[Indigo]<Cedar5.3>RPC>RPCSecurity.mesa!1

RPC: Authentication and security facilities

RPCSecurity.mesa

Andrew Birrell September 7, 1983 4:33 pm

DIRECTORY

BasicTime USING[ earliestGMT, GetClockPulses, Now, Period ],

BufferDefs USING[ PupBuffer ],

ConvertUnsafe USING[ ToRope ],

DESFace,

GVNames USING[ AuthenticateKey, CheckStamp ],

PrincOpsUtils USING[ IsBound, LongCOPY ],

PrincOps USING[ PsbNull ],

PupDefs USING[ AnyLocalPupAddress, PupRouterSendThis, ReturnFreePupBuffer],

PupTypes USING[ PupAddress ],

Rope USING[ Flatten, Length, Text ],

RPC USING[ AuthenticateFailed, Conversation, ConversationLevel, EncryptionKey, maxPrincipalLength, Principal, SecurityLevel, unencrypted ],

RPCInternal USING[ Authenticator, AuthenticatorObject, ConversationObject ],

RPCLupine USING[ DataLength, Dispatcher, GetStubPkt, Header, pktOverhead, RPCPkt, StubPkt ],

RPCPkt USING[ CallCount, ConnectionID, ConversationID, DispatcherDetails, Header, Machine, PktConversationID, PktExchange, PktID, pktLengthOverhead, SetupResponse ],

RPCPrivate USING[ rpcSocket, ReturnBuffer ];

RPCSecurity: MONITOR

IMPORTS BasicTime, ConvertUnsafe, DESFace, GVNames, PrincOpsUtils, PupDefs, Rope, RPC, RPCLupine, RPCPkt, RPCPrivate

EXPORTS RPC--encryption stuff--, RPCInternal--GetAuthenticator--, RPCLupine

SHARES RPCLupine =

BEGIN

Header: PUBLIC TYPE = RPCPkt.Header;

ConcreteHeader: PROC[abstract: LONG POINTER TO RPCLupine.Header]

RETURNS[LONG POINTER TO Header] = INLINE

{ RETURN[ abstract ] };

GiveBackBuffer: PROC[b: BufferDefs.PupBuffer] =

NOTE: calls of this must be made outside our monitor, because

RPCPrivate.ReturnBuffer acquires the EthernetDriver monitor,

and the EthernetDriver may call EnqueueRecvd which acquires

our monitor!

IF PrincOpsUtils.IsBound[RPCPrivate.ReturnBuffer]

THEN RPCPrivate.ReturnBuffer

ELSE PupDefs.ReturnFreePupBuffer;

CopyPrincipal: PROC[from: RPC.Principal, to: LONG POINTER] =

BEGIN

flat: Rope.Text = Rope.Flatten[from];

text: LONG POINTER TO TEXT = LOOPHOLE[flat];

PrincOpsUtils.LongCOPY[from: LOOPHOLE[text], to: to, nwords: SIZE[StringBody[text.length]]];

END;

-- ******** Conversation management ******** --

ConversationID: PUBLIC TYPE = RPCPkt.ConversationID;

ConversationObject: PUBLIC TYPE = RPCInternal.ConversationObject;

Conversation: TYPE = REF ConversationObject;

lastConversation: ConversationID;

firstConversation: PUBLIC RPCPkt.PktConversationID;

GenerateConversation: PUBLIC SAFE PROC RETURNS[conversation: Conversation] = TRUSTED

{ RETURN[EntryGenerate[none, , NIL, NIL, DESFace.nullKey, NIL]] };

EntryGenerate: ENTRY PROC[ level: RPC.SecurityLevel,

iv: DESFace.IV,

originator, responder: RPC.Principal,

convKey: DESFace.Key,

auth: RPCInternal.Authenticator]

RETURNS[ conversation: Conversation ] =

BEGIN

lastConversation.count.ls ← lastConversation.count.ls+1;

IF lastConversation.count.ls = 0

THEN lastConversation.count.ms ← lastConversation.count.ms+1;

conversation ← AddConversation[lastConversation,

level, iv, originator, responder,

convKey, auth];

