xref: /titanic_44/usr/src/lib/libnsl/rpc/auth_des.c (revision 61961e0f20c7637a3846bb39786bb9dffa91dfb9) 
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
57c478bd9Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
67c478bd9Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
77c478bd9Sstevel@tonic-gate  * with the License.
87c478bd9Sstevel@tonic-gate  *
97c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
107c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
117c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
127c478bd9Sstevel@tonic-gate  * and limitations under the License.
137c478bd9Sstevel@tonic-gate  *
147c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
157c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
167c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
177c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
187c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
197c478bd9Sstevel@tonic-gate  *
207c478bd9Sstevel@tonic-gate  * CDDL HEADER END
21*61961e0fSrobinson  */
22*61961e0fSrobinson 
23*61961e0fSrobinson /*
24*61961e0fSrobinson  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
257c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
267c478bd9Sstevel@tonic-gate  */
277c478bd9Sstevel@tonic-gate /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
287c478bd9Sstevel@tonic-gate /* All Rights Reserved */
297c478bd9Sstevel@tonic-gate /*
307c478bd9Sstevel@tonic-gate  * Portions of this source code were derived from Berkeley
317c478bd9Sstevel@tonic-gate  * 4.3 BSD under license from the Regents of the University of
327c478bd9Sstevel@tonic-gate  * California.
337c478bd9Sstevel@tonic-gate  */
347c478bd9Sstevel@tonic-gate 
357c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
367c478bd9Sstevel@tonic-gate 
377c478bd9Sstevel@tonic-gate /*
387c478bd9Sstevel@tonic-gate  * auth_des.c, client-side implementation of DES authentication
397c478bd9Sstevel@tonic-gate  *
407c478bd9Sstevel@tonic-gate  */
417c478bd9Sstevel@tonic-gate 
427c478bd9Sstevel@tonic-gate #include "mt.h"
437c478bd9Sstevel@tonic-gate #include "rpc_mt.h"
447c478bd9Sstevel@tonic-gate #include <rpc/rpc.h>
457c478bd9Sstevel@tonic-gate #include <rpc/des_crypt.h>
467c478bd9Sstevel@tonic-gate #include <syslog.h>
477c478bd9Sstevel@tonic-gate #include <stdlib.h>
487c478bd9Sstevel@tonic-gate #include <string.h>
497c478bd9Sstevel@tonic-gate #include <synch.h>
507c478bd9Sstevel@tonic-gate #undef NIS
517c478bd9Sstevel@tonic-gate #include <rpcsvc/nis.h>
527c478bd9Sstevel@tonic-gate 
537c478bd9Sstevel@tonic-gate #define	USEC_PER_SEC		1000000
547c478bd9Sstevel@tonic-gate #define	RTIME_TIMEOUT		5	/* seconds to wait for sync */
557c478bd9Sstevel@tonic-gate 
567c478bd9Sstevel@tonic-gate extern bool_t xdr_authdes_cred(XDR *, struct authdes_cred *);
577c478bd9Sstevel@tonic-gate extern bool_t xdr_authdes_verf(XDR *, struct authdes_verf *);
58*61961e0fSrobinson extern int key_encryptsession_pk(const char *, netobj *, des_block *);
597c478bd9Sstevel@tonic-gate 
607c478bd9Sstevel@tonic-gate extern bool_t __rpc_get_time_offset(struct timeval *, nis_server *, char *,
617c478bd9Sstevel@tonic-gate 						char **, char **);
62*61961e0fSrobinson static struct auth_ops *authdes_ops(void);
63*61961e0fSrobinson static bool_t authdes_refresh(AUTH *, void *);
647c478bd9Sstevel@tonic-gate 
657c478bd9Sstevel@tonic-gate /*
667c478bd9Sstevel@tonic-gate  * This struct is pointed to by the ah_private field of an "AUTH *"
677c478bd9Sstevel@tonic-gate  */
687c478bd9Sstevel@tonic-gate struct ad_private {
697c478bd9Sstevel@tonic-gate 	char *ad_fullname;		/* client's full name */
