Authenticator *a, char *key) int convM2A(char *msg, int len, Authenticator *a, Ticket *t)
.PP .PP
.B .B
int convTR2M(Ticketreq *tr, char *msg) int convTR2M(Ticketreq *tr, char *msg, int len)
.PP .PP
.B .B
void convM2TR(char *msg, Ticketreq *tr) int convM2TR(char *msg, int len, Ticketreq *tr)
.PP .PP
.B .B
int convPR2M(Passwordreq *pr, char *msg, char *key) int convPR2M(Passwordreq *pr, char *msg, int len, Ticket *t)
.PP .PP
.B .B
void convM2PR(char *msg, Passwordreq *pr, char *key) int convM2PR(char *msg, int len, Passwordreq *pr, Ticket *t)
.PP .PP
.B .B
int _asgetticket(int fd, char *trbuf, char *tbuf); int _asgetticket(int fd, Ticketreq *tr, char *buf, int len)
.PP .PP
.B .B
int _asrdresp(int fd, char *buf, int len); int _asrequest(int fd, Ticketreq *tr)
.PP
.B
int _asgetresp(int fd, Ticket *t, Authenticator *a, Authkey *key)
.PP
.B
int _asrdresp(int fd, char *buf, int len)
.SH DESCRIPTION .SH DESCRIPTION
.I Authdial .I Authdial
dials an authentication server over the dials an authentication server over the
@ -99,7 +105,9 @@ is used to make the call.
.I Passtokey .I Passtokey
converts converts
.I password .I password
into a DES key and stores the result in into a set of cryptographic keys and stores them in the
.I Authkey
structure
.IR key . .IR key .
It returns 0 if It returns 0 if
.I password .I password
@ -213,18 +221,34 @@ are used to convert them back.
.I Key .I Key
is used for encrypting the message before transmission and decrypting is used for encrypting the message before transmission and decrypting
after reception. after reception.
.PP .IR ConvA2M ,
The routine .IR convM2A ,
.I _asgetresp .I convPR2M
receives either a character array or an error string. and
On error, it sets errstr and returns -1. If successful, .I convM2PR
it returns the number of bytes received. encrypt/decrypt the message with the random ticket key.
.PP .PP
The routine The routine
.I _asgetticket .I _asgetticket
sends a ticket request message and then uses sends a ticket request
.I tr
returning the two encrypted tickets in
.IR buf .
The routine
.I _asrequest
encodes the ticket request
.I tr
and sends it not waiting for a response.
After sending a request,
.I _asgetresp .I _asgetresp
to recieve an answer. can be used to receive the response containing a ticket and an optional
authenticator and decrypts the ticket and authenticator using
.IR key .
The routine
.I _asrdresp
receives either a character array or an error string.
On error, it sets errstr and returns -1. If successful,
it returns the number of bytes received.
.SH SOURCE .SH SOURCE
.B /sys/src/libauthsrv .B /sys/src/libauthsrv
.SH SEE ALSO .SH SEE ALSO

1
sys/src/cmd/auth/as.c
View file

@ -8,6 +8,7 @@
#include <bio.h> #include <bio.h>
#include <libsec.h> #include <libsec.h>
#include <auth.h> #include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
int debug; int debug;

12
sys/src/cmd/auth/authcmdlib.h
View file

@ -39,13 +39,14 @@ extern Fs fs[3];
void checksum(char*, char*); void checksum(char*, char*);
void error(char*, ...); void error(char*, ...);
void fail(char*); void fail(char*);
char* findkey(char*, char*, char*); int findkey(char*, char*, Authkey*);
char* finddeskey(char*, char*, char*);
char* findsecret(char*, char*, char*); char* findsecret(char*, char*, char*);
int getauthkey(char*); int getauthkey(Authkey*);
long getexpiration(char *db, char *u); long getexpiration(char *db, char *u);
void getpass(char*, char*, int, int); void getpass(Authkey*, char*, int, int);
int getsecret(int, char*); int getsecret(int, char*);
int keyfmt(Fmt*); int deskeyfmt(Fmt*);
void logfail(char*); void logfail(char*);
int netcheck(void*, long, char*); int netcheck(void*, long, char*);
char* netdecimal(char*); char* netdecimal(char*);
@ -58,7 +59,8 @@ int readfile(char*, char*, int);
void readln(char*, char*, int, int); void readln(char*, char*, int, int);
long readn(int, void*, long); long readn(int, void*, long);
char* secureidcheck(char*, char*); char* secureidcheck(char*, char*);
char* setkey(char*, char*, char*); int setkey(char*, char*, Authkey*);
char* setdeskey(char*, char*, char*);
char* setsecret(char*, char*, char*); char* setsecret(char*, char*, char*);
int smartcheck(void*, long, char*); int smartcheck(void*, long, char*);
void succeed(char*); void succeed(char*);

