2 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3 * unrestricted use provided that this legend is included on all tape
4 * media and as a part of the software program in whole or part. Users
5 * may copy or modify Sun RPC without charge, but are not authorized
6 * to license or distribute it to anyone else except as part of a product or
7 * program developed by the user.
9 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
13 * Sun RPC is provided with no support and without any obligation on the
14 * part of Sun Microsystems, Inc. to assist in its use, correction,
15 * modification or enhancement.
17 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19 * OR ANY PART THEREOF.
21 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22 * or profits or other special, indirect and consequential damages, even if
23 * Sun has been advised of the possibility of such damages.
25 * Sun Microsystems, Inc.
27 * Mountain View, California 94043
30 * Copyright (c) 1988 by Sun Microsystems, Inc.
33 * auth_des.c, client-side implementation of DES authentication
37 #include <rpc/des_crypt.h>
38 #include <rpc/types.h>
40 #include <rpc/auth_des.h>
42 #include <netinet/in.h> /* XXX: just to get htonl() and ntohl() */
43 #include <sys/socket.h>
45 #define MILLION 1000000L
46 #define RTIME_TIMEOUT 5 /* seconds to wait for sync */
48 #define AUTH_PRIVATE(auth) (struct ad_private *) auth->ah_private
49 #define ALLOC(object_type) (object_type *) mem_alloc(sizeof(object_type))
50 #define FREE(ptr, size) mem_free((char *)(ptr), (int) size)
51 #define ATTEMPT(xdr_op) if (!(xdr_op)) return (FALSE)
53 #define debug(msg) /* printf("%s\n", msg) */
55 extern bool_t
INTUSE(xdr_authdes_cred
) (XDR
*, struct authdes_cred
*);
56 extern bool_t
INTUSE(xdr_authdes_verf
) (XDR
*, struct authdes_verf
*);
59 * DES authenticator operations vector
61 static void authdes_nextverf (AUTH
*);
62 static bool_t
authdes_marshal (AUTH
*, XDR
*);
63 static bool_t
authdes_validate (AUTH
*, struct opaque_auth
*);
64 static bool_t
authdes_refresh (AUTH
*);
65 static void authdes_destroy (AUTH
*);
66 static bool_t
synchronize (struct sockaddr
*, struct rpc_timeval
*)
69 static const struct auth_ops authdes_ops
= {
79 * This struct is pointed to by the ah_private field of an "AUTH *"
82 char *ad_fullname
; /* client's full name */
83 u_int ad_fullnamelen
; /* length of name, rounded up */
84 char *ad_servername
; /* server's full name */
85 u_int ad_servernamelen
; /* length of name, rounded up */
86 uint32_t ad_window
; /* client specified window */
87 bool_t ad_dosync
; /* synchronize? */
88 struct sockaddr ad_syncaddr
; /* remote host to synch with */
89 struct rpc_timeval ad_timediff
; /* server's time - client's time */
90 uint32_t ad_nickname
; /* server's nickname for client */
91 struct authdes_cred ad_cred
; /* storage for credential */
92 struct authdes_verf ad_verf
; /* storage for verifier */
93 struct rpc_timeval ad_timestamp
; /* timestamp sent */
94 des_block ad_xkey
; /* encrypted conversation key */
95 u_char ad_pkey
[1024]; /* Servers actual public key */
100 * Create the client des authentication object
103 authdes_create (const char *servername
, u_int window
,
104 struct sockaddr
*syncaddr
, des_block
*ckey
)
105 /* servername - network name of server */
106 /* window - time to live */
107 /* syncaddr - optional addr of host to sync with */
108 /* ckey - optional conversation key to use */
110 char pkey_data
[1024];
113 if (!getpublickey (servername
, pkey_data
))
116 pkey
.n_bytes
= pkey_data
;
117 pkey
.n_len
= strlen (pkey_data
) + 1;
118 return INTUSE(authdes_pk_create
) (servername
, &pkey
, window
, syncaddr
, ckey
);
122 authdes_pk_create (const char *servername
, netobj
*pkey
, u_int window
,
123 struct sockaddr
