shithub: riscv

ref: a11fe1959db311c090c7a025d96643c7ad8b76e5
dir: /sys/src/cmd/disk/kfs/auth.c/

View raw version
/*
 * Network listening authentication.
 * This and all the other network-related 
 * code is due to Richard Miller.
 */
#include	"all.h"
#include	"9p1.h"

int allownone;
Nvrsafe nvr;
int didread;

/*
 *  create a challenge for a fid space
 */
void
mkchallenge(Chan *cp)
{
	int i;

	if(!didread && readnvram(&nvr, 0) >= 0)
		didread = 1;

	srand(truerand());
	for(i = 0; i < CHALLEN; i++)
		cp->chal[i] = nrand(256);

	cp->idoffset = 0;
	cp->idvec = 0;
}

/*
 *  match a challenge from an attach
 */
Nvrsafe nvr;

int
authorize(Chan *cp, Oldfcall *in, Oldfcall *ou)
{
	Ticket t;
	Authenticator a;
	int x;
	ulong bit;

	if (cp == cons.srvchan)               /* local channel already safe */
		return 1;

	if(wstatallow)		/* set to allow entry during boot */
		return 1;

	if(strcmp(in->uname, "none") == 0)
		return allownone || cp->authed;

	if(in->type == Toattach9p1)
		return 0;

	if(!didread)
		return 0;

	/* decrypt and unpack ticket */
	convM2T(in->ticket, &t, nvr.machkey);
	if(t.num != AuthTs){
print("bad AuthTs num\n");
		return 0;
	}

	/* decrypt and unpack authenticator */
	convM2A(in->auth, &a, t.key);
	if(a.num != AuthAc){
print("bad AuthAc num\n");
		return 0;
	}

	/* challenges must match */
	if(memcmp(a.chal, cp->chal, sizeof(a.chal)) != 0){
print("bad challenge\n");
		return 0;
	}

	/*
	 *  the id must be in a valid range.  the range is specified by a
	 *  lower bount (idoffset) and a bit vector (idvec) where a
	 *  bit set to 1 means unusable
	 */
	lock(&cp->idlock);
	x = a.id - cp->idoffset;
	bit = 1<<x;
	if(x < 0 || x > 31 || (bit&cp->idvec)){
		unlock(&cp->idlock);
		return 0;
	}
	cp->idvec |= bit;

	/* normalize the vector */
	while(cp->idvec&0xffff0001){
		cp->idvec >>= 1;
		cp->idoffset++;
	}
	unlock(&cp->idlock);

	/* ticket name and attach name must match */
	if(memcmp(in->uname, t.cuid, sizeof(in->uname)) != 0){
print("names don't match\n");
		return 0;
	}

	/* copy translated name into input record */
	memmove(in->uname, t.suid, sizeof(in->uname));

	/* craft a reply */
	a.num = AuthAs;
	memmove(a.chal, cp->rchal, CHALLEN);
	convA2M(&a, ou->rauth, t.key);

	cp->authed = 1;
	return 1;
}