234
sys/src/cmd/auth/authsrv.c
View file

@ -30,22 +30,24 @@ void vnc(Ticketreq*);
int speaksfor(char*, char*); int speaksfor(char*, char*);
void replyerror(char*, ...); void replyerror(char*, ...);
void getraddr(char*); void getraddr(char*);
void mkkey(char*); void mkkey(Authkey*);
int samekey(Authkey*, Authkey*);
void mkticket(Ticketreq*, Ticket*);
void randombytes(uchar*, int); void randombytes(uchar*, int);
void nthash(uchar hash[MShashlen], char *passwd); void nthash(uchar hash[MShashlen], char *passwd);
void lmhash(uchar hash[MShashlen], char *passwd); void lmhash(uchar hash[MShashlen], char *passwd);
void ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom); void ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom);
void mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen]); void mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen]);
void desencrypt(uchar data[8], uchar key[7]); void desencrypt(uchar data[8], uchar key[7]);
int tickauthreply(Ticketreq*, char*); int tickauthreply(Ticketreq*, Authkey*);
void safecpy(char*, char*, int); void safecpy(char*, char*, int);
void void
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
char buf[TICKREQLEN]; char buf[TICKREQLEN];
Ticketreq tr; Ticketreq tr;
int n;
ARGBEGIN{ ARGBEGIN{
case 'd': case 'd':
@ -64,11 +66,10 @@ main(int argc, char *argv[])
srand(time(0)*getpid()); srand(time(0)*getpid());
for(;;){ for(;;){
if(readn(0, buf, TICKREQLEN) <= 0) n = readn(0, buf, sizeof(buf));
if(n <= 0 || convM2TR(buf, n, &tr) <= 0)
exits(0); exits(0);
switch(tr.type){
convM2TR(buf, &tr);
switch(buf[0]){
case AuthTreq: case AuthTreq:
ticketrequest(&tr); ticketrequest(&tr);
break; break;
@ -97,7 +98,7 @@ main(int argc, char *argv[])
vnc(&tr); vnc(&tr);
break; break;
default: default:
syslog(0, AUTHLOG, "unknown ticket request type: %d", buf[0]); syslog(0, AUTHLOG, "unknown ticket request type: %d", tr.type);
exits(0); exits(0);
} }
} }
@ -107,45 +108,39 @@ main(int argc, char *argv[])
int int
ticketrequest(Ticketreq *tr) ticketrequest(Ticketreq *tr)
{ {
char akey[DESKEYLEN]; Authkey akey, hkey;
char hkey[DESKEYLEN];
Ticket t;
char tbuf[2*TICKETLEN+1]; char tbuf[2*TICKETLEN+1];
Ticket t;
int n;
if(findkey(KEYDB, tr->authid, akey) == 0){ if(!findkey(KEYDB, tr->authid, &akey)){
/* make one up so caller doesn't know it was wrong */ /* make one up so caller doesn't know it was wrong */
mkkey(akey); mkkey(&akey);
if(debug) if(debug)
syslog(0, AUTHLOG, "tr-fail authid %s", raddr); syslog(0, AUTHLOG, "tr-fail authid %s", raddr);
} }
if(findkey(KEYDB, tr->hostid, hkey) == 0){ if(!findkey(KEYDB, tr->hostid, &hkey)){
/* make one up so caller doesn't know it was wrong */ /* make one up so caller doesn't know it was wrong */
mkkey(hkey); mkkey(&hkey);
if(debug) if(debug)
syslog(0, AUTHLOG, "tr-fail hostid %s(%s)", tr->hostid, raddr); syslog(0, AUTHLOG, "tr-fail hostid %s(%s)", tr->hostid, raddr);
} }
memset(&t, 0, sizeof(t)); mkticket(tr, &t);
memmove(t.chal, tr->chal, CHALLEN); if(!speaksfor(tr->hostid, tr->uid)){
strcpy(t.cuid, tr->uid); mkkey(&akey);
if(speaksfor(tr->hostid, tr->uid)) mkkey(&hkey);
strcpy(t.suid, tr->uid);
else {
mkkey(akey);
mkkey(hkey);
if(debug) if(debug)
syslog(0, AUTHLOG, "tr-fail %s@%s(%s) -> %s@%s no speaks for", syslog(0, AUTHLOG, "tr-fail %s@%s(%s) -> %s@%s no speaks for",
tr->uid, tr->hostid, raddr, tr->uid, tr->authid); tr->uid, tr->hostid, raddr, tr->uid, tr->authid);
} }
n = 0;
mkkey(t.key); tbuf[n++] = AuthOK;
tbuf[0] = AuthOK;
t.num = AuthTc; t.num = AuthTc;
convT2M(&t, tbuf+1, hkey); n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &hkey);
t.num = AuthTs; t.num = AuthTs;
convT2M(&t, tbuf+1+TICKETLEN, akey); n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &akey);
if(write(1, tbuf, 2*TICKETLEN+1) < 0){ if(write(1, tbuf, n) < 0){
if(debug) if(debug)
syslog(0, AUTHLOG, "tr-fail %s@%s(%s): hangup", syslog(0, AUTHLOG, "tr-fail %s@%s(%s): hangup",
tr->uid, tr->hostid, raddr); tr->uid, tr->hostid, raddr);
@ -163,22 +158,23 @@ challengebox(Ticketreq *tr)
{ {
long chal; long chal;
char *key, *netkey; char *key, *netkey;
char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN]; Authkey hkey;
char kbuf[DESKEYLEN], nkbuf[DESKEYLEN];
char buf[NETCHLEN+1]; char buf[NETCHLEN+1];
char *err; char *err;
key = findkey(KEYDB, tr->uid, kbuf); key = finddeskey(KEYDB, tr->uid, kbuf);
netkey = findkey(NETKEYDB, tr->uid, nkbuf); netkey = finddeskey(NETKEYDB, tr->uid, nkbuf);
if(key == 0 && netkey == 0){ if(key == nil && netkey == nil){
/* make one up so caller doesn't know it was wrong */ /* make one up so caller doesn't know it was wrong */
mkkey(nkbuf); randombytes((uchar*)nkbuf, DESKEYLEN);
netkey = nkbuf; netkey = nkbuf;
if(debug) if(debug)
syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr); syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
} }
if(findkey(KEYDB, tr->hostid, hkey) == 0){ if(!findkey(KEYDB, tr->hostid, &hkey)){
/* make one up so caller doesn't know it was wrong */ /* make one up so caller doesn't know it was wrong */
mkkey(hkey); mkkey(&hkey);
if(debug) if(debug)
syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid, syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid,
tr->uid, raddr); tr->uid, raddr);
@ -195,8 +191,8 @@ challengebox(Ticketreq *tr)
exits(0); exits(0);
if(readn(0, buf, NETCHLEN) < 0) if(readn(0, buf, NETCHLEN) < 0)
exits(0); exits(0);
if(!(key && netcheck(key, chal, buf)) if(!(key != nil && netcheck(key, chal, buf))
&& !(netkey && netcheck(netkey, chal, buf)) && !(netkey != nil && netcheck(netkey, chal, buf))
&& (err = secureidcheck(tr->uid, buf)) != nil){ && (err = secureidcheck(tr->uid, buf)) != nil){
replyerror("cr-fail %s %s %s", err, tr->uid, raddr); replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
logfail(tr->uid); logfail(tr->uid);
@ -210,7 +206,7 @@ challengebox(Ticketreq *tr)
/* /*
* reply with ticket & authenticator * reply with ticket & authenticator
*/ */
if(tickauthreply(tr, hkey) < 0){ if(tickauthreply(tr, &hkey) < 0){
if(debug) if(debug)
syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup", syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup",
tr->uid, tr->hostid, raddr); tr->uid, tr->hostid, raddr);
@ -229,36 +225,36 @@ changepasswd(Ticketreq *tr)
char tbuf[TICKETLEN+1]; char tbuf[TICKETLEN+1];
char prbuf[PASSREQLEN]; char prbuf[PASSREQLEN];
Passwordreq pr; Passwordreq pr;
char okey[DESKEYLEN], nkey[DESKEYLEN]; Authkey okey, nkey;
char *err; char *err;
int n;
if(findkey(KEYDB, tr->uid, okey) == 0){ if(!findkey(KEYDB, tr->uid, &okey)){
/* make one up so caller doesn't know it was wrong */ /* make one up so caller doesn't know it was wrong */
mkkey(okey); mkkey(&okey);
syslog(0, AUTHLOG, "cp-fail uid %s", raddr); syslog(0, AUTHLOG, "cp-fail uid %s", raddr);
} }
/* send back a ticket with a new key */ /* send back a ticket with a new key */
memmove(t.chal, tr->chal, CHALLEN); mkticket(tr, &t);
mkkey(t.key);
tbuf[0] = AuthOK;
t.num = AuthTp; t.num = AuthTp;
safecpy(t.cuid, tr->uid, sizeof(t.cuid)); n = 0;
safecpy(t.suid, tr->uid, sizeof(t.suid)); tbuf[n++] = AuthOK;
convT2M(&t, tbuf+1, okey); n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &okey);
write(1, tbuf, sizeof(tbuf)); if(write(1, tbuf, n) != n)
exits(0);
/* loop trying passwords out */ /* loop trying passwords out */
for(;;){ for(;;){
if(readn(0, prbuf, PASSREQLEN) < 0) n = readn(0, prbuf, sizeof(prbuf));
if(n <= 0 || convM2PR(prbuf, n, &pr, &t) <= 0)
exits(0); exits(0);
convM2PR(prbuf, &pr, t.key);
if(pr.num != AuthPass){ if(pr.num != AuthPass){
replyerror("protocol botch1: %s", raddr); replyerror("protocol botch1: %s", raddr);
exits(0); exits(0);
} }
passtokey(nkey, pr.old); passtokey(&nkey, pr.old);
if(memcmp(nkey, okey, DESKEYLEN)){ if(!samekey(&nkey, &okey)){
replyerror("protocol botch2: %s", raddr); replyerror("protocol botch2: %s", raddr);
continue; continue;
} }
@ -268,13 +264,13 @@ changepasswd(Ticketreq *tr)
replyerror("%s %s", err, raddr); replyerror("%s %s", err, raddr);
continue; continue;
} }
passtokey(nkey, pr.new); passtokey(&nkey, pr.new);
} }
if(pr.changesecret && setsecret(KEYDB, tr->uid, pr.secret) == 0){ if(pr.changesecret && setsecret(KEYDB, tr->uid, pr.secret) == 0){
replyerror("can't write secret %s", raddr); replyerror("can't write secret %s", raddr);
continue; continue;
} }
if(*pr.new && setkey(KEYDB, tr->uid, nkey) == 0){ if(*pr.new && setkey(KEYDB, tr->uid, &nkey) == 0){
replyerror("can't write key %s", raddr); replyerror("can't write key %s", raddr);
continue; continue;
} }
@ -292,15 +288,14 @@ http(Ticketreq *tr)
{ {
Ticket t; Ticket t;
char tbuf[TICKETLEN+1]; char tbuf[TICKETLEN+1];
char key[DESKEYLEN]; Authkey key;
char *p; char *p;
Biobuf *b; Biobuf *b;
int n; int n;
randombytes((uchar*)key, DESKEYLEN);
/* use plan9 key when there is any */ /* use plan9 key when there is any */
findkey(KEYDB, tr->uid, key); if(!findkey(KEYDB, tr->uid, &key))
mkkey(&key);
n = strlen(tr->uid); n = strlen(tr->uid);
b = Bopen("/sys/lib/httppasswords", OREAD); b = Bopen("/sys/lib/httppasswords", OREAD);
@ -315,21 +310,20 @@ http(Ticketreq *tr)
p += n; p += n;
while(*p == ' ' || *p == '\t') while(*p == ' ' || *p == '\t')
p++; p++;
passtokey(key, p); passtokey(&key, p);
} }
} }
Bterm(b); Bterm(b);
} }
/* send back a ticket encrypted with the key */ /* send back a ticket encrypted with the key */
mkticket(tr, &t);
randombytes((uchar*)t.chal, CHALLEN); randombytes((uchar*)t.chal, CHALLEN);
mkkey(t.key);
tbuf[0] = AuthOK;
t.num = AuthHr; t.num = AuthHr;
safecpy(t.cuid, tr->uid, sizeof(t.cuid)); n = 0;
safecpy(t.suid, tr->uid, sizeof(t.suid)); tbuf[n++] = AuthOK;
convT2M(&t, tbuf+1, key); n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &key);
write(1, tbuf, sizeof(tbuf)); write(1, tbuf, n);
} }
static char* static char*
@ -339,13 +333,13 @@ domainname(void)
static char *domain; static char *domain;
int n; int n;
if(domain) if(domain != nil)
return domain; return domain;
if(*sysname) if(*sysname)
return sysname; return sysname;
domain = csgetvalue(0, "sys", sysname, "dom", nil); domain = csgetvalue(0, "sys", sysname, "dom", nil);
if(domain) if(domain != nil)
return domain; return domain;
n = readfile("/dev/sysname", sysname, sizeof(sysname)-1); n = readfile("/dev/sysname", sysname, sizeof(sysname)-1);
@ -373,12 +367,13 @@ h2b(char c)
void void
apop(Ticketreq *tr, int type) apop(Ticketreq *tr, int type)
{ {
int challen, i, tries; int challen, i, n, tries;
char *secret, *hkey, *p; char *secret, *p;
Authkey hkey;
Ticketreq treq; Ticketreq treq;
DigestState *s; DigestState *s;
char sbuf[SECRETLEN], hbuf[DESKEYLEN]; char sbuf[SECRETLEN];
char tbuf[TICKREQLEN]; char trbuf[TICKREQLEN];
char buf[MD5dlen*2]; char buf[MD5dlen*2];
uchar digest[MD5dlen], resp[MD5dlen]; uchar digest[MD5dlen], resp[MD5dlen];
ulong rb[4]; ulong rb[4];
@ -401,9 +396,9 @@ apop(Ticketreq *tr, int type)
/* /*
* get ticket request * get ticket request
*/ */
if(readn(0, tbuf, TICKREQLEN) < 0) n = readn(0, trbuf, sizeof(trbuf));
if(n <= 0 || convM2TR(trbuf, n, &treq) <= 0)
exits(0); exits(0);
convM2TR(tbuf, &treq);
tr = &treq; tr = &treq;
if(tr->type != type) if(tr->type != type)
exits(0); exits(0);
@ -411,7 +406,7 @@ apop(Ticketreq *tr, int type)
/* /*
* read response * read response
*/ */
if(readn(0, buf, MD5dlen*2) < 0) if(readn(0, buf, MD5dlen*2) != MD5dlen*2)
exits(0); exits(0);
for(i = 0; i < MD5dlen; i++) for(i = 0; i < MD5dlen; i++)
resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]); resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]);
@ -420,8 +415,7 @@ apop(Ticketreq *tr, int type)
* lookup * lookup
*/ */
secret = findsecret(KEYDB, tr->uid, sbuf); secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf); if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
if(hkey == 0 || secret == 0){
replyerror("apop-fail bad response %s", raddr); replyerror("apop-fail bad response %s", raddr);
logfail(tr->uid); logfail(tr->uid);
if(tries > 5) if(tries > 5)
@ -455,7 +449,7 @@ apop(Ticketreq *tr, int type)
/* /*
* reply with ticket & authenticator * reply with ticket & authenticator
*/ */
if(tickauthreply(tr, hkey) < 0) if(tickauthreply(tr, &hkey) < 0)
exits(0); exits(0);
if(debug){ if(debug){
@ -493,10 +487,11 @@ uchar swizzletab[256] = {
void void
vnc(Ticketreq *tr) vnc(Ticketreq *tr)
{ {
char *secret;
Authkey hkey;
uchar chal[VNCchallen+6]; uchar chal[VNCchallen+6];
uchar reply[VNCchallen]; uchar reply[VNCchallen];
char *secret, *hkey; char sbuf[SECRETLEN];
char sbuf[SECRETLEN], hbuf[DESKEYLEN];
DESstate s; DESstate s;
int i; int i;
@ -514,18 +509,15 @@ vnc(Ticketreq *tr)
*/ */
memset(sbuf, 0, sizeof(sbuf)); memset(sbuf, 0, sizeof(sbuf));
secret = findsecret(KEYDB, tr->uid, sbuf); secret = findsecret(KEYDB, tr->uid, sbuf);
if(secret == 0){ if(secret == nil){
randombytes((uchar*)sbuf, sizeof(sbuf)); randombytes((uchar*)sbuf, sizeof(sbuf));
secret = sbuf; secret = sbuf;
} }
for(i = 0; i < 8; i++) for(i = 0; i < 8; i++)
secret[i] = swizzletab[(uchar)secret[i]]; secret[i] = swizzletab[(uchar)secret[i]];
hkey = findkey(KEYDB, tr->hostid, hbuf); if(!findkey(KEYDB, tr->hostid, &hkey))
if(hkey == 0){ mkkey(&hkey);
randombytes((uchar*)hbuf, sizeof(hbuf));
hkey = hbuf;
}
/* /*
* get response * get response
@ -548,7 +540,7 @@ vnc(Ticketreq *tr)
/* /*
* reply with ticket & authenticator * reply with ticket & authenticator
*/ */
if(tickauthreply(tr, hkey) < 0) if(tickauthreply(tr, &hkey) < 0)
exits(0); exits(0);
if(debug) if(debug)
@ -558,9 +550,10 @@ vnc(Ticketreq *tr)
void void
chap(Ticketreq *tr) chap(Ticketreq *tr)
{ {
char *secret, *hkey; char *secret;
Authkey hkey;
DigestState *s; DigestState *s;
char sbuf[SECRETLEN], hbuf[DESKEYLEN]; char sbuf[SECRETLEN];
uchar digest[MD5dlen]; uchar digest[MD5dlen];
char chal[CHALLEN]; char chal[CHALLEN];
OChapreply reply; OChapreply reply;
@ -582,8 +575,7 @@ chap(Ticketreq *tr)
* lookup * lookup
*/ */
secret = findsecret(KEYDB, tr->uid, sbuf); secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf); if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
if(hkey == 0 || secret == 0){
replyerror("chap-fail bad response %s", raddr); replyerror("chap-fail bad response %s", raddr);
logfail(tr->uid); logfail(tr->uid);
exits(0); exits(0);
@ -607,7 +599,7 @@ chap(Ticketreq *tr)
/* /*
* reply with ticket & authenticator * reply with ticket & authenticator
*/ */
if(tickauthreply(tr, hkey) < 0) if(tickauthreply(tr, &hkey) < 0)
exits(0); exits(0);
if(debug) if(debug)
@ -671,8 +663,9 @@ static uchar ntblobsig[] = {0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
void void
mschap(Ticketreq *tr) mschap(Ticketreq *tr)
{ {
char *secret, *hkey; char *secret;
char sbuf[SECRETLEN], hbuf[DESKEYLEN], windom[128]; Authkey hkey;
char sbuf[SECRETLEN], windom[128];
uchar chal[CHALLEN], ntblob[1024]; uchar chal[CHALLEN], ntblob[1024];
uchar hash[MShashlen]; uchar hash[MShashlen];
uchar hash2[MShashlen]; uchar hash2[MShashlen];
@ -743,8 +736,7 @@ mschap(Ticketreq *tr)
* lookup * lookup
*/ */
secret = findsecret(KEYDB, tr->uid, sbuf); secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf); if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
if(hkey == 0 || secret == 0){
replyerror("mschap-fail bad response %s/%s(%s)", replyerror("mschap-fail bad response %s/%s(%s)",
tr->uid, tr->hostid, raddr); tr->uid, tr->hostid, raddr);
logfail(tr->uid); logfail(tr->uid);
@ -812,7 +804,7 @@ mschap(Ticketreq *tr)
/* /*
* reply with ticket & authenticator * reply with ticket & authenticator
*/ */
if(tickauthreply(tr, hkey) < 0) if(tickauthreply(tr, &hkey) < 0)
exits(0); exits(0);
if(debug) if(debug)
@ -939,16 +931,16 @@ speaksfor(char *speaker, char *user)
if(strcmp(speaker, user) == 0) if(strcmp(speaker, user) == 0)
return 1; return 1;
if(db == 0) if(db == nil)
return 0; return 0;
tp = ndbsearch(db, &s, "hostid", speaker); tp = ndbsearch(db, &s, "hostid", speaker);
if(tp == 0) if(tp == nil)
return 0; return 0;
ok = 0; ok = 0;
snprint(notuser, sizeof notuser, "!%s", user); snprint(notuser, sizeof notuser, "!%s", user);
for(ntp = tp; ntp; ntp = ntp->entry) for(ntp = tp; ntp != nil; ntp = ntp->entry)
if(strcmp(ntp->attr, "uid") == 0){ if(strcmp(ntp->attr, "uid") == 0){
if(strcmp(ntp->val, notuser) == 0){ if(strcmp(ntp->val, notuser) == 0){
ok = 0; ok = 0;
@ -1003,9 +995,25 @@ getraddr(char *dir)
} }
void void
mkkey(char *k) mkkey(Authkey *k)
{ {
randombytes((uchar*)k, DESKEYLEN); randombytes((uchar*)k->des, DESKEYLEN);
}
int
samekey(Authkey *a, Authkey *b)
{
return memcmp(a->des, b->des, DESKEYLEN) == 0;
}
void
mkticket(Ticketreq *tr, Ticket *t)
{
memset(t, 0, sizeof(Ticket));
memmove(t->chal, tr->chal, CHALLEN);
safecpy(t->cuid, tr->uid, sizeof(t->cuid));
safecpy(t->suid, tr->uid, sizeof(t->suid));
randombytes((uchar*)t->key, DESKEYLEN);
} }
void void
@ -1024,25 +1032,24 @@ randombytes(uchar *buf, int len)
* reply with ticket and authenticator * reply with ticket and authenticator
*/ */
int int
tickauthreply(Ticketreq *tr, char *hkey) tickauthreply(Ticketreq *tr, Authkey *hkey)
{ {
Ticket t; Ticket t;
Authenticator a; Authenticator a;
char buf[TICKETLEN+AUTHENTLEN+1]; char buf[TICKETLEN+AUTHENTLEN+1];
int n;
memset(&t, 0, sizeof(t)); mkticket(tr, &t);
memmove(t.chal, tr->chal, CHALLEN);
safecpy(t.cuid, tr->uid, sizeof t.cuid);
safecpy(t.suid, tr->uid, sizeof t.suid);
mkkey(t.key);
buf[0] = AuthOK;
t.num = AuthTs; t.num = AuthTs;
convT2M(&t, buf+1, hkey); n = 0;
buf[n++] = AuthOK;
n += convT2M(&t, buf+n, sizeof(buf)-n, hkey);
memset(&a, 0, sizeof(a));
memmove(a.chal, t.chal, CHALLEN); memmove(a.chal, t.chal, CHALLEN);
a.num = AuthAc; a.num = AuthAc;
a.id = 0; a.id = 0;
convA2M(&a, buf+TICKETLEN+1, t.key); n += convA2M(&a, buf+n, sizeof(buf)-n, &t);
if(write(1, buf, TICKETLEN+AUTHENTLEN+1) < 0) if(write(1, buf, n) != n)
return -1; return -1;
return 0; return 0;
} }
@ -1053,3 +1060,4 @@ safecpy(char *to, char *from, int len)
strncpy(to, from, len); strncpy(to, from, len);
to[len-1] = 0; to[len-1] = 0;
} }

