123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 |
- /*
- * This file is part of the UCB release of Plan 9. It is subject to the license
- * terms in the LICENSE file found in the top-level directory of this
- * distribution and at http://akaros.cs.berkeley.edu/files/Plan9License. No
- * part of the UCB release of Plan 9, including this file, may be copied,
- * modified, propagated, or distributed except according to the terms contained
- * in the LICENSE file.
- */
- /*
- * Network listening authentication.
- * This and all the other network-related
- * code is due to Richard Miller.
- */
- #include "all.h"
- #include "9p1.h"
- int allownone;
- Nvrsafe nvr;
- int didread;
- /*
- * create a challenge for a fid space
- */
- void
- mkchallenge(Chan *cp)
- {
- int i;
- if(!didread && readnvram(&nvr, 0) >= 0)
- didread = 1;
- srand(truerand());
- for(i = 0; i < CHALLEN; i++)
- cp->chal[i] = nrand(256);
- cp->idoffset = 0;
- cp->idvec = 0;
- }
- /*
- * match a challenge from an attach
- */
- Nvrsafe nvr;
- int
- authorize(Chan *cp, Oldfcall *in, Oldfcall *ou)
- {
- Ticket t;
- Authenticator a;
- int x;
- uint32_t bit;
- if (cp == cons.srvchan) /* local channel already safe */
- return 1;
- if(wstatallow) /* set to allow entry during boot */
- return 1;
- if(strcmp(in->uname, "none") == 0)
- return allownone || cp->authed;
- if(in->type == Toattach9p1)
- return 0;
- if(!didread)
- return 0;
- /* decrypt and unpack ticket */
- convM2T(in->ticket, &t, nvr.machkey);
- if(t.num != AuthTs){
- print("bad AuthTs num\n");
- return 0;
- }
- /* decrypt and unpack authenticator */
- convM2A(in->auth, &a, t.key);
- if(a.num != AuthAc){
- print("bad AuthAc num\n");
- return 0;
- }
- /* challenges must match */
- if(memcmp(a.chal, cp->chal, sizeof(a.chal)) != 0){
- print("bad challenge\n");
- return 0;
- }
- /*
- * the id must be in a valid range. the range is specified by a
- * lower bount (idoffset) and a bit vector (idvec) where a
- * bit set to 1 means unusable
- */
- lock(&cp->idlock);
- x = a.id - cp->idoffset;
- bit = 1<<x;
- if(x < 0 || x > 31 || (bit&cp->idvec)){
- unlock(&cp->idlock);
- return 0;
- }
- cp->idvec |= bit;
- /* normalize the vector */
- while(cp->idvec&0xffff0001){
- cp->idvec >>= 1;
- cp->idoffset++;
- }
- unlock(&cp->idlock);
- /* ticket name and attach name must match */
- if(memcmp(in->uname, t.cuid, sizeof(in->uname)) != 0){
- print("names don't match\n");
- return 0;
- }
- /* copy translated name into input record */
- memmove(in->uname, t.suid, sizeof(in->uname));
- /* craft a reply */
- a.num = AuthAs;
- memmove(a.chal, cp->rchal, CHALLEN);
- convA2M(&a, ou->rauth, t.key);
- cp->authed = 1;
- return 1;
- }
|