Auth module - authenticated connections

include "sys.m";
include "security.m";
Auth: module
{
	PATH:	con "/dis/lib/auth.dis";
	# level of security
	NOAUTH:     con "noauth";
	NOSSL:      con "nossl";
	CLEAR:      con "clear";
	SHA:        con "sha";
	MD5:        con "md5";
	RC4:        con "rc4";
	SHA_RC4:    con "sha/rc4";
	SHA_DESCBC: con "sha/descbc";
	SHA_DESECB: con "sha/desecb";
	MD5_RC4:    con "md5/rc4";
	MD5_DESCBC: con "md5/descbc";
	MD5_DESECB: con "md5/desecb";
	init: fn(): string;
	server: fn(algs: list of string, ai: ref Keyring->Authinfo, fd: ref Sys->FD):
		(ref Sys->FD, string);
	client: fn(alg: string, ai: ref Keyring->Authinfo, fd: ref Sys->FD):
		(ref Sys->FD, string);
};

Description

The client and server functions of the Auth module establish authenticated connections using the station-to-station protocol.

init ()

init: fn(): string;
## returns nil on success; error message on failure.
Before using the other functions of the Auth module, the init() function must be called. The init() function returns nil if successful; otherwise it returns an error message.

server (algs, ai, fd)

server: fn(algs: list of string, ai: ref Keyring->Authinfo, fd: ref Sys->FD):
	(ref Sys->FD, string);
## returns (nil, error message) if authentication fails.
The server function authenticates a client connection using one of the algorithms in algs. If successful, server returns a tuple containing a connection file descriptor and a string with information about the connection. If an authenticated connection cannot be established, server returns a tuple that contains a nil file descriptor and an error message.

client (alg, ai, fd)

client: fn(alg: string, ai: ref Keyring->Authinfo, fd: ref Sys->FD):
	(ref Sys->FD, string);
## returns (nil, error message) if authentication fails.
The client function authenticates a connection to a server using the algorithm in alg. If successful, client returns a tuple containing a connection file descriptor and a string with information about the connection. If an authenticated connection cannot be established, client returns a tuple that contains a nil file descriptor and an error message.

Parameters

NOAUTH     No authentication required.
NOSSL      No Secure Sockets Layer (SSL).
CLEAR      Establish an SSL connection, but send information in the clear.
SHA        Use SHA hashing for message digesting.
MD5        Use MD5 hashing for message digesting.
RC4        Use RC4 for encryption.
SHA_RC4    Digest with SHA, encrypt with RC4.
SHA_DESCBC Digest with SHA, encrypt with DES-CBC.
SHA_DESECB Digest with SHA, encrypt with DES-ECB.
MD5_RC4    Digest with MD5, encrypt with RC4.
MD5_DESCBC Digest with MD5, encrypt with DES-CBC.
MD5_DESECB Digest with MD5, encrypt with DES-ECB.
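As an added, complete example (not from this page and not from the Inferno sources), the following Limbo command puts the client-side steps described above together in one runnable program: it loads Auth and Keyring, calls init, binds the SSL device, reads an Authinfo file with Keyring->readauthinfo, dials an address with Sys->dial, and hands the data file descriptor to client with one of the algorithm names from the table. The module name AuthClientDemo, the command-line layout (address, key file, algorithm) and the comments are assumptions; the Auth calls are the ones documented here, and Sys->dial and Keyring->readauthinfo are taken from the Sys and Keyring modules. The server side is the mirror image: the same load, init and bind steps, then server(algs, ai, fd) on the accepted connection, as in the styxd excerpt below.

```limbo
implement AuthClientDemo;

include "sys.m";
	sys: Sys;
include "draw.m";
include "keyring.m";
	kr: Keyring;
include "security.m";
	auth: Auth;

# assumed module name; any Inferno command has this shape
AuthClientDemo: module
{
	init:	fn(ctxt: ref Draw->Context, argv: list of string);
};

# usage: authclientdemo addr keyfile alg
# e.g.   authclientdemo tcp!server!6666 /usr/inferno/keyring/default sha/rc4
init(nil: ref Draw->Context, argv: list of string)
{
	sys = load Sys Sys->PATH;
	stderr := sys->fildes(2);

	argv = tl argv;		# drop the program name
	if(len argv != 3){
		sys->fprint(stderr, "usage: authclientdemo addr keyfile alg\n");
		exit;
	}
	addr := hd argv;
	keyfile := hd tl argv;
	alg := hd tl tl argv;		# e.g. Auth->SHA_RC4, given as "sha/rc4"

	kr = load Keyring Keyring->PATH;
	auth = load Auth Auth->PATH;
	if(kr == nil || auth == nil){
		sys->fprint(stderr, "can't load Keyring or Auth: %r\n");
		exit;
	}

	# init must precede every other Auth call
	err := auth->init();
	if(err != nil){
		sys->fprint(stderr, "auth init: %s\n", err);
		exit;
	}

	# Auth drives the SSL device through /n/ssl, so bind it first
	if(sys->bind("#D", "/n/ssl", Sys->MREPL) < 0){
		sys->fprint(stderr, "can't bind #D: %r\n");
		exit;
	}

	# the local identity (certificate and private key) comes from an Authinfo file
	ai := kr->readauthinfo(keyfile);
	if(ai == nil){
		sys->fprint(stderr, "can't read %s: %r\n", keyfile);
		exit;
	}

	(ok, c) := sys->dial(addr, nil);
	if(ok < 0){
		sys->fprint(stderr, "can't dial %s: %r\n", addr);
		exit;
	}

	# run the station-to-station exchange over the data fd; on success
	# fd is the digested/encrypted connection and info describes it,
	# on failure fd is nil and info carries the error message
	(fd, info) := auth->client(alg, ai, c.dfd);
	if(fd == nil){
		sys->fprint(stderr, "authentication failed: %s\n", info);
		exit;
	}
	sys->print("authenticated using %s: %s\n", alg, info);

	# fd is now the descriptor to use for protocol traffic,
	# for example sys->mount(fd, dir, flags, "") as mount does
}
```

Note that the raw c.dfd must not be used once client has returned a descriptor: only the returned fd carries the negotiated digest and encryption, and a program that keeps writing to c.dfd after a successful return sends in the clear regardless of the algorithm chosen.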

Example - client

This program excerpt (from /appl/cmd/mount.b) illustrates the use of the init and client functions. Note the bind of the SSL device before the client call.

	alg := Auth->NOSSL;
	. . .

	au := load Auth Auth->PATH;
	if(au == nil){
		sys->fprint(stderr, "Error: mount: can't load module Auth %r\n");
		exit;
	}
	err := au->init();
	if(err != nil){
		sys->fprint(stderr, "Error: mount: %s\n", err);
		exit;
	}
	# do this before using module auth
	if(sys->bind("#D", "/n/ssl", Sys->MREPL) < 0){
		sys->fprint(stderr, "can't bind #D: %r\n");
		exit;
	}
	fd := ref Sys->FD;
	(fd, err) = au->client(alg, ai, c.dfd);
	if(fd == nil){
		sys->fprint(stderr, "Error: mount: authentication failed: %s\n", err);
		exit;
	}

	dir := hd argv;
	ok = sys->mount(fd, dir, flags, "");
	if(ok < 0)
		sys->fprint(stderr, "Error: mount: %r\n");

Example - server

This excerpt (from /lib/styxd.b) illustrates the use of the server function (init was called before this excerpt). Note that readauthinfo is called first to get the Authinfo adt to pass to server.

	kr = load Keyring Keyring->PATH;
	ai := kr->readauthinfo("/usr/"+user+"/keyring/default");

	# do this before using auth
	if(sys->bind("#D", "/n/ssl", Sys->MREPL) < 0){
		sys->fprint(stderr, "Error: can't bind #D: %r\n");
		exit;
	}
	if(argv == nil){
		sys->fprint(stderr, "Error: styxd: no algorithm list\n");
		exit;
	}
	(fd, info_or_err) := auth->server(argv, ai, stdin);
	if(fd == nil){
		sys->fprint(stderr, "Error: styxd: %s\n", info_or_err);
		exit;
	}
	sys->pctl(sys->FORKNS, nil);
	if(sys->export(fd, sys->EXPASYNC) < 0)
		sys->fprint(stderr, "Error: styxd: file export %r\n");

See Also

connect, secret - interface to the Secure Sockets Layer device



infernosupport@lucent.com
Copyright © 1997, Lucent Technologies, Inc. All rights reserved.