1 #if defined(LIBC_SCCS) && !defined(lint)
2 static char sccsid
[] = "@(#)auth_des.c 2.2 88/07/29 4.0 RPCSRC; from 1.9 88/02/08 SMI";
5 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
6 * unrestricted use provided that this legend is included on all tape
7 * media and as a part of the software program in whole or part. Users
8 * may copy or modify Sun RPC without charge, but are not authorized
9 * to license or distribute it to anyone else except as part of a product or
10 * program developed by the user.
12 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
13 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
14 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
16 * Sun RPC is provided with no support and without any obligation on the
17 * part of Sun Microsystems, Inc. to assist in its use, correction,
18 * modification or enhancement.
20 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
21 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
22 * OR ANY PART THEREOF.
24 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
25 * or profits or other special, indirect and consequential damages, even if
26 * Sun has been advised of the possibility of such damages.
28 * Sun Microsystems, Inc.
30 * Mountain View, California 94043
33 * Copyright (c) 1988 by Sun Microsystems, Inc.
36 * auth_des.c, client-side implementation of DES authentication
40 #include <rpc/des_crypt.h>
41 #include <rpc/types.h>
43 #include <rpc/auth_des.h>
45 #include <netinet/in.h> /* XXX: just to get htonl() and ntohl() */
46 #include <sys/socket.h>
48 #define MILLION 1000000L
49 #define RTIME_TIMEOUT 5 /* seconds to wait for sync */
51 #define AUTH_PRIVATE(auth) (struct ad_private *) auth->ah_private
52 #define ALLOC(object_type) (object_type *) mem_alloc(sizeof(object_type))
53 #define FREE(ptr, size) mem_free((char *)(ptr), (int) size)
54 #define ATTEMPT(xdr_op) if (!(xdr_op)) return (FALSE)
56 #define debug(msg) /* printf("%s\n", msg) */
58 extern int rtime (struct sockaddr_in
*, struct timeval
*, struct timeval
*);
59 extern bool_t
xdr_authdes_cred (XDR
*, struct authdes_cred
*);
60 extern bool_t
xdr_authdes_verf (XDR
*, struct authdes_verf
*);
63 * DES authenticator operations vector
65 static void authdes_nextverf (AUTH
*);
66 static bool_t
authdes_marshal (AUTH
*, XDR
*);
67 static bool_t
authdes_validate (AUTH
*, struct opaque_auth
*);
68 static bool_t
authdes_refresh (AUTH
*);
69 static void authdes_destroy (AUTH
*);
70 static bool_t
synchronize (struct sockaddr
*, struct timeval
*)
73 static struct auth_ops authdes_ops
= {
83 * This struct is pointed to by the ah_private field of an "AUTH *"
86 char *ad_fullname
; /* client's full name */
87 u_int ad_fullnamelen
; /* length of name, rounded up */
88 char *ad_servername
; /* server's full name */
89 u_int ad_servernamelen
; /* length of name, rounded up */
90 uint32_t ad_window
; /* client specified window */
91 bool_t ad_dosync
; /* synchronize? */
92 struct sockaddr ad_syncaddr
; /* remote host to synch with */
93 struct timeval ad_timediff
; /* server's time - client's time */
94 u_long ad_nickname
; /* server's nickname for client */
95 struct authdes_cred ad_cred
; /* storage for credential */
96 struct authdes_verf ad_verf
; /* storage for verifier */
97 struct timeval ad_timestamp
; /* timestamp sent */
98 des_block ad_xkey
; /* encrypted conversation key */
99 u_char ad_pkey
[1024]; /* Servers actual public key */
104 * Create the client des authentication object
107 authdes_create (const char *servername
, u_int window
,
108 struct sockaddr
*syncaddr
, des_block
*ckey
)
109 /* servername - network name of server */
110 /* window - time to live */
111 /* syncaddr - optional addr of host to sync with */
112 /* ckey - optional conversation key to use */
114 u_char pkey_data
[1024];
117 if (!getpublickey (servername
, pkey_data
))
120 pkey
.n_bytes
