xref: /illumos-gate/usr/src/lib/nsswitch/ldap/common/getkeyent.c (revision 002c70ff32f5df6f93c15f88d351ce26443e6ee7)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <pwd.h>
29 #include <ctype.h>
30 #include "ldap_common.h"
31 
32 /* publickey attributes filters */
33 #define	_KEY_CN			"cn"
34 #define	_KEY_NISPUBLICKEY	"nisPublickey"
35 #define	_KEY_NISSECRETKEY	"nisSecretkey"
36 #define	_KEY_UIDNUMBER		"uidnumber"
37 
38 #define	_F_GETKEY_USER		"(&(objectClass=nisKeyObject)(uidNumber=%s))"
39 #define	_F_GETKEY_USER_SSD	"(&(%%s)(uidNumber=%s))"
40 #define	_F_GETKEY_HOST		"(&(objectClass=nisKeyObject)(cn=%s))"
41 #define	_F_GETKEY_HOST_SSD	"(&(%%s)(cn=%s))"
42 
43 static const char *keys_attrs[] = {
44 	_KEY_NISPUBLICKEY,
45 	_KEY_NISSECRETKEY,
46 	(char *)NULL
47 };
48 
49 
50 /*
51  * _nss_ldap_key2str is the data marshaling method for the publickey getXbyY
52  * (e.g., getpublickey() and getsecretkey()) backend processes. This method
53  * is called after a successful ldap search has been performed. This method
54  * will parse the ldap search values into "public:secret" file format.
55  *
56  * c3d91f44568fbbefada50d336d9bd67b16e7016f987bb607:
57  * 7675cd9b8753b5db09dabf12da759c2bd1331c927bb322861fffb54be13f55e9
58  *
59  * (All in one line)
60  *
61  * Publickey does not have a front end marshaller so db_type is set
62  * for special handling.
63  */
64 
65 static int
66 _nss_ldap_key2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
67 {
68 	int		nss_result;
69 	char		*keytype = (char *)argp->key.pkey.keytype;
70 	int		keytypelen = strlen(keytype);
71 	int		len;
72 	int		buflen = argp->buf.buflen;
73 	char		*buffer, *pkey, *skey;
74 	ns_ldap_result_t	*result = be->result;
75 	char		**pkey_array, **skey_array;
76 
77 	if (result == NULL || keytype == NULL) {
78 		nss_result = NSS_STR_PARSE_ERANGE;
79 		goto result_key2str;
80 	}
81 	nss_result = NSS_STR_PARSE_SUCCESS;
82 	(void) memset(argp->buf.buffer, 0, buflen);
83 	/* get the publickey */
84 	pkey_array = __ns_ldap_getAttr(result->entry, _KEY_NISPUBLICKEY);
85 	if (pkey_array == NULL) {
86 		nss_result = NSS_STR_PARSE_PARSE;
87 		goto result_key2str;
88 	}
89 	while (*pkey_array) {
90 		if (strncasecmp(*pkey_array, keytype, keytypelen) == NULL)
91 			break;
92 		pkey_array++;
93 	}
94 	if (*pkey_array == NULL) {
95 		nss_result = NSS_STR_PARSE_PARSE;
96 		goto result_key2str;
97 	}
98 	pkey = *pkey_array + keytypelen;
99 
100 	/* get the secretkey */
101 	skey_array = __ns_ldap_getAttr(result->entry, _KEY_NISSECRETKEY);
102 	if (skey_array == NULL) {
103 		/*
104 		 * if we got this far, it's possible that the secret
105 		 * key is actually missing or no permission to read it.
106 		 * For the current implementation, we assume that the
107 		 * clients have read permission to the secret key.  So,
108 		 * the only possibility of reaching this here is due to
109 		 * missing secret key.
110 		 */
111 		nss_result = NSS_STR_PARSE_PARSE;
112 		goto result_key2str;
113 	}
114 	while (*skey_array) {
115 		if (strncasecmp(*skey_array, keytype, keytypelen) == NULL)
116 			break;
117 		skey_array++;
118 	}
119 	if (*skey_array == NULL) {
120 		nss_result = NSS_STR_PARSE_PARSE;
121 		goto result_key2str;
122 	}
123 	skey = *skey_array + keytypelen;
124 
125 	/* 2 = 1 ':' + 1 '\0' */
126 	len = strlen(pkey) + strlen(skey) + 2;
127 	if (len > buflen) {
128 		nss_result = NSS_STR_PARSE_ERANGE;
129 		goto result_key2str;
130 	}
131 	/*
132 	 * publickey does not have a frontend marshaller.
