1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2017 Joyent Inc 24 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 29 /* All Rights Reserved */ 30 31 /* 32 * University Copyright- Copyright (c) 1982, 1986, 1988 33 * The Regents of the University of California 34 * All Rights Reserved 35 * 36 * University Acknowledgment- Portions of this document are derived from 37 * software developed by the University of California, Berkeley, and its 38 * contributors. 39 */ 40 41 /* 42 * keyserv - server for storing private encryption keys 43 * keyserv(8) performs multiple functions: it stores secret keys per uid; it 44 * performs public key encryption and decryption operations; and it generates 45 * "random" keys. keyserv(8) will talk to no one but a local root process on 46 * the local transport only. 47 */ 48 49 #include <stdio.h> 50 #include <stdio_ext.h> 51 #include <stdlib.h> 52 #include <sys/types.h> 53 #include <sys/stat.h> 54 #include <sys/uio.h> 55 #include <unistd.h> 56 #include <string.h> 57 #include <deflt.h> 58 #include <rpc/rpc.h> 59 #include <sys/param.h> 60 #include <sys/file.h> 61 #include <sys/resource.h> 62 #include <pwd.h> 63 #include <rpc/des_crypt.h> 64 #include <rpc/key_prot.h> 65 #include <thread.h> 66 #include "rpc/svc_mt.h" 67 #include <rpcsvc/nis_dhext.h> 68 #include <syslog.h> 69 #include <libscf.h> 70 #include <sys/debug.h> 71 72 #include "debug.h" 73 #include "keyserv_cache.h" 74 75 #ifdef KEYSERV_RANDOM 76 extern long random(); 77 #endif 78 79 extern keystatus pk_setkey(); 80 extern keystatus pk_encrypt(); 81 extern keystatus pk_decrypt(); 82 extern keystatus pk_netput(); 83 extern keystatus pk_netget(); 84 extern keystatus pk_get_conv_key(); 85 extern bool_t svc_get_local_cred(); 86 87 extern keystatus pk_setkey3(); 88 extern keystatus pk_encrypt3(); 89 extern keystatus pk_decrypt3(); 90 extern keystatus pk_netput3(); 91 extern keystatus pk_netget3(); 92 extern keystatus pk_get_conv_key3(); 93 extern keystatus pk_clear3(); 94 95 extern int init_mechs(); 96 extern int addmasterkey(); 97 extern int storeotherrootkeys(); 98 extern int setdeskeyarray(); 99 100 extern int getdomainname(); 101 102 static void randomize(); 103 static void usage(); 104 static void defaults(); 105 static int getrootkey(); 106 static int get_cache_size(char *); 107 static bool_t get_auth(); 108 109 #ifdef DEBUG 110 extern int test_debug(); 111 extern int real_debug(); 112 int debugging = 1; 113 #else 114 int debugging = 0; 115 #endif 116 117 static void keyprogram(); 118 static des_block masterkey; 119 char *getenv(); 120 static char ROOTKEY[] = "/etc/.rootkey"; 121 122 static char *defaults_file = "/etc/default/keyserv"; 123 static int use_nobody_keys = TRUE; 124 125 /* 126 * Hack to allow the keyserver to use AUTH_DES. The only functions 127 * that get called are key_encryptsession_pk, key_decryptsession_pk, 128 * and key_gendes. 129 * 130 * The approach is to have the keyserver fill in pointers to local 131 * implementations of these functions, and to call those in key_call(). 132 */ 133 134 bool_t __key_encrypt_pk_2_svc(); 135 bool_t __key_decrypt_pk_2_svc(); 136 bool_t __key_gen_1_svc(); 137 138 extern bool_t (*__key_encryptsession_pk_LOCAL)(); 139 extern bool_t (*__key_decryptsession_pk_LOCAL)(); 140 extern bool_t (*__key_gendes_LOCAL)(); 141 142 static int nthreads = 32; 143 144 /* Disk caching of common keys on by default */ 145 int disk_caching = 1; 146 147 mechanism_t **mechs; 148 149 /* 150 * The default size for all types of mech. 151 * positive integers denote multiples of 1MB 152 * negative integers denote number of entries 153 * same goes for non-null entries in cache_size 154 */ 155 static int default_cache = 1; 156 157 int *cache_size; 158 char **cache_options; 159 160 int 161 main(int argc, char *argv[]) 162 { 163 int sflag = 0, s1flag = 0, s2flag = 0, nflag = 0, dflag = 0, eflag = 0; 164 char *options, *value; 165 extern char *optarg; 166 extern int optind; 167 int c, d; 168 struct rlimit rl; 169 int mode = RPC_SVC_MT_AUTO; 170 int maxrecsz = RPC_MAXDATASIZE; 171 172 void detachfromtty(void); 173 int setmodulus(); 174 int pk_nodefaultkeys(); 175 int svc_create_local_service(); 176 177 char domainname[MAXNETNAMELEN + 1]; 178 179 /* 180 * Set our allowed number of file descriptors to the max 181 * of what the system will allow, limited by FD_SETSIZE. 