xref: /freebsd/usr.sbin/keyserv/setkey.c (revision 830940567b49bb0c08dfaed40418999e76616909)
1 /*
2  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3  * unrestricted use provided that this legend is included on all tape
4  * media and as a part of the software program in whole or part.  Users
5  * may copy or modify Sun RPC without charge, but are not authorized
6  * to license or distribute it to anyone else except as part of a product or
7  * program developed by the user.
8  *
9  * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10  * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11  * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
12  *
13  * Sun RPC is provided with no support and without any obligation on the
14  * part of Sun Microsystems, Inc. to assist in its use, correction,
15  * modification or enhancement.
16  *
17  * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18  * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19  * OR ANY PART THEREOF.
20  *
21  * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22  * or profits or other special, indirect and consequential damages, even if
23  * Sun has been advised of the possibility of such damages.
24  *
25  * Sun Microsystems, Inc.
26  * 2550 Garcia Avenue
27  * Mountain View, California  94043
28  */
29 
30 #ifndef lint
31 #if 0
32 static char sccsid[] = "@(#)setkey.c	1.11	94/04/25 SMI";
33 #endif
34 static const char rcsid[] =
35   "$FreeBSD$";
36 #endif /* not lint */
37 
38 /*
39  * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
40  */
41 
42 /*
43  * Do the real work of the keyserver.
44  * Store secret keys. Compute common keys,
45  * and use them to decrypt and encrypt DES keys.
46  * Cache the common keys, so the expensive computation is avoided.
47  */
48 #include <mp.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52 #include <unistd.h>
53 #include <sys/types.h>
54 #include <rpc/rpc.h>
55 #include <rpc/key_prot.h>
56 #include <rpc/des_crypt.h>
57 #include <rpc/des.h>
58 #include <sys/errno.h>
59 #include "keyserv.h"
60 
61 static MINT *MODULUS;
62 static char *fetchsecretkey( uid_t );
63 static void writecache( char *, char *, des_block * );
64 static int readcache( char *, char *, des_block * );
65 static void extractdeskey( MINT *, des_block * );
66 static int storesecretkey( uid_t, keybuf );
67 static keystatus pk_crypt( uid_t, char *, netobj *, des_block *, int);
68 static int nodefaultkeys = 0;
69 
70 
71 /*
72  * prohibit the nobody key on this machine k (the -d flag)
73  */
74 void
75 pk_nodefaultkeys()
76 {
77 	nodefaultkeys = 1;
78 }
79 
80 /*
81  * Set the modulus for all our Diffie-Hellman operations
82  */
83 void
84 setmodulus(modx)
85 	char *modx;
86 {
87 	MODULUS = mp_xtom(modx);
88 }
89 
90 /*
91  * Set the secretkey key for this uid
92  */
93 keystatus
94 pk_setkey(uid, skey)
95 	uid_t uid;
96 	keybuf skey;
97 {
98 	if (!storesecretkey(uid, skey)) {
99 		return (KEY_SYSTEMERR);
100 	}
101 	return (KEY_SUCCESS);
102 }
103 
104 /*
105  * Encrypt the key using the public key associated with remote_name and the
106  * secret key associated with uid.
107  */
108 keystatus
109 pk_encrypt(uid, remote_name, remote_key, key)
110 	uid_t uid;
111 	char *remote_name;
112 	netobj	*remote_key;
113 	des_block *key;
114 {
115 	return (pk_crypt(uid, remote_name, remote_key, key, DES_ENCRYPT));
116 }
117 
118 /*
119  * Decrypt the key using the public key associated with remote_name and the
120  * secret key associated with uid.