133 	 * copy the result to buf.buffer directly
134 	 */
135 	buffer = argp->buf.buffer;
136 
137 	(void) snprintf(buffer, len, "%s:%s", pkey, skey);
138 
139 	be->db_type = NSS_LDAP_DB_PUBLICKEY;
140 
141 result_key2str:
142 
143 	(void) __ns_ldap_freeResult(&be->result);
144 	return ((int)nss_result);
145 }
146 
147 
148 /*
149  * getkeys gets both the public and secret keys from publickey entry by either
150  * uid name or host name. This function constructs an ldap search filter using
151  * the name invocation parameter and the getpwnam search filter defined. Once
152  * the filter is constructed, we search for a matching entry and marshal the
153  * data results into struct passwd for the frontend process. The function
154  * _nss_ldap_key2ent performs the data marshaling.
155  * The lookups will be done using the proxy credential.  We don't want to use
156  * the user's credential for lookup at this point because we don't have any
157  * secure transport.
158  */
159 
160 static nss_status_t
161 getkeys(ldap_backend_ptr be, void *a)
162 {
163 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
164 	char	searchfilter[SEARCHFILTERLEN];
165 	char	userdata[SEARCHFILTERLEN];
166 	char	netname[SEARCHFILTERLEN];
167 	char	*name, *domain, *p;
168 	nss_status_t	rc;
169 	int	ret;
170 
171 	/*
172 	 * We need to break it down to find if this is a netname for host
173 	 * or user.  We'll pass the domain as is to the LDAP call.
174 	 */
175 	if (_ldap_filter_name(netname, argp->key.pkey.name, sizeof (netname))
176 			!= 0)
177 		return ((nss_status_t)NSS_NOTFOUND);
178 
179 	domain = strchr(netname, '@');
180 	if (!domain)
181 		return ((nss_status_t)NSS_NOTFOUND);
182 
183 	*domain++ = '\0';
184 	if ((p = strchr(netname, '.')) == NULL)
185 		return ((nss_status_t)NSS_NOTFOUND);
186 
187 	name = ++p;
188 	if (isdigit(*name)) {
189 		/* user keys lookup */
190 		ret = snprintf(searchfilter, sizeof (searchfilter),
191 		    _F_GETKEY_USER, name);
192 		if (ret >= sizeof (searchfilter) || ret < 0)
193 			return ((nss_status_t)NSS_NOTFOUND);
194 
195 		ret = snprintf(userdata, sizeof (userdata),
196 		    _F_GETKEY_USER_SSD, name);
197 		if (ret >= sizeof (userdata) || ret < 0)
198 			return ((nss_status_t)NSS_NOTFOUND);
199 
200 		rc = (nss_status_t)_nss_ldap_lookup(be, argp,
201 				_PASSWD, searchfilter, domain,
202 				_merge_SSD_filter, userdata);
203 	} else {
204 		/* host keys lookup */
205 		ret = snprintf(searchfilter, sizeof (searchfilter),
206 		    _F_GETKEY_HOST, name);
207 		if (ret >= sizeof (searchfilter) || ret < 0)
208 			return ((nss_status_t)NSS_NOTFOUND);
209 
210 		ret = snprintf(userdata, sizeof (userdata),
211 		    _F_GETKEY_HOST_SSD, name);
212 		if (ret >= sizeof (userdata) || ret < 0)
213 			return ((nss_status_t)NSS_NOTFOUND);
214 
215 		rc = (nss_status_t)_nss_ldap_lookup(be, argp,
216 				_HOSTS, searchfilter, domain,
217 				_merge_SSD_filter, userdata);
218 	}
219 	return (rc);
220 }
221 
222 
223 static ldap_backend_op_t keys_ops[] = {
224 	_nss_ldap_destr,
225 	0,
226 	0,
227 	0,
228 	getkeys
229 };
230 
231 
232 /*
233  * _nss_ldap_publickey_constr is where life begins. This function calls the
234  * generic ldap constructor function to define and build the abstract
235  * data types required to support ldap operations.
236  */
237 
238 /*ARGSUSED0*/
239 nss_backend_t *
240 _nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
241 			const char *dummy3)
242 {
243 
244 	return ((nss_backend_t *)_nss_ldap_constr(keys_ops,
245 		    sizeof (keys_ops)/sizeof (keys_ops[0]),
246 		    _PUBLICKEY, keys_attrs, _nss_ldap_key2str));
247 }
248