1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*7c478bd9Sstevel@tonic-gate * with the License. 8*7c478bd9Sstevel@tonic-gate * 9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 12*7c478bd9Sstevel@tonic-gate * and limitations under the License. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*7c478bd9Sstevel@tonic-gate */ 22*7c478bd9Sstevel@tonic-gate /* 23*7c478bd9Sstevel@tonic-gate * Copyright 2003 Sun Microsystems, Inc. All rights reserved. 24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 25*7c478bd9Sstevel@tonic-gate */ 26*7c478bd9Sstevel@tonic-gate 27*7c478bd9Sstevel@tonic-gate /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ 28*7c478bd9Sstevel@tonic-gate /* All Rights Reserved */ 29*7c478bd9Sstevel@tonic-gate 30*7c478bd9Sstevel@tonic-gate /* 31*7c478bd9Sstevel@tonic-gate * Portions of this source code were derived from Berkeley 4.3 BSD 32*7c478bd9Sstevel@tonic-gate * under license from the Regents of the University of California. 33*7c478bd9Sstevel@tonic-gate */ 34*7c478bd9Sstevel@tonic-gate 35*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 36*7c478bd9Sstevel@tonic-gate 37*7c478bd9Sstevel@tonic-gate /* 38*7c478bd9Sstevel@tonic-gate * auth_des.c, client-side implementation of DES authentication 39*7c478bd9Sstevel@tonic-gate */ 40*7c478bd9Sstevel@tonic-gate 41*7c478bd9Sstevel@tonic-gate #include <sys/types.h> 42*7c478bd9Sstevel@tonic-gate #include <sys/t_lock.h> 43*7c478bd9Sstevel@tonic-gate #include <sys/time.h> 44*7c478bd9Sstevel@tonic-gate #include <sys/systm.h> 45*7c478bd9Sstevel@tonic-gate #include <sys/socket.h> 46*7c478bd9Sstevel@tonic-gate #include <sys/tiuser.h> 47*7c478bd9Sstevel@tonic-gate #include <sys/errno.h> 48*7c478bd9Sstevel@tonic-gate #include <rpc/des_crypt.h> 49*7c478bd9Sstevel@tonic-gate #include <rpc/types.h> 50*7c478bd9Sstevel@tonic-gate #include <rpc/auth.h> 51*7c478bd9Sstevel@tonic-gate #include <rpc/auth_des.h> 52*7c478bd9Sstevel@tonic-gate #include <rpc/xdr.h> 53*7c478bd9Sstevel@tonic-gate #include <rpc/clnt.h> 54*7c478bd9Sstevel@tonic-gate #include <rpc/rpc_msg.h> 55*7c478bd9Sstevel@tonic-gate #include <netinet/in.h> /* XXX: just to get htonl() and ntohl() */ 56*7c478bd9Sstevel@tonic-gate #include <sys/cmn_err.h> 57*7c478bd9Sstevel@tonic-gate #include <sys/debug.h> 58*7c478bd9Sstevel@tonic-gate 59*7c478bd9Sstevel@tonic-gate #define MILLION 1000000 60*7c478bd9Sstevel@tonic-gate #define RTIME_TIMEOUT 5 /* seconds to wait for sync */ 61*7c478bd9Sstevel@tonic-gate 62*7c478bd9Sstevel@tonic-gate #define AUTH_PRIVATE(auth) (struct ad_private *)auth->ah_private 63*7c478bd9Sstevel@tonic-gate #define ALLOC(object_type) (object_type *) mem_alloc(sizeof (object_type)) 64*7c478bd9Sstevel@tonic-gate #define FREE(ptr, size) mem_free((char *)(ptr), (int)size) 65*7c478bd9Sstevel@tonic-gate #define ATTEMPT(xdr_op) if (!