707c478bd9Sstevel@tonic-gate 	uint_t ad_fullnamelen;		/* length of name, rounded up */
717c478bd9Sstevel@tonic-gate 	char *ad_servername;		/* server's full name */
727c478bd9Sstevel@tonic-gate 	size_t ad_servernamelen;	/* length of name, rounded up */
737c478bd9Sstevel@tonic-gate 	uint_t ad_window;		/* client specified window */
747c478bd9Sstevel@tonic-gate 	bool_t ad_dosync;		/* synchronize? */
757c478bd9Sstevel@tonic-gate 	char *ad_timehost;		/* remote host to sync with */
767c478bd9Sstevel@tonic-gate 	struct timeval ad_timediff;	/* server's time - client's time */
777c478bd9Sstevel@tonic-gate 	uint_t ad_nickname;		/* server's nickname for client */
787c478bd9Sstevel@tonic-gate 	struct authdes_cred ad_cred;	/* storage for credential */
797c478bd9Sstevel@tonic-gate 	struct authdes_verf ad_verf;	/* storage for verifier */
807c478bd9Sstevel@tonic-gate 	struct timeval ad_timestamp;	/* timestamp sent */
817c478bd9Sstevel@tonic-gate 	des_block ad_xkey;		/* encrypted conversation key */
827c478bd9Sstevel@tonic-gate 	uchar_t ad_pkey[1024];		/* Servers actual public key */
837c478bd9Sstevel@tonic-gate 	char *ad_netid;			/* Timehost netid */
847c478bd9Sstevel@tonic-gate 	char *ad_uaddr;			/* Timehost uaddr */
857c478bd9Sstevel@tonic-gate 	nis_server *ad_nis_srvr;	/* NIS+ server struct */
867c478bd9Sstevel@tonic-gate };
877c478bd9Sstevel@tonic-gate 
88*61961e0fSrobinson extern AUTH *authdes_pk_seccreate(const char *, netobj *, uint_t, const char *,
897c478bd9Sstevel@tonic-gate 				const des_block *, nis_server *);
907c478bd9Sstevel@tonic-gate 
917c478bd9Sstevel@tonic-gate /*
927c478bd9Sstevel@tonic-gate  * documented version of authdes_seccreate
937c478bd9Sstevel@tonic-gate  */
947c478bd9Sstevel@tonic-gate /*
957c478bd9Sstevel@tonic-gate  *	servername: 	network name of server
967c478bd9Sstevel@tonic-gate  *	win:		time to live
977c478bd9Sstevel@tonic-gate  *	timehost:	optional hostname to sync with
987c478bd9Sstevel@tonic-gate  *	ckey:		optional conversation key to use
997c478bd9Sstevel@tonic-gate  */
1007c478bd9Sstevel@tonic-gate 
1017c478bd9Sstevel@tonic-gate AUTH *
authdes_seccreate(const char * servername,const uint_t win,const char * timehost,const des_block * ckey)1027c478bd9Sstevel@tonic-gate authdes_seccreate(const char *servername, const uint_t win,
1037c478bd9Sstevel@tonic-gate 	const char *timehost, const des_block *ckey)
1047c478bd9Sstevel@tonic-gate {
1057c478bd9Sstevel@tonic-gate 	uchar_t	pkey_data[1024];
1067c478bd9Sstevel@tonic-gate 	netobj	pkey;
1077c478bd9Sstevel@tonic-gate 
1087c478bd9Sstevel@tonic-gate 	if (!getpublickey(servername, (char *)pkey_data)) {
1097c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR,
1107c478bd9Sstevel@tonic-gate 			"authdes_seccreate: no public key found for %s",
1117c478bd9Sstevel@tonic-gate 			servername);
1127c478bd9Sstevel@tonic-gate 
1137c478bd9Sstevel@tonic-gate 		return (NULL);
1147c478bd9Sstevel@tonic-gate 	}
1157c478bd9Sstevel@tonic-gate 
1167c478bd9Sstevel@tonic-gate 	pkey.n_bytes = (char *)pkey_data;
1177c478bd9Sstevel@tonic-gate 	pkey.n_len = (uint_t)strlen((char *)pkey_data) + 1;
118*61961e0fSrobinson 	return (authdes_pk_seccreate(servername, &pkey, win, timehost,
119*61961e0fSrobinson 					ckey, NULL));
1207c478bd9Sstevel@tonic-gate }
1217c478bd9Sstevel@tonic-gate 
1227c478bd9Sstevel@tonic-gate /*
1237c478bd9Sstevel@tonic-gate  * Slightly modified version of authdes_seccreate which takes the public key
1247c478bd9Sstevel@tonic-gate  * of the server principal as an argument. This spares us a call to
1257c478bd9Sstevel@tonic-gate  * getpublickey() which in the nameserver context can cause a deadlock.
