ref: 7a73fd88e63bdc5f95c23ff1e4a2951792f34635
parent: 4e34729a89f7c27142566b4b1fd5d51824c83929
author: cinap_lenrek <[email protected]>
date: Tue Mar 15 10:55:09 EDT 2016
handle role= and !hex= key attributes in secstore p9sk1/dp9ik keys
--- a/aan.c
+++ b/aan.c
@@ -1,7 +1,6 @@
#include <u.h>
#include <libc.h>
#include <fcall.h>
-#include "drawterm.h"
enum {
Hdrsz = 3*4,
--- a/cpu.c
+++ b/cpu.c
@@ -23,6 +23,8 @@
static char *rexcall(int*, char*, char*);
static char *keyspec = "";
static AuthInfo *p9any(int);
+static int getkey(Authkey*, char*, char*, char*);
+static int findkey(Authkey*, char*, char*, char*);
static char *host;
static int nokbd;
@@ -624,8 +626,7 @@
AuthInfo*
p9any(int fd)
{
- char buf[1024], buf2[1024], *bbuf, *p, *proto, *dom, *u;
- char *pass;
+ char buf[1024], buf2[1024], *bbuf, *p, *proto, *dom;
uchar crand[2*NONCELEN], cchal[CHALLEN], y[PAKYLEN];
char tbuf[2*MAXTICKETLEN+MAXAUTHENTLEN+PAKYLEN], trbuf[TICKREQLEN+PAKYLEN];
Authkey authkey;
@@ -688,23 +689,15 @@
if(readn(fd, trbuf, n) != n || convM2TR(trbuf, TICKREQLEN, &tr) <= 0)
fatal(1, "cannot read ticket request in p9sk1");
- u = user;
- pass = findkey(&u, tr.authdom, proto);
- if(pass == nil)
- again:
- pass = getkey(u, tr.authdom, proto);
- if(pass == nil)
- fatal(1, "no password");
+ if(!findkey(&authkey, user, tr.authdom, proto)){
+again: if(!getkey(&authkey, user, tr.authdom, proto))
+ fatal(1, "no password");
+ }
- passtokey(&authkey, pass);
- memset(pass, 0, strlen(pass));
- free(pass);
+ strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user);
+ strecpy(tr.uid, tr.uid+sizeof tr.uid, user);
- strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, u);
- strecpy(tr.uid, tr.uid+sizeof tr.uid, u);
-
if(dp9ik){
- authpak_hash(&authkey, tr.hostid);
memmove(y, trbuf+TICKREQLEN, PAKYLEN);
n = gettickets(&authkey, &tr, y, tbuf, sizeof(tbuf));
} else {
@@ -786,4 +779,117 @@
free(proto);
return ai;
+}
+
+static int
+unhex(char c)
+{
+ if('0' <= c && c <= '9')
+ return c-'0';
+ if('a' <= c && c <= 'f')
+ return c-'a'+10;
+ if('A' <= c && c <= 'F')
+ return c-'A'+10;
+ abort();
+ return -1;
+}
+
+static int
+hexparse(char *hex, uchar *dat, int ndat)
+{
+ int i;
+
+ if(strlen(hex) != 2*ndat)
+ return -1;
+ if(hex[strspn(hex, "0123456789abcdefABCDEF")] != '\0')
+ return -1;
+ for(i=0; i<ndat; i++)
+ dat[i] = (unhex(hex[2*i])<<4)|unhex(hex[2*i+1]);
+ return 0;
+}
+
+static int
+findkey(Authkey *key, char *user, char *dom, char *proto)
+{
+ char buf[1024], *f[50], *p, *ep, *nextp, *hex, *pass, *id, *role;
+ int nf, haveproto, havedom, i;
+
+ for(p=secstorebuf; *p; p=nextp){
+ nextp = strchr(p, '\n');
+ if(nextp == nil){
+ ep = p+strlen(p);
+ nextp = "";
+ }else{
+ ep = nextp++;
+ }
+ if(ep-p >= sizeof buf){
+ print("warning: skipping long line in secstore factotum file\n");
+ continue;
+ }
+ memmove(buf, p, ep-p);
+ buf[ep-p] = 0;
+ nf = tokenize(buf, f, nelem(f));
+ if(nf == 0 || strcmp(f[0], "key") != 0)
+ continue;
+ id = pass = hex = role = nil;
+ havedom = haveproto = 0;
+ for(i=1; i<nf; i++){
+ if(strncmp(f[i], "user=", 5) == 0)
+ id = f[i]+5;
+ if(strncmp(f[i], "!password=", 10) == 0)
+ pass = f[i]+10;
+ if(strncmp(f[i], "!hex=", 5) == 0)
+ hex = f[i]+5;
+ if(strncmp(f[i], "role=", 5) == 0)
+ role = f[i]+5;
+ if(strncmp(f[i], "dom=", 4) == 0 && strcmp(f[i]+4, dom) == 0)
+ havedom = 1;
+ if(strncmp(f[i], "proto=", 6) == 0 && strcmp(f[i]+6, proto) == 0)