25
sys/src/cmd/auth/changeuser.c
View file

@ -5,7 +5,7 @@
#include <bio.h> #include <bio.h>
#include "authcmdlib.h" #include "authcmdlib.h"
void install(char*, char*, char*, long, int); void install(char*, char*, Authkey*, long, int);
int exists (char*, char*); int exists (char*, char*);
void void
@ -18,14 +18,15 @@ usage(void)
void void
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
char *u, key[DESKEYLEN], answer[32], p9pass[32]; char *u, answer[32], p9pass[32];
int which, i, newkey, newbio, dosecret; int which, i, newkey, newbio, dosecret;
long t; long t;
Authkey key;
Acctbio a; Acctbio a;
Fs *f; Fs *f;
srand(getpid()*time(0)); srand(getpid()*time(0));
fmtinstall('K', keyfmt); fmtinstall('K', deskeyfmt);
which = 0; which = 0;
ARGBEGIN{ ARGBEGIN{
@ -61,10 +62,10 @@ main(int argc, char *argv[])
newkey = 0; newkey = 0;
} }
if(newkey) if(newkey)
getpass(key, p9pass, 1, 1); getpass(&key, p9pass, 1, 1);
dosecret = getsecret(newkey, p9pass); dosecret = getsecret(newkey, p9pass);
t = getexpiration(f->keys, u); t = getexpiration(f->keys, u);
install(f->keys, u, key, t, newkey); install(f->keys, u, &key, t, newkey);
if(dosecret && setsecret(KEYDB, u, p9pass) == 0) if(dosecret && setsecret(KEYDB, u, p9pass) == 0)
error("error writing Inferno/pop secret"); error("error writing Inferno/pop secret");
newbio = querybio(f->who, u, &a); newbio = querybio(f->who, u, &a);
@ -83,17 +84,17 @@ main(int argc, char *argv[])
} }
if(newkey) if(newkey)
for(i=0; i<DESKEYLEN; i++) for(i=0; i<DESKEYLEN; i++)
key[i] = nrand(256); key.des[i] = nrand(256);
if(a.user == 0){ if(a.user == 0){
t = getexpiration(f->keys, u); t = getexpiration(f->keys, u);
newbio = querybio(f->who, u, &a); newbio = querybio(f->who, u, &a);
} }
install(f->keys, u, key, t, newkey); install(f->keys, u, &key, t, newkey);
if(newbio) if(newbio)
wrbio(f->who, &a); wrbio(f->who, &a);
findkey(f->keys, u, key); finddeskey(f->keys, u, key.des);
print("user %s: SecureNet key: %K\n", u, key); print("user %s: SecureNet key: %K\n", u, key.des);
checksum(key, answer); checksum(key.des, answer);
print("verify with checksum %s\n", answer); print("verify with checksum %s\n", answer);
print("user %s installed for SecureNet\n", u); print("user %s installed for SecureNet\n", u);
syslog(0, AUTHLOG, "user %s installed for securenet", u); syslog(0, AUTHLOG, "user %s installed for securenet", u);
@ -102,7 +103,7 @@ main(int argc, char *argv[])
} }
void void
install(char *db, char *u, char *key, long t, int newkey) install(char *db, char *u, Authkey *key, long t, int newkey)
{ {
char buf[KEYDBBUF+ANAMELEN+20]; char buf[KEYDBBUF+ANAMELEN+20];
int fd; int fd;
@ -118,7 +119,7 @@ install(char *db, char *u, char *key, long t, int newkey)
if(newkey){ if(newkey){
sprint(buf, "%s/%s/key", db, u); sprint(buf, "%s/%s/key", db, u);
fd = open(buf, OWRITE); fd = open(buf, OWRITE);
if(fd < 0 || write(fd, key, DESKEYLEN) != DESKEYLEN) if(fd < 0 || write(fd, key->des, DESKEYLEN) != DESKEYLEN)
error("can't set key: %r"); error("can't set key: %r");
close(fd); close(fd);
} }

22
sys/src/cmd/auth/convkeys.c
View file

@ -7,19 +7,19 @@
#include <bio.h> #include <bio.h>
#include "authcmdlib.h" #include "authcmdlib.h"
char authkey[DESKEYLEN]; Authkey authkey;
int verb; int verb;
int usepass; int usepass;
int convert(char*, char*, int); int convert(char*, Authkey*, int);
int dofcrypt(int, char*, char*, int);
void usage(void); void usage(void);
void void
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
Dir *d; Dir *d;
char *p, *file, key[DESKEYLEN]; Authkey key;
char *p, *file;
int fd, len; int fd, len;
ARGBEGIN{ ARGBEGIN{
@ -40,12 +40,12 @@ main(int argc, char *argv[])
/* get original key */ /* get original key */
if(usepass){ if(usepass){
print("enter password file is encoded with\n"); print("enter password file is encoded with\n");
getpass(authkey, nil, 0, 1); getpass(&authkey, nil, 0, 1);
} else } else
getauthkey(authkey); getauthkey(&authkey);
if(!verb){ if(!verb){
print("enter password to reencode with\n"); print("enter password to reencode with\n");
getpass(key, nil, 0, 1); getpass(&key, nil, 0, 1);
} }
fd = open(file, ORDWR); fd = open(file, ORDWR);
@ -60,7 +60,7 @@ main(int argc, char *argv[])
error("out of memory"); error("out of memory");
if(read(fd, p, len) != len) if(read(fd, p, len) != len)
error("can't read key file: %r\n"); error("can't read key file: %r\n");
len = convert(p, key, len); len = convert(p, &key, len);
if(verb) if(verb)
exits(0); exits(0);
if(pwrite(fd, p, len, 0) != len) if(pwrite(fd, p, len, 0) != len)
@ -128,7 +128,7 @@ badname(char *s)
} }
int int
convert(char *p, char *key, int len) convert(char *p, Authkey *key, int len)
{ {
int i; int i;
@ -139,7 +139,7 @@ convert(char *p, char *key, int len)
len -= len % KEYDBLEN; len -= len % KEYDBLEN;
} }
len += KEYDBOFF; len += KEYDBOFF;
oldCBCdecrypt(authkey, p, len); oldCBCdecrypt(authkey.des, p, len);
for(i = KEYDBOFF; i < len; i += KEYDBLEN) for(i = KEYDBOFF; i < len; i += KEYDBLEN)
if (badname(&p[i])) { if (badname(&p[i])) {
print("bad name %.30s... - aborting\n", &p[i]); print("bad name %.30s... - aborting\n", &p[i]);
@ -150,7 +150,7 @@ convert(char *p, char *key, int len)
print("%s\n", &p[i]); print("%s\n", &p[i]);
randombytes((uchar*)p, 8); randombytes((uchar*)p, 8);
oldCBCencrypt(key, p, len); oldCBCencrypt(key->des, p, len);
return len; return len;
} }

