xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

libauthsrv: generalize ticket service, not hardcoding ticket format and DES encryption

Browse source 
this is in preparation for replacing DES ticket encryption with
something better. but first need to make the code stop making
assumptions.

the wire encoding of the Ticket might be variable length
with TICKETLEN just giving an upper bound. the details will be
handled by libauthsrv _asgetticket() and _asgetresp() funciotns.

the Authenticator and Passwordreq structures are encrypted
with the random ticket key. The encryption schmeme will depend
on the Ticket format used, so we pass the Ticket* structure
instead of the DES key.

introduce Authkey structure that will hold all the required
cryptographic keys instead of passing DES key.
This commit is contained in:
cinap_lenrek 2015-08-19 21:06:17 +02:00
parent f785d4da07
commit 02cfcfeab4
47 changed files with 471 additions and 482 deletions
Download patch file Download diff file Expand all files Collapse all files

29
sys/include/authsrv.h
View file

@ -12,6 +12,8 @@ typedef struct Passwordreq Passwordreq;
typedef struct OChapreply OChapreply;
typedef struct OMSchapreply OMSchapreply;
typedef struct Authkey Authkey;
enum
{
ANAMELEN= 28, /* name max size in previous proto */
@ -110,22 +112,27 @@ struct OMSchapreply
};
#define OMSCHAPREPLYLEN (ANAMELEN+24+24)
struct Authkey
{
char des[DESKEYLEN];
};
/*
* convert to/from wire format
*/
extern int convT2M(Ticket*, char*, char*);
extern void convM2T(char*, Ticket*, char*);
extern int convA2M(Authenticator*, char*, char*);
extern void convM2A(char*, Authenticator*, char*);
extern int convTR2M(Ticketreq*, char*);
extern void convM2TR(char*, Ticketreq*);
extern int convPR2M(Passwordreq*, char*, char*);
extern void convM2PR(char*, Passwordreq*, char*);
extern int convT2M(Ticket*, char*, int, Authkey*);
extern int convM2T(char*, int, Ticket*, Authkey*);
extern int convA2M(Authenticator*, char*, int, Ticket*);
extern int convM2A(char*, int, Authenticator*, Ticket*);
extern int convTR2M(Ticketreq*, char*, int);
extern int convM2TR(char*, int, Ticketreq*);
extern int convPR2M(Passwordreq*, char*, int, Ticket*);
extern int convM2PR(char*, int, Passwordreq*, Ticket*);
/*
* convert ascii password to DES key
*/
extern int passtokey(char*, char*);
extern int passtokey(Authkey*, char*);
/*
* Nvram interface
@ -167,5 +174,7 @@ extern int authdial(char *netroot, char *authdom);
/*
* exchange messages with auth server
*/
extern int _asgetticket(int, char*, char*);
extern int _asgetticket(int, Ticketreq*, char*, int);
extern int _asrequest(int, Ticketreq*);
extern int _asgetresp(int, Ticket*, Authenticator*, Authkey *);
extern int _asrdresp(int, char*, int);

66
sys/man/2/authsrv
View file

@ -1,6 +1,6 @@
.TH AUTHSRV 2
.SH NAME
authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrdresp \- routines for communicating with authentication servers
authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrequest, _asgetresp, _asrdresp \- routines for communicating with authentication servers
.SH SYNOPSIS
.nf
.PP
@ -15,7 +15,7 @@ authdial, passtokey, nvcsum, readnvram, convT2M, convM2T, convTR2M, convM2TR, co
int authdial(char *netroot, char *ad);
.PP
.B
int passtokey(char key[DESKEYLEN], char *password)
int passtokey(Authkey *key, char *password)
.PP
.B
uchar nvcsum(void *mem, int len)
@ -24,34 +24,40 @@ uchar nvcsum(void *mem, int len)
int readnvram(Nvrsafe *nv, int flag);
.PPP
.B
int convT2M(Ticket *t, char *msg, char *key)
int convT2M(Ticket *t, char *msg, int len, Authkey *key)
.PP
.B
void convM2T(char *msg, Ticket *t, char *key)
int convM2T(char *msg, int len, Ticket *t, Authkey *key)
.PP
.B
int convA2M(Authenticator *a, char *msg, char *key)
int convA2M(Authenticator *a, char *msg, int len, Ticket *t)
.PP
.B
void convM2A(char *msg, Authenticator *a, char *key)
int convM2A(char *msg, int len, Authenticator *a, Ticket *t)
.PP
.B
int convTR2M(Ticketreq *tr, char *msg)
int convTR2M(Ticketreq *tr, char *msg, int len)
.PP
.B
void convM2TR(char *msg, Ticketreq *tr)
int convM2TR(char *msg, int len, Ticketreq *tr)
.PP
.B
int convPR2M(Passwordreq *pr, char *msg, char *key)
int convPR2M(Passwordreq *pr, char *msg, int len, Ticket *t)
.PP
.B
void convM2PR(char *msg, Passwordreq *pr, char *key)
int convM2PR(char *msg, int len, Passwordreq *pr, Ticket *t)
.PP
.B
int _asgetticket(int fd, char *trbuf, char *tbuf);
int _asgetticket(int fd, Ticketreq *tr, char *buf, int len)
.PP
.B
int _asrdresp(int fd, char *buf, int len);
int _asrequest(int fd, Ticketreq *tr)
.PP
.B
int _asgetresp(int fd, Ticket *t, Authenticator *a, Authkey *key)
.PP
.B
int _asrdresp(int fd, char *buf, int len)
.SH DESCRIPTION
.I Authdial
dials an authentication server over the
@ -99,7 +105,9 @@ is used to make the call.
.I Passtokey
converts
.I password
into a DES key and stores the result in
into a set of cryptographic keys and stores them in the
.I Authkey
structure
.IR key .
It returns 0 if
.I password
@ -213,18 +221,34 @@ are used to convert them back.
.I Key
is used for encrypting the message before transmission and decrypting
after reception.
.PP
The routine
.I _asgetresp
receives either a character array or an error string.
On error, it sets errstr and returns -1. If successful,
it returns the number of bytes received.
.IR ConvA2M ,
.IR convM2A ,
.I convPR2M
and
.I convM2PR
encrypt/decrypt the message with the random ticket key.
.PP
The routine
.I _asgetticket
sends a ticket request message and then uses
sends a ticket request
.I tr
returning the two encrypted tickets in
.IR buf .
The routine
.I _asrequest
encodes the ticket request
.I tr
and sends it not waiting for a response.
After sending a request,
.I _asgetresp
to recieve an answer.
can be used to receive the response containing a ticket and an optional
authenticator and decrypts the ticket and authenticator using
.IR key .
The routine
.I _asrdresp
receives either a character array or an error string.
On error, it sets errstr and returns -1. If successful,
it returns the number of bytes received.
.SH SOURCE
.B /sys/src/libauthsrv
.SH SEE ALSO

1
sys/src/cmd/auth/as.c
View file

@ -8,6 +8,7 @@
#include <bio.h>
#include <libsec.h>
#include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h"
int debug;

12
sys/src/cmd/auth/authcmdlib.h
View file

@ -39,13 +39,14 @@ extern Fs fs[3];
void checksum(char*, char*);
void error(char*, ...);
void fail(char*);
char* findkey(char*, char*, char*);
int findkey(char*, char*, Authkey*);
char* finddeskey(char*, char*, char*);
char* findsecret(char*, char*, char*);
int getauthkey(char*);
int getauthkey(Authkey*);
long getexpiration(char *db, char *u);
void getpass(char*, char*, int, int);
void getpass(Authkey*, char*, int, int);
int getsecret(int, char*);
int keyfmt(Fmt*);
int deskeyfmt(Fmt*);
void logfail(char*);
int netcheck(void*, long, char*);
char* netdecimal(char*);
@ -58,7 +59,8 @@ int readfile(char*, char*, int);
void readln(char*, char*, int, int);
long readn(int, void*, long);
char* secureidcheck(char*, char*);
char* setkey(char*, char*, char*);
int setkey(char*, char*, Authkey*);
char* setdeskey(char*, char*, char*);
char* setsecret(char*, char*, char*);
int smartcheck(void*, long, char*);
void succeed(char*);