1267c478bd9Sstevel@tonic-gate  */
1277c478bd9Sstevel@tonic-gate 
1287c478bd9Sstevel@tonic-gate AUTH *
authdes_pk_seccreate(const char * servername,netobj * pkey,uint_t window,const char * timehost,const des_block * ckey,nis_server * srvr)1297c478bd9Sstevel@tonic-gate authdes_pk_seccreate(const char *servername, netobj *pkey, uint_t window,
1307c478bd9Sstevel@tonic-gate 	const char *timehost, const des_block *ckey, nis_server *srvr)
1317c478bd9Sstevel@tonic-gate {
1327c478bd9Sstevel@tonic-gate 	AUTH *auth;
1337c478bd9Sstevel@tonic-gate 	struct ad_private *ad;
1347c478bd9Sstevel@tonic-gate 	char namebuf[MAXNETNAMELEN+1];
1357c478bd9Sstevel@tonic-gate 
1367c478bd9Sstevel@tonic-gate 	/*
1377c478bd9Sstevel@tonic-gate 	 * Allocate everything now
1387c478bd9Sstevel@tonic-gate 	 */
139*61961e0fSrobinson 	auth = malloc(sizeof (AUTH));
1407c478bd9Sstevel@tonic-gate 	if (auth == NULL) {
1417c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "authdes_pk_seccreate: out of memory");
1427c478bd9Sstevel@tonic-gate 		return (NULL);
1437c478bd9Sstevel@tonic-gate 	}
144*61961e0fSrobinson 	ad = malloc(sizeof (struct ad_private));
1457c478bd9Sstevel@tonic-gate 	if (ad == NULL) {
1467c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "authdes_pk_seccreate: out of memory");
1477c478bd9Sstevel@tonic-gate 		goto failed;
1487c478bd9Sstevel@tonic-gate 	}
1497c478bd9Sstevel@tonic-gate 	ad->ad_fullname = ad->ad_servername = NULL; /* Sanity reasons */
1507c478bd9Sstevel@tonic-gate 	ad->ad_timehost = NULL;
1517c478bd9Sstevel@tonic-gate 	ad->ad_netid = NULL;
1527c478bd9Sstevel@tonic-gate 	ad->ad_uaddr = NULL;
1537c478bd9Sstevel@tonic-gate 	ad->ad_nis_srvr = NULL;
1547c478bd9Sstevel@tonic-gate 	ad->ad_timediff.tv_sec = 0;
1557c478bd9Sstevel@tonic-gate 	ad->ad_timediff.tv_usec = 0;
156*61961e0fSrobinson 	(void) memcpy(ad->ad_pkey, pkey->n_bytes, pkey->n_len);
1577c478bd9Sstevel@tonic-gate 	if (!getnetname(namebuf))
1587c478bd9Sstevel@tonic-gate 		goto failed;
1597c478bd9Sstevel@tonic-gate 	ad->ad_fullnamelen = RNDUP((uint_t)strlen(namebuf));
160*61961e0fSrobinson 	ad->ad_fullname = malloc(ad->ad_fullnamelen + 1);
1617c478bd9Sstevel@tonic-gate 	ad->ad_servernamelen = strlen(servername);
162*61961e0fSrobinson 	ad->ad_servername = malloc(ad->ad_servernamelen + 1);
1637c478bd9Sstevel@tonic-gate 
1647c478bd9Sstevel@tonic-gate 	if (ad->ad_fullname == NULL || ad->ad_servername == NULL) {
1657c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "authdes_seccreate: out of memory");
1667c478bd9Sstevel@tonic-gate 		goto failed;
1677c478bd9Sstevel@tonic-gate 	}
1687c478bd9Sstevel@tonic-gate 	if (timehost != NULL) {
169*61961e0fSrobinson 		ad->ad_timehost = malloc(strlen(timehost) + 1);
1707c478bd9Sstevel@tonic-gate 		if (ad->ad_timehost == NULL) {
1717c478bd9Sstevel@tonic-gate 			syslog(LOG_ERR, "authdes_seccreate: out of memory");
1727c478bd9Sstevel@tonic-gate 			goto failed;
1737c478bd9Sstevel@tonic-gate 		}
174*61961e0fSrobinson 		(void) memcpy(ad->ad_timehost, timehost, strlen(timehost) + 1);
1757c478bd9Sstevel@tonic-gate 		ad->ad_dosync = TRUE;
1767c478bd9Sstevel@tonic-gate 	} else if (srvr != NULL) {
1777c478bd9Sstevel@tonic-gate 		ad->ad_nis_srvr = srvr;	/* transient */
1787c478bd9Sstevel@tonic-gate 		ad->ad_dosync = TRUE;
1797c478bd9Sstevel@tonic-gate 	} else {
1807c478bd9Sstevel@tonic-gate 		ad->ad_dosync = FALSE;
1817c478bd9Sstevel@tonic-gate 	}
182*61961e0fSrobinson 	(void) memcpy(ad->ad_fullname, namebuf, ad->ad_fullnamelen + 1);
183*61961e0fSrobinson 	(void) memcpy(ad->ad_servername, servername, ad->ad_servernamelen + 1);
1847c478bd9Sstevel@tonic-gate 	ad->ad_window = window;
1857c478bd9Sstevel@tonic-gate 	if (ckey == NULL) {