*syncaddr
, des_block
*ckey
)
126 struct ad_private
*ad
;
127 char namebuf
[MAXNETNAMELEN
+ 1];
130 * Allocate everything now
133 ad
= ALLOC (struct ad_private
);
135 if (auth
== NULL
|| ad
== NULL
)
137 debug ("authdes_create: out of memory");
141 memset (ad
, 0, sizeof (struct ad_private
));
142 memcpy (ad
->ad_pkey
, pkey
->n_bytes
, pkey
->n_len
);
143 if (!getnetname (namebuf
))
145 ad
->ad_fullnamelen
= RNDUP (strlen (namebuf
));
146 ad
->ad_fullname
= mem_alloc (ad
->ad_fullnamelen
+ 1);
148 ad
->ad_servernamelen
= strlen (servername
);
149 ad
->ad_servername
= mem_alloc (ad
->ad_servernamelen
+ 1);
151 if (ad
->ad_fullname
== NULL
|| ad
->ad_servername
== NULL
)
153 debug ("authdes_create: out of memory");
158 * Set up private data
160 memcpy (ad
->ad_fullname
, namebuf
, ad
->ad_fullnamelen
+ 1);
161 memcpy (ad
->ad_servername
, servername
, ad
->ad_servernamelen
+ 1);
162 ad
->ad_timediff
.tv_sec
= ad
->ad_timediff
.tv_usec
= 0;
163 if (syncaddr
!= NULL
)
165 ad
->ad_syncaddr
= *syncaddr
;
166 ad
->ad_dosync
= TRUE
;
169 ad
->ad_dosync
= FALSE
;
171 ad
->ad_window
= window
;
174 if (key_gendes (&auth
->ah_key
) < 0)
176 debug ("authdes_create: unable to gen conversation key");
181 auth
->ah_key
= *ckey
;
186 auth
->ah_cred
.oa_flavor
= AUTH_DES
;
187 auth
->ah_verf
.oa_flavor
= AUTH_DES
;
188 auth
->ah_ops
= (struct auth_ops
*) &authdes_ops
;
189 auth
->ah_private
= (caddr_t
) ad
;
191 if (!authdes_refresh (auth
))
198 FREE (auth
, sizeof (AUTH
));
201 if (ad
->ad_fullname
!= NULL
)
202 FREE (ad
->ad_fullname
, ad
->ad_fullnamelen
+ 1);
203 if (ad
->ad_servername
!= NULL
)
204 FREE (ad
->ad_servername
, ad
->ad_servernamelen
+ 1);
205 FREE (ad
, sizeof (struct ad_private
));
209 INTDEF(authdes_pk_create
)
212 * Implement the five authentication operations
221 authdes_nextverf (AUTH
*auth
)
223 /* what the heck am I supposed to do??? */
232 authdes_marshal (AUTH
*auth
, XDR
*xdrs
)
234 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
235 struct authdes_cred
*cred
= &ad
->ad_cred
;
236 struct authdes_verf
*verf
= &ad
->ad_verf
;
237 des_block cryptbuf
[2];
241 register int32_t *ixdr
;
245 * Figure out the "time", accounting for any time difference
246 * with the server if necessary.
248 __gettimeofday (&tval
, (struct timezone
*) NULL
);
249 ad
->ad_timestamp
.tv_sec
= tval
.tv_sec
+ ad
->ad_timediff
.tv_sec
;
250 ad
->ad_timestamp
.tv_usec
= tval
.tv_usec
+ ad
->ad_timediff
.tv_usec
;
251 if (ad
->ad_timestamp
.tv_usec
>= MILLION
)
253 ad
->ad_timestamp
.tv_usec
-= MILLION
;
254 ad
->ad_timestamp
.tv_sec
+= 1;
258 * XDR the timestamp and possibly some other things, then
260 * XXX We have a real Year 2038 problem here.
262 ixdr
= (int32_t *) cryptbuf
;
263 IXDR_PUT_INT32 (ixdr
, ad
->ad_timestamp
.tv_sec
);
264 IXDR_PUT_INT32 (ixdr
, ad
->ad_timestamp
.tv_usec
);
265 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
267 IXDR_PUT_U_INT32 (ixdr
, ad
->ad_window
);
268 IXDR_PUT_U_INT32 (ixdr
, ad
->ad_window
- 1);
269 ivec
.key
.high
= ivec
.key
.low
= 0;
270 status
= cbc_crypt ((char *) &auth
->ah_key
, (char *) cryptbuf
,
271 2 * sizeof (des_block
), DES_ENCRYPT
| DES_HW
, (char *) &ivec
);
274 status
= ecb_crypt ((char *) &auth
->ah_key
, (char *) cryptbuf
,
275 sizeof (des_block
), DES_ENCRYPT
| DES_HW
);
277 if (DES_FAILED (status
))
279 debug ("authdes_marshal: DES encryption failure");
282 ad
->ad_verf
.adv_xtimestamp
= cryptbuf
[0];
283 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
285 ad
->ad_cred
.adc_fullname
.window
= cryptbuf
[1].key
.high
;
286 ad
->ad_verf
.adv_winverf
= cryptbuf
[1].key
.low
;
290 ad
->ad_cred
.adc_nickname
= ad
->ad_nickname
;
291 ad
->ad_verf
.adv_winverf
= 0;
295 * Serialize the credential and verifier into opaque
296 * authentication data.