(xdr_op))\ 66*7c478bd9Sstevel@tonic-gate return (FALSE) 67*7c478bd9Sstevel@tonic-gate 68*7c478bd9Sstevel@tonic-gate #define gettimeofday(tvp, tzp) uniqtime(tvp) 69*7c478bd9Sstevel@tonic-gate 70*7c478bd9Sstevel@tonic-gate static void authdes_nextverf(AUTH *); 71*7c478bd9Sstevel@tonic-gate static bool_t authdes_marshal(AUTH *, XDR *, struct cred *); 72*7c478bd9Sstevel@tonic-gate static bool_t authdes_validate(AUTH *, struct opaque_auth *); 73*7c478bd9Sstevel@tonic-gate static bool_t authdes_refresh(AUTH *, struct rpc_msg *, cred_t *); 74*7c478bd9Sstevel@tonic-gate static void authdes_destroy(AUTH *); 75*7c478bd9Sstevel@tonic-gate static bool_t synchronize(struct knetconfig *, struct netbuf *, 76*7c478bd9Sstevel@tonic-gate int, struct timeval *); 77*7c478bd9Sstevel@tonic-gate 78*7c478bd9Sstevel@tonic-gate static struct auth_ops *authdes_ops(void); 79*7c478bd9Sstevel@tonic-gate 80*7c478bd9Sstevel@tonic-gate /* 81*7c478bd9Sstevel@tonic-gate * This struct is pointed to by the ah_private field of an "AUTH *" 82*7c478bd9Sstevel@tonic-gate */ 83*7c478bd9Sstevel@tonic-gate struct ad_private { 84*7c478bd9Sstevel@tonic-gate char *ad_fullname; /* client's full name */ 85*7c478bd9Sstevel@tonic-gate uint_t ad_fullnamelen; /* length of name, rounded up */ 86*7c478bd9Sstevel@tonic-gate char *ad_servername; /* server's full name */ 87*7c478bd9Sstevel@tonic-gate uint_t ad_servernamelen; /* length of name, rounded up */ 88*7c478bd9Sstevel@tonic-gate uint_t ad_window; /* client specified window */ 89*7c478bd9Sstevel@tonic-gate bool_t ad_dosync; /* synchronize? */ 90*7c478bd9Sstevel@tonic-gate struct netbuf ad_syncaddr; /* remote host to synch with */ 91*7c478bd9Sstevel@tonic-gate struct knetconfig ad_synconfig; /* netconfig for the synch host */ 92*7c478bd9Sstevel@tonic-gate int ad_calltype; /* use rpc or straight call for sync */ 93*7c478bd9Sstevel@tonic-gate struct timeval ad_timediff; /* server's time - client's time */ 94*7c478bd9Sstevel@tonic-gate uint32_t ad_nickname; /* server's nickname for client */ 95*7c478bd9Sstevel@tonic-gate struct authdes_cred ad_cred; /* storage for credential */ 96*7c478bd9Sstevel@tonic-gate struct authdes_verf ad_verf; /* storage for verifier */ 97*7c478bd9Sstevel@tonic-gate struct timeval ad_timestamp; /* timestamp sent */ 98*7c478bd9Sstevel@tonic-gate des_block ad_xkey; /* encrypted conversation key */ 99*7c478bd9Sstevel@tonic-gate }; 100*7c478bd9Sstevel@tonic-gate 101*7c478bd9Sstevel@tonic-gate 102*7c478bd9Sstevel@tonic-gate /* 103*7c478bd9Sstevel@tonic-gate * Create the client des authentication object 104*7c478bd9Sstevel@tonic-gate */ 105*7c478bd9Sstevel@tonic-gate /* ARGSUSED */ 106*7c478bd9Sstevel@tonic-gate int 107*7c478bd9Sstevel@tonic-gate authdes_create(char *servername, uint_t window, struct netbuf *syncaddr, 108*7c478bd9Sstevel@tonic-gate struct knetconfig *synconfig, des_block *ckey, int calltype, 109*7c478bd9Sstevel@tonic-gate AUTH **retauth) 110*7c478bd9Sstevel@tonic-gate { 111*7c478bd9Sstevel@tonic-gate AUTH *auth; 112*7c478bd9Sstevel@tonic-gate struct ad_private *ad; 113*7c478bd9Sstevel@tonic-gate char namebuf[MAXNETNAMELEN+1]; 114*7c478bd9Sstevel@tonic-gate int error = 0; 115*7c478bd9Sstevel@tonic-gate enum clnt_stat stat; 116*7c478bd9Sstevel@tonic-gate 117*7c478bd9Sstevel@tonic-gate if (retauth == NULL) 118*7c478bd9Sstevel@tonic-gate return (EINVAL); 119*7c478bd9Sstevel@tonic-gate 120*7c478bd9Sstevel@tonic-gate *retauth = NULL; 121*7c478bd9Sstevel@tonic-gate 122*7c478bd9Sstevel@tonic-gate /* 123*7c478bd9Sstevel@tonic-gate * Allocate