Article delegate-en/3478 of [1-4224] on the server localhost:7119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A3474@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en
[DeleGate-En] MASTER authentication (Re: delegate article 3443)
01 Sep 2006 07:40:04 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project 
Hi,

On 08/30/06(22:13) you Martin Papadopoulos <payeabdyi-mxhgu462z33w.ml@delegate.org> wrote
in <_A3474@delegate-en.ML_>
 |at least for the scenario authorizing delegate master process , the
 |authorization does not function
 |for the sockmux scenario it does work however .

It seems that I forgot not to have implemented the feature because I
thoght it must be implemented for long time since the begining ;)
Indeed, authentication with master DeleGate (AUTHORIZER + MYAUTH with
MASTER) have worked for HTTP, but not for other protocols.
I prototyped it as the enclosed patch.  It can be used as follows:

 % delegated -P8888 SERVER=delegate AUTHORIZER="-list{user:pass}:delegate"
 % delegated -P8080 SERVER=ftp MASTER=host:8888 MYAUTH=user:pass:delegate

The user:pass pair is sent from DeleGate to MASTER-DeleGate encrypted with
"Credhy" generating the encryption key using Deffie-Hellman algorithm.
Since I'm under perparation in the release of 9.2.4, the modification will
be included after 9.2.5.
The patched version of service.c for 9.2.4 is at pub/DeleGate/tmp/service.c

Cheers,
Yutaka
--
  9 9   Yutaka Sato <pfqcabdyi-mxhgu462z33w.ml@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** ../arc/delegate9.2.4-pre20/src/service.c	Fri Aug 18 11:54:44 2006
--- src/service.c	Fri Sep  1 16:16:01 2006
***************
*** 725,730 ****
--- 725,815 ----
   * and sending it is halmful for the client.
   */
  
+ #include "credhy.h"
+ int hextoStr(PCStr(hex),PVStr(bin),int siz);
+ static Credhy cKey;
+ static int DHKEYwithCL;
+ static void sendDHkey(FILE *tc){
+ 	int klen;
+ 	CStr(key,1024);
+ 	CStr(xkey,1024);
+ 
+ 	CredhyInit(&cKey,0);
+ 	cKey.k_flags |= CR_AKFIRST | CR_CRC32;
+ 	klen = CredhyGenerateKey(&cKey,AVStr(key),sizeof(key));
+ 	strtoHex(key,klen,AVStr(xkey),sizeof(xkey));
+ 	fprintf(tc,"DHKEY %s\r\n",xkey);
+ 	fflush(tc);
+ }
+ static void recvDHkey(PCStr(pkey)){
+ 	CStr(xkey,512);
+ 	CStr(key,512);
+ 
+ 	truncVStr(xkey);
+ 	Xsscanf(pkey,"%s",AVStr(xkey));
+ 	hextoStr(xkey,AVStr(key),sizeof(key));
+ 	if( CredhyAgreedKey(&cKey,key) != 0 ){
+ 		sv1log(">>>> DHKEY -- CANT GET AGREED KEY\n");
+ 	}
+ }
+ static void sendAUTH(Connection *Conn,FILE *ts,PCStr(auth)){
+ 	CStr(xauth,256);
+ 	if( cKey.k_leng == 0 ){
+ 		return;
+ 	}
+ 	CredhyAencrypt(&cKey,auth,AVStr(xauth),sizeof(xauth));
+ 	fprintf(ts,"AUTH CREDHY %s\r\n",xauth);
+ 	fflush(ts);
+ }
+ static int recvAUTH(Connection *Conn,PCStr(name),PCStr(value),AuthInfo *ident){
+ 	CStr(atype,128);
+ 	CStr(xauth,256);
+ 	CStr(auth,256);
+ 
+ 	if( !strcaseeq(name,"AUTH") )
+ 		return 0;
+ 
+ 	truncVStr(xauth);
+ 	Xsscanf(value,"%s %s",AVStr(atype),AVStr(xauth));
+ 	truncVStr(auth);
+ 	CredhyAdecrypt(&cKey,xauth,AVStr(auth),sizeof(auth));
+ 	Xsscanf(auth,"%[^:]:%[^\n]",AVStr(ident->i_user),AVStr(ident->i_pass));
+ 	return 1;
+ }
+ static void getAuthXM(Connection *Conn,PVStr(myauth),int mx,int msock){
+ 	Port sv = Conn->sv;
+ 	VAddr master;
+ 
+ 	strcpy(REAL_PROTO,"delegate");
+ 	if( VA_getpeerNAME(msock,&master) ){
+ 		strcpy(REAL_HOST,master.a_name);
+ 		REAL_PORT = master.a_port;
+ 	}
+ 	get_MYAUTH(Conn,AVStr(myauth),"delegate",DST_HOST,DST_PORT);
+ 	Conn->sv = sv;
+ }
+ int doAuthX(Connection *Conn,AuthInfo *ident);
+ static int doAuthXM(Connection *Conn,int clsock,AuthInfo *ident){
+ 	Port sv = Conn->sv;
+ 	int sfc = FromC;
+ 	int wa;
+ 
+ 	strcpy(REAL_PROTO,"delegate");
+ 	strcpy(REAL_HOST,"-"); /* MASTER DeleGate itself */
+ 	REAL_PORT = -1; /* to avoid "already authrorized" in doAUTH0() */
+ 	FromC = clsock; /* referred in Identify() */
+ 	if( wa = CTX_withAuth(Conn) ){
+ 		if( ident != NULL ){
+ 			if( doAuthX(Conn,ident) < 0 ){
+ 				wa = -1;
+ 			}
+ 		}
+ 	}
+ 	FromC = sfc;
+ 	Conn->sv = sv;
+ 	return wa;
+ }
+ 
  static void returnHELO(Connection *Conn,FILE *tc);
  static void gotHELLO(Connection *Conn,FILE *tc,PCStr(fieldname),PCStr(value))
  {	CStr(version,64);
***************
*** 734,744 ****
--- 819,840 ----
  	cp = wordScan(value,version); lineScan(cp,control);
  	sv1mlog("CLIENT says: %s %s [%s]\n",fieldname,version,control);
  
