17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 57c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 67c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 77c478bd9Sstevel@tonic-gate * with the License. 87c478bd9Sstevel@tonic-gate * 97c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 107c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 117c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 127c478bd9Sstevel@tonic-gate * and limitations under the License. 137c478bd9Sstevel@tonic-gate * 147c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 157c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 167c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 177c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 187c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 197c478bd9Sstevel@tonic-gate * 207c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*61961e0fSrobinson */ 22*61961e0fSrobinson 23*61961e0fSrobinson /* 24*61961e0fSrobinson * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 257c478bd9Sstevel@tonic-gate * Use is subject to license terms. 267c478bd9Sstevel@tonic-gate */ 277c478bd9Sstevel@tonic-gate /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ 287c478bd9Sstevel@tonic-gate /* All Rights Reserved */ 297c478bd9Sstevel@tonic-gate /* 307c478bd9Sstevel@tonic-gate * Portions of this source code were derived from Berkeley 317c478bd9Sstevel@tonic-gate * 4.3 BSD under license from the Regents of the University of 327c478bd9Sstevel@tonic-gate * California. 337c478bd9Sstevel@tonic-gate */ 347c478bd9Sstevel@tonic-gate 357c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 367c478bd9Sstevel@tonic-gate 377c478bd9Sstevel@tonic-gate /* 387c478bd9Sstevel@tonic-gate * auth_des.c, client-side implementation of DES authentication 397c478bd9Sstevel@tonic-gate * 407c478bd9Sstevel@tonic-gate */ 417c478bd9Sstevel@tonic-gate 427c478bd9Sstevel@tonic-gate #include "mt.h" 437c478bd9Sstevel@tonic-gate #include "rpc_mt.h" 447c478bd9Sstevel@tonic-gate #include <rpc/rpc.h> 457c478bd9Sstevel@tonic-gate #include <rpc/des_crypt.h> 467c478bd9Sstevel@tonic-gate #include <syslog.h> 477c478bd9Sstevel@tonic-gate #include <stdlib.h> 487c478bd9Sstevel@tonic-gate #include <string.h> 497c478bd9Sstevel@tonic-gate #include <synch.h> 507c478bd9Sstevel@tonic-gate #undef NIS 517c478bd9Sstevel@tonic-gate #include <rpcsvc/nis.h> 527c478bd9Sstevel@tonic-gate 537c478bd9Sstevel@tonic-gate #define USEC_PER_SEC 1000000 547c478bd9Sstevel@tonic-gate #define RTIME_TIMEOUT 5 /* seconds to wait for sync */ 557c478bd9Sstevel@tonic-gate 567c478bd9Sstevel@tonic-gate extern bool_t xdr_authdes_cred(XDR *, struct authdes_cred *); 577c478bd9Sstevel@tonic-gate extern bool_t xdr_authdes_verf(XDR *, struct authdes_verf *); 58*61961e0fSrobinson extern int key_encryptsession_pk(const char *, netobj *, des_block *); 597c478bd9Sstevel@tonic-gate 607c478bd9Sstevel@tonic-gate extern bool_t __rpc_get_time_offset(struct timeval *, nis_server *, char *, 617c478bd9Sstevel@tonic-gate char **, char **); 62*61961e0fSrobinson static struct auth_ops *authdes_ops(void); 63*61961e0fSrobinson static bool_t authdes_refresh(AUTH *, void *); 647c478bd9Sstevel@tonic-gate 657c478bd9Sstevel@tonic-gate /* 667c478bd9Sstevel@tonic-gate * This struct is pointed to by the ah_private field of an "AUTH *" 677c478bd9Sstevel@tonic-gate */ 687c478bd9Sstevel@tonic-gate struct ad_private { 697c478bd9Sstevel@tonic-gate char *ad_fullname; /* client's full name */ 707c478bd9Sstevel@tonic-gate uint_t ad_fullnamelen; /* length of name, rounded up */ 717c478bd9Sstevel@tonic-gate char *ad_servername; /* server's full name */ 727c478bd9Sstevel@tonic-gate size_t ad_servernamelen; /* length of name, rounded up */ 737c478bd9Sstevel@tonic-gate uint_t ad_window; /* client specified window */ 747c478bd9Sstevel@tonic-gate bool_t ad_dosync; /* synchronize? */ 757c478bd9Sstevel@tonic-gate char *ad_timehost; /* remote host to sync with */ 767c478bd9Sstevel@tonic-gate struct timeval ad_timediff; /* server's time - client's time */ 777c478bd9Sstevel@tonic-gate uint_t ad_nickname; /* server's nickname for client */ 787c478bd9Sstevel@tonic-gate struct authdes_cred ad_cred; /* storage for credential */ 797c478bd9Sstevel@tonic-gate struct authdes_verf ad_verf; /* storage for verifier */ 807c478bd9Sstevel@tonic-gate struct timeval ad_timestamp; /* timestamp sent */ 817c478bd9Sstevel@tonic-gate des_block ad_xkey; /* encrypted conversation key */ 827c478bd9Sstevel@tonic-gate uchar_t ad_pkey[1024]; /* Servers actual public key */ 837c478bd9Sstevel@tonic-gate char *ad_netid; /* Timehost netid */ 847c478bd9Sstevel@tonic-gate char *ad_uaddr; /* Timehost uaddr */ 857c478bd9Sstevel@tonic-gate nis_server *ad_nis_srvr; /* NIS+ server struct */ 867c478bd9Sstevel@tonic-gate }; 877c478bd9Sstevel@tonic-gate 88*61961e0fSrobinson extern AUTH *authdes_pk_seccreate(const char *, netobj *, uint_t, const char *, 897c478bd9Sstevel@tonic-gate const des_block *, nis_server *); 907c478bd9Sstevel@tonic-gate 917c478bd9Sstevel@tonic-gate /* 927c478bd9Sstevel@tonic-gate * documented version of authdes_seccreate 937c478bd9Sstevel@tonic-gate */ 947c478bd9Sstevel@tonic-gate /* 957c478bd9Sstevel@tonic-gate * servername: network name of server 967c478bd9Sstevel@tonic-gate * win: time to live 977c478bd9Sstevel@tonic-gate * timehost: optional hostname to sync with 987c478bd9Sstevel@tonic-gate * ckey: optional conversation key to use 997c478bd9Sstevel@tonic-gate */ 1007c478bd9Sstevel@tonic-gate 1017c478bd9Sstevel@tonic-gate AUTH * 1027c478bd9Sstevel@tonic-gate authdes_seccreate(const char *servername, const uint_t win, 1037c478bd9Sstevel@tonic-gate const char *timehost, const des_block *ckey) 1047c478bd9Sstevel@tonic-gate { 1057c478bd9Sstevel@tonic-gate uchar_t pkey_data[1024]; 1067c478bd9Sstevel@tonic-gate netobj pkey; 1077c478bd9Sstevel@tonic-gate 1087c478bd9Sstevel@tonic-gate if (!getpublickey(servername, (char *)pkey_data)) { 1097c478bd9Sstevel@tonic-gate syslog(LOG_ERR, 1107c478bd9Sstevel@tonic-gate "authdes_seccreate: no public key found for %s", 1117c478bd9Sstevel@tonic-gate servername); 1127c478bd9Sstevel@tonic-gate 1137c478bd9Sstevel@tonic-gate return (NULL); 1147c478bd9Sstevel@tonic-gate } 1157c478bd9Sstevel@tonic-gate 1167c478bd9Sstevel@tonic-gate pkey.n_bytes = (char *)pkey_data; 