2 * Test various aspects of the authentication setup.
12 /* private copy with added debugging */
/*
 * authdial: open a connection to the ticket service of the auth server
 * for authentication domain dom.
 * (This listing is an extract: the local declarations, the nil tests
 * and the braces between the numbered lines are not shown.)
 *
 * netroot is passed straight through to csgetvalue/netmkaddr; nil selects
 * the default network.  The result is whatever dial() returns, i.e. a
 * connection fd or -1 with the error string set (Plan 9 convention).
 */
14 authdial(char *netroot, char *dom)
/* first choice: the "auth" attribute of the ndb entry whose authdom is dom */
20 /* look up an auth server in an authentication domain */
21 p = csgetvalue(netroot, "authdom", dom, "auth", nil);
/* second choice: the "auth" attribute of the entry whose (IP) dom is dom */
23 /* if that didn't work, just try the IP domain */
25 p = csgetvalue(netroot, "dom", dom, "auth", nil);
/* no server known for the domain; %r in the callers shows this string */
27 werrstr("no auth server found for %s", dom);
/* debug copy: say which address is about to be dialed */
30 print("\tdialing auth server %s\n",
31 netmkaddr(p, netroot, "ticket"));
32 rv = dial(netmkaddr(p, netroot, "ticket"), 0, 0, 0);
/* NOTE(review): the branch leading here is not in the extract; it looks
 * like the path taken when no domain is given, resolving "$auth" to the
 * auth server configured for this machine -- confirm */
36 /* look for one relative to my machine */
37 return dial(netmkaddr("$auth", netroot, "ticket"), 0, 0, 0);
/* usage message on fd 2 (stderr); the enclosing function's header is not in this extract */
43 fprint(2, "usage: auth/debug\n");
47 void authdialfutz(char*, char*, char*);
48 void authfutz(char*, char*, char*);
50 /* scan factotum for p9sk1/dp9ik keys; check each of them */
/*
 * debugfactotumkeys: walk the keys factotum advertises in /mnt/factotum/ctl
 * and exercise every p9sk1 or dp9ik key that names both a dom and a user.
 * (Extract: the Biobuf, attribute-list and counter declarations, the call
 * that parses a line into a, the continue/free lines and braces are not shown.)
 */
52 debugfactotumkeys(void)
54 char *s, *dom, *proto, *user;
/* factotum's ctl file lists one "key attr=val ..." line per key */
59 b = Bopen("/mnt/factotum/ctl", OREAD);
61 fprint(2, "debug: cannot open /mnt/factotum/ctl\n");
/* Brdstr(..., 1) replaces the newline with NUL; each s is a fresh allocation */
65 while((s = Brdstr(b, '\n', 1)) != nil){
66 if(strncmp(s, "key ", 4) != 0){
67 print("malformed ctl line: %s\n", s);
/* a is the attribute list parsed from the rest of the line (parse call not shown) */
73 proto = _strfindattr(a, "proto");
/* only the two Plan 9 ticket protocols are testable here */
74 if(proto==nil || (strcmp(proto, "p9sk1")!=0 && strcmp(proto, "dp9ik")!=0))
76 dom = _strfindattr(a, "dom");
/* (the message says "p9sk1" even when proto is dp9ik) */
78 print("p9sk1 key with no dom: %A\n", a);
82 user = _strfindattr(a, "user");
84 print("p9sk1 key with no user: %A\n", a);
/* NOTE(review): %A prints the whole attribute list; this relies on the ctl
 * file already masking secret (!-prefixed) attribute values -- confirm */
88 print("key: %A\n", a);
90 authdialfutz(dom, user, proto);
/* reached only when no candidate key was seen (the count is kept on lines not shown) */
94 print("no p9sk1/dp9ik keys found in factotum\n");
/*
 * authdialfutz: show how the auth server for dom is reached, then run the
 * ticket test (authfutz) for user with protocol proto.
 * (Extract: the declarations of fd, server and addr, the if/else branches,
 * the close/free calls and braces are not shown.)
 *
 * If authdial succeeds the real test runs.  If it fails, the lookups that
 * authdial performs internally are repeated one by one so the operator can
 * see which csquery or dial is the one that fails.