182 */ 183 if (getrlimit(RLIMIT_NOFILE, &rl) == 0) { 184 rlim_t limit; 185 186 if ((limit = rl.rlim_max) > FD_SETSIZE) 187 limit = FD_SETSIZE; 188 rl.rlim_cur = limit; 189 (void) setrlimit(RLIMIT_NOFILE, &rl); 190 (void) enable_extended_FILE_stdio(-1, -1); 191 } 192 193 __key_encryptsession_pk_LOCAL = &__key_encrypt_pk_2_svc; 194 __key_decryptsession_pk_LOCAL = &__key_decrypt_pk_2_svc; 195 __key_gendes_LOCAL = &__key_gen_1_svc; 196 197 /* 198 * Pre-option initialisation 199 */ 200 (void) umask(066); /* paranoia */ 201 if (geteuid() != 0) { 202 (void) fprintf(stderr, "%s must be run as root\n", argv[0]); 203 exit(1); 204 } 205 setmodulus(HEXMODULUS); 206 openlog("keyserv", LOG_PID, LOG_DAEMON); 207 208 /* 209 * keyserv will not work with a null domainname. 210 */ 211 if (getdomainname(domainname, MAXNETNAMELEN+1) || 212 (domainname[0] == '\0')) { 213 syslog(LOG_ERR, "could not get a valid domainname.\n"); 214 exit(SMF_EXIT_ERR_CONFIG); 215 } 216 217 /* 218 * Initialise security mechanisms 219 */ 220 cache_size = NULL; 221 cache_options = NULL; 222 if (init_mechs() == -1) { 223 disk_caching = 0; 224 } 225 226 defaults(); 227 228 while ((c = getopt(argc, argv, "ndDet:cs:")) != -1) 229 switch (c) { 230 case 'n': 231 nflag++; 232 break; 233 case 'd': 234 dflag++; 235 use_nobody_keys = FALSE; 236 break; 237 case 'e': 238 eflag++; 239 use_nobody_keys = TRUE; 240 break; 241 case 'D': 242 debugging = 1; 243 break; 244 case 't': 245 nthreads = atoi(optarg); 246 break; 247 case 'c': 248 disk_caching = 0; 249 break; 250 case 's': 251 if (!disk_caching) { 252 fprintf(stderr, "missing configuration file"); 253 fprintf(stderr, " or -c option specified\n"); 254 usage(); 255 } 256 sflag++; 257 /* 258 * Which version of [-s] do we have...? 259 */ 260 if (strchr((const char *) optarg, '=') == NULL) { 261 /* 262 * -s <size> 263 */ 264 if (s1flag) { 265 fprintf(stderr, "duplicate" 266 " [-s <size>]\n"); 267 usage(); 268 } 269 s1flag++; 270 default_cache = get_cache_size(optarg); 271 break; 272 } 273 /* 274 * -s <mechtype>=<size>[,...] 275 */ 276 s2flag++; 277 options = optarg; 278 while (*options != '\0') { 279 d = getsubopt(&options, cache_options, &value); 280 if (d == -1) { 281 /* Ignore unknown mechtype */ 282 continue; 283 } 284 if (value == NULL) { 285 fprintf(stderr, 286 "missing cache size for " 287 "mechtype %s\n", cache_options[d]); 288 usage(); 289 } 290 cache_size[d] = get_cache_size(value); 291 } 292 break; 293 default: 294 usage(); 295 break; 296 } 297 298 299 if (dflag && eflag) { 300 (void) fprintf(stderr, "specify only one of -d and -e\n"); 301 usage(); 302 } 303 304 if (use_nobody_keys == FALSE) { 305 pk_nodefaultkeys(); 306 } 307 308 if (optind != argc) { 309 usage(); 310 } 311 312 if (!disk_caching && sflag) { 313 fprintf(stderr, "missing configuration file"); 314 fprintf(stderr, " or -c option specified\n"); 315 usage(); 316 } 317 318 if (debugging) { 319 if (disk_caching) { 320 char **cpp = cache_options; 321 int *ip = cache_size; 322 (void) fprintf(stderr, "default disk cache size: "); 323 if (default_cache < 0) { 324 (void) fprintf(stderr, "%d entries\n", 325 abs(default_cache)); 326 } else { 327 (void) fprintf(stderr, "%dMB\n", default_cache); 328 } 329 330 (void) fprintf(stderr, "supported mechanisms:\n"); 331 (void) fprintf(stderr, "\talias\t\tdisk cache size\n"); 332 (void) fprintf(stderr, "\t=====\t\t===============\n"); 333 while (*cpp != NULL) { 334 (void) fprintf(stderr, "\t%s\t\t", *cpp++); 335 if (*ip < 0) { 336 (void) fprintf(stderr, "%d entries\n", 337 abs(*ip)); 338 } else { 339 (void) fprintf(stderr, "%dMB\n", *ip); 340 } 341 ip++; 342 } 343 } else { 344 (void) fprintf(stderr, 345 "common key disk caching disabled\n"); 346 } 347 } 348 /* 349 * Post-option initialisation 350 */ 351 if (disk_caching) { 352 int i; 353 for (i = 0; mechs[i]; i++) { 354 if ((AUTH_DES_COMPAT_CHK(mechs[i])) || 355 (mechs[i]->keylen < 0) || (mechs[i]->algtype < 0)) 356 continue; 357 create_cache_file(mechs[i]->keylen, mechs[i]->algtype, 358 cache_size[i] ? cache_size[i] : default_cache); 359 } 360 } 361 getrootkey(&masterkey, nflag); 362 363 /* 364 * Set MT mode 365 */ 366 if (nthreads > 0) { 367 (void) rpc_control(RPC_SVC_MTMODE_SET, &mode); 368 (void) rpc_control(RPC_SVC_THRMAX_SET, &nthreads); 369 } 370 371 /* 372 * Enable non-blocking mode and maximum record size checks for 373 * connection oriented transports. 