234
sys/src/cmd/auth/authsrv.c
View file

@ -30,22 +30,24 @@ void vnc(Ticketreq*);
int speaksfor(char*, char*);
void replyerror(char*, ...);
void getraddr(char*);
void mkkey(char*);
void mkkey(Authkey*);
int samekey(Authkey*, Authkey*);
void mkticket(Ticketreq*, Ticket*);
void randombytes(uchar*, int);
void nthash(uchar hash[MShashlen], char *passwd);
void lmhash(uchar hash[MShashlen], char *passwd);
void ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom);
void mschalresp(uchar resp[MSresplen], uchar hash[MShashlen], uchar chal[MSchallen]);
void desencrypt(uchar data[8], uchar key[7]);
int tickauthreply(Ticketreq*, char*);
int tickauthreply(Ticketreq*, Authkey*);
void safecpy(char*, char*, int);
void
main(int argc, char *argv[])
{
char buf[TICKREQLEN];
Ticketreq tr;
int n;
ARGBEGIN{
case 'd':
@ -64,11 +66,10 @@ main(int argc, char *argv[])
srand(time(0)*getpid());
for(;;){
if(readn(0, buf, TICKREQLEN) <= 0)
n = readn(0, buf, sizeof(buf));
if(n <= 0 || convM2TR(buf, n, &tr) <= 0)
exits(0);
convM2TR(buf, &tr);
switch(buf[0]){
switch(tr.type){
case AuthTreq:
ticketrequest(&tr);
break;
@ -97,7 +98,7 @@ main(int argc, char *argv[])
vnc(&tr);
break;
default:
syslog(0, AUTHLOG, "unknown ticket request type: %d", buf[0]);
syslog(0, AUTHLOG, "unknown ticket request type: %d", tr.type);
exits(0);
}
}
@ -107,45 +108,39 @@ main(int argc, char *argv[])
int
ticketrequest(Ticketreq *tr)
{
char akey[DESKEYLEN];
char hkey[DESKEYLEN];
Ticket t;
Authkey akey, hkey;
char tbuf[2*TICKETLEN+1];
Ticket t;
int n;
if(findkey(KEYDB, tr->authid, akey) == 0){
if(!findkey(KEYDB, tr->authid, &akey)){
/* make one up so caller doesn't know it was wrong */
mkkey(akey);
mkkey(&akey);
if(debug)
syslog(0, AUTHLOG, "tr-fail authid %s", raddr);
}
if(findkey(KEYDB, tr->hostid, hkey) == 0){
if(!findkey(KEYDB, tr->hostid, &hkey)){
/* make one up so caller doesn't know it was wrong */
mkkey(hkey);
mkkey(&hkey);
if(debug)
syslog(0, AUTHLOG, "tr-fail hostid %s(%s)", tr->hostid, raddr);
}
memset(&t, 0, sizeof(t));
memmove(t.chal, tr->chal, CHALLEN);
strcpy(t.cuid, tr->uid);
if(speaksfor(tr->hostid, tr->uid))
strcpy(t.suid, tr->uid);
else {
mkkey(akey);
mkkey(hkey);
mkticket(tr, &t);
if(!speaksfor(tr->hostid, tr->uid)){
mkkey(&akey);
mkkey(&hkey);
if(debug)
syslog(0, AUTHLOG, "tr-fail %s@%s(%s) -> %s@%s no speaks for",
tr->uid, tr->hostid, raddr, tr->uid, tr->authid);
}
mkkey(t.key);
tbuf[0] = AuthOK;
n = 0;
tbuf[n++] = AuthOK;
t.num = AuthTc;
convT2M(&t, tbuf+1, hkey);
n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &hkey);
t.num = AuthTs;
convT2M(&t, tbuf+1+TICKETLEN, akey);
if(write(1, tbuf, 2*TICKETLEN+1) < 0){
n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &akey);
if(write(1, tbuf, n) < 0){
if(debug)
syslog(0, AUTHLOG, "tr-fail %s@%s(%s): hangup",
tr->uid, tr->hostid, raddr);
@ -163,22 +158,23 @@ challengebox(Ticketreq *tr)
{
long chal;
char *key, *netkey;
char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN];
Authkey hkey;
char kbuf[DESKEYLEN], nkbuf[DESKEYLEN];
char buf[NETCHLEN+1];
char *err;
key = findkey(KEYDB, tr->uid, kbuf);
netkey = findkey(NETKEYDB, tr->uid, nkbuf);
if(key == 0 && netkey == 0){
key = finddeskey(KEYDB, tr->uid, kbuf);
netkey = finddeskey(NETKEYDB, tr->uid, nkbuf);
if(key == nil && netkey == nil){
/* make one up so caller doesn't know it was wrong */
mkkey(nkbuf);
randombytes((uchar*)nkbuf, DESKEYLEN);
netkey = nkbuf;
if(debug)
syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
}
if(findkey(KEYDB, tr->hostid, hkey) == 0){
if(!findkey(KEYDB, tr->hostid, &hkey)){
/* make one up so caller doesn't know it was wrong */
mkkey(hkey);
mkkey(&hkey);
if(debug)
syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid,
tr->uid, raddr);
@ -195,8 +191,8 @@ challengebox(Ticketreq *tr)
exits(0);
if(readn(0, buf, NETCHLEN) < 0)
exits(0);
if(!(key && netcheck(key, chal, buf))
&& !(netkey && netcheck(netkey, chal, buf))
if(!(key != nil && netcheck(key, chal, buf))
&& !(netkey != nil && netcheck(netkey, chal, buf))
&& (err = secureidcheck(tr->uid, buf)) != nil){
replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
logfail(tr->uid);
@ -210,7 +206,7 @@ challengebox(Ticketreq *tr)
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0){
if(tickauthreply(tr, &hkey) < 0){
if(debug)
syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup",
tr->uid, tr->hostid, raddr);
@ -229,36 +225,36 @@ changepasswd(Ticketreq *tr)
char tbuf[TICKETLEN+1];
char prbuf[PASSREQLEN];
Passwordreq pr;
char okey[DESKEYLEN], nkey[DESKEYLEN];
Authkey okey, nkey;
char *err;
int n;
if(findkey(KEYDB, tr->uid, okey) == 0){
if(!findkey(KEYDB, tr->uid, &okey)){
/* make one up so caller doesn't know it was wrong */
mkkey(okey);
mkkey(&okey);
syslog(0, AUTHLOG, "cp-fail uid %s", raddr);
}
/* send back a ticket with a new key */
memmove(t.chal, tr->chal, CHALLEN);
mkkey(t.key);
tbuf[0] = AuthOK;
mkticket(tr, &t);
t.num = AuthTp;
safecpy(t.cuid, tr->uid, sizeof(t.cuid));
safecpy(t.suid, tr->uid, sizeof(t.suid));
convT2M(&t, tbuf+1, okey);
write(1, tbuf, sizeof(tbuf));
n = 0;
tbuf[n++] = AuthOK;
n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &okey);
if(write(1, tbuf, n) != n)
exits(0);
/* loop trying passwords out */
for(;;){
if(readn(0, prbuf, PASSREQLEN) < 0)
n = readn(0, prbuf, sizeof(prbuf));
if(n <= 0 || convM2PR(prbuf, n, &pr, &t) <= 0)
exits(0);
convM2PR(prbuf, &pr, t.key);
if(pr.num != AuthPass){
replyerror("protocol botch1: %s", raddr);
exits(0);
}
passtokey(nkey, pr.old);
if(memcmp(nkey, okey, DESKEYLEN)){
passtokey(&nkey, pr.old);
if(!samekey(&nkey, &okey)){
replyerror("protocol botch2: %s", raddr);
continue;
}
@ -268,13 +264,13 @@ changepasswd(Ticketreq *tr)
replyerror("%s %s", err, raddr);
continue;
}
passtokey(nkey, pr.new);
passtokey(&nkey, pr.new);
}
if(pr.changesecret && setsecret(KEYDB, tr->uid, pr.secret) == 0){
replyerror("can't write secret %s", raddr);
continue;
}
if(*pr.new && setkey(KEYDB, tr->uid, nkey) == 0){
if(*pr.new && setkey(KEYDB, tr->uid, &nkey) == 0){
replyerror("can't write key %s", raddr);
continue;
}
@ -292,15 +288,14 @@ http(Ticketreq *tr)
{
Ticket t;
char tbuf[TICKETLEN+1];
char key[DESKEYLEN];
Authkey key;
char *p;
Biobuf *b;
int n;
randombytes((uchar*)key, DESKEYLEN);
/* use plan9 key when there is any */
findkey(KEYDB, tr->uid, key);
if(!findkey(KEYDB, tr->uid, &key))
mkkey(&key);
n = strlen(tr->uid);
b = Bopen("/sys/lib/httppasswords", OREAD);
@ -315,21 +310,20 @@ http(Ticketreq *tr)
p += n;
while(*p == ' ' || *p == '\t')
p++;
passtokey(key, p);
passtokey(&key, p);
}
}
Bterm(b);
}
/* send back a ticket encrypted with the key */
mkticket(tr, &t);
randombytes((uchar*)t.chal, CHALLEN);
mkkey(t.key);
tbuf[0] = AuthOK;
t.num = AuthHr;
safecpy(t.cuid, tr->uid, sizeof(t.cuid));
safecpy(t.suid, tr->uid, sizeof(t.suid));
convT2M(&t, tbuf+1, key);
write(1, tbuf, sizeof(tbuf));
n = 0;
tbuf[n++] = AuthOK;
n += convT2M(&t, tbuf+n, sizeof(tbuf)-n, &key);
write(1, tbuf, n);
}
static char*
@ -339,13 +333,13 @@ domainname(void)
static char *domain;
int n;
if(domain)
if(domain != nil)
return domain;
if(*sysname)
return sysname;
domain = csgetvalue(0, "sys", sysname, "dom", nil);
if(domain)
if(domain != nil)
return domain;
n = readfile("/dev/sysname", sysname, sizeof(sysname)-1);
@ -373,12 +367,13 @@ h2b(char c)
void
apop(Ticketreq *tr, int type)
{
int challen, i, tries;
char *secret, *hkey, *p;
int challen, i, n, tries;
char *secret, *p;
Authkey hkey;
Ticketreq treq;
DigestState *s;
char sbuf[SECRETLEN], hbuf[DESKEYLEN];
char tbuf[TICKREQLEN];
char sbuf[SECRETLEN];
char trbuf[TICKREQLEN];
char buf[MD5dlen*2];
uchar digest[MD5dlen], resp[MD5dlen];
ulong rb[4];
@ -401,9 +396,9 @@ apop(Ticketreq *tr, int type)
/*
* get ticket request
*/
if(readn(0, tbuf, TICKREQLEN) < 0)
n = readn(0, trbuf, sizeof(trbuf));
if(n <= 0 || convM2TR(trbuf, n, &treq) <= 0)
exits(0);
convM2TR(tbuf, &treq);
tr = &treq;
if(tr->type != type)
exits(0);
@ -411,7 +406,7 @@ apop(Ticketreq *tr, int type)
/*
* read response
*/
if(readn(0, buf, MD5dlen*2) < 0)
if(readn(0, buf, MD5dlen*2) != MD5dlen*2)
exits(0);
for(i = 0; i < MD5dlen; i++)
resp[i] = (h2b(buf[2*i])<<4)|h2b(buf[2*i+1]);
@ -420,8 +415,7 @@ apop(Ticketreq *tr, int type)
* lookup
*/
secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf);
if(hkey == 0 || secret == 0){
if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
replyerror("apop-fail bad response %s", raddr);
logfail(tr->uid);
if(tries > 5)
@ -455,7 +449,7 @@ apop(Ticketreq *tr, int type)
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0)
if(tickauthreply(tr, &hkey) < 0)
exits(0);
if(debug){
@ -493,10 +487,11 @@ uchar swizzletab[256] = {
void
vnc(Ticketreq *tr)
{
char *secret;
Authkey hkey;
uchar chal[VNCchallen+6];
uchar reply[VNCchallen];
char *secret, *hkey;
char sbuf[SECRETLEN], hbuf[DESKEYLEN];
char sbuf[SECRETLEN];
DESstate s;
int i;
@ -514,18 +509,15 @@ vnc(Ticketreq *tr)
*/
memset(sbuf, 0, sizeof(sbuf));
secret = findsecret(KEYDB, tr->uid, sbuf);
if(secret == 0){
if(secret == nil){
randombytes((uchar*)sbuf, sizeof(sbuf));
secret = sbuf;
}
for(i = 0; i < 8; i++)
secret[i] = swizzletab[(uchar)secret[i]];
hkey = findkey(KEYDB, tr->hostid, hbuf);
if(hkey == 0){
randombytes((uchar*)hbuf, sizeof(hbuf));
hkey = hbuf;
}
if(!findkey(KEYDB, tr->hostid, &hkey))
mkkey(&hkey);
/*
* get response
@ -548,7 +540,7 @@ vnc(Ticketreq *tr)
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0)
if(tickauthreply(tr, &hkey) < 0)
exits(0);
if(debug)
@ -558,9 +550,10 @@ vnc(Ticketreq *tr)
void
chap(Ticketreq *tr)
{
char *secret, *hkey;
char *secret;
Authkey hkey;
DigestState *s;
char sbuf[SECRETLEN], hbuf[DESKEYLEN];
char sbuf[SECRETLEN];
uchar digest[MD5dlen];
char chal[CHALLEN];
OChapreply reply;
@ -582,8 +575,7 @@ chap(Ticketreq *tr)
* lookup
*/
secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf);
if(hkey == 0 || secret == 0){
if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
replyerror("chap-fail bad response %s", raddr);
logfail(tr->uid);
exits(0);
@ -607,7 +599,7 @@ chap(Ticketreq *tr)
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0)
if(tickauthreply(tr, &hkey) < 0)
exits(0);
if(debug)
@ -671,8 +663,9 @@ static uchar ntblobsig[] = {0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
void
mschap(Ticketreq *tr)
{
char *secret, *hkey;
char sbuf[SECRETLEN], hbuf[DESKEYLEN], windom[128];
char *secret;
Authkey hkey;
char sbuf[SECRETLEN], windom[128];
uchar chal[CHALLEN], ntblob[1024];
uchar hash[MShashlen];
uchar hash2[MShashlen];
@ -743,8 +736,7 @@ mschap(Ticketreq *tr)
* lookup
*/
secret = findsecret(KEYDB, tr->uid, sbuf);
hkey = findkey(KEYDB, tr->hostid, hbuf);
if(hkey == 0 || secret == 0){
if(!findkey(KEYDB, tr->hostid, &hkey) || secret == nil){
replyerror("mschap-fail bad response %s/%s(%s)",
tr->uid, tr->hostid, raddr);
logfail(tr->uid);
@ -812,7 +804,7 @@ mschap(Ticketreq *tr)
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0)
if(tickauthreply(tr, &hkey) < 0)
exits(0);
if(debug)
@ -939,16 +931,16 @@ speaksfor(char *speaker, char *user)
if(strcmp(speaker, user) == 0)
return 1;
if(db == 0)
if(db == nil)
return 0;
tp = ndbsearch(db, &s, "hostid", speaker);
if(tp == 0)
if(tp == nil)
return 0;
ok = 0;
snprint(notuser, sizeof notuser, "!%s", user);
for(ntp = tp; ntp; ntp = ntp->entry)
for(ntp = tp; ntp != nil; ntp = ntp->entry)
if(strcmp(ntp->attr, "uid") == 0){
if(strcmp(ntp->val, notuser) == 0){
ok = 0;
@ -1003,9 +995,25 @@ getraddr(char *dir)
}
void
mkkey(char *k)
mkkey(Authkey *k)
{
randombytes((uchar*)k, DESKEYLEN);
randombytes((uchar*)k->des, DESKEYLEN);
}
int
samekey(Authkey *a, Authkey *b)
{
return memcmp(a->des, b->des, DESKEYLEN) == 0;
}
void
mkticket(Ticketreq *tr, Ticket *t)
{
memset(t, 0, sizeof(Ticket));
memmove(t->chal, tr->chal, CHALLEN);
safecpy(t->cuid, tr->uid, sizeof(t->cuid));
safecpy(t->suid, tr->uid, sizeof(t->suid));
randombytes((uchar*)t->key, DESKEYLEN);
}
void
@ -1024,25 +1032,24 @@ randombytes(uchar *buf, int len)
* reply with ticket and authenticator
*/
int
tickauthreply(Ticketreq *tr, char *hkey)
tickauthreply(Ticketreq *tr, Authkey *hkey)
{
Ticket t;
Authenticator a;
char buf[TICKETLEN+AUTHENTLEN+1];
int n;
memset(&t, 0, sizeof(t));
memmove(t.chal, tr->chal, CHALLEN);
safecpy(t.cuid, tr->uid, sizeof t.cuid);
safecpy(t.suid, tr->uid, sizeof t.suid);
mkkey(t.key);
buf[0] = AuthOK;
mkticket(tr, &t);
t.num = AuthTs;
convT2M(&t, buf+1, hkey);
n = 0;
buf[n++] = AuthOK;
n += convT2M(&t, buf+n, sizeof(buf)-n, hkey);
memset(&a, 0, sizeof(a));
memmove(a.chal, t.chal, CHALLEN);
a.num = AuthAc;
a.id = 0;
convA2M(&a, buf+TICKETLEN+1, t.key);
if(write(1, buf, TICKETLEN+AUTHENTLEN+1) < 0)
n += convA2M(&a, buf+n, sizeof(buf)-n, &t);
if(write(1, buf, n) != n)
return -1;
return 0;
}
@ -1053,3 +1060,4 @@ safecpy(char *to, char *from, int len)
strncpy(to, from, len);
to[len-1] = 0;
}