298 if (ad
->ad_cred
.adc_namekind
== ADN_FULLNAME
)
299 len
= ((1 + 1 + 2 + 1) * BYTES_PER_XDR_UNIT
+ ad
->ad_fullnamelen
);
301 len
= (1 + 1) * BYTES_PER_XDR_UNIT
;
303 if ((ixdr
= xdr_inline (xdrs
, 2 * BYTES_PER_XDR_UNIT
)) != NULL
)
305 IXDR_PUT_INT32 (ixdr
, AUTH_DES
);
306 IXDR_PUT_U_INT32 (ixdr
, len
);
310 ATTEMPT (xdr_putint32 (xdrs
, &auth
->ah_cred
.oa_flavor
));
311 ATTEMPT (xdr_putint32 (xdrs
, &len
));
313 ATTEMPT (INTUSE(xdr_authdes_cred
) (xdrs
, cred
));
315 len
= (2 + 1) * BYTES_PER_XDR_UNIT
;
316 if ((ixdr
= xdr_inline (xdrs
, 2 * BYTES_PER_XDR_UNIT
)) != NULL
)
318 IXDR_PUT_INT32 (ixdr
, AUTH_DES
);
319 IXDR_PUT_U_INT32 (ixdr
, len
);
323 ATTEMPT (xdr_putint32 (xdrs
, &auth
->ah_verf
.oa_flavor
));
324 ATTEMPT (xdr_putint32 (xdrs
, &len
));
326 ATTEMPT (INTUSE(xdr_authdes_verf
) (xdrs
, verf
));
336 authdes_validate (AUTH
*auth
, struct opaque_auth
*rverf
)
338 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
339 struct authdes_verf verf
;
341 register uint32_t *ixdr
;
343 if (rverf
->oa_length
!= (2 + 1) * BYTES_PER_XDR_UNIT
)
346 ixdr
= (uint32_t *) rverf
->oa_base
;
347 verf
.adv_xtimestamp
.key
.high
= *ixdr
++;
348 verf
.adv_xtimestamp
.key
.low
= *ixdr
++;
349 verf
.adv_int_u
= *ixdr
++; /* nickname not XDR'd ! */
352 * Decrypt the timestamp
354 status
= ecb_crypt ((char *) &auth
->ah_key
, (char *) &verf
.adv_xtimestamp
,
355 sizeof (des_block
), DES_DECRYPT
| DES_HW
);
357 if (DES_FAILED (status
))
359 debug ("authdes_validate: DES decryption failure");
364 * xdr the decrypted timestamp
366 ixdr
= (uint32_t *) verf
.adv_xtimestamp
.c
;
367 verf
.adv_timestamp
.tv_sec
= IXDR_GET_U_INT32 (ixdr
) + 1;
368 verf
.adv_timestamp
.tv_usec
= IXDR_GET_U_INT32 (ixdr
);
373 if (memcmp ((char *) &ad
->ad_timestamp
, (char *) &verf
.adv_timestamp
,
374 sizeof (struct rpc_timeval
)) != 0)
376 debug ("authdes_validate: verifier mismatch\n");
381 * We have a nickname now, let's use it
383 ad
->ad_nickname
= verf
.adv_nickname
;
384 ad
->ad_cred
.adc_namekind
= ADN_NICKNAME
;
392 authdes_refresh (AUTH
*auth
)
395 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
396 struct authdes_cred
*cred
= &ad
->ad_cred
;
398 if (ad
->ad_dosync
&& !synchronize (&ad
->ad_syncaddr
, &ad
->ad_timediff
))
401 * Hope the clocks are synced!
403 ad
->ad_timediff
.tv_sec
= ad
->ad_timediff
.tv_usec
= 0;
404 debug ("authdes_refresh: unable to synchronize with server");
406 ad
->ad_xkey
= auth
->ah_key
;
407 pkey
.n_bytes
= (char *) (ad
->ad_pkey
);
408 pkey
.n_len
= strlen ((char *) ad
->ad_pkey
) + 1;
409 if (key_encryptsession_pk (ad
->ad_servername
, &pkey
, &ad
->ad_xkey
) < 0)
411 debug ("authdes_create: unable to encrypt conversation key");
414 cred
->adc_fullname
.key
= ad
->ad_xkey
;
415 cred
->adc_namekind
= ADN_FULLNAME
;
416 cred
->adc_fullname
.name
= ad
->ad_fullname
;
424 authdes_destroy (AUTH
*auth
)
426 struct ad_private
*ad
= AUTH_PRIVATE (auth
);
428 FREE (ad
->ad_fullname
, ad
->ad_fullnamelen
+ 1);
429 FREE (ad
->ad_servername
, ad
->ad_servernamelen
+ 1);
430 FREE (ad
, sizeof (struct ad_private
));
431 FREE (auth
, sizeof (AUTH
));
435 * Synchronize with the server at the given address, that is,
436 * adjust timep to reflect the delta between our clocks
440 synchronize (struct sockaddr
*syncaddr
, struct rpc_timeval
*timep
)
442 struct timeval mytime
;
443 struct rpc_timeval timeout
;
445 timeout
.tv_sec
= RTIME_TIMEOUT
;
447 if (rtime ((struct sockaddr_in
*) syncaddr
, timep
, &timeout
) < 0)
450 __gettimeofday (&mytime
, (struct timezone
*) NULL
);
451 timep
->tv_sec
-= mytime
.tv_sec
;
452 if (mytime
.tv_usec
> timep
->tv_usec
)
455 timep
->tv_usec
+= MILLION
;
457 timep
->tv_usec
-= mytime
.tv_usec
;