1177c478bd9Sstevel@tonic-gate pkey.n_len = (uint_t)strlen((char *)pkey_data) + 1; 118*61961e0fSrobinson return (authdes_pk_seccreate(servername, &pkey, win, timehost, 119*61961e0fSrobinson ckey, NULL)); 1207c478bd9Sstevel@tonic-gate } 1217c478bd9Sstevel@tonic-gate 1227c478bd9Sstevel@tonic-gate /* 1237c478bd9Sstevel@tonic-gate * Slightly modified version of authdes_seccreate which takes the public key 1247c478bd9Sstevel@tonic-gate * of the server principal as an argument. This spares us a call to 1257c478bd9Sstevel@tonic-gate * getpublickey() which in the nameserver context can cause a deadlock. 1267c478bd9Sstevel@tonic-gate */ 1277c478bd9Sstevel@tonic-gate 1287c478bd9Sstevel@tonic-gate AUTH * 1297c478bd9Sstevel@tonic-gate authdes_pk_seccreate(const char *servername, netobj *pkey, uint_t window, 1307c478bd9Sstevel@tonic-gate const char *timehost, const des_block *ckey, nis_server *srvr) 1317c478bd9Sstevel@tonic-gate { 1327c478bd9Sstevel@tonic-gate AUTH *auth; 1337c478bd9Sstevel@tonic-gate struct ad_private *ad; 1347c478bd9Sstevel@tonic-gate char namebuf[MAXNETNAMELEN+1]; 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate /* 1377c478bd9Sstevel@tonic-gate * Allocate everything now 1387c478bd9Sstevel@tonic-gate */ 139*61961e0fSrobinson auth = malloc(sizeof (AUTH)); 1407c478bd9Sstevel@tonic-gate if (auth == NULL) { 1417c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_pk_seccreate: out of memory"); 1427c478bd9Sstevel@tonic-gate return (NULL); 1437c478bd9Sstevel@tonic-gate } 144*61961e0fSrobinson ad = malloc(sizeof (struct ad_private)); 1457c478bd9Sstevel@tonic-gate if (ad == NULL) { 1467c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_pk_seccreate: out of memory"); 1477c478bd9Sstevel@tonic-gate goto failed; 1487c478bd9Sstevel@tonic-gate } 1497c478bd9Sstevel@tonic-gate ad->ad_fullname = ad->ad_servername = NULL; /* Sanity reasons */ 1507c478bd9Sstevel@tonic-gate ad->ad_timehost = NULL; 1517c478bd9Sstevel@tonic-gate ad->ad_netid = NULL; 1527c478bd9Sstevel@tonic-gate ad->ad_uaddr = NULL; 1537c478bd9Sstevel@tonic-gate ad->ad_nis_srvr = NULL; 1547c478bd9Sstevel@tonic-gate ad->ad_timediff.tv_sec = 0; 1557c478bd9Sstevel@tonic-gate ad->ad_timediff.tv_usec = 0; 156*61961e0fSrobinson (void) memcpy(ad->ad_pkey, pkey->n_bytes, pkey->n_len); 1577c478bd9Sstevel@tonic-gate if (!getnetname(namebuf)) 1587c478bd9Sstevel@tonic-gate goto failed; 1597c478bd9Sstevel@tonic-gate ad->ad_fullnamelen = RNDUP((uint_t)strlen(namebuf)); 160*61961e0fSrobinson ad->ad_fullname = malloc(ad->ad_fullnamelen + 1); 1617c478bd9Sstevel@tonic-gate ad->ad_servernamelen = strlen(servername); 162*61961e0fSrobinson ad->ad_servername = malloc(ad->ad_servernamelen + 1); 1637c478bd9Sstevel@tonic-gate 1647c478bd9Sstevel@tonic-gate if (ad->ad_fullname == NULL || ad->ad_servername == NULL) { 1657c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_seccreate: out of memory"); 1667c478bd9Sstevel@tonic-gate goto failed; 1677c478bd9Sstevel@tonic-gate } 1687c478bd9Sstevel@tonic-gate if (timehost != NULL) { 169*61961e0fSrobinson ad->ad_timehost = malloc(strlen(timehost) + 1); 1707c478bd9Sstevel@tonic-gate if (ad->ad_timehost == NULL) { 