END;

AuthenticatorLayout: TYPE = MACHINE DEPENDENT RECORD[

Contents of an authenticator when it's not encrypted

ky(0): DESFace.Key,

kySpare(4): DESFace.Key, -- space for larger keys! --

ck(8): DESFace.Key,

ckSpare(12): DESFace.Key, -- space for larger keys! --

time(16): LONG CARDINAL,

a(18): StringBody

];

BadConversationLevel: ERROR = CODE;

StartConversation: PUBLIC SAFE PROC[caller: RPC.Principal,

key: RPC.EncryptionKey,

callee: RPC.Principal,

level: RPC.ConversationLevel]

RETURNS[conversation: Conversation] = TRUSTED

BEGIN

authenticator: RPCInternal.Authenticator;

convKey: DESFace.Key;

iv: DESFace.IV;

IF level NOT IN RPC.ConversationLevel THEN ERROR BadConversationLevel[];

[authenticator, convKey, iv] ← Authenticate[caller, key, callee];

RETURN[ EntryGenerate[level, iv, caller, callee, convKey, authenticator] ]

END;

Authenticate: PROC[caller: RPC.Principal, key: RPC.EncryptionKey,

callee: RPC.Principal]

RETURNS[ authenticator: RPCInternal.Authenticator,

convKey: DESFace.Key,

iv: DESFace.IV] =

BEGIN

-- TEMP: This entire procedure should use a secure R-Server protocol! --

nBlks: CARDINAL = ( SIZE[AuthenticatorLayout] -

SIZE[StringBody[0]] +

SIZE[StringBody[caller.Length[]]] +

SIZE[DESFace.Block]-1 --rounding-- ) / SIZE[DESFace.Block];

IF caller.Length[] > RPC.maxPrincipalLength THEN ERROR RPC.AuthenticateFailed[badCaller];

IF callee.Length[] > RPC.maxPrincipalLength THEN ERROR RPC.AuthenticateFailed[badCallee];

SELECT GVNames.AuthenticateKey[caller, key] FROM

group, notFound => ERROR RPC.AuthenticateFailed[badCaller];

allDown => ERROR RPC.AuthenticateFailed[communications];

badPwd => ERROR RPC.AuthenticateFailed[badKey];

ENDCASE => NULL;

SELECT GVNames.CheckStamp[callee] FROM

group, notFound => ERROR RPC.AuthenticateFailed[badCallee];

allDown => ERROR RPC.AuthenticateFailed[communications];

ENDCASE => NULL;

iv ← DESFace.GetRandomIV[];

authenticator ← NEW[RPCInternal.AuthenticatorObject[nBlks]];

BEGIN

-- TEMP: construct authenticator in clear ourselves! --

kb: DESFace.Key ← DESFace.nullKey -- !!! --;

authRec: LONG POINTER TO AuthenticatorLayout = LOOPHOLE[@authenticator[0]];

authRec.ky ← DESFace.GetRandomKey[];

authRec.ck ← convKey ← DESFace.GetRandomKey[];

authRec.time ← 0;

CopyPrincipal[from: caller, to: @(authRec.a)];

DESFace.CorrectParity[@kb];

DESFace.EncryptBlock[key: kb,

from: LOOPHOLE[@authRec.ck],

to: LOOPHOLE[@authRec.ck] ];

DESFace.CBCCheckEncrypt[key: authRec.ky,

nBlks: nBlks-2,

from: LOOPHOLE[@authRec.ck],

to: LOOPHOLE[@authRec.ck],

seed: [0,0,0,0] ];

DESFace.EncryptBlock[key: kb,

from: LOOPHOLE[@authRec.ky],

to: LOOPHOLE[@authRec.ky] ];

END;

ConvHashKey: TYPE = [0..127];

conversations: REF ARRAY ConvHashKey OF Conversation =

NEW[ARRAY ConvHashKey OF Conversation ← ALL[NIL]];

InconsistentHashTable: ERROR = CODE;