121  */
122 keystatus
123 pk_decrypt(uid, remote_name, remote_key, key)
124 	uid_t uid;
125 	char *remote_name;
126 	netobj *remote_key;
127 	des_block *key;
128 {
129 	return (pk_crypt(uid, remote_name, remote_key, key, DES_DECRYPT));
130 }
131 
132 static int store_netname( uid_t, key_netstarg * );
133 static int fetch_netname( uid_t, key_netstarg * );
134 
135 keystatus
136 pk_netput(uid, netstore)
137 	uid_t uid;
138 	key_netstarg *netstore;
139 {
140 	if (!store_netname(uid, netstore)) {
141 		return (KEY_SYSTEMERR);
142 	}
143 	return (KEY_SUCCESS);
144 }
145 
146 keystatus
147 pk_netget(uid, netstore)
148 	uid_t uid;
149 	key_netstarg *netstore;
150 {
151 	if (!fetch_netname(uid, netstore)) {
152 		return (KEY_SYSTEMERR);
153 	}
154 	return (KEY_SUCCESS);
155 }
156 
157 
158 /*
159  * Do the work of pk_encrypt && pk_decrypt
160  */
161 static keystatus
162 pk_crypt(uid, remote_name, remote_key, key, mode)
163 	uid_t uid;
164 	char *remote_name;
165 	netobj *remote_key;
166 	des_block *key;
167 	int mode;
168 {
169 	char *xsecret;
170 	char xpublic[1024];
171 	char xsecret_hold[1024];
172 	des_block deskey;
173 	int err;
174 	MINT *public;
175 	MINT *secret;
176 	MINT *common;
177 	char zero[8];
178 
179 	xsecret = fetchsecretkey(uid);
180 	if (xsecret == NULL || xsecret[0] == 0) {
181 		memset(zero, 0, sizeof (zero));
182 		xsecret = xsecret_hold;
183 		if (nodefaultkeys)
184 			return (KEY_NOSECRET);
185 
186 		if (!getsecretkey("nobody", xsecret, zero) || xsecret[0] == 0) {
187 			return (KEY_NOSECRET);
188 		}
189 	}
190 	if (remote_key) {
191 		memcpy(xpublic, remote_key->n_bytes, remote_key->n_len);
192 	} else {
193 		bzero((char *)&xpublic, sizeof(xpublic));
194 		if (!getpublickey(remote_name, xpublic)) {
195 			if (nodefaultkeys || !getpublickey("nobody", xpublic))
196 				return (KEY_UNKNOWN);
197 		}
198 	}
199 
200 	if (!readcache(xpublic, xsecret, &deskey)) {
201 		public = mp_xtom(xpublic);
202 		secret = mp_xtom(xsecret);
203 		/* Sanity Check on public and private keys */
204 		if ((public == NULL) || (secret == NULL))
205 			return (KEY_SYSTEMERR);
206 
207 		common = mp_itom(0);
208 		mp_pow(public, secret, MODULUS, common);
209 		extractdeskey(common, &deskey);
210 		writecache(xpublic, xsecret, &deskey);
211 		mp_mfree(secret);
212 		mp_mfree(public);
213 		mp_mfree(common);
214 	}
215 	err = ecb_crypt((char *)&deskey, (char *)key, sizeof (des_block),
216 		DES_HW | mode);
217 	if (DES_FAILED(err)) {
218 		return (KEY_SYSTEMERR);
219 	}
220 	return (KEY_SUCCESS);
221 }
222 
223 keystatus
224 pk_get_conv_key(uid, xpublic, result)
225 	uid_t uid;
226 	keybuf xpublic;
227 	cryptkeyres *result;
228 {
229 	char *xsecret;
230 	char xsecret_hold[1024];
231 	MINT *public;
232 	MINT *secret;
233 	MINT *common;
234 	char zero[8];
235 
236 
237 	xsecret = fetchsecretkey(uid);
238 
239 	if (xsecret == NULL || xsecret[0] == 0) {
240 		memset(zero, 0, sizeof (zero));
241 		xsecret = xsecret_hold;
242 		if (nodefaultkeys)
243 			return (KEY_NOSECRET);
244 
245 		if (!getsecretkey("nobody", xsecret, zero) ||
246 			xsecret[0] == 0)
247 			return (KEY_NOSECRET);
248 	}
249 
250 	if (!readcache(xpublic, xsecret, &result->cryptkeyres_u.deskey)) {
251 		public = mp_xtom(xpublic);
252 		secret = mp_xtom(xsecret);
253 		/* Sanity Check on public and private keys */
254 		if ((public == NULL) || (secret == NULL))
255 			return (KEY_SYSTEMERR);
256 
257 		common = mp_itom(0);
258 		mp_pow(public, secret, MODULUS, common);
259 		extractdeskey(common, &result->cryptkeyres_u.deskey);
260 		writecache(xpublic, xsecret, &result->cryptkeyres_u.deskey);
261 		mp_mfree(secret);
262 		mp_mfree(public);
263 		mp_mfree(common);
264 	}
265 
266 	return (KEY_SUCCESS);
267 }
268 
269 /*
270  * Choose middle 64 bits of the common key to use as our des key, possibly
271  * overwriting the lower order bits by setting parity.