374 */ 375 if (!rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrecsz)) { 376 syslog(LOG_INFO, "unable to set max RPC record size"); 377 } 378 379 if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS, 380 "netpath", "keyserv") == 0) { 381 syslog(LOG_ERR, 382 "%s: unable to create service for version %d\n", 383 argv[0], KEY_VERS); 384 exit(1); 385 } 386 387 if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS2, 388 "netpath", "keyserv") == 0) { 389 syslog(LOG_ERR, 390 "%s: unable to create service for version %d\n", 391 argv[0], KEY_VERS2); 392 exit(1); 393 } 394 395 if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS3, 396 "netpath", "keyserv") == 0) { 397 syslog(LOG_ERR, 398 "%s: unable to create service for version %d\n", 399 argv[0], KEY_VERS3); 400 exit(1); 401 } 402 403 if (!debugging) { 404 detachfromtty(); 405 } 406 407 if (svc_create(keyprogram, KEY_PROG, KEY_VERS, "door") == 0) { 408 syslog(LOG_ERR, 409 "%s: unable to create service over doors for version %d\n", 410 argv[0], KEY_VERS); 411 exit(1); 412 } 413 414 if (svc_create(keyprogram, KEY_PROG, KEY_VERS2, "door") == 0) { 415 syslog(LOG_ERR, 416 "%s: unable to create service over doors for version %d\n", 417 argv[0], KEY_VERS2); 418 exit(1); 419 } 420 421 if (svc_create(keyprogram, KEY_PROG, KEY_VERS3, "door") == 0) { 422 syslog(LOG_ERR, 423 "%s: unable to create service over doors for version %d\n", 424 argv[0], KEY_VERS3); 425 exit(1); 426 } 427 428 svc_run(); 429 abort(); 430 /* NOTREACHED */ 431 return (0); 432 } 433 434 435 /* 436 * In the event that we don't get a root password, we try to 437 * randomize the master key the best we can 438 */ 439 static void 440 randomize(master) 441 des_block *master; 442 { 443 int i; 444 int seed; 445 struct timeval tv; 446 int shift; 447 448 seed = 0; 449 for (i = 0; i < 1024; i++) { 450 (void) gettimeofday(&tv, (struct timezone *)NULL); 451 shift = i % 8 * sizeof (int); 452 seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift)); 453 } 454 #ifdef KEYSERV_RANDOM 455 srandom(seed); 456 master->key.low = random(); 457 master->key.high = random(); 458 srandom(seed); 459 #else 460 /* use stupid dangerous bad rand() */ 461 srand(seed); 462 master->key.low = rand(); 463 master->key.high = rand(); 464 srand(seed); 465 #endif 466 } 467 468 static char * 469 fgets_ignorenul(char *s, int n, FILE *stream) 470 { 471 int fildes = fileno(stream); 472 int i = 0; 473 int rs = 0; 474 char c; 475 476 if (fildes < 0) 477 return (NULL); 478 479 while (i < n - 1) { 480 rs = read(fildes, &c, 1); 481 switch (rs) { 482 case 1: 483 break; 484 case 0: 485 /* EOF */ 486 if (i > 0) 487 s[i] = '\0'; 488 return (NULL); 489 break; 490 default: 491 return (NULL); 492 } 493 switch (c) { 494 case '\0': 495 break; 496 case '\n': 497 s[i] = c; 498 s[++i] = '\0'; 499 return (s); 500 default: 501 if (c != '\0') 502 s[i++] = c; 503 } 504 } 505 s[i] = '\0'; 506 return (s); 507 } 508 509 /* Should last until 16384-bit DH keys */ 510 #define MAXROOTKEY_LINE_LEN 4224 511 #define MAXROOTKEY_LEN 4096 512 #define ROOTKEY_FILE "/etc/.rootkey" 513 514 static int 515 getotherrootkeys(char *name) 516 { 517 FILE *rootkey; 518 char line[MAXROOTKEY_LINE_LEN]; 519 char key[MAXROOTKEY_LEN]; 520 algtype_t algtype; 521 int count = 0; 522 523 if (!(rootkey = fopen(ROOTKEY, "r"))) 524 return (0); 525 526 while (fgets_ignorenul(line, MAXROOTKEY_LINE_LEN, rootkey)) { 527 debug(KEYSERV_DEBUG0, ("ROOTKEY %d: %s\n", count, line)); 528 count++; 529 if (sscanf(line, "%s %d", key, &algtype) < 2) { 530 /* 531 * No encryption algorithm found in the file 532 * (algtype) so default to DES. 533 */ 534 algtype = AUTH_DES_ALGTYPE; 535 } 536 if (!strlen(key)) 537 continue; 538 addmasterkey(key, name, algtype); 539 } 540 fclose(rootkey); 541 return (1); 542 } 543 544 /* 545 * Try to get root's secret key, by prompting if terminal is a tty, else trying 546 * from standard input. 547 * Returns 1 on success. 548 */ 549 static int 550 getrootkey(master, prompt) 551 des_block *master; 552 int prompt; 553 { 554 char *passwd; 555 char name[MAXNETNAMELEN + 1]; 556 char secret[HEXKEYBYTES + 1]; 557 FILE *fp; 558 int passwd2des(); 559 int retval; 560 561 randomize(master); 562 if (!getnetname(name)) { 563 (void) fprintf(stderr, "keyserv: \ 564 failed to generate host's netname when establishing root's key.