/*
* Decrypt secret key using passwd
* The secret key is passed and returned in hex notation.
* Once again, the length is a multiple of 16 hex digits
*/
int
xdecrypt(char *secret, char *passwd)
{
char key[8];
char ivec[8];
char *buf;
int err;
int len;
len = strlen(secret) / 2;
if ((buf = malloc((unsigned)len)) == NULL)
return(0);
hex2bin(len, secret, buf);
passwd2des(passwd, key);
bzero(ivec, 8);
err = cbc_crypt(key, buf, len, DES_DECRYPT | DES_HW, ivec);
if (DES_FAILED(err)) {
free(buf);
return (0);
}
bin2hex(len, (unsigned char *) buf, secret);
free(buf);
return (1);
}
/*
* Decrypt secret key using passwd
* The secret key is passed and returned in hex notation.
* Once again, the length is a multiple of 16 hex digits
*/
int
xdecrypt (char *secret, char *passwd)
{
char key[8];
char ivec[8];
char *buf;
int err;
int len;
len = strlen (secret) / 2;
buf = malloc ((unsigned) len);
hex2bin (len, secret, buf);
passwd2des_internal (passwd, key);
memset (ivec, 0, 8);
err = cbc_crypt (key, buf, len, DES_DECRYPT | DES_HW, ivec);
if (DES_FAILED (err))
{
free (buf);
return 0;
}
bin2hex (len, (unsigned char *) buf, secret);
free (buf);
return 1;
}
/*
* encrypt/decrypt R (val) and password (str)
* return FALSE on failure and TRUE on success
*/
bool_t
__npd_cbc_crypt(
uint32_t *val,
char *str,
unsigned int strsize,
npd_newpass *buf,
unsigned int bufsize,
unsigned int mode,
des_block *deskey)
{
int status, i;
int32_t *ixdr;
des_block ivec;
if (bufsize > MAX_KEY_CRYPT_LEN)
return (FALSE);
ivec.key.low = ivec.key.high = 0;
ixdr = (int32_t *)buf;
if (mode == DES_ENCRYPT) {
if ((strsize + 4) > bufsize)
return (FALSE);
IXDR_PUT_U_INT32(ixdr, *val);
(void) strcpy((char *)buf->pass, str);
for (i = strsize; i < __NPD_MAXPASSBYTES; i++)
buf->pass[i] = '\0';
status = cbc_crypt((char *)deskey, (char *)buf,
bufsize, mode | DES_HW, (char *)&ivec);
if (DES_FAILED(status))
return (FALSE);
} else {
status = cbc_crypt((char *)deskey, (char *)buf,
bufsize, mode | DES_HW, (char *)&ivec);
if (DES_FAILED(status))
return (FALSE);
*val = IXDR_GET_U_INT32(ixdr);
if (strlen((char *)buf->pass) > strsize)
return (FALSE);
(void) strcpy(str, (char *)buf->pass);
}
return (TRUE);
}
static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
u8 *iv, void *control_word, u32 count)
{
u32 initial = count & (cbc_fetch_blocks - 1);
if (count < cbc_fetch_blocks)
return cbc_crypt(input, output, key, iv, control_word, count);
if (initial)
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
: "+S" (input), "+D" (output), "+a" (iv)
: "d" (control_word), "b" (key), "c" (count));
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
: "+S" (input), "+D" (output), "+a" (iv)
: "d" (control_word), "b" (key), "c" (count-initial));
return iv;
}
/*
* 2. Marshal
*/
static bool_t
authdes_marshal(AUTH *auth, XDR *xdrs)
{
/* LINTED pointer alignment */
struct ad_private *ad = AUTH_PRIVATE(auth);
struct authdes_cred *cred = &ad->ad_cred;
struct authdes_verf *verf = &ad->ad_verf;
des_block cryptbuf[2];
des_block ivec;
int status;
int len;
rpc_inline_t *ixdr;
/*
* Figure out the "time", accounting for any time difference
* with the server if necessary.
*/
(void)gettimeofday(&ad->ad_timestamp, NULL);
ad->ad_timestamp.tv_sec += ad->ad_timediff.tv_sec;
ad->ad_timestamp.tv_usec += ad->ad_timediff.tv_usec;
while (ad->ad_timestamp.tv_usec >= USEC_PER_SEC) {
ad->ad_timestamp.tv_usec -= USEC_PER_SEC;
ad->ad_timestamp.tv_sec++;
}
/*
* XDR the timestamp and possibly some other things, then
* encrypt them.
*/
ixdr = (rpc_inline_t *)cryptbuf;
IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_sec);
IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_usec);
if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
IXDR_PUT_U_INT32(ixdr, ad->ad_window);
IXDR_PUT_U_INT32(ixdr, ad->ad_window - 1);
ivec.key.high = ivec.key.low = 0;
status = cbc_crypt((char *)&auth->ah_key, (char *)cryptbuf,
(u_int) 2 * sizeof (des_block),
DES_ENCRYPT | DES_HW, (char *)&ivec);
} else {
status = ecb_crypt((char *)&auth->ah_key, (char *)cryptbuf,
(u_int) sizeof (des_block),
DES_ENCRYPT | DES_HW);
}
if (DES_FAILED(status)) {
syslog(LOG_ERR, "authdes_marshal: DES encryption failure");
return (FALSE);
}
ad->ad_verf.adv_xtimestamp = cryptbuf[0];
if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high;
ad->ad_verf.adv_winverf = cryptbuf[1].key.low;
} else {
ad->ad_cred.adc_nickname = ad->ad_nickname;
ad->ad_verf.adv_winverf = 0;
}
/*
* Serialize the credential and verifier into opaque
* authentication data.
