shithub: purgatorio

ref: 6042bb8adffe111049edfcb8b2eb1ad84814ed69
dir: /module/auth9.m/

View raw version
Auth9: module
{
	PATH:	con "/dis/lib/auth9.dis";

	#
	# plan 9 authentication
	#

	ANAMELEN: con 	28; # maximum size of name in previous proto
	AERRLEN: con 	64; # maximum size of errstr in previous proto
	DOMLEN: con 		48; # length of an authentication domain name
	DESKEYLEN: con 	7; # length of a des key for encrypt/decrypt
	CHALLEN: con 	8; # length of a plan9 sk1 challenge
	NETCHLEN: con 	16; # max network challenge length (used in AS protocol)
	SECRETLEN: con 	32; # max length of a secret

	# encryption numberings (anti-replay)
	AuthTreq: con 1; 	# ticket request
	AuthChal: con 2; 	# challenge box request
	AuthPass: con 3; 	# change password
	AuthOK: con 4; 	# fixed length reply follows
	AuthErr: con 5; 	# error follows
	AuthMod: con 6; 	# modify user
	AuthApop: con 7; 	# apop authentication for pop3
	AuthOKvar: con 9; 	# variable length reply follows
	AuthChap: con 10; 	# chap authentication for ppp
	AuthMSchap: con 11; 	# MS chap authentication for ppp
	AuthCram: con 12; 	# CRAM verification for IMAP (RFC2195 & rfc2104)
	AuthHttp: con 13; 	# http domain login
	AuthVNC: con 14; 	# VNC server login (deprecated)


	AuthTs: con 64;	# ticket encrypted with server's key
	AuthTc: con 65;	# ticket encrypted with client's key
	AuthAs: con 66;	# server generated authenticator
	AuthAc: con 67;	# client generated authenticator
	AuthTp: con 68;	# ticket encrypted with client's key for password change
	AuthHr: con 69;	# http reply

	Ticketreq: adt {
		rtype: int;
		authid: string;	# [ANAMELEN]	server's encryption id
		authdom: string;	# [DOMLEN]	server's authentication domain
		chal:	array of byte; # [CHALLEN]	challenge from server
		hostid: string;	# [ANAMELEN]		host's encryption id
		uid: string;	# [ANAMELEN]	uid of requesting user on host

		pack:	fn(t: self ref Ticketreq): array of byte;
		unpack:	fn(a: array of byte): (int, ref Ticketreq);
	};
		TICKREQLEN: con	3*ANAMELEN+CHALLEN+DOMLEN+1;

	Ticket: adt {
		num: int;	# replay protection
		chal:	array of byte;	# [CHALLEN]	server challenge
		cuid: string;	# [ANAMELEN]	uid on client
		suid: string;	# [ANAMELEN]	uid on server
		key:	array of byte;	# [DESKEYLEN]	nonce DES key

		pack:	fn(t: self ref Ticket, key: array of byte): array of byte;
		unpack:	fn(a: array of byte, key: array of byte): (int, ref Ticket);
	};
		TICKETLEN: con CHALLEN+2*ANAMELEN+DESKEYLEN+1;

	Authenticator: adt {
		num: int;			# replay protection
		chal: array of byte;	# [CHALLEN]
		id:	int;			# authenticator id, ++'d with each auth

		pack:	fn(f: self ref Authenticator, key: array of byte): array of byte;
		unpack:	fn(a: array of byte, key: array of byte): (int, ref Authenticator);
	};
		AUTHENTLEN: con CHALLEN+4+1;

	Passwordreq: adt {
		num: int;
		old:	array of byte;	# [ANAMELEN]
		new:	array of byte;	# [ANAMELEN]
		changesecret:	int;
		secret:	array of byte; # [SECRETLEN]	new secret

		pack:	fn(f: self ref Passwordreq, key: array of byte): array of byte;
		unpack:	fn(a: array of byte, key: array of byte): (int, ref Passwordreq);
	};
	PASSREQLEN: con	2*ANAMELEN+1+1+SECRETLEN;

	# secure ID and Plan 9 auth key/request/reply encryption
	netcrypt:	fn(key: array of byte, chal: string): string;
	passtokey:	fn(pw: string): array of byte;
	des56to64:	fn(a: array of byte): array of byte;
	encrypt:	fn(key: array of byte, data: array of byte, n: int);
	decrypt:	fn(key: array of byte, data: array of byte, n: int);

	# dial auth server
#	authdial(netroot: string, authdom: string): ref Sys->FD;

	# exchange messages with auth server
	_asgetticket:	fn(fd: ref Sys->FD, tr: ref Ticketreq, key: array of byte): (ref Ticket, array of byte);
	_asrdresp:	fn(fd: ref Sys->FD, n: int): array of byte;

	init:	fn();
};