+ haveproto = 1;
+ }
+ if(!haveproto || !havedom)
+ continue;
+ if(role != nil && strcmp(role, "client") != 0)
+ continue;
+ if(id == nil || strcmp(user, id) != 0)
+ continue;
+ if(pass == nil && hex == nil)
+ continue;
+ if(hex != nil){
+ memset(key, 0, sizeof(*key));
+ if(strcmp(proto, "dp9ik") == 0) {
+ if(hexparse(hex, key->aes, AESKEYLEN) != 0)
+ continue;
+ } else {
+ if(hexparse(hex, (uchar*)key->des, DESKEYLEN) != 0)
+ continue;
+ }
+ } else {
+ passtokey(key, pass);
+ }
+ if(strcmp(proto, "dp9ik") == 0)
+ authpak_hash(key, user);
+ memset(buf, 0, sizeof buf);
+ return 1;
+ }
+ memset(buf, 0, sizeof buf);
+ return 0;
+}
+
+static int
+getkey(Authkey *key, char *user, char *dom, char *proto)
+{
+ char buf[1024], *pass;
+
+ snprint(buf, sizeof buf, "%s@%s %s password", user, dom, proto);
+ pass = readcons(buf, nil, 1);
+ memset(buf, 0, sizeof buf);
+ if(pass != nil){
+ snprint(secstorebuf, sizeof(secstorebuf), "key proto=%q dom=%q user=%q !password=%q\n",
+ proto, dom, user, pass);
+ memset(pass, 0, strlen(pass));
+ free(pass);
+ return findkey(key, user, dom, proto);
+ }
+ return 0;
}
--- a/drawterm.h
+++ b/drawterm.h
@@ -6,8 +6,6 @@
extern char *readcons(char *prompt, char *def, int secret);
extern int exportfs(int);
extern char *user;
-extern char *getkey(char*, char*, char*);
-extern char *findkey(char**, char*, char*);
extern int dialfactotum(void);
extern char *getuser(void);
extern void cpumain(int, char**);
--- a/kern/dat.h
+++ b/kern/dat.h
@@ -1,5 +1,4 @@
#define KNAMELEN 28 /* max length of name held in kernel */
-#define DOMLEN 64
#define BLOCKALIGN 8
--- a/kern/devcons.c
+++ b/kern/devcons.c
@@ -6,6 +6,8 @@
#include "keyboard.h"
+#include <authsrv.h>
+
void (*consdebug)(void) = 0;
void (*screenputs)(char*, int) = 0;
--- a/main.c
+++ b/main.c
@@ -3,7 +3,6 @@
#include "kern/dat.h"
#include "kern/fns.h"
#include "user.h"
-
#include "drawterm.h"
char *argv0;
@@ -69,63 +68,3 @@
cpumain(argc, argv);
return 0;
}
-
-char*
-getkey(char *user, char *dom, char *proto)
-{
- char buf[1024], *key;
-
- snprint(buf, sizeof buf, "%s@%s %s password", user, dom, proto);
- key = readcons(buf, nil, 1);
- if(key != nil)
- snprint(secstorebuf, sizeof(secstorebuf), "key proto=%q dom=%q user=%q !password=%q\n",
- proto, dom, user, key);
- return key;
-}
-
-char*
-findkey(char **puser, char *dom, char *proto)
-{
- char buf[1024], *f[50], *p, *ep, *nextp, *pass, *user;
- int nf, haveproto, havedom, i;
-
- for(p=secstorebuf; *p; p=nextp){
- nextp = strchr(p, '\n');
- if(nextp == nil){
- ep = p+strlen(p);
- nextp = "";
- }else{
- ep = nextp++;
- }
- if(ep-p >= sizeof buf){
- print("warning: skipping long line in secstore factotum file\n");
- continue;
- }
- memmove(buf, p, ep-p);
- buf[ep-p] = 0;
- nf = tokenize(buf, f, nelem(f));
- if(nf == 0 || strcmp(f[0], "key") != 0)
- continue;
- pass = nil;
- haveproto = havedom = 0;
- user = nil;
- for(i=1; i<nf; i++){
- if(strncmp(f[i], "user=", 5) == 0)
- user = f[i]+5;
- if(strncmp(f[i], "!password=", 10) == 0)
- pass = f[i]+10;
- if(strncmp(f[i], "dom=", 4) == 0 && strcmp(f[i]+4, dom) == 0)
- havedom = 1;
- if(strncmp(f[i], "proto=", 6) == 0 && strcmp(f[i]+6, proto) == 0)
- haveproto = 1;
- }
- if(!haveproto || !havedom || !pass || !user)
- continue;
- *puser = estrdup(user);
- pass = estrdup(pass);
- memset(buf, 0, sizeof buf);
- return pass;
- }
- return nil;
-}
-