everything now 124*7c478bd9Sstevel@tonic-gate */ 125*7c478bd9Sstevel@tonic-gate auth = ALLOC(AUTH); 126*7c478bd9Sstevel@tonic-gate ad = ALLOC(struct ad_private); 127*7c478bd9Sstevel@tonic-gate bzero(ad, sizeof (struct ad_private)); 128*7c478bd9Sstevel@tonic-gate if ((stat = kgetnetname(namebuf)) != 0) { 129*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, 130*7c478bd9Sstevel@tonic-gate "authdes_create: unable to get client's netname: %s (error %d)", 131*7c478bd9Sstevel@tonic-gate clnt_sperrno(stat), stat); 132*7c478bd9Sstevel@tonic-gate goto failed; 133*7c478bd9Sstevel@tonic-gate } 134*7c478bd9Sstevel@tonic-gate 135*7c478bd9Sstevel@tonic-gate ad->ad_fullnamelen = (uint_t)RNDUP(strlen(namebuf)); 136*7c478bd9Sstevel@tonic-gate ad->ad_fullname = mem_alloc(ad->ad_fullnamelen + 1); 137*7c478bd9Sstevel@tonic-gate 138*7c478bd9Sstevel@tonic-gate ad->ad_servernamelen = (uint_t)strlen(servername); 139*7c478bd9Sstevel@tonic-gate ad->ad_servername = mem_alloc(ad->ad_servernamelen + 1); 140*7c478bd9Sstevel@tonic-gate 141*7c478bd9Sstevel@tonic-gate if (auth == NULL || ad == NULL || ad->ad_fullname == NULL || 142*7c478bd9Sstevel@tonic-gate ad->ad_servername == NULL) { 143*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, "authdes_create: out of memory"); 144*7c478bd9Sstevel@tonic-gate error = ENOMEM; 145*7c478bd9Sstevel@tonic-gate goto failed; 146*7c478bd9Sstevel@tonic-gate } 147*7c478bd9Sstevel@tonic-gate 148*7c478bd9Sstevel@tonic-gate /* 149*7c478bd9Sstevel@tonic-gate * Set up private data 150*7c478bd9Sstevel@tonic-gate */ 151*7c478bd9Sstevel@tonic-gate bcopy(namebuf, ad->ad_fullname, ad->ad_fullnamelen + 1); 152*7c478bd9Sstevel@tonic-gate bcopy(servername, ad->ad_servername, ad->ad_servernamelen + 1); 153*7c478bd9Sstevel@tonic-gate if (syncaddr != NULL) { 154*7c478bd9Sstevel@tonic-gate ad->ad_syncaddr = *syncaddr; 155*7c478bd9Sstevel@tonic-gate ad->ad_synconfig = *synconfig; 156*7c478bd9Sstevel@tonic-gate ad->ad_dosync = TRUE; 157*7c478bd9Sstevel@tonic-gate ad->ad_calltype = calltype; 158*7c478bd9Sstevel@tonic-gate } else { 159*7c478bd9Sstevel@tonic-gate ad->ad_timediff.tv_sec = 0; 160*7c478bd9Sstevel@tonic-gate ad->ad_timediff.tv_usec = 0; 161*7c478bd9Sstevel@tonic-gate ad->ad_dosync = FALSE; 162*7c478bd9Sstevel@tonic-gate } 163*7c478bd9Sstevel@tonic-gate ad->ad_window = window; 164*7c478bd9Sstevel@tonic-gate if (ckey == NULL) { 165*7c478bd9Sstevel@tonic-gate if ((stat = key_gendes(&auth->ah_key)) != RPC_SUCCESS) { 166*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, 167*7c478bd9Sstevel@tonic-gate "authdes_create: unable to gen conversation key: %s (error %d)", 168*7c478bd9Sstevel@tonic-gate clnt_sperrno(stat), stat); 169*7c478bd9Sstevel@tonic-gate if (stat == RPC_INTR) 170*7c478bd9Sstevel@tonic-gate error = EINTR; 171*7c478bd9Sstevel@tonic-gate else if (stat == RPC_TIMEDOUT) 172*7c478bd9Sstevel@tonic-gate error = ETIMEDOUT; 173*7c478bd9Sstevel@tonic-gate else 174*7c478bd9Sstevel@tonic-gate error = EINVAL; /* XXX */ 175*7c478bd9Sstevel@tonic-gate goto failed; 176*7c478bd9Sstevel@tonic-gate } 177*7c478bd9Sstevel@tonic-gate } else 178*7c478bd9Sstevel@tonic-gate auth->ah_key = *ckey; 179*7c478bd9Sstevel@tonic-gate 