diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-08-16 01:47:10 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-08-16 01:47:10 +0200 |
| commit | 5e07e5840aced5826880a31ceac23f2d0c5046f9 (patch) | |
| tree | df7e30bb2e7f7028fb9494f6540fc6a761a14f53 | |
| parent | e9e53fe7b6a29e52e73f59d5b6080561b925a3be (diff) | |
cpu: cleanup ssl code, make sure -p works for any auth method
| -rw-r--r-- | sys/src/cmd/cpu.c | 166 |
1 files changed, 78 insertions, 88 deletions
diff --git a/sys/src/cmd/cpu.c b/sys/src/cmd/cpu.c index 1bfec1764..44792fc90 100644 --- a/sys/src/cmd/cpu.c +++ b/sys/src/cmd/cpu.c @@ -24,7 +24,7 @@ void writestr(int, char*, char*, int); int readstr(int, char*, int); char *rexcall(int*, char*, char*); int setamalg(char*); -char *keyspec = ""; +char *keyspec = ""; int notechan; int exportpid; @@ -43,6 +43,11 @@ char *ealgs = "rc4_256 sha1"; /* message size for exportfs; may be larger so we can do big graphics in CPU window */ int msgsize = Maxfdata+IOHDRSZ; +/* encryption mechanisms */ +static int clear(int); + +int (*encryption)(int) = clear; + /* authentication mechanisms */ static int netkeyauth(int); static int netkeysrvauth(int, char*); @@ -56,8 +61,7 @@ struct AuthMethod { char *name; /* name of method */ int (*cf)(int); /* client side authentication */ int (*sf)(int, char*); /* server side authentication */ -} authmethod[] = -{ +} authmethod[] = { { "p9", p9auth, srvp9auth,}, { "netkey", netkeyauth, netkeysrvauth,}, { "none", noauth, srvnoauth,}, @@ -73,7 +77,7 @@ char *aan = "/bin/aan"; char *anstring = "tcp!*!0"; char *filterp = nil; -int filter(int fd, char *host); +int filter(int fd, char *host); void usage(void) @@ -360,9 +364,12 @@ remoteside(int old) } else writestr(fd, "", "", 1); - fd = (*am->sf)(fd, user); - if(fd < 0) + if((fd = (*am->sf)(fd, user)) < 0) fatal("srvauth: %r"); + if((fd = filter(fd, nil)) < 0) + fatal("filter: %r"); + if((fd = encryption(fd)) < 0) + fatal("encrypt: %r"); /* Now collect invoking cpu's current directory or possibly a command */ gotcmd = 0; @@ -466,10 +473,13 @@ rexcall(int *fd, char *host, char *service) /* authenticate */ procsetname("%s: auth via %s", origargs, am->name); - *fd = (*am->cf)(*fd); - if(*fd < 0) + if((*fd = (*am->cf)(*fd)) < 0) return "can't authenticate"; - return 0; + if((*fd = filter(*fd, system)) < 0) + return "can't filter"; + if((*fd = encryption(*fd)) < 0) + return "can't encrypt"; + return nil; } void @@ -540,7 +550,7 @@ netkeyauth(int fd) if(readstr(fd, chall, sizeof chall) < 0) break; if(*chall == 0) - return filter(fd, system); + return fd; print("challenge: %s\nresponse: ", chall); if(readln(resp, sizeof(resp)) < 0) break; @@ -580,7 +590,21 @@ netkeysrvauth(int fd, char *user) if(auth_chuid(ai, 0) < 0) fatal("newns: %r"); auth_freeAI(ai); - return filter(fd, nil); + return fd; +} + +static int +clear(int fd) +{ + return fd; +} + +static char sslsecret[2][21]; + +static int +sslencrypt(int fd) +{ + return pushssl(fd, ealgs, sslsecret[0], sslsecret[1], nil); } static void @@ -590,55 +614,63 @@ mksecret(char *t, uchar *f) f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]); } -/* - * plan9 authentication followed by rc4 encryption - */ static int -p9auth(int fd) +sslsetup(int fd, uchar *secret, int nsecret, int isclient) { uchar key[16], digest[SHA1dlen]; - char