ref: 5e07e5840aced5826880a31ceac23f2d0c5046f9
parent: e9e53fe7b6a29e52e73f59d5b6080561b925a3be
author: cinap_lenrek <[email protected]>
date: Sat Aug 15 21:47:10 EDT 2015
cpu: cleanup ssl code, make sure -p works for any auth method
--- a/sys/src/cmd/cpu.c
+++ b/sys/src/cmd/cpu.c
@@ -24,7 +24,7 @@
int readstr(int, char*, int);
char *rexcall(int*, char*, char*);
int setamalg(char*);
-char *keyspec = "";
+char *keyspec = "";
int notechan;
int exportpid;
@@ -43,6 +43,11 @@
/* message size for exportfs; may be larger so we can do big graphics in CPU window */
int msgsize = Maxfdata+IOHDRSZ;
+/* encryption mechanisms */
+static int clear(int);
+
+int (*encryption)(int) = clear;
+
/* authentication mechanisms */
static int netkeyauth(int);
static int netkeysrvauth(int, char*);
@@ -56,8 +61,7 @@
char *name; /* name of method */
int (*cf)(int); /* client side authentication */
int (*sf)(int, char*); /* server side authentication */
-} authmethod[] =
-{
+} authmethod[] = {
{ "p9", p9auth, srvp9auth,},
{ "netkey", netkeyauth, netkeysrvauth,},
{ "none", noauth, srvnoauth,},
@@ -73,7 +77,7 @@
char *anstring = "tcp!*!0";
char *filterp = nil;
-int filter(int fd, char *host);
+int filter(int fd, char *host);
void
usage(void)
@@ -360,9 +364,12 @@
} else
writestr(fd, "", "", 1);
- fd = (*am->sf)(fd, user);
- if(fd < 0)
+ if((fd = (*am->sf)(fd, user)) < 0)
fatal("srvauth: %r");
+ if((fd = filter(fd, nil)) < 0)
+ fatal("filter: %r");
+ if((fd = encryption(fd)) < 0)
+ fatal("encrypt: %r");
/* Now collect invoking cpu's current directory or possibly a command */
gotcmd = 0;
@@ -466,10 +473,13 @@
/* authenticate */
procsetname("%s: auth via %s", origargs, am->name);
- *fd = (*am->cf)(*fd);
- if(*fd < 0)
+ if((*fd = (*am->cf)(*fd)) < 0)
return "can't authenticate";
- return 0;
+ if((*fd = filter(*fd, system)) < 0)
+ return "can't filter";
+ if((*fd = encryption(*fd)) < 0)
+ return "can't encrypt";
+ return nil;
}
void
@@ -540,7 +550,7 @@
if(readstr(fd, chall, sizeof chall) < 0)
break;
if(*chall == 0)
- return filter(fd, system);
+ return fd;
print("challenge: %s\nresponse: ", chall);
if(readln(resp, sizeof(resp)) < 0)
break;
@@ -580,9 +590,23 @@
if(auth_chuid(ai, 0) < 0)
fatal("newns: %r");
auth_freeAI(ai);
- return filter(fd, nil);
+ return fd;
}
+static int
+clear(int fd)
+{
+ return fd;
+}
+
+static char sslsecret[2][21];
+
+static int
+sslencrypt(int fd)
+{
+ return pushssl(fd, ealgs, sslsecret[0], sslsecret[1], nil);
+}
+
static void
mksecret(char *t, uchar *f)
{
@@ -590,59 +614,67 @@
f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]);
}
-/*
- * plan9 authentication followed by rc4 encryption
- */
static int
-p9auth(int fd)
+sslsetup(int fd, uchar *secret, int nsecret, int isclient)
{
uchar key[16], digest[SHA1dlen];
- char fromclientsecret[21];
- char fromserversecret[21];
- AuthInfo *ai;
int i;
- procsetname("%s: auth_proxy proto=%q role=client %s",
- origargs, p9authproto, keyspec);
- ai = auth_proxy(fd, auth_getkey, "proto=%q role=client %s", p9authproto, keyspec);
