1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26 /*
27 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
28 */
29
30 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
31 /* All Rights Reserved */
32
33 /*
34 * Portions of this source code were derived from Berkeley 4.3 BSD
35 * under license from the Regents of the University of California.
36 */
37
38 /*
39 * publickey.c
40 *
41 *
42 * Public and Private (secret) key lookup routines. These functions
43 * are used by the secure RPC auth_des flavor to get the public and
44 * private keys for secure RPC principals. Originally designed to
45 * talk only to YP, AT&T modified them to talk to files, and now
46 * they can also talk to NIS+. The policy for these lookups is now
47 * defined in terms of the nameservice switch as follows :
48 * publickey: nis files
49 *
50 */
51 #include "mt.h"
52 #include "../rpc/rpc_mt.h"
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <syslog.h>
57 #include <assert.h>
58 #include <sys/types.h>
59 #include <pwd.h>
60 #include "nsswitch.h"
61 #include <rpc/rpc.h>
62 #include <rpc/key_prot.h>
63 #include <rpcsvc/nis.h>
64 #include <rpcsvc/ypclnt.h>
65 #include <rpcsvc/nis_dhext.h>
66 #include <thread.h>
67 #include "../nis/gen/nis_clnt.h"
68 #include <nss_dbdefs.h>
69
70
71 static const char *PKMAP = "publickey.byname";
72 static const char *PKFILE = "/etc/publickey";
73 static const char dh_caps_str[] = "DH";
74 static const char des_caps_str[] = AUTH_DES_AUTH_TYPE;
75
76 static char *netname2hashname(const char *, char *, int, keylen_t,
77 algtype_t);
78
79 #define WORKBUFSIZE 1024
80
81 extern int xdecrypt();
82
83 extern int __yp_match_cflookup(char *, char *, char *, int, char **,
84 int *, int *);
85
86
87 /*
88 * default publickey policy:
89 * publickey: nis [NOTFOUND = return] files
90 */
91
92
93 /* NSW_NOTSUCCESS NSW_NOTFOUND NSW_UNAVAIL NSW_TRYAGAIN */
94 #define DEF_ACTION {__NSW_RETURN, __NSW_RETURN, __NSW_CONTINUE, __NSW_CONTINUE}
95
96 static struct __nsw_lookup lookup_files = {"files", DEF_ACTION, NULL, NULL},
97 lookup_nis = {"nis", DEF_ACTION, NULL, &lookup_files};
98 static struct __nsw_switchconfig publickey_default =
99 {0, "publickey", 2, &lookup_nis};
100
101 #ifndef NUL
102 #define NUL '\0'
103 #endif
104
105 extern mutex_t serialize_pkey;
106
107 static int extract_secret();
108
109 /*
110 * db_root is used for switch backends.
111 */
112 static DEFINE_NSS_DB_ROOT(db_root);
113
114 /*
115 * str2key
116 */
117 /* ARGSUSED */
118 static int
str2key(const char * instr,int lenstr,void * ent,char * buffer,int buflen)119 str2key(const char *instr, int lenstr,
120 void *ent, char *buffer, int buflen) {
121 if (lenstr + 1 > buflen)
122 return (NSS_STR_PARSE_ERANGE);
123 /*
124 * We copy the input string into the output buffer
125 */
126 (void) memcpy(buffer, instr, lenstr);
127 buffer[lenstr] = '\0';
128
129 return (NSS_STR_PARSE_SUCCESS);
130 }
131 /*
132 * These functions are the "backends" for the switch for public keys. They
133 * get both the public and private keys from each of the supported name
134 * services (nis, files). They are passed the appropriate parameters
135 * and return 0 if unsuccessful with *errp set, or 1 when they got just the
136 * public key and 3 when they got both the public and private keys.
137 *
138 *
139 * getkey_nis()
140 *
141 * Internal implementation of getpublickey() using NIS (aka Yellow Pages,
142 * aka YP).
143 *
144 * NOTE : *** this function returns nsswitch codes and _not_ the
145 * value returned by getpublickey.
146 */
147 static int
getkeys_nis(int * errp,char * netname,char * pkey,char * skey,char * passwd)148 getkeys_nis(int *errp, char *netname, char *pkey, char *skey, char *passwd)
149 {
150 char *domain;
151 char *keyval = NULL;
152 int keylen, err, r = 0;
153 char *p;
154 int len;
155
156 p = strchr(netname, '@');
157 if (!p) {
158 *errp = __NSW_UNAVAIL;
159 return (0);
160 }
161
162 domain = ++p;
163
164
165 /*
166 * Instead of calling yp_match(), we use __yp_match_cflookup() here
167 * which has time-out control for the binding operation to nis
168 * servers.