272  */
273 static void
274 extractdeskey(ck, deskey)
275 	MINT *ck;
276 	des_block *deskey;
277 {
278 	MINT *a;
279 	short r;
280 	int i;
281 	short base = (1 << 8);
282 	char *k;
283 
284 	a = mp_itom(0);
285 #ifdef SOLARIS_MP
286 	_mp_move(ck, a);
287 #else
288 	mp_move(ck, a);
289 #endif
290 	for (i = 0; i < ((KEYSIZE - 64) / 2) / 8; i++) {
291 		mp_sdiv(a, base, a, &r);
292 	}
293 	k = deskey->c;
294 	for (i = 0; i < 8; i++) {
295 		mp_sdiv(a, base, a, &r);
296 		*k++ = r;
297 	}
298 	mp_mfree(a);
299 	des_setparity((char *)deskey);
300 }
301 
302 /*
303  * Key storage management
304  */
305 
306 #define	KEY_ONLY 0
307 #define	KEY_NAME 1
308 struct secretkey_netname_list {
309 	uid_t uid;
310 	key_netstarg keynetdata;
311 	u_char sc_flag;
312 	struct secretkey_netname_list *next;
313 };
314 
315 
316 
317 static struct secretkey_netname_list *g_secretkey_netname;
318 
319 /*
320  * Store the keys and netname for this uid
321  */
322 static int
323 store_netname(uid, netstore)
324 	uid_t uid;
325 	key_netstarg *netstore;
326 {
327 	struct secretkey_netname_list *new;
328 	struct secretkey_netname_list **l;
329 
330 	for (l = &g_secretkey_netname; *l != NULL && (*l)->uid != uid;
331 			l = &(*l)->next) {
332 	}
333 	if (*l == NULL) {
334 		new = (struct secretkey_netname_list *)malloc(sizeof (*new));
335 		if (new == NULL) {
336 			return (0);
337 		}
338 		new->uid = uid;
339 		new->next = NULL;
340 		*l = new;
341 	} else {
342 		new = *l;
343 		if (new->keynetdata.st_netname)
344 			(void) free (new->keynetdata.st_netname);
345 	}
346 	memcpy(new->keynetdata.st_priv_key, netstore->st_priv_key,
347 		HEXKEYBYTES);
348 	memcpy(new->keynetdata.st_pub_key, netstore->st_pub_key, HEXKEYBYTES);
349 
350 	if (netstore->st_netname)
351 		new->keynetdata.st_netname = strdup(netstore->st_netname);
352 	else
353 		new->keynetdata.st_netname = (char *)NULL;
354 	new->sc_flag = KEY_NAME;
355 	return (1);
356 
357 }
358 
359 /*
360  * Fetch the keys and netname for this uid
361  */
362 
363 static int
364 fetch_netname(uid, key_netst)
365 	uid_t uid;
366 	struct key_netstarg *key_netst;
367 {
368 	struct secretkey_netname_list *l;
369 
370 	for (l = g_secretkey_netname; l != NULL; l = l->next) {
371 		if ((l->uid == uid) && (l->sc_flag == KEY_NAME)){
372 
373 			memcpy(key_netst->st_priv_key,
374 				l->keynetdata.st_priv_key, HEXKEYBYTES);
375 
376 			memcpy(key_netst->st_pub_key,
377 				l->keynetdata.st_pub_key, HEXKEYBYTES);
378 
379 			if (l->keynetdata.st_netname)
380 				key_netst->st_netname =
381 					strdup(l->keynetdata.st_netname);
382 			else
383 				key_netst->st_netname = NULL;
384 		return (1);
385 		}
386 	}
387 
388 	return (0);
389 }
390 
391 static char *
392 fetchsecretkey(uid)
393 	uid_t uid;
394 {
395 	struct secretkey_netname_list *l;
396 
397 	for (l = g_secretkey_netname; l != NULL; l = l->next) {
398 		if (l->uid == uid) {
399 			return (l->keynetdata.st_priv_key);
400 		}
401 	}
402 	return (NULL);
403 }
404 
405 /*
406  * Store the secretkey for this uid
407  */
408 static int
409 storesecretkey(uid, key)
410 	uid_t uid;