1867c478bd9Sstevel@tonic-gate 		if (key_gendes(&auth->ah_key) < 0) {
1877c478bd9Sstevel@tonic-gate 			syslog(LOG_ERR,
1887c478bd9Sstevel@tonic-gate 	"authdes_seccreate: keyserv(1m) is unable to generate session key");
1897c478bd9Sstevel@tonic-gate 			goto failed;
1907c478bd9Sstevel@tonic-gate 		}
1917c478bd9Sstevel@tonic-gate 	} else
1927c478bd9Sstevel@tonic-gate 		auth->ah_key = *ckey;
1937c478bd9Sstevel@tonic-gate 
1947c478bd9Sstevel@tonic-gate 	/*
1957c478bd9Sstevel@tonic-gate 	 * Set up auth handle
1967c478bd9Sstevel@tonic-gate 	 */
1977c478bd9Sstevel@tonic-gate 	auth->ah_cred.oa_flavor = AUTH_DES;
1987c478bd9Sstevel@tonic-gate 	auth->ah_verf.oa_flavor = AUTH_DES;
1997c478bd9Sstevel@tonic-gate 	auth->ah_ops = authdes_ops();
2007c478bd9Sstevel@tonic-gate 	auth->ah_private = (caddr_t)ad;
2017c478bd9Sstevel@tonic-gate 
2027c478bd9Sstevel@tonic-gate 	if (!authdes_refresh(auth, NULL)) {
2037c478bd9Sstevel@tonic-gate 		goto failed;
2047c478bd9Sstevel@tonic-gate 	}
2057c478bd9Sstevel@tonic-gate 	ad->ad_nis_srvr = NULL; /* not needed any longer */
2067c478bd9Sstevel@tonic-gate 	return (auth);
2077c478bd9Sstevel@tonic-gate 
2087c478bd9Sstevel@tonic-gate failed:
2097c478bd9Sstevel@tonic-gate 	if (auth)
210*61961e0fSrobinson 		free(auth);
2117c478bd9Sstevel@tonic-gate 	if (ad) {
2127c478bd9Sstevel@tonic-gate 		if (ad->ad_fullname)
213*61961e0fSrobinson 			free(ad->ad_fullname);
2147c478bd9Sstevel@tonic-gate 		if (ad->ad_servername)
215*61961e0fSrobinson 			free(ad->ad_servername);
2167c478bd9Sstevel@tonic-gate 		if (ad->ad_timehost)
217*61961e0fSrobinson 			free(ad->ad_timehost);
2187c478bd9Sstevel@tonic-gate 		if (ad->ad_netid)
219*61961e0fSrobinson 			free(ad->ad_netid);
2207c478bd9Sstevel@tonic-gate 		if (ad->ad_uaddr)
221*61961e0fSrobinson 			free(ad->ad_uaddr);
222*61961e0fSrobinson 		free(ad);
2237c478bd9Sstevel@tonic-gate 	}
2247c478bd9Sstevel@tonic-gate 	return (NULL);
2257c478bd9Sstevel@tonic-gate }
2267c478bd9Sstevel@tonic-gate 
2277c478bd9Sstevel@tonic-gate /*
2287c478bd9Sstevel@tonic-gate  * Implement the five authentication operations
2297c478bd9Sstevel@tonic-gate  */
2307c478bd9Sstevel@tonic-gate 
2317c478bd9Sstevel@tonic-gate /*
2327c478bd9Sstevel@tonic-gate  * 1. Next Verifier
2337c478bd9Sstevel@tonic-gate  */
2347c478bd9Sstevel@tonic-gate /*ARGSUSED*/
2357c478bd9Sstevel@tonic-gate static void
authdes_nextverf(AUTH * auth)2367c478bd9Sstevel@tonic-gate authdes_nextverf(AUTH *auth)
2377c478bd9Sstevel@tonic-gate {
2387c478bd9Sstevel@tonic-gate 	/* what the heck am I supposed to do??? */
2397c478bd9Sstevel@tonic-gate }
2407c478bd9Sstevel@tonic-gate 
2417c478bd9Sstevel@tonic-gate 
2427c478bd9Sstevel@tonic-gate /*
2437c478bd9Sstevel@tonic-gate  * 2. Marshal
2447c478bd9Sstevel@tonic-gate  */
2457c478bd9Sstevel@tonic-gate static bool_t
authdes_marshal(AUTH * auth,XDR * xdrs)2467c478bd9Sstevel@tonic-gate authdes_marshal(AUTH *auth, XDR *xdrs)
2477c478bd9Sstevel@tonic-gate {
2487c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
249*61961e0fSrobinson 	struct ad_private *ad = (struct ad_private *)auth->ah_private;
2507c478bd9Sstevel@tonic-gate 	struct authdes_cred *cred = &ad->ad_cred;
2517c478bd9Sstevel@tonic-gate 	struct authdes_verf *verf = &ad->ad_verf;
2527c478bd9Sstevel@tonic-gate 	des_block cryptbuf[2];
2537c478bd9Sstevel@tonic-gate 	des_block ivec;
2547c478bd9Sstevel@tonic-gate 	int status;
2557c478bd9Sstevel@tonic-gate 	int len;
2567c478bd9Sstevel@tonic-gate 	rpc_inline_t *ixdr;
2577c478bd9Sstevel@tonic-gate 
2587c478bd9Sstevel@tonic-gate 	/*
2597c478bd9Sstevel@tonic-gate 	 * Figure out the "time", accounting for any time difference
2607c478bd9Sstevel@tonic-gate 	 * with the server if necessary.