25
sys/src/cmd/auth/changeuser.c
View file

@ -5,7 +5,7 @@
#include <bio.h>
#include "authcmdlib.h"
void install(char*, char*, char*, long, int);
void install(char*, char*, Authkey*, long, int);
int exists (char*, char*);
void
@ -18,14 +18,15 @@ usage(void)
void
main(int argc, char *argv[])
{
char *u, key[DESKEYLEN], answer[32], p9pass[32];
char *u, answer[32], p9pass[32];
int which, i, newkey, newbio, dosecret;
long t;
Authkey key;
Acctbio a;
Fs *f;
srand(getpid()*time(0));
fmtinstall('K', keyfmt);
fmtinstall('K', deskeyfmt);
which = 0;
ARGBEGIN{
@ -61,10 +62,10 @@ main(int argc, char *argv[])
newkey = 0;
}
if(newkey)
getpass(key, p9pass, 1, 1);
getpass(&key, p9pass, 1, 1);
dosecret = getsecret(newkey, p9pass);
t = getexpiration(f->keys, u);
install(f->keys, u, key, t, newkey);
install(f->keys, u, &key, t, newkey);
if(dosecret && setsecret(KEYDB, u, p9pass) == 0)
error("error writing Inferno/pop secret");
newbio = querybio(f->who, u, &a);
@ -83,17 +84,17 @@ main(int argc, char *argv[])
}
if(newkey)
for(i=0; i<DESKEYLEN; i++)
key[i] = nrand(256);
key.des[i] = nrand(256);
if(a.user == 0){
t = getexpiration(f->keys, u);
newbio = querybio(f->who, u, &a);
}
install(f->keys, u, key, t, newkey);
install(f->keys, u, &key, t, newkey);
if(newbio)
wrbio(f->who, &a);
findkey(f->keys, u, key);
print("user %s: SecureNet key: %K\n", u, key);
checksum(key, answer);
finddeskey(f->keys, u, key.des);
print("user %s: SecureNet key: %K\n", u, key.des);
checksum(key.des, answer);
print("verify with checksum %s\n", answer);
print("user %s installed for SecureNet\n", u);
syslog(0, AUTHLOG, "user %s installed for securenet", u);
@ -102,7 +103,7 @@ main(int argc, char *argv[])
}
void
install(char *db, char *u, char *key, long t, int newkey)
install(char *db, char *u, Authkey *key, long t, int newkey)
{
char buf[KEYDBBUF+ANAMELEN+20];
int fd;
@ -118,7 +119,7 @@ install(char *db, char *u, char *key, long t, int newkey)
if(newkey){
sprint(buf, "%s/%s/key", db, u);
fd = open(buf, OWRITE);
if(fd < 0 || write(fd, key, DESKEYLEN) != DESKEYLEN)
if(fd < 0 || write(fd, key->des, DESKEYLEN) != DESKEYLEN)
error("can't set key: %r");
close(fd);
}