EntryAddConversation: ENTRY PROC[ id: ConversationID,

level: RPC.SecurityLevel,

iv: DESFace.IV,

originator, responder: RPC.Principal,

convKey: DESFace.Key,

auth: RPCInternal.Authenticator]

RETURNS[ conversation: Conversation ] = INLINE

{ RETURN[AddConversation[id, level, iv, originator, responder, convKey, auth]] };

AddConversation: INTERNAL PROC[ id: ConversationID,

level: RPC.SecurityLevel,

iv: DESFace.IV,

originator, responder: RPC.Principal,

convKey: DESFace.Key,

auth: RPCInternal.Authenticator]

RETURNS[ conversation: Conversation ] =

BEGIN

hash: ConvHashKey = id.count.ls MOD SUCC[LAST[ConvHashKey]];

prev: Conversation ← NIL;

conversation ← conversations[hash];

DO SELECT TRUE FROM

conversation = NIL =>

BEGIN

conversation ← NEW[ConversationObject ←

[ NIL,

id,

level,

convKey,

iv,

originator,

responder,

auth] ];

IF prev = NIL

THEN conversations[hash] ← conversation

ELSE prev.next ← conversation;

EXIT;

END;

conversation.id = id =>

{ EXIT -- already there --};

ENDCASE => { prev ← conversation; conversation ← conversation.next };

ENDLOOP;

END;

UnknownConversation: ERROR = CODE;

EndConversation: PUBLIC ENTRY SAFE PROC[conversation: Conversation] = TRUSTED

BEGIN

hash: ConvHashKey = conversation.id.count.ls MOD SUCC[LAST[ConvHashKey]];

prev: Conversation ← NIL;

old: Conversation ← conversations[hash];

IF conversation.id.originator # myHost THEN RETURN WITH ERROR UnknownConversation[];

DO SELECT TRUE FROM

old = NIL => RETURN WITH ERROR UnknownConversation[];

old = conversation =>

BEGIN

IF prev = NIL

THEN conversations[hash] ← conversation.next

ELSE prev.next ← conversation.next;

EXIT;

END;

ENDCASE => { prev ← old; old ← old.next };

ENDLOOP;

END;

InvalidateConversations: INTERNAL PROC =

BEGIN

Invalidate conversations for which we are the originator, such that client will get an error if he uses them.

FOR hash: ConvHashKey IN ConvHashKey

DO FOR conversation: Conversation ← conversations[hash], conversation.next

UNTIL conversation = NIL

DO IF conversation.id.originator = myHost THEN conversation.id.originator ← [[0],[0]];

ENDLOOP;

END;

GetConversationID: PUBLIC ENTRY SAFE PROC[conversation: Conversation]

RETURNS[id: ConversationID] = TRUSTED

{ RETURN[ IF conversation = NIL

THEN [[[0],[0]],[0,0]]

ELSE conversation.id ] };

GetCaller: PUBLIC ENTRY SAFE PROC[conversation: Conversation]

RETURNS[ RPC.Principal ] = TRUSTED

{ RETURN[ IF conversation = NIL THEN NIL ELSE conversation.originator ] };

GetLevel: PUBLIC ENTRY SAFE PROC[conversation: Conversation]

RETURNS[ level: RPC.SecurityLevel ] = TRUSTED

{ RETURN[ IF conversation = NIL THEN none ELSE conversation.level ] };

-- ******** Packet encryption and decryption ******** --

encryptedHeaderLength: CARDINAL =

SIZE[RPCPkt.PktID] + SIZE[RPCPkt.DispatcherDetails];

Check: TYPE = LONG CARDINAL; -- cipher checksum at end of packet --

-- bottom 2 bits indicate block rounding; remaining 30 bits should be 0 --

EncryptPkt: PUBLIC PROC[pkt: RPCLupine.RPCPkt, l: RPCLupine.DataLength]

RETURNS[CARDINAL] =

BEGIN

header: LONG POINTER TO RPCPkt.Header = @pkt.header;

conv: Conversation = pkt.convHandle;