2617c478bd9Sstevel@tonic-gate 	 */
262*61961e0fSrobinson 	(void) gettimeofday(&ad->ad_timestamp, NULL);
2637c478bd9Sstevel@tonic-gate 	ad->ad_timestamp.tv_sec += ad->ad_timediff.tv_sec;
2647c478bd9Sstevel@tonic-gate 	ad->ad_timestamp.tv_usec += ad->ad_timediff.tv_usec;
2657c478bd9Sstevel@tonic-gate 	while (ad->ad_timestamp.tv_usec >= USEC_PER_SEC) {
2667c478bd9Sstevel@tonic-gate 		ad->ad_timestamp.tv_usec -= USEC_PER_SEC;
2677c478bd9Sstevel@tonic-gate 		ad->ad_timestamp.tv_sec++;
2687c478bd9Sstevel@tonic-gate 	}
2697c478bd9Sstevel@tonic-gate 
2707c478bd9Sstevel@tonic-gate 	/*
2717c478bd9Sstevel@tonic-gate 	 * XDR the timestamp and possibly some other things, then
2727c478bd9Sstevel@tonic-gate 	 * encrypt them.
2737c478bd9Sstevel@tonic-gate 	 */
2747c478bd9Sstevel@tonic-gate 	ixdr = (rpc_inline_t *)cryptbuf;
2757c478bd9Sstevel@tonic-gate 	IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_sec);
2767c478bd9Sstevel@tonic-gate 	IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_usec);
2777c478bd9Sstevel@tonic-gate 	if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
2787c478bd9Sstevel@tonic-gate 		IXDR_PUT_U_INT32(ixdr, ad->ad_window);
2797c478bd9Sstevel@tonic-gate 		IXDR_PUT_U_INT32(ixdr, ad->ad_window - 1);
2807c478bd9Sstevel@tonic-gate 		ivec.key.high = ivec.key.low = 0;
2817c478bd9Sstevel@tonic-gate 		status = cbc_crypt((char *)&auth->ah_key, (char *)cryptbuf,
2827c478bd9Sstevel@tonic-gate 				2 * sizeof (des_block),
2837c478bd9Sstevel@tonic-gate 				DES_ENCRYPT | DES_HW, (char *)&ivec);
2847c478bd9Sstevel@tonic-gate 	} else {
2857c478bd9Sstevel@tonic-gate 		status = ecb_crypt((char *)&auth->ah_key, (char *)cryptbuf,
2867c478bd9Sstevel@tonic-gate 				sizeof (des_block),
2877c478bd9Sstevel@tonic-gate 				DES_ENCRYPT | DES_HW);
2887c478bd9Sstevel@tonic-gate 	}
2897c478bd9Sstevel@tonic-gate 	if (DES_FAILED(status)) {
2907c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "authdes_marshal: DES encryption failure");
2917c478bd9Sstevel@tonic-gate 		return (FALSE);
2927c478bd9Sstevel@tonic-gate 	}
2937c478bd9Sstevel@tonic-gate 	ad->ad_verf.adv_xtimestamp = cryptbuf[0];
2947c478bd9Sstevel@tonic-gate 	if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
2957c478bd9Sstevel@tonic-gate 		ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high;
2967c478bd9Sstevel@tonic-gate 		ad->ad_verf.adv_winverf = cryptbuf[1].key.low;
2977c478bd9Sstevel@tonic-gate 	} else {
2987c478bd9Sstevel@tonic-gate 		ad->ad_cred.adc_nickname = ad->ad_nickname;
2997c478bd9Sstevel@tonic-gate 		ad->ad_verf.adv_winverf = 0;
3007c478bd9Sstevel@tonic-gate 	}
3017c478bd9Sstevel@tonic-gate 
3027c478bd9Sstevel@tonic-gate 	/*
3037c478bd9Sstevel@tonic-gate 	 * Serialize the credential and verifier into opaque
3047c478bd9Sstevel@tonic-gate 	 * authentication data.