180*7c478bd9Sstevel@tonic-gate /* 181*7c478bd9Sstevel@tonic-gate * Set up auth handle 182*7c478bd9Sstevel@tonic-gate */ 183*7c478bd9Sstevel@tonic-gate auth->ah_cred.oa_flavor = AUTH_DES; 184*7c478bd9Sstevel@tonic-gate auth->ah_verf.oa_flavor = AUTH_DES; 185*7c478bd9Sstevel@tonic-gate auth->ah_ops = authdes_ops(); 186*7c478bd9Sstevel@tonic-gate auth->ah_private = (caddr_t)ad; 187*7c478bd9Sstevel@tonic-gate 188*7c478bd9Sstevel@tonic-gate if (!authdes_refresh(auth, NULL, CRED())) 189*7c478bd9Sstevel@tonic-gate goto failed; 190*7c478bd9Sstevel@tonic-gate 191*7c478bd9Sstevel@tonic-gate *retauth = auth; 192*7c478bd9Sstevel@tonic-gate return (0); 193*7c478bd9Sstevel@tonic-gate 194*7c478bd9Sstevel@tonic-gate failed: 195*7c478bd9Sstevel@tonic-gate if (ad != NULL && ad->ad_fullname != NULL) 196*7c478bd9Sstevel@tonic-gate FREE(ad->ad_fullname, ad->ad_fullnamelen + 1); 197*7c478bd9Sstevel@tonic-gate if (ad != NULL && ad->ad_servername != NULL) 198*7c478bd9Sstevel@tonic-gate FREE(ad->ad_servername, ad->ad_servernamelen + 1); 199*7c478bd9Sstevel@tonic-gate if (ad != NULL) 200*7c478bd9Sstevel@tonic-gate FREE(ad, sizeof (struct ad_private)); 201*7c478bd9Sstevel@tonic-gate if (auth != NULL) 202*7c478bd9Sstevel@tonic-gate FREE(auth, sizeof (AUTH)); 203*7c478bd9Sstevel@tonic-gate return ((error == 0) ? EINVAL : error); /* XXX */ 204*7c478bd9Sstevel@tonic-gate } 205*7c478bd9Sstevel@tonic-gate 206*7c478bd9Sstevel@tonic-gate /* 207*7c478bd9Sstevel@tonic-gate * Implement the five authentication operations 208*7c478bd9Sstevel@tonic-gate */ 209*7c478bd9Sstevel@tonic-gate 210*7c478bd9Sstevel@tonic-gate /* 211*7c478bd9Sstevel@tonic-gate * 1. Next Verifier 212*7c478bd9Sstevel@tonic-gate */ 213*7c478bd9Sstevel@tonic-gate /* ARGSUSED */ 214*7c478bd9Sstevel@tonic-gate static void 215*7c478bd9Sstevel@tonic-gate authdes_nextverf(AUTH *auth) 216*7c478bd9Sstevel@tonic-gate { 217*7c478bd9Sstevel@tonic-gate /* what the heck am I supposed to do??? */ 218*7c478bd9Sstevel@tonic-gate } 219*7c478bd9Sstevel@tonic-gate 220*7c478bd9Sstevel@tonic-gate /* 221*7c478bd9Sstevel@tonic-gate * 2. Marshal 222*7c478bd9Sstevel@tonic-gate */ 223*7c478bd9Sstevel@tonic-gate /* ARGSUSED */ 224*7c478bd9Sstevel@tonic-gate static bool_t 225*7c478bd9Sstevel@tonic-gate authdes_marshal(AUTH *auth, XDR *xdrs, struct cred *cr) 226*7c478bd9Sstevel@tonic-gate { 227*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 228*7c478bd9Sstevel@tonic-gate struct ad_private *ad = AUTH_PRIVATE(auth); 229*7c478bd9Sstevel@tonic-gate struct authdes_cred *cred = &ad->ad_cred; 230*7c478bd9Sstevel@tonic-gate struct authdes_verf *verf = &ad->ad_verf; 231*7c478bd9Sstevel@tonic-gate des_block cryptbuf[2]; 232*7c478bd9Sstevel@tonic-gate des_block ivec; 233*7c478bd9Sstevel@tonic-gate int status; 234*7c478bd9Sstevel@tonic-gate int len; 235*7c478bd9Sstevel@tonic-gate int32_t *ixdr; 236*7c478bd9Sstevel@tonic-gate 237*7c478bd9Sstevel@tonic-gate /* 238*7c478bd9Sstevel@tonic-gate * Figure out the "time", accounting for any time difference 239*7c478bd9Sstevel@tonic-gate * with the server if necessary. 