+ 	DHKEYwithCL = 0;
+ 	if( streq(control,"DHKEY") ){
+ 		if( doAuthXM(Conn,fileno(tc),NULL) ){
+ 			DHKEYwithCL = 1;
+ 		}
+ 	}
+ 
  	strcpy(ClientVER,version);
  	if( streq(control,"NOACK") )   NoACK = 1; else
  	if( streq(control,"NOSYNC") )  RespNOSYNC = 1;
  
  	returnHELO(Conn,tc);
+ 	if( DHKEYwithCL ){
+ 		sendDHkey(tc);
+ 		DHKEYwithCL = 0;
+ 	}
  }
  static void toclnt(Connection *Conn,FILE *tc,PCStr(fmt),...)
  {	CStr(msg,1024);
***************
*** 773,778 ****
--- 869,877 ----
  		}else{
  			GetHostname(AVStr(host),sizeof(host));
  			sprintf(seed,"<%d.%d@%s>",getpid(),time(0),host);
+ 			if( DHKEYwithCL ){
+ 				strcat(seed,"[DHKEY]");
+ 			}
  			toclnt(Conn,tc,"%s %s %s\r\n",
  				HelloWord(),DELEGATE_ver(),seed);
  			SayHello = 0;
***************
*** 1324,1335 ****
--- 1423,1445 ----
  			do_exit = 1;
  			break;
  		}else
+ 		if( strcaseeq(fieldname,"DHKEY") ){
+ 			recvDHkey(value);
+ 		}else
+ 		if( recvAUTH(Conn,fieldname,value,&ClientAuth) ){
+ 		}else
  		if( obsoletecoms(Conn,&tc,fromC,toC,fieldname,value,&do_exit) ){
  			if( do_exit )
  				break;
  		}else	scan_header(Conn,fromC,fieldname,value);
  	}
  
+ 	if( doAuthXM(Conn,fileno(tc),&ClientAuth) < 0 ){
+ 		returnAckDENIED(Conn,tc,"Auth. error");
+ 		do_exit = 1;
+ 	}
+ 	bzero(&ClientAuth,sizeof(ClientAuth));
+ 
  	return do_exit;
  }
  
***************
*** 1716,1721 ****
--- 1826,1834 ----
  	const char *server;
  	int fsv;
  
+ 	CStr(myauth,256);
+ 	getAuthXM(Conn,AVStr(myauth),mx,msock);
+ 
  	set_keepalive(msock,1);
  
  	ServerFlags |= PF_IS_MASTER;
***************
*** 1729,1734 ****
--- 1842,1851 ----
  	/*
  	set_keepalive(msock,1);
  	*/
+ 	if( myauth[0] ){
+ 		/* should be reused with a session-ID */
+ 		reuse = 0;
+ 	}else
  	reuse = reuseMASTER(Conn,mx,msock,&version,&server);
  
  	if( reuse && strcmp(server,D_SERVER) == 0 ){
***************
*** 1756,1761 ****
--- 1873,1882 ----
  		strcpy(MediatorVer,version);
  		newver = 1;
  	}else{
+ 		if( myauth[0] ){
+ 			fprintf(mfpo,"%s %s DHKEY\r\n",HelloWord(),
+ 				DELEGATE_ver());
+ 		}else
  		fprintf(mfpo,"%s %s\r\n",HelloWord(),DELEGATE_ver());
  		fflush(mfpo);
  		if( 0 < RecvLineTIMEOUT(msock,resp,sizeof(resp),HELLO_TIMEOUT*1000) ){
***************
*** 1764,1775 ****
--- 1885,1907 ----
  			scanHelloVer(Hello,AVStr(MediatorVer));
  			nHello++;
  			newver = 1;
+ 
+ 			if( strstr(resp,"[DHKEY]") )
+ 			if( recvPeekTIMEOUT(msock,AVStr(resp),5) == 5 )
+ 			if( strneq(resp,"DHKEY",5) ){
+ 				CStr(dhk,512);
+ 				RecvLineTIMEOUT(msock,dhk,sizeof(dhk),3*1000);
+ 				sendDHkey(mfpo);
+ 				recvDHkey(dhk+5);
+ 			}
  		}else{
  	sv1log("HELLO negotiation TIMEOUT: OLD version MASTER before 2.0 ?\n");
  			strcpy(MediatorVer,"1");
  			newver = 0;
  		}
  	}
+ 	if( myauth[0] )
+ 		sendAUTH(Conn,mfpo,myauth);
  
  	if( strncmp(D_SERVER,"https:",6) == 0 )
  	if( vercmp(MediatorVer,"3.0.4") < 0 ){
  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V