22
sys/src/cmd/auth/convkeys.c
View file

@ -7,19 +7,19 @@
#include <bio.h>
#include "authcmdlib.h"
char authkey[DESKEYLEN];
Authkey authkey;
int verb;
int usepass;
int convert(char*, char*, int);
int dofcrypt(int, char*, char*, int);
int convert(char*, Authkey*, int);
void usage(void);
void
main(int argc, char *argv[])
{
Dir *d;
char *p, *file, key[DESKEYLEN];
Authkey key;
char *p, *file;
int fd, len;
ARGBEGIN{
@ -40,12 +40,12 @@ main(int argc, char *argv[])
/* get original key */
if(usepass){
print("enter password file is encoded with\n");
getpass(authkey, nil, 0, 1);
getpass(&authkey, nil, 0, 1);
} else
getauthkey(authkey);
getauthkey(&authkey);
if(!verb){
print("enter password to reencode with\n");
getpass(key, nil, 0, 1);
getpass(&key, nil, 0, 1);
}
fd = open(file, ORDWR);
@ -60,7 +60,7 @@ main(int argc, char *argv[])
error("out of memory");
if(read(fd, p, len) != len)
error("can't read key file: %r\n");
len = convert(p, key, len);
len = convert(p, &key, len);
if(verb)
exits(0);
if(pwrite(fd, p, len, 0) != len)
@ -128,7 +128,7 @@ badname(char *s)
}
int
convert(char *p, char *key, int len)
convert(char *p, Authkey *key, int len)
{
int i;
@ -139,7 +139,7 @@ convert(char *p, char *key, int len)
len -= len % KEYDBLEN;
}
len += KEYDBOFF;
oldCBCdecrypt(authkey, p, len);
oldCBCdecrypt(authkey.des, p, len);
for(i = KEYDBOFF; i < len; i += KEYDBLEN)
if (badname(&p[i])) {
print("bad name %.30s... - aborting\n", &p[i]);
@ -150,7 +150,7 @@ convert(char *p, char *key, int len)
print("%s\n", &p[i]);
randombytes((uchar*)p, 8);
oldCBCencrypt(key, p, len);
oldCBCencrypt(key->des, p, len);
return len;
}

22
sys/src/cmd/auth/convkeys2.c
View file

@ -6,12 +6,11 @@
#include <bio.h>
#include "authcmdlib.h"
char authkey[DESKEYLEN];
Authkey authkey;
int verb;
int usepass;
int convert(char*, char*, char*, int);
int dofcrypt(int, char*, char*, int);
int convert(char*, char*, Authkey*, int);
void usage(void);
void randombytes(uchar*, int);
@ -19,7 +18,8 @@ void
main(int argc, char *argv[])
{
Dir *d;
char *p, *np, *file, key[DESKEYLEN];
Authkey key;
char *p, *np, *file;
int fd, len;
ARGBEGIN{
@ -40,11 +40,11 @@ main(int argc, char *argv[])
/* get original key */
if(usepass){
print("enter password file is encoded with\n");
getpass(authkey, nil, 0, 1);
getpass(&authkey, nil, 0, 1);
} else
getauthkey(authkey);
getauthkey(&authkey);
print("enter password to reencode with\n");
getpass(key, nil, 0, 1);
getpass(&key, nil, 0, 1);
fd = open(file, ORDWR);
if(fd < 0)
@ -61,7 +61,7 @@ main(int argc, char *argv[])
error("out of memory");
if(read(fd, p, len) != len)
error("can't read key file: %r\n");
len = convert(p, np, key, len);
len = convert(p, np, &key, len);
if(verb)
exits(0);
if(pwrite(fd, np, len, 0) != len)
@ -84,7 +84,7 @@ oldCBCencrypt(char *key7, char *p, int len)
}
int
convert(char *p, char *np, char *key, int len)
convert(char *p, char *np, Authkey *key, int len)
{
int i, off, noff;
@ -95,7 +95,7 @@ convert(char *p, char *np, char *key, int len)
for(i = 0; i < len; i ++){
off = i*OKEYDBLEN;
noff = KEYDBOFF+i*(KEYDBLEN);
decrypt(authkey, &p[off], OKEYDBLEN);
decrypt(authkey.des, &p[off], OKEYDBLEN);
memmove(&np[noff], &p[off], OKEYDBLEN);
memset(&np[noff-SECRETLEN], 0, SECRETLEN);
if(verb)
@ -103,7 +103,7 @@ convert(char *p, char *np, char *key, int len)
}
randombytes((uchar*)np, KEYDBOFF);
len = (len*KEYDBLEN) + KEYDBOFF;
oldCBCencrypt(key, np, len);
oldCBCencrypt(key->des, np, len);
return len;
}

1
sys/src/cmd/auth/cron.c
View file

@ -3,6 +3,7 @@
#include <bio.h>
#include <libsec.h>
#include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h"
char CRONLOG[] = "cron";

27
sys/src/cmd/auth/debug.c
View file

@ -208,9 +208,9 @@ authdialfutz(char *dom, char *user)
void
authfutz(char *dom, char *user)
{
int fd, nobootes;
char pw[128], prompt[128], key[DESKEYLEN], booteskey[DESKEYLEN], tbuf[2*TICKETLEN],
trbuf[TICKREQLEN];
int fd, nobootes, n, m;
char pw[128], prompt[128], tbuf[2*TICKETLEN];
Authkey key, booteskey;
Ticket t;
Ticketreq tr;
@ -218,7 +218,7 @@ authfutz(char *dom, char *user)
readcons(prompt, nil, 1, pw, sizeof pw);
if(pw[0] == '\0')
return;
passtokey(key, pw);
passtokey(&key, pw);
fd = authdial(nil, dom);
if(fd < 0){
@ -227,19 +227,19 @@ authfutz(char *dom, char *user)
}
/* try ticket request using just user key */
memset(&tr, 0, sizeof(tr));
tr.type = AuthTreq;
strecpy(tr.authid, tr.authid+sizeof tr.authid, user);
strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom);
strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user);
strecpy(tr.uid, tr.uid+sizeof tr.uid, user);
memset(tr.chal, 0xAA, sizeof tr.chal);
convTR2M(&tr, trbuf);
if(_asgetticket(fd, trbuf, tbuf) < 0){
close(fd);
if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
print("\t_asgetticket failed: %r\n");
close(fd);
return;
}
convM2T(tbuf, &t, key);
m = convM2T(tbuf, n, &t, &key);
if(t.num != AuthTc){
print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -252,7 +252,7 @@ authfutz(char *dom, char *user)
return;
}
convM2T(tbuf+TICKETLEN, &t, key);
convM2T(tbuf+m, n-m, &t, &key);
if(t.num != AuthTs){
print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -269,13 +269,12 @@ authfutz(char *dom, char *user)
/* try ticket request using bootes key */
snprint(prompt, sizeof prompt, "\tcpu server owner for domain %s ", dom);
readcons(prompt, "glenda", 0, tr.authid, sizeof tr.authid);
convTR2M(&tr, trbuf);
if(_asgetticket(fd, trbuf, tbuf) < 0){
if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
close(fd);
print("\t_asgetticket failed: %r\n");
return;
}
convM2T(tbuf, &t, key);
m = convM2T(tbuf, n, &t, &key);
if(t.num != AuthTc){
print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
@ -295,9 +294,9 @@ authfutz(char *dom, char *user)
goto Nobootes;
}
nobootes = 0;
passtokey(booteskey, pw);
passtokey(&booteskey, pw);
convM2T(tbuf+TICKETLEN, &t, booteskey);
convM2T(tbuf+m, n-m, &t, &booteskey);
if(t.num != AuthTs){
print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
print("\tauth server and you do not agree on key for %s@%s\n", tr.authid, dom);