169 */
170 err = __yp_match_cflookup(domain, (char *)PKMAP, netname,
171 strlen(netname), &keyval, &keylen, 0);
172
173 switch (err) {
174 case YPERR_KEY :
175 if (keyval)
176 free(keyval);
177 *errp = __NSW_NOTFOUND;
178 return (0);
179 default :
180 if (keyval)
181 free(keyval);
182 *errp = __NSW_UNAVAIL;
183 return (0);
184 case 0:
185 break;
186 }
187
188 p = strchr(keyval, ':');
189 if (p == NULL) {
190 free(keyval);
191 *errp = __NSW_NOTFOUND;
192 return (0);
193 }
194 *p = 0;
195 if (pkey) {
196 len = strlen(keyval);
197 if (len > HEXKEYBYTES) {
198 free(keyval);
199 *errp = __NSW_NOTFOUND;
200 return (0);
201 }
202 (void) strcpy(pkey, keyval);
203 }
204 r = 1;
205 p++;
206 if (skey && extract_secret(p, skey, passwd))
207 r |= 2;
208 free(keyval);
209 *errp = __NSW_SUCCESS;
210 return (r);
211 }
212
213 /*
214 * getkey_files()
215 *
216 * The files version of getpublickey. This function attempts to
217 * get the publickey from the file PKFILE .
218 *
219 * This function defines the format of the /etc/publickey file to
220 * be :
221 * netname <whitespace> publickey:privatekey
222 *
223 * NOTE : *** this function returns nsswitch codes and _not_ the
224 * value returned by getpublickey.
225 */
226
227 static int
getkeys_files(int * errp,char * netname,char * pkey,char * skey,char * passwd)228 getkeys_files(int *errp, char *netname, char *pkey, char *skey, char *passwd)
229 {
230 char *mkey;
231 char *mval;
232 char buf[WORKBUFSIZE];
233 int r = 0;
234 char *res;
235 FILE *fd;
236 char *p;
237 char *lasts;
238
239 fd = fopen(PKFILE, "rF");
240 if (fd == NULL) {
241 *errp = __NSW_UNAVAIL;
242 return (0);
243 }
244
245 /* Search through the file linearly :-( */
246 while ((res = fgets(buf, WORKBUFSIZE, fd)) != NULL) {
247
248 if ((res[0] == '#') || (res[0] == '\n'))
249 continue;
250 else {
251 mkey = strtok_r(buf, "\t ", &lasts);
252 if (mkey == NULL) {
253 syslog(LOG_INFO,
254 "getpublickey: Bad record in %s for %s",
255 PKFILE, netname);
256 continue;
257 }
258 mval = strtok_r(NULL, " \t#\n", &lasts);
259 if (mval == NULL) {
260 syslog(LOG_INFO,
261 "getpublickey: Bad record in %s for %s",
262 PKFILE, netname);
263 continue;
264 }
265 /* NOTE : Case insensitive compare. */
266 if (strcasecmp(mkey, netname) == 0) {
267 p = strchr(mval, ':');
268 if (p == NULL) {
269 syslog(LOG_INFO,
270 "getpublickey: Bad record in %s for %s",
271 PKFILE, netname);
272 continue;
273 }
274
275 *p = 0;
276 if (pkey) {
277 int len = strlen(mval);
278
279 if (len > HEXKEYBYTES) {
280 syslog(LOG_INFO,
281 "getpublickey: Bad record in %s for %s",
282 PKFILE, netname);
283 continue;
284 }
285 (void) strcpy(pkey, mval);
286 }
287 r = 1;
288 p++;
289 if (skey && extract_secret(p, skey, passwd))
290 r |= 2;
291 (void) fclose(fd);
292 *errp = __NSW_SUCCESS;
293 return (r);
294 }
295 }
296 }
297
298 (void) fclose(fd);
299 *errp = __NSW_NOTFOUND;
300 return (0);
301 }
302
303 /*
304 * getpublickey(netname, key)
305 *
306 * This is the actual exported interface for this function.
