Esempio n. 1
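/*
 * Check a candidate key for user `name` against the auth server.
 *
 * Builds an AuthTreq ticket request with authid, hostid and uid all set
 * to name, passes it to fromauth(), and decodes the reply with key.
 * The key is accepted when the decoded ticket has type AuthTc and its
 * cuid equals name.
 *
 * Returns 0 when the key is accepted, otherwise an error string (either
 * the one fromauth() produced or one of the literals below).
 *
 * NOTE(review): when fromauth() returns ccmsg (the message printed says
 * the auth server could not be contacted) this also returns 0, so the
 * caller cannot tell "verified" from "not checked".  That fail-open is
 * kept as written; confirm every caller may proceed with an unverified
 * password.
 */
char*
checkkey(Method *mp, char *name, char *key)
{
    char *msg;
    Ticketreq tr;
    Ticket t;
    char trbuf[TICKREQLEN];
    char tbuf[TICKETLEN];

    /*
     * name is copied into three fixed-size fields of the request.
     * Refuse anything that would not fit, terminator included, rather
     * than let strcpy run past the end of the field.
     * (assumes authid, hostid and uid are char arrays, so that sizeof
     * gives the field capacity -- TODO confirm against the Ticketreq
     * declaration)
     */
    if(strlen(name) >= sizeof tr.authid
    || strlen(name) >= sizeof tr.hostid
    || strlen(name) >= sizeof tr.uid)
        return "name too long";

    memset(&tr, 0, sizeof tr);
    tr.type = AuthTreq;
    strcpy(tr.authid, name);
    strcpy(tr.hostid, name);
    strcpy(tr.uid, name);
    convTR2M(&tr, trbuf);
    msg = fromauth(mp, trbuf, tbuf);
    if(msg == ccmsg) {
        /* auth server unreachable: warn on fd 2 and accept unchecked */
        fprint(2, "boot: can't contact auth server, passwd unchecked\n");
        return 0;
    }
    if(msg)
        return msg;

    /* a wrong key is expected to decode to a ticket that fails this test */
    convM2T(tbuf, &t, key);
    if(t.num == AuthTc && strcmp(name, t.cuid)==0)
        return 0;
    return "no match";
}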
Esempio n. 2
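/*
 * Verify an HTTP user's password against the authentication server.
 *
 * Sends an AuthHttp ticket request for `name`, reads back a ticket, and
 * tries to decode it with the key derived from `password`.  The password
 * is accepted when the decoded ticket has type AuthHr and its cuid
 * matches the requested uid.
 *
 * Returns 0 on success; -1 if the name does not fit the request, the
 * auth server cannot be reached, the exchange fails, or the password
 * does not decode the ticket.
 */
int
httpauth(char *name, char *password)
{
	int afd, ok;
	Ticketreq tr;
	Ticket	t;
	char key[DESKEYLEN];
	char buf[512];

	/*
	 * name is copied into a fixed-size field; reject it before dialing
	 * if it would not fit together with its terminator.
	 */
	if(strlen(name) >= sizeof tr.uid)
		return -1;

	afd = authdial(nil, nil);
	if(afd < 0)
		return -1;

	/* send ticket request to AS */
	memset(&tr, 0, sizeof(tr));
	strcpy(tr.uid, name);
	tr.type = AuthHttp;
	convTR2M(&tr, buf);
	if(write(afd, buf, TICKREQLEN) != TICKREQLEN){
		close(afd);
		return -1;
	}
	if(_asrdresp(afd, buf, TICKETLEN) < 0){
		close(afd);
		return -1;
	}
	close(afd);

	/*
	 *  use password and try to decrypt the
	 *  ticket.  If it doesn't work we've got a bad password,
	 *  give up.
	 */
	passtokey(key, password);
	convM2T(buf, &t, key);
	ok = t.num == AuthHr && strcmp(t.cuid, tr.uid) == 0;

	/*
	 * Do not leave the password-derived key or the decoded ticket on
	 * the stack after the check.
	 * NOTE(review): an optimizing compiler may drop a memset of a dying
	 * local; use the platform's non-elidable wipe if one is available.
	 */
	memset(key, 0, sizeof key);
	memset(&t, 0, sizeof t);

	return ok ? 0 : -1;
}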
Esempio n. 3
File: cpu-bl.c Progetto: npe9/harvey
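/*
 * Client side of a p9any negotiation on fd, accepting only p9sk1.
 *
 * If /mnt/factotum/ctl can be opened the whole exchange is handed to
 * p9anyfactotum().  Otherwise this function:
 *   1. reads the server's offer (optionally prefixed "v.2 ") and
 *      requires the first offered protocol to be p9sk1,
 *   2. answers with "p9sk1 dom" and, for v.2, waits for "OK",
 *   3. sends a CHALLEN-byte client challenge,
 *   4. reads the server's ticket request, obtains a password for the
 *      requested auth domain and fetches tickets with gettickets(),
 *   5. sends the second ticket plus an authenticator to the server,
 *   6. checks the server's authenticator against the client challenge.
 *
 * Returns a newly allocated AuthInfo holding the expanded session key
 * and copies of the ticket's suid and cuid.  Every failure goes through
 * fatal(); the code is written on the assumption that fatal() does not
 * return.
 */
AuthInfo*
p9any(int fd)
{
	char buf[1024], buf2[1024], cchal[CHALLEN], *bbuf, *p, *dom, *u;
	char *pass;
	char tbuf[TICKETLEN+TICKETLEN+AUTHENTLEN], trbuf[TICKREQLEN];
	char authkey[DESKEYLEN];
	Authenticator auth;
	int afd, i, n, v2;
	int64_t gotchal, wantchal;
	Ticketreq tr;
	Ticket t;
	AuthInfo *ai;

	if((afd = open("/mnt/factotum/ctl", ORDWR)) >= 0)
		return p9anyfactotum(fd, afd);

	if(readstr(fd, buf, sizeof buf) < 0)
		fatal(1, "cannot read p9any negotiation");
	bbuf = buf;
	v2 = 0;
	if(strncmp(buf, "v.2 ", 4) == 0){
		v2 = 1;
		bbuf += 4;
	}
	/* only the first offered "proto@dom" pair is considered */
	if((p = strchr(bbuf, ' ')))
		*p = 0;
	p = bbuf;
	if((dom = strchr(p, '@')) == nil)
		fatal(1, "bad p9any domain");
	*dom++ = 0;
	if(strcmp(p, "p9sk1") != 0)
		fatal(1, "server did not offer p9sk1");

	/* p and dom are both substrings of buf, so the result fits buf2 */
	sprint(buf2, "%s %s", p, dom);
	if(write(fd, buf2, strlen(buf2)+1) != strlen(buf2)+1)
		fatal(1, "cannot write user/domain choice in p9any");
	if(v2){
		if(readstr(fd, buf, sizeof buf) != 3)
			fatal(1, "cannot read OK in p9any");
		if(memcmp(buf, "OK\0", 3) != 0)
			fatal(1, "did not get OK in p9any");
	}

	/*
	 * NOTE(review): the client challenge is what proves the server's
	 * reply is fresh; confirm fastrand() is unpredictable enough for
	 * that on this platform.
	 */
	for(i=0; i<CHALLEN; i++)
		cchal[i] = fastrand();
	/* send exactly the bytes filled above (was a literal 8) */
	if(write(fd, cchal, CHALLEN) != CHALLEN)
		fatal(1, "cannot write p9sk1 challenge");

	if(readn(fd, trbuf, TICKREQLEN) != TICKREQLEN)
		fatal(1, "cannot read ticket request in p9sk1");


	/* tr.authdom comes from the server and selects which key is looked up */
	convM2TR(trbuf, &tr);
	u = user;
	pass = findkey(&u, tr.authdom);
	if(pass == nil)
	again:
		pass = getkey(u, tr.authdom);
	if(pass == nil)
		fatal(1, "no password");

	/* derive the key, then clear the cleartext password right away */
	passtokey(authkey, pass);
	memset(pass, 0, strlen(pass));

	tr.type = AuthTreq;
	strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, u);
	strecpy(tr.uid, tr.uid+sizeof tr.uid, u);
	convTR2M(&tr, trbuf);

	if(gettickets(&tr, authkey, trbuf, tbuf) < 0)
		fatal(1, "cannot get auth tickets in p9sk1");

	/* the first ticket decodes with our key only if the password is right */
	convM2T(tbuf, &t, authkey);
	if(t.num != AuthTc){
		print("?password mismatch with auth server\n");
		goto again;
	}
	/* keep only the second ticket; it is forwarded to the server as received */
	memmove(tbuf, tbuf+TICKETLEN, TICKETLEN);

	/* authenticator echoes the server's challenge under the ticket's key */
	auth.num = AuthAc;
	memmove(auth.chal, tr.chal, CHALLEN);
	auth.id = 0;
	convA2M(&auth, tbuf+TICKETLEN, t.key);

	if(write(fd, tbuf, TICKETLEN+AUTHENTLEN) != TICKETLEN+AUTHENTLEN)
		fatal(1, "cannot send ticket and authenticator back in p9sk1");

	if((n=readn(fd, tbuf, AUTHENTLEN)) != AUTHENTLEN ||
			memcmp(tbuf, "cpu:", 4) == 0){
		if(n <= 4)
			fatal(1, "cannot read authenticator in p9sk1");

		/*
		 * didn't send back authenticator:
		 * sent back fatal error message.
		 */
		memmove(buf, tbuf, n);
		i = readn(fd, buf+n, sizeof buf-n-1);
		if(i > 0)
			n += i;
		buf[n] = 0;
		werrstr("");
		fatal(0, "server says: %s", buf);
	}

	/* the server must return our own challenge under the shared key */
	convM2A(tbuf, &auth, t.key);
	if(auth.num != AuthAs
	|| memcmp(auth.chal, cchal, CHALLEN) != 0
	|| auth.id != 0){
		print("?you and auth server agree about password.\n");
		print("?server is confused.\n");
		/*
		 * Copy the challenge bytes out instead of casting the char
		 * arrays to int64_t*: the arrays need not be aligned for an
		 * 8-byte load and the cast breaks the aliasing rules.
		 */
		memmove(&gotchal, auth.chal, sizeof gotchal);
		memmove(&wantchal, cchal, sizeof wantchal);
		fatal(0, "server lies got %llux.%d want %llux.%d",
		      gotchal, auth.id, wantchal, 0);
	}

	/* allocation results were previously used unchecked */
	ai = mallocz(sizeof(AuthInfo), 1);
	if(ai == nil)
		fatal(1, "out of memory in p9sk1");
	ai->secret = mallocz(8, 1);
	if(ai->secret == nil)
		fatal(1, "out of memory in p9sk1");
	des56to64((uint8_t*)t.key, ai->secret);
	ai->nsecret = 8;
	ai->suid = strdup(t.suid);
	ai->cuid = strdup(t.cuid);
	if(ai->suid == nil || ai->cuid == nil)
		fatal(1, "out of memory in p9sk1");

	/*
	 * The session key now lives in ai->secret; clear the stack copies.
	 * NOTE(review): an optimizing compiler may drop a memset of a dying
	 * local; use the platform's non-elidable wipe if one is available.
	 */
	memset(&t, 0, sizeof t);
	memset(authkey, 0, sizeof authkey);
	return ai;
}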