22
sys/src/cmd/auth/convkeys2.c
View file

@ -6,12 +6,11 @@
#include <bio.h> #include <bio.h>
#include "authcmdlib.h" #include "authcmdlib.h"
char authkey[DESKEYLEN]; Authkey authkey;
int verb; int verb;
int usepass; int usepass;
int convert(char*, char*, char*, int); int convert(char*, char*, Authkey*, int);
int dofcrypt(int, char*, char*, int);
void usage(void); void usage(void);
void randombytes(uchar*, int); void randombytes(uchar*, int);
@ -19,7 +18,8 @@ void
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
Dir *d; Dir *d;
char *p, *np, *file, key[DESKEYLEN]; Authkey key;
char *p, *np, *file;
int fd, len; int fd, len;
ARGBEGIN{ ARGBEGIN{
@ -40,11 +40,11 @@ main(int argc, char *argv[])
/* get original key */ /* get original key */
if(usepass){ if(usepass){
print("enter password file is encoded with\n"); print("enter password file is encoded with\n");
getpass(authkey, nil, 0, 1); getpass(&authkey, nil, 0, 1);
} else } else
getauthkey(authkey); getauthkey(&authkey);
print("enter password to reencode with\n"); print("enter password to reencode with\n");
getpass(key, nil, 0, 1); getpass(&key, nil, 0, 1);
fd = open(file, ORDWR); fd = open(file, ORDWR);
if(fd < 0) if(fd < 0)
@ -61,7 +61,7 @@ main(int argc, char *argv[])
error("out of memory"); error("out of memory");
if(read(fd, p, len) != len) if(read(fd, p, len) != len)
error("can't read key file: %r\n"); error("can't read key file: %r\n");
len = convert(p, np, key, len); len = convert(p, np, &key, len);
if(verb) if(verb)
exits(0); exits(0);
if(pwrite(fd, np, len, 0) != len) if(pwrite(fd, np, len, 0) != len)
@ -84,7 +84,7 @@ oldCBCencrypt(char *key7, char *p, int len)
} }
int int
convert(char *p, char *np, char *key, int len) convert(char *p, char *np, Authkey *key, int len)
{ {
int i, off, noff; int i, off, noff;
@ -95,7 +95,7 @@ convert(char *p, char *np, char *key, int len)
for(i = 0; i < len; i ++){ for(i = 0; i < len; i ++){
off = i*OKEYDBLEN; off = i*OKEYDBLEN;
noff = KEYDBOFF+i*(KEYDBLEN); noff = KEYDBOFF+i*(KEYDBLEN);
decrypt(authkey, &p[off], OKEYDBLEN); decrypt(authkey.des, &p[off], OKEYDBLEN);
memmove(&np[noff], &p[off], OKEYDBLEN); memmove(&np[noff], &p[off], OKEYDBLEN);
memset(&np[noff-SECRETLEN], 0, SECRETLEN); memset(&np[noff-SECRETLEN], 0, SECRETLEN);
if(verb) if(verb)
@ -103,7 +103,7 @@ convert(char *p, char *np, char *key, int len)
} }
randombytes((uchar*)np, KEYDBOFF); randombytes((uchar*)np, KEYDBOFF);
len = (len*KEYDBLEN) + KEYDBOFF; len = (len*KEYDBLEN) + KEYDBOFF;
oldCBCencrypt(key, np, len); oldCBCencrypt(key->des, np, len);
return len; return len;
} }

1
sys/src/cmd/auth/cron.c
View file

@ -3,6 +3,7 @@
#include <bio.h> #include <bio.h>
#include <libsec.h> #include <libsec.h>
#include <auth.h> #include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
char CRONLOG[] = "cron"; char CRONLOG[] = "cron";

27
sys/src/cmd/auth/debug.c
View file

@ -208,9 +208,9 @@ authdialfutz(char *dom, char *user)
void void
authfutz(char *dom, char *user) authfutz(char *dom, char *user)
{ {
int fd, nobootes; int fd, nobootes, n, m;
char pw[128], prompt[128], key[DESKEYLEN], booteskey[DESKEYLEN], tbuf[2*TICKETLEN], char pw[128], prompt[128], tbuf[2*TICKETLEN];
trbuf[TICKREQLEN]; Authkey key, booteskey;
Ticket t; Ticket t;
Ticketreq tr; Ticketreq tr;
@ -218,7 +218,7 @@ authfutz(char *dom, char *user)
readcons(prompt, nil, 1, pw, sizeof pw); readcons(prompt, nil, 1, pw, sizeof pw);
if(pw[0] == '\0') if(pw[0] == '\0')
return; return;
passtokey(key, pw); passtokey(&key, pw);
fd = authdial(nil, dom); fd = authdial(nil, dom);
if(fd < 0){ if(fd < 0){
@ -227,19 +227,19 @@ authfutz(char *dom, char *user)
} }
/* try ticket request using just user key */ /* try ticket request using just user key */
memset(&tr, 0, sizeof(tr));
tr.type = AuthTreq; tr.type = AuthTreq;
strecpy(tr.authid, tr.authid+sizeof tr.authid, user); strecpy(tr.authid, tr.authid+sizeof tr.authid, user);
strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom); strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom);
strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user); strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user);
strecpy(tr.uid, tr.uid+sizeof tr.uid, user); strecpy(tr.uid, tr.uid+sizeof tr.uid, user);
memset(tr.chal, 0xAA, sizeof tr.chal); memset(tr.chal, 0xAA, sizeof tr.chal);
convTR2M(&tr, trbuf); if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
if(_asgetticket(fd, trbuf, tbuf) < 0){
close(fd);
print("\t_asgetticket failed: %r\n"); print("\t_asgetticket failed: %r\n");
close(fd);
return; return;
} }
convM2T(tbuf, &t, key); m = convM2T(tbuf, n, &t, &key);
if(t.num != AuthTc){ if(t.num != AuthTc){
print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom); print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -252,7 +252,7 @@ authfutz(char *dom, char *user)
return; return;
} }
convM2T(tbuf+TICKETLEN, &t, key); convM2T(tbuf+m, n-m, &t, &key);
if(t.num != AuthTs){ if(t.num != AuthTs){
print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom); print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -269,13 +269,12 @@ authfutz(char *dom, char *user)
/* try ticket request using bootes key */ /* try ticket request using bootes key */
snprint(prompt, sizeof prompt, "\tcpu server owner for domain %s ", dom); snprint(prompt, sizeof prompt, "\tcpu server owner for domain %s ", dom);
readcons(prompt, "glenda", 0, tr.authid, sizeof tr.authid); readcons(prompt, "glenda", 0, tr.authid, sizeof tr.authid);
convTR2M(&tr, trbuf); if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
if(_asgetticket(fd, trbuf, tbuf) < 0){
close(fd); close(fd);
print("\t_asgetticket failed: %r\n"); print("\t_asgetticket failed: %r\n");
return; return;
} }
convM2T(tbuf, &t, key); m = convM2T(tbuf, n, &t, &key);
if(t.num != AuthTc){ if(t.num != AuthTc){
print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom); print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -295,9 +294,9 @@ authfutz(char *dom, char *user)
goto Nobootes; goto Nobootes;
} }
nobootes = 0; nobootes = 0;
passtokey(booteskey, pw); passtokey(&booteskey, pw);
convM2T(tbuf+TICKETLEN, &t, booteskey); convM2T(tbuf+m, n-m, &t, &booteskey);
if(t.num != AuthTs){ if(t.num != AuthTs){
print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num); print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", tr.authid, dom); print("\tauth server and you do not agree on key for %s@%s\n", tr.authid, dom);

24
sys/src/cmd/auth/factotum/apop.c
View file

@ -208,7 +208,7 @@ apopclose(Fsstate *fss)
static int static int
dochal(State *s) dochal(State *s)
{ {
char *dom, *user, trbuf[TICKREQLEN]; char *dom, *user;
int n; int n;
s->asfd = -1; s->asfd = -1;
@ -228,13 +228,11 @@ dochal(State *s)
goto err; goto err;
memset(&s->tr, 0, sizeof(s->tr)); memset(&s->tr, 0, sizeof(s->tr));
s->tr.type = s->astype;
safecpy(s->tr.authdom, dom, sizeof s->tr.authdom); safecpy(s->tr.authdom, dom, sizeof s->tr.authdom);
safecpy(s->tr.hostid, user, sizeof(s->tr.hostid)); safecpy(s->tr.hostid, user, sizeof(s->tr.hostid));
convTR2M(&s->tr, trbuf); s->tr.type = s->astype;
alarm(30*1000); alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0); alarm(0);
goto err; goto err;
} }
@ -254,8 +252,6 @@ err:
static int static int
doreply(State *s, char *user, char *response) doreply(State *s, char *user, char *response)
{ {
char ticket[TICKETLEN+AUTHENTLEN];
char trbuf[TICKREQLEN];
int n; int n;
Authenticator a; Authenticator a;
@ -267,21 +263,16 @@ doreply(State *s, char *user, char *response)
memrandom(s->tr.chal, CHALLEN); memrandom(s->tr.chal, CHALLEN);
safecpy(s->tr.uid, user, sizeof(s->tr.uid)); safecpy(s->tr.uid, user, sizeof(s->tr.uid));
convTR2M(&s->tr, trbuf);
alarm(30*1000); alarm(30*1000);
if((n=write(s->asfd, trbuf, TICKREQLEN)) != TICKREQLEN){ if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0); alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err; goto err;
} }
if((n=write(s->asfd, response, MD5dlen*2)) != MD5dlen*2){ if(write(s->asfd, response, MD5dlen*2) != MD5dlen*2){
alarm(0); alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err; goto err;
} }
n = _asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN); n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
alarm(0); alarm(0);
if(n < 0){ if(n < 0){
/* leave connection open so we can try again */ /* leave connection open so we can try again */
@ -290,7 +281,6 @@ doreply(State *s, char *user, char *response)
close(s->asfd); close(s->asfd);
s->asfd = -1; s->asfd = -1;
convM2T(ticket, &s->t, (char*)s->key->priv);
if(s->t.num != AuthTs if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if(s->key->successes == 0) if(s->key->successes == 0)
@ -299,14 +289,12 @@ doreply(State *s, char *user, char *response)
goto err; goto err;
} }
s->key->successes++; s->key->successes++;
convM2A(ticket+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0){ || a.id != 0){
werrstr(Easproto); werrstr(Easproto);
goto err; goto err;
} }
return 0; return 0;
err: err:
if(s->asfd >= 0) if(s->asfd >= 0)