 */
98 authdialfutz(char *dom, char *user, char *proto)
104 fd = authdial(nil, dom);
106 print("\tsuccessfully dialed auth server\n");
108 authfutz(dom, user, proto);
/* failure diagnosis: %r prints the error string left by authdial/dial */
111 print("\tcannot dial auth server: %r\n");
112 server = csgetvalue(nil, "authdom", dom, "auth", nil);
/* (auth=%s here, auth=%q on the dom line below -- harmless inconsistency) */
114 print("\tcsquery authdom=%q auth=%s\n", dom, server);
118 print("\tcsquery authdom=%q auth=* failed\n", dom);
119 server = csgetvalue(nil, "dom", dom, "auth", nil);
121 print("\tcsquery dom=%q auth=%q\n", dom, server);
125 print("\tcsquery dom=%q auth=*\n", dom);
/* last resort: this machine's own $auth.  The assignment inside the argument
 * list keeps addr for the two messages below; netmkaddr presumably returns
 * its static buffer, which is fine as long as addr is only printed */
127 fd = dial(addr=netmkaddr("$auth", nil, "ticket"), 0, 0, 0);
129 print("\tdial %s succeeded\n", addr);
133 print("\tdial %s failed: %r\n", addr);
/*
 * getpakkeys: run the dp9ik PAK exchange with the auth server on fd for both
 * parties of the ticket request tr.
 * (Extract: the declarations of p, the PAK private state, and y, the
 * PAKYLEN-byte value buffer, plus the error returns and braces are not shown.)
 *
 * akey is bound to tr->authid and hkey to tr->hostid; the call site in
 * authfutz passes (&booteskey, &key), so akey is the cpu-owner key and hkey
 * the user key.  Each key is hashed, our public value is sent, the server's
 * value is read back and the exchange is finished against that key
 * (authpak_finish presumably updates *akey / *hkey in place -- confirm).
 * Assumed to return 0 on success and <0 on failure, matching the `< 0`
 * test at the call site; the return statements are not in the extract.
 */
137 getpakkeys(int fd, Ticketreq *tr, Authkey *akey, Authkey *hkey)
/* send the request; a length of 0 reads only the reply status, the PAK
 * values are read explicitly below */
146 if(_asrequest(fd, tr) < 0 || _asrdresp(fd, (char*)y, 0) < 0)
/* authid side */
149 authpak_hash(akey, tr->authid);
150 authpak_new(&p, akey, y, 1);
/* readn rather than read: the server's value must arrive whole before use */
151 if(write(fd, y, PAKYLEN) != PAKYLEN
152 || readn(fd, y, PAKYLEN) != PAKYLEN
153 || authpak_finish(&p, akey, y))
/* hostid side: same steps against hkey */
156 authpak_hash(hkey, tr->hostid);
157 authpak_new(&p, hkey, y, 1);
158 if(write(fd, y, PAKYLEN) != PAKYLEN
159 || readn(fd, y, PAKYLEN) != PAKYLEN
160 || authpak_finish(&p, hkey, y))
/*
 * authfutz: end-to-end check of the p9sk1/dp9ik ticket exchange for user@dom.
 * (Extract: the declarations of fd, n, m, tr and t, the skip/return
 * branches, the free and close calls and braces are not shown.)
 *
 * Two ticket requests are made.  The first uses the user's own key in both
 * the hostid and authid roles; the second uses the cpu server owner's
 * ("bootes") key as authid.  Each reply is decrypted with the key it should
 * have been sealed under and its challenge compared with the one sent, so
 * a failure points at either a key disagreement or a misbehaving server.
 * proto selects the dp9ik PAK step (getpakkeys) when it is "dp9ik".
 */
170 authfutz(char *dom, char *user, char *proto)
173 char prompt[128], tbuf[2*MAXTICKETLEN], *pass;
174 Authkey key, booteskey;
/* readcons(..., nil, 1): no default, raw (no-echo) read; empty input skips the test */
178 snprint(prompt, sizeof prompt, "\tpassword for %s@%s [hit enter to skip test]", user, dom);
179 pass = readcons(prompt, nil, 1);
180 if(pass == nil || *pass == 0){
/* derive the key, then wipe the cleartext as soon as it is no longer needed.
 * NOTE(review): a plain memset before the (not shown) free may be dropped by
 * optimising compilers; fine under the Plan 9 compilers, but prefer an
 * explicit-wipe routine if this is ever built elsewhere */
184 passtokey(&key, pass);
186 memset(pass, 0, strlen(pass));
189 fd = authdial(nil, dom);
/* "(!)" because authdialfutz already dialed successfully before calling us */
191 print("\tauthdial failed(!): %r\n");
195 /* try ticket request using just user key */
196 memset(&tr, 0, sizeof(tr));
/* the user plays both roles; strecpy bounds every copy to the fixed-size
 * Ticketreq fields.  NOTE(review): ticket2 below is decrypted with
 * booteskey, so booteskey must already hold a copy of key at that point --
 * the assignment is not in the extract, verify */
198 strecpy(tr.authid, tr.authid+sizeof tr.authid, user);
199 strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom);
200 strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user);
201 strecpy(tr.uid, tr.uid+sizeof tr.uid, user);
/* a constant challenge is acceptable for this diagnostic: in this extract the
 * tickets are only decrypted and compared, never used to authenticate */
202 memset(tr.chal, 0xAA, sizeof tr.chal);
204 if(strcmp(proto, "dp9ik") == 0 && getpakkeys(fd, &tr, &booteskey, &key) < 0){
205 print("\tgetpakkeys failed: %r\n");
/* n is the total length of the two concatenated tickets */
210 if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
211 print("\t_asgetticket failed: %r\n");
/* ticket1 is for hostid, sealed with key; m is its encoded length.