307 */
308
309 int
__getpublickey_cached(char * netname,char * pkey,int * from_cache)310 __getpublickey_cached(char *netname, char *pkey, int *from_cache)
311 {
312 return (__getpublickey_cached_g(netname, KEYSIZE, 0, pkey,
313 HEXKEYBYTES+1, from_cache));
314 }
315
316 int
getpublickey(const char * netname,char * pkey)317 getpublickey(const char *netname, char *pkey)
318 {
319 return (__getpublickey_cached((char *)netname, pkey, (int *)0));
320 }
321
322 void
__getpublickey_flush(const char * netname)323 __getpublickey_flush(const char *netname)
324 {
325 __getpublickey_flush_g(netname, 192, 0);
326 }
327
328 int
getsecretkey(const char * netname,char * skey,const char * passwd)329 getsecretkey(const char *netname, char *skey, const char *passwd)
330 {
331 return (getsecretkey_g(netname, KEYSIZE, 0, skey, HEXKEYBYTES+1,
332 passwd));
333 }
334
335 /*
336 * Routines to cache publickeys.
337 */
338
339
340 /*
341 * Generic DH (any size keys) version of extract_secret.
342 */
343 static int
extract_secret_g(char * raw,char * private,int prilen,char * passwd,char * netname,keylen_t keylen,algtype_t algtype)344 extract_secret_g(
345 char *raw, /* in */
346 char *private, /* out */
347 int prilen, /* in */
348 char *passwd, /* in */
349 char *netname, /* in */
350 keylen_t keylen, /* in */
351 algtype_t algtype) /* in */
352
353 {
354 char *buf = malloc(strlen(raw) + 1); /* private tmp buf */
355 char *p;
356
357 if (!buf || !passwd || !raw || !private || !prilen ||
358 !VALID_KEYALG(keylen, algtype)) {
359 if (private)
360 *private = NUL;
361 if (buf)
362 free(buf);
363 return (0);
364 }
365
366 (void) strcpy(buf, raw);
367
368 /* strip off pesky colon if it exists */
369 p = strchr(buf, ':');
370 if (p) {
371 *p = 0;
372 }
373
374 /* raw buf has chksum appended, so let's verify it too */
375 if (!xdecrypt_g(buf, keylen, algtype, passwd, netname, TRUE)) {
376 private[0] = 0;
377 free(buf);
378 return (1); /* yes, return 1 even if xdecrypt fails */
379 }
380
381 if (strlen(buf) >= prilen) {
382 private[0] = 0;
383 free(buf);
384 return (0);
385 }
386
387 (void) strcpy(private, buf);
388 free(buf);
389 return (1);
390 }
391
392 /*
393 * extract_secret()
394 *
395 * This generic function will extract the private key
396 * from a string using the given password. Note that
397 * it uses the DES based function xdecrypt()
398 */
399 static int
extract_secret(char * raw,char * private,char * passwd)400 extract_secret(char *raw, char *private, char *passwd)
401 {
402 return (extract_secret_g(raw, private, HEXKEYBYTES+1, passwd,
403 NULL, KEYSIZE, 0));
404 }
405
406 /*
407 * getkeys_ldap_g()
408 *
409 * Fetches the key pair from LDAP. This version handles any size
410 * DH keys.
411 */
412
413 void
_nss_initf_publickey(nss_db_params_t * p)414 _nss_initf_publickey(nss_db_params_t *p)
415 {
416 p->name = NSS_DBNAM_PUBLICKEY;
417 p->default_config = NSS_DEFCONF_PUBLICKEY;
418 }
419
420
421 static int
getkeys_ldap_g(int * err,char * netname,char * pkey,int pkeylen,char * skey,int skeylen,char * passwd,keylen_t keylen,algtype_t algtype)422 getkeys_ldap_g(
423 int *err, /* in */
424 char *netname, /* in */
425 char *pkey, /* out */
426 int pkeylen, /* in */
427 char *skey, /* out */
428 int skeylen, /* in */
429 char *passwd, /* in */
430 keylen_t keylen, /* in */
431 algtype_t algtype) /* in */
432 {
433 int r = 0;
434 char *p;
435 char keytypename[NIS_MAXNAMELEN+1];
436 int len;
437 const bool_t classic_des = AUTH_DES_KEY(keylen, algtype);
438 int rc = 0;
439 nss_XbyY_args_t arg;
440 nss_XbyY_buf_t *buf = NULL;
441 char *keyval;
442
443 NSS_XbyY_ALLOC(&buf, 0, NSS_BUFLEN_PUBLICKEY);
444
445 NSS_XbyY_INIT(&arg, buf->result, buf->buffer, buf->buflen, str2key);
446 arg.key.pkey.name = netname;
447
448 /*
449 * LDAP stores the public and secret key info in entries using
450 * nisKeyObject objectclass. Each key is tagged with the
451 * keytype, keylength, and algorithm. The tag has the following
452 * format: {<keytype><keylength>-<algorithm>}. For example,
453 * {DH192-0}.