26
sys/src/cmd/auth/factotum/chap.c
View file

@ -299,8 +299,7 @@ static int
dochal(State *s) dochal(State *s)
{ {
char *dom, *user; char *dom, *user;
char trbuf[TICKREQLEN]; int n;
int ret;
s->asfd = -1; s->asfd = -1;
@ -315,20 +314,17 @@ dochal(State *s)
goto err; goto err;
memset(&s->tr, 0, sizeof(s->tr)); memset(&s->tr, 0, sizeof(s->tr));
s->tr.type = s->astype;
safecpy(s->tr.authdom, dom, sizeof(s->tr.authdom)); safecpy(s->tr.authdom, dom, sizeof(s->tr.authdom));
safecpy(s->tr.hostid, user, sizeof(s->tr.hostid)); safecpy(s->tr.hostid, user, sizeof(s->tr.hostid));
convTR2M(&s->tr, trbuf); s->tr.type = s->astype;
alarm(30*1000); alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0); alarm(0);
goto err; goto err;
} }
/* readn, not _asrdresp. needs to match auth.srv.c. */ n = readn(s->asfd, s->chal, sizeof s->chal);
ret = readn(s->asfd, s->chal, sizeof s->chal);
alarm(0); alarm(0);
if(ret != sizeof s->chal) if(n != sizeof s->chal)
goto err; goto err;
return 0; return 0;
@ -343,18 +339,16 @@ err:
static int static int
doreply(State *s, uchar *reply, int nreply) doreply(State *s, uchar *reply, int nreply)
{ {
char ticket[TICKETLEN+AUTHENTLEN];
int n; int n;
Authenticator a; Authenticator a;
alarm(30*1000); alarm(30*1000);
if((n=write(s->asfd, reply, nreply)) != nreply){ if(write(s->asfd, reply, nreply) != nreply){
alarm(0); alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err; goto err;
} }
if(_asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN) < 0){ n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
if(n < 0){
alarm(0); alarm(0);
/* leave connection open so we can try again */ /* leave connection open so we can try again */
return -1; return -1;
@ -365,7 +359,7 @@ doreply(State *s, uchar *reply, int nreply)
s->nsecret = 0; s->nsecret = 0;
close(s->asfd); close(s->asfd);
s->asfd = -1; s->asfd = -1;
convM2T(ticket, &s->t, s->key->priv);
if(s->t.num != AuthTs if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if(s->key->successes == 0) if(s->key->successes == 0)
@ -374,14 +368,12 @@ doreply(State *s, uchar *reply, int nreply)
return -1; return -1;
} }
s->key->successes++; s->key->successes++;
convM2A(ticket+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0){ || a.id != 0){
werrstr(Easproto); werrstr(Easproto);
return -1; return -1;
} }
return 0; return 0;
err: err:
if(s->asfd >= 0) if(s->asfd >= 0)

15
sys/src/cmd/auth/factotum/p9cr.c
View file

@ -165,7 +165,7 @@ p9crread(Fsstate *fss, void *va, uint *n)
static int static int
p9response(Fsstate *fss, State *s) p9response(Fsstate *fss, State *s)
{ {
char key[DESKEYLEN]; Authkey key;
uchar buf[8]; uchar buf[8];
ulong chal; ulong chal;
char *pw; char *pw;
@ -173,10 +173,10 @@ p9response(Fsstate *fss, State *s)
pw = _strfindattr(s->key->privattr, "!password"); pw = _strfindattr(s->key->privattr, "!password");
if(pw == nil) if(pw == nil)
return failure(fss, "vncresponse cannot happen"); return failure(fss, "vncresponse cannot happen");
passtokey(key, pw); passtokey(&key, pw);
memset(buf, 0, 8); memset(buf, 0, 8);
sprint((char*)buf, "%d", atoi(s->chal)); sprint((char*)buf, "%d", atoi(s->chal));
if(encrypt(key, buf, 8) < 0) if(encrypt(key.des, buf, 8) < 0)
return failure(fss, "can't encrypt response"); return failure(fss, "can't encrypt response");
chal = (buf[0]<<24)+(buf[1]<<16)+(buf[2]<<8)+buf[3]; chal = (buf[0]<<24)+(buf[1]<<16)+(buf[2]<<8)+buf[3];
s->resplen = snprint(s->resp, sizeof s->resp, "%.8lux", chal); s->resplen = snprint(s->resp, sizeof s->resp, "%.8lux", chal);
@ -247,7 +247,6 @@ vncresponse(Fsstate*, State *s)
static int static int
p9crwrite(Fsstate *fss, void *va, uint n) p9crwrite(Fsstate *fss, void *va, uint n)
{ {
char tbuf[TICKETLEN+AUTHENTLEN];
State *s; State *s;
char *data = va; char *data = va;
Authenticator a; Authenticator a;
@ -288,14 +287,13 @@ p9crwrite(Fsstate *fss, void *va, uint n)
return failure(fss, Easproto); return failure(fss, Easproto);
} }
/* get ticket plus authenticator from auth server */ /* get ticket plus authenticator from auth server */
ret = _asrdresp(s->asfd, tbuf, TICKETLEN+AUTHENTLEN); ret = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
alarm(0); alarm(0);
if(ret < 0) if(ret < 0)
return failure(fss, nil); return failure(fss, nil);
/* check ticket */ /* check ticket */
convM2T(tbuf, &s->t, s->key->priv);
if(s->t.num != AuthTs if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){ || memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if (s->key->successes == 0) if (s->key->successes == 0)
@ -303,7 +301,6 @@ p9crwrite(Fsstate *fss, void *va, uint n)
return failure(fss, Easproto); return failure(fss, Easproto);
} }
s->key->successes++; s->key->successes++;
convM2A(tbuf+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0 || memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0) || a.id != 0)
@ -322,20 +319,18 @@ p9crwrite(Fsstate *fss, void *va, uint n)
static int static int
getchal(State *s, Fsstate *fss) getchal(State *s, Fsstate *fss)
{ {
char trbuf[TICKREQLEN];
int n; int n;
safecpy(s->tr.hostid, _strfindattr(s->key->attr, "user"), sizeof(s->tr.hostid)); safecpy(s->tr.hostid, _strfindattr(s->key->attr, "user"), sizeof(s->tr.hostid));
safecpy(s->tr.authdom, _strfindattr(s->key->attr, "dom"), sizeof(s->tr.authdom)); safecpy(s->tr.authdom, _strfindattr(s->key->attr, "dom"), sizeof(s->tr.authdom));
s->tr.type = s->astype; s->tr.type = s->astype;
convTR2M(&s->tr, trbuf);
/* get challenge from auth server */ /* get challenge from auth server */
s->asfd = _authdial(nil, _strfindattr(s->key->attr, "dom")); s->asfd = _authdial(nil, _strfindattr(s->key->attr, "dom"));
if(s->asfd < 0) if(s->asfd < 0)
return failure(fss, Easproto); return failure(fss, Easproto);
alarm(30*1000); alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){ if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0); alarm(0);
return failure(fss, Easproto); return failure(fss, Easproto);
} }