24
sys/src/cmd/auth/factotum/apop.c
View file

@ -208,7 +208,7 @@ apopclose(Fsstate *fss)
static int
dochal(State *s)
{
char *dom, *user, trbuf[TICKREQLEN];
char *dom, *user;
int n;
s->asfd = -1;
@ -228,13 +228,11 @@ dochal(State *s)
goto err;
memset(&s->tr, 0, sizeof(s->tr));
s->tr.type = s->astype;
safecpy(s->tr.authdom, dom, sizeof s->tr.authdom);
safecpy(s->tr.hostid, user, sizeof(s->tr.hostid));
convTR2M(&s->tr, trbuf);
s->tr.type = s->astype;
alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){
if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0);
goto err;
}
@ -254,8 +252,6 @@ err:
static int
doreply(State *s, char *user, char *response)
{
char ticket[TICKETLEN+AUTHENTLEN];
char trbuf[TICKREQLEN];
int n;
Authenticator a;
@ -267,21 +263,16 @@ doreply(State *s, char *user, char *response)
memrandom(s->tr.chal, CHALLEN);
safecpy(s->tr.uid, user, sizeof(s->tr.uid));
convTR2M(&s->tr, trbuf);
alarm(30*1000);
if((n=write(s->asfd, trbuf, TICKREQLEN)) != TICKREQLEN){
if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err;
}
if((n=write(s->asfd, response, MD5dlen*2)) != MD5dlen*2){
if(write(s->asfd, response, MD5dlen*2) != MD5dlen*2){
alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err;
}
n = _asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN);
n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
alarm(0);
if(n < 0){
/* leave connection open so we can try again */
@ -290,7 +281,6 @@ doreply(State *s, char *user, char *response)
close(s->asfd);
s->asfd = -1;
convM2T(ticket, &s->t, (char*)s->key->priv);
if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if(s->key->successes == 0)
@ -299,14 +289,12 @@ doreply(State *s, char *user, char *response)
goto err;
}
s->key->successes++;
convM2A(ticket+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0){
werrstr(Easproto);
goto err;
}
return 0;
err:
if(s->asfd >= 0)

26
sys/src/cmd/auth/factotum/chap.c
View file

@ -299,8 +299,7 @@ static int
dochal(State *s)
{
char *dom, *user;
char trbuf[TICKREQLEN];
int ret;
int n;
s->asfd = -1;
@ -315,20 +314,17 @@ dochal(State *s)
goto err;
memset(&s->tr, 0, sizeof(s->tr));
s->tr.type = s->astype;
safecpy(s->tr.authdom, dom, sizeof(s->tr.authdom));
safecpy(s->tr.hostid, user, sizeof(s->tr.hostid));
convTR2M(&s->tr, trbuf);
s->tr.type = s->astype;
alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){
if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0);
goto err;
}
/* readn, not _asrdresp. needs to match auth.srv.c. */
ret = readn(s->asfd, s->chal, sizeof s->chal);
n = readn(s->asfd, s->chal, sizeof s->chal);
alarm(0);
if(ret != sizeof s->chal)
if(n != sizeof s->chal)
goto err;
return 0;
@ -343,18 +339,16 @@ err:
static int
doreply(State *s, uchar *reply, int nreply)
{
char ticket[TICKETLEN+AUTHENTLEN];
int n;
Authenticator a;
alarm(30*1000);
if((n=write(s->asfd, reply, nreply)) != nreply){
if(write(s->asfd, reply, nreply) != nreply){
alarm(0);
if(n >= 0)
werrstr("short write to auth server");
goto err;
}
if(_asrdresp(s->asfd, ticket, TICKETLEN+AUTHENTLEN) < 0){
n = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
if(n < 0){
alarm(0);
/* leave connection open so we can try again */
return -1;
@ -365,7 +359,7 @@ doreply(State *s, uchar *reply, int nreply)
s->nsecret = 0;
close(s->asfd);
s->asfd = -1;
convM2T(ticket, &s->t, s->key->priv);
if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if(s->key->successes == 0)
@ -374,14 +368,12 @@ doreply(State *s, uchar *reply, int nreply)
return -1;
}
s->key->successes++;
convM2A(ticket+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0){
werrstr(Easproto);
return -1;
}
return 0;
err:
if(s->asfd >= 0)

15
sys/src/cmd/auth/factotum/p9cr.c
View file

@ -165,7 +165,7 @@ p9crread(Fsstate *fss, void *va, uint *n)
static int
p9response(Fsstate *fss, State *s)
{
char key[DESKEYLEN];
Authkey key;
uchar buf[8];
ulong chal;
char *pw;
@ -173,10 +173,10 @@ p9response(Fsstate *fss, State *s)
pw = _strfindattr(s->key->privattr, "!password");
if(pw == nil)
return failure(fss, "vncresponse cannot happen");
passtokey(key, pw);
passtokey(&key, pw);
memset(buf, 0, 8);
sprint((char*)buf, "%d", atoi(s->chal));
if(encrypt(key, buf, 8) < 0)
if(encrypt(key.des, buf, 8) < 0)
return failure(fss, "can't encrypt response");
chal = (buf[0]<<24)+(buf[1]<<16)+(buf[2]<<8)+buf[3];
s->resplen = snprint(s->resp, sizeof s->resp, "%.8lux", chal);
@ -247,7 +247,6 @@ vncresponse(Fsstate*, State *s)
static int
p9crwrite(Fsstate *fss, void *va, uint n)
{
char tbuf[TICKETLEN+AUTHENTLEN];
State *s;
char *data = va;
Authenticator a;
@ -288,14 +287,13 @@ p9crwrite(Fsstate *fss, void *va, uint n)
return failure(fss, Easproto);
}
/* get ticket plus authenticator from auth server */
ret = _asrdresp(s->asfd, tbuf, TICKETLEN+AUTHENTLEN);
ret = _asgetresp(s->asfd, &s->t, &a, (Authkey*)s->key->priv);
alarm(0);
if(ret < 0)
return failure(fss, nil);
/* check ticket */
convM2T(tbuf, &s->t, s->key->priv);
if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, sizeof(s->t.chal)) != 0){
if (s->key->successes == 0)
@ -303,7 +301,6 @@ p9crwrite(Fsstate *fss, void *va, uint n)
return failure(fss, Easproto);
}
s->key->successes++;
convM2A(tbuf+TICKETLEN, &a, s->t.key);
if(a.num != AuthAc
|| memcmp(a.chal, s->tr.chal, sizeof(a.chal)) != 0
|| a.id != 0)
@ -322,20 +319,18 @@ p9crwrite(Fsstate *fss, void *va, uint n)
static int
getchal(State *s, Fsstate *fss)
{
char trbuf[TICKREQLEN];
int n;
safecpy(s->tr.hostid, _strfindattr(s->key->attr, "user"), sizeof(s->tr.hostid));
safecpy(s->tr.authdom, _strfindattr(s->key->attr, "dom"), sizeof(s->tr.authdom));
s->tr.type = s->astype;
convTR2M(&s->tr, trbuf);
/* get challenge from auth server */
s->asfd = _authdial(nil, _strfindattr(s->key->attr, "dom"));
if(s->asfd < 0)
return failure(fss, Easproto);
alarm(30*1000);
if(write(s->asfd, trbuf, TICKREQLEN) != TICKREQLEN){
if(_asrequest(s->asfd, &s->tr) < 0){
alarm(0);
return failure(fss, Easproto);
}