240*7c478bd9Sstevel@tonic-gate */ 241*7c478bd9Sstevel@tonic-gate (void) gettimeofday(&ad->ad_timestamp, (struct timezone *)NULL); 242*7c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_sec += ad->ad_timediff.tv_sec; 243*7c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_usec += ad->ad_timediff.tv_usec; 244*7c478bd9Sstevel@tonic-gate if (ad->ad_timestamp.tv_usec >= MILLION) { 245*7c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_usec -= MILLION; 246*7c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_sec += 1; 247*7c478bd9Sstevel@tonic-gate } 248*7c478bd9Sstevel@tonic-gate 249*7c478bd9Sstevel@tonic-gate /* 250*7c478bd9Sstevel@tonic-gate * XDR the timestamp and possibly some other things, then 251*7c478bd9Sstevel@tonic-gate * encrypt them. 252*7c478bd9Sstevel@tonic-gate */ 253*7c478bd9Sstevel@tonic-gate ixdr = (int32_t *)cryptbuf; 254*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_sec); 255*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_usec); 256*7c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 257*7c478bd9Sstevel@tonic-gate IXDR_PUT_U_INT32(ixdr, ad->ad_window); 258*7c478bd9Sstevel@tonic-gate IXDR_PUT_U_INT32(ixdr, ad->ad_window - 1); 259*7c478bd9Sstevel@tonic-gate ivec.key.high = ivec.key.low = 0; 260*7c478bd9Sstevel@tonic-gate status = cbc_crypt((char *)&auth->ah_key, (char *)cryptbuf, 261*7c478bd9Sstevel@tonic-gate 2 * sizeof (des_block), DES_ENCRYPT, (char *)&ivec); 262*7c478bd9Sstevel@tonic-gate } else { 263*7c478bd9Sstevel@tonic-gate status = ecb_crypt((char *)&auth->ah_key, (char *)cryptbuf, 264*7c478bd9Sstevel@tonic-gate sizeof (des_block), DES_ENCRYPT); 265*7c478bd9Sstevel@tonic-gate } 266*7c478bd9Sstevel@tonic-gate if (DES_FAILED(status)) { 267*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, "authdes_marshal: DES encryption failure"); 268*7c478bd9Sstevel@tonic-gate return (FALSE); 269*7c478bd9Sstevel@tonic-gate } 270*7c478bd9Sstevel@tonic-gate ad->ad_verf.adv_xtimestamp = cryptbuf[0]; 271*7c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 272*7c478bd9Sstevel@tonic-gate ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high; 273*7c478bd9Sstevel@tonic-gate ad->ad_verf.adv_winverf = cryptbuf[1].key.low; 274*7c478bd9Sstevel@tonic-gate } else { 275*7c478bd9Sstevel@tonic-gate ad->ad_cred.adc_nickname = ad->ad_nickname; 276*7c478bd9Sstevel@tonic-gate ad->ad_verf.adv_winverf = 0; 277*7c478bd9Sstevel@tonic-gate } 278*7c478bd9Sstevel@tonic-gate 279*7c478bd9Sstevel@tonic-gate /* 280*7c478bd9Sstevel@tonic-gate * Serialize the credential and verifier into opaque 281*7c478bd9Sstevel@tonic-gate * authentication data. 282*7c478bd9Sstevel@tonic-gate */ 283*7c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 284*7c478bd9Sstevel@tonic-gate len = ((1 + 1 + 2 + 1) * BYTES_PER_XDR_UNIT + 285*7c478bd9Sstevel@tonic-gate ad->ad_fullnamelen); 286*7c478bd9Sstevel@tonic-gate } else 287*7c478bd9Sstevel@tonic-gate len = (1 + 1) * BYTES_PER_XDR_UNIT; 288*7c478bd9Sstevel@tonic-gate 289*7c478bd9Sstevel@tonic-gate if (ixdr = xdr_inline(xdrs, 2 * BYTES_PER_XDR_UNIT)) { 290*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, AUTH_DES); 291*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, len); 292*7c478bd9Sstevel@tonic-gate } else { 293*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_putint32(xdrs, 