99
sys/src/cmd/auth/factotum/p9sk1.c
View file

@ -25,7 +25,7 @@ struct State
Ticketreq tr; Ticketreq tr;
char cchal[CHALLEN]; char cchal[CHALLEN];
char tbuf[TICKETLEN+AUTHENTLEN]; char tbuf[TICKETLEN+AUTHENTLEN];
char authkey[DESKEYLEN]; int tbuflen;
uchar *secret; uchar *secret;
int speakfor; int speakfor;
}; };
@ -60,7 +60,7 @@ static char *phasenames[Maxphase] =
[SHaveAuth] "SHaveAuth", [SHaveAuth] "SHaveAuth",
}; };
static int gettickets(State*, char*, char*); static int gettickets(State*, Ticketreq *, char*, int);
static int static int
p9skinit(Proto *p, Fsstate *fss) p9skinit(Proto *p, Fsstate *fss)
@ -119,6 +119,8 @@ p9skinit(Proto *p, Fsstate *fss)
break; break;
} }
} }
s->tbuflen = 0;
s->secret = nil;
fss->ps = s; fss->ps = s;
return RpcOk; return RpcOk;
} }
@ -147,13 +149,12 @@ p9skread(Fsstate *fss, void *a, uint *n)
m = TICKREQLEN; m = TICKREQLEN;
if(*n < m) if(*n < m)
return toosmall(fss, m); return toosmall(fss, m);
*n = m; *n = convTR2M(&s->tr, a, *n);
convTR2M(&s->tr, a);
fss->phase = SNeedTicket; fss->phase = SNeedTicket;
return RpcOk; return RpcOk;
case CHaveTicket: case CHaveTicket:
m = TICKETLEN+AUTHENTLEN; m = s->tbuflen;
if(*n < m) if(*n < m)
return toosmall(fss, m); return toosmall(fss, m);
*n = m; *n = m;
@ -162,11 +163,11 @@ p9skread(Fsstate *fss, void *a, uint *n)
return RpcOk; return RpcOk;
case SHaveAuth: case SHaveAuth:
m = AUTHENTLEN; m = s->tbuflen;
if(*n < m) if(*n < m)
return toosmall(fss, m); return toosmall(fss, m);
*n = m; *n = m;
memmove(a, s->tbuf+TICKETLEN, m); memmove(a, s->tbuf, m);
fss->ai.cuid = s->t.cuid; fss->ai.cuid = s->t.cuid;
fss->ai.suid = s->t.suid; fss->ai.suid = s->t.suid;
s->secret = emalloc(8); s->secret = emalloc(8);
@ -183,7 +184,7 @@ static int
p9skwrite(Fsstate *fss, void *a, uint n) p9skwrite(Fsstate *fss, void *a, uint n)
{ {
int m, ret, sret; int m, ret, sret;
char tbuf[2*TICKETLEN], trbuf[TICKREQLEN], *user; char tbuf[2*TICKETLEN], *user;
Attr *attr; Attr *attr;
Authenticator auth; Authenticator auth;
State *s; State *s;
@ -204,12 +205,11 @@ p9skwrite(Fsstate *fss, void *a, uint n)
return RpcOk; return RpcOk;
case CNeedTreq: case CNeedTreq:
m = TICKREQLEN; m = convM2TR(a, n, &s->tr);
if(n < m) if(m <= 0)
return toosmall(fss, m); return toosmall(fss, -m);
/* remember server's chal */ /* remember server's chal */
convM2TR(a, &s->tr);
if(s->vers == 2) if(s->vers == 2)
memmove(s->cchal, s->tr.chal, CHALLEN); memmove(s->cchal, s->tr.chal, CHALLEN);
@ -263,15 +263,14 @@ p9skwrite(Fsstate *fss, void *a, uint n)
else else
safecpy(s->tr.uid, s->tr.hostid, sizeof s->tr.uid); safecpy(s->tr.uid, s->tr.hostid, sizeof s->tr.uid);
convTR2M(&s->tr, trbuf);
/* get tickets, from auth server or invent if we can */ /* get tickets, from auth server or invent if we can */
if(gettickets(s, trbuf, tbuf) < 0){ ret = gettickets(s, &s->tr, tbuf, sizeof(tbuf));
if(ret < 0){
_freeattr(attr); _freeattr(attr);
return failure(fss, nil); return failure(fss, nil);
} }
convM2T(tbuf, &s->t, (char*)s->key->priv); m = convM2T(tbuf, ret, &s->t, (Authkey*)s->key->priv);
if(s->t.num != AuthTc){ if(s->t.num != AuthTc){
if(s->key->successes == 0 && !s->speakfor) if(s->key->successes == 0 && !s->speakfor)
disablekey(s->key); disablekey(s->key);
@ -287,24 +286,27 @@ p9skwrite(Fsstate *fss, void *a, uint n)
} }
s->key->successes++; s->key->successes++;
_freeattr(attr); _freeattr(attr);
memmove(s->tbuf, tbuf+TICKETLEN, TICKETLEN); ret -= m;
memmove(s->tbuf, tbuf+m, ret);
auth.num = AuthAc; auth.num = AuthAc;
memmove(auth.chal, s->tr.chal, CHALLEN); memmove(auth.chal, s->tr.chal, CHALLEN);
auth.id = 0; auth.id = 0;
convA2M(&auth, s->tbuf+TICKETLEN, s->t.key); ret += convA2M(&auth, s->tbuf+ret, sizeof(s->tbuf)-ret, &s->t);
s->tbuflen = ret;
fss->phase = CHaveTicket; fss->phase = CHaveTicket;
return RpcOk; return RpcOk;
case SNeedTicket: case SNeedTicket:
m = TICKETLEN+AUTHENTLEN; m = convM2T(a, n, &s->t, (Authkey*)s->key->priv);
if(n < m) if(m <= 0)
return toosmall(fss, m); return toosmall(fss, -m);
convM2T(a, &s->t, (char*)s->key->priv);
if(s->t.num != AuthTs if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, CHALLEN) != 0) || memcmp(s->t.chal, s->tr.chal, CHALLEN) != 0)
return failure(fss, Easproto); return failure(fss, Easproto);
convM2A((char*)a+TICKETLEN, &auth, s->t.key); ret = convM2A((char*)a+m, n-m, &auth, &s->t);
if(ret <= 0)
return toosmall(fss, -ret + m);
if(auth.num != AuthAc if(auth.num != AuthAc
|| memcmp(auth.chal, s->tr.chal, CHALLEN) != 0 || memcmp(auth.chal, s->tr.chal, CHALLEN) != 0
|| auth.id != 0) || auth.id != 0)
@ -312,15 +314,14 @@ p9skwrite(Fsstate *fss, void *a, uint n)
auth.num = AuthAs; auth.num = AuthAs;
memmove(auth.chal, s->cchal, CHALLEN); memmove(auth.chal, s->cchal, CHALLEN);
auth.id = 0; auth.id = 0;
convA2M(&auth, s->tbuf+TICKETLEN, s->t.key); s->tbuflen = convA2M(&auth, s->tbuf, sizeof(s->tbuf), &s->t);
fss->phase = SHaveAuth; fss->phase = SHaveAuth;
return RpcOk; return RpcOk;
case CNeedAuth: case CNeedAuth:
m = AUTHENTLEN; m = convM2A(a, n, &auth, &s->t);
if(n < m) if(m <= 0)
return toosmall(fss, m); return toosmall(fss, -m);
convM2A(a, &auth, s->t.key);
if(auth.num != AuthAs if(auth.num != AuthAs
|| memcmp(auth.chal, s->cchal, CHALLEN) != 0 || memcmp(auth.chal, s->cchal, CHALLEN) != 0
|| auth.id != 0) || auth.id != 0)
@ -384,24 +385,24 @@ hexparse(char *hex, uchar *dat, int ndat)
static int static int
p9skaddkey(Key *k, int before) p9skaddkey(Key *k, int before)
{ {
Authkey *akey;
char *s; char *s;
k->priv = emalloc(DESKEYLEN); akey = emalloc(sizeof(Authkey));
if(s = _strfindattr(k->privattr, "!hex")){ if(s = _strfindattr(k->privattr, "!hex")){
if(hexparse(s, k->priv, 7) < 0){ if(hexparse(s, (uchar*)akey->des, DESKEYLEN) < 0){
free(k->priv); free(akey);
k->priv = nil;
werrstr("malformed key data"); werrstr("malformed key data");
return -1; return -1;
} }
}else if(s = _strfindattr(k->privattr, "!password")){ }else if(s = _strfindattr(k->privattr, "!password")){
passtokey((char*)k->priv, s); passtokey(akey, s);
}else{ }else{
werrstr("no key data"); werrstr("no key data");
free(k->priv); free(akey);
k->priv = nil;
return -1; return -1;
} }
k->priv = akey;
return replacekey(k, before); return replacekey(k, before);
} }
@ -412,7 +413,7 @@ p9skclosekey(Key *k)
} }
static int static int
getastickets(State *s, char *trbuf, char *tbuf) getastickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen)
{ {
int asfd, rv; int asfd, rv;
char *dom; char *dom;
@ -425,17 +426,18 @@ getastickets(State *s, char *trbuf, char *tbuf)
if(asfd < 0) if(asfd < 0)
return -1; return -1;
alarm(30*1000); alarm(30*1000);
rv = _asgetticket(asfd, trbuf, tbuf); rv = _asgetticket(asfd, tr, tbuf, tbuflen);
alarm(0); alarm(0);
close(asfd); close(asfd);
return rv; return rv;
} }
static int static int
mkserverticket(State *s, char *tbuf) mkserverticket(State *s, char *tbuf, int tbuflen)
{ {
Ticketreq *tr = &s->tr; Ticketreq *tr = &s->tr;
Ticket t; Ticket t;
int ret;
if(strcmp(tr->authid, tr->hostid) != 0) if(strcmp(tr->authid, tr->hostid) != 0)
return -1; return -1;
@ -449,22 +451,21 @@ mkserverticket(State *s, char *tbuf)
strcpy(t.suid, tr->uid); strcpy(t.suid, tr->uid);
memrandom(t.key, DESKEYLEN); memrandom(t.key, DESKEYLEN);
t.num = AuthTc; t.num = AuthTc;
convT2M(&t, tbuf, s->key->priv); ret = convT2M(&t, tbuf, tbuflen, (Authkey*)s->key->priv);
t.num = AuthTs; t.num = AuthTs;
convT2M(&t, tbuf+TICKETLEN, s->key->priv); ret += convT2M(&t, tbuf+ret, tbuflen-ret, (Authkey*)s->key->priv);
return 0; return ret;
} }
static int static int
gettickets(State *s, char *trbuf, char *tbuf) gettickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen)
{ {
/* int ret;
if(mktickets(s, trbuf, tbuf) >= 0)
return 0; ret = getastickets(s, tr, tbuf, tbuflen);
*/ if(ret >= 0)
if(getastickets(s, trbuf, tbuf) >= 0) return ret;
return 0; return mkserverticket(s, tbuf, tbuflen);
return mkserverticket(s, tbuf);
} }
Proto p9sk1 = { Proto p9sk1 = {

2
sys/src/cmd/auth/guard.srv.c
View file

@ -90,7 +90,7 @@ main(int argc, char *argv[])
/* remove password login from guard.research.bell-labs.com, sucre, etc. */ /* remove password login from guard.research.bell-labs.com, sucre, etc. */
// if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp)) // if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp)) if(!finddeskey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if((err = secureidcheck(user, resp)) != nil){ if((err = secureidcheck(user, resp)) != nil){
print("NO %s", err); print("NO %s", err);
write(1, "NO", 2); write(1, "NO", 2);

23
sys/src/cmd/auth/httpauth.c
View file

@ -8,36 +8,25 @@ httpauth(char *name, char *password)
int afd; int afd;
Ticketreq tr; Ticketreq tr;
Ticket t; Ticket t;
char key[DESKEYLEN]; Authkey key;
char buf[512];
afd = authdial(nil, nil); afd = authdial(nil, nil);
if(afd < 0) if(afd < 0)
return -1; return -1;
passtokey(&key, password);
/* send ticket request to AS */ /* send ticket request to AS */
memset(&tr, 0, sizeof(tr)); memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, name); strcpy(tr.uid, name);
tr.type = AuthHttp; tr.type = AuthHttp;
convTR2M(&tr, buf); if(_asrequest(afd, &tr) < 0){
if(write(afd, buf, TICKREQLEN) != TICKREQLEN){
close(afd); close(afd);
return -1; return -1;
} }
if(_asrdresp(afd, buf, TICKETLEN) < 0){ _asgetresp(afd, &t, nil, &key);
close(afd); close(afd);
return -1; if(t.num != AuthHr || strcmp(t.cuid, tr.uid) != 0)
}
close(afd);
/*
* use password and try to decrypt the
* ticket. If it doesn't work we've got a bad password,
* give up.
*/
passtokey(key, password);
convM2T(buf, &t, key);
if(t.num != AuthHr || strcmp(t.cuid, tr.uid))
return -1; return -1;
return 0; return 0;

12
sys/src/cmd/auth/keyfs.c
View file

@ -13,7 +13,7 @@
#pragma varargck type "W" char* #pragma varargck type "W" char*
char authkey[8]; Authkey authkey;
typedef struct Fid Fid; typedef struct Fid Fid;
typedef struct User User; typedef struct User User;
@ -170,9 +170,9 @@ main(int argc, char *argv[])
error("can't make pipe: %r"); error("can't make pipe: %r");
if(usepass) { if(usepass) {
getpass(authkey, nil, 0, 0); getpass(&authkey, nil, 0, 0);
} else { } else {
if(!getauthkey(authkey)) if(!getauthkey(&authkey))
print("keyfs: warning: can't read NVRAM\n"); print("keyfs: warning: can't read NVRAM\n");
} }
@ -690,7 +690,7 @@ passline(Biobuf *b, void *vbuf)
if(Bread(b, buf, KEYDBLEN) != KEYDBLEN) if(Bread(b, buf, KEYDBLEN) != KEYDBLEN)
return 0; return 0;
decrypt(authkey, buf, KEYDBLEN); decrypt(authkey.des, buf, KEYDBLEN);
buf[Namelen-1] = '\0'; buf[Namelen-1] = '\0';
return 1; return 1;
} }
@ -780,7 +780,7 @@ writeusers(void)
} }
/* encrypt */ /* encrypt */
oldCBCencrypt(authkey, buf, p - buf); oldCBCencrypt(authkey.des, buf, p - buf);
/* write file */ /* write file */
fd = create(userkeys, OWRITE, 0660); fd = create(userkeys, OWRITE, 0660);
@ -888,7 +888,7 @@ readusers(void)
/* decrypt */ /* decrypt */
n -= n % KEYDBLEN; n -= n % KEYDBLEN;
oldCBCdecrypt(authkey, buf, n); oldCBCdecrypt(authkey.des, buf, n);
/* unpack */ /* unpack */
nu = 0; nu = 0;

1
sys/src/cmd/auth/lib/error.c
View file

@ -1,6 +1,7 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
void void

1
sys/src/cmd/auth/lib/fs.c
View file

@ -1,6 +1,7 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
Fs fs[3] = Fs fs[3] =

5
sys/src/cmd/auth/lib/getauthkey.c
View file

@ -17,9 +17,10 @@ getkey(char *authkey)
} }
int int
getauthkey(char *authkey) getauthkey(Authkey *authkey)
{ {
if(getkey(authkey) == 0) memset(authkey, 0, sizeof(Authkey));
if(getkey(authkey->des) == 0)
return 1; return 1;
print("can't read NVRAM, please enter machine key\n"); print("can't read NVRAM, please enter machine key\n");
getpass(authkey, nil, 0, 1); getpass(authkey, nil, 0, 1);

1
sys/src/cmd/auth/lib/getexpiration.c
View file

@ -2,6 +2,7 @@
#include <libc.h> #include <libc.h>
#include <ctype.h> #include <ctype.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
/* /*