3057c478bd9Sstevel@tonic-gate 	 */
3067c478bd9Sstevel@tonic-gate 	if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
3077c478bd9Sstevel@tonic-gate 		len = ((1 + 1 + 2 + 1)*BYTES_PER_XDR_UNIT + ad->ad_fullnamelen);
3087c478bd9Sstevel@tonic-gate 	} else {
3097c478bd9Sstevel@tonic-gate 		len = (1 + 1)*BYTES_PER_XDR_UNIT;
3107c478bd9Sstevel@tonic-gate 	}
3117c478bd9Sstevel@tonic-gate 
3127c478bd9Sstevel@tonic-gate 	if (ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT)) {
3137c478bd9Sstevel@tonic-gate 		IXDR_PUT_INT32(ixdr, AUTH_DES);
3147c478bd9Sstevel@tonic-gate 		IXDR_PUT_INT32(ixdr, len);
3157c478bd9Sstevel@tonic-gate 	} else {
316*61961e0fSrobinson 		if (!xdr_putint32(xdrs, (int *)&auth->ah_cred.oa_flavor))
317*61961e0fSrobinson 			return (FALSE);
318*61961e0fSrobinson 		if (!xdr_putint32(xdrs, &len))
319*61961e0fSrobinson 			return (FALSE);
3207c478bd9Sstevel@tonic-gate 	}
321*61961e0fSrobinson 	if (!xdr_authdes_cred(xdrs, cred))
322*61961e0fSrobinson 		return (FALSE);
3237c478bd9Sstevel@tonic-gate 
3247c478bd9Sstevel@tonic-gate 	len = (2 + 1)*BYTES_PER_XDR_UNIT;
3257c478bd9Sstevel@tonic-gate 	if (ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT)) {
3267c478bd9Sstevel@tonic-gate 		IXDR_PUT_INT32(ixdr, AUTH_DES);
3277c478bd9Sstevel@tonic-gate 		IXDR_PUT_INT32(ixdr, len);
3287c478bd9Sstevel@tonic-gate 	} else {
329*61961e0fSrobinson 		if (!xdr_putint32(xdrs, (int *)&auth->ah_verf.oa_flavor))
330*61961e0fSrobinson 			return (FALSE);
331*61961e0fSrobinson 		if (!xdr_putint32(xdrs, &len))
332*61961e0fSrobinson 			return (FALSE);
3337c478bd9Sstevel@tonic-gate 	}
334*61961e0fSrobinson 	return (xdr_authdes_verf(xdrs, verf));
3357c478bd9Sstevel@tonic-gate }
3367c478bd9Sstevel@tonic-gate 
3377c478bd9Sstevel@tonic-gate 
3387c478bd9Sstevel@tonic-gate /*
3397c478bd9Sstevel@tonic-gate  * 3. Validate
3407c478bd9Sstevel@tonic-gate  */
3417c478bd9Sstevel@tonic-gate static bool_t
authdes_validate(AUTH * auth,struct opaque_auth * rverf)3427c478bd9Sstevel@tonic-gate authdes_validate(AUTH *auth, struct opaque_auth *rverf)
3437c478bd9Sstevel@tonic-gate {
3447c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
345*61961e0fSrobinson 	struct ad_private *ad = (struct ad_private *)auth->ah_private;
3467c478bd9Sstevel@tonic-gate 	struct authdes_verf verf;
3477c478bd9Sstevel@tonic-gate 	int status;
3487c478bd9Sstevel@tonic-gate 	uint32_t *ixdr;
3497c478bd9Sstevel@tonic-gate 	des_block buf;
3507c478bd9Sstevel@tonic-gate 
351*61961e0fSrobinson 	if (rverf->oa_length != (2 + 1) * BYTES_PER_XDR_UNIT)
3527c478bd9Sstevel@tonic-gate 		return (FALSE);
3537c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
3547c478bd9Sstevel@tonic-gate 	ixdr = (uint32_t *)rverf->oa_base;
3557c478bd9Sstevel@tonic-gate 	buf.key.high = (uint32_t)*ixdr++;
3567c478bd9Sstevel@tonic-gate 	buf.key.low = (uint32_t)*ixdr++;
3577c478bd9Sstevel@tonic-gate 	verf.adv_int_u = (uint32_t)*ixdr++;
3587c478bd9Sstevel@tonic-gate 