\n"); 565 return (0); 566 } 567 if (!prompt) { 568 return (getotherrootkeys(name)); 569 } 570 /* 571 * Decrypt yellow pages publickey entry to get secret key 572 */ 573 passwd = getpass("root password:"); 574 passwd2des(passwd, master); 575 if (!getsecretkey(name, secret, passwd)) { 576 (void) fprintf(stderr, 577 "Can't find %s's secret key\n", name); 578 return (0); 579 } 580 if (secret[0] == 0) { 581 (void) fprintf(stderr, 582 "Password does not decrypt secret key for %s\n", name); 583 return (0); 584 } 585 if ((fp = fopen(ROOTKEY, "w")) == NULL) { 586 (void) fprintf(stderr, 587 "Cannot open %s for write\n", ROOTKEY); 588 return (0); 589 } 590 retval = storeotherrootkeys(fp, name, passwd, secret); 591 fclose(fp); 592 return (retval); 593 } 594 595 /* 596 * Procedures to implement RPC service. These procedures are named 597 * differently from the definitions in key_prot.h (generated by rpcgen) 598 * because they take different arguments. 599 */ 600 char * 601 strstatus(status) 602 keystatus status; 603 { 604 switch (status) { 605 case KEY_SUCCESS: 606 return ("KEY_SUCCESS"); 607 case KEY_NOSECRET: 608 return ("KEY_NOSECRET"); 609 case KEY_UNKNOWN: 610 return ("KEY_UNKNOWN"); 611 case KEY_SYSTEMERR: 612 return ("KEY_SYSTEMERR"); 613 case KEY_BADALG: 614 return ("KEY_BADALG"); 615 case KEY_BADLEN: 616 return ("KEY_BADLEN"); 617 default: 618 return ("(bad result code)"); 619 } 620 } 621 622 bool_t 623 __key_set_1_svc(uid, key, status) 624 uid_t uid; 625 keybuf key; 626 keystatus *status; 627 { 628 if (debugging) { 629 (void) fprintf(stderr, "set(%d, %.*s) = ", uid, 630 sizeof (keybuf), key); 631 } 632 *status = pk_setkey(uid, key); 633 if (debugging) { 634 (void) fprintf(stderr, "%s\n", strstatus(*status)); 635 (void) fflush(stderr); 636 } 637 return (TRUE); 638 } 639 640 bool_t 641 __key_encrypt_pk_2_svc(uid, arg, res) 642 uid_t uid; 643 cryptkeyarg2 *arg; 644 cryptkeyres *res; 645 { 646 647 if (debugging) { 648 (void) fprintf(stderr, "encrypt(%d, %s, %08x%08x) = ", uid, 649 arg->remotename, arg->deskey.key.high, 650 arg->deskey.key.low); 651 } 652 res->cryptkeyres_u.deskey = arg->deskey; 653 res->status = pk_encrypt(uid, arg->remotename, &(arg->remotekey), 654 &res->cryptkeyres_u.deskey); 655 if (debugging) { 656 if (res->status == KEY_SUCCESS) { 657 (void) fprintf(stderr, "%08x%08x\n", 658 res->cryptkeyres_u.deskey.key.high, 659 res->cryptkeyres_u.deskey.key.low); 660 } else { 661 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 662 } 663 (void) fflush(stderr); 664 } 665 return (TRUE); 666 } 667 668 bool_t 669 __key_decrypt_pk_2_svc(uid, arg, res) 670 uid_t uid; 671 cryptkeyarg2 *arg; 672 cryptkeyres *res; 673 { 674 675 if (debugging) { 676 (void) fprintf(stderr, "decrypt(%d, %s, %08x%08x) = ", uid, 677 arg->remotename, arg->deskey.key.high, 678 arg->deskey.key.low); 679 } 680 res->cryptkeyres_u.deskey = arg->deskey; 681 res->status = pk_decrypt(uid, arg->remotename, &(arg->remotekey), 682 &res->cryptkeyres_u.deskey); 683 if (debugging) { 684 if (res->status == KEY_SUCCESS) { 685 (void) fprintf(stderr, "%08x%08x\n", 686 res->cryptkeyres_u.deskey.key.high, 687 res->cryptkeyres_u.deskey.key.low); 688 } else { 689 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 690 } 691 (void) fflush(stderr); 692 } 693 return (TRUE); 694 } 695 696 bool_t 697 __key_net_put_2_svc(uid, arg, status) 698 uid_t uid; 699 key_netstarg *arg; 700 keystatus *status; 701 { 702 703 if (debugging) { 704 (void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ", 705 arg->st_netname, sizeof (arg->st_pub_key), 706 arg->st_pub_key, sizeof (arg->st_priv_key), 707 arg->st_priv_key); 708 }; 709 710 *status = pk_netput(uid, arg); 711 712 if (debugging) { 713 (void) fprintf(stderr, "%s\n", strstatus(*status)); 714 (void) fflush(stderr); 715 } 716 717 return (TRUE); 718 } 719 720 /* ARGSUSED */ 721 bool_t 722 __key_net_get_2_svc(uid, arg, keynetname) 723 uid_t uid; 724 void *arg; 725 key_netstres *keynetname; 726 { 727 728 if (debugging) 729 (void) fprintf(stderr, "net_get(%d) = ", uid); 730 731 keynetname->status = pk_netget(uid, &keynetname->key_netstres_u.knet); 732 if (debugging) { 733 if (keynetname->status == KEY_SUCCESS) { 734 fprintf(stderr, "<%s, %.*s, %.*s>\n", 735 keynetname->key_netstres_u.knet.st_netname, 736 sizeof (keynetname->key_netstres_u.knet.st_pub_key), 737 keynetname->key_netstres_u.knet.st_pub_key, 738 sizeof (keynetname->key_netstres_u.knet.st_priv_key), 739 keynetname->key_netstres_u.knet.st_priv_key); 740 } else { 741 (void) fprintf(stderr, "NOT FOUND\n"); 742 } 743 (void) fflush(stderr); 744 } 745 746 return (TRUE); 747 748 } 749 750 bool_t 751 __key_get_conv_2_svc(uid_t uid, keybuf arg, cryptkeyres *res) 752 { 753 754 if (debugging) 755 (void) fprintf(stderr, "get_conv(%d, %.