IF conv # NIL AND conv.level # none AND conv.level # authOnly

THEN BEGIN

words: CARDINAL = l -- stub data words -- +

encryptedHeaderLength +

SIZE[Check];

nBlks: CARDINAL = (words + SIZE[DESFace.Block]-1 -- round up --)

/ SIZE[DESFace.Block];

blocks: DESFace.Blocks = LOOPHOLE[@header.pktID];

checkPtr: LONG POINTER TO Check =

LOOPHOLE[@blocks[nBlks] - SIZE[Check]];

checkPtr^ ← nBlks * SIZE[DESFace.Block] - words;

SELECT conv.level FROM

ECB => DESFace.ECBEncrypt[conv.key, nBlks,

blocks,

blocks];

CBC => DESFace.CBCEncrypt[conv.key, nBlks,

blocks,

conv.iv];

CBCCheck => DESFace.CBCCheckEncrypt[conv.key, nBlks,

blocks,

conv.iv];

ENDCASE => ERROR;

RETURN[nBlks * SIZE[DESFace.Block] -

encryptedHeaderLength +

RPCPkt.pktLengthOverhead]

END

ELSE RETURN[l + RPCPkt.pktLengthOverhead]

END;

DecryptPkt: PUBLIC PROC[header: LONG POINTER TO RPCPkt.Header,

convHandle: Conversation]

RETURNS[ok: BOOLEAN, l: RPCLupine.DataLength] =

BEGIN

ok ← TRUE;

IF convHandle # NIL AND convHandle.level # none AND convHandle.level # authOnly

THEN BEGIN

nBlks: CARDINAL = (header.length - RPCPkt.pktLengthOverhead +

encryptedHeaderLength)

/ SIZE[DESFace.Block];

blocks: DESFace.Blocks = LOOPHOLE[@header.pktID];

checkPtr: LONG POINTER TO Check =

LOOPHOLE[@blocks[nBlks] - SIZE[Check]];

SELECT convHandle.level FROM

ECB => DESFace.ECBDecrypt[convHandle.key, nBlks,

blocks,

blocks];

CBC => DESFace.CBCDecrypt[convHandle.key, nBlks,

blocks,

convHandle.iv];

CBCCheck => DESFace.CBCCheckDecrypt[convHandle.key, nBlks,

blocks,

convHandle.iv];

ENDCASE => ERROR;

IF checkPtr^ IN [0..SIZE[DESFace.Block])

THEN l ← nBlks * SIZE[DESFace.Block] -

checkPtr^ -

SIZE[Check] -

encryptedHeaderLength

ELSE ok ← FALSE;

END

ELSE l ← header.length - RPCPkt.pktLengthOverhead;

END;

-- ******** Requests-For-Authenticator's (RFA's) ******** --

RFARequest: TYPE = MACHINE DEPENDENT RECORD[

conversationID, {pktID}CK, nonceID

callerConv(0): RPCPkt.PktConversationID,

callerPktID(2): RPCPkt.PktID -- still encrypted --,

nonceID(6): LONG CARDINAL -- nominated by requester --];

RFAResponse: TYPE = MACHINE DEPENDENT RECORD[

{iv, connectionID, callCount, nonceID+1}CK,

null, authScheme, authLength, authenticator, callee.

The initial part is encrypted with CBC using a zero IV.

iv(0): DESFace.IV,

connection(4): RPCPkt.ConnectionID,

call(8): RPCPkt.CallCount,

nonceID(10): LONG CARDINAL,

-- ends here if callee originated the conversation --

level(12): RPC.SecurityLevel,

-- ends here if level = none --

authLength(13): CARDINAL, -- length of authenticator (words) --

authenticator(14): AuthenticatorLayout

-- followed by Callee principal name --

];

responseCKBlocks: CARDINAL = 12 / SIZE[DESFace.Block];

Size of {iv, connectionID, callCount, nonceID+1}

rfaDataLength: RPCLupine.DataLength = SIZE[RFAResponse] - SIZE[StringBody[0]] +

2 * SIZE[StringBody[RPC.maxPrincipalLength]];

myHost: RPCPkt.Machine;

GetConnectionState: PUBLIC PROC[ decrypted: BOOLEAN,

callPkt: RPCLupine.RPCPkt]

RETURNS[ ok: BOOLEAN,

id: RPCPkt.ConnectionID,

call: RPCPkt.CallCount,

conv: Conversation,

l: RPCLupine.DataLength] =

BEGIN

The RFA packet looks a lot like the first packet of a new call.