 * The test on t.num that selects the next message is not shown */
215 m = convM2T(tbuf, n, &t, &key);
217 print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
218 print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
/* the challenge must come back unchanged; a decryptable ticket with the
 * wrong challenge is treated as a replay/impostor */
221 if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
/* NOTE(review): the `*` precision consumes an int; sizeof is passed unconverted.
 * Fine with the Plan 9 compilers, cast to int if built where sizeof is wider */
222 print("\tbad challenge1 from auth server got %.*H wanted %.*H\n",
223 sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
224 print("\tauth server is rogue\n");
/* ticket2 is for authid, sealed with booteskey; starts at offset m */
228 convM2T(tbuf+m, n-m, &t, &booteskey);
230 print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
231 print("\tauth server and you do not agree on key for %s@%s\n", user, dom);
234 if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
235 print("\tbad challenge2 from auth server got %.*H wanted %.*H\n",
236 sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
237 print("\tauth server is rogue\n");
240 print("\tticket request using %s@%s key succeeded\n", user, dom);
242 /* try ticket request using bootes key */
/* readcons(..., "glenda", 0): echoed read with a default; user now points at
 * the readcons result, not the caller's string */
243 snprint(prompt, sizeof prompt, "\tcpu server owner for domain %s ", dom);
244 user = readcons(prompt, "glenda", 0);
245 if(user == nil || *user == '\0'){
/* only authid changes; hostid and uid still name the user */
249 strecpy(tr.authid, tr.authid+sizeof tr.authid, user);
251 snprint(prompt, sizeof prompt, "\tpassword for %s@%s [hit enter to skip test]", tr.authid, dom);
252 pass = readcons(prompt, nil, 1);
253 if(pass == nil || *pass == '\0'){
/* same derive-then-wipe pattern as above (same caveat about memset) */
257 passtokey(&booteskey, pass);
258 memset(pass, 0, strlen(pass));
261 if(strcmp(proto, "dp9ik") == 0 && getpakkeys(fd, &tr, &booteskey, &key) < 0){
262 print("\tgetpakkeys failed: %r\n");
267 if((n = _asgetticket(fd, &tr, tbuf, sizeof(tbuf))) < 0){
268 print("\t_asgetticket failed: %r\n");
/* ticket1: hostid's (user's) key, so a failure is reported against tr.hostid */
272 m = convM2T(tbuf, n, &t, &key);
274 print("\tcannot decrypt ticket1 from auth server (bad t.num=0x%.2ux)\n", t.num);
275 print("\tauth server and you do not agree on key for %s@%s\n", tr.hostid, dom);
278 if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
279 print("\tbad challenge1 from auth server got %.*H wanted %.*H\n",
280 sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
281 print("\tauth server is rogue\n");
/* ticket2: authid's (bootes) key, reported against tr.authid */
285 convM2T(tbuf+m, n-m, &t, &booteskey);
287 print("\tcannot decrypt ticket2 from auth server (bad t.num=0x%.2ux)\n", t.num);
288 print("\tauth server and you do not agree on key for %s@%s\n", tr.authid, dom);
291 if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
292 print("\tbad challenge2 from auth server got %.*H wanted %.*H\n",
293 sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
294 print("\tauth server is rogue\n");
297 print("\tticket request using %s@%s key succeeded\n", tr.authid, dom);
/* NOTE(review): whether key and booteskey are cleared before return, and
 * whether fd is closed, is not visible in this extract -- verify */
300 /* try p9sk1 exchange with local factotum to test that key is right */
304 * try p9sk1 exchange with factotum on
305 * auth server (assumes running cpu service)
306 * to test that bootes key is right over there
/*
 * main: entry point.  Installs the custom print verbs used above: %A
 * formats an attribute list (_attrfmt) and %H hex-encodes a byte buffer
 * (encodefmt).  Argument handling and the calls into the tests are not
 * shown in this extract.
 */
311 main(int argc, char **argv)
314 fmtinstall('A', _attrfmt);
315 fmtinstall('H', encodefmt);