99
sys/src/cmd/auth/factotum/p9sk1.c
View file

@ -25,7 +25,7 @@ struct State
Ticketreq tr;
char cchal[CHALLEN];
char tbuf[TICKETLEN+AUTHENTLEN];
char authkey[DESKEYLEN];
int tbuflen;
uchar *secret;
int speakfor;
};
@ -60,7 +60,7 @@ static char *phasenames[Maxphase] =
[SHaveAuth] "SHaveAuth",
};
static int gettickets(State*, char*, char*);
static int gettickets(State*, Ticketreq *, char*, int);
static int
p9skinit(Proto *p, Fsstate *fss)
@ -119,6 +119,8 @@ p9skinit(Proto *p, Fsstate *fss)
break;
}
}
s->tbuflen = 0;
s->secret = nil;
fss->ps = s;
return RpcOk;
}
@ -147,13 +149,12 @@ p9skread(Fsstate *fss, void *a, uint *n)
m = TICKREQLEN;
if(*n < m)
return toosmall(fss, m);
*n = m;
convTR2M(&s->tr, a);
*n = convTR2M(&s->tr, a, *n);
fss->phase = SNeedTicket;
return RpcOk;
case CHaveTicket:
m = TICKETLEN+AUTHENTLEN;
m = s->tbuflen;
if(*n < m)
return toosmall(fss, m);
*n = m;
@ -162,11 +163,11 @@ p9skread(Fsstate *fss, void *a, uint *n)
return RpcOk;
case SHaveAuth:
m = AUTHENTLEN;
m = s->tbuflen;
if(*n < m)
return toosmall(fss, m);
*n = m;
memmove(a, s->tbuf+TICKETLEN, m);
memmove(a, s->tbuf, m);
fss->ai.cuid = s->t.cuid;
fss->ai.suid = s->t.suid;
s->secret = emalloc(8);
@ -183,7 +184,7 @@ static int
p9skwrite(Fsstate *fss, void *a, uint n)
{
int m, ret, sret;
char tbuf[2*TICKETLEN], trbuf[TICKREQLEN], *user;
char tbuf[2*TICKETLEN], *user;
Attr *attr;
Authenticator auth;
State *s;
@ -204,12 +205,11 @@ p9skwrite(Fsstate *fss, void *a, uint n)
return RpcOk;
case CNeedTreq:
m = TICKREQLEN;
if(n < m)
return toosmall(fss, m);
m = convM2TR(a, n, &s->tr);
if(m <= 0)
return toosmall(fss, -m);
/* remember server's chal */
convM2TR(a, &s->tr);
if(s->vers == 2)
memmove(s->cchal, s->tr.chal, CHALLEN);
@ -263,15 +263,14 @@ p9skwrite(Fsstate *fss, void *a, uint n)
else
safecpy(s->tr.uid, s->tr.hostid, sizeof s->tr.uid);
convTR2M(&s->tr, trbuf);
/* get tickets, from auth server or invent if we can */
if(gettickets(s, trbuf, tbuf) < 0){
ret = gettickets(s, &s->tr, tbuf, sizeof(tbuf));
if(ret < 0){
_freeattr(attr);
return failure(fss, nil);
}
convM2T(tbuf, &s->t, (char*)s->key->priv);
m = convM2T(tbuf, ret, &s->t, (Authkey*)s->key->priv);
if(s->t.num != AuthTc){
if(s->key->successes == 0 && !s->speakfor)
disablekey(s->key);
@ -287,24 +286,27 @@ p9skwrite(Fsstate *fss, void *a, uint n)
}
s->key->successes++;
_freeattr(attr);
memmove(s->tbuf, tbuf+TICKETLEN, TICKETLEN);
ret -= m;
memmove(s->tbuf, tbuf+m, ret);
auth.num = AuthAc;
memmove(auth.chal, s->tr.chal, CHALLEN);
auth.id = 0;
convA2M(&auth, s->tbuf+TICKETLEN, s->t.key);
ret += convA2M(&auth, s->tbuf+ret, sizeof(s->tbuf)-ret, &s->t);
s->tbuflen = ret;
fss->phase = CHaveTicket;
return RpcOk;
case SNeedTicket:
m = TICKETLEN+AUTHENTLEN;
if(n < m)
return toosmall(fss, m);
convM2T(a, &s->t, (char*)s->key->priv);
m = convM2T(a, n, &s->t, (Authkey*)s->key->priv);
if(m <= 0)
return toosmall(fss, -m);
if(s->t.num != AuthTs
|| memcmp(s->t.chal, s->tr.chal, CHALLEN) != 0)
return failure(fss, Easproto);
convM2A((char*)a+TICKETLEN, &auth, s->t.key);
ret = convM2A((char*)a+m, n-m, &auth, &s->t);
if(ret <= 0)
return toosmall(fss, -ret + m);
if(auth.num != AuthAc
|| memcmp(auth.chal, s->tr.chal, CHALLEN) != 0
|| auth.id != 0)
@ -312,15 +314,14 @@ p9skwrite(Fsstate *fss, void *a, uint n)
auth.num = AuthAs;
memmove(auth.chal, s->cchal, CHALLEN);
auth.id = 0;
convA2M(&auth, s->tbuf+TICKETLEN, s->t.key);
s->tbuflen = convA2M(&auth, s->tbuf, sizeof(s->tbuf), &s->t);
fss->phase = SHaveAuth;
return RpcOk;
case CNeedAuth:
m = AUTHENTLEN;
if(n < m)
return toosmall(fss, m);
convM2A(a, &auth, s->t.key);
m = convM2A(a, n, &auth, &s->t);
if(m <= 0)
return toosmall(fss, -m);
if(auth.num != AuthAs
|| memcmp(auth.chal, s->cchal, CHALLEN) != 0
|| auth.id != 0)
@ -384,24 +385,24 @@ hexparse(char *hex, uchar *dat, int ndat)
static int
p9skaddkey(Key *k, int before)
{
Authkey *akey;
char *s;
k->priv = emalloc(DESKEYLEN);
akey = emalloc(sizeof(Authkey));
if(s = _strfindattr(k->privattr, "!hex")){
if(hexparse(s, k->priv, 7) < 0){
free(k->priv);
k->priv = nil;
if(hexparse(s, (uchar*)akey->des, DESKEYLEN) < 0){
free(akey);
werrstr("malformed key data");
return -1;
}
}else if(s = _strfindattr(k->privattr, "!password")){
passtokey((char*)k->priv, s);
passtokey(akey, s);
}else{
werrstr("no key data");
free(k->priv);
k->priv = nil;
free(akey);
return -1;
}
k->priv = akey;
return replacekey(k, before);
}
@ -412,7 +413,7 @@ p9skclosekey(Key *k)
}
static int
getastickets(State *s, char *trbuf, char *tbuf)
getastickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen)
{
int asfd, rv;
char *dom;
@ -425,17 +426,18 @@ getastickets(State *s, char *trbuf, char *tbuf)
if(asfd < 0)
return -1;
alarm(30*1000);
rv = _asgetticket(asfd, trbuf, tbuf);
rv = _asgetticket(asfd, tr, tbuf, tbuflen);
alarm(0);
close(asfd);
return rv;
}
static int
mkserverticket(State *s, char *tbuf)
mkserverticket(State *s, char *tbuf, int tbuflen)
{
Ticketreq *tr = &s->tr;
Ticket t;
int ret;
if(strcmp(tr->authid, tr->hostid) != 0)
return -1;
@ -449,22 +451,21 @@ mkserverticket(State *s, char *tbuf)
strcpy(t.suid, tr->uid);
memrandom(t.key, DESKEYLEN);
t.num = AuthTc;
convT2M(&t, tbuf, s->key->priv);
ret = convT2M(&t, tbuf, tbuflen, (Authkey*)s->key->priv);
t.num = AuthTs;
convT2M(&t, tbuf+TICKETLEN, s->key->priv);
return 0;
ret += convT2M(&t, tbuf+ret, tbuflen-ret, (Authkey*)s->key->priv);
return ret;
}
static int
gettickets(State *s, char *trbuf, char *tbuf)
gettickets(State *s, Ticketreq *tr, char *tbuf, int tbuflen)
{
/*
if(mktickets(s, trbuf, tbuf) >= 0)
return 0;
*/
if(getastickets(s, trbuf, tbuf) >= 0)
return 0;
return mkserverticket(s, tbuf);
int ret;
ret = getastickets(s, tr, tbuf, tbuflen);
if(ret >= 0)
return ret;
return mkserverticket(s, tbuf, tbuflen);
}
Proto p9sk1 = {

2
sys/src/cmd/auth/guard.srv.c
View file

@ -90,7 +90,7 @@ main(int argc, char *argv[])
/* remove password login from guard.research.bell-labs.com, sucre, etc. */
// if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if(!finddeskey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if((err = secureidcheck(user, resp)) != nil){
print("NO %s", err);
write(1, "NO", 2);

23
sys/src/cmd/auth/httpauth.c
View file

@ -8,36 +8,25 @@ httpauth(char *name, char *password)
int afd;
Ticketreq tr;
Ticket t;
char key[DESKEYLEN];
char buf[512];
Authkey key;
afd = authdial(nil, nil);
if(afd < 0)
return -1;
passtokey(&key, password);
/* send ticket request to AS */
memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, name);
tr.type = AuthHttp;
convTR2M(&tr, buf);
if(write(afd, buf, TICKREQLEN) != TICKREQLEN){
if(_asrequest(afd, &tr) < 0){
close(afd);
return -1;
}
if(_asrdresp(afd, buf, TICKETLEN) < 0){
_asgetresp(afd, &t, nil, &key);
close(afd);
return -1;
}
close(afd);
/*
* use password and try to decrypt the
* ticket. If it doesn't work we've got a bad password,
* give up.
*/
passtokey(key, password);
convM2T(buf, &t, key);
if(t.num != AuthHr || strcmp(t.cuid, tr.uid))
if(t.num != AuthHr || strcmp(t.cuid, tr.uid) != 0)
return -1;
return 0;

12
sys/src/cmd/auth/keyfs.c
View file

@ -13,7 +13,7 @@
#pragma varargck type "W" char*
char authkey[8];
Authkey authkey;
typedef struct Fid Fid;
typedef struct User User;
@ -170,9 +170,9 @@ main(int argc, char *argv[])
error("can't make pipe: %r");
if(usepass) {
getpass(authkey, nil, 0, 0);
getpass(&authkey, nil, 0, 0);
} else {
if(!getauthkey(authkey))
if(!getauthkey(&authkey))
print("keyfs: warning: can't read NVRAM\n");
}
@ -690,7 +690,7 @@ passline(Biobuf *b, void *vbuf)
if(Bread(b, buf, KEYDBLEN) != KEYDBLEN)
return 0;
decrypt(authkey, buf, KEYDBLEN);
decrypt(authkey.des, buf, KEYDBLEN);
buf[Namelen-1] = '\0';
return 1;
}
@ -780,7 +780,7 @@ writeusers(void)
}
/* encrypt */
oldCBCencrypt(authkey, buf, p - buf);
oldCBCencrypt(authkey.des, buf, p - buf);
/* write file */
fd = create(userkeys, OWRITE, 0660);
@ -888,7 +888,7 @@ readusers(void)
/* decrypt */
n -= n % KEYDBLEN;
oldCBCdecrypt(authkey, buf, n);
oldCBCdecrypt(authkey.des, buf, n);
/* unpack */
nu = 0;

1
sys/src/cmd/auth/lib/error.c
View file

@ -1,6 +1,7 @@
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
void

1
sys/src/cmd/auth/lib/fs.c
View file

@ -1,6 +1,7 @@
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
Fs fs[3] =

5
sys/src/cmd/auth/lib/getauthkey.c
View file

@ -17,9 +17,10 @@ getkey(char *authkey)
}
int
getauthkey(char *authkey)
getauthkey(Authkey *authkey)
{
if(getkey(authkey) == 0)
memset(authkey, 0, sizeof(Authkey));
if(getkey(authkey->des) == 0)
return 1;
print("can't read NVRAM, please enter machine key\n");
getpass(authkey, nil, 0, 1);

