NAME
authdial, passtokey, nvcsum, readnvram, readcons, convT2M, convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M, convM2PR, _asgetticket, _asrequest, _asgetresp, _asrdresp, _asgetpakkey, authpak_hash, authpak_new, authpak_finish – routines for communicating with authentication servers |
SYNOPSIS
#include <u.h> #include <libc.h> #include <authsrv.h> int authdial(char *netroot, char *ad); void passtokey(Authkey *key, char *password) uchar nvcsum(void *mem, int len) int readnvram(Nvrsafe *nv, int flag); char* readcons(char *prompt, char *def, int raw); int convT2M(Ticket *t, char *msg, int len, Authkey *key) int convM2T(char *msg, int len, Ticket *t, Authkey *key) int convA2M(Authenticator *a, char *msg, int len, Ticket *t) int convM2A(char *msg, int len, Authenticator *a, Ticket *t) int convTR2M(Ticketreq *tr, char *msg, int len) int convM2TR(char *msg, int len, Ticketreq *tr) int convPR2M(Passwordreq *pr, char *msg, int len, Ticket *t) int convM2PR(char *msg, int len, Passwordreq *pr, Ticket *t) int _asgetticket(int fd, Ticketreq *tr, char *buf, int len) int _asrequest(int fd, Ticketreq *tr) int _asgetresp(int fd, Ticket *t, Authenticator *a, Authkey *key) int _asrdresp(int fd, char *buf, int len) int _asgetpakkey(int fd, Ticketreq *tr, Authkey *a) void authpak_hash(Authkey *k, char *u) void authpak_new(PAKpriv *p, Authkey *k, uchar y[PAKYLEN], int isclient)
int authpak_finish(PAKpriv *p, Authkey *k, uchar y[PAKYLEN]) |
DESCRIPTION
Authdial dials an authentication server over the network rooted
at net, default /net. The authentication domain, ad, specifies
which server to call. If ad is non–nil, the connection server cs
(see ndb(8)) is queried for an entry which contains authdom=ad
or dom=ad, the former having precedence, and which also
contains an auth attribute. If it finds neither, it tries p9auth.ad
in DNS as the authentication server. The string dialed is then
netroot!server!ticket where server is the value of the auth attribute.
If no entry is found, the error string is set to ``no authentication
server found'' and –1 is returned. If authdom is nil, the
string netroot!$auth!ticket is used to make the call. Passtokey converts password into a set of cryptographic keys and stores them in the Authkey structure key. Readnvram reads authentication information into the structure:
struct Nvrsafe On Sparc, MIPS, and SGI machines this information is in non–volatile ram, accessible in the file #r/nvram. On x86s and Alphas readnvram successively opens the following areas stopping with the first to succeed:
– the partition named by the $nvram environment variable (commonly
set via plan9.ini(8)) The nvcsums of the fields machkey, authid, and authdom must match their respective checksum or that field is zeroed. If flag is NVwrite or at least one checksum fails and flag is NVwriteonerr, readnvram will prompt for new values on #c/cons and then write them back to the storage area. If flag is NVwritemem, readnvram will write the values in *nv back to the storage area. The readcons function prompts the user for a string on the console with a possible default response. The prompt argument points to a string describing what is asked for. The def argument is the default that will be suggested and returned when the user hits enter without tying anything. When raw is non–zero, echo will be disabled on the console. This is used for password prompts. The users anwer is returned as a malloc(2) allocated string. On error, nil is returned. ConvT2M, convA2M, convTR2M, and convPR2M convert tickets, authenticators, ticket requests, and password change request structures into transmittable messages. ConvM2T, convM2A, convM2TR, and convM2PR are used to convert them back. Key is used for encrypting the message before transmission and decrypting after reception. ConvA2M, convM2A, convPR2M and convM2PR encrypt/decrypt the message with the random ticket key. The routine _asgetticket sends a ticket request tr returning the two encrypted tickets in buf. The routine _asrequest encodes the ticket request tr and sends it not waiting for a response. After sending a request, _asgetresp can be used to receive the response containing a ticket and an optional authenticator and decrypts the ticket and authenticator using key. The routine _asrdresp receives either a character array or an error string. On error, it sets errstr and returns –1. If successful, it returns the number of bytes received. Authpak_hash prepares a Authkey structure for a password authenticated key exchange (see authsrv(6)) by calculating the pakhash from a user's aeskey and id u. The fuction hashes the password derived aeskey and user id together using hmac_sha256 and maps the result into two elliptic curve points PN/PM on the Ed448–goldielocks curve using elligator2. Authpak_new generates a new elliptic curve diffie–hellman key pair for a password authenticated key exchange from a previously hashed Authkey structure k. The randomly generated private key is returned in the PAKpriv structure passed in p, while the pakhash encrypted public key is returned in y. Authpak_finish completes a password authenticated key exchange, taking the other sides pakhash encrypted public key y and our private key p returning the shared secret pakkey in the Authkey structure k. The function returns zero on success or non–zero on failure (malformed public key).
The function _asgetpakkey establishes a new shared pakkey between
the us and the authentication server for ticket encryption; using
the functions above; taking a previously hashed Authkey a and
Ticketreq tr and returns the shared pakkey in the Authkey structure.
It is usually called before _asrequest right after
authdial to negotiate bruteforce resistant ticket encryption for
the ticket request that follows (see authsrv(6)). Returns zero
on success, or non–zero on error (authenticatoin server does not
support the AuthPAK request or when we got a malformed public
key). |
SOURCE
/sys/src/libauthsrv |
SEE ALSO
passwd(1), cons(3), dial(2), authsrv(6), |
DIAGNOSTICS
These routines set errstr. Integer–valued functions return –1 on
error. |