*s) = ", uid, 756 sizeof (keybuf), arg); 757 758 759 res->status = pk_get_conv_key(uid, arg, res); 760 761 if (debugging) { 762 if (res->status == KEY_SUCCESS) { 763 (void) fprintf(stderr, "%08x%08x\n", 764 res->cryptkeyres_u.deskey.key.high, 765 res->cryptkeyres_u.deskey.key.low); 766 } else { 767 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 768 } 769 (void) fflush(stderr); 770 } 771 return (TRUE); 772 } 773 774 775 bool_t 776 __key_encrypt_1_svc(uid, arg, res) 777 uid_t uid; 778 cryptkeyarg *arg; 779 cryptkeyres *res; 780 { 781 782 if (debugging) { 783 (void) fprintf(stderr, "encrypt(%d, %s, %08x%08x) = ", uid, 784 arg->remotename, arg->deskey.key.high, 785 arg->deskey.key.low); 786 } 787 res->cryptkeyres_u.deskey = arg->deskey; 788 res->status = pk_encrypt(uid, arg->remotename, NULL, 789 &res->cryptkeyres_u.deskey); 790 if (debugging) { 791 if (res->status == KEY_SUCCESS) { 792 (void) fprintf(stderr, "%08x%08x\n", 793 res->cryptkeyres_u.deskey.key.high, 794 res->cryptkeyres_u.deskey.key.low); 795 } else { 796 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 797 } 798 (void) fflush(stderr); 799 } 800 return (TRUE); 801 } 802 803 bool_t 804 __key_decrypt_1_svc(uid, arg, res) 805 uid_t uid; 806 cryptkeyarg *arg; 807 cryptkeyres *res; 808 { 809 if (debugging) { 810 (void) fprintf(stderr, "decrypt(%d, %s, %08x%08x) = ", uid, 811 arg->remotename, arg->deskey.key.high, 812 arg->deskey.key.low); 813 } 814 res->cryptkeyres_u.deskey = arg->deskey; 815 res->status = pk_decrypt(uid, arg->remotename, NULL, 816 &res->cryptkeyres_u.deskey); 817 if (debugging) { 818 if (res->status == KEY_SUCCESS) { 819 (void) fprintf(stderr, "%08x%08x\n", 820 res->cryptkeyres_u.deskey.key.high, 821 res->cryptkeyres_u.deskey.key.low); 822 } else { 823 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 824 } 825 (void) fflush(stderr); 826 } 827 return (TRUE); 828 } 829 830 /* ARGSUSED */ 831 bool_t 832 __key_gen_1_svc(v, s, key) 833 void *v; 834 struct svc_req *s; 835 des_block *key; 836 { 837 struct timeval time; 838 static des_block keygen; 839 static mutex_t keygen_mutex = DEFAULTMUTEX; 840 int r; 841 842 (void) gettimeofday(&time, (struct timezone *)NULL); 843 (void) mutex_lock(&keygen_mutex); 844 keygen.key.high += (time.tv_sec ^ time.tv_usec); 845 keygen.key.low += (time.tv_sec ^ time.tv_usec); 846 r = ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen), 847 DES_ENCRYPT | DES_HW); 848 if (r != DESERR_NONE && r != DESERR_NOHWDEVICE) { 849 mutex_unlock(&keygen_mutex); 850 return (FALSE); 851 } 852 *key = keygen; 853 mutex_unlock(&keygen_mutex); 854 855 des_setparity_g(key); 856 if (debugging) { 857 (void) fprintf(stderr, "gen() = %08x%08x\n", key->key.high, 858 key->key.low); 859 (void) fflush(stderr); 860 } 861 return (TRUE); 862 } 863 864 /* ARGSUSED */ 865 bool_t 866 __key_getcred_1_svc(uid, name, res) 867 uid_t uid; 868 netnamestr *name; 869 getcredres *res; 870 { 871 struct unixcred *cred; 872 873 cred = &res->getcredres_u.cred; 874 if (!netname2user(*name, (uid_t *)&cred->uid, (gid_t *)&cred->gid, 875 (int *)&cred->gids.gids_len, 876 (gid_t *)cred->gids.gids_val)) { 877 res->status = KEY_UNKNOWN; 878 } else { 879 res->status = KEY_SUCCESS; 880 } 881 if (debugging) { 882 (void) fprintf(stderr, "getcred(%s) = ", *name); 883 if (res->status == KEY_SUCCESS) { 884 (void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n", 885 cred->uid, cred->gid, cred->gids.gids_len); 886 } else { 887 (void) fprintf(stderr, "%s\n", strstatus(res->status)); 888 } 889 (void) fflush(stderr); 890 } 891 return (TRUE); 892 } 893 894 /* 895 * Version 3 procedures follow... 896 */ 897 898 static bool_t 899 __key_set_3_svc(uid_t uid, setkeyarg3 *arg, keystatus *status) 900 { 901 debug(KEYSERV_DEBUG, ("__key_set_3_svc(%d, %d, %d)", 902 uid, arg->algtype, arg->keylen)); 903 *status = pk_setkey3(uid, arg); 904 debug(KEYSERV_DEBUG, ("__key_set_3_svc %s", strstatus(*status))); 905 return (TRUE); 906 } 907 908 static bool_t 909 __key_encrypt_3_svc(uid_t uid, cryptkeyarg3 *arg, cryptkeyres3 *res) 910 { 911 int len, i; 912 des_block *dp; 913 914 debug(KEYSERV_DEBUG, ("encrypt_3(%d %d %s)", uid, 915 arg->deskey.deskeyarray_len, arg->remotename)); 916 res->status = pk_encrypt3(uid, arg, &res->cryptkeyres3_u.deskey); 917 len = res->cryptkeyres3_u.deskey.deskeyarray_len; 918 dp = res->cryptkeyres3_u.deskey.deskeyarray_val; 919 for (i = 0; i < len; i++) { 920 debug(KEYSERV_DEBUG0, ("encrypt_3 retval[%d] == (%x,%x)", 921 i, dp->key.high, dp->key.low)); 922 dp++; 923 } 924 debug(KEYSERV_DEBUG, ("encrypt_3 returned %s", strstatus(res->status))); 925 return (TRUE); 926 } 927 928 static bool_t 929 __key_decrypt_3_svc(uid_t uid, cryptkeyarg3 *arg, cryptkeyres3 *res) 930 { 931 int len, i; 932 des_block *dp; 933 934 debug(KEYSERV_DEBUG, ("decrypt_3(%d, %d, %s)", uid, 935 arg->deskey.deskeyarray_len, arg->remotename)); 936 res->status = pk_decrypt3(uid, arg, &res->cryptkeyres3_u.deskey); 937 len = res->cryptkeyres3_u.deskey.deskeyarray_len; 938 dp = res->cryptkeyres3_u.deskey.deskeyarray_val; 939 for (i = 0; i < len; i++) { 940 debug(KEYSERV_DEBUG0, ("decrypt_3 retval[%d] == (%x,%x)", 941 i, dp->key.high, dp->key.low)); 942 dp++; 943 } 944 debug(KEYSERV_DEBUG, ("decrypt_3 returned %s", strstatus(res->status))); 945 return (TRUE); 946 } 947 948 /* ARGSUSED */ 949 static bool_t 950 __key_gen_3_svc(void *v, keynum_t *kp, deskeyarray *res) 951 { 952 int i; 953 keynum_t keynum = *kp; 954 955 debug(KEYSERV_DEBUG, ("gen_3(%d %x)", keynum, res)); 956 res->deskeyarray_val = 0; 957 if (!setdeskeyarray(res, keynum)) { 958 return (FALSE); 959 } 960 for (i = 0; i < keynum; i++) { 961 debug(KEYSERV_DEBUG, ("gen_3 calling gen_1 %x", 962 res->deskeyarray_val+i)); 963 __key_gen_1_svc((void *) NULL, (struct svc_req *)NULL, 964 res->deskeyarray_val+i); 965 debug(KEYSERV_DEBUG, ("gen_3 val %d %x", 966 i, *(int *)(res->deskeyarray_val+i))); 967 } 968 return (TRUE); 969 } 970 971 static void 972 __key_gen_3_svc_free(deskeyarray *dp) 973 { 974 free(dp->deskeyarray_val); 975 } 976 977 static bool_t 978 __key_getcred_3_svc(uid_t uid, netnamestr *name, getcredres3 *res) 979 { 980 return (__key_getcred_1_svc(uid, name, (getcredres *)res)); 981 } 982 983 static bool_t 984 __key_encrypt_pk_3_svc(uid_t uid, cryptkeyarg3 *arg, cryptkeyres3 *res) 985 { 986 debug(KEYSERV_DEBUG, ("encrypt_pk_3(%d, %s)", uid, arg->remotename)); 987 res->status = pk_encrypt3(uid, arg, &res->cryptkeyres3_u.deskey); 988 debug(KEYSERV_DEBUG, ("encrypt returned %s", strstatus(res->status))); 989 return (TRUE); 990 } 991 992 static void 993 __key_encrypt_pk_3_svc_free(cryptkeyres3 *res) 994 { 995 if (res->status == KEY_SUCCESS) { 996 free(res->cryptkeyres3_u.deskey.deskeyarray_val); 997 } 998 } 999 1000 static bool_t 1001 __key_decrypt_pk_3(uid_t uid, cryptkeyarg3 *arg, cryptkeyres3 *res) 1002 { 1003 debug(KEYSERV_DEBUG, ("decrypt_pk_3(%d, %s)", uid, arg->remotename)); 1004 res->status = pk_decrypt3(uid, arg, &res->cryptkeyres3_u.deskey); 1005 debug(KEYSERV_DEBUG, ("encrypt returned %s", strstatus(res->status))); 1006 return (TRUE); 1007 } 1008 1009 static void 1010 __key_decrypt_pk_3_free(cryptkeyres3 *res) 1011 { 1012 if (res->status == KEY_SUCCESS) { 1013 free(res->cryptkeyres3_u.deskey.deskeyarray_val); 1014 } 1015 } 1016 1017 static bool_t 1018 __key_net_put_3_svc(uid_t uid, key_netstarg3 *arg, keystatus *status) 1019 { 1020 debug(KEYSERV_DEBUG, ("net_put_3 (%d, %x)", uid, arg)); 1021 *status = pk_netput3(uid, arg); 1022 debug(KEYSERV_DEBUG, ("net_put_3 ret %s", strstatus(*status))); 1023 return (TRUE); 1024 } 1025 1026 static bool_t 1027 __key_net_get_3_svc(uid_t uid, mechtype *arg, key_netstres3 *keynetname) 1028 { 1029 debug(KEYSERV_DEBUG, ("net_get_3 (%d, %x)", uid, arg)); 1030 keynetname->status = pk_netget3(uid, 1031 arg, &keynetname->key_netstres3_u.knet); 1032 debug(KEYSERV_DEBUG, 1033 ("net_get_3 ret %s", strstatus(keynetname->status))); 1034 return (TRUE); 1035 } 1036 1037 static void 1038 __key_net_get_3_svc_free(key_netstres3 *keynetname) 1039 { 1040 if (keynetname->status == KEY_SUCCESS) { 1041 free(keynetname->key_netstres3_u.knet.st_priv_key.keybuf3_val); 1042 free(keynetname->key_netstres3_u.knet.st_pub_key.keybuf3_val); 1043 free(keynetname->key_netstres3_u.knet.st_netname); 1044 } 1045 } 1046 1047 static bool_t 1048 __key_get_conv_3_svc(uid_t uid, deskeyarg3 *arg, cryptkeyres3 *res) 1049 { 1050 debug(KEYSERV_DEBUG, ("get_conv_3(%d %x %x)", uid, arg, res)); 1051 res->status = pk_get_conv_key3(uid, arg, res); 1052 debug(KEYSERV_DEBUG, 1053 ("get_conv_3 ret %s", strstatus(res->status))); 1054 return (TRUE); 1055 } 1056 1057 /* ARGSUSED */ 1058 static bool_t 1059 __key_clear_3_svc(uid_t uid, void *arg, keystatus *status) 1060 { 1061 debug(KEYSERV_DEBUG, ("clear_3(%d)", uid)); 1062 *status = pk_clear3(uid); 1063 debug(KEYSERV_DEBUG, ("clear_3 