= (char *) pkey_data
;
121 pkey
.n_len
= strlen ((char *) pkey_data
) + 1;
122 return authdes_pk_create (servername
, &pkey
, window
, syncaddr
, ckey
);
126 authdes_pk_create (const char *servername
, netobj
*pkey
, u_int window
,
127 struct sockaddr
*syncaddr
, des_block
*ckey
)
130 struct ad_private
*ad
;
131 char namebuf
[MAXNETNAMELEN
+ 1];
134 * Allocate everything now
137 ad
= ALLOC (struct ad_private
);
138 memset (ad
, 0, sizeof (struct ad_private
));
139 memcpy (ad
->ad_pkey
, pkey
->n_bytes
, pkey
->n_len
);
140 if (!getnetname (namebuf
))
142 ad
->ad_fullnamelen
= RNDUP (strlen (namebuf
));
143 ad
->ad_fullname
= mem_alloc (ad
->ad_fullnamelen
+ 1);
145 ad
->ad_servernamelen
= strlen (servername
);
146 ad
->ad_servername
= mem_alloc (ad
->ad_servernamelen
+ 1);
148 if (auth
== NULL
|| ad
== NULL
|| ad
->ad_fullname
== NULL
||
149 ad
->ad_servername
== NULL
)
151 debug ("authdes_create: out of memory");
156 * Set up private data
158 bcopy (namebuf
, ad
->ad_fullname
, ad
->ad_fullnamelen
+ 1);
159 bcopy (servername
, ad
->ad_servername
, ad
->ad_servernamelen
+ 1);
160 ad
->ad_timediff
.tv_sec
= ad
->ad_timediff
.tv_usec
= 0;
161 if (syncaddr
!= NULL
)
163 ad
->ad_syncaddr
= *syncaddr
;
164 ad
->ad_dosync
= TRUE
;
167 ad
->ad_dosync
= FALSE
;
169 ad
->ad_window
= window
;
172 if (key_gendes (&auth
->ah_key
) < 0)
174 debug ("authdes_create: unable to gen conversation key");
179 auth
->ah_key
= *ckey
;
184 auth
->ah_cred
.oa_flavor
= AUTH_DES
;
185 auth
->ah_verf
.oa_flavor
= AUTH_DES
;
186 auth
->ah_ops
= &authdes_ops
;
187 auth
->ah_private
= (caddr_t
) ad
;
189 if (!authdes_refresh (auth
))
196 FREE (auth
, sizeof (AUTH
));
199 if (ad
->ad_fullname
!= NULL
)
200 FREE (ad
->ad_fullname
, ad
->ad_fullnamelen
+ 1);
201 if (ad
->ad_servername
!= NULL
)
202 FREE (ad
->ad_servername
, ad
->ad_servernamelen
+ 1);
203 FREE (ad
, sizeof (struct ad_private
));
209 * Implement the five authentication operations
218 authdes_nextverf (AUTH
* auth
)
220 /* what the heck am I supposed to do??? */
229 authdes_marshal (AUTH
* auth
, XDR
* xdrs
)
231 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
232 struct authdes_cred
*cred
= &ad
->ad_cred
;
233 struct authdes_verf
*verf
= &ad
->ad_verf
;
234 des_block cryptbuf
[2];
241 * Figure out the "time", accounting for any time difference
242 * with the server if necessary.
244 __gettimeofday (&ad
->ad_timestamp
, (struct timezone
*) NULL
);
245 ad
->ad_timestamp
.tv_sec
+= ad
->ad_timediff
.tv_sec
;
246 ad
->ad_timestamp
.tv_usec
+= ad
->ad_timediff
.tv_usec
;
247 if (ad
->ad_timestamp
.tv_usec
>= MILLION
)
249 ad
->ad_timestamp
.tv_usec
-= MILLION
;
250 ad
->ad_timestamp
.tv_sec
+= 1;
254 * XDR the timestamp and possibly some other things, then
256 * XXX We have a real Year 2038 problem here.
258 ixdr
= (long *) cryptbuf
;
259 IXDR_PUT_LONG (ixdr
, ad
->ad_timestamp
.tv_sec
);
260 IXDR_PUT_LONG (ixdr
, ad
->ad_timestamp
.tv_usec
);
261 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
263 IXDR_PUT_U_INT32 (ixdr
, ad
->ad_window
);
264 IXDR_PUT_U_INT32 (ixdr
, ad
->ad_window
- 1);
265 ivec
.key
.high
= ivec
.key
.low
= 0;
266 status
= cbc_crypt ((char *) &auth
->ah_key
, (char *) cryptbuf
,
267 2 * sizeof (des_block
), DES_ENCRYPT
| DES_HW
, (char *) &ivec
);
271 status
= ecb_crypt ((char *) &auth
->ah_key
, (char *) cryptbuf
,
272 sizeof (des_block
), DES_ENCRYPT
| DES_HW
);
274 if (DES_FAILED (status
))
276 debug ("authdes_marshal: DES encryption failure");
279 ad
->ad_verf
.adv_xtimestamp
= cryptbuf
[0];
280 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
282 ad
->ad_cred
.adc_fullname
.window
= cryptbuf
[1].key
.high
;
283 ad
->ad_verf
.adv_winverf
= cryptbuf
[1].key
.low
;
287 ad
->ad_cred
.adc_nickname
= ad
->ad_nickname
;
288 ad
->ad_verf
.adv_winverf
= 0;
292 * Serialize the credential and verifier into opaque
293 * authentication data.