*/
if (ad->ad_cred.adc_namekind == ADN_FULLNAME) {
len = ((1 + 1 + 2 + 1)*BYTES_PER_XDR_UNIT + ad->ad_fullnamelen);
} else {
len = (1 + 1)*BYTES_PER_XDR_UNIT;
}
if ((ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT))) {
IXDR_PUT_INT32(ixdr, AUTH_DES);
IXDR_PUT_INT32(ixdr, len);
} else {
ATTEMPT(xdr_putint32(xdrs, (int *)&auth->ah_cred.oa_flavor));
ATTEMPT(xdr_putint32(xdrs, &len));
}
ATTEMPT(xdr_authdes_cred(xdrs, cred));
len = (2 + 1)*BYTES_PER_XDR_UNIT;
if ((ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT))) {
IXDR_PUT_INT32(ixdr, AUTH_DES);
IXDR_PUT_INT32(ixdr, len);
} else {
ATTEMPT(xdr_putint32(xdrs, (int *)&auth->ah_verf.oa_flavor));
ATTEMPT(xdr_putint32(xdrs, &len));
}
ATTEMPT(xdr_authdes_verf(xdrs, verf));
return (TRUE);
}
/*
* 2. Marshal
*/
static bool_t
authdes_marshal (AUTH *auth, XDR *xdrs)
{
struct ad_private *ad = AUTH_PRIVATE (auth);
struct authdes_cred *cred = &ad->ad_cred;
struct authdes_verf *verf = &ad->ad_verf;
des_block cryptbuf[2];
des_block ivec;
int status;
int len;
register int32_t *ixdr;
struct timeval tval;
/*
* Figure out the "time", accounting for any time difference
* with the server if necessary.
*/
__gettimeofday (&tval, (struct timezone *) NULL);
ad->ad_timestamp.tv_sec = tval.tv_sec + ad->ad_timediff.tv_sec;
ad->ad_timestamp.tv_usec = tval.tv_usec + ad->ad_timediff.tv_usec;
if (ad->ad_timestamp.tv_usec >= MILLION)
{
ad->ad_timestamp.tv_usec -= MILLION;
ad->ad_timestamp.tv_sec += 1;
}
/*
* XDR the timestamp and possibly some other things, then
* encrypt them.
* XXX We have a real Year 2038 problem here.
*/
ixdr = (int32_t *) cryptbuf;
IXDR_PUT_INT32 (ixdr, ad->ad_timestamp.tv_sec);
IXDR_PUT_INT32 (ixdr, ad->ad_timestamp.tv_usec);
if (ad->ad_cred.adc_namekind == ADN_FULLNAME)
{
IXDR_PUT_U_INT32 (ixdr, ad->ad_window);
IXDR_PUT_U_INT32 (ixdr, ad->ad_window - 1);
ivec.key.high = ivec.key.low = 0;
status = cbc_crypt ((char *) &auth->ah_key, (char *) cryptbuf,
2 * sizeof (des_block), DES_ENCRYPT | DES_HW, (char *) &ivec);
}
else
status = ecb_crypt ((char *) &auth->ah_key, (char *) cryptbuf,
sizeof (des_block), DES_ENCRYPT | DES_HW);
if (DES_FAILED (status))
{
debug ("authdes_marshal: DES encryption failure");
return FALSE;
}
ad->ad_verf.adv_xtimestamp = cryptbuf[0];
if (ad->ad_cred.adc_namekind == ADN_FULLNAME)
{
ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high;
ad->ad_verf.adv_winverf = cryptbuf[1].key.low;
}
else
{
ad->ad_cred.adc_nickname = ad->ad_nickname;
ad->ad_verf.adv_winverf = 0;
}
/*
* Serialize the credential and verifier into opaque
* authentication data.
*/
if (ad->ad_cred.adc_namekind == ADN_FULLNAME)
len = ((1 + 1 + 2 + 1) * BYTES_PER_XDR_UNIT + ad->ad_fullnamelen);
else
len = (1 + 1) * BYTES_PER_XDR_UNIT;
if ((ixdr = xdr_inline (xdrs, 2 * BYTES_PER_XDR_UNIT)) != NULL)
{
IXDR_PUT_INT32 (ixdr, AUTH_DES);
IXDR_PUT_U_INT32 (ixdr, len);
}
else
{
ATTEMPT (xdr_putint32 (xdrs, &auth->ah_cred.oa_flavor));
ATTEMPT (xdr_putint32 (xdrs, &len));
}
ATTEMPT (xdr_authdes_cred (xdrs, cred));
len = (2 + 1) * BYTES_PER_XDR_UNIT;
if ((ixdr = xdr_inline (xdrs, 2 * BYTES_PER_XDR_UNIT)) != NULL)
{
IXDR_PUT_INT32 (ixdr, AUTH_DES);
IXDR_PUT_U_INT32 (ixdr, len);
}
else
{
ATTEMPT (xdr_putint32 (xdrs, &auth->ah_verf.oa_flavor));
ATTEMPT (xdr_putint32 (xdrs, &len));
}
ATTEMPT (xdr_authdes_verf (xdrs, verf));
return TRUE;
}