The response, a data packet, will look a lot like the result of

this call.

callHeader: LONG POINTER TO Header = @callPkt.header;

rfaPktSpace: ARRAY [1..rfaDataLength + RPCLupine.pktOverhead] OF WORD;

rfaPkt: RPCLupine.StubPkt = RPCLupine.GetStubPkt[@rfaPktSpace];

myNonceID: LONG CARDINAL = BasicTime.GetClockPulses[];

request: LONG POINTER TO RFARequest = LOOPHOLE[LONG[@(rfaPkt[0])]];

response: LONG POINTER TO RFAResponse = LOOPHOLE[LONG[@(rfaPkt[0])]];

rfaHeader: LONG POINTER TO Header = @rfaPkt.header;

request.callerConv ← callHeader.conv;

request.callerPktID ← callHeader.pktID; --still encrypted--

request.nonceID ← myNonceID;

rfaPkt.convHandle ← RPC.unencrypted;

rfaHeader^ ← ConcreteHeader[@callPkt.header]^;

RPCPkt.SetupResponse[rfaHeader];

rfaHeader.conv ← firstConversation;

rfaHeader.pktID.activity ← 0;

-- rfaHeader.pktID.callSeq will be set by PktExchange --

rfaHeader.pktID.pktSeq ← 0;

BEGIN

responseLength: RPCLupine.DataLength ←

RPCPkt.PktExchange[rfaPkt, SIZE[RFARequest], rfaDataLength, authReq].newLength;

IF responseLength < SIZE[RFAResponse] - SIZE[AuthenticatorLayout]

THEN { ok ← FALSE; RETURN };

END;

IF response.level = none

THEN { l ← callHeader.length - RPCPkt.pktLengthOverhead; conv ← NIL }

ELSE BEGIN

response = {IV,cond,call,nonce}CK,,{KY}KB,{{CK}KB,time,A}KY

--TEMP-- kb: DESFace.Key ← DESFace.nullKey -- !!! --;

DESFace.CorrectParity[@kb];

DESFace.DecryptBlock[key: kb,

from: LOOPHOLE[@response.authenticator.ky],

to: LOOPHOLE[@response.authenticator.ky] ];

DESFace.CBCCheckDecrypt[key: response.authenticator.ky,

nBlks: response.authLength/SIZE[DESFace.Block] - 2,

from: LOOPHOLE[@response.authenticator.ck],

to: LOOPHOLE[@response.authenticator.ck],

seed: [0,0,0,0] ];

DESFace.DecryptBlock[key: kb,

from: LOOPHOLE[@response.authenticator.ck],

to: LOOPHOLE[@response.authenticator.ck] ];

DESFace.CBCCheckDecrypt[key: response.authenticator.ck,

nBlks: responseCKBlocks,

from: LOOPHOLE[response],

to: LOOPHOLE[response],

seed: [0,0,0,0] ];

conv ← EntryAddConversation[

-- Construct a ConversationID from a PktConversationID --

[IF response.connection.conv.originator = caller

THEN response.connection.caller

ELSE myHost,

[response.connection.conv.ls, response.connection.conv.ms]],

response.level,

response.iv,

ConvertUnsafe.ToRope[@response.authenticator.a],

NIL,

response.authenticator.ck,

NIL ];

callPkt.convHandle ← conv;

IF NOT decrypted

THEN BEGIN

ok: BOOLEAN;

[ok, l] ← DecryptPkt[callHeader, conv];

IF NOT ok THEN { ok ← FALSE; RETURN };

END;

correctness of nonceID means he knows CK.