1
sys/src/cmd/auth/lib/getexpiration.c
View file

@ -2,6 +2,7 @@
#include <libc.h>
#include <ctype.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
/*

3
sys/src/cmd/auth/lib/keyfmt.c
View file

@ -1,13 +1,14 @@
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
/*
* print a key in des standard form
*/
int
keyfmt(Fmt *f)
deskeyfmt(Fmt *f)
{
uchar key[8];
char buf[32];

1
sys/src/cmd/auth/lib/netcheck.c
View file

@ -1,6 +1,7 @@
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
/*

1
sys/src/cmd/auth/lib/querybio.c
View file

@ -2,6 +2,7 @@
#include <libc.h>
#include <bio.h>
#include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h"

1
sys/src/cmd/auth/lib/rdbio.c
View file

@ -2,6 +2,7 @@
#include <libc.h>
#include <bio.h>
#include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h"
void

1
sys/src/cmd/auth/lib/readarg.c
View file

@ -1,6 +1,7 @@
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
int

2
sys/src/cmd/auth/lib/readln.c
View file

@ -5,7 +5,7 @@
#include "authcmdlib.h"
void
getpass(char *key, char *pass, int check, int confirm)
getpass(Authkey *key, char *pass, int check, int confirm)
{
char rpass[32], npass[32];
char *err;

17
sys/src/cmd/auth/lib/readwrite.c
View file

@ -33,7 +33,7 @@ writefile(char *file, char *buf, int n)
}
char*
findkey(char *db, char *user, char *key)
finddeskey(char *db, char *user, char *key)
{
int n;
char filename[Maxpath];
@ -46,6 +46,13 @@ findkey(char *db, char *user, char *key)
return key;
}
int
findkey(char *db, char *user, Authkey *key)
{
memset(key, 0, sizeof(Authkey));
return finddeskey(db, user, key->des) != nil;
}
char*
findsecret(char *db, char *user, char *secret)
{
@ -62,7 +69,7 @@ findsecret(char *db, char *user, char *secret)
}
char*
setkey(char *db, char *user, char *key)
setdeskey(char *db, char *user, char *key)
{
int n;
char filename[Maxpath];
@ -75,6 +82,12 @@ setkey(char *db, char *user, char *key)
return key;
}
int
setkey(char *db, char *user, Authkey *key)
{
return setdeskey(db, user, key->des) != nil;
}
char*
setsecret(char *db, char *user, char *secret)
{

1
sys/src/cmd/auth/lib/wrbio.c
View file

@ -2,6 +2,7 @@
#include <libc.h>
#include <bio.h>
#include <ctype.h>
#include <authsrv.h>
#include "authcmdlib.h"
void

7
sys/src/cmd/auth/netkey.c
View file

@ -15,7 +15,8 @@ usage(void)
void
main(int argc, char *argv[])
{
char buf[32], pass[32], key[DESKEYLEN];
Authkey key;
char buf[32], pass[32];
char *s;
int n;
@ -33,7 +34,7 @@ main(int argc, char *argv[])
}
readln("Password: ", pass, sizeof pass, 1);
passtokey(key, pass);
passtokey(&key, pass);
for(;;){
print("challenge: ");
@ -43,7 +44,7 @@ main(int argc, char *argv[])
buf[n] = '\0';
n = strtol(buf, 0, 10);
sprint(buf, "%d", n);
netcrypt(key, buf);
netcrypt(key.des, buf);
print("response: %s\n", buf);
}
}

63
sys/src/cmd/auth/passwd.c
View file

@ -1,52 +1,17 @@
#include <u.h>
#include <libc.h>
#include <authsrv.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
static char *pbmsg = "AS protocol botch";
int
asrdresp(int fd, char *buf, int len)
{
char error[AERRLEN];
if(read(fd, buf, 1) != 1){
werrstr(pbmsg);
return -1;
}
switch(buf[0]){
case AuthOK:
if(readn(fd, buf, len) < 0){
werrstr(pbmsg);
return -1;
}
break;
case AuthErr:
if(readn(fd, error, AERRLEN) < 0){
werrstr(pbmsg);
return -1;
}
error[AERRLEN-1] = 0;
errstr(error, sizeof error);
return -1;
default:
werrstr(pbmsg);
return -1;
}
return 0;
}
void
main(int argc, char **argv)
{
int fd;
int fd, n;
Ticketreq tr;
Ticket t;
Passwordreq pr;
char tbuf[TICKETLEN];
char key[DESKEYLEN];
Authkey key;
char buf[512];
char *s, *user;
@ -73,12 +38,8 @@ main(int argc, char **argv)
memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, user);
tr.type = AuthPass;
convTR2M(&tr, buf);
if(write(fd, buf, TICKREQLEN) != TICKREQLEN)
error("protocol botch: %r");
if(asrdresp(fd, buf, TICKETLEN) < 0)
if(_asrequest(fd, &tr) < 0)
error("%r");
memmove(tbuf, buf, TICKETLEN);
/*
* get a password from the user and try to decrypt the
@ -86,13 +47,17 @@ main(int argc, char **argv)
* give up.
*/
readln("Plan 9 Password: ", pr.old, sizeof pr.old, 1);
passtokey(key, pr.old);
convM2T(tbuf, &t, key);
if(t.num != AuthTp || strcmp(t.cuid, tr.uid))
passtokey(&key, pr.old);
if(_asgetresp(fd, &t, nil, &key) < 0)
error("%r");
if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0)
error("bad password");
/* loop trying new passwords */
for(;;){
memset(&pr, 0, sizeof(pr));
pr.changesecret = 0;
*pr.new = 0;
readln("change Plan 9 Password? (y/n) ", buf, sizeof buf, 0);
@ -126,10 +91,10 @@ main(int argc, char **argv)
}
}
pr.num = AuthPass;
convPR2M(&pr, buf, t.key);
if(write(fd, buf, PASSREQLEN) != PASSREQLEN)
n = convPR2M(&pr, buf, sizeof(buf), &t);
if(write(fd, buf, n) != n)
error("AS protocol botch: %r");
if(asrdresp(fd, buf, 0) == 0)
if(_asrdresp(fd, buf, 0) == 0)
break;
fprint(2, "passwd: refused: %r\n");
}

9
sys/src/cmd/auth/printnetkey.c
View file

@ -1,10 +1,9 @@
#include <u.h>
#include <libc.h>
#include <authsrv.h>
#include <bio.h>
#include <authsrv.h>
#include "authcmdlib.h"
void install(char*, char*, int);
void usage(void);
void
@ -15,7 +14,7 @@ main(int argc, char *argv[])
char keybuf[DESKEYLEN];
argv0 = "printnetkey";
fmtinstall('K', keyfmt);
fmtinstall('K', deskeyfmt);
ARGBEGIN{
default:
@ -25,11 +24,9 @@ main(int argc, char *argv[])
usage();
u = argv[0];
fmtinstall('K', keyfmt);
if(memchr(u, '\0', ANAMELEN) == 0)
error("bad user name");
key = findkey(NETKEYDB, u, keybuf);
key = finddeskey(NETKEYDB, u, keybuf);
if(!key)
error("%s has no netkey\n", u);
print("user %s: net key %K\n", u, key);

1
sys/src/cmd/auth/warning.c
View file

@ -2,6 +2,7 @@
#include <libc.h>
#include <bio.h>
#include <auth.h>
#include <authsrv.h>
#include "authcmdlib.h"
/* working directory */

13
sys/src/libauth/auth_userpasswd.c
View file

@ -11,13 +11,13 @@
* this was copied from inet's guard.
*/
static void
netresp(char *key, long chal, char *answer)
netresp(Authkey *key, long chal, char *answer)
{
uchar buf[8];
memset(buf, 0, sizeof buf);
snprint((char *)buf, sizeof buf, "%lud", chal);
if(encrypt(key, buf, 8) < 0)
if(encrypt(key->des, buf, 8) < 0)
abort();
sprint(answer, "%.8ux", buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3]);
}
@ -25,7 +25,8 @@ netresp(char *key, long chal, char *answer)
AuthInfo*
auth_userpasswd(char *user, char *passwd)
{
char key[DESKEYLEN], resp[16];
char resp[16];
Authkey key;
AuthInfo *ai;
Chalstate *ch;
@ -37,9 +38,9 @@ auth_userpasswd(char *user, char *passwd)
if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil)
return nil;
passtokey(key, passwd);
netresp(key, atol(ch->chal), resp);
memset(key, 0, sizeof key);
passtokey(&key, passwd);
netresp(&key, atol(ch->chal), resp);
memset(&key, 0, sizeof(Authkey));
ch->resp = resp;
ch->nresp = strlen(resp);

51
sys/src/libauth/httpauth.c
View file

@ -1,51 +0,0 @@
#include <u.h>
#include <libc.h>
#include <auth.h>
#include <authsrv.h>
/* deprecated.
This is the mechanism that put entries in /sys/lib/httpd.rewrite
and passwords on the authserver in /sys/lib/httppasswords, which
was awkward to administer. Instead, use local .httplogin files,
which are implemented in sys/src/cmd/ip/httpd/authorize.c */
int
httpauth(char *name, char *password)
{
int afd;
Ticketreq tr;
Ticket t;
char key[DESKEYLEN];
char buf[512];
afd = authdial(nil, nil);
if(afd < 0)
return -1;
/* send ticket request to AS */
memset(&tr, 0, sizeof(tr));
strcpy(tr.uid, name);
tr.type = AuthHttp;
convTR2M(&tr, buf);
if(write(afd, buf, TICKREQLEN) != TICKREQLEN){
close(afd);
return -1;
}
if(_asrdresp(afd, buf, TICKETLEN) < 0){
close(afd);
return -1;
}
close(afd);
/*
* use password and try to decrypt the
* ticket. If it doesn't work we've got a bad password,
* give up.
*/
passtokey(key, password);
convM2T(buf, &t, key);
if(t.num != AuthHr || strcmp(t.cuid, tr.uid))
return -1;
return 0;
}