3597c478bd9Sstevel@tonic-gate 	/*
3607c478bd9Sstevel@tonic-gate 	 * Decrypt the timestamp
3617c478bd9Sstevel@tonic-gate 	 */
3627c478bd9Sstevel@tonic-gate 	status = ecb_crypt((char *)&auth->ah_key, (char *)&buf,
3637c478bd9Sstevel@tonic-gate 		sizeof (des_block), DES_DECRYPT | DES_HW);
3647c478bd9Sstevel@tonic-gate 
3657c478bd9Sstevel@tonic-gate 	if (DES_FAILED(status)) {
3667c478bd9Sstevel@tonic-gate 		syslog(LOG_ERR, "authdes_validate: DES decryption failure");
3677c478bd9Sstevel@tonic-gate 		return (FALSE);
3687c478bd9Sstevel@tonic-gate 	}
3697c478bd9Sstevel@tonic-gate 
3707c478bd9Sstevel@tonic-gate 	/*
3717c478bd9Sstevel@tonic-gate 	 * xdr the decrypted timestamp
3727c478bd9Sstevel@tonic-gate 	 */
3737c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
3747c478bd9Sstevel@tonic-gate 	ixdr = (uint32_t *)buf.c;
3757c478bd9Sstevel@tonic-gate 	verf.adv_timestamp.tv_sec = IXDR_GET_INT32(ixdr) + 1;
3767c478bd9Sstevel@tonic-gate 	verf.adv_timestamp.tv_usec = IXDR_GET_INT32(ixdr);
3777c478bd9Sstevel@tonic-gate 
3787c478bd9Sstevel@tonic-gate 	/*
3797c478bd9Sstevel@tonic-gate 	 * validate
3807c478bd9Sstevel@tonic-gate 	 */
381*61961e0fSrobinson 	if (memcmp(&ad->ad_timestamp, &verf.adv_timestamp,
3827c478bd9Sstevel@tonic-gate 		sizeof (struct timeval)) != 0) {
3837c478bd9Sstevel@tonic-gate 		syslog(LOG_DEBUG, "authdes_validate: verifier mismatch");
3847c478bd9Sstevel@tonic-gate 		return (FALSE);
3857c478bd9Sstevel@tonic-gate 	}
3867c478bd9Sstevel@tonic-gate 
3877c478bd9Sstevel@tonic-gate 	/*
3887c478bd9Sstevel@tonic-gate 	 * We have a nickname now, let's use it
3897c478bd9Sstevel@tonic-gate 	 */
3907c478bd9Sstevel@tonic-gate 	ad->ad_nickname = verf.adv_nickname;
3917c478bd9Sstevel@tonic-gate 	ad->ad_cred.adc_namekind = ADN_NICKNAME;
3927c478bd9Sstevel@tonic-gate 	return (TRUE);
3937c478bd9Sstevel@tonic-gate }
3947c478bd9Sstevel@tonic-gate 
3957c478bd9Sstevel@tonic-gate /*
3967c478bd9Sstevel@tonic-gate  * 4. Refresh
3977c478bd9Sstevel@tonic-gate  */
3987c478bd9Sstevel@tonic-gate /*ARGSUSED*/
3997c478bd9Sstevel@tonic-gate static bool_t
authdes_refresh(AUTH * auth,void * dummy)4007c478bd9Sstevel@tonic-gate authdes_refresh(AUTH *auth, void *dummy)
4017c478bd9Sstevel@tonic-gate {
4027c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
403*61961e0fSrobinson 	struct ad_private *ad = (struct ad_private *)auth->ah_private;
4047c478bd9Sstevel@tonic-gate 	struct authdes_cred *cred = &ad->ad_cred;
4057c478bd9Sstevel@tonic-gate 	int		ok;
4067c478bd9Sstevel@tonic-gate 	netobj		pkey;
4077c478bd9Sstevel@tonic-gate 
4087c478bd9Sstevel@tonic-gate 	if (ad->ad_dosync) {
4097c478bd9Sstevel@tonic-gate 		ok = __rpc_get_time_offset(&ad->ad_timediff, ad->ad_nis_srvr,
4107c478bd9Sstevel@tonic-gate 					    ad->ad_timehost, &(ad->ad_uaddr),
4117c478bd9Sstevel@tonic-gate 					    &(ad->ad_netid));
4127c478bd9Sstevel@tonic-gate 		if (!ok) {
4137c478bd9Sstevel@tonic-gate 			/*
4147c478bd9Sstevel@tonic-gate 			 * Hope the clocks are synced!