IF response.nonceID # myNonceID+1 THEN { ok ← FALSE; RETURN };

IF response.connection # [

callHeader.conv, callHeader.srceHost, callHeader.pktID.activity]

THEN { ok ← FALSE; RETURN };

IF response.call # callHeader.pktID.callSeq THEN { ok ← FALSE; RETURN };

RETURN[TRUE, response.connection, response.call, conv, l];

END;

ReplyToRFA: PUBLIC PROC[b: BufferDefs.PupBuffer,

callHeader: LONG POINTER TO RPCPkt.Header, -- encrypted --

callPktID: RPCPkt.PktID -- clear --,

convHandle: Conversation]

RETURNS[BOOLEAN] =

BEGIN

-- Remember BufferDefs.PupBuffer's don't look like RPCLupine.RPCPkt's! --

recvdHeader: LONG POINTER TO RPCPkt.Header = LOOPHOLE[@b.pupLength];

-- copy request out of buffer to avoid overwriting our args! --

request: RFARequest = LOOPHOLE[recvdHeader+SIZE[RPCPkt.Header],

LONG POINTER TO RFARequest]^;

response: LONG POINTER TO RFAResponse = LOOPHOLE[recvdHeader+SIZE[RPCPkt.Header]];

used: CARDINAL ← SIZE[RFAResponse] - SIZE[AuthenticatorLayout];

IF request.callerConv # callHeader.conv OR request.callerPktID # callHeader.pktID

THEN { GiveBackBuffer[b]; RETURN[FALSE] };

response.connection ← [callHeader.conv, callHeader.srceHost, callPktID.activity];

response.call ← callPktID.callSeq;

response.nonceID ← request.nonceID+1;

IF callHeader.conv = firstConversation

THEN response.level ← none

ELSE BEGIN

IF callHeader.conv.originator = callee THEN --TEMP--ERROR;

response.level ← convHandle.level;

response.iv ← convHandle.iv;

DESFace.CBCCheckEncrypt[key: convHandle.key,

nBlks: responseCKBlocks,

from: LOOPHOLE[response],

to: LOOPHOLE[response],

seed: [0,0,0,0] ];

response.authLength ← convHandle.authenticator.nBlks * SIZE[DESFace.Block];

PrincOpsUtils.LongCOPY[from: @convHandle.authenticator[0],

to: @response.authenticator,

nwords: response.authLength];

used ← used + response.authLength;

CopyPrincipal[from: convHandle.originator,

to: @response.authenticator+response.authLength];

used ← used + SIZE[StringBody[convHandle.originator.Length[]]];

END;

BEGIN

header: Header ← recvdHeader^;

RPCPkt.SetupResponse[@header];

header.length ← RPCPkt.pktLengthOverhead + used;

header.oddByte ← no;

header.type ← [0,rpc,end,dontAck,data];

header.pktID.pktSeq ← header.pktID.pktSeq+1;

header.srceHost ← myHost;

header.srceSoc ← RPCPrivate.rpcSocket;

header.srcePSB ← PrincOps.PsbNull;

recvdHeader^ ← header;

END;

PupDefs.PupRouterSendThis[b];

RETURN[TRUE]

END;

-- Initialization --

Initialize: ENTRY PROC =

BEGIN

myAddr: PupTypes.PupAddress ←

PupDefs.AnyLocalPupAddress[RPCPrivate.rpcSocket];

now: MACHINE DEPENDENT RECORD[ls: CARDINAL, spare: [0..1], ms: [0..77777B]] =

LOOPHOLE[BasicTime.Period[from: BasicTime.earliestGMT, to: BasicTime.Now[]]];

firstHandle: Conversation;

myHost ← [myAddr.net, myAddr.host];

lastConversation ← [originator: myHost, count:[ls: now.ls, ms: now.ms] ];

Use first available conversationID for unencrypted conversations.

firstHandle ← AddConversation[lastConversation, none, , NIL, NIL,

DESFace.nullKey, NIL];

firstConversation ← [ls: firstHandle.id.count.ls, originator: caller,

ms: firstHandle.id.count.ms];

END;

Restart: ENTRY PROC =

BEGIN

InvalidateConversations[];

END;

DO Initialize[]; STOP; Restart[]; ENDLOOP;

END.