454 */
455 if (classic_des)
456 (void) strcpy(keytypename, "{DH192-0}");
457 else
458 (void) sprintf(keytypename, "{%s%d-%d}",
459 dh_caps_str, keylen, algtype);
460 arg.key.pkey.keytype = keytypename;
461
462 if (nss_search(&db_root, _nss_initf_publickey, NSS_DBOP_KEYS_BYNAME,
463 &arg) != NSS_SUCCESS) {
464 NSS_XbyY_FREE(&buf);
465 *err = __NSW_NOTFOUND;
466 return (0);
467 }
468 keyval = buf->buffer;
469 p = strchr(keyval, ':');
470 if (p == NULL) {
471 NSS_XbyY_FREE(&buf);
472 *err = __NSW_NOTFOUND;
473 return (0);
474 }
475 *p = 0;
476 if (pkey) {
477 len = strlen(keyval);
478 if (len > HEXKEYBYTES) {
479 NSS_XbyY_FREE(&buf);
480 *err = __NSW_NOTFOUND;
481 return (0);
482 }
483 (void) strcpy(pkey, keyval);
484 }
485 r = 1;
486 p++;
487 if (skey && extract_secret(p, skey, passwd))
488 r |= 2;
489 NSS_XbyY_FREE(&buf);
490 *err = __NSW_SUCCESS;
491 return (r);
492 }
493
494
495 /*
496 * Convert a netname to a name we will hash on. For classic_des,
497 * just copy netname as is. But for new and improved ("now in
498 * new longer sizes!") DHEXT, add a ":keylen-algtype" suffix to hash on.
499 *
500 * Returns the hashname string on success or NULL on failure.
501 */
502 static char *
netname2hashname(const char * netname,char * hashname,int bufsiz,keylen_t keylen,algtype_t algtype)503 netname2hashname(
504 const char *netname,
505 char *hashname,
506 int bufsiz,
507 keylen_t keylen,
508 algtype_t algtype)
509 {
510 const bool_t classic_des = AUTH_DES_KEY(keylen, algtype);
511
512 if (!netname || !hashname || !bufsiz)
513 return (NULL);
514
515 if (classic_des) {
516 if (bufsiz > strlen(netname))
517 (void) strcpy(hashname, netname);
518 else
519 return (NULL);
520 } else {
521 char tmp[128];
522 (void) sprintf(tmp, ":%d-%d", keylen, algtype);
523 if (bufsiz > (strlen(netname) + strlen(tmp)))
524 (void) sprintf(hashname, "%s%s", netname, tmp);
525 else
526 return (NULL);
527 }
528
529 return (hashname);
530 }
531
532 /*
533 * Flush netname's publickey of the given key length and algorithm type.
534 */
535 void
__getpublickey_flush_g(const char * netname,keylen_t keylen,algtype_t algtype)536 __getpublickey_flush_g(const char *netname, keylen_t keylen, algtype_t algtype)
537 {
538 char *p, hashname[MAXNETNAMELEN+1];
539 p = netname2hashname(netname, hashname, MAXNETNAMELEN, keylen, algtype);
540 }
541
542 /*
543 * Generic DH (any size keys) version of __getpublickey_cached.