294*7c478bd9Sstevel@tonic-gate (int32_t *)&auth->ah_cred.oa_flavor)); 295*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_putint32(xdrs, (int32_t *)&len)); 296*7c478bd9Sstevel@tonic-gate } 297*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_authdes_cred(xdrs, cred)); 298*7c478bd9Sstevel@tonic-gate 299*7c478bd9Sstevel@tonic-gate len = (2 + 1) * BYTES_PER_XDR_UNIT; 300*7c478bd9Sstevel@tonic-gate if (ixdr = xdr_inline(xdrs, 2 * BYTES_PER_XDR_UNIT)) { 301*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, AUTH_DES); 302*7c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, len); 303*7c478bd9Sstevel@tonic-gate } else { 304*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_putint32(xdrs, 305*7c478bd9Sstevel@tonic-gate (int32_t *)&auth->ah_verf.oa_flavor)); 306*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_putint32(xdrs, (int32_t *)&len)); 307*7c478bd9Sstevel@tonic-gate } 308*7c478bd9Sstevel@tonic-gate ATTEMPT(xdr_authdes_verf(xdrs, verf)); 309*7c478bd9Sstevel@tonic-gate return (TRUE); 310*7c478bd9Sstevel@tonic-gate } 311*7c478bd9Sstevel@tonic-gate 312*7c478bd9Sstevel@tonic-gate /* 313*7c478bd9Sstevel@tonic-gate * 3. Validate 314*7c478bd9Sstevel@tonic-gate */ 315*7c478bd9Sstevel@tonic-gate static bool_t 316*7c478bd9Sstevel@tonic-gate authdes_validate(AUTH *auth, struct opaque_auth *rverf) 317*7c478bd9Sstevel@tonic-gate { 318*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 319*7c478bd9Sstevel@tonic-gate struct ad_private *ad = AUTH_PRIVATE(auth); 320*7c478bd9Sstevel@tonic-gate struct authdes_verf verf; 321*7c478bd9Sstevel@tonic-gate int status; 322*7c478bd9Sstevel@tonic-gate uint32_t *ixdr; 323*7c478bd9Sstevel@tonic-gate des_block buf; 324*7c478bd9Sstevel@tonic-gate 325*7c478bd9Sstevel@tonic-gate if (rverf->oa_length != (2 + 1) * BYTES_PER_XDR_UNIT) 326*7c478bd9Sstevel@tonic-gate return (FALSE); 327*7c478bd9Sstevel@tonic-gate 328*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 329*7c478bd9Sstevel@tonic-gate ixdr = (uint32_t *)rverf->oa_base; 330*7c478bd9Sstevel@tonic-gate buf.key.high = (uint32_t)*ixdr++; 331*7c478bd9Sstevel@tonic-gate buf.key.low = (uint32_t)*ixdr++; 332*7c478bd9Sstevel@tonic-gate verf.adv_int_u = IXDR_GET_U_INT32(ixdr); 333*7c478bd9Sstevel@tonic-gate 334*7c478bd9Sstevel@tonic-gate /* 335*7c478bd9Sstevel@tonic-gate * Decrypt the timestamp 336*7c478bd9Sstevel@tonic-gate */ 337*7c478bd9Sstevel@tonic-gate status = ecb_crypt((char *)&auth->ah_key, (char *)&buf, 338*7c478bd9Sstevel@tonic-gate sizeof (des_block), DES_DECRYPT); 339*7c478bd9Sstevel@tonic-gate 340*7c478bd9Sstevel@tonic-gate if (DES_FAILED(status)) { 341*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, "authdes_validate: DES decryption failure"); 342*7c478bd9Sstevel@tonic-gate return (FALSE); 343*7c478bd9Sstevel@tonic-gate } 344*7c478bd9Sstevel@tonic-gate 345*7c478bd9Sstevel@tonic-gate /* 346*7c478bd9Sstevel@tonic-gate * xdr the decrypted timestamp 347*7c478bd9Sstevel@tonic-gate */ 348*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 349*7c478bd9Sstevel@tonic-gate ixdr = (uint32_t *)buf.c; 350*7c478bd9Sstevel@tonic-gate verf.adv_timestamp.tv_sec = IXDR_GET_INT32(ixdr) + 1; 351*7c478bd9Sstevel@tonic-gate verf.adv_timestamp.tv_usec = IXDR_GET_INT32(ixdr); 352*7c478bd9Sstevel@tonic-gate 353*7c478bd9Sstevel@tonic-gate /* 354*7c478bd9Sstevel@tonic-gate * validate 355*7c478bd9Sstevel@tonic-gate */ 356*7c478bd9Sstevel@tonic-gate if (bcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp, 357*7c478bd9Sstevel@tonic-gate sizeof (struct timeval)) != 0) { 358*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, "authdes_validate: verifier mismatch"); 359*7c478bd9Sstevel@tonic-gate return (FALSE); 360*7c478bd9Sstevel@tonic-gate } 361*7c478bd9Sstevel@tonic-gate 362*7c478bd9Sstevel@tonic-gate /* 363*7c478bd9Sstevel@tonic-gate * We have a nickname now, let's use it 364*7c478bd9Sstevel@tonic-gate */ 365*7c478bd9Sstevel@tonic-gate ad->ad_nickname = verf.adv_nickname; 366*7c478bd9Sstevel@tonic-gate ad->ad_cred.adc_namekind = ADN_NICKNAME; 367*7c478bd9Sstevel@tonic-gate return (TRUE); 368*7c478bd9Sstevel@tonic-gate } 369*7c478bd9Sstevel@tonic-gate 370*7c478bd9Sstevel@tonic-gate /* 371*7c478bd9Sstevel@tonic-gate * 4. Refresh 372*7c478bd9Sstevel@tonic-gate * 373*7c478bd9Sstevel@tonic-gate * msg is a dummy argument here. 374*7c478bd9Sstevel@tonic-gate */ 375*7c478bd9Sstevel@tonic-gate /* ARGSUSED */ 376*7c478bd9Sstevel@tonic-gate static bool_t 377*7c478bd9Sstevel@tonic-gate authdes_refresh(AUTH *auth, struct rpc_msg *msg, cred_t *cr) 378*7c478bd9Sstevel@tonic-gate { 379*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 380*7c478bd9Sstevel@tonic-gate struct ad_private *ad = AUTH_PRIVATE(auth); 381*7c478bd9Sstevel@tonic-gate struct authdes_cred *cred = &ad->ad_cred; 382*7c478bd9Sstevel@tonic-gate enum clnt_stat stat; 383*7c478bd9Sstevel@tonic-gate 384*7c478bd9Sstevel@tonic-gate if (ad->ad_dosync && 385*7c478bd9Sstevel@tonic-gate !synchronize(&ad->ad_synconfig, &ad->ad_syncaddr, 386*7c478bd9Sstevel@tonic-gate ad->ad_calltype, &ad->ad_timediff)) { 387*7c478bd9Sstevel@tonic-gate /* 388*7c478bd9Sstevel@tonic-gate * Hope the clocks are synced! 389*7c478bd9Sstevel@tonic-gate */ 390*7c478bd9Sstevel@tonic-gate timerclear(&ad->ad_timediff); 391*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, 392*7c478bd9Sstevel@tonic-gate "authdes_refresh: unable to synchronize with server %s", ad->ad_servername); 393*7c478bd9Sstevel@tonic-gate } 394*7c478bd9Sstevel@tonic-gate ad->ad_xkey = auth->ah_key; 395*7c478bd9Sstevel@tonic-gate if ((stat = key_encryptsession(ad->ad_servername, &ad->ad_xkey, cr)) != 396*7c478bd9Sstevel@tonic-gate RPC_SUCCESS) { 397*7c478bd9Sstevel@tonic-gate cmn_err(CE_NOTE, 398*7c478bd9Sstevel@tonic-gate "authdes_refresh: unable to encrypt conversation key for user (uid %d): " 399*7c478bd9Sstevel@tonic-gate "%s (error %d)", 400*7c478bd9Sstevel@tonic-gate (int)crgetuid(cr), clnt_sperrno(stat), stat); 401*7c478bd9Sstevel@tonic-gate return (FALSE); 402*7c478bd9Sstevel@tonic-gate } 403*7c478bd9Sstevel@tonic-gate cred->adc_fullname.key = ad->ad_xkey; 404*7c478bd9Sstevel@tonic-gate cred->adc_namekind = ADN_FULLNAME; 405*7c478bd9Sstevel@tonic-gate cred->adc_fullname.name = ad->ad_fullname; 406*7c478bd9Sstevel@tonic-gate return (TRUE); 407*7c478bd9Sstevel@tonic-gate } 408*7c478bd9Sstevel@tonic-gate 409*7c478bd9Sstevel@tonic-gate /* 410*7c478bd9Sstevel@tonic-gate * 5. Destroy 411*7c478bd9Sstevel@tonic-gate */ 412*7c478bd9Sstevel@tonic-gate static void 413*7c478bd9Sstevel@tonic-gate authdes_destroy(AUTH *auth) 414*7c478bd9Sstevel@tonic-gate { 415*7c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 416*7c478bd9Sstevel@tonic-gate struct ad_private *ad = AUTH_PRIVATE(auth); 417*7c478bd9Sstevel@tonic-gate 418*7c478bd9Sstevel@tonic-gate FREE(ad->ad_fullname, ad->ad_fullnamelen + 1); 419*7c478bd9Sstevel@tonic-gate FREE(ad->ad_servername, ad->ad_servernamelen + 1); 420*7c478bd9Sstevel@tonic-gate FREE(ad, sizeof (struct ad_private)); 421*7c478bd9Sstevel@tonic-gate FREE(auth, sizeof (AUTH)); 422*7c478bd9Sstevel@tonic-gate } 423*7c478bd9Sstevel@tonic-gate 424*7c478bd9Sstevel@tonic-gate 425*7c478bd9Sstevel@tonic-gate /* 426*7c478bd9Sstevel@tonic-gate * Synchronize with the server at the given address, that is, 427*7c478bd9Sstevel@tonic-gate * adjust timep to reflect the delta between our clocks 428*7c478bd9Sstevel@tonic-gate */ 429*7c478bd9Sstevel@tonic-gate static bool_t 430*7c478bd9Sstevel@tonic-gate synchronize(struct knetconfig *synconfig, struct netbuf *syncaddr, int calltype, 431*7c478bd9Sstevel@tonic-gate struct timeval *timep) 432*7c478bd9Sstevel@tonic-gate { 433*7c478bd9Sstevel@tonic-gate struct timeval mytime; 434*7c478bd9Sstevel@tonic-gate struct timeval timout; 435*7c478bd9Sstevel@tonic-gate 436*7c478bd9Sstevel@tonic-gate timout.tv_sec = RTIME_TIMEOUT; 437*7c478bd9Sstevel@tonic-gate timout.tv_usec = 0; 438*7c478bd9Sstevel@tonic-gate if (rtime(synconfig, syncaddr, calltype, timep, &timout) < 0) 439*7c478bd9Sstevel@tonic-gate return (FALSE); 440*7c478bd9Sstevel@tonic-gate (void) gettimeofday(&mytime, (struct timezone *)NULL); 441*7c478bd9Sstevel@tonic-gate timep->tv_sec -= mytime.tv_sec; 442*7c478bd9Sstevel@tonic-gate if (mytime.tv_usec > timep->tv_usec) { 443*7c478bd9Sstevel@tonic-gate timep->tv_sec -= 1; 444*7c478bd9Sstevel@tonic-gate timep->tv_usec += MILLION; 445*7c478bd9Sstevel@tonic-gate } 446*7c478bd9Sstevel@tonic-gate timep->tv_usec -= mytime.tv_usec; 447*7c478bd9Sstevel@tonic-gate return (TRUE); 448*7c478bd9Sstevel@tonic-gate } 449*7c478bd9Sstevel@tonic-gate 450*7c478bd9Sstevel@tonic-gate static struct auth_ops * 451*7c478bd9Sstevel@tonic-gate authdes_ops(void) 452*7c478bd9Sstevel@tonic-gate { 453*7c478bd9Sstevel@tonic-gate static struct auth_ops ops; 454*7c478bd9Sstevel@tonic-gate 455*7c478bd9Sstevel@tonic-gate mutex_enter(&authdes_ops_lock); 456*7c478bd9Sstevel@tonic-gate if (ops.ah_nextverf == NULL) { 457*7c478bd9Sstevel@tonic-gate ops.ah_nextverf = authdes_nextverf; 458*7c478bd9Sstevel@tonic-gate ops.ah_marshal = authdes_marshal; 459*7c478bd9Sstevel@tonic-gate ops.ah_validate = authdes_validate; 460*7c478bd9Sstevel@tonic-gate ops.ah_refresh = authdes_refresh; 461*7c478bd9Sstevel@tonic-gate ops.ah_destroy = authdes_destroy; 462*7c478bd9Sstevel@tonic-gate ops.ah_wrap = authany_wrap; 463*7c478bd9Sstevel@tonic-gate ops.ah_unwrap = authany_unwrap; 464*7c478bd9Sstevel@tonic-gate } 465*7c478bd9Sstevel@tonic-gate mutex_exit(&authdes_ops_lock); 466*7c478bd9Sstevel@tonic-gate return (&ops); 467*7c478bd9Sstevel@tonic-gate } 468