Exemplo n.º 1
0
void
rex_mkkeys (rpc_bytes<> *ksc, rpc_bytes<> *kcs, sfs_hash *sessid,
	    sfs_seqno seqno, const sfs_kmsg &sdat, const sfs_kmsg &cdat)
{
  sfs_sessinfo sess;
  sess.type = SFS_SESSINFO;

  rex_sesskeydat skd;
  skd.seqno = seqno;

  skd.type = SFS_KCS;
  sess.kcs.setsize (sha1::hashsize);
  sha1_hmacxdr_2 (sess.kcs.base (),
		  sdat.kcs_share.base (), sdat.kcs_share.size (),
		  cdat.kcs_share.base (), cdat.kcs_share.size (),
		  skd, true);

  skd.type = SFS_KSC;
  sess.ksc.setsize (sha1::hashsize);
  sha1_hmacxdr_2 (sess.ksc.base (),
		  sdat.ksc_share.base (), sdat.ksc_share.size (),
		  cdat.ksc_share.base (), cdat.ksc_share.size (),
		  skd, true);

  if (sessid)
    sha1_hashxdr (sessid->base (), sess, true);
  if (kcs)
    swap (*kcs, sess.kcs);
  if (ksc)
    swap (*ksc, sess.ksc);

  bzero (sess.kcs.base (), sess.kcs.size ());
  bzero (sess.ksc.base (), sess.ksc.size ());
}
static str
hash_sprivk (const sfs_2schnorr_priv_xdr &k)
{
  sfs_hash h;
  if (!sha1_hashxdr (&h, k))
    return NULL;
  return str (h.base (), h.size ());
}
Exemplo n.º 3
0
void
rex_mksecretid (vec<char> &secretid, rpc_bytes<> &ksc, rpc_bytes<> &kcs)
{
    sfs_sessinfo si;
    si.type = SFS_SESSINFO_SECRETID;
    si.ksc = ksc;
    si.kcs = kcs;

    sfs_hash dummy_hash;
    secretid.setsize (dummy_hash.size ());

    sha1_hashxdr (secretid.base (), si, true);
    bzero (si.kcs.base (), si.kcs.size ());
    bzero (si.ksc.base (), si.ksc.size ());
}
Exemplo n.º 4
0
void
sfsproac::authinit (svccb *sbp)
{
  sfsextauth_init *aa = sbp->Xtmpl getarg<sfsextauth_init> ();
  ptr<sfs_authreq2> authreq = New refcounted<sfs_authreq2>;

  authreq->type = SFS_SIGNED_AUTHREQ;
  authreq->user = user;
  authreq->seqno = aa->autharg.seqno;
  if (!sha1_hashxdr (authreq->authid.base (), aa->autharg.authinfo)) {
    warn << "Could not hash authinfo into authid.\n";
    sfsagent_auth_res res;
    res.set_authenticate (false);
    sbp->replyref (res);
    return;
  }

  sfsauth2_sigreq sr;
  sr.set_type (SFS_SIGNED_AUTHREQ);
  *sr.authreq = *authreq;
  privk->sign (sr, aa->autharg.authinfo, 
	       wrap (this, &sfsproac::authinitcb, sbp, authreq));
  return;
}
void
authclnt::sfsauth_sign (svccb *sbp)
{
  sfsauth2_sign_arg *arg = sbp->Xtmpl getarg<sfsauth2_sign_arg> ();
  sfsauth2_sign_res res (true);
  u_int32_t authno = sbp->getaui ();
  sfsauth_dbrec db;
  bool restricted_sign = false;
  urec_t *ur = NULL;
  sfsauth_keyhalf *kh = NULL;
  sfs_idname uname;

  if (authno && (ur = utab[authno])) {
    kh = &ur->kh;
    uname = ur->uname;
  }

  if (!kh && arg->req.type == SFS_SIGNED_AUTHREQ
      && arg->req.authreq->type == SFS_SIGNED_AUTHREQ_NOCRED
      && arg->authinfo.service == SFS_AUTHSERV
      && authid == arg->req.authreq->authid) {
    sfsauth_dbkey key (SFSAUTH_DBKEY_NAME);
    if ((*key.name = arg->user) && get_user_cursor (NULL, NULL, &db, key)) {
      kh = &db.userinfo->srvprivkey;
      uname = db.userinfo->name;
      restricted_sign = true;
    }
  } 

  if (!kh || kh->type != SFSAUTH_KEYHALF_PRIV) {
    res.set_ok (false);
    *res.errmsg = "No valid server private keyhalf for user";
    sbp->replyref (res);
    return;
  }
  if (arg->presig.type != SFS_2SCHNORR) {
    res.set_ok (false);
    *res.errmsg = "Can only answer 2-Schnorr requests";
    sbp->replyref (res);
    return;
  }
  res.sig->set_type (SFS_SCHNORR);
  int i = sfs_schnorr_pub::find (*kh, arg->pubkeyhash);
  if (i < 0) {
    res.set_ok (false);
    *res.errmsg = "No matching keyhalf found on server.";
    sbp->replyref (res);
    return;
  }
  const sfs_2schnorr_priv_xdr &spriv = (*kh->priv)[i];
  if (ur && !sprivk_tab.is_valid (hash_sprivk (spriv))) {
    res.set_ok (false);
    *res.errmsg = "Server keyhalf is no longer valid.";
    sbp->replyref (res);
    return;
  }

  ref<schnorr_srv_priv> srv_key = New refcounted<schnorr_srv_priv> 
    (spriv.p, spriv.q, spriv.g, spriv.y, spriv.x);

  str msg = sigreq2str (arg->req);
  if (!msg) {
    res.set_ok (false);
    *res.errmsg = "Cannot marshal signature request";
    sbp->replyref (res);
    return ;
  }

  sfs_hash aid_tmp;
  if (arg->req.type != SFS_NULL && 
      (!sha1_hashxdr (aid_tmp.base (), arg->authinfo) || 
      !sigreq_authid_cmp (arg->req, aid_tmp))) {
    res.set_ok (false);
    *res.errmsg = "Incorrect authid in request";
    sbp->replyref (res);
    return ;
  }

  if (!siglog (siglogline (*arg, uname))) {
    res.set_ok (false);
    *res.errmsg = "Refusing to sign: could not log signature";
    sbp->replyref (res);
    return;
  }
    
  srv_key->endorse_signature (&res.sig->schnorr->r, &res.sig->schnorr->s, 
			      msg, arg->presig.schnorr->r);
  sbp->replyref (res);
}