544 */
545 int
__getpublickey_cached_g(const char netname[],keylen_t keylen,algtype_t algtype,char * pkey,size_t pkeylen,int * from_cache)546 __getpublickey_cached_g(const char netname[], /* in */
547 keylen_t keylen, /* in */
548 algtype_t algtype, /* in */
549 char *pkey, /* out */
550 size_t pkeylen, /* in */
551 int *from_cache) /* in/out */
552 {
553 int needfree = 1, res, err;
554 struct __nsw_switchconfig *conf;
555 struct __nsw_lookup *look;
556 enum __nsw_parse_err perr;
557 const bool_t classic_des = AUTH_DES_KEY(keylen, algtype);
558 int retry_cache = 0;
559
560 if (!netname || !pkey)
561 return (0);
562
563 conf = __nsw_getconfig("publickey", &perr);
564 if (!conf) {
565 conf = &publickey_default;
566 needfree = 0;
567 }
568 for (look = conf->lookups; look; look = look->next) {
569 if (strcmp(look->service_name, "ldap") == 0) {
570 res = getkeys_ldap_g(&err, (char *)netname,
571 pkey, pkeylen, NULL, 0, NULL,
572 keylen, algtype);
573 /* long DH keys will not be in nis or files */
574 } else if (classic_des &&
575 strcmp(look->service_name, "nis") == 0)
576 res = getkeys_nis(&err, (char *)netname, pkey,
577 NULL, NULL);
578 else if (classic_des &&
579 strcmp(look->service_name, "files") == 0)
580 res = getkeys_files(&err, (char *)netname, pkey,
581 NULL, NULL);
582 else {
583 syslog(LOG_INFO, "Unknown publickey nameservice '%s'",
584 look->service_name);
585 err = __NSW_UNAVAIL;
586 res = 0;
587 }
588
589 switch (look->actions[err]) {
590 case __NSW_CONTINUE :
591 continue;
592 case __NSW_RETURN :
593 if (needfree)
594 __nsw_freeconfig(conf);
595 return ((res & 1) != 0);
596 default :
597 syslog(LOG_INFO, "Unknown action for nameservice %s",
598 look->service_name);
599 }
600 }
601
602 if (needfree)
603 __nsw_freeconfig(conf);
604 return (0);
605 }
606
607
608
609 /*
610 * Generic (all sizes) DH version of getpublickey.
611 */
612 int
getpublickey_g(const char * netname,int keylen,int algtype,char * pkey,size_t pkeylen)613 getpublickey_g(
614 const char *netname, /* in */
615 int keylen, /* in */
616 int algtype, /* in */
617 char *pkey, /* out */
618 size_t pkeylen) /* in */
619 {
620 return (__getpublickey_cached_g(netname, keylen, algtype, pkey,
621 pkeylen, (int *)0));
622 }
623
624 /*
625 * Generic (all sizes) DH version of getsecretkey_g.
626 */
627 int
getsecretkey_g(const char * netname,keylen_t keylen,algtype_t algtype,char * skey,size_t skeylen,const char * passwd)628 getsecretkey_g(
629 const char *netname, /* in */
630 keylen_t keylen, /* in */
631 algtype_t algtype, /* in */
632 char *skey, /* out */
633 size_t skeylen, /* in */
634 const char *passwd) /* in */
635 {
636 int needfree = 1, res, err;
637 struct __nsw_switchconfig *conf;
638 struct __nsw_lookup *look;
639 enum __nsw_parse_err perr;
640 const bool_t classic_des = AUTH_DES_KEY(keylen, algtype);
641
642 if (!netname || !skey || !skeylen)
643 return (0);
644
645 conf = __nsw_getconfig("publickey", &perr);
646
647 if (!conf) {
648 conf = &publickey_default;
649 needfree = 0;
650 }
651
652 for (look = conf->lookups; look; look = look->next) {
653 if (strcmp(look->service_name, "ldap") == 0)
654 res = getkeys_ldap_g(&err, (char *)netname,
655 NULL, 0, skey, skeylen,
656 (char *)passwd, keylen, algtype);
657 /* long DH keys will not be in nis or files */
658 else if (classic_des && strcmp(look->service_name, "nis") == 0)
659 res = getkeys_nis(&err, (char *)netname,
660 NULL, skey, (char *)passwd);
661 else if (classic_des &&
662 strcmp(look->service_name, "files") == 0)
663 res = getkeys_files(&err, (char *)netname,
664 NULL, skey, (char *)passwd);
665 else {
666 syslog(LOG_INFO, "Unknown publickey nameservice '%s'",
667 look->service_name);
668 err = __NSW_UNAVAIL;
669 res = 0;
670 }
671 switch (look->actions[err]) {
672 case __NSW_CONTINUE :
673 continue;
674 case __NSW_RETURN :
675 if (needfree)
676 __nsw_freeconfig(conf);
677 return ((res & 2) != 0);
678 default :
679 syslog(LOG_INFO, "Unknown action for nameservice %s",
680 look->service_name);
681 }
682 }
683 if (needfree)
684 __nsw_freeconfig(conf);
685 return (0);
686 }
687