8
sys/src/libauthsrv/_asgetticket.c
View file

@ -5,11 +5,13 @@
static char *pbmsg = "AS protocol botch";
int
_asgetticket(int fd, char *trbuf, char *tbuf)
_asgetticket(int fd, Ticketreq *tr, char *tbuf, int tbuflen)
{
if(write(fd, trbuf, TICKREQLEN) < 0){
if(_asrequest(fd, tr) < 0){
werrstr(pbmsg);
return -1;
}
return _asrdresp(fd, tbuf, 2*TICKETLEN);
if(tbuflen > 2*TICKETLEN)
tbuflen = 2*TICKETLEN;
return _asrdresp(fd, tbuf, tbuflen);
}

10
sys/src/libauthsrv/convA2M.c
View file

@ -9,17 +9,19 @@
#define STRING(x,n) memmove(p, f->x, n); p += n
int
convA2M(Authenticator *f, char *ap, char *key)
convA2M(Authenticator *f, char *ap, int n, Ticket *t)
{
int n;
uchar *p;
if(n < AUTHENTLEN)
return 0;
p = (uchar*)ap;
CHAR(num);
STRING(chal, CHALLEN);
LONG(id);
n = p - (uchar*)ap;
if(key)
encrypt(key, ap, n);
if(t)
encrypt(t->key, ap, n);
return n;
}

20
sys/src/libauthsrv/convM2A.c
View file

@ -8,16 +8,24 @@
#define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n
void
convM2A(char *ap, Authenticator *f, char *key)
int
convM2A(char *ap, int n, Authenticator *f, Ticket *t)
{
uchar *p;
uchar *p, buf[AUTHENTLEN];
if(key)
decrypt(key, ap, AUTHENTLEN);
memset(f, 0, sizeof(Authenticator));
if(n < AUTHENTLEN)
return -AUTHENTLEN;
if(t) {
memmove(buf, ap, AUTHENTLEN);
ap = (char*)buf;
decrypt(t->key, ap, AUTHENTLEN);
}
p = (uchar*)ap;
CHAR(num);
STRING(chal, CHALLEN);
LONG(id);
USED(p);
n = p - (uchar*)ap;
return n;
}

20
sys/src/libauthsrv/convM2PR.c
View file

@ -8,14 +8,21 @@
#define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n
void
convM2PR(char *ap, Passwordreq *f, char *key)
int
convM2PR(char *ap, int n, Passwordreq *f, Ticket *t)
{
uchar *p;
uchar *p, buf[PASSREQLEN];
memset(f, 0, sizeof(Passwordreq));
if(n < PASSREQLEN)
return -PASSREQLEN;
if(t){
memmove(buf, ap, PASSREQLEN);
ap = (char*)buf;
decrypt(t->key, ap, PASSREQLEN);
}
p = (uchar*)ap;
if(key)
decrypt(key, ap, PASSREQLEN);
CHAR(num);
STRING(old, ANAMELEN);
f->old[ANAMELEN-1] = 0;
@ -24,5 +31,6 @@ convM2PR(char *ap, Passwordreq *f, char *key)
CHAR(changesecret);
STRING(secret, SECRETLEN);
f->secret[SECRETLEN-1] = 0;
USED(p);
n = p - (uchar*)ap;
return n;
}

21
sys/src/libauthsrv/convM2T.c
View file

@ -8,13 +8,20 @@
#define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n
void
convM2T(char *ap, Ticket *f, char *key)
int
convM2T(char *ap, int n, Ticket *f, Authkey *key)
{
uchar *p;
uchar *p, buf[TICKETLEN];
if(key)
decrypt(key, ap, TICKETLEN);
memset(f, 0, sizeof(Ticket));
if(n < TICKETLEN)
return -TICKETLEN;
if(key){
memmove(buf, ap, TICKETLEN);
ap = (char*)buf;
decrypt(key->des, ap, TICKETLEN);
}
p = (uchar*)ap;
CHAR(num);
STRING(chal, CHALLEN);
@ -23,6 +30,6 @@ convM2T(char *ap, Ticket *f, char *key)
STRING(suid, ANAMELEN);
f->suid[ANAMELEN-1] = 0;
STRING(key, DESKEYLEN);
USED(p);
n = p - (uchar*)ap;
return n;
}

11
sys/src/libauthsrv/convM2TR.c
View file

@ -8,11 +8,15 @@
#define LONG(x) VLONG(f->x)
#define STRING(x,n) memmove(f->x, p, n); p += n
void
convM2TR(char *ap, Ticketreq *f)
int
convM2TR(char *ap, int n, Ticketreq *f)
{
uchar *p;
memset(f, 0, sizeof(Ticketreq));
if(n < TICKREQLEN)
return -TICKREQLEN;
p = (uchar*)ap;
CHAR(type);
STRING(authid, ANAMELEN);
@ -24,5 +28,6 @@ convM2TR(char *ap, Ticketreq *f)
f->hostid[ANAMELEN-1] = 0;
STRING(uid, ANAMELEN);
f->uid[ANAMELEN-1] = 0;
USED(p);
n = p - (uchar*)ap;
return n;
}

10
sys/src/libauthsrv/convPR2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n
int
convPR2M(Passwordreq *f, char *ap, char *key)
convPR2M(Passwordreq *f, char *ap, int n, Ticket *t)
{
int n;
uchar *p;
if(n < PASSREQLEN)
return 0;
p = (uchar*)ap;
CHAR(num);
STRING(old, ANAMELEN);
@ -21,8 +23,8 @@ convPR2M(Passwordreq *f, char *ap, char *key)
CHAR(changesecret);
STRING(secret, SECRETLEN);
n = p - (uchar*)ap;
if(key)
encrypt(key, ap, n);
if(t)
encrypt(t->key, ap, n);
return n;
}

8
sys/src/libauthsrv/convT2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n
int
convT2M(Ticket *f, char *ap, char *key)
convT2M(Ticket *f, char *ap, int n, Authkey *key)
{
int n;
uchar *p;
if(n < TICKETLEN)
return 0;
p = (uchar*)ap;
CHAR(num);
STRING(chal, CHALLEN);
@ -22,6 +24,6 @@ convT2M(Ticket *f, char *ap, char *key)
STRING(key, DESKEYLEN);
n = p - (uchar*)ap;
if(key)
encrypt(key, ap, n);
encrypt(key->des, ap, n);
return n;
}

7
sys/src/libauthsrv/convTR2M.c
View file

@ -9,11 +9,13 @@
#define STRING(x,n) memmove(p, f->x, n); p += n
int
convTR2M(Ticketreq *f, char *ap)
convTR2M(Ticketreq *f, char *ap, int n)
{
int n;
uchar *p;
if(n < TICKREQLEN)
return 0;
p = (uchar*)ap;
CHAR(type);
STRING(authid, 28); /* BUG */
@ -24,4 +26,3 @@ convTR2M(Ticketreq *f, char *ap)
n = p - (uchar*)ap;
return n;
}

2
sys/src/libauthsrv/mkfile
View file

@ -3,6 +3,8 @@
LIB=/$objtype/lib/libauthsrv.a
OFILES=\
_asgetticket.$O\
_asgetresp.$O\
_asrequest.$O\
_asrdresp.$O\
authdial.$O\
convA2M.$O\

8
sys/src/libauthsrv/passtokey.c
View file

@ -3,7 +3,7 @@
#include <authsrv.h>
int
passtokey(char *key, char *p)
passtokey(Authkey *key, char *p)
{
uchar buf[ANAMELEN], *t;
int i, n;
@ -15,10 +15,10 @@ passtokey(char *key, char *p)
t = buf;
strncpy((char*)t, p, n);
t[n] = 0;
memset(key, 0, DESKEYLEN);
memset(key, 0, sizeof(Authkey));
for(;;){
for(i = 0; i < DESKEYLEN; i++)
key[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1)));
key->des[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1)));
if(n <= 8)
return 1;
n -= 8;
@ -27,6 +27,6 @@ passtokey(char *key, char *p)
t -= 8 - n;
n = 8;
}
encrypt(key, t, 8);
encrypt(key->des, t, 8);
}
}

9
sys/src/libauthsrv/readnvram.c
View file

@ -292,13 +292,16 @@ readnvram(Nvrsafe *safep, int flag)
readcons("secstore key", nil, 1, safe->config,
sizeof safe->config);
for(;;){
if(readcons("password", nil, 1, in, sizeof in)
== nil)
Authkey k;
if(readcons("password", nil, 1, in, sizeof in) == nil)
goto Out;
if(passtokey(safe->machkey, in))
if(passtokey(&k, in)){
memmove(safe->machkey, k.des, DESKEYLEN);
break;
}
}
}
// safe->authsum = nvcsum(safe->authkey, DESKEYLEN);
safe->machsum = nvcsum(safe->machkey, DESKEYLEN);