1717c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_seccreate: out of memory"); 1727c478bd9Sstevel@tonic-gate goto failed; 1737c478bd9Sstevel@tonic-gate } 174*61961e0fSrobinson (void) memcpy(ad->ad_timehost, timehost, strlen(timehost) + 1); 1757c478bd9Sstevel@tonic-gate ad->ad_dosync = TRUE; 1767c478bd9Sstevel@tonic-gate } else if (srvr != NULL) { 1777c478bd9Sstevel@tonic-gate ad->ad_nis_srvr = srvr; /* transient */ 1787c478bd9Sstevel@tonic-gate ad->ad_dosync = TRUE; 1797c478bd9Sstevel@tonic-gate } else { 1807c478bd9Sstevel@tonic-gate ad->ad_dosync = FALSE; 1817c478bd9Sstevel@tonic-gate } 182*61961e0fSrobinson (void) memcpy(ad->ad_fullname, namebuf, ad->ad_fullnamelen + 1); 183*61961e0fSrobinson (void) memcpy(ad->ad_servername, servername, ad->ad_servernamelen + 1); 1847c478bd9Sstevel@tonic-gate ad->ad_window = window; 1857c478bd9Sstevel@tonic-gate if (ckey == NULL) { 1867c478bd9Sstevel@tonic-gate if (key_gendes(&auth->ah_key) < 0) { 1877c478bd9Sstevel@tonic-gate syslog(LOG_ERR, 1887c478bd9Sstevel@tonic-gate "authdes_seccreate: keyserv(1m) is unable to generate session key"); 1897c478bd9Sstevel@tonic-gate goto failed; 1907c478bd9Sstevel@tonic-gate } 1917c478bd9Sstevel@tonic-gate } else 1927c478bd9Sstevel@tonic-gate auth->ah_key = *ckey; 1937c478bd9Sstevel@tonic-gate 1947c478bd9Sstevel@tonic-gate /* 1957c478bd9Sstevel@tonic-gate * Set up auth handle 1967c478bd9Sstevel@tonic-gate */ 1977c478bd9Sstevel@tonic-gate auth->ah_cred.oa_flavor = AUTH_DES; 1987c478bd9Sstevel@tonic-gate auth->ah_verf.oa_flavor = AUTH_DES; 1997c478bd9Sstevel@tonic-gate auth->ah_ops = authdes_ops(); 2007c478bd9Sstevel@tonic-gate auth->ah_private = (caddr_t)ad; 2017c478bd9Sstevel@tonic-gate 2027c478bd9Sstevel@tonic-gate if (!authdes_refresh(auth, NULL)) { 2037c478bd9Sstevel@tonic-gate goto failed; 2047c478bd9Sstevel@tonic-gate } 2057c478bd9Sstevel@tonic-gate ad->ad_nis_srvr = NULL; /* not needed any longer */ 2067c478bd9Sstevel@tonic-gate return (auth); 2077c478bd9Sstevel@tonic-gate 2087c478bd9Sstevel@tonic-gate failed: 2097c478bd9Sstevel@tonic-gate if (auth) 210*61961e0fSrobinson free(auth); 2117c478bd9Sstevel@tonic-gate if (ad) { 2127c478bd9Sstevel@tonic-gate if (ad->ad_fullname) 213*61961e0fSrobinson free(ad->ad_fullname); 2147c478bd9Sstevel@tonic-gate if (ad->ad_servername) 215*61961e0fSrobinson free(ad->ad_servername); 2167c478bd9Sstevel@tonic-gate if (ad->ad_timehost) 217*61961e0fSrobinson free(ad->ad_timehost); 2187c478bd9Sstevel@tonic-gate if (ad->ad_netid) 219*61961e0fSrobinson free(ad->ad_netid); 2207c478bd9Sstevel@tonic-gate if (ad->ad_uaddr) 221*61961e0fSrobinson free(ad->ad_uaddr); 222*61961e0fSrobinson free(ad); 2237c478bd9Sstevel@tonic-gate } 2247c478bd9Sstevel@tonic-gate return (NULL); 2257c478bd9Sstevel@tonic-gate } 2267c478bd9Sstevel@tonic-gate 2277c478bd9Sstevel@tonic-gate /* 2287c478bd9Sstevel@tonic-gate * Implement the five authentication operations 2297c478bd9Sstevel@tonic-gate */ 2307c478bd9Sstevel@tonic-gate 2317c478bd9Sstevel@tonic-gate /* 2327c478bd9Sstevel@tonic-gate * 1. Next Verifier 2337c478bd9Sstevel@tonic-gate */ 2347c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 2357c478bd9Sstevel@tonic-gate static void 