ret %s", strstatus(*status))); 1064 return (TRUE); 1065 } 1066 1067 /* 1068 * RPC boilerplate 1069 */ 1070 static void 1071 keyprogram(rqstp, transp) 1072 struct svc_req *rqstp; 1073 SVCXPRT *transp; 1074 { 1075 union { 1076 keybuf key_set_1_arg; 1077 cryptkeyarg key_encrypt_1_arg; 1078 cryptkeyarg key_decrypt_1_arg; 1079 netnamestr key_getcred_1_arg; 1080 cryptkeyarg key_encrypt_2_arg; 1081 cryptkeyarg key_decrypt_2_arg; 1082 netnamestr key_getcred_2_arg; 1083 cryptkeyarg2 key_encrypt_pk_2_arg; 1084 cryptkeyarg2 key_decrypt_pk_2_arg; 1085 key_netstarg key_net_put_2_arg; 1086 netobj key_get_conv_2_arg; 1087 keybuf3 key_set_3_arg; 1088 cryptkeyarg3 key_encrypt_3_arg; 1089 cryptkeyarg3 key_decrypt_3_arg; 1090 cryptkeyarg3 key_encrypt_pk_3_arg; 1091 cryptkeyarg3 key_decrypt_pk_3_arg; 1092 keynum_t key_gen_3_arg; 1093 netnamestr key_getcred_3_arg; 1094 key_netstarg3 key_net_put_3_arg; 1095 key_netstarg3 key_net_get_3_arg; 1096 deskeyarg3 key_get_conv_3_arg; 1097 } argument; 1098 union { 1099 keystatus status; 1100 cryptkeyres cres; 1101 des_block key; 1102 getcredres gres; 1103 key_netstres keynetname; 1104 cryptkeyres3 cres3; 1105 deskeyarray keyarray; 1106 getcredres3 gres3; 1107 key_netstres3 keynetname3; 1108 } result; 1109 uint_t gids[MAXGIDS]; 1110 char netname_str[MAXNETNAMELEN + 1]; 1111 bool_t (*xdr_argument)(), (*xdr_result)(); 1112 bool_t (*local)(); 1113 void (*local_free)() = NULL; 1114 bool_t retval; 1115 uid_t uid; 1116 int check_auth; 1117 1118 switch (rqstp->rq_proc) { 1119 case NULLPROC: 1120 svc_sendreply(transp, xdr_void, (char *)NULL); 1121 return; 1122 1123 case KEY_SET: 1124 xdr_argument = xdr_keybuf; 1125 xdr_result = xdr_int; 1126 local = __key_set_1_svc; 1127 check_auth = 1; 1128 break; 1129 1130 case KEY_ENCRYPT: 1131 xdr_argument = xdr_cryptkeyarg; 1132 xdr_result = xdr_cryptkeyres; 1133 local = __key_encrypt_1_svc; 1134 check_auth = 1; 1135 break; 1136 1137 case KEY_DECRYPT: 1138 xdr_argument = xdr_cryptkeyarg; 1139 xdr_result = xdr_cryptkeyres; 1140 local = __key_decrypt_1_svc; 1141 check_auth = 1; 1142 break; 1143 1144 case KEY_GEN: 1145 xdr_argument = xdr_void; 1146 xdr_result = xdr_des_block; 1147 local = __key_gen_1_svc; 1148 check_auth = 0; 1149 break; 1150 1151 case KEY_GETCRED: 1152 xdr_argument = xdr_netnamestr; 1153 xdr_result = xdr_getcredres; 1154 local = __key_getcred_1_svc; 1155 result.gres.getcredres_u.cred.gids.gids_val = gids; 1156 check_auth = 0; 1157 break; 1158 1159 case KEY_ENCRYPT_PK: 1160 xdr_argument = xdr_cryptkeyarg2; 1161 xdr_result = xdr_cryptkeyres; 1162 local = __key_encrypt_pk_2_svc; 1163 check_auth = 1; 1164 break; 1165 1166 case KEY_DECRYPT_PK: 1167 xdr_argument = xdr_cryptkeyarg2; 1168 xdr_result = xdr_cryptkeyres; 1169 local = __key_decrypt_pk_2_svc; 1170 check_auth = 1; 1171 break; 1172 1173 1174 case KEY_NET_PUT: 1175 xdr_argument = xdr_key_netstarg; 1176 xdr_result = xdr_keystatus; 1177 local = __key_net_put_2_svc; 1178 check_auth = 1; 1179 break; 1180 1181 case KEY_NET_GET: 1182 xdr_argument = (xdrproc_t)xdr_void; 1183 xdr_result = xdr_key_netstres; 1184 local = __key_net_get_2_svc; 1185 result.keynetname.key_netstres_u.knet.st_netname = netname_str; 1186 check_auth = 1; 1187 break; 1188 1189 case KEY_GET_CONV: 1190 xdr_argument = (xdrproc_t)xdr_keybuf; 1191 xdr_result = xdr_cryptkeyres; 1192 local = __key_get_conv_2_svc; 1193 check_auth = 1; 1194 break; 1195 1196 /* 1197 * Version 3 procedures follow... 1198 */ 1199 1200 case KEY_SET_3: 1201 xdr_argument = (xdrproc_t)xdr_setkeyarg3; 1202 xdr_result = xdr_keystatus; 1203 local = __key_set_3_svc; 1204 check_auth = 1; 1205 break; 1206 1207 case KEY_ENCRYPT_3: 1208 xdr_argument = (xdrproc_t)xdr_cryptkeyarg3; 1209 xdr_result = xdr_cryptkeyres3; 1210 local = __key_encrypt_3_svc; 1211 check_auth = 1; 1212 break; 1213 1214 case KEY_DECRYPT_3: 1215 xdr_argument = (xdrproc_t)xdr_cryptkeyarg3; 1216 xdr_result = xdr_cryptkeyres3; 1217 local = __key_decrypt_3_svc; 1218 check_auth = 1; 1219 break; 1220 1221 case KEY_GEN_3: 1222 xdr_argument = (xdrproc_t)xdr_keynum_t; 1223 xdr_result = xdr_deskeyarray; 1224 local = __key_gen_3_svc; 1225 local_free = __key_gen_3_svc_free; 1226 check_auth = 0; 1227 break; 1228 1229 case KEY_GETCRED_3: 1230 xdr_argument = (xdrproc_t)xdr_netnamestr; 1231 xdr_result = xdr_getcredres3; 1232 local = __key_getcred_3_svc; 1233 check_auth = 0; 1234 break; 1235 1236 case KEY_ENCRYPT_PK_3: 1237 xdr_argument = (xdrproc_t)xdr_cryptkeyarg3; 