3
sys/src/cmd/auth/lib/keyfmt.c
View file

@ -1,13 +1,14 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
/* /*
* print a key in des standard form * print a key in des standard form
*/ */
int int
keyfmt(Fmt *f) deskeyfmt(Fmt *f)
{ {
uchar key[8]; uchar key[8];
char buf[32]; char buf[32];

1
sys/src/cmd/auth/lib/netcheck.c
View file

@ -1,6 +1,7 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
/* /*

1
sys/src/cmd/auth/lib/querybio.c
View file

@ -2,6 +2,7 @@
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <ctype.h> #include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"

1
sys/src/cmd/auth/lib/rdbio.c
View file

@ -2,6 +2,7 @@
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <ctype.h> #include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
void void

1
sys/src/cmd/auth/lib/readarg.c
View file

@ -1,6 +1,7 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
int int

2
sys/src/cmd/auth/lib/readln.c
View file

@ -5,7 +5,7 @@
#include "authcmdlib.h" #include "authcmdlib.h"
void void
getpass(char *key, char *pass, int check, int confirm) getpass(Authkey *key, char *pass, int check, int confirm)
{ {
char rpass[32], npass[32]; char rpass[32], npass[32];
char *err; char *err;

17
sys/src/cmd/auth/lib/readwrite.c
View file

@ -33,7 +33,7 @@ writefile(char *file, char *buf, int n)
} }
char* char*
findkey(char *db, char *user, char *key) finddeskey(char *db, char *user, char *key)
{ {
int n; int n;
char filename[Maxpath]; char filename[Maxpath];
@ -46,6 +46,13 @@ findkey(char *db, char *user, char *key)
return key; return key;
} }
int
findkey(char *db, char *user, Authkey *key)
{
memset(key, 0, sizeof(Authkey));
return finddeskey(db, user, key->des) != nil;
}
char* char*
findsecret(char *db, char *user, char *secret) findsecret(char *db, char *user, char *secret)
{ {
@ -62,7 +69,7 @@ findsecret(char *db, char *user, char *secret)
} }
char* char*
setkey(char *db, char *user, char *key) setdeskey(char *db, char *user, char *key)
{ {
int n; int n;
char filename[Maxpath]; char filename[Maxpath];
@ -75,6 +82,12 @@ setkey(char *db, char *user, char *key)
return key; return key;
} }
int
setkey(char *db, char *user, Authkey *key)
{
return setdeskey(db, user, key->des) != nil;
}
char* char*
setsecret(char *db, char *user, char *secret) setsecret(char *db, char *user, char *secret)
{ {

1
sys/src/cmd/auth/lib/wrbio.c
View file

@ -2,6 +2,7 @@
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <ctype.h> #include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
void void

7
sys/src/cmd/auth/netkey.c
View file

@ -15,7 +15,8 @@ usage(void)
void void
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
char buf[32], pass[32], key[DESKEYLEN]; Authkey key;
char buf[32], pass[32];
char *s; char *s;
int n; int n;
@ -33,7 +34,7 @@ main(int argc, char *argv[])
} }
readln("Password: ", pass, sizeof pass, 1); readln("Password: ", pass, sizeof pass, 1);
passtokey(key, pass); passtokey(&key, pass);
for(;;){ for(;;){
print("challenge: "); print("challenge: ");
@ -43,7 +44,7 @@ main(int argc, char *argv[])
buf[n] = '\0'; buf[n] = '\0';
n = strtol(buf, 0, 10); n = strtol(buf, 0, 10);
sprint(buf, "%d", n); sprint(buf, "%d", n);
netcrypt(key, buf); netcrypt(key.des, buf);
print("response: %s\n", buf); print("response: %s\n", buf);
} }
} }

63
sys/src/cmd/auth/passwd.c
View file

@ -1,52 +1,17 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <authsrv.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
static char *pbmsg = "AS protocol botch";
int
asrdresp(int fd, char *buf, int len)
{
char error[AERRLEN];
if(read(fd, buf, 1) != 1){
werrstr(pbmsg);
return -1;
}
switch(buf[0]){
case AuthOK:
if(readn(fd, buf, len) < 0){
werrstr(pbmsg);
return -1;
}
break;
case AuthErr:
if(readn(fd, error, AERRLEN) < 0){
werrstr(pbmsg);
return -1;
}
error[AERRLEN-1] = 0;
errstr(error, sizeof error);
return -1;
default:
werrstr(pbmsg);
return -1;
}
return 0;
}
void void
main(int argc, char **argv) main(int argc, char **argv)
{ {
int fd; int fd, n;
Ticketreq tr; Ticketreq tr;
Ticket t; Ticket t;
Passwordreq pr; Passwordreq pr;
char tbuf[TICKETLEN]; Authkey key;
char key[DESKEYLEN];
char buf[512]; char buf[512];
char *s, *user; char *s, *user;
@ -73,12 +38,8 @@ main(int argc, char **argv)
memset(&tr, 0, sizeof(tr)); memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, user); strcpy(tr.uid, user);
tr.type = AuthPass; tr.type = AuthPass;
convTR2M(&tr, buf); if(_asrequest(fd, &tr) < 0)
if(write(fd, buf, TICKREQLEN) != TICKREQLEN)
error("protocol botch: %r");
if(asrdresp(fd, buf, TICKETLEN) < 0)
error("%r"); error("%r");
memmove(tbuf, buf, TICKETLEN);
/* /*
* get a password from the user and try to decrypt the * get a password from the user and try to decrypt the
@ -86,13 +47,17 @@ main(int argc, char **argv)
* give up. * give up.
*/ */
readln("Plan 9 Password: ", pr.old, sizeof pr.old, 1); readln("Plan 9 Password: ", pr.old, sizeof pr.old, 1);
passtokey(key, pr.old); passtokey(&key, pr.old);
convM2T(tbuf, &t, key);
if(t.num != AuthTp || strcmp(t.cuid, tr.uid)) if(_asgetresp(fd, &t, nil, &key) < 0)
error("%r");
if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0)
error("bad password"); error("bad password");
/* loop trying new passwords */ /* loop trying new passwords */
for(;;){ for(;;){
memset(&pr, 0, sizeof(pr));
pr.changesecret = 0; pr.changesecret = 0;
*pr.new = 0; *pr.new = 0;
readln("change Plan 9 Password? (y/n) ", buf, sizeof buf, 0); readln("change Plan 9 Password? (y/n) ", buf, sizeof buf, 0);
@ -126,10 +91,10 @@ main(int argc, char **argv)
} }
} }
pr.num = AuthPass; pr.num = AuthPass;
convPR2M(&pr, buf, t.key); n = convPR2M(&pr, buf, sizeof(buf), &t);
if(write(fd, buf, PASSREQLEN) != PASSREQLEN) if(write(fd, buf, n) != n)
error("AS protocol botch: %r"); error("AS protocol botch: %r");
if(asrdresp(fd, buf, 0) == 0) if(_asrdresp(fd, buf, 0) == 0)
break; break;
fprint(2, "passwd: refused: %r\n"); fprint(2, "passwd: refused: %r\n");
} }

9
sys/src/cmd/auth/printnetkey.c
View file

@ -1,10 +1,9 @@
#include <u.h> #include <u.h>
#include <libc.h> #include <libc.h>
#include <authsrv.h>
#include <bio.h> #include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
void install(char*, char*, int);
void usage(void); void usage(void);
void void
@ -15,7 +14,7 @@ main(int argc, char *argv[])
char keybuf[DESKEYLEN]; char keybuf[DESKEYLEN];
argv0 = "printnetkey"; argv0 = "printnetkey";
fmtinstall('K', keyfmt); fmtinstall('K', deskeyfmt);
ARGBEGIN{ ARGBEGIN{
default: default:
@ -25,11 +24,9 @@ main(int argc, char *argv[])
usage(); usage();
u = argv[0]; u = argv[0];
fmtinstall('K', keyfmt);
if(memchr(u, '\0', ANAMELEN) == 0) if(memchr(u, '\0', ANAMELEN) == 0)
error("bad user name"); error("bad user name");
key = findkey(NETKEYDB, u, keybuf); key = finddeskey(NETKEYDB, u, keybuf);
if(!key) if(!key)
error("%s has no netkey\n", u); error("%s has no netkey\n", u);
print("user %s: net key %K\n", u, key); print("user %s: net key %K\n", u, key);

1
sys/src/cmd/auth/warning.c
View file

@ -2,6 +2,7 @@
#include <libc.h> #include <libc.h>
#include <bio.h> #include <bio.h>
#include <auth.h> #include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h" #include "authcmdlib.h"
/* working directory */ /* working directory */

13
sys/src/libauth/auth_userpasswd.c
View file

@ -11,13 +11,13 @@
* this was copied from inet's guard. * this was copied from inet's guard.
*/ */
static void static void
netresp(char *key, long chal, char *answer) netresp(Authkey *key, long chal, char *answer)
{ {
uchar buf[8]; uchar buf[8];
memset(buf, 0, sizeof buf); memset(buf, 0, sizeof buf);
snprint((char *)buf, sizeof buf, "%lud", chal); snprint((char *)buf, sizeof buf, "%lud", chal);
if(encrypt(key, buf, 8) < 0) if(encrypt(key->des, buf, 8) < 0)
abort(); abort();
sprint(answer, "%.8ux", buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3]); sprint(answer, "%.8ux", buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3]);
} }
@ -25,7 +25,8 @@ netresp(char *key, long chal, char *answer)
AuthInfo* AuthInfo*
auth_userpasswd(char *user, char *passwd) auth_userpasswd(char *user, char *passwd)
{ {
char key[DESKEYLEN], resp[16]; char resp[16];
Authkey key;
AuthInfo *ai; AuthInfo *ai;
Chalstate *ch; Chalstate *ch;
@ -37,9 +38,9 @@ auth_userpasswd(char *user, char *passwd)
if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil) if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil)
return nil; return nil;
passtokey(key, passwd); passtokey(&key, passwd);
netresp(key, atol(ch->chal), resp); netresp(&key, atol(ch->chal), resp);
memset(key, 0, sizeof key); memset(&key, 0, sizeof(Authkey));
ch->resp = resp; ch->resp = resp;
ch->nresp = strlen(resp); ch->nresp = strlen(resp);

51
sys/src/libauth/httpauth.c
View file

@ -1,51 +0,0 @@
#include <u.h>
#include <libc.h>
#include <auth.h>
#include <authsrv.h>
/* deprecated.
This is the mechanism that put entries in /sys/lib/httpd.rewrite
and passwords on the authserver in /sys/lib/httppasswords, which
was awkward to administer. Instead, use local .httplogin files,
which are implemented in sys/src/cmd/ip/httpd/authorize.c */
int
httpauth(char *name, char *password)
{
int afd;
Ticketreq tr;
Ticket t;
char key[DESKEYLEN];
char buf[512];
afd = authdial(nil, nil);
if(afd < 0)
return -1;
/* send ticket request to AS */
memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, name);
tr.type = AuthHttp;
convTR2M(&tr, buf);
if(write(afd, buf, TICKREQLEN) != TICKREQLEN){
close(afd);
return -1;
}
if(_asrdresp(afd, buf, TICKETLEN) < 0){
close(afd);
return -1;
}
close(afd);
/*
* use password and try to decrypt the
* ticket. If it doesn't work we've got a bad password,
* give up.
*/
passtokey(key, password);
convM2T(buf, &t, key);
if(t.num != AuthHr || strcmp(t.cuid, tr.uid))
return -1;
return 0;
}