2367c478bd9Sstevel@tonic-gate authdes_nextverf(AUTH *auth) 2377c478bd9Sstevel@tonic-gate { 2387c478bd9Sstevel@tonic-gate /* what the heck am I supposed to do??? */ 2397c478bd9Sstevel@tonic-gate } 2407c478bd9Sstevel@tonic-gate 2417c478bd9Sstevel@tonic-gate 2427c478bd9Sstevel@tonic-gate /* 2437c478bd9Sstevel@tonic-gate * 2. Marshal 2447c478bd9Sstevel@tonic-gate */ 2457c478bd9Sstevel@tonic-gate static bool_t 2467c478bd9Sstevel@tonic-gate authdes_marshal(AUTH *auth, XDR *xdrs) 2477c478bd9Sstevel@tonic-gate { 2487c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 249*61961e0fSrobinson struct ad_private *ad = (struct ad_private *)auth->ah_private; 2507c478bd9Sstevel@tonic-gate struct authdes_cred *cred = &ad->ad_cred; 2517c478bd9Sstevel@tonic-gate struct authdes_verf *verf = &ad->ad_verf; 2527c478bd9Sstevel@tonic-gate des_block cryptbuf[2]; 2537c478bd9Sstevel@tonic-gate des_block ivec; 2547c478bd9Sstevel@tonic-gate int status; 2557c478bd9Sstevel@tonic-gate int len; 2567c478bd9Sstevel@tonic-gate rpc_inline_t *ixdr; 2577c478bd9Sstevel@tonic-gate 2587c478bd9Sstevel@tonic-gate /* 2597c478bd9Sstevel@tonic-gate * Figure out the "time", accounting for any time difference 2607c478bd9Sstevel@tonic-gate * with the server if necessary. 2617c478bd9Sstevel@tonic-gate */ 262*61961e0fSrobinson (void) gettimeofday(&ad->ad_timestamp, NULL); 2637c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_sec += ad->ad_timediff.tv_sec; 2647c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_usec += ad->ad_timediff.tv_usec; 2657c478bd9Sstevel@tonic-gate while (ad->ad_timestamp.tv_usec >= USEC_PER_SEC) { 2667c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_usec -= USEC_PER_SEC; 2677c478bd9Sstevel@tonic-gate ad->ad_timestamp.tv_sec++; 2687c478bd9Sstevel@tonic-gate } 2697c478bd9Sstevel@tonic-gate 2707c478bd9Sstevel@tonic-gate /* 2717c478bd9Sstevel@tonic-gate * XDR the timestamp and possibly some other things, then 2727c478bd9Sstevel@tonic-gate * encrypt them. 2737c478bd9Sstevel@tonic-gate */ 2747c478bd9Sstevel@tonic-gate ixdr = (rpc_inline_t *)cryptbuf; 2757c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_sec); 2767c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_usec); 2777c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 2787c478bd9Sstevel@tonic-gate IXDR_PUT_U_INT32(ixdr, ad->ad_window); 2797c478bd9Sstevel@tonic-gate IXDR_PUT_U_INT32(ixdr, ad->ad_window - 1); 2807c478bd9Sstevel@tonic-gate ivec.key.high = ivec.key.low = 0; 2817c478bd9Sstevel@tonic-gate status = cbc_crypt((char *)&auth->ah_key, (char *)cryptbuf, 2827c478bd9Sstevel@tonic-gate 2 * sizeof (des_block), 2837c478bd9Sstevel@tonic-gate DES_ENCRYPT | DES_HW, (char *)&ivec); 2847c478bd9Sstevel@tonic-gate } else { 2857c478bd9Sstevel@tonic-gate status = ecb_crypt((char *)&auth->ah_key, (char *)cryptbuf, 2867c478bd9Sstevel@tonic-gate sizeof (des_block), 2877c478bd9Sstevel@tonic-gate DES_ENCRYPT | DES_HW); 2887c478bd9Sstevel@tonic-gate } 2897c478bd9Sstevel@tonic-gate if (DES_FAILED(status)) { 2907c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_marshal: DES encryption failure"); 2917c478bd9Sstevel@tonic-gate return (FALSE); 2927c478bd9Sstevel@tonic-gate } 2937c478bd9Sstevel@tonic-gate ad->ad_verf.adv_xtimestamp = cryptbuf[0]; 2947c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 2957c478bd9Sstevel@tonic-gate ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high; 2967c478bd9Sstevel@tonic-gate ad->ad_verf.adv_winverf = cryptbuf[1].key.low; 2977c478bd9Sstevel@tonic-gate } else { 2987c478bd9Sstevel@tonic-gate ad->ad_cred.adc_nickname = ad->ad_nickname; 2997c478bd9Sstevel@tonic-gate ad->ad_verf.adv_winverf = 0; 3007c478bd9Sstevel@tonic-gate } 3017c478bd9Sstevel@tonic-gate 3027c478bd9Sstevel@tonic-gate /* 3037c478bd9Sstevel@tonic-gate * Serialize the credential and verifier into opaque 3047c478bd9Sstevel@tonic-gate * authentication data. 3057c478bd9Sstevel@tonic-gate */ 3067c478bd9Sstevel@tonic-gate if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { 3077c478bd9Sstevel@tonic-gate len = ((1 + 1 + 2 + 1)*BYTES_PER_XDR_UNIT + ad->ad_fullnamelen); 3087c478bd9Sstevel@tonic-gate } else { 3097c478bd9Sstevel@tonic-gate len = (1 + 1)*BYTES_PER_XDR_UNIT; 3107c478bd9Sstevel@tonic-gate } 3117c478bd9Sstevel@tonic-gate 3127c478bd9Sstevel@tonic-gate if (ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT)) { 3137c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, AUTH_DES); 3147c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, len); 3157c478bd9Sstevel@tonic-gate } else { 316*61961e0fSrobinson if (!xdr_putint32(xdrs, (int *)&auth->ah_cred.oa_flavor)) 317*61961e0fSrobinson return (FALSE); 318*61961e0fSrobinson if (!xdr_putint32(xdrs, &len)) 319*61961e0fSrobinson return (FALSE); 3207c478bd9Sstevel@tonic-gate } 321*61961e0fSrobinson if (!xdr_authdes_cred(xdrs, cred)) 322*61961e0fSrobinson return (FALSE); 3237c478bd9Sstevel@tonic-gate 3247c478bd9Sstevel@tonic-gate len = (2 + 1)*BYTES_PER_XDR_UNIT; 3257c478bd9Sstevel@tonic-gate if (ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT)) { 3267c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, AUTH_DES); 3277c478bd9Sstevel@tonic-gate IXDR_PUT_INT32(ixdr, len); 3287c478bd9Sstevel@tonic-gate } else { 329*61961e0fSrobinson if (!xdr_putint32(xdrs, (int *)&auth->ah_verf.oa_flavor)) 330*61961e0fSrobinson return (FALSE); 331*61961e0fSrobinson if (!xdr_putint32(xdrs, &len)) 332*61961e0fSrobinson return (FALSE); 3337c478bd9Sstevel@tonic-gate } 334*61961e0fSrobinson return (xdr_authdes_verf(xdrs, verf)); 3357c478bd9Sstevel@tonic-gate } 3367c478bd9Sstevel@tonic-gate 3377c478bd9Sstevel@tonic-gate 3387c478bd9Sstevel@tonic-gate /* 3397c478bd9Sstevel@tonic-gate * 3. Validate 3407c478bd9Sstevel@tonic-gate */ 3417c478bd9Sstevel@tonic-gate static bool_t 3427c478bd9Sstevel@tonic-gate authdes_validate(AUTH *auth, struct opaque_auth *rverf) 3437c478bd9Sstevel@tonic-gate { 3447c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 345*61961e0fSrobinson struct ad_private *ad = (struct ad_private *)auth->ah_private; 3467c478bd9Sstevel@tonic-gate struct authdes_verf verf; 3477c478bd9Sstevel@tonic-gate int status; 3487c478bd9Sstevel@tonic-gate uint32_t *ixdr; 3497c478bd9Sstevel@tonic-gate des_block buf; 3507c478bd9Sstevel@tonic-gate 351*61961e0fSrobinson if (rverf->oa_length != (2 + 1) * BYTES_PER_XDR_UNIT) 