295 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
297 len
= ((1 + 1 + 2 + 1) * BYTES_PER_XDR_UNIT
+ ad
->ad_fullnamelen
);
301 len
= (1 + 1) * BYTES_PER_XDR_UNIT
;
304 if ((ixdr
= xdr_inline (xdrs
, 2 * BYTES_PER_XDR_UNIT
)) != NULL
)
306 IXDR_PUT_INT32 (ixdr
, AUTH_DES
);
307 IXDR_PUT_U_INT32 (ixdr
, len
);
311 ATTEMPT (xdr_putint32 (xdrs
, &auth
->ah_cred
.oa_flavor
));
312 ATTEMPT (xdr_putint32 (xdrs
, &len
));
314 ATTEMPT (xdr_authdes_cred (xdrs
, cred
));
316 len
= (2 + 1) * BYTES_PER_XDR_UNIT
;
317 if ((ixdr
= xdr_inline (xdrs
, 2 * BYTES_PER_XDR_UNIT
)) != NULL
)
319 IXDR_PUT_INT32 (ixdr
, AUTH_DES
);
320 IXDR_PUT_U_INT32 (ixdr
, len
);
324 ATTEMPT (xdr_putint32 (xdrs
, &auth
->ah_verf
.oa_flavor
));
325 ATTEMPT (xdr_putint32 (xdrs
, &len
));
327 ATTEMPT (xdr_authdes_verf (xdrs
, verf
));
336 authdes_validate (AUTH
*auth
, struct opaque_auth
*rverf
)
338 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
339 struct authdes_verf verf
;
341 register u_long
*ixdr
;
343 if (rverf
->oa_length
!= (2 + 1) * BYTES_PER_XDR_UNIT
)
346 ixdr
= (u_long
*) rverf
->oa_base
;
347 verf
.adv_xtimestamp
.key
.high
= (u_long
) * ixdr
++;
348 verf
.adv_xtimestamp
.key
.low
= (u_long
) * ixdr
++;
349 verf
.adv_int_u
= (u_long
) * ixdr
++; /* nickname not XDR'd ! */
352 * Decrypt the timestamp
354 status
= ecb_crypt ((char *) &auth
->ah_key
, (char *) &verf
.adv_xtimestamp
,
355 sizeof (des_block
), DES_DECRYPT
| DES_HW
);
357 if (DES_FAILED (status
))
359 debug ("authdes_validate: DES decryption failure");
364 * xdr the decrypted timestamp
366 ixdr
= (u_long
*) verf
.adv_xtimestamp
.c
;
367 verf
.adv_timestamp
.tv_sec
= IXDR_GET_LONG (ixdr
) + 1;
368 verf
.adv_timestamp
.tv_usec
= IXDR_GET_LONG (ixdr
);
373 if (memcmp ((char *) &ad
->ad_timestamp
, (char *) &verf
.adv_timestamp
,
374 sizeof (struct timeval
)) != 0)
376 debug ("authdes_validate: verifier mismatch\n");
381 * We have a nickname now, let's use it
383 ad
->ad_nickname
= verf
.adv_nickname
;
384 ad
->ad_cred
.adc_namekind
= ADN_NICKNAME
;
392 authdes_refresh (AUTH
*auth
)
395 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
396 struct authdes_cred
*cred
= &ad
->ad_cred
;
399 !synchronize (&ad
->ad_syncaddr
, &ad
->ad_timediff
))
402 * Hope the clocks are synced!
404 ad
->ad_timediff
.tv_sec
= ad
->ad_timediff
.tv_usec
= 0;
405 debug ("authdes_refresh: unable to synchronize with server");
407 ad
->ad_xkey
= auth
->ah_key
;
408 pkey
.n_bytes
= (char *) (ad
->ad_pkey
);
409 pkey
.n_len
= strlen ((char *) ad
->ad_pkey
) + 1;
410 if (key_encryptsession_pk (ad
->ad_servername
, &pkey
, &ad
->ad_xkey
) < 0)
412 debug ("authdes_create: unable to encrypt conversation key");
415 cred
->adc_fullname
.key
= ad
->ad_xkey
;
416 cred
->adc_namekind
= ADN_FULLNAME
;
417 cred
->adc_fullname
.name
= ad
->ad_fullname
;
425 authdes_destroy (AUTH
*auth
)
427 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
429 FREE (ad
->ad_fullname
, ad
->ad_fullnamelen
+ 1);
430 FREE (ad
->ad_servername
, ad
->ad_servernamelen
+ 1);
431 FREE (ad
, sizeof (struct ad_private
));
432 FREE (auth
, sizeof (AUTH
));
436 * Synchronize with the server at the given address, that is,
437 * adjust timep to reflect the delta between our clocks
441 synchronize (struct sockaddr
*syncaddr
, struct timeval
*timep
)
443 struct timeval mytime
;
444 struct timeval timeout
;
446 timeout
.tv_sec
= RTIME_TIMEOUT
;
448 if (rtime ((struct sockaddr_in
*) syncaddr
, timep
, &timeout
) < 0)
451 __gettimeofday (&mytime
, (struct timezone
*) NULL
);
452 timep
->tv_sec
-= mytime
.tv_sec
;
453 if (mytime
.tv_usec
> timep
->tv_usec
)
456 timep
->tv_usec
+= MILLION
;
458 timep
->tv_usec
-= mytime
.tv_usec
;