4157c478bd9Sstevel@tonic-gate 			 */
4167c478bd9Sstevel@tonic-gate 			ad->ad_dosync = 0;
4177c478bd9Sstevel@tonic-gate 			syslog(LOG_DEBUG,
4187c478bd9Sstevel@tonic-gate 		    "authdes_refresh: unable to synchronize clock");
4197c478bd9Sstevel@tonic-gate 		}
4207c478bd9Sstevel@tonic-gate 	}
4217c478bd9Sstevel@tonic-gate 	ad->ad_xkey = auth->ah_key;
4227c478bd9Sstevel@tonic-gate 	pkey.n_bytes = (char *)(ad->ad_pkey);
4237c478bd9Sstevel@tonic-gate 	pkey.n_len = (uint_t)strlen((char *)ad->ad_pkey) + 1;
4247c478bd9Sstevel@tonic-gate 	if (key_encryptsession_pk(ad->ad_servername, &pkey, &ad->ad_xkey) < 0) {
4257c478bd9Sstevel@tonic-gate 		syslog(LOG_INFO,
4267c478bd9Sstevel@tonic-gate 	"authdes_refresh: keyserv(1m) is unable to encrypt session key");
4277c478bd9Sstevel@tonic-gate 		return (FALSE);
4287c478bd9Sstevel@tonic-gate 	}
4297c478bd9Sstevel@tonic-gate 	cred->adc_fullname.key = ad->ad_xkey;
4307c478bd9Sstevel@tonic-gate 	cred->adc_namekind = ADN_FULLNAME;
4317c478bd9Sstevel@tonic-gate 	cred->adc_fullname.name = ad->ad_fullname;
4327c478bd9Sstevel@tonic-gate 	return (TRUE);
4337c478bd9Sstevel@tonic-gate }
4347c478bd9Sstevel@tonic-gate 
4357c478bd9Sstevel@tonic-gate 
4367c478bd9Sstevel@tonic-gate /*
4377c478bd9Sstevel@tonic-gate  * 5. Destroy
4387c478bd9Sstevel@tonic-gate  */
4397c478bd9Sstevel@tonic-gate static void
authdes_destroy(AUTH * auth)4407c478bd9Sstevel@tonic-gate authdes_destroy(AUTH *auth)
4417c478bd9Sstevel@tonic-gate {
4427c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */
443*61961e0fSrobinson 	struct ad_private *ad = (struct ad_private *)auth->ah_private;
4447c478bd9Sstevel@tonic-gate 
445*61961e0fSrobinson 	free(ad->ad_fullname);
446*61961e0fSrobinson 	free(ad->ad_servername);
4477c478bd9Sstevel@tonic-gate 	if (ad->ad_timehost)
448*61961e0fSrobinson 		free(ad->ad_timehost);
4497c478bd9Sstevel@tonic-gate 	if (ad->ad_netid)
450*61961e0fSrobinson 		free(ad->ad_netid);
4517c478bd9Sstevel@tonic-gate 	if (ad->ad_uaddr)
452*61961e0fSrobinson 		free(ad->ad_uaddr);
453*61961e0fSrobinson 	free(ad);
454*61961e0fSrobinson 	free(auth);
4557c478bd9Sstevel@tonic-gate }
4567c478bd9Sstevel@tonic-gate 
4577c478bd9Sstevel@tonic-gate static struct auth_ops *
authdes_ops(void)4587c478bd9Sstevel@tonic-gate authdes_ops(void)
4597c478bd9Sstevel@tonic-gate {
4607c478bd9Sstevel@tonic-gate 	static struct auth_ops ops;
4617c478bd9Sstevel@tonic-gate 	extern mutex_t ops_lock;
4627c478bd9Sstevel@tonic-gate 
4637c478bd9Sstevel@tonic-gate 	/* VARIABLES PROTECTED BY ops_lock: ops */
4647c478bd9Sstevel@tonic-gate 
465*61961e0fSrobinson 	(void) mutex_lock(&ops_lock);
4667c478bd9Sstevel@tonic-gate 	if (ops.ah_nextverf == NULL) {
4677c478bd9Sstevel@tonic-gate 		ops.ah_nextverf = authdes_nextverf;
4687c478bd9Sstevel@tonic-gate 		ops.ah_marshal = authdes_marshal;
4697c478bd9Sstevel@tonic-gate 		ops.ah_validate = authdes_validate;
4707c478bd9Sstevel@tonic-gate 		ops.ah_refresh = authdes_refresh;
4717c478bd9Sstevel@tonic-gate 		ops.ah_destroy = authdes_destroy;
4727c478bd9Sstevel@tonic-gate 	}
473*61961e0fSrobinson 	(void) mutex_unlock(&ops_lock);
4747c478bd9Sstevel@tonic-gate 	return (&ops);
4757c478bd9Sstevel@tonic-gate }
476