AUTHSRV(2) AUTHSRV(2)
NAME
authdial, passtokey, nvcsum, readnvram, readcons, convT2M,
convM2T, convTR2M, convM2TR, convA2M, convM2A, convPR2M,
convM2PR, _asgetticket, _asrequest, _asgetresp, _asrdresp,
_asgetpakkey, authpak_hash, authpak_new, authpak_finish -
routines for communicating with authentication servers
SYNOPSIS
#include <u.h>
#include <libc.h>
#include <authsrv.h>
int authdial(char *netroot, char *ad);
void passtokey(Authkey *key, char *password)
uchar nvcsum(void *mem, int len)
int readnvram(Nvrsafe *nv, int flag);
char* readcons(char *prompt, char *def, int raw);
int convT2M(Ticket *t, char *msg, int len, Authkey *key)
int convM2T(char *msg, int len, Ticket *t, Authkey *key)
int convA2M(Authenticator *a, char *msg, int len, Ticket
*t)
int convM2A(char *msg, int len, Authenticator *a, Ticket
*t)
int convTR2M(Ticketreq *tr, char *msg, int len)
int convM2TR(char *msg, int len, Ticketreq *tr)
int convPR2M(Passwordreq *pr, char *msg, int len, Ticket
*t)
int convM2PR(char *msg, int len, Passwordreq *pr, Ticket
*t)
int _asgetticket(int fd, Ticketreq *tr, char *buf, int
len)
int _asrequest(int fd, Ticketreq *tr)
int _asgetresp(int fd, Ticket *t, Authenticator *a,
Authkey *key)
Page 1 Plan 9 (printed 11/6/25)
AUTHSRV(2) AUTHSRV(2)
int _asrdresp(int fd, char *buf, int len)
int _asgetpakkey(int fd, Ticketreq *tr, Authkey *a)
void authpak_hash(Authkey *k, char *u)
void authpak_new(PAKpriv *p, Authkey *k, uchar
y[PAKYLEN], int isclient)
int authpak_finish(PAKpriv *p, Authkey *k, uchar
y[PAKYLEN])
DESCRIPTION
Authdial dials an authentication server over the network
rooted at net, default /net. The authentication domain, ad,
specifies which server to call. If ad is non-nil, the con-
nection server cs (see ndb(8)) is queried for an entry which
contains authdom=ad or dom=ad, the former having precedence,
and which also contains an auth attribute. If it finds nei-
ther, it tries p9auth.ad in DNS as the authentication
server. The string dialed is then netroot!server!ticket
where server is the value of the auth attribute. If no
entry is found, the error string is set to ``no authentica-
tion server found'' and -1 is returned. If authdom is nil,
the string netroot!$auth!ticket is used to make the call.
Passtokey converts password into a set of cryptographic keys
and stores them in the Authkey structure key.
Readnvram reads authentication information into the struc-
ture:
struct Nvrsafe
{
char machkey[DESKEYLEN];/* was file server's authid's des key */
uchar machsum;
char authkey[DESKEYLEN];/* authid's des key from password */
uchar authsum;
/*
* file server config string of device holding full configuration;
* secstore key on non-file-servers.
*/
char config[CONFIGLEN];
uchar configsum;
char authid[ANAMELEN];/* auth userid, e.g., bootes */
uchar authidsum;
char authdom[DOMLEN]; /* auth domain, e.g., cs.bell-labs.com */
uchar authdomsum;
uchar aesmachkey[AESKEYLEN];
uchar aesmachsum;
};
Page 2 Plan 9 (printed 11/6/25)
AUTHSRV(2) AUTHSRV(2)
On Sparc, MIPS, and SGI machines this information is in
non-volatile ram, accessible in the file #r/nvram. On x86s
and Alphas readnvram successively opens the following areas
stopping with the first to succeed:
- the partition named by the $nvram environment variable
(commonly set via plan9.ini(8))
- the partition #S/sdC0/nvram
- a file called plan9.nvr in the partition #S/sdC0/9fat
- the partition #S/sd00/nvram
- a file called plan9.nvr in the partition #S/sd00/9fat
- a file called plan9.nvr on a DOS floppy in drive 0
- a file called plan9.nvr on a DOS floppy in drive 1
The nvcsums of the fields machkey, authid, and authdom must
match their respective checksum or that field is zeroed. If
flag is NVwrite or at least one checksum fails and flag is
NVwriteonerr, readnvram will prompt for new values on
#c/cons and then write them back to the storage area. If
flag is NVwritemem, readnvram will write the values in *nv
back to the storage area.
The readcons function prompts the user for a string on the
console with a possible default response. The prompt argu-
ment points to a string describing what is asked for. The
def argument is the default that will be suggested and
returned when the user hits enter without tying anything.
When raw is non-zero, echo will be disabled on the console.
This is used for password prompts. The users anwer is
returned as a malloc(2) allocated string. On error, nil is
returned.
ConvT2M, convA2M, convTR2M, and convPR2M convert tickets,
authenticators, ticket requests, and password change request
structures into transmittable messages. ConvM2T, convM2A,
convM2TR, and convM2PR are used to convert them back. Key
is used for encrypting the message before transmission and
decrypting after reception. ConvA2M, convM2A, convPR2M and
convM2PR encrypt/decrypt the message with the random ticket
key.
The routine _asgetticket sends a ticket request tr returning
the two encrypted tickets in buf. The routine _asrequest
encodes the ticket request tr and sends it not waiting for a
response. After sending a request, _asgetresp can be used
to receive the response containing a ticket and an optional
authenticator and decrypts the ticket and authenticator
using key. The routine _asrdresp receives either a character
array or an error string. On error, it sets errstr and
returns -1. If successful, it returns the number of bytes
received.
Page 3 Plan 9 (printed 11/6/25)
AUTHSRV(2) AUTHSRV(2)
Authpak_hash prepares a Authkey structure for a password
authenticated key exchange (see authsrv(6)) by calculating
the pakhash from a user's aeskey and id u. The fuction
hashes the password derived aeskey and user id together
using hmac_sha256 and maps the result into two elliptic
curve points PN/PM on the Ed448-goldielocks curve using
elligator2.
Authpak_new generates a new elliptic curve diffie-hellman
key pair for a password authenticated key exchange from a
previously hashed Authkey structure k. The randomly gener-
ated private key is returned in the PAKpriv structure passed
in p, while the pakhash encrypted public key is returned in
y.
Authpak_finish completes a password authenticated key
exchange, taking the other sides pakhash encrypted public
key y and our private key p returning the shared secret pak-
key in the Authkey structure k. The function returns zero on
success or non-zero on failure (malformed public key).
The function _asgetpakkey establishes a new shared pakkey
between the us and the authentication server for ticket
encryption; using the functions above; taking a previously
hashed Authkey a and Ticketreq tr and returns the shared
pakkey in the Authkey structure. It is usually called before
_asrequest right after authdial to negotiate bruteforce
resistant ticket encryption for the ticket request that fol-
lows (see authsrv(6)). Returns zero on success, or non-zero
on error (authenticatoin server does not support the AuthPAK
request or when we got a malformed public key).
SOURCE
/sys/src/libauthsrv
SEE ALSO
passwd(1), cons(3), dial(2), authsrv(6),
DIAGNOSTICS
These routines set errstr. Integer-valued functions return
-1 on error.
Page 4 Plan 9 (printed 11/6/25)