8
sys/src/libauthsrv/_asgetticket.c
View file

@ -5,11 +5,13 @@
static char *pbmsg = "AS protocol botch"; static char *pbmsg = "AS protocol botch";
int int
_asgetticket(int fd, char *trbuf, char *tbuf) _asgetticket(int fd, Ticketreq *tr, char *tbuf, int tbuflen)
{ {
if(write(fd, trbuf, TICKREQLEN) < 0){ if(_asrequest(fd, tr) < 0){
werrstr(pbmsg); werrstr(pbmsg);
return -1; return -1;
} }
return _asrdresp(fd, tbuf, 2*TICKETLEN); if(tbuflen > 2*TICKETLEN)
tbuflen = 2*TICKETLEN;
return _asrdresp(fd, tbuf, tbuflen);
} }

10
sys/src/libauthsrv/convA2M.c
View file

@ -9,17 +9,19 @@
#define STRING(x,n) memmove(p, f->x, n); p += n #define STRING(x,n) memmove(p, f->x, n); p += n
int int
convA2M(Authenticator *f, char *ap, char *key) convA2M(Authenticator *f, char *ap, int n, Ticket *t)
{ {
int n;
uchar *p; uchar *p;
if(n < AUTHENTLEN)
return 0;
p = (uchar*)ap; p = (uchar*)ap;
CHAR(num); CHAR(num);
STRING(chal, CHALLEN); STRING(chal, CHALLEN);
LONG(id); LONG(id);
n = p - (uchar*)ap; n = p - (uchar*)ap;
if(key) if(t)
encrypt(key, ap, n); encrypt(t->key, ap, n);
return n; return n;
} }

20
sys/src/libauthsrv/convM2A.c
View file

@ -8,16 +8,24 @@
#define LONG(x) VLONG(f->x) #define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n #define STRING(x,n) memmove(f->x, p, n); p += n
void int
convM2A(char *ap, Authenticator *f, char *key) convM2A(char *ap, int n, Authenticator *f, Ticket *t)
{ {
uchar *p; uchar *p, buf[AUTHENTLEN];
if(key) memset(f, 0, sizeof(Authenticator));
decrypt(key, ap, AUTHENTLEN); if(n < AUTHENTLEN)
return -AUTHENTLEN;
if(t) {
memmove(buf, ap, AUTHENTLEN);
ap = (char*)buf;
decrypt(t->key, ap, AUTHENTLEN);
}
p = (uchar*)ap; p = (uchar*)ap;
CHAR(num); CHAR(num);
STRING(chal, CHALLEN); STRING(chal, CHALLEN);
LONG(id); LONG(id);
USED(p); n = p - (uchar*)ap;
return n;
} }

20
sys/src/libauthsrv/convM2PR.c
View file

@ -8,14 +8,21 @@
#define LONG(x) VLONG(f->x) #define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n #define STRING(x,n) memmove(f->x, p, n); p += n
void int
convM2PR(char *ap, Passwordreq *f, char *key) convM2PR(char *ap, int n, Passwordreq *f, Ticket *t)
{ {
uchar *p; uchar *p, buf[PASSREQLEN];
memset(f, 0, sizeof(Passwordreq));
if(n < PASSREQLEN)
return -PASSREQLEN;
if(t){
memmove(buf, ap, PASSREQLEN);
ap = (char*)buf;
decrypt(t->key, ap, PASSREQLEN);
}
p = (uchar*)ap; p = (uchar*)ap;
if(key)
decrypt(key, ap, PASSREQLEN);
CHAR(num); CHAR(num);
STRING(old, ANAMELEN); STRING(old, ANAMELEN);
f->old[ANAMELEN-1] = 0; f->old[ANAMELEN-1] = 0;
@ -24,5 +31,6 @@ convM2PR(char *ap, Passwordreq *f, char *key)
CHAR(changesecret); CHAR(changesecret);
STRING(secret, SECRETLEN); STRING(secret, SECRETLEN);
f->secret[SECRETLEN-1] = 0; f->secret[SECRETLEN-1] = 0;
USED(p); n = p - (uchar*)ap;
return n;
} }

21
sys/src/libauthsrv/convM2T.c
View file

@ -8,13 +8,20 @@
#define LONG(x) VLONG(f->x) #define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n #define STRING(x,n) memmove(f->x, p, n); p += n
void int
convM2T(char *ap, Ticket *f, char *key) convM2T(char *ap, int n, Ticket *f, Authkey *key)
{ {
uchar *p; uchar *p, buf[TICKETLEN];
if(key) memset(f, 0, sizeof(Ticket));
decrypt(key, ap, TICKETLEN); if(n < TICKETLEN)
return -TICKETLEN;
if(key){
memmove(buf, ap, TICKETLEN);
ap = (char*)buf;
decrypt(key->des, ap, TICKETLEN);
}
p = (uchar*)ap; p = (uchar*)ap;
CHAR(num); CHAR(num);
STRING(chal, CHALLEN); STRING(chal, CHALLEN);
@ -23,6 +30,6 @@ convM2T(char *ap, Ticket *f, char *key)
STRING(suid, ANAMELEN); STRING(suid, ANAMELEN);
f->suid[ANAMELEN-1] = 0; f->suid[ANAMELEN-1] = 0;
STRING(key, DESKEYLEN); STRING(key, DESKEYLEN);
USED(p); n = p - (uchar*)ap;
return n;
} }

11
sys/src/libauthsrv/convM2TR.c
View file

@ -8,11 +8,15 @@
#define LONG(x) VLONG(f->x) #define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n #define STRING(x,n) memmove(f->x, p, n); p += n
void int
convM2TR(char *ap, Ticketreq *f) convM2TR(char *ap, int n, Ticketreq *f)
{ {
uchar *p; uchar *p;
memset(f, 0, sizeof(Ticketreq));
if(n < TICKREQLEN)
return -TICKREQLEN;
p = (uchar*)ap; p = (uchar*)ap;
CHAR(type); CHAR(type);
STRING(authid, ANAMELEN); STRING(authid, ANAMELEN);
@ -24,5 +28,6 @@ convM2TR(char *ap, Ticketreq *f)
f->hostid[ANAMELEN-1] = 0; f->hostid[ANAMELEN-1] = 0;
STRING(uid, ANAMELEN); STRING(uid, ANAMELEN);
f->uid[ANAMELEN-1] = 0; f->uid[ANAMELEN-1] = 0;
USED(p); n = p - (uchar*)ap;
return n;
} }

10
sys/src/libauthsrv/convPR2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n #define STRING(x,n) memmove(p, f->x, n); p += n
int int
convPR2M(Passwordreq *f, char *ap, char *key) convPR2M(Passwordreq *f, char *ap, int n, Ticket *t)
{ {
int n;
uchar *p; uchar *p;
if(n < PASSREQLEN)
return 0;
p = (uchar*)ap; p = (uchar*)ap;
CHAR(num); CHAR(num);
STRING(old, ANAMELEN); STRING(old, ANAMELEN);
@ -21,8 +23,8 @@ convPR2M(Passwordreq *f, char *ap, char *key)
CHAR(changesecret); CHAR(changesecret);
STRING(secret, SECRETLEN); STRING(secret, SECRETLEN);
n = p - (uchar*)ap; n = p - (uchar*)ap;
if(key) if(t)
encrypt(key, ap, n); encrypt(t->key, ap, n);
return n; return n;
} }

8
sys/src/libauthsrv/convT2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n #define STRING(x,n) memmove(p, f->x, n); p += n
int int
convT2M(Ticket *f, char *ap, char *key) convT2M(Ticket *f, char *ap, int n, Authkey *key)
{ {
int n;
uchar *p; uchar *p;
if(n < TICKETLEN)
return 0;
p = (uchar*)ap; p = (uchar*)ap;
CHAR(num); CHAR(num);
STRING(chal, CHALLEN); STRING(chal, CHALLEN);
@ -22,6 +24,6 @@ convT2M(Ticket *f, char *ap, char *key)
STRING(key, DESKEYLEN); STRING(key, DESKEYLEN);
n = p - (uchar*)ap; n = p - (uchar*)ap;
if(key) if(key)
encrypt(key, ap, n); encrypt(key->des, ap, n);
return n; return n;
} }

7
sys/src/libauthsrv/convTR2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n #define STRING(x,n) memmove(p, f->x, n); p += n
int int
convTR2M(Ticketreq *f, char *ap) convTR2M(Ticketreq *f, char *ap, int n)
{ {
int n;
uchar *p; uchar *p;
if(n < TICKREQLEN)
return 0;
p = (uchar*)ap; p = (uchar*)ap;
CHAR(type); CHAR(type);
STRING(authid, 28); /* BUG */ STRING(authid, 28); /* BUG */
@ -24,4 +26,3 @@ convTR2M(Ticketreq *f, char *ap)
n = p - (uchar*)ap; n = p - (uchar*)ap;
return n; return n;
} }

2
sys/src/libauthsrv/mkfile
View file

@ -3,6 +3,8 @@
LIB=/$objtype/lib/libauthsrv.a LIB=/$objtype/lib/libauthsrv.a
OFILES=\ OFILES=\
_asgetticket.$O\ _asgetticket.$O\
_asgetresp.$O\
_asrequest.$O\
_asrdresp.$O\ _asrdresp.$O\
authdial.$O\ authdial.$O\
convA2M.$O\ convA2M.$O\

8
sys/src/libauthsrv/passtokey.c
View file

@ -3,7 +3,7 @@
#include <authsrv.h> #include <authsrv.h>
int int
passtokey(char *key, char *p) passtokey(Authkey *key, char *p)
{ {
uchar buf[ANAMELEN], *t; uchar buf[ANAMELEN], *t;
int i, n; int i, n;
@ -15,10 +15,10 @@ passtokey(char *key, char *p)
t = buf; t = buf;
strncpy((char*)t, p, n); strncpy((char*)t, p, n);
t[n] = 0; t[n] = 0;
memset(key, 0, DESKEYLEN); memset(key, 0, sizeof(Authkey));
for(;;){ for(;;){
for(i = 0; i < DESKEYLEN; i++) for(i = 0; i < DESKEYLEN; i++)
key[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1))); key->des[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1)));
if(n <= 8) if(n <= 8)
return 1; return 1;
n -= 8; n -= 8;
@ -27,6 +27,6 @@ passtokey(char *key, char *p)
t -= 8 - n; t -= 8 - n;
n = 8; n = 8;
} }
encrypt(key, t, 8); encrypt(key->des, t, 8);
} }
} }

9
sys/src/libauthsrv/readnvram.c
View file

@ -292,13 +292,16 @@ readnvram(Nvrsafe *safep, int flag)
readcons("secstore key", nil, 1, safe->config, readcons("secstore key", nil, 1, safe->config,
sizeof safe->config); sizeof safe->config);
for(;;){ for(;;){
if(readcons("password", nil, 1, in, sizeof in) Authkey k;
== nil)
if(readcons("password", nil, 1, in, sizeof in) == nil)
goto Out; goto Out;
if(passtokey(safe->machkey, in)) if(passtokey(&k, in)){
memmove(safe->machkey, k.des, DESKEYLEN);
break; break;
} }
} }
}
// safe->authsum = nvcsum(safe->authkey, DESKEYLEN); // safe->authsum = nvcsum(safe->authkey, DESKEYLEN);
safe->machsum = nvcsum(safe->machkey, DESKEYLEN); safe->machsum = nvcsum(safe->machkey, DESKEYLEN);