- if(ai == nil)
- return -1;
- if(ealgs == nil){
- auth_freeAI(ai);
+ if(ealgs == nil)
return fd;
+
+ if(nsecret < 8){
+ werrstr("secret too small to ssl");
+ return -1;
}
- assert(ai->nsecret <= sizeof(key)-4);
- memmove(key+4, ai->secret, ai->nsecret);
- auth_freeAI(ai);
+ memmove(key+4, secret, 8);
/* exchange random numbers */
srand(truerand());
- for(i = 0; i < 4; i++)
- key[i] = rand();
- procsetname("writing p9 key");
- if(write(fd, key, 4) != 4)
- return -1;
- procsetname("reading p9 key");
- if(readn(fd, key+12, 4) != 4)
- return -1;
+ if(isclient){
+ for(i = 0; i < 4; i++)
+ key[i] = rand();
+ if(write(fd, key, 4) != 4)
+ return -1;
+ if(readn(fd, key+12, 4) != 4)
+ return -1;
+ } else {
+ for(i = 0; i < 4; i++)
+ key[i+12] = rand();
+ if(readn(fd, key, 4) != 4)
+ return -1;
+ if(write(fd, key+12, 4) != 4)
+ return -1;
+ }
+
/* scramble into two secrets */
sha1(key, sizeof(key), digest, nil);
- mksecret(fromclientsecret, digest);
- mksecret(fromserversecret, digest+10);
+ mksecret(sslsecret[isclient == 0], digest);
+ mksecret(sslsecret[isclient != 0], digest+10);
- if((fd = filter(fd, system)) < 0)
- return -1;
+ encryption = sslencrypt;
- /* set up encryption */
- procsetname("pushssl");
- fd = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil);
- if(fd < 0)
- werrstr("can't establish ssl connection: %r");
return fd;
}
+/*
+ * plan9 authentication followed by rc4 encryption
+ */
static int
+p9auth(int fd)
+{
+ AuthInfo *ai;
+
+ ai = auth_proxy(fd, auth_getkey, "proto=%q role=client %s", p9authproto, keyspec);
+ if(ai == nil)
+ return -1;
+ fd = sslsetup(fd, ai->secret, ai->nsecret, 1);
+ auth_freeAI(ai);
+ return fd;
+}
+
+static int
noauth(int fd)
{
ealgs = nil;
@@ -658,25 +690,10 @@
return fd;
}
-void
-loghex(uchar *p, int n)
-{
- char buf[100];
- int i;
-
- for(i = 0; i < n; i++)
- sprint(buf+2*i, "%2.2ux", p[i]);
- syslog(0, "cpu", "%s", buf);
-}
-
static int
srvp9auth(int fd, char *user)
{
- uchar key[16], digest[SHA1dlen];
- char fromclientsecret[21];
- char fromserversecret[21];
AuthInfo *ai;
- int i;
ai = auth_proxy(fd, nil, "proto=%q role=server %s", p9authproto, keyspec);
if(ai == nil)
@@ -684,35 +701,8 @@
if(auth_chuid(ai, nil) < 0)
fatal("newns: %r");
snprint(user, MaxStr, "%s", ai->cuid);
- if(ealgs == nil){
- auth_freeAI(ai);
- return fd;
- }
- assert(ai->nsecret <= sizeof(key)-4);
- memmove(key+4, ai->secret, ai->nsecret);
+ fd = sslsetup(fd, ai->secret, ai->nsecret, 0);
auth_freeAI(ai);
-
- /* exchange random numbers */
- srand(truerand());
- for(i = 0; i < 4; i++)
- key[i+12] = rand();
- if(readn(fd, key, 4) != 4)
- return -1;
- if(write(fd, key+12, 4) != 4)
- return -1;
-
- /* scramble into two secrets */
- sha1(key, sizeof(key), digest, nil);
- mksecret(fromclientsecret, digest);
- mksecret(fromserversecret, digest+10);
-
- if((fd = filter(fd, nil)) < 0)
- return -1;
-
- /* set up encryption */
- fd = pushssl(fd, ealgs, fromserversecret, fromclientsecret, nil);
- if(fd < 0)
- werrstr("can't establish ssl connection: %r");
return fd;
}