1238 xdr_result = xdr_cryptkeyres3; 1239 local = __key_encrypt_pk_3_svc; 1240 local_free = __key_encrypt_pk_3_svc_free; 1241 check_auth = 1; 1242 break; 1243 1244 case KEY_DECRYPT_PK_3: 1245 xdr_argument = (xdrproc_t)xdr_cryptkeyarg3; 1246 xdr_result = xdr_cryptkeyres3; 1247 local = __key_decrypt_pk_3; 1248 local_free = __key_decrypt_pk_3_free; 1249 check_auth = 1; 1250 break; 1251 1252 case KEY_NET_PUT_3: 1253 xdr_argument = (xdrproc_t)xdr_key_netstarg3; 1254 xdr_result = xdr_keystatus; 1255 local = __key_net_put_3_svc; 1256 check_auth = 1; 1257 break; 1258 1259 case KEY_NET_GET_3: 1260 xdr_argument = (xdrproc_t)xdr_mechtype; 1261 xdr_result = xdr_key_netstres3; 1262 local = __key_net_get_3_svc; 1263 local_free = __key_net_get_3_svc_free; 1264 check_auth = 1; 1265 break; 1266 1267 case KEY_GET_CONV_3: 1268 xdr_argument = (xdrproc_t)xdr_deskeyarg3; 1269 xdr_result = xdr_cryptkeyres3; 1270 local = __key_get_conv_3_svc; 1271 check_auth = 1; 1272 break; 1273 1274 case KEY_CLEAR_3: 1275 xdr_argument = (xdrproc_t)xdr_void; 1276 xdr_result = xdr_keystatus; 1277 local = __key_clear_3_svc; 1278 check_auth = 1; 1279 break; 1280 1281 default: 1282 svcerr_noproc(transp); 1283 return; 1284 } 1285 if (check_auth) { 1286 if (!get_auth(transp, rqstp, &uid)) { 1287 if (debugging) { 1288 (void) fprintf(stderr, 1289 "not local privileged process\n"); 1290 } 1291 svcerr_weakauth(transp); 1292 return; 1293 } 1294 } 1295 1296 memset((char *)&argument, 0, sizeof (argument)); 1297 if (!svc_getargs(transp, xdr_argument, (caddr_t)&argument)) { 1298 svcerr_decode(transp); 1299 return; 1300 } 1301 retval = (*local)(uid, &argument, &result); 1302 if (retval && !svc_sendreply(transp, xdr_result, (char *)&result)) { 1303 if (debugging) 1304 (void) fprintf(stderr, "unable to reply\n"); 1305 svcerr_systemerr(transp); 1306 } 1307 if (!svc_freeargs(transp, xdr_argument, (caddr_t)&argument)) { 1308 if (debugging) 1309 (void) fprintf(stderr, 1310 "unable to free arguments\n"); 1311 exit(1); 1312 } 1313 if (local_free) { 1314 (*local_free)(&result); 1315 } 1316 } 1317 1318 static bool_t 1319 get_auth(trans, rqstp, uid) 1320 SVCXPRT *trans; 1321 struct svc_req *rqstp; 1322 uid_t *uid; 1323 { 1324 svc_local_cred_t cred; 1325 1326 if (!svc_get_local_cred(trans, &cred)) { 1327 if (debugging) 1328 fprintf(stderr, "svc_get_local_cred failed %s %s\n", 1329 trans->xp_netid, trans->xp_tp); 1330 return (FALSE); 1331 } 1332 if (debugging) 1333 fprintf(stderr, "local_uid %d\n", cred.euid); 1334 if (rqstp->rq_cred.oa_flavor == AUTH_SYS || 1335 rqstp->rq_cred.oa_flavor == AUTH_LOOPBACK) { 1336 CTASSERT(sizeof (struct authunix_parms) <= RQCRED_SIZE); 1337 /* LINTED pointer alignment */ 1338 *uid = ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid; 1339 return (*uid == cred.euid || cred.euid == 0); 1340 } else { 1341 *uid = cred.euid; 1342 return (TRUE); 1343 } 1344 } 1345 1346 static int 1347 get_cache_size(size) 1348 char *size; 1349 { 1350 int csize, len; 1351 1352 len = (int)strlen(size); 1353 if (len == 0) { 1354 usage(); 1355 } 1356 1357 if (size[len-1] == 'M' || size[len-1] == 'm') { 1358 /* 1359 * cache size in MB 1360 */ 1361 size[len-1] = '\0'; 1362 csize = atoi(size); 1363 } else { 1364 csize = atoi(size); 1365 /* 1366 * negative size indicates number of entries in cache 1367 */ 1368 csize = 0 - csize; 1369 } 1370 1371 if (csize == 0) { 1372 (void) fprintf(stderr, "invalid cache size: %s\n", size); 1373 usage(); 1374 } 1375 1376 return (csize); 1377 } 1378 1379 static void 1380 usage() 1381 { 1382 (void) fprintf(stderr, "usage: \n"); 1383 (void) fprintf(stderr, "keyserv [-c]|[-s "); 1384 (void) fprintf(stderr, "<size>|<mechtype>=<size>[,...]] [-n] [-D] "); 1385 (void) fprintf(stderr, "[-d | -e] "); 1386 (void) fprintf(stderr, "[-t threads]\n"); 1387 (void) fprintf(stderr, "-d disables the use of default keys\n"); 1388 (void) fprintf(stderr, "-e enables the use of default keys\n"); 1389 exit(1); 1390 } 1391 1392 static void 1393 defaults(void) 1394 { 1395 register int flags; 1396 register char *ptr; 1397 1398 if (defopen(defaults_file) == 0) { 1399 /* 1400 * ignore case 1401 */ 1402 flags = defcntl(DC_GETFLAGS, 0); 1403 TURNOFF(flags, DC_CASE); 1404 (void) defcntl(DC_SETFLAGS, flags); 1405 1406 if ((ptr = defread("ENABLE_NOBODY_KEYS=")) != NULL) { 1407 if (strcasecmp(ptr, "NO") == 0) { 1408 use_nobody_keys = FALSE; 1409 } 1410 } 1411 1412 (void) defopen((char *)NULL); 1413 } 1414 } 1415