411 	keybuf key;
412 {
413 	struct secretkey_netname_list *new;
414 	struct secretkey_netname_list **l;
415 
416 	for (l = &g_secretkey_netname; *l != NULL && (*l)->uid != uid;
417 			l = &(*l)->next) {
418 	}
419 	if (*l == NULL) {
420 		new = (struct secretkey_netname_list *) malloc(sizeof (*new));
421 		if (new == NULL) {
422 			return (0);
423 		}
424 		new->uid = uid;
425 		new->sc_flag = KEY_ONLY;
426 		memset(new->keynetdata.st_pub_key, 0, HEXKEYBYTES);
427 		new->keynetdata.st_netname = NULL;
428 		new->next = NULL;
429 		*l = new;
430 	} else {
431 		new = *l;
432 	}
433 
434 	memcpy(new->keynetdata.st_priv_key, key,
435 		HEXKEYBYTES);
436 	return (1);
437 }
438 
439 static int
440 hexdigit(val)
441 	int val;
442 {
443 	return ("0123456789abcdef"[val]);
444 }
445 
446 void
447 bin2hex(bin, hex, size)
448 	unsigned char *bin;
449 	unsigned char *hex;
450 	int size;
451 {
452 	int i;
453 
454 	for (i = 0; i < size; i++) {
455 		*hex++ = hexdigit(*bin >> 4);
456 		*hex++ = hexdigit(*bin++ & 0xf);
457 	}
458 }
459 
460 static int
461 hexval(dig)
462 	char dig;
463 {
464 	if ('0' <= dig && dig <= '9') {
465 		return (dig - '0');
466 	} else if ('a' <= dig && dig <= 'f') {
467 		return (dig - 'a' + 10);
468 	} else if ('A' <= dig && dig <= 'F') {
469 		return (dig - 'A' + 10);
470 	} else {
471 		return (-1);
472 	}
473 }
474 
475 void
476 hex2bin(hex, bin, size)
477 	unsigned char *hex;
478 	unsigned char *bin;
479 	int size;
480 {
481 	int i;
482 
483 	for (i = 0; i < size; i++) {
484 		*bin = hexval(*hex++) << 4;
485 		*bin++ |= hexval(*hex++);
486 	}
487 }
488 
489 /*
490  * Exponential caching management
491  */
492 struct cachekey_list {
493 	keybuf secret;
494 	keybuf public;
495 	des_block deskey;
496 	struct cachekey_list *next;
497 };
498 static struct cachekey_list *g_cachedkeys;
499 
500 /*
501  * cache result of expensive multiple precision exponential operation
502  */
503 static void
504 writecache(pub, sec, deskey)
505 	char *pub;
506 	char *sec;
507 	des_block *deskey;
508 {
509 	struct cachekey_list *new;
510 
511 	new = (struct cachekey_list *) malloc(sizeof (struct cachekey_list));
512 	if (new == NULL) {
513 		return;
514 	}
515 	memcpy(new->public, pub, sizeof (keybuf));
516 	memcpy(new->secret, sec, sizeof (keybuf));
517 	new->deskey = *deskey;
518 	new->next = g_cachedkeys;
519 	g_cachedkeys = new;
520 }
521 
522 /*
523  * Try to find the common key in the cache
524  */
525 static int
526 readcache(pub, sec, deskey)
527 	char *pub;
528 	char *sec;
529 	des_block *deskey;
530 {
531 	struct cachekey_list *found;
532 	register struct cachekey_list **l;
533 
534 #define	cachehit(pub, sec, list)	\
535 		(memcmp(pub, (list)->public, sizeof (keybuf)) == 0 && \
536 		memcmp(sec, (list)->secret, sizeof (keybuf)) == 0)
537 
538 	for (l = &g_cachedkeys; (*l) != NULL && !cachehit(pub, sec, *l);
539 		l = &(*l)->next)
540 		;
541 	if ((*l) == NULL) {
542 		return (0);
543 	}
544 	found = *l;
545 	(*l) = (*l)->next;
546 	found->next = g_cachedkeys;
547 	g_cachedkeys = found;
548 	*deskey = found->deskey;
549 	return (1);
550 }
551