fromclientsecret[21]; - char fromserversecret[21]; - AuthInfo *ai; int i; - procsetname("%s: auth_proxy proto=%q role=client %s", - origargs, p9authproto, keyspec); - ai = auth_proxy(fd, auth_getkey, "proto=%q role=client %s", p9authproto, keyspec); - if(ai == nil) - return -1; - if(ealgs == nil){ - auth_freeAI(ai); + if(ealgs == nil) return fd; + + if(nsecret < 8){ + werrstr("secret too small to ssl"); + return -1; } - assert(ai->nsecret <= sizeof(key)-4); - memmove(key+4, ai->secret, ai->nsecret); - auth_freeAI(ai); + memmove(key+4, secret, 8); /* exchange random numbers */ srand(truerand()); - for(i = 0; i < 4; i++) - key[i] = rand(); - procsetname("writing p9 key"); - if(write(fd, key, 4) != 4) - return -1; - procsetname("reading p9 key"); - if(readn(fd, key+12, 4) != 4) - return -1; + + if(isclient){ + for(i = 0; i < 4; i++) + key[i] = rand(); + if(write(fd, key, 4) != 4) + return -1; + if(readn(fd, key+12, 4) != 4) + return -1; + } else { + for(i = 0; i < 4; i++) + key[i+12] = rand(); + if(readn(fd, key, 4) != 4) + return -1; + if(write(fd, key+12, 4) != 4) + return -1; + } /* scramble into two secrets */ sha1(key, sizeof(key), digest, nil); - mksecret(fromclientsecret, digest); - mksecret(fromserversecret, digest+10); + mksecret(sslsecret[isclient == 0], digest); + mksecret(sslsecret[isclient != 0], digest+10); - if((fd = filter(fd, system)) < 0) - return -1; + encryption = sslencrypt; - /* set up encryption */ - procsetname("pushssl"); - fd = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil); - if(fd < 0) - werrstr("can't establish ssl connection: %r"); + return fd; +} + +/* + * plan9 authentication followed by rc4 encryption + */ +static int +p9auth(int fd) +{ + AuthInfo *ai; + + ai = auth_proxy(fd, auth_getkey, "proto=%q role=client %s", p9authproto, keyspec); + if(ai == nil) + return -1; + fd = sslsetup(fd, ai->secret, ai->nsecret, 1); + auth_freeAI(ai); return fd; } @@ -658,25 +690,10 @@ srvnoauth(int fd, char *user) return fd; } -void -loghex(uchar *p, int n) -{ - char buf[100]; - int i; - - for(i = 0; i < n; i++) - sprint(buf+2*i, "%2.2ux", p[i]); - syslog(0, "cpu", "%s", buf); -} - static int srvp9auth(int fd, char *user) { - uchar key[16], digest[SHA1dlen]; - char fromclientsecret[21]; - char fromserversecret[21]; AuthInfo *ai; - int i; ai = auth_proxy(fd, nil, "proto=%q role=server %s", p9authproto, keyspec); if(ai == nil) @@ -684,35 +701,8 @@ srvp9auth(int fd, char *user) if(auth_chuid(ai, nil) < 0) fatal("newns: %r"); snprint(user, MaxStr, "%s", ai->cuid); - if(ealgs == nil){ - auth_freeAI(ai); - return fd; - } - assert(ai->nsecret <= sizeof(key)-4); - memmove(key+4, ai->secret, ai->nsecret); + fd = sslsetup(fd, ai->secret, ai->nsecret, 0); auth_freeAI(ai); - - /* exchange random numbers */ - srand(truerand()); - for(i = 0; i < 4; i++) - key[i+12] = rand(); - if(readn(fd, key, 4) != 4) - return -1; - if(write(fd, key+12, 4) != 4) - return -1; - - /* scramble into two secrets */ - sha1(key, sizeof(key), digest, nil); - mksecret(fromclientsecret, digest); - mksecret(fromserversecret, digest+10); - - if((fd = filter(fd, nil)) < 0) - return -1; - - /* set up encryption */ - fd = pushssl(fd, ealgs, fromserversecret, fromclientsecret, nil); - if(fd < 0) - werrstr("can't establish ssl connection: %r"); return fd; } |