3527c478bd9Sstevel@tonic-gate return (FALSE); 3537c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 3547c478bd9Sstevel@tonic-gate ixdr = (uint32_t *)rverf->oa_base; 3557c478bd9Sstevel@tonic-gate buf.key.high = (uint32_t)*ixdr++; 3567c478bd9Sstevel@tonic-gate buf.key.low = (uint32_t)*ixdr++; 3577c478bd9Sstevel@tonic-gate verf.adv_int_u = (uint32_t)*ixdr++; 3587c478bd9Sstevel@tonic-gate 3597c478bd9Sstevel@tonic-gate /* 3607c478bd9Sstevel@tonic-gate * Decrypt the timestamp 3617c478bd9Sstevel@tonic-gate */ 3627c478bd9Sstevel@tonic-gate status = ecb_crypt((char *)&auth->ah_key, (char *)&buf, 3637c478bd9Sstevel@tonic-gate sizeof (des_block), DES_DECRYPT | DES_HW); 3647c478bd9Sstevel@tonic-gate 3657c478bd9Sstevel@tonic-gate if (DES_FAILED(status)) { 3667c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "authdes_validate: DES decryption failure"); 3677c478bd9Sstevel@tonic-gate return (FALSE); 3687c478bd9Sstevel@tonic-gate } 3697c478bd9Sstevel@tonic-gate 3707c478bd9Sstevel@tonic-gate /* 3717c478bd9Sstevel@tonic-gate * xdr the decrypted timestamp 3727c478bd9Sstevel@tonic-gate */ 3737c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 3747c478bd9Sstevel@tonic-gate ixdr = (uint32_t *)buf.c; 3757c478bd9Sstevel@tonic-gate verf.adv_timestamp.tv_sec = IXDR_GET_INT32(ixdr) + 1; 3767c478bd9Sstevel@tonic-gate verf.adv_timestamp.tv_usec = IXDR_GET_INT32(ixdr); 3777c478bd9Sstevel@tonic-gate 3787c478bd9Sstevel@tonic-gate /* 3797c478bd9Sstevel@tonic-gate * validate 3807c478bd9Sstevel@tonic-gate */ 381*61961e0fSrobinson if (memcmp(&ad->ad_timestamp, &verf.adv_timestamp, 3827c478bd9Sstevel@tonic-gate sizeof (struct timeval)) != 0) { 3837c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, "authdes_validate: verifier mismatch"); 3847c478bd9Sstevel@tonic-gate return (FALSE); 3857c478bd9Sstevel@tonic-gate } 3867c478bd9Sstevel@tonic-gate 3877c478bd9Sstevel@tonic-gate /* 3887c478bd9Sstevel@tonic-gate * We have a nickname now, let's use it 3897c478bd9Sstevel@tonic-gate */ 3907c478bd9Sstevel@tonic-gate ad->ad_nickname = verf.adv_nickname; 3917c478bd9Sstevel@tonic-gate ad->ad_cred.adc_namekind = ADN_NICKNAME; 3927c478bd9Sstevel@tonic-gate return (TRUE); 3937c478bd9Sstevel@tonic-gate } 3947c478bd9Sstevel@tonic-gate 3957c478bd9Sstevel@tonic-gate /* 3967c478bd9Sstevel@tonic-gate * 4. Refresh 3977c478bd9Sstevel@tonic-gate */ 3987c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 3997c478bd9Sstevel@tonic-gate static bool_t 4007c478bd9Sstevel@tonic-gate authdes_refresh(AUTH *auth, void *dummy) 4017c478bd9Sstevel@tonic-gate { 4027c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 403*61961e0fSrobinson struct ad_private *ad = (struct ad_private *)auth->ah_private; 4047c478bd9Sstevel@tonic-gate struct authdes_cred *cred = &ad->ad_cred; 4057c478bd9Sstevel@tonic-gate int ok; 4067c478bd9Sstevel@tonic-gate netobj pkey; 4077c478bd9Sstevel@tonic-gate 4087c478bd9Sstevel@tonic-gate if (ad->ad_dosync) { 4097c478bd9Sstevel@tonic-gate ok = __rpc_get_time_offset(&ad->ad_timediff, ad->ad_nis_srvr, 4107c478bd9Sstevel@tonic-gate ad->ad_timehost, &(ad->ad_uaddr), 4117c478bd9Sstevel@tonic-gate &(ad->ad_netid)); 4127c478bd9Sstevel@tonic-gate if (!ok) { 4137c478bd9Sstevel@tonic-gate /* 4147c478bd9Sstevel@tonic-gate * Hope the clocks are synced! 4157c478bd9Sstevel@tonic-gate */ 4167c478bd9Sstevel@tonic-gate ad->ad_dosync = 0; 4177c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, 4187c478bd9Sstevel@tonic-gate "authdes_refresh: unable to synchronize clock"); 4197c478bd9Sstevel@tonic-gate } 4207c478bd9Sstevel@tonic-gate } 4217c478bd9Sstevel@tonic-gate ad->ad_xkey = auth->ah_key; 4227c478bd9Sstevel@tonic-gate pkey.n_bytes = (char *)(ad->ad_pkey); 4237c478bd9Sstevel@tonic-gate pkey.n_len = (uint_t)strlen((char *)ad->ad_pkey) + 1; 4247c478bd9Sstevel@tonic-gate if (key_encryptsession_pk(ad->ad_servername, &pkey, &ad->ad_xkey) < 0) { 4257c478bd9Sstevel@tonic-gate syslog(LOG_INFO, 4267c478bd9Sstevel@tonic-gate "authdes_refresh: keyserv(1m) is unable to encrypt session key"); 4277c478bd9Sstevel@tonic-gate return (FALSE); 4287c478bd9Sstevel@tonic-gate } 4297c478bd9Sstevel@tonic-gate cred->adc_fullname.key = ad->ad_xkey; 4307c478bd9Sstevel@tonic-gate cred->adc_namekind = ADN_FULLNAME; 4317c478bd9Sstevel@tonic-gate cred->adc_fullname.name = ad->ad_fullname; 4327c478bd9Sstevel@tonic-gate return (TRUE); 4337c478bd9Sstevel@tonic-gate } 4347c478bd9Sstevel@tonic-gate 4357c478bd9Sstevel@tonic-gate 4367c478bd9Sstevel@tonic-gate /* 4377c478bd9Sstevel@tonic-gate * 5. Destroy 4387c478bd9Sstevel@tonic-gate */ 4397c478bd9Sstevel@tonic-gate static void 4407c478bd9Sstevel@tonic-gate authdes_destroy(AUTH *auth) 4417c478bd9Sstevel@tonic-gate { 4427c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 443*61961e0fSrobinson struct ad_private *ad = (struct ad_private *)auth->ah_private; 4447c478bd9Sstevel@tonic-gate 445*61961e0fSrobinson free(ad->ad_fullname); 446*61961e0fSrobinson free(ad->ad_servername); 4477c478bd9Sstevel@tonic-gate if (ad->ad_timehost) 448*61961e0fSrobinson free(ad->ad_timehost); 4497c478bd9Sstevel@tonic-gate if (ad->ad_netid) 450*61961e0fSrobinson free(ad->ad_netid); 4517c478bd9Sstevel@tonic-gate if (ad->ad_uaddr) 452*61961e0fSrobinson free(ad->ad_uaddr); 453*61961e0fSrobinson free(ad); 454*61961e0fSrobinson free(auth); 4557c478bd9Sstevel@tonic-gate } 4567c478bd9Sstevel@tonic-gate 4577c478bd9Sstevel@tonic-gate static struct auth_ops * 4587c478bd9Sstevel@tonic-gate authdes_ops(void) 4597c478bd9Sstevel@tonic-gate { 4607c478bd9Sstevel@tonic-gate static struct auth_ops ops; 4617c478bd9Sstevel@tonic-gate extern mutex_t ops_lock; 4627c478bd9Sstevel@tonic-gate 4637c478bd9Sstevel@tonic-gate /* VARIABLES PROTECTED BY ops_lock: ops */ 4647c478bd9Sstevel@tonic-gate 465*61961e0fSrobinson (void) mutex_lock(&ops_lock); 4667c478bd9Sstevel@tonic-gate if (ops.ah_nextverf == NULL) { 4677c478bd9Sstevel@tonic-gate ops.ah_nextverf = authdes_nextverf; 4687c478bd9Sstevel@tonic-gate ops.ah_marshal = authdes_marshal; 4697c478bd9Sstevel@tonic-gate ops.ah_validate = authdes_validate; 4707c478bd9Sstevel@tonic-gate ops.ah_refresh = authdes_refresh; 4717c478bd9Sstevel@tonic-gate ops.ah_destroy = authdes_destroy; 4727c478bd9Sstevel@tonic-gate } 473*61961e0fSrobinson (void) mutex_unlock(&ops_lock); 4747c478bd9Sstevel@tonic-gate